Internal Audits - Can I do them all?

NiceTom

#22
Well now I am getting confused about the internal audit frequency. One person is telling me that auditing elements once per year is not enough-in fact, a glaring mistake, that the CB (certifying body?) should never have allowed to pass. I understand your points about basing the audit schedule around process changes, under-performing areas, customer needs, etc., but I'm getting hung up on how to schedule things in a "planned interval" manner. Some of these types of issues are due to unforeseen problems, which would tend to make having "planned intervals" more difficult.

Another person is telling me that by using a well-reasoned approach, they audit critical processes once per year, and less critical processes every two to three years. As you explain it, I understand, and agree. I think your approach goes right along with what Andy is saying (correct me if I'm wrong), yet....the pragmatic part of me recognizes that even though my Company is using a calendar-based approach, rather than a well-reasoned approach, they are still performing internal audits more often.

Another person is telling me that once per year is a common, rule-of-thumb method (in my limited experience-I've only worked at 3 places-this is how it's been at all of them).

At this point, the QMS for my company states that all elements are to have internal audits annually. Is this, or is this not, in compliance with the standard?
 

Big Jim

Super Moderator
#23
You are exceeding the requirements of the standard and in so doing you are aligning yourself with how it is usually done. Of course, since you say that is how you will do it, that is how you need to do it.

Your company can change that approach, and if done properly you can still meet the requirements of the standard. Some of those alternative ways may raise the eyebrows of an auditor though, and some less enlightened audits may take exception to it. It is always good to be able to explain and defend your position, as some on this thread have done.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#24
Let us step back a moment and do a compare/contrast exercise.

The standard - I presume you are referring to ISO 9001, 8.2.2 - says "An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits." The 9001 standard does not say audits need to be done to any time frame. The TS 16949 standard (8.2.2.2) does go on to say "The organization shall audit each manufacturing process to determine its effectiveness" and (8.2.2.4) "Internal audits shall cover all quality management related processes, activities and shifts, and shall be scheduled according to an annual plan" so we must be clear there's an expectation that everything gets audited.

Now let's look at the "planned interval" thing. It means you plan audits at intervals of time, which may be yearly or it may be 1 year for A, B and C, and every other year for D, E and F. From this long range plan a yearly plan is made. In addition to inserting the audits from the long range plan, the organization is expected to schedule based on audit results. If I find a major problem while auditing or a process undergoing fundamental change, I will put that into the coming year's audit plan regardless of what the long range schedule says. At the bottom of my annual audit plan I keep notes about these decisions, not because the standard says I have to but as evidence to show CBs and because I might need to be replaced suddenly and the next person should be left with sufficient data to explain why the annual plan shows audits are scheduled as they have been.

Keeping both long and short range schedules can be confusing, but I find the idea of auditing everything each year more of a burden than maintaining these schedules.

If you go a complete registration cycle (3 years for ISO 9001, 14001, OHSAS 18001 for example, which I audit to) without auditing one or more processes, then you are very likely to be asked to explain how you know your processes are effective without auditing them. We're expected to understand and respond to critical importance of certain processes by scheduling their audits yearly.

The approach I take isn't necessarily the approach you should take. Many organizations schedule audits annually because they think they have to, because they think they should, or because it's too confusing to take the 3-year approach as I have done. Indeed, one of the systems I audit (ISO/IEC 17025) is scheduled on an annual basis - I audit every process in there once a year, both because it's an immature management system and I believe the CB auditors from A2LA expect it.

Since your manuals/process specs say you will audit yearly, then that's what you must do unless/until you change those documents.

Since you are new there I believe you can take the calculated risk of being accused of auditing your own work by going through everything before you get much into the job of managing the system, IF you do not delay and IF you complete them expediently. I argue this is the best approach, just this once, because in your position of responsibility you need to make strategic plans for the QMS, and the results of your audits can be presented to top management for resourcing as needed. During a registration audit you can expect to be challenged on this because it's true the standard says auditors shall not audit our own work. So your audit samples cannot include anything you have done since you started there.

Such results may, or may not, support a decision to make a long range plan and change your documents to show that decision.

Does this make sense?
 
#25
Tom: I understand your confusion. Let me put it to you simply. If 'all elements' or 'the whole system' had to be covered once a year, it would be in the standard, wouldn't it? This is an aspect of the standard where the requirements, 'conventional wisdom' and (some) CB auditors' preferences get blurred...

