Internal Audits - Necessary before Stage 1 Audit?

[somashekar]

It is a potential customer requirement and the potential customer is a rather large account. so that is why we are getting certified.

Most common reason ... But be sure that the QMS is yours and that it helps your organization to continually improve yourself.
Any idea if the large account customer has any preference of CB that you work with, or can he recommend his CB to your certification project ?
The S1 audit is otherwise also called readiness review such that no surprises surface in the S2 audit, leading to unpleasant situations at certification stage. If internal audits are not performed it is a surprise ...
Practical approach:
With all other things in better control can you surely perform an internal audit and review the audit performance with management and take suitable actions between S1 and S2, which normally has a month's time between them... ?
Discuss with your CB and if you have a timeline to meet from your customer, discuss this also with your CB.
You are not in bad shape, but you could have been better.

 

[Golfman25]

Can you help us understand when you say it works better? Better than what?

I'm confused when you describe an ongoing review process and the relationship to audits. The answer to your question so what has already been answered! It's very important that audits are performed, particularly as an input to the reviews!

In my experience, to say any different, is missing the fundamentals of why it's a requirement do audits and, therefore, perform a review...

But audits are not the ONLY input to the review. In fact, in a small company with a mature system, audits don't tend to reveal a lot.

In my view Management review is a continious process -- it happens at every meeting. ISO has required us to formalize and document the review process. The usual result is a specific management review meeting where you walk thru and review the system -- keeping minuites/records thereof. Most small companies will do this once or twice each year.

The problem is sometimes audits aren't ready yet, numbers (metrics) aren't caluclated yet, etc. for the reivew. So what happens in a cronological system -- the review is delayed until the audits, metrics, etc. are completed. Work gets in the way and then a week before the audit you realize you need to have a "management review" so you cram it in to show the auditor.

With our approach, if something isn't ready, we'll skip it but move on to the next area. If an audit later reveals something, we'll take up that issue at the next opportuinty.

 

[AndyN]

But audits are not the ONLY input to the review. In fact, in a small company with a mature system, audits don't tend to reveal a lot.

In my view Management review is a continuous process -- it happens at every meeting. ISO has required us to formalize and document the review process. The usual result is a specific management review meeting where you walk thru and review the system -- keeping minutes/records thereof. Most small companies will do this once or twice each year.

The problem is sometimes audits aren't ready yet, numbers (metrics) aren't calculated yet, etc. for the review. So what happens in a chronological system -- the review is delayed until the audits, metrics, etc. are completed. Work gets in the way and then a week before the audit you realize you need to have a "management review" so you cram it in to show the auditor.

With our approach, if something isn't ready, we'll skip it but move on to the next area. If an audit later reveals something, we'll take up that issue at the next opportunity.

Maybe it's the way the audits are being done? If you have an organization where audits don't reveal very much, then I'd ask why? BTW - what do you expect them to reveal?

To my way of thinking, what you've described is a poorly implemented system, done because ISO-says-so", not because there's been institutionalization of the system that IS0 9001 provides for.

Management Review is a navigational exercise - in exactly the same way that you don't drive looking at every turn on the GPS, every mile clicked off or every drop of fuel being on the dashboard. To suggest that a small business is run that way is bizarre. Here's a benefit of using ISO 9001 in a business. It should stop management being consumed in the day to day, so they can look at things a little more strategically. To get away from the noise, rise about that and get into seeing into the distance. When done correctly, it forces a wider vision of what's going on. The audits become part of that. Using the system the way you have described it show opportunity for improvement...

 

[pldey42]

But audits are not the ONLY input to the review. In fact, in a small company with a mature system, audits don't tend to reveal a lot.

In my view Management review is a continious process -- it happens at every meeting. ISO has required us to formalize and document the review process. The usual result is a specific management review meeting where you walk thru and review the system -- keeping minuites/records thereof. Most small companies will do this once or twice each year.

The problem is sometimes audits aren't ready yet, numbers (metrics) aren't caluclated yet, etc. for the reivew. So what happens in a cronological system -- the review is delayed until the audits, metrics, etc. are completed. Work gets in the way and then a week before the audit you realize you need to have a "management review" so you cram it in to show the auditor.

With our approach, if something isn't ready, we'll skip it but move on to the next area. If an audit later reveals something, we'll take up that issue at the next opportuinty.

This sounds fine to me. As long as all the required inputs to management review are covered in one review or another, and the required outputs are generated, it's conformant - but better, an example of how it should be done, not slavishly but according to business need.

