Internal audits 3 year plan? Internal audit frequency

B

brutas

#1
Hello,

Our company has approx 60 processes in 26 countries!
We want to build 3 years internal audits plan (ISO9001). Each of the process has to be audited during this 3 years period. Could you give me a clue how to proceed? Are there any principles we have to follow? What would be the best way to assess all processes with minimal efforts?

:thanx:
 
Last edited by a moderator:
Elsmar Forum Sponsor

Coury Ferguson

Moderator here to help
Staff member
Super Moderator
#2
Re: Internal audits 3 year plan?

Hello,

Our company has approx 60 processes in 26 countries!
We want to build 3 years internal audits plan (ISO9001). Each process has to be audited once per 3 years. Could you give me a clue how to proceed? Are there any principles we have to follow? What would be the best way to assess all processes with minimal efforts?

:thanx:
Are your processes that much under control that you only need to perform Internal Audits on a 3 year cycle?
 

Coury Ferguson

Moderator here to help
Staff member
Super Moderator
#4
Re: Internal audits 3 year plan?

Well, for some I would say no, but this approach was agreed with our certification body
Technically, the CB couldn't say no. The requirements state upon importance and results of previous audits...

So, this is how I would approach the situation:

Develop the schedule based upon the 3 years cycle (e.g, Internal Audit schedule FY 2009, 2010, and 2011). Identify the process that will be reviewed , where and when. That will get you started.
 
D

Duke Okes

#5
Re: Internal audits 3 year plan?

Do what makes sense for your organization/processes, not what makes your CB happy.

At a minimum you should consider risk and previous performance of the processes. This also means that a 3-year plan may need to be revised if performance of a process changes.
 
B

brutas

#6
Re: Internal audits 3 year plan?

There is something that is also important:
Some of the processes are newly defined and implemented...
 

Coury Ferguson

Moderator here to help
Staff member
Super Moderator
#7
Re: Internal audits 3 year plan?

There is something that is also important:
Some of the processes are newly defined and implemented...
With this added information, than I would suggest that these specific processes be reviewed every other month, until you feel comfortable that they are producing the correct output.
 

Raffy

Quite Involved in Discussions
#8
Re: Internal audits 3 year plan?

Hi Brutas,
some insights...
for me its not practical. There are so many things that might happen within the three year period. On our end, we have the status and importance through point system and every year the audit plan change.
raffy
Hello,

Our company has approx 60 processes in 26 countries!
We want to build 3 years internal audits plan (ISO9001). Each of the process has to be audited during this 3 years period. Could you give me a clue how to proceed? Are there any principles we have to follow? What would be the best way to assess all processes with minimal efforts?

:thanx:
 

Randy

Super Moderator
#9
Re: Internal audits 3 year plan?

Set your cycle to correspond with the registrar...just provide seperation. If the registrar audits twice a year set your audits halfway between theirs.

All you have to show is effective planning, performance and results

Or apply what the registrars have to apply when doing multi-sites

From old Guide 62............

4. CRITERIA FOR SAMPLING

4.1. Methodology
4.1.1. The sample should be partly selective based on the factors set out below and partly nonselective,and should result in a range of different sites being selected, without excluding the random element of sampling.
4.1.2. At least 25% of the sample should be selected at random.
4.1.3. Taking into account the criteria mentioned hereafter, the remainder should be selected so that the differences among the sites selected over the period of validity of the certificate / registration is as large as possible.
4.1.4. The site selection criteria may include among others the following aspects:
a) Results of internal audits or previous certification/registration assessments,
b) Records of complaints and other relevant aspects of corrective and preventive action,
c) Significant variations in the size of the sites,
d) Variations in the work procedures,
e) Modifications since the last certification/registration assessment,
f) Geographical dispersion.
4.1.5. This selection does not have to be done at the start of the assessment process. It can also be done once the assessment at the central office has been completed. In any case, the central office shall be informed of the sites to be part of the sample. This can be on relatively short notice, but should allow adequate time for preparation for the audit.
4.1.6. The central office shall be examined during every certification/registration audit and at least annually as part of surveillance.