You have to meet the 'status and importance' requirements, as well as defining a frequency. So, given your particular situation, I'd recommend this course of action:-

1. Take the 2011 schedule and put a date on there to do a system wide audit.

2. Since there's been no internal audits done, do that system-wide, process based audit, from RFQ to delivery out the shipping dock (or similar) as a way to 'baseline' your understanding of the current status.

3. From that, analyze your results and put some kind of simple Pareto analysis of the results (ncs) and from that, determine what to audit next. Start with a frequency of monthly - you can do more frequent audits, of course, if your results tell you that the system needs more work to bring it to compliance.

4. Put on the schedule a couple of dates which are 'hard points' - like when your CB is coming in (get that from them if they didn't tell you already). Work back from that date and schedule audits around the things they plan on looking at - corrective actions, management review, customer feedback etc. We know you can't do an internal audit on yourself, so you now have a date and a reason to find another auditor (internally or externally).

5. Fill in the schedule with the results of the analysis between the dates of the first audit you do, and the CB audit.

6. Do your audits, report results, etc.

7. Present your work to management to show them what you're doing. Show them the standard and any back up info like this forum's comments, to let them know that you need another auditor and why the past audit once a year wasn't enough.

Also tell them the CB auditor wasn't doing their job! Things will change and be better from now, since your approach will be risk based and they should call on your audits to help get control over the risks they lose sleep over!

OK, questions?
 
#26
Jennifer - I believe your approach would be correct for a very large organization, however for much smaller businesses, the whole concept of dealing with a 3 year window is highly improbable. Especially, since - from my understanding of your role - your audits are doing the 'corporate' version of compliance audits, not so different from what the CB does. BTW, I've seen such an approach done in many very large corporations, multi-sites and so on. For a one building business, I don't believe this would work, however...they need smaller, focused audits on particular processes, client requirements, suppliers etc.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#27
I agree that a small business would be more likely to do audits more often than once every three years. My place only has a few processes that get the three-year frequency. Most are one or two years.

But I'd reserve judgement on what's right until I actually saw the operations by doing a full round of audits. Until then I will just point out that the standard does not require everything be audited annually - it's a common misunderstanding that we here in the Cove have addressed many times - and what options look like.

No, I don't do much corporate level auditing - mostly at the manufacturing site. But I would LOVE to ask the Director of Global Quality (whom I sometimes sit next to during dinner after an ASQ meeting) what those audit metrics that we report to corporate mean to top management during management review, what decisions are derived from them, and why his own corporate office's audit metrics aren't included.

Our site audits are on processes, but also on unscheduled topics like "Why are we always shutting down the line from running out of critical material?" when someone asks for it. I do audits at the operational level, and am describing how those operational-level audits are scheduled in my place.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#28
Andy, in what way was the CB auditor not doing his/her job? My understanding is that the 2011 audits will be looked at during next year's registration audit. So, a schedule not having been made or followed and no competent auditor apparently having been resourced during that time, there's clearly a nonconformance but they hired our OP to fix things.

Since it would be laughable to conjure a 2011 audit schedule at this stage of the year, it seems to me that "is what it is" and he should just expediently do this round of audits and make next year's schedule. When auditing internal audits he can point out the lack of an annual schedule and audits for the past many months, but I wonder how much value citing a nonconformance would add when the action to resolve the problem is the OP himself?
 
#29
Partly, in letting the organization only do an annual audit! Without knowing much about the OP's organization, I will predict that plenty has happened which should have resulted in audits being done, during the year.

So, now there's culpability on the CB auditor's part, since they 'allowed' only one audit a year to happen, if a new auditor comes along, in the interim, and does what should have been done all along, they can hardly call 'foul' can they?
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#30
He described previous audits as having been done by a contracted consultant. That being the case I would not be surprised to see them all done at once. After all, the standard doesn't say when they will be done, just that they will be done and scheduled annually.

One could certainly argue, based on what little I know from this thread that this is an organizational attempt to improve things, to make audits an internal process versus hiring an outsider. And that having been done if I was a CB and saw an organization packing an entire system's worth of audits into a single month or quarter, I would ask why. But as I understand the requirements (do I?) the CB can't require audits to be spaced out throughout the year so the question is really an exploration into that rather subjective topic called effectiveness.
 