Internal Audit Schedule Conformance

[RSfun]

We are certified to ISO 9001 and I was wondering what you guys think about this?

In the past we have published our Internal Audit Schedule to the organization and if for one reason or another the audit was not done on the scheduled date, we would just update the schedule with a new date and complete the audit.
Moving forward, I want to track and measure the audits that are not completed on the scheduled date leaving the completed date as "Late". I am curious if this would cause a nonconformance during or Surveillance Audit. (Per 8.2.2 - "The organization shall conduct internal audits at planned intervals") If I identify it and maybe create a Corrective Action will this suffice, or can I leave it, and during Management Review identify the issue but not require a CAR? Or should I just keep updating the schedule?

Just looking for some opinions.

Thanks,
Paul

 

[somashekar]

In keeping with the spirit of things, follow your business process and let IS09001 be a guiding factor for you rather than following the ISO9001 keeping business outside.
Remember that like all other activity, internal audit is also a planned activity and plans can change under changing circumstances.
Be true to yourself and do not show undue delay in any of these.

Or should I just keep updating the schedule?

A plan vs actual will just be good. ...again no undue delay

 

[Jim Wynne]

One simple thing you can do is expand the window. Rather than saying that an audit is scheduled for a particular day or week, schedule it for a particular month. You can still notify auditees in advance.

 

[Sidney Vianna]

Paul, don't overlook (as the vast majority of organizations do) the REQUIREMENT from the standard which reads:

An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits.

In the real world, it is very unlikely that all business processes have the same degree of criticality and importance, in terms of product conformity and customer satisfaction.

In the real world, it is very unlikely that all business processes/departments have the same degree of discipline in terms of sticking to the QMS.

Without using the word risk, ISO 9001 intends organizations to have a risk-based approach to scheduling their internal audits. Many times, there will be very little residual risk if an internal audit gets delayed/postponed, but sometimes, when audits are conducted effectively and there are significant risks to be mitigated, internal audits should not be rescheduled willy nilly, since that practice would be (unintentionally) conveying the message that internal audits are not that important.

If internal audits are conducted in a way to really identify business risks and (as importantly) identify/trigger opportunities for improvement in effectiveness and efficiency, top management would be on top of the program and resist excessive rescheduling. It all boils down to the degree of (perceived) value and importance the organization places on the internal QMS audit program.

 

[insect warfare]

In my experience it should not incur a NC, if you have established a plan of action (corrective action) which can be demonstrated or shown to your CB as being implemented and/or followed up on.

Maybe your internal audit procedure(s) are creating constraints, or maybe your auditors are doing this on purpose, or maybe there is just lack of incentive, but somewhere there a fundamental reason exists for your current situation and corrective action will eliminate the root cause and get you back on track.

Brian

 

[silentrunning]

Like Jim suggested, I have mine scheduled during a month. No dates. I have never had anyone question this so far.

 

[RSfun]

Thanks guys for the feedback. I believe there is an issue and that is why I want to start tracking the audits that are late, bringing the issue to Upper Management's attention.
I realize that other departments may not see the value of the internal audit system. I want to determine if this is happening in certain departments, with certain auditors, or with certain auditees on a regular basis.
One reason I didn't want to change the dates or open the dates up to allow flexibility was because I want to see what the trends are (Who, what, when, why). But, at the same time, I do not want to open the system up for a nonconformance.

 

[AndyN]

Paul, in all practicality you are going to track something which is, frankly, a waste of time! As Sidney correctly posted, your emphasis should not be on trying to predict when to do audits by calendar, but by those things which present risks. You don't need a crystal ball to do the risk-based thing. And, more importantly, you are NOT required to determine a whole calendar of audits - despite what an external auditor might believe!

Far better time is spent working with your management team to find out what's keeping them awake at night! You won't find too many times when the audits are missed. In fact, you may find you are the reason - trying to play catch up!

 

[RSfun]

Currently, I am using a weighted scoring template to calculate the risks for our audits. This is based on Upper Management request, business impact,
any changes to the management system, findings from last audits(Internal/External) and date of last audit occurance. This is then transfered to our audit schedule calendar.

The problem is that the missed audits have never been reported and I am sure that the Upper Management has not been aware that the audits have been rescheduled. (Maybe the system could get some support.)
Although you maybe right, and it is a waste of my time because the audits are getting completed and there are definitely bigger fish to fry. It is just something that would be easy to track and drill deeper into determining if there are any commonalities.

 

[Chance]

IMHO, I think what would add MORE value to the organization is to track the nature of internal audit finidngs. Is it happening over and over in a particular department, is the kind of issue spreading through all departments, is it the same auditee all the time.
Internal audits at planned intervals does not necessarily mean doing it in the specified date, well its good if it is. The most important date is the actual date the audit was conducted.
Missing the right time to conduct an audit could possibly lead to a business risk - as long as there is no foreseen risk changing the date won't matter too much. So don't worry about it, focus on what adds value to the organization.