Informational Internal Audits - Wear multiple hats what can and can't I audit (so I'm not auditing my own work)

[embedded]

I work at a small company where I wear many hats. I'm new to quality and putting together an internal audit plan for the first time. I started off with our key processes(sales, D&D, purchasing/inventory, and production), and for each key process listed the process document(each key process has multiple process documents and process owners) and corresponding process owners. My problem is when I look at the four key processes and process owners my name is showing up as a process owner for one of the process documents in 3 of the 4 key processes. Does that mean I can't audit these areas?

To give a specific example I'd really like to audit production myself, I don't work in production but I am a process owner in that I'm responsible to define processes for RMAs and control of production services and provisions. I don't actually do the work myself, the people that do report to me. What are the requirements and recommendations given my current situation?

 

[AndyN]

Can you be objective and impartial? If you aren't touching what's being done, you're good. This issue of not auditing your own work, was removed to help small businesses. Choose something which was done a while ago, make a good plan to audit actual requirements and not ISO and keep good notes of what was sampled. Simples!

 

[John Broomfield]

You are not auditing your own work unless you are auditing work you have actually done. But who do you have to audit your internal audits?

Recommend that you select another person with the recommended attributes for training to become your second internal auditor.

That may also ease your concern for keeping your audits objective and impartial.

 

[Randy]

Nowhere does it say that you can't audit your own work.
Are you an honest person?
Do you have a good code of ethics you follow?
Are you trustworthy?
Could you find fault with something you've done and report it so that it could be corrected?

Knock yourself out and audit away.

 

[somashekar]

Clarity and Sincerity of the purpose .. Here the purpose is Internal audit.

 

[Coury Ferguson]

I agree with both Andy and Randy. If you are a trained and competent you can audit your own work/responsibilities. As they said, there is no requirement that states you can't audit your own work.

The previous QM of the company had that statement in the procedure. Guess what I am going to do...remove that statement from the procedure.

 

[Mike S.]

There are lots of "should" statements in the ISO 19011 auditing guidelines doc, but should is not shall.

I had a registrar auditor say 9.2.2.c (select auditors and conduct audits to ensure objectivity and the impartiality of the audit process) meant you could not audit your own work and we HAD to have an auditor who only audited the internal audit process. No amount of my arguing would change his mind. Management chose not to fight it. Each company must decide for themselves how to satisfy this requirement.

 

[AndyN]

we HAD to have an auditor who only audited the internal audit process.

Mission creep... and incompetent.

 

[Sidney Vianna]

My problem is when I look at the four key processes and process owners my name is showing up as a process owner for one of the process documents in 3 of the 4 key processes. Does that mean I can't audit these areas?
...SNIP.... I don't actually do the work myself, the people that do report to me. What are the requirements and recommendations given my current situation?

The situation as you described is closer to the scenario described in the Can I audit processes I've established but do not implement or maintain? thread. Auditing a process that you are the owner is perfectly acceptable.

As for people auditing their own work, there is a requirement that prohibits it. It is in the definition of the term audit, contained in ISO 9000, a normative reference in ISO 9001. The definition and the first note to the entry are provided below:

​

Note that the word independent is used and note 1 clearly stipulates the aspect of "carried out by personnel not being responsible for the object audited.

So, in my view, if you "audit" your own work, you are not in compliance with the requirements of the standard. Nobody will be independent, objective and impartial auditing their own work.

ISO/TS 9002 gives explanation of what to do in cases where you have to "audit" your own work, due to special circumstances....so you can find some guidance there.

 

[Coury Ferguson]

The situation as you described is closer to the scenario described in the Can I audit processes I've established but do not implement or maintain? thread. Auditing a process that you are the owner is perfectly acceptable.

As for people auditing their own work, there is a requirement that prohibits it. It is in the definition of the term audit, contained in ISO 9000, a normative reference in ISO 9001. The definition and the first note to the entry are provided below:

View attachment 25420
​

Note that the word independent is used and note 1 clearly stipulates the aspect of "carried out by personnel not being responsible for the object audited.

So, in my view, if you "audit" your own work, you are not in compliance with the requirements of the standard. Nobody will be independent, objective and impartial auditing their own work.

ISO/TS 9002 gives explanation of what to do in cases where you have to "audit" your own work, due to special circumstances....so you can find some guidance there.

Sidney,

I agree to disagree. ISO 9000 is not a requirement nor is ISO 19011. They are both guidance documents.

ISO 9001:2015 is the requirement. ISO 9001:2015 paragraphs 9.2.1 (a1-a2, and b) and 9.2.2 a-f does not have that requirement that I see. As for the comment "Nobody will be independent, objective and impartial auditing their own work." might just be an overstatement. I perform audits of my own work, and if there is a noncompliance found, it is documented as such. I show no favoritism when performing an internal audit. I look at the requirements regardless if I am responsible or not.

So, that is why I agree to disagree.