Internal Audits viewed by Third Parties

[Rob Nix]

Some time ago I consulted for a company that performed TWO internal audits! One audit they did as window dressing for their third party auditor. They included in it only NCs that were for concerns they were already addressing. They did not want to "air their dirty laundry" to the registrar, where he might potentially be influenced to look for problems in the areas identified as "weak".

So they performed another, "functional", audit (unseen by their registrar) to address the big problems they found or were very familiar with; you know, those chronic management problems we hope the 3rd party auditor doesn't pick up on!

Has anyone else experienced something similar, or would you like to comment on this subject?

 

[Tom W]

Some time ago I consulted for a company that performed TWO internal audits! One audit they did as window dressing for their third party auditor. They included in it only NCs that were for concerns they were already addressing. They did not want to "air their dirty laundry" to the registrar, where he might potentially be influenced to look for problems in the areas identified as "weak".

So they performed another, "functional", audit (unseen by their registrar) to address the big problems they found or were very familiar with; you know, those chronic management problems we hope the 3rd party auditor doesn't pick up on!

Has anyone else experienced something similar, or would you like to comment on this subject?

Wow! That would be my first comment. This makes no sense to me. The point of a thrid party registrar is to help you as an organization improve, to actually help you find the weak points. I would be embarrassed to be involved with a scam like that at a company. That shows little to no management committment to improvements. That just does not make any sense to me. Sorry - I don't see the benefit in covert operations like that within a company - especially if the company is interested in actually improving its business. WOW!!!

 

[Craig H.]

Rob:

This is scary. The one time our external auditor found a major (customer supplied packaging was not covered in our system) I was able to show that we had found it in our last internal audit and were addressing it.

If not for that nonconformance we had already found and documented, the external auditor was ready to end the audit. So that documented N/C saved my rear.

Window dressing for window dressing?

Craig

 

[Rob Nix]

Well here is the "rest of the story".

They had two things going against them. 1) Their management was indeed NOT COMMITTED to an effective QMS. Their whole reason for having a MR at all was simply, and I quote, "to pass audits". 2) Their previous registrar auditor did actually use their past internal audit to probe deeper into a problem they addressed and found further problems, which he wrote up as majors! Management's contention: he wouldn't have found it if we hadn't pointed it out!

So, yes indeed, they missed the whole purpose of registration!

I put together a robust internal audit system, did training, and explained that their addressing all internal issues, as Craig states, is a protection for them in that it shows they have a handle on their system - just like with SPC, a point is not out of control if you have identified the cause and can do something about it.

 

[Laura M]

If the deeper probe proved they didn't fix an internal audit finding without "undue delay" then it probably is a registration N/C. If the deeper probe revealed that the organization didn't assess "root cause" then it probably is a registration N/C.

If the deeper probe revealed similar instances, but the organization was sincerely addressing the problem, then the auditor should be looking elsewhere.

But I do think 2 audits is deceiving, and they should clean up their problems so the internal audits becoming helpful. But I've seen organizations that I can imagine that going on in. I have been asked "not to write" n/c's for a similar reason but its never happened.

 

[howste]

I've never heard of this one either. Talk about a waste of time! More than likely anything found in an internal audit will also be found in an external audit eventually, so why not do it right the first time? It sounds like what happened before (investigating a previously identified nonconformity) showed a deficiency in the corrective action system.

Craig's comment above is important. If something is found in an external audit and you can show that corrective action is already in the works, it's not in anybody's best interest to write it up again.

 

[Greg B]

Guys,

Do you think that sometimes non QA people sometimes think that if a QMS is not 100% correct at the time of the audit then they may suffer so they tend to panic and try to sweep things under the carpet or generally mislead the auditor for fear of failure?

I have had managers (and people I have audited) that have been extremely worried that part of the system is not up to scratch and I tell them that it does not have to be as long as we understand that:
a.) It is a problem, and
b.) We have or will put a plan in place to remedy it.

Example: Many of our current procedures are out of date and urgently need review due to changes ion Production, Authority etc. We have identified this in our internal audits, management meetings and individuals have placed requests in the system for change. I will show our Registrar this in a few weeks during our annual audit and I'm sure he will note it but that is about as far as it will go. He may place a minor on us but we won't worry because we aim to fix it within the next few months anyway. There will always be a part of the system that is not current. There has to be gaps (IMHO) at least in larger compnaies.

Greg B

 

[Laura M]

Greg,

I think you are accurate in stating that people think it HAS to be 100% at THE AUDIT!!!!!!!!!! Not any other time!!!!

If I find people that recognize it'll never be 100%, but know the system and aim to comply, I'm very happy. It's those that run one system the other 362 days/year then panic and want to know "the answers for the audit" that are the problem.

I'm sure most auditors start to recognize when an employee is just talking and explaining like its second nature, vs trying to remember what the process is suppsed to be.

 

[Greg B]

Greg,

I think you are accurate in stating that people think it HAS to be 100% at THE AUDIT!!!!!!!!!! Not any other time!!!!

If I find people that recognize it'll never be 100%, but know the system and aim to comply, I'm very happy. It's those that run one system the other 362 days/year then panic and want to know "the answers for the audit" that are the problem.

I'm sure most auditors start to recognize when an employee is just talking and explaining like its second nature, vs trying to remember what the process is suppsed to be.

Laura,

I could not have said it better myself.

Greg B

 

[Rob Nix]

Thanks Greg and Laura. I think you folks have your finger on the pulse. I think it always has been our job to enlighten the powers that be that ISO does not require perfection, it requires an understanding and control of our processes.

It is like parenting. We have rules, and some of those rules the kids inevitably break. We then administer "corrective action". We keep aware of their subsequent activity (we "audit" them), and "tweak" them where needed (continual improvement). So we've done our job, not because no rules were ever broken, but because we deal with the situations intelligently in a controlled environment.

Hmm, I don't know if that was the best analogy, but I do sometimes think I', working with a bunch of kids.