4.2. Size Of Sample
4.2.1. The certification/registration body shall have a procedure for determining the sample to be taken when auditing sites as part of the assessment and certification/registration of a multi-site organization. This should take into account all the factors described in this annex.
4.2.2. In the event that application of the certification/registration body’s procedure results in a smaller sample than would result from the application of the guidance set out below, the certification/registration body shall record the reasons justifying this and demonstrate that it is operating in accordance with its approved procedure.
4.2.3. The following guidance is based on the example of a low to medium risk activity with less than 50 employees at each site. The minimum number of sites to be visited per audit is:

Initial audit: the size of the sample should be the square root of the number of remote sites: (y=√x ), rounded to the upper whole number.

Surveillance visit: the size of the annual sample should be the square root of the number of remote sites with 0.6 as a coefficient (y=0.6 √x), rounded to the upper whole number.

Reassessment: the size of the sample should be the same as for an initial audit. Nevertheless, where the quality management system has proved to be effective over a period of three years, the size of the sample could be reduced by a factor 0.8, i.e.: (y=0.8 √x), rounded to the upper whole number.
4.2.4. The central office shall be visited in addition.
4.2.5. The size of sample should be increased where the certification/registration body’s risk analysis of the activity covered by the quality management system subject to
certification/registration indicates special circumstances in respect of factors like:
a) The size of the sites and number of employees,
b) The complexity of the activity and of the quality management system,
c) Variations in working practices,
d) Variations in activities undertaken,
e) Records of complaints and other relevant aspects of corrective and preventive action,
f) Any multinational aspects;
g) Results of internal audits.
4.2.6. When the organization has a hierarchical system of branches (e.g. head (central) office / national offices/regional offices/local branches), the sampling model for initial audit as defined above applies to each level.

Example:
1 head office: visited at each audit cycle (initial/surveillance/reassessment)
4 national offices: sample = 2: minimum 1 at random
27 regional offices: sample = 6: minimum 2 at random
1700 local branches: sample = 42: minimum 11 at random.

4.3. Assessment Times
4.3.1. The audit time to spend for each individual site is another important element to consider, and the certification/registration body shall be prepared to justify the time spent on multi-site assessment in terms of its overall policy for allocation of assessment time.
4.3.2. Normally the number of man-days per site should be consistent with the number shown in the chart in Annex 2 of IAF Guidance on the Application of ISO/IEC Guide 62 - 1996.
4.3.3. Reductions can be applied to take into account the clauses that are not relevant to the local sites and are only examined at the central office.
4.3.4. The complexity of the activity is another factor that may be taken into consideration.
4.3.5. No reduction is permitted for the central office.
4.3.6. The total time expended on initial assessment and surveillance (understood as the total sum of the time spent at each site plus the central office) should never be less than that which would have been calculated for the size and complexity of the operation if all the work had been undertaken at a single site (i.e. with all the employees of the company in the same site). In most cases it will be considerably more.

4.4 Additional Sites
4.4.1. On the application of a new group of sites to join an already certified multi-site network, each new group of sites should be considered as an independent set for the determination of the sample size. After inclusion of the new group in the certificate, the new sites should be cumulated to the previous ones for determining the sample size for future surveillance visits or reassessment audits.
 
#10
Re: Internal audits 3 year plan?

Hello,

Our company has approx 60 processes in 26 countries!
We want to build 3 years internal audits plan (ISO9001). Each of the process has to be audited during this 3 years period. Could you give me a clue how to proceed? Are there any principles we have to follow? What would be the best way to assess all processes with minimal efforts?

:thanx:
The simple answer is 'don't'..............

You can't build a meaningful internal audit schedule that covers three years from now. Of course your CB auditor likes it - that's what they do, but since you don't have a crystal ball you can't base a schedule for internal audits like this!! Your CB auditor has no say in this matter, other than to ensure you've reflected the requirements of ISO 9001 in your audit process.

You are required to establish an audit programme based on status and importance - on which there have been numerous posts here, if you'd care to search.

Stop emulating the CB approach - it's not a suitable basis for internal audits. Do the scheduling based on what drives (management) value in your business.
 
