Search the Elsmar Cove!
**Search ALL of Elsmar.com** with DuckDuckGo Especially for content not in the forum
Such as files in the Cove "Members" Directory

Informational Internal Audits - Wear multiple hats what can and can't I audit (so I'm not auditing my own work)

Randy

Super Moderator
Good day @Sidney Vianna ;
Regardless of context, I'm not sure how a definition can be "mandatory". It is a definition. No dispute there...a definition is, by definition, a definition. Just like a requirement is, by definition, a requirement. Both are accurate for what they are, but they are different.

Be well.
Definitions are applicable to the standards, therefore if they can be applied they need to be applied.
 
Last edited:

Sidney Vianna

Post Responsibly
Staff member
Admin
I'm not sure how a definition can be "mandatory". It is a definition. No dispute there...a definition is, by definition, a definition.
Let me offer an example. To this date, around the world, there are many people that believe that when nonconforming product is produced, what one does to fix (repair/rework) the nonconforming product is called corrective action; and, if you want to prevent that type of defect from happening again, that is called preventive action.

Those of us, who are familiar and follow ISO 9000 terminology and definitions know that, we should be referring to correction and corrective action, instead.

Another example that I have experienced and I am sure others have as well: When planning to interview "top management" of an organization, I was brought to speak with a quality manager. The ISO 9000 definition of "top management" clearly establishes that the typical quality manager does not fulfill the expectations of who "top management" is.

The definitions are only definitions if they are enforced, and that's the reason for the document to be called a normative reference.
 
There are lots of "should" statements in the ISO 19011 auditing guidelines doc, but should is not shall.

I had a registrar auditor say 9.2.2.c (select auditors and conduct audits to ensure objectivity and the impartiality of the audit process) meant you could not audit your own work and we HAD to have an auditor who only audited the internal audit process. No amount of my arguing would change his mind. Management chose not to fight it. Each company must decide for themselves how to satisfy this requirement.
I had the same thing happen last week. I was in the middle of a surveillance audit and the auditor questioned if the QP was audited in the last IA. This got him searching (the internal auditor had in fact documented where he had audited the QP), but then this brought up the issue of auditing the IA. We have always had an outside contracted internal auditor because we are a small company and I did not have 2 people who I could have trained to do IA's so one would not be auditing his/her own work. The outside auditor got us around this - or so I thought. The surveillance auditor stated that the auditor could not audit the internal audit because he/she would be auditing his/her own work. I mentioned that we discuss the IA in the management reviews and act on any findings and this should serve as our "audit" of the IA. He would not accept this and wrote a minor NCR. He kept stating that the auditor could not be objective of his own audit even though he could not prove the auditor was partial or being subjective.

We could go down this rabbit hole of someone needing to audit my audit of the internal audit saying that I was not objective since I was the MR and I was present and participating in the IA. This is maddening. I'm considering disputing his findings but I'm also wondering if the dispute wouldn't be more work than modifying our QM and adding a clause where I will audit the IA and mention my audit of the IA in the management review.

Has anyone successfully disputed (or received any definitive ruling) on an auditor auditing his/her own work? It would seem to be up to the discretion of the auditor writing the NCR as to whether or not this is part of the standard. The standard leaves it up for interpretation. Any ideas?

Edit - after doing this for the last 14 years - this is the first auditor who has mentioned ANYTHING about auditing the IA. For all 14 years we have had the IA performed by the same outside consulting company.
 
Last edited:

ScottK

Not out of the crisis
Staff member
Super Moderator
You are not auditing your own work unless you are auditing work you have actually done.
yeesh - An FDA inspector didn't believe that a few years ago... I had internal auditors who did the actual audits but I listed myself as Lead Auditor for every audit because I would review the audit plan and the results. She made me take myself off the schedule altogether because as the "management rep" I owned everything in the QMS.

I asked for a raise when my boss heard her say that.
 

John Broomfield

Staff member
Super Moderator
yeesh - An FDA inspector didn't believe that a few years ago... I had internal auditors who did the actual audits but I listed myself as Lead Auditor for every audit because I would review the audit plan and the results. She made me take myself off the schedule altogether because as the "management rep" I owned everything in the QMS.