You may have done too much. ISO 9001 does not require the management review process to be documented. If it did, 5.6.1 would mandate a documented procedure. But it only requires the results to be documented.

Processes are often documented because a significant proportion of the management systems community did not internalize the change to the process approach that came with the 2000 revision of ISO 9001. Bad auditors feel more comfortable when processes are documented, bad consultants make more money by writing them down.

Requiring documentation for no purpose, when it's not required by the standard or by the people who do the work, is one way ISO 9001 programmes fall into disuse. It's one reason formal management reviews are only conducted once per year: how can anyone manage complex processes by only looking at them annually? And why do CBs sign them off as effective?

Good management reviews are often the weekly (or daily) ops reviews. They often not one meeting, but several, each concerned with specific issues and involving appropriate experts and managers. In a connected, distributed world they're often not meetings, but a mix of e-mails, phone conferences and virtual conferences involving people all around the globe.

A healthy management review process is sustained by good leadership. Bad leadership and weak management review cannot be fixed by documenting a theoretical management review process cribbed from ISO 9001. What's needed is real inputs relevant to the business, an agenda, and the will to review the evidence, meet and talk.

Real management reviews aren't always conveniently regular: regular disciplines help with time management and stopping things from falling through cracks, but good management reviews are also conducted when necessary, e.g. to deal with a pressing problem. And absolutely, if all the inputs expected aren't ready, it's often more expedient to have an incomplete review and deal with some of the issues, and address the others when practical.

 

[Big Jim]

This sounds fine to me. As long as all the required inputs to management review are covered in one review or another, and the required outputs are generated, it's conformant - but better, an example of how it should be done, not slavishly but according to business need.

You may have done too much. ISO 9001 does not require the management review process to be documented. If it did, 5.6.1 would mandate a documented procedure. But it only requires the results to be documented.

Processes are often documented because a significant proportion of the management systems community did not internalize the change to the process approach that came with the 2000 revision of ISO 9001. Bad auditors feel more comfortable when processes are documented, bad consultants make more money by writing them down.

Requiring documentation for no purpose, when it's not required by the standard or by the people who do the work, is one way ISO 9001 programmes fall into disuse. It's one reason formal management reviews are only conducted once per year: how can anyone manage complex processes by only looking at them annually? And why do CBs sign them off as effective?

Good management reviews are often the weekly (or daily) ops reviews. They often not one meeting, but several, each concerned with specific issues and involving appropriate experts and managers. In a connected, distributed world they're often not meetings, but a mix of e-mails, phone conferences and virtual conferences involving people all around the globe.

A healthy management review process is sustained by good leadership. Bad leadership and weak management review cannot be fixed by documenting a theoretical management review process cribbed from ISO 9001. What's needed is real inputs relevant to the business, an agenda, and the will to review the evidence, meet and talk.

Real management reviews aren't always conveniently regular: regular disciplines help with time management and stopping things from falling through cracks, but good management reviews are also conducted when necessary, e.g. to deal with a pressing problem. And absolutely, if all the inputs expected aren't ready, it's often more expedient to have an incomplete review and deal with some of the issues, and address the others when practical.

Well said.

Please remember though that some organizations need the structure and discipline of a quality management system with more than the six firmly required written procedures. It is really up to the organizatiion to determine what they need to create documented procedures for, and the level of detail those procedures need.

I absolutely agree it should not be the auditor's decision, but a good consultant should play an active role here. That's the consultant's job, to help make the quality management system useful and effective.

 

[pldey42]

Oh yes, absolutely, Jim.

I often find that if you try to tell organizations to document processes (something I gave up doing a long time ago) they kick and scream.

But if you show them the benefits of a repeatable process and ask them what they would like to write down, they'll list all the documents you might have demanded, and more besides. I'm sure I'm not alone in that experience.

 

[Randy Lefferts]

Can you help us understand when you say it works better? Better than what?

I'm confused when you describe an ongoing review process and the relationship to audits. The answer to your question so what has already been answered! It's very important that audits are performed, particularly as an input to the reviews!

In my experience, to say any different, is missing the fundamentals of why it's a requirement do audits and, therefore, perform a review...

Perhaps I am missing something, and if I did, please point it out, but I didn't read that Golfman was saying audits weren't important as an input to the review process. I read that their management reviews were held regardless of the status of the audit(s). So they performed reviews on everything they could at that point rather than let the status of an audit hold them up from reviewing other equally important items.