Thread starter Similar threads Forum Replies Date
N Sampling Plan for Internal Audits - ISO 2859 or 3951 - Or Neither? Internal Auditing 6
S Is Audit Plan / Agenda required for Internal Audits? Internal Auditing 2
ScottK Using Customer Audits as part of the Internal Audit Plan for ISO9001 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 12
R Outsourcing Internal Audits - Hiring a contractor to plan and perform internal audits Internal Auditing 21
lanley liao How to understand this words that the planning of internal audit shall take into consideration the results of previous audits? Oil and Gas Industry Standards and Regulations 10
M ISO13485:2016, MDSAP and Internal Audits ISO 13485:2016 - Medical Device Quality Management Systems 8
S Would this be a second site for the purposes of internal and third party audits? General Auditing Discussions 4
J ISMS - Internal Audits Internal Auditing 3
L Documented Information in Internal Audits Process (9.2) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
D CB and customer audits considered as internal audits? General Auditing Discussions 9
R IATF 16949 - Outsourcing of internal audits Internal Auditing 10
M Major vs. Minor for Internal Audits? Internal Auditing 10
C Internal Audits in a tiny Dx Company Internal Auditing 33
O ISO13485 implementation - Are internal audits expected before stage 1 audit? Design and Development of Products and Processes 3
O Informational Scaling back internal audits due to corona virus while avoiding a NC Internal Auditing 7
G Internal Audits and Employee engagement Internal Auditing 16
S Internal audit discrepancy - We missed a few audits that were scheduled Internal Auditing 12
F ISO 17025 8.8 Internal Audits in a segmented company ISO 17025 related Discussions 5
qualprod Internal Audits - Categories of non conformances Internal Auditing 12
G Non Conformance During ISO 9001 Audit - Not All Internal Audits Completed General Auditing Discussions 19
K A way to monitor our Internal Audits as a KPI AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 7
blackholequasar Internal Auditing Inspiration - Getting volunteers to perform internal audits. Internal Auditing 22
A External Auditor issue with Internal Audits Internal Auditing 7
W Internal Auditing carried out by a 3rd party - Review of previous audits AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 3
E Informational Internal Audits - Wear multiple hats what can and can't I audit (so I'm not auditing my own work) Internal Auditing 149
Gman2 Quality Record Retention (Internal Audits, CA's) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 9
T Informational What is the purpose of Internal Audits? Internal Auditing 27
F API Spec Q1 9th Edition Surveillance Audit - Questions about internal audits. Oil and Gas Industry Standards and Regulations 22
Pmarszal ISO 19011:2018 - Risk Based Approach for planning, conducting and reporting of internal audits Internal Auditing 8
R ISO 13485:2016 Registration - NC on full cycle of internal audits ISO 13485:2016 - Medical Device Quality Management Systems 7
J Internal Audit clarification - How to perform the audits IATF 16949 - Automotive Quality Systems Standard 6
S Corrective Action from Internal Audits not performed ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 24
W FAA Advisory Circular (AC) Requirements (FAA AC 00-56) - Internal Audits AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 4
B Going into IATF 16949 transition without Internal Audits IATF 16949 - Automotive Quality Systems Standard 4
S Internal Audits performed by another local business ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 26
K No Internal Audits For Upcoming IATF Trans Audit IATF 16949 - Automotive Quality Systems Standard 5
J Supporting Processes - Internal Audits - Need help settling a debate IATF 16949 - Automotive Quality Systems Standard 4
K AS9100 Rev. D Transition - Internal Audits & Gap Analysis Requirements AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 14
J Internal Audits - Closing Audit Deficiency Reports (ISO 13485) Internal Auditing 4
J ISO 9001:2008 - Can I still conduct Internal Audits in my company? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
F What is your favorite software for ISO 9001:2015 Internal Audits? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
C ISO 9001:2008 Surveillance Audit - No Internal Audits Internal Auditing 9
J Dinged on Internal Audits for supervising an auditor I was training Internal Auditing 10
Marc ISO 9001:2015 vs. 2008 - Internal Audits - What changes are you making? Internal Auditing 44
M Are auditing checklists required for Internal Audits? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 13
dubrizo Internal Audit Value - What is the point of conducting internal audits to a checklist Internal Auditing 40
D Using consultants for Internal Audits Internal Auditing 24
O New Job 1 Month from Recertification Audit - Missing Documents, no Internal Audits ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 25
R How do I conduct my API Q1, ISO compliant internal audits? Internal Auditing 1
F Is it good to outsource the Internal Audits? Quality Manager and Management Related Issues 16

Similar threads

Top Bottom