Internal Auditing in a Multi-Site Environment

G

Greg_F

Hi there,

we are wondering about the scope of the internal audit program in a multisite environment. The question is: needs each site to be fully internal audited each year or are random sample audits in the different sites sufficient taking for granted that every aspect of the system is covered every year.

Looking forward to your expert opinions. What would be the recommended way of working.

Greg F.
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Re: Internal auditing in a multisite environment

Good day Greg F,

There is a common assumption that each site must be audited to the entire standard each year. It is a myth. In fact, 8.2.2 of ISO 9001 specifically states that audit planning is to be done based on (paraphrased) importance of the process and process performance, including what happened in the previous audit(s).

That means it is both practical and expected to audit some processes more frequently than others, but be warned that CBs will expect to hear an understanding of why that process is scheduled for every second or third year.

I would not schedule longer than three years, so I would make a matrix to ensure all the processes and parts of the standard (except exclusions of course) get covered at least once in a three year period, but critical processes get scheduled more often. I would additionally find a way to show how your planning addresses process performance, especially if previous audit results showed significant problems. I would speed up the schedule for those processes if they skip a year or two.

I hope this helps!
 

somashekar

Leader
Admin
Re: Internal auditing in a multisite environment

Hi there,

we are wondering about the scope of the internal audit program in a multisite environment. The question is: needs each site to be fully internal audited each year <snip>
It is never the year that is a benchmark. Rather it is the process and its significance with respect to the overall QMS performance. The multisites may be interacting with each other as well as with the lead site. Changes in a site may effect the performance at an other site. This has to be critically viewed and assessed if internal audit frequency have to be changed at such effected sites. Jennifer has done the neat explanation.
 

AndyN

Moved On
Re: Internal auditing in a multisite environment

Hi there,

we are wondering about the scope of the internal audit program in a multisite environment. <snip>

Greg: Running an internal audit programme shouldn't be confused for emulating the CB audit process. The idea that you have to audit the QMS on a specific time frame is not appropriate. Jennifer gave some strong direction as to what you should consider. I'll go a step further and tell you that you don't even have to have any kind of calendar of planned audits! OK, so a couple of audits might have a place in a 12 month cycle, but after that, stop trying to "preduct" where you should audit and think "RISK" and "IMPORTANCE".

Risk comes from new/changed and poor/over performance. Importance looks at the risk from the perspective of the customer or profitability. So, what's new/changed/poorly performing and how does it impact the customer or your own internal operations? THAT's where you go audit! Do it on a rolling 30/60/90 day window. Plan them WITH your management team.
 
M

mguilbert

Re: Internal auditing in a multisite environment

We have a multi-site certificate. As I agree with other suggestions based on risk. We have a dedicated audit team of two. Our department goals are to audit each location twice per year. In addition those recieving the CB audit will be audited a third time. We believe if it is important enough to be included in the scope of our certificate, the process they perform is important enough to warrant at least annual internal audits. Audits for a location may be increased due to findings and risks. We currently have 16 sites in our scope. They are in Arkansas, Oklahoma, South Carolina, Georgia, Tennessee, Mississippi, and Alabama. We, as the ISO department also do presentations, facilitate changes, act as gate keeper for documents, create data analysis tools and electronic documents, and help educate employees on ISO.

Edit: As others have mentioned we do not audit each facility to the full standard. Certain tasks are performed by the corporate office ie. product planning.

I hope this helps. This is just we do.
 
Last edited by a moderator:

Big Jim

Admin
Re: Internal auditing in a multisite environment

Greg: I'll go a step further and tell you that you don't even have to have any kind of calendar of planned audits! OK, so a couple of audits might have a place in a 12 month cycle, but after that, stop trying to "preduct" where you should audit and think "RISK" and "IMPORTANCE".

Risk comes from new/changed and poor/over performance. Importance looks at the risk from the perspective of the customer or profitability. So, what's new/changed/poorly performing and how does it impact the customer or your own internal operations? THAT's where you go audit! Do it on a rolling 30/60/90 day window. Plan them WITH your management team.

Keep this in balance with what the standard says:

"The organization shall conduct internal audits at planned intervals . . . "

and:

"An audit program shall be planned, taking into consideration the importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency, and methods shall be defined."

Most of all, the internal audit schedule should be a living document that is modified as frequently as needed to accommodate changing conditions in your QMS.

This isn't going to be easy without a calendar.
 

AndyN

Moved On
Re: Internal auditing in a multisite environment

This isn't going to be easy without a calendar.

Planned intervals doesn't mean the same as a time based frequency. In fact, the previous version of ISO9004 actually said that audit scheduling should be flexible. Having a calendar and then keep changing it doesn't make sense...
 
F

Frankie11

Re: Internal auditing in a multisite environment

Hi Greg F,

We do at least one on-site audit at each location every year and try to cover as much of the system as we can during the visit (like a surveillance audit).

We also do monthly remote audits via email. So for example, I would ask all locations to email through the last 2 pages of their non-conformance register and then select one or two NCs and ask for those to be sent through and audit the process that way.
 

Big Jim

Admin
Re: Internal auditing in a multisite environment

Planned intervals doesn't mean the same as a time based frequency. In fact, the previous version of ISO9004 actually said that audit scheduling should be flexible. Having a calendar and then keep changing it doesn't make sense...

Agreed. But having a calendar and modifying it as needed does make sense and it would be easier to handle it with a calendar than without.
 

AndyN

Moved On
Re: Internal auditing in a multisite environment

Agreed. But having a calendar and modifying it as needed does make sense and it would be easier to handle it with a calendar than without.

Not in my experience... I based my comments on successfully managing a TS 16949 Internal Audit programme - System, Process, Product and LPAs (for Chrysler) and NOT predicting a calendar for the QMS, which worked very well, without making multiple changes as issues were encountered. This practical experience, leading to a successful TS registration (and multiple product launches) was done with the full collaboration and understanding of the plant staff, with a smooth transition to the TS co-ordinator after I moved on to another assignment.
 
Top Bottom