I asked for a raise when my boss heard her say that.
As the audit program manager you are not the lead auditor. Not sure if the FDA auditors differ from so-called ISO auditors on this. Probably best to train AN Other to audit the auditing.

I would think that your system could have to distributed QMS responsibilities to its process owners to give you sufficient objectivity and impartiality.
 
I had the same thing happen last week. I was in the middle of a surveillance audit and the auditor questioned if the QP was audited in the last IA. This got him searching (the internal auditor had in fact documented where he had audited the QP), but then this brought up the issue of auditing the IA. We have always had an outside contracted internal auditor because we are a small company and I did not have 2 people who I could have trained to do IA's so one would not be auditing his/her own work. The outside auditor got us around this - or so I thought. The surveillance auditor stated that the auditor could not audit the internal audit because he/she would be auditing his/her own work. I mentioned that we discuss the IA in the management reviews and act on any findings and this should serve as our "audit" of the IA. He would not accept this and wrote a minor NCR. He kept stating that the auditor could not be objective of his own audit even though he could not prove the auditor was partial or being subjective.

We could go down this rabbit hole of someone needing to audit my audit of the internal audit saying that I was not objective since I was the MR and I was present and participating in the IA. This is maddening. I'm considering disputing his findings but I'm also wondering if the dispute wouldn't be more work than modifying our QM and adding a clause where I will audit the IA and mention my audit of the IA in the management review.

Has anyone successfully disputed (or received any definitive ruling) on an auditor auditing his/her own work? It would seem to be up to the discretion of the auditor writing the NCR as to whether or not this is part of the standard. The standard leaves it up for interpretation. Any ideas?

Edit - after doing this for the last 14 years - this is the first auditor who has mentioned ANYTHING about auditing the IA. For all 14 years we have had the IA performed by the same outside consulting company.

If your boss tells you not to pursue it your hands are tied. You might try talking with your boss how these things sometimes grow when that auditor gives you grief on the nonconformance response.

Ideally you should talk to your certification body. It is unlikely that they will support that auditor's position. It is not defendable.
 
If your boss tells you not to pursue it your hands are tied. You might try talking with your boss how these things sometimes grow when that auditor gives you grief on the nonconformance response.

Ideally you should talk to your certification body. It is unlikely that they will support that auditor's position. It is not defendable.
LOL - I am the boss. I own the company and I am talking to myself o_O. I remember making the transition from 2008 to 2015 and this was a hot topic for discussion. A lot of people like myself were happy to see the change since it allowed for one auditor within a small company to cover all areas (if some precautions were taken and or someone else assisted in that auditors area). Now he was adamant that an auditor cannot audit his own work.

It is interesting though how he wrote the NCR. He didn't actually state that the auditor can't audit his own work he states:
"The organization outsourced their internal audit process to a 3rd party. However, no evidence/documentation was available to confirm that the internal audit process itself was audited."

In the body of the internal audit the auditor noted:

9.2 Output is defined processes controlled and maintained - Completed management review with actions that are acted on and completed - Completed internal audits and findings reviewed by the management representative, completed audit findings acted on without undue delay and competent personnel shown by prescribed records.

This should indicate internal audits were reviewed.

Our management review meeting, which was held exactly 2 weeks after the IA, we reviewed the IA - the minutes read:

"We had an internal audit in the middle of this month. The auditor was thorough, as usual and offered some good advice. He did issue one minor non-conformance and one opportunity for improvement. The minor non-conformance was due to the fact that management had not reviewed the Risks & Opportunities from a the previous MRMs. The opportunity for improvement suggested development of internal/external inputs to our review of risks & opportunities to improve our continual improvement & proactive measures. A CAR has been opened and will be discussed later in the meeting.

This should indicate that we actually reviewed the IA (impartial from the internal auditor). It doesn't indicate we went over the entire IA though which, IMO, is splitting hairs.

I am seriously considering challenging this finding.
 

