Originally posted by rrramirez:
Well, If you don´t conduct at least one internal audit before the surveillance audit of the registrar it´s possible that the organization doesn´t realize its compliance with the standard.
There are 2 issues.
1. Do the company's documented systems fulfill the requirements of the standard (not to mention requirements of applicable standards other than ISO9001)?
I do not see this as an issue of internal auditing, however QS9000 and to some degree ISO (not to mention the Institute of Internal Auditors who are not without an agenda to increase the 'importance' of internal auditing - they are an interest group like any other) are 'expanding' the intent of internal auditing to include consulting and compliance to one or more standard(s). See
http://Elsmar.com/ubb/Forum13/HTML/000054.html
In their definition, the IIA says "It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management, control, and governance processes." In my opinion they have elevated internal auditing to a functionary / expertise level which the typical employee is simply
not qualified. To meet this evolution of the definition companies will have to hire professional, qualified internal auditors - people whose specialty is internal auditing.
If they don't, the question becomes: If a buyer is auditing maintenance does that buyer have any
qualification to "...evaluate effectiveness of risk management, control and governance of processes..." in a maintenance environment? Typically this is simply not the case.
But as is evident - the definition of internal auditing is changing. Now it includes consulting! QS9000 internal auditing teaches that the auditor should understand QS9000 and verify compliance to it as well. I personally see this as a much higher level function and beyond the province (not to mention the words
qualified to do so) of the typical internal audior. See
http://Elsmar.com/ubb/Forum13/HTML/000054.html
2. Are employees following (complying with) documented and undocumented (OJT) systems procedures?
I wish to listen your opinion regarding the value-added concept, because most "quality gurus" consider the audit as a non-value added activity.
Internal auditing
should not be value added. Internal auditing
in the past was an activity where the auditors simply verified that employees are doing what they are supposed to do.
Ideally there should be
no need to verify that employees are doing what they are supposed to be doing. Companies hire someone to do a job and you expect them to do it.
The reality is many times people are not doing everything they are supposed to be doing. This is why, in my opinion, internal audits are very important - at least initially - in most companies. I have only been into a few companies where people knew their jobs and really did everything required. Sometimes its simple stuff like not completing a form properly. Sometimes it's serious such as circumventing established systems. The reality is internal audits almost always are value added as they reveal where people are ignoring what they are required to do. Sometimes it's a matter of not being trained properly. Sometimes it's a matter of lack of attention and lack of caring. Sometimes it's a lack of supervision.
Ideally internal auditing is not a value added function. In reality it is value added in (just a wild *** guess - no objective evidence) 95% of companies.
Internal audits, in my humble(?) opinion should be used as an input (are people doing their jobs - following procedures - or are they not) into management decision making. The real consulting should be done by those qualified in their field during the various management decision making meetings.
This is not to say that 'observations' are totally without merit, but they should be kept in perspective.