Food for though - I think I’m inspired today
Theoretically speaking - love theory - what is the objective of an internal audit?
For ISO 9001/13485 it is to determine if the qualit system
- conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and
- is effectively implemented and maintained.
People tend to think of it only in terms of the time (6 months, 1 year, 2 years, etc) and in bulk (the internal audit wil verify everything), but in fact "planned intervals" and the four things you have to verify means that you have to analyse your processes and decide when it's necessary to:
- evaluate if the planning of product realization is being followed - this is related to fulfilling the plan.
- evaluate if the requirements of ISO standards are being fulfilled (the process "control" requirements which is what the standards are) - this is related to fulfilling the standard.
- evaluate if the requirements of the quality management system (the majority of the reuirements of any system are the ones that the organization defines as needed to perform - meaning, the processes requirements) - meaning, if the requirements define by the company are being fulfilled.
- evaluate if the system is effective - this is related to the system performance, meaning, if the system is achieving it's objectives.
Note that they are 4 very different things, but users and auditors usually focus only on the second part thinking that the "audit" will verify everything.
In fact it won't.
Also note that the type of audit for each one differs, which means that the required intervals differs too.
Problably, the best way to fulfill these requirements is to have at least 4 different audits, each one focusing on one of the aspects required by the standard.
- one audit to evaluate if the product realization planning is being fulfilled - plans are to be created and followed - and usually are finished in the defined time, and are only re-taken if something changed. So, this audit would be in principle performed when you create for the first time your product realization process, and another audit is only needed if the plan changes. This is the planned interval (note that it's related to the time but to a situation)
- one audit to evaluate the conformity with the standard - this is what regulators, NBs and certification bodies really might think of being annual. However, from the standpoint of the standard, when is it really necessary to evaluate the conformity with the standard?
If you remember that the requirements of a management system standard are simply controls which have to be included in the processes defined by the organization to fulfill it's objectives, when you need to evaluate if the controls are being used correctly? The standard already require that the system have a feedback loop of monitoring, measurement and anslysis processes to ensure conformity. So, in fact an audit to evaluate thaht the controls are implemented are only necessary when you implement the controls, or when the standard changes - not annually!
- one audit to evaluate if the requirements of the quality management system are being met - the same thing, once implemented, an audit would only be needed if things change.
- one audit to verify if the system is effectively implemented and maintained - this is the real deal. This audit verify if the system is “performing” as intended, if it’s achieving it’s objevtives. So, if the objective of a process is to creat xx devices per month, this audit would evaluate that. When is it needed? Aytime the business needs to verify if it’s operating as intented. Is annually ok? Doubt it, if I have a business I would require some kind of monthly analysis to verify that things are ok. From a business perspective, I cannot wait one year to see if things are ok, I need as much assurance as temporarily possible to make business decisions if things are out of the expected.
Wow. Now I’m tired.