Internal Audits - Can I do them all?

#31
He described previous audits as having been done by a contracted consultant. That being the case I would not be surprised to see them all done at once. After all, the standard doesn't say when they will be done, just that they will be done and scheduled annually.

One could certainly argue, based on what little I know from this thread that this is an organizational attempt to improve things, to make audits an internal process versus hiring an outsider. And that having been done if I was a CB and saw an organization packing an entire system's worth of audits into a single month or quarter, I would ask why. But as I understand the requirements (do I?) the CB can't require audits to be spaced out throughout the year so the question is really an exploration into that rather subjective topic called effectiveness.
From my experience, organizations use a consultant to get the audits up and running - once a year being all they're prepared to pay for, and that a CB auditor will 'accept' as complying. However, now they may wish to save money or even have some frustration that the audits are doing anything more than the CB does, hence bringing it 'inside'!

Certainly the CB auditor can't require 'spacing out', but then, practically doing one audit a year doesn't address the 'status and importance' does it? Does no organization have any changes/new or poor performing processes etc?

Oh and BTW - the basic ISO standard doesn't require anything to be done scheduled annually...
 
Elsmar Forum Sponsor

Sidney Vianna

Post Responsibly
Staff member
Admin
#32
So, now there's culpability on the CB auditor's part, since they 'allowed' only one audit a year to happen,
Andy, I suspect that 95%+ of CB auditors let this requirement slide. It is a collective failure of implementers, consultants and auditors. An annual internal audit schedule is the norm out there and there are things that are left to discretion. For example, when Jennifer said that some of the processes at her organization get audited once every 3 years due to system maturity and a risk assessment, someone could then try to stretch the interval from 3 to 5 to 10 years. Where in the standard does it say they couldn't ?
 
#33
Andy, I suspect that 95%+ of CB auditors let this requirement slide. It is a collective failure of implementers, consultants and auditors. An annual internal audit schedule is the norm out there and there are things that are left to discretion. For example, when Jennifer said that some of the processes at her organization get audited once every 3 years due to system maturity and a risk assessment, someone could then try to stretch the interval from 3 to 5 to 10 years. Where in the standard does it say they couldn't ?
We both know it says nothing of this Sidney!:rolleyes:

What's being missed here is that an effective process based audit will touch on many aspects of the QMS system and, as a result, much of the requirements of ISO can be evaluated each time. Furthermore, I'd suggest that any company which has nothing which affects a given process in a 3 year period - that is to say, nothing new/ nothing changed or poorly performing - which affects that process (directly or indirectly) has something wrong going on somewhere!
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#34
Andy, I suspect that 95%+ of CB auditors let this requirement slide. It is a collective failure of implementers, consultants and auditors. An annual internal audit schedule is the norm out there and there are things that are left to discretion. For example, when Jennifer said that some of the processes at her organization get audited once every 3 years due to system maturity and a risk assessment, someone could then try to stretch the interval from 3 to 5 to 10 years. Where in the standard does it say they couldn't ?
The standard doesn't say so anywhere, but we are registered to TS 16949 and its standard is rather more... detailed than ISO 9001, and we and our registrar have agreed it is acceptable to maintain our 3-year schedule based on our certificate having a 3-year cycle. Stretching audits out longer would be awkward, hard to defend, and both of us would prefer not to try.

And so it goes. Much is left open to the standard's interpretation unless the organization pins down the CB for exactly what would be deemed acceptable. This has to be a tricky subject for the CB to navigate, knowing that the certification body must press for effectiveness with nothing to clearly describe what that would look like. No wonder there is variation in third party audits, that is from one CB to another if each one does a good job of aligning its auditors to its internal guidelines, which in the past my plant's auditor declined to share with us. :notme:
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#35
Furthermore, I'd suggest that any company which has nothing which affects a given process in a 3 year period - that is to say, nothing new/ nothing changed or poorly performing - which affects that process (directly or indirectly) has something wrong going on somewhere!
No doubt that is the purpose for the wording in element 8.2.2: "...taking into account the status and importance of the processes and areas to be audited, as well as the results of previous audits."

