Internal Audit - Process Clause Matrix / Audit Checklist

COR88

Registered
Hi All,

I have a question regarding the internal audit process. Please see below background about the company I work for:
Our site is certified to ISO 13485:2016 and 21 CFR 820. We have an extensive audit checklist (13485 and 21 CFR 820) which is pretty much in the form of turning every clause into a question. To accompany this we also have a Process Clause Matrix, however the PCM does not reference any clauses, it simply details the process on the X axis and then has a list of “elements” on the Y axis. See example below:


PCM.png

My issue with this PCM is that the 13485:2016 and 21 CFR clauses are not specifically called out in this document. For example, if an auditor were to complete an internal audit that involved the review of the change management process, the control of documents is called out as an element for review during this audit but no specific clauses are called out. Therefore the auditor needs to trawl through the audit checklist, find this element (and other applicable elements) and complete the audit.

What I would like to know is if anyone has any advice or any examples of a PCM that has a list of processes and a list of elements that cover all applicable clauses to that site (ideally, if you have an example that has 13485 and 21 CFR 820 that would be great; I more so just want to see how it is laid out). In my opinion the PCM should reference all clauses for all certifications on site to prove that our audits are robust and all elements are taken into consideration during the internal audit process. For example, if control of documents is required, the elements section should include reference to 13485:2016 4.2 and 820.40 21 CFR 820.

Also, I want to ultimately make it easier on the internal auditors to complete the internal audit checklist. If they can simply review the PCM, N/A the clauses which are not applicable to their audit and carry on, this will save invaluable time.

If anyone’s mindset differs please let me know and describe why you do not prescribe to this method of internal auditing and what you would do differently.

Many thanks
COR
 

RoxaneB

Change Agent and Data Storyteller
Super Moderator
Hello, COR.

I actually like the way you have presented it, especially if you do integrated internal audits, especially if the horizontal axis is laid out in alignment with your organization's business system. When I first went down this road - years ago, to be honest and to different standards - my clause-based audit checklists included narrow columns (checkbox width) where I indicated if the clause was applicable to the standard(s) being audited.
 

Attachments

  • IIA Example.jpg

COR88

Registered
Hi Roxane,

Many thanks for your feedback! The document that you attached looks great. I just have one question about it. You have broken this down by a list of requirements and you have identified which standards are applicable to those requirements. This is a great way for auditors to understand whether the requirement is applicable to their audit. But what I don't understand is how you know if the requirement is applicable to that audit in the first place? In your document example "Q1" is applicable to all your standards, but how do you know if the process you are auditing needs to be audited against that requirement?

That's where my dilemma lies. I am trying to match the relevant clauses to the process being audited in my PCM, therefore I want one document that an auditor can refer to and know which requirements are applicable. Then they will mark the requirements in their checklist as N/A that are not applicable and are left with the clauses that are required.

In my example I may need to create a separate PCM for each standard, rather than make it more complicated by trying to include both 13485 and 21 CFR in the same PCM.

I hope that makes sense.

Regards
Cathal

 

RoxaneB

Change Agent and Data Storyteller
Super Moderator
The question makes sense.

You could do a supporting matrix that shows your organization's elements on one axis and standard clauses along the other.

and/or

Your management rep(s) for the relevant standards reviews the internal audit checklists and determines the alignment.
 

RoxaneB

Change Agent and Data Storyteller
Super Moderator
To throw in an extra layer of complexity for you ( :notangel: ), why not use something other than 'X' to denote alignment between the clauses and your organization's elements?

We used something like:
D - Direct responsibility
U - User
- - Not Applicable (we didn't want to leave any blanks as a way to ensure that every possible combination was considered...a blank cell could mean that someone missed it)

From an internal audit perspective, this helped my team of internal auditors frame their questions based on the relationship with the clauses. For example, since my team OWNED the document control process, the questions were really clause-centric. Whereas, if an internal auditor was out in product, they'd ask questions like "So, how do you know what you need to do", "What if you forget how to do your job?", "What do you do if you realize that there's a better way to do something than what's documented?", etc.
 

GreatNate

Bareback Jack
Hi Roxane

Do you have a copy of an ISO 9001 audit schedule and audit report? If you could share, that would be really helpful. Thanks.
 

RoxaneB

Change Agent and Data Storyteller
Super Moderator
Hello, GreatNate.

An audit schedule depends upon your organization, how its management system is set-up, and the culture of your organization. Some spread their audits out over a period of time, such as one year. Others mirror an external audit and do it all in one shot at a defined frequency.

Using a Gantt chart or even just a tracker in Excel, you can indicate when an audit is scheduled, and then change the colour to show if it's in progress, on time, delayed, cancelled, etc. That can be a helpful visual aid to see if audits are being conducted on time - and if they're not, then it's time to have a discussion with senior leadership about why. Their involvement may be needed.

Your audit plan is more detailed and focuses on the scope of the audit that your organization is about to conduct - processes, procedures, people to include, timing, agendas, etc.

Your audit report can also be based upon what your organization is looking for. Typically, it contains general information regarding the logistics of the audit (e.g., date, scope, applicable standard(s), auditor(s), and so on). Some include a section for strengths. Mine include a summary of the issued nonconformances, while I've seen others simply refer to the issued nonconformance reports.

All that being said, if you click on "Attachment List" at the top of the screen, you can do a search for 'internal audit schedule' and 'internal audit report.' That will hopefully give you some good examples which will allow you to develop something appropriate for your organization.
 