They would then review the audit or it's findiings at the next management review after the audit was performed. It sounds as if they hold reviews more often than once a year, quarterly etc so I still fail to see a fallacy in their method.

For example, we held weekly (and sometimes daily if warranted) management reviews that were documented. So week 13 we hold a review and an audit is ongoing. We still hold the meeting and review the other items and if the audit is completed by the week 14 review, we review it at that point. I think Golfman was just saying that in their situtation, they didn't let the audit dictate whether to hold a review. They reviewed it at the next review.

It seems to mirror what we did as well and I fail to see a fallacy with that but am all ears if someone has information to the contrary. That's one of the beauties of this site, the differing opinions that can provide food for thought.

 

[Golfman25]

You got it Randy.

We used to do it the once per year "formal" review. Problem is work frequently got in the way. Nothing ever came together at the right time. When we changed to an ongoing review process -- durring a regular monthly meeting -- it has gone much better.

 

[AndyN]

Perhaps I am missing something, and if I did, please point it out, but I didn't read that Golfman was saying audits weren't important as an input to the review process. I read that their management reviews were held regardless of the status of the audit(s). So they performed reviews on everything they could at that point rather than let the status of an audit hold them up from reviewing other equally important items.

They would then review the audit or it's findiings at the next management review after the audit was performed. It sounds as if they hold reviews more often than once a year, quarterly etc so I still fail to see a fallacy in their method.

For example, we held weekly (and sometimes daily if warranted) management reviews that were documented. So week 13 we hold a review and an audit is ongoing. We still hold the meeting and review the other items and if the audit is completed by the week 14 review, we review it at that point. I think Golfman was just saying that in their situtation, they didn't let the audit dictate whether to hold a review. They reviewed it at the next review.

It seems to mirror what we did as well and I fail to see a fallacy with that but am all ears if someone has information to the contrary. That's one of the beauties of this site, the differing opinions that can provide food for thought.

The issue is in not understanding the role audits play in Management Review and the purpose of Management Review (of the QMS)! If you understand 'management review' how can you be doing it daily?

That's like driving down the road looking at your dashboard and all the measurements going on! Management review is a navigational exercise to look at the direction the organization is headed and to see what the measurements (including audits) are telling you! You're describing a (volatile) QMS which needed daily/weekly management meetings? I cannot conceive of such a thing in a real business! What could possibly have been going on?

I'm not saying that any audit dictate when a review should be held, but if an organization is using the review to evaluate progress toward goals/objectives etc. then wouldn't contemporary audit results be helpful?

 

[Randy Lefferts]

Hi Andy,

I am not sure if the statement about understanding the role of audits in Management Review was directed at me but I am fairly sure I do understand its importance. It’s the very first input listed in Management Review.

The input to management review shall include information on
a) results of audits,
b) customer feedback,
c) process performance and product conformity,
d) status of preventive and corrective actions,
e) follow-up actions from previous management reviews,
f) changes that could affect the quality management system, and
g) recommendations for improvement.


The frequency of these reviews worked for that company. As most have said time and again, do what works for your company. There’s more to review than just audits, as you know.

When I initially started with the company the meetings were held monthly. A review of all inputs happened once a month. As an improvement? to the Management Review, it was determined that meeting more often to review these inputs had a positive effect. Car’s stayed at the forefront, quicker response to customer feedback, audit results responded to quicker, etc. By management meeting weekly to hold a review of items, it had the effect of keeping things at the forefront and not sitting idle since they had 3-4 weeks before having to ensure they actioned on the item in the monthly format.

Good, bad or indifferent, the weekly reviews were what worked for them.

Sure, they generated a lot of records but fortunately they were electronic so no trees were harmed. To say they didn’t understand the meaning of a review is unfair. Conventional? Maybe not. Successful for them? Yes.

Oh, as far as the daily reviews I mentioned. It was rare but there were a few times that Management met and reviewed certain items that were nearing maturation or items that were discussed in the weekly review that they felt were important enough to answer quickly and they wanted to meet daily to review the progress and ensure it was moving. A “real” management review? Maybe not, but a team of managers met to review inputs to the management review so I called it as such. It was documented the same. I could have easily called it just a meeting to review the progress of said items.

If one thing I have learned from these very forums, and in some cases from your posts, is that there are multiple ways to do something. Along the lines of your vehicle analogy, when my wife drives to the store, she heads directly there using one route. I will head 2 blocks over and pass my parents house before heading to the same store she is going. At least 2 ways to get to the same destination.