I know my posts can get too wordy, but I had hoped I had satisfactorily made my points around that subject. If an organization runs an identical audit schedule every year, how can it exhibit it is using audits for understanding system effectiveness as the above 8.2.2 excerpt describes?
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#36
What's being missed here is that an effective process based audit will touch on many aspects of the QMS system and, as a result, much of the requirements of ISO can be evaluated each time. Furthermore, I'd suggest that any company which has nothing which affects a given process in a 3 year period - that is to say, nothing new/ nothing changed or poorly performing - which affects that process (directly or indirectly) has something wrong going on somewhere!
IMO what is being missed here is the fact that most registrants are completely disinterested in internal audit effectiveness. They just want the certificate. And the least thinking needed to get it and maintain it, the better.
 
#38
Much is left open to the standard's interpretation unless the organization pins down the CB for exactly what would be deemed acceptable. This has to be a tricky subject for the CB to navigate, knowing that the certification body must press for effectiveness with nothing to clearly describe what that would look like. No wonder there is variation in third party audits, that is from one CB to another if each one does a good job of aligning its auditors to its internal guidelines, which in the past my plant's auditor declined to share with us. :notme:
Surely not? Isn't it the organization's responsibility to define, in this case, what 'status and importance' or any other requirement means to them? The CB has no place in defining what's acceptable or what THE interpretation is.

Isn't it the responsibility of the CB auditor to confirm that what the client has implemented is, indeed, effective? I may be missing something here, but as a CB auditor in the past, we audited the client's 'planned arrangements' for implementation and confirmed compliance, than thus to the standard (after we'd done the 'stage 1').

I understand that many CB auditors go around making up their version of what ISO says - we read them here, often enough. However, the process should be to audit the client QMS for implementation and effectiveness, not debate words in the standard or auditor 'expectations'. This is where the variations come from - using the standard as their only audit criterion, instead of, primarily, the client's system!
 
#39
IMO what is being missed here is the fact that most registrants are completely disinterested in internal audit effectiveness. They just want the certificate. And the least thinking needed to get it and maintain it, the better.
Partly, it's true. I also suggest that the root of much of what's also wrong with internal audits is the bias of auditor training towards external techniques - in particular the accredited ones! Simply, if auditor training were focused in a similar manner to SSGB training, management would get results, whatever they expected...
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#40
Surely not? Isn't it the organization's responsibility to define, in this case, what 'status and importance' or any other requirement means to them? The CB has no place in defining what's acceptable or what THE interpretation is.

Isn't it the responsibility of the CB auditor to confirm that what the client has implemented is, indeed, effective? I may be missing something here, but as a CB auditor in the past, we audited the client's 'planned arrangements' for implementation and confirmed compliance, than thus to the standard (after we'd done the 'stage 1').

I understand that many CB auditors go around making up their version of what ISO says - we read them here, often enough. However, the process should be to audit the client QMS for implementation and effectiveness, not debate words in the standard or auditor 'expectations'. This is where the variations come from - using the standard as their only audit criterion, instead of, primarily, the client's system!
Like it or not, my people don't lay out in spec what "status and importance" means. But we can describe it whenever asked, which is at least once a year per registration audit.

I think it's the CB auditor's responsibility to notice ineffective implementation, such as a process audit's frequency not being sped up after the previous year's nonconformance, or conversely, effectiveness if the schedule does indeed show that sensitivity. Not only that, the CB auditor is responsible to notice if an audit manager can't talk to the subject.

But the standard specifies these things. Surely, a more difficult task is spotting and arguing ineffectiveness without evidence of a consequence to rote, glassy-eyed attention to conformity alone.
 
