Informational Internal Audits - Wear multiple hats what can and can't I audit (so I'm not auditing my own work)

Randy

Super Moderator
Good day @Sidney Vianna ;
Regardless of context, I'm not sure how a definition can be "mandatory". It is a definition. No dispute there...a definition is, by definition, a definition. Just like a requirement is, by definition, a requirement. Both are accurate for what they are, but they are different.

Be well.
Definitions are applicable to the standards, therefore if they can be applied they need to be applied.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
I'm not sure how a definition can be "mandatory". It is a definition. No dispute there...a definition is, by definition, a definition.
Let me offer an example. To this date, around the world, there are many people that believe that when nonconforming product is produced, what one does to fix (repair/rework) the nonconforming product is called corrective action; and, if you want to prevent that type of defect from happening again, that is called preventive action.

Those of us who are familiar with and follow ISO 9000 terminology and definitions know that we should be referring to correction and corrective action, instead.

Another example that I have experienced and I am sure others have as well: When planning to interview "top management" of an organization, I was brought to speak with a quality manager. The ISO 9000 definition of "top management" clearly establishes that the typical quality manager does not fulfill the expectations of who "top management" is.

The definitions are only definitions if they are enforced, and that's the reason for the document to be called a normative reference.
 
There are lots of "should" statements in the ISO 19011 auditing guidelines doc, but should is not shall.

I had a registrar auditor say 9.2.2.c (select auditors and conduct audits to ensure objectivity and the impartiality of the audit process) meant you could not audit your own work and we HAD to have an auditor who only audited the internal audit process. No amount of my arguing would change his mind. Management chose not to fight it. Each company must decide for themselves how to satisfy this requirement.
I had the same thing happen last week. I was in the middle of a surveillance audit and the auditor questioned if the QP was audited in the last IA. This got him searching (the internal auditor had in fact documented where he had audited the QP), but then this brought up the issue of auditing the IA. We have always had an outside contracted internal auditor because we are a small company and I did not have 2 people who I could have trained to do IA's so one would not be auditing his/her own work. The outside auditor got us around this - or so I thought. The surveillance auditor stated that the auditor could not audit the internal audit because he/she would be auditing his/her own work. I mentioned that we discuss the IA in the management reviews and act on any findings and this should serve as our "audit" of the IA. He would not accept this and wrote a minor NCR. He kept stating that the auditor could not be objective of his own audit even though he could not prove the auditor was partial or being subjective.

We could go down this rabbit hole of someone needing to audit my audit of the internal audit saying that I was not objective since I was the MR and I was present and participating in the IA. This is maddening. I'm considering disputing his findings but I'm also wondering if the dispute wouldn't be more work than modifying our QM and adding a clause where I will audit the IA and mention my audit of the IA in the management review.

Has anyone successfully disputed (or received any definitive ruling) on an auditor auditing his/her own work? It would seem to be up to the discretion of the auditor writing the NCR as to whether or not this is part of the standard. The standard leaves it up for interpretation. Any ideas?

Edit - after doing this for the last 14 years - this is the first auditor who has mentioned ANYTHING about auditing the IA. For all 14 years we have had the IA performed by the same outside consulting company.
 

ScottK

Not out of the crisis
Staff member
Super Moderator
You are not auditing your own work unless you are auditing work you have actually done.
yeesh - An FDA inspector didn't believe that a few years ago... I had internal auditors who did the actual audits but I listed myself as Lead Auditor for every audit because I would review the audit plan and the results. She made me take myself off the schedule altogether because as the "management rep" I owned everything in the QMS.

I asked for a raise when my boss heard her say that.
 

John Broomfield

Staff member
Super Moderator
As the audit program manager you are not the lead auditor. Not sure if the FDA auditors differ from so-called ISO auditors on this. Probably best to train AN Other to audit the auditing.

I would think that your system could have to distributed QMS responsibilities to its process owners to give you sufficient objectivity and impartiality.
 

Big Jim

Trusted Information Resource
I had the same thing happen last week. I was in the middle of a surveillance audit and the auditor questioned if the QP was audited in the last IA. This got him searching (the internal auditor had in fact documented where he had audited the QP), but then this brought up the issue of auditing the IA. We have always had an outside contracted internal auditor because we are a small company and I did not have 2 people who I could have trained to do IA's so one would not be auditing his/her own work. The outside auditor got us around this - or so I thought. The surveillance auditor stated that the auditor could not audit the internal audit because he/she would be auditing his/her own work. I mentioned that we discuss the IA in the management reviews and act on any findings and this should serve as our "audit" of the IA. He would not accept this and wrote a minor NCR. He kept stating that the auditor could not be objective of his own audit even though he could not prove the auditor was partial or being subjective.

We could go down this rabbit hole of someone needing to audit my audit of the internal audit saying that I was not objective since I was the MR and I was present and participating in the IA. This is maddening. I'm considering disputing his findings but I'm also wondering if the dispute wouldn't be more work than modifying our QM and adding a clause where I will audit the IA and mention my audit of the IA in the management review.

