Internal Audits For Multiple Sites - 80 locations but only one is ISO 9001:2000



Internal Audits For Multiple Sites

We have 80 locations but only one is ISO 9001:2000 certified. However, every location follows the same quality system. Many customers are auditing the non-certified locations and writing nonconformances for not doing internal audits. At non-certified locations, is it possible to do partial audits or maybe audits at each location every few years? Also, if the documentation is being audited annually for the certified location, I don't think we should have to do an internal audit on the documentation every time we audit another location since the documentation is the same for every site (this is an online quality system with forms, SOPs, Quality Manual, etc.). Can I change the procedure to indicate only full audits are conducted at certified locations? Please advise...thanks!:ca:

Jim Biz

Thoughts to ponder


First impression is what level of customers do you have??

Why? would a customer
1) Do any type of "Formalized audit" of a non-certified facility?
(Other than for their own informational purposes)
2) Feel it necessary to issue a written nonconformance??

In situation one - nothing that I know of would make an "audit anything more than a "Lets look see what you are doing"
Oh sure there are customers out there that have heir own definitions of "Audits" but IMHO if they know their business that should "Rule Out" the formalization of the process.

In situation two - ok so a customer writes a nonconformance on a situation that you have recognized from past history - what's the penality ?? - It might make the customer feel better - you can put the remarks into a customer comlaint file for future focus or customer satisfaction (informational) file - but unless/until the facility being "audited" is prepared to be registered - its "just an opinion" anyway.

Can you write into the system that says audits are conducted at certified facilities only - sure but usually thats a "given" --

Upon further reflection

?? Where did you write into the system that non-certified facilities would folow the certification documentation to begin with?? - Does the Scope of your manual state that the policys & actions apply to all facilities - certified or not?

Then again this all could change IF you are claiming somehow that "All facilities" are self certified or operating under certified systems documentation.
Havent looked latley but at least in ISO9000- there is NO clause or case for Exemption of auditing.
Last edited by a moderator:


RE: Thoughts to ponder

These are mostly aerospace customers but for instance today it is Honeywell. They know these facilities are not certified but they require compliance. They hire outside companies or have inside auditors perform the audits, which are identical to ISO audits. I do the internal audits for our ISO facility but I can't fly all over the country doing each location and we don't have the manpower to train internal auditors for every location and manage separate audit schedules for each one.

Jim Biz

Well - there "May" be a way to satisfy them as long as they "know" the facilities are not certified.

Create an Internal audit completion checklist - post it on your companies network & require each facility to do a check-off report yearly (not a "formal ISO internal audit mind you) just an informal

a Yes/no we reviewed the System documentation Model dated __
b Yes/no we are in compliance with sections 4.1-5.X 6.X etc.
c yes/no We feel due to review the system could be improved at our site with the addition of _____ or change to _____

Gather the information at your site and use it as a benchmark for overall compay improvements.

:bonk: Only other thought is that IF they insist on pushing the issue you could also do a cost study and inform them what costs would be passed on to them with the demand for internal ISO audits be conducted at each "Non certified" facilitiy.



Good idea, I will share with management...Thanks a lot!:bigwave:



I don't see how you could claim an individual facility is compliant to ISO 9000 if there is no type of internal audit done. You could also be risking problems at your headquarters location since you are not following the customer requirement of being ISO compliant.

Also, if you are not doing audits, how do you know there are not other parts of the system that are not being implemented? How do you know if site # 79 complies with 100%, 50% or 0% of your corporate requirements?

Options I could see for you include:

1. Make up some checklists of the system requirements. Make these specific to your operations. Since all 80 sites are the same, you only have to make them once. Use questions built on your specifics - for example:

ISO Question: Is there a system to identify and segretage nonconforming material.

Your site question: Is nonconforming material in house identified with form # ABC-123 and stored in the designated holding area? Is there evidence the MRB board has met to disposition material as required by SOP-1234? Are monthly pareto charts of NC causes and dollars lost maintained as per SOP-9999? and so on.

Setting up checklists like this should make it pretty easy for your site people to audit their owns system without the need for much training.

2. Select a sample of sites to audit each year. Make it clear to your customers that it is quite possible each site will not be audited each year, but a sample is taken throughout the company and as long as the system seems to be working elsewhere, all locations are covered. This would basically be the same as the corporate registration scheme.

The negative with this plan is that if one site fails, you need to consider that all have failed since it is not clear if the system is implemented or not. Nonconformances or other issues could be a trigger for an audit, but can also show that the site is not in compliance with the requirement.

3. Consider your customer audits the same as an internal audit. This does not meet the true intent of auditing your own system, but it is better than saying you don't do any auditing at all. I doubt this would pass your customer's review, but you could give it a shot.

I agree that if you documentation is the same everywhere, you only have to audit it once.

My suggestion would be a combination of #1 and #2 above. Implement a site self assessment checklist and have them communicate them back to HQ. Based on findings, schedule audits from corporate for A. all facilities that rated themselves low and B. some facilities that rated themselves perfect/high. This will help you improve the "honest" facilities and also weed out of the system the potential of pencil-whipping the audit for the sites that think nobody will check up on them.

I have a client now with close to 400 sites that uses this basic system. They do have a team of about 25 full time auditors that perform on-site audits, but it could be a few years between audits for a single facility. They still have to do a self assessment at least annually.

Hope this helps. Let me know if you could use any additional help.



Thanks for the additional suggestions. This particular location use to do internal audits but the person who did them left. I was not made aware that they were suppose to be compliant until 3 weeks ago, and they basically are except for the audits. I will let management decide how to proceed. I appreciate your input!:bigwave:

Joe Cruse


If your company has videoconferencing capabilities, that can help you get with personnel at other sites to work on some of your internal audit work. Our corporate office and customer service center is several hundred miles away, and we started doing our internal audits via this route, along with fax machine to send requested document/records sampling. Our registrar likes this approach, and it saves us money/time in the long run.

"First impression is what level of customers do you have??

Why? would a customer
1) Do any type of "Formalized audit" of a non-certified facility?
(Other than for their own informational purposes)
2) Feel it necessary to issue a written nonconformance??"

We've been ISO certified for nearly 10 years, and still have 1-3 customers per year come in and audit us, sometimes to QS or TS standard. We audit any major supplier that is not certified, once every 3 years.
Most of our customers send us surveys every year. If you are not ISO/QS, then they want you to have some kind of formal QMS in place, which usually includes self-auditing.

I would agree with the suggestions on implementing internal audits at your other facilities.


Top Bottom