John C. Abnet

Teacher,Sensei,Kennari
LOL - I am the boss. I own the company and I am talking to myself o_O. I remember making the transition from 2008 to 2015 and this was a hot topic for discussion. A lot of people like myself were happy to see the change since it allowed for one auditor within a small company to cover all areas (if some precautions were taken and or someone else assisted in that auditors area). Now he was adamant that an auditor cannot audit his own work.
Good day @JohnfromIN ;
I infer from your your moniker/handle that I, like you, am also "John from IN".

A couple of questions if I may...
1- Are you certified to ISO 9001 or IATF 16949 (i..e what governing standard are we dealing with?)
A- If we are dealing with ISO 9001, then, as you obviously know, the requirements are only a framework (i.e. very little specificity in regards
to what and when).
B- If we are dealing with IATF 16949, then, the requirement is to cover "all...management system...over each three year calendar.."

The emphasis is now/currently on risk based thinking. Audit frequency considerations require prioritization by the processes importance, past history, and "risk". It sounds to me as if your auditor is stuck in the old "every clause-every year- Excel calendar" approach. While that is "ok" (to a point), there must be consideration and/if necessary, frequency adjustment based on the aforementioned considerations.

Based on your comments and obvious knowledge of the standard, I would be surprised if your internal audit process has not been audited at least once in the past 3 calendar years.

In regards to your auditor's comment ..."an auditor cannot audit his own work". Nowhere in the standard is this stated. The only requirement is to have auditors conduct audits "...to ensure objectivity and impartiality..."

Sounds like you may be correct to consider challenging the non-conformance finding (if indeed my understanding/assumptions are correct).

Be well.
 
Good day @JohnfromIN ;
I infer from your your moniker/handle that I, like you, am also "John from IN".

A couple of questions if I may...
1- Are you certified to ISO 9001 or IATF 16949 (i..e what governing standard are we dealing with?)
A- If we are dealing with ISO 9001, then, as you obviously know, the requirements are only a framework (i.e. very little specificity in regards
to what and when).
B- If we are dealing with IATF 16949, then, the requirement is to cover "all...management system...over each three year calendar.."

The emphasis is now/currently on risk based thinking. Audit frequency considerations require prioritization by the processes importance, past history, and "risk". It sounds to me as if your auditor is stuck in the old "every clause-every year- Excel calendar" approach. While that is "ok" (to a point), there must be consideration and/if necessary, frequency adjustment based on the aforementioned considerations.

Based on your comments and obvious knowledge of the standard, I would be surprised if your internal audit process has not been audited at least once in the past 3 calendar years.

In regards to your auditor's comment ..."an auditor cannot audit his own work". Nowhere in the standard is this stated. The only requirement is to have auditors conduct audits "...to ensure objectivity and impartiality..."

Sounds like you may be correct to consider challenging the non-conformance finding (if indeed my understanding/assumptions are correct).

Be well.
Yes - I am John from IN...

We are speaking about ISO 9001 and I do understand it is only a framework designed to fit the multitude of businesses out there - any sector; be it manufacturing (which is what we are), healthcare, service based, product based...etc. Being the MR, I was heavily involved in the transition phase from 2008 to 2015 and the shift to risk based thinking was the bulk of the discussions (as were interested parties) but a major offshoot was the removal of the phrase in 8.2.2 "Auditors shall not audit their own work" and kept the more generic phrase that was in the older version (& open for interpretation) 9.2.2(c) "...shall... select auditors and conduct audits to ensure objectivity and the impartiality of the audit process.

I also, understand your point regarding shifting the audit to concentrate on areas that have shown a need for improvement. This is all about continual improvement and I somehow think this auditor felt as though he had to find something or he wouldn't be doing his job. A person can't drive across town with a policeman behind them and not get an infraction if that policeman/woman is intent on writing a ticket. In our industry (finishing) we call it inspecting to accept or inspecting to reject. Obviously, we want our inspectors to inspect to accept but that doesn't mean overlooking obvious reasons to reject. In the same light, auditors can look for conformances or look for non conformances and I think the better auditors look for conformance to the standard rather than trying their best to find a non conformance.
 
Top Bottom