Has anyone successfully disputed (or received any definitive ruling) on an auditor auditing his/her own work? It would seem to be up to the discretion of the auditor writing the NCR as to whether or not this is part of the standard. The standard leaves it up for interpretation. Any ideas?

Edit - after doing this for the last 14 years - this is the first auditor who has mentioned ANYTHING about auditing the IA. For all 14 years we have had the IA performed by the same outside consulting company.

If your boss tells you not to pursue it your hands are tied. You might try talking with your boss how these things sometimes grow when that auditor gives you grief on the nonconformance response.

Ideally you should talk to your certification body. It is unlikely that they will support that auditor's position. It is not defendable.
 
LOL - I am the boss. I own the company and I am talking to myself o_O. I remember making the transition from 2008 to 2015 and this was a hot topic for discussion. A lot of people like myself were happy to see the change since it allowed for one auditor within a small company to cover all areas (if some precautions were taken and/or someone else assisted in that auditor's area). Now he was adamant that an auditor cannot audit his own work.

It is interesting, though, how he wrote the NCR. He didn't actually state that the auditor can't audit his own work; he states:
"The organization outsourced their internal audit process to a 3rd party. However, no evidence/documentation was available to confirm that the internal audit process itself was audited."

In the body of the internal audit the auditor noted:

9.2 Output is defined processes controlled and maintained - Completed management review with actions that are acted on and completed - Completed internal audits and findings reviewed by the management representative, completed audit findings acted on without undue delay and competent personnel shown by prescribed records.

This should indicate internal audits were reviewed.

In our management review meeting, which was held exactly 2 weeks after the IA, we reviewed the IA - the minutes read:

"We had an internal audit in the middle of this month. The auditor was thorough, as usual, and offered some good advice. He did issue one minor non-conformance and one opportunity for improvement. The minor non-conformance was due to the fact that management had not reviewed the Risks & Opportunities from the previous MRMs. The opportunity for improvement suggested development of internal/external inputs to our review of risks & opportunities to improve our continual improvement & proactive measures. A CAR has been opened and will be discussed later in the meeting."

This should indicate that we actually reviewed the IA (impartial from the internal auditor). It doesn't indicate we went over the entire IA though which, IMO, is splitting hairs.

I am seriously considering challenging this finding.
 

John C. Abnet

Teacher, sensei, kennari
Good day @JohnfromIN ;
I infer from your moniker/handle that I, like you, am also "John from IN".

A couple of questions if I may...
1- Are you certified to ISO 9001 or IATF 16949 (i.e. what governing standard are we dealing with?)
A- If we are dealing with ISO 9001, then, as you obviously know, the requirements are only a framework (i.e. very little specificity in regards to what and when).
B- If we are dealing with IATF 16949, then, the requirement is to cover "all...management system...over each three year calendar.."

The emphasis is now/currently on risk based thinking. Audit frequency considerations require prioritization by the processes' importance, past history, and "risk". It sounds to me as if your auditor is stuck in the old "every clause-every year- Excel calendar" approach. While that is "ok" (to a point), there must be consideration and, if necessary, frequency adjustment based on the aforementioned considerations.

Based on your comments and obvious knowledge of the standard, I would be surprised if your internal audit process has not been audited at least once in the past 3 calendar years.

In regards to your auditor's comment ..."an auditor cannot audit his own work". Nowhere in the standard is this stated. The only requirement is to have auditors conduct audits "...to ensure objectivity and impartiality..."

Sounds like you may be correct to consider challenging the non-conformance finding (if indeed my understanding/assumptions are correct).

Be well.
 
Yes - I am John from IN...

We are speaking about ISO 9001 and I do understand it is only a framework designed to fit the multitude of businesses out there - any sector; be it manufacturing (which is what we are), healthcare, service based, product based...etc. Being the MR, I was heavily involved in the transition phase from 2008 to 2015 and the shift to risk based thinking was the bulk of the discussions (as were interested parties) but a major offshoot was the removal of the phrase in 8.2.2 "Auditors shall not audit their own work" and kept the more generic phrase that was in the older version (& open for interpretation) 9.2.2(c) "...shall... select auditors and conduct audits to ensure objectivity and the impartiality of the audit process."

I also understand your point regarding shifting the audit to concentrate on areas that have shown a need for improvement. This is all about continual improvement and I somehow think this auditor felt as though he had to find something or he wouldn't be doing his job. A person can't drive across town with a policeman behind them and not get an infraction if that policeman/woman is intent on writing a ticket. In our industry (finishing) we call it inspecting to accept or inspecting to reject. Obviously, we want our inspectors to inspect to accept but that doesn't mean overlooking obvious reasons to reject. In the same light, auditors can look for conformances or look for non conformances and I think the better auditors look for conformance to the standard rather than trying their best to find a non conformance.
 