Thread starter Similar threads Forum Replies Date
lanley liao How to understand this words that the planning of internal audit shall take into consideration the results of previous audits? Oil and Gas Industry Standards and Regulations 10
M ISO13485:2016, MDSAP and Internal Audits ISO 13485:2016 - Medical Device Quality Management Systems 8
S Would this be a second site for the purposes of internal and third party audits? General Auditing Discussions 4
J ISMS - Internal Audits Internal Auditing 3
L Documented Information in Internal Audits Process (9.2) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
D CB and customer audits considered as internal audits? General Auditing Discussions 9
R IATF 16949 - Outsourcing of internal audits Internal Auditing 10
M Major vs. Minor for Internal Audits? Internal Auditing 10
C Internal Audits in a tiny Dx Company Internal Auditing 33
N Sampling Plan for Internal Audits - ISO 2859 or 3951 - Or Neither? Internal Auditing 6
O ISO13485 implementation - Are internal audits expected before stage 1 audit? Design and Development of Products and Processes 3
O Informational Scaling back internal audits due to corona virus while avoiding a NC Internal Auditing 7
G Internal Audits and Employee engagement Internal Auditing 16
S Internal audit discrepancy - We missed a few audits that were scheduled Internal Auditing 12
F ISO 17025 8.8 Internal Audits in a segmented company ISO 17025 related Discussions 5
qualprod Internal Audits - Categories of non conformances Internal Auditing 12
G Non Conformance During ISO 9001 Audit - Not All Internal Audits Completed General Auditing Discussions 19
K A way to monitor our Internal Audits as a KPI AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 7
blackholequasar Internal Auditing Inspiration - Getting volunteers to perform internal audits. Internal Auditing 22
A External Auditor issue with Internal Audits Internal Auditing 7
W Internal Auditing carried out by a 3rd party - Review of previous audits AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 3
E Informational Internal Audits - Wear multiple hats what can and can't I audit (so I'm not auditing my own work) Internal Auditing 149
Gman2 Quality Record Retention (Internal Audits, CA's) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 9
T Informational What is the purpose of Internal Audits? Internal Auditing 27
F API Spec Q1 9th Edition Surveillance Audit - Questions about internal audits. Oil and Gas Industry Standards and Regulations 22
Pmarszal ISO 19011:2018 - Risk Based Approach for planning, conducting and reporting of internal audits Internal Auditing 8
R ISO 13485:2016 Registration - NC on full cycle of internal audits ISO 13485:2016 - Medical Device Quality Management Systems 7
J Internal Audit clarification - How to perform the audits IATF 16949 - Automotive Quality Systems Standard 6
S Corrective Action from Internal Audits not performed ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 24
W FAA Advisory Circular (AC) Requirements (FAA AC 00-56) - Internal Audits AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 4
B Going into IATF 16949 transition without Internal Audits IATF 16949 - Automotive Quality Systems Standard 4
S Internal Audits performed by another local business ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 26
K No Internal Audits For Upcoming IATF Trans Audit IATF 16949 - Automotive Quality Systems Standard 5
J Supporting Processes - Internal Audits - Need help settling a debate IATF 16949 - Automotive Quality Systems Standard 4
K AS9100 Rev. D Transition - Internal Audits & Gap Analysis Requirements AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 14
J Internal Audits - Closing Audit Deficiency Reports (ISO 13485) Internal Auditing 4
S Is Audit Plan / Agenda required for Internal Audits? Internal Auditing 2
J ISO 9001:2008 - Can I still conduct Internal Audits in my company? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
F What is your favorite software for ISO 9001:2015 Internal Audits? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
C ISO 9001:2008 Surveillance Audit - No Internal Audits Internal Auditing 9
J Dinged on Internal Audits for supervising an auditor I was training Internal Auditing 10
Marc ISO 9001:2015 vs. 2008 - Internal Audits - What changes are you making? Internal Auditing 44
M Are auditing checklists required for Internal Audits? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 13
dubrizo Internal Audit Value - What is the point of conducting internal audits to a checklist Internal Auditing 40
D Using consultants for Internal Audits Internal Auditing 24
O New Job 1 Month from Recertification Audit - Missing Documents, no Internal Audits ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 25
R How do I conduct my API Q1, ISO compliant internal audits? Internal Auditing 1
F Is it good to outsource the Internal Audits? Quality Manager and Management Related Issues 16
S Advice for ISO17025 First Round of Internal Audits ISO 17025 related Discussions 10
S Engineering Audits - Internal Audits IATF 16949 - Automotive Quality Systems Standard 7

Similar threads

Top Bottom