Informational Internal Audits - Wear multiple hats what can and can't I audit (so I'm not auditing my own work)

Eredhel

Quality Manager
Trusted
#12
I think this is what Sidney is referencing:

"The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application...

ISO 9000:2015 Quality management systems – Fundamentals and vocabulary"

As well as:

"3. TERMS AND DEFINITIONS
For the purposes of this document, the terms and definitions given in ISO 9000:2015 and the following apply."
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#13
Yes. If we don’