Well now I am getting confused about the internal audit frequency. One person is telling me that auditing elements once per year is not enough-in fact, a glaring mistake, that the CB (certifiying body?) should never have allowed to pass. I understand your points about basing the audit schedule around process changes, under-performing areas, customer needs, etc., but I'm getting hungup on how to schedule things in a "planned interval" manner. Some of these types of issues are due to unforseen problems, which would tend to make having "planned intervals" more difficult.
Another person telling me that by using a well-reasoned approach, they audit critical processes once per year, and less critical process every two to three years. As you explain it, I understand, and agree. I think your approach goes right along with what Andy is saying (correct me if I'm wrong), yet....the pragmatic part of me recognizes that even though my Company is using a calender-based approach, rather than a well reasoned approach, they are still performing internal audits more often.
Another person telling me that once per year is a common, rule-of-thumb method (in my limited experience-I've only worked at 3 places-this is how it's been at all of them).
At this point, the QMS for my company states that all elements are to have internal audits annually. Is this, or is this not, in compliance with the standard?
Let us step back a moment and do a compare/contrast exersize.
The standard - I presume you are referring to ISO 9001, 8.2.2 - says "An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits." The 9001 standard does
not say audits need to be done to any time frame. The TS 16949 standard (8.2.2.2) does go on to say "The organization shall audit each manufacturing process to determine its effectiveness" and (8.2.2.4) "Internal audits shall cover all quality management related processes, activities and shifts, and shall be scheduled according to an annual plan" so we must be clear there's an expectation that everything gets audited.
Now let's look at the "planned interval" thing. It means you plan audits at intervals of time, which may be yearly or it may be 1 year for A, B and C, and every other year for D, E and F. From this long range plan a yearly plan is made. In addition to inserting the audits from the long range plan, the organization is expected to schedule based on audit results. If I find a major problem while auditing or a process undergoing fundamental change, I will put that into the coming year's audit plan regardless of what the long range schedule says. At the bottom of my annual audit plan I keep notes about these decisions, not because the standard says I have to but as evidence to show CBs and because I might need to be replaced suddenly and the next person should be left with sufficient data to explain why the annual plan shows audits are scheduled as they have been.
Keeping both long and short range schedules can be confusing, but I find the idea of auditing every thing each year more of a burden than maintaining these schedules.
If you go a complete registration cycle (3 years for ISO 9001, 14001, OHSAS 18001 for example, which I audit to) without auditing one or more processes, then you are very likely to be asked to explain how you know your processes are effective without auditing them. We're expected to understand and respond to critical importance of certain processes by scheduling their audits yearly.
The approach I take isn't necessarily the approach you should take. Many organizations schedule audits annually because they think they have to, because they think they should, or because it's too confusing to take the 3-year approach as I have done. Indeed, one of the systems I audit (ISO/IEC 17025) is scheduled on an annual basis - I audit every process in there once a year, both because it's an immature management system and I believe the CB auditors from A2LA expect it.
Since your manuals/process specs say you will audit yearly, then that's what you must do unless/until you change those documents.
Since you are new there I believe you can take the calculated risk of being accused of auditing your own work by going through everything before you get much into the job of managing the system, IF you do not delay and IF you complete them expediently. I argue this is the best approach,
just this once, because in your position of responsibility you need to make strategic plans for the QMS and presenting and the results of your audits can be presented to top management for resourcing as needed. During a registration audit you can expect to be challenged on this because it's true the standard says auditors shall not audit our own work. So your audit samples
cannot include anything you have done since you started there.
Such results may, or may not support a decision to make a long range plan and change your documents to show that decision.
Does this make sense?