Internal Auditing - Umbrella QMS and Multiple Standards

KMJA

Registered
#1
Hi everyone, I hope I can get some help with this.

Currently my company has 3 major sites across the world, including our HQ. Of these, our HQ and one other site are both ISO 9001 and API Q1 certified; the third site will come online as the need for certification arises.

In order to manage this we have established a global management system which includes a number of internal standards that define our minimum requirements for getting things done (these are written to combine the requirements of API, ISO 9001, some other standards we're compliant with and our own internal best practice). The intention was that sites would develop their own procedures to meet the requirements of our global standards, but the reality is that the standards tend to be prescriptive enough (including flowcharts and getting relatively detailed where appropriate) and the sites don't have a need for their own procedures outside of specific manufacturing procedures where equipment varies, etc.

My question is relating to how one goes about putting together an audit program for this kind of situation. At the moment we are performing full system audits to the ISO 9001 and API Q1 standards separately at each site; however, this only gives us the opportunity for a cursory glance at compliance with our own standards due to time and resource limitations. I should also mention that our auditors all come from our HQ site and are shipped around the world to perform these audits - our production sites tend to run very lean and there generally wouldn't be enough work for a specific QA rep at every site.

What we are currently proposing is two desktop audits against the ISO and API standards for our internal standards at our HQ level to verify compliance of the system as a whole, and then all site audits to be conducted against only our own internal standards. Is this something that is generally accepted? I note that both API and ISO 9001 state that every site needs to be compliance audited to the entirety of the respective standard; however, I don't see an easy way of doing this without repeating vast amounts of information in every audit that's conducted. Another concern that arises is that not everything in the standards generally needs to be documented in a process/standard, so how do we capture those things at the site level without performing a compliance audit? Essentially, how do I build an effective audit programme in this kind of setting with relatively limited resources?
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#2
> Essentially, how do I build an effective audit programme in this kind of setting with relatively limited resources?

Welcome to The Cove. Indeed, you have a lot of challenges ahead and you need to realize that API Spec Q1 pretty much mandates the internal audit of the whole QMS within a 12-month cycle.

The best way to overcome resource challenges for internal audits is to develop an audit program that is perceived by top management as a business benefit and they would like to see more done. As long as the internal audits are performed primarily to "pass" external audits, the mindset is: what is the least we can do and still "pass" the CB audits. When that is the case, top management will want to lean the resources for internal audits as much as possible.
In order to develop a QMS internal audit process that is perceived by top management as an added value activity, an organization needs internal auditors that are knowledgeable and competent in making the connection between the risks in the business processes that affect product conformity and customer satisfaction and their audits.

Remember, all of these QMS standards require top management to provide adequate resources for the operation of the system. Limited resources is the reality for everybody. The question becomes: how can I demonstrate that these audits add value so the resources are not overly limited?

Good luck.
 

KMJA

Registered
#3
Hi Sidney, thanks for the quick response. I may have overplayed the lack of resources a little - they’re not exactly lacking in as much as they are centralised at one site for a number of reasons. Frequent travel and the costs associated aren’t really an issue, but I was more interested in how an effective programme could be built to incorporate the requirements of both standards.

I understand that API mandates an audit of the full system in each 12-month period, but my concern is where it says “Audits shall verify that the quality management system is effectively implemented and maintained and conforms to the requirements of this specification” (and ISO 9001 has a similar clause) - how do we go about satisfying these criteria without constant repetition of the standard clauses in audits? What I proposed above is essentially making our audits traceable back to the standards by ensuring our documented internal standards are compliant, and then auditing against our own internal standards at the production sites. Is this allowable and/or are there any issues with it I haven’t identified?

It’s very possible I’m overthinking it and we just have to do a pile of compliance audits alongside our process audits.
 

jmech

Trusted Information Resource
#4
From your first post, it is not clear to me if you are conducting separate audits for API Q1 and ISO 9001 (one audit for each standard per facility). Using API's combined Q1 & ISO 9001 audit checklist works and has always been acceptable to API in my experience, as long as you remove the API logo from it and control it as your own document (they started getting touchy about this a couple years ago). This should allow you to get down to one audit per site, if you were auditing them separately. If you were already auditing Q1 and 9001 together, then sorry for the wasted paragraph :)

Your proposal of ensuring that all your internal standards meet the API Q1 and ISO 9001 requirements and then verifying that each site meets your internal standards might be acceptable, provided that you have sufficient evidence and traceability. Your internal standards could be viewed as equivalent to your own audit checklist which incorporates the requirements of both Q1 and 9001. I think this should be acceptable, but it could depend on the auditor. You could help your chances of it being accepted by writing any findings against both Q1/9001 and your internal standards and by explicitly listing both API Q1 and ISO 9001 as audit criteria on your audit records for each location.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#5
> how do we go about satisfying these criteria without constant repetition of the standard clauses in audits? What I proposed above is essentially making our audits traceable back to the standards by ensuring our documented internal standards are compliant, and then auditing against our own internal standards at the production sites. Is this allowable and/or are there any issues with it I haven’t identified?

Yes, a 2-stage audit process like the one you proposed is doable. But remember that the site's command media (procedures, instructions, manuals, etc.) are dynamic and they get revised from time to time; so the auditors might be faced with newer versions of documents when they show up on-site. Also, are languages and cultures barriers to effective auditing? If the site's documentation is in a language not commanded by the HQ auditors, that's a hindrance.

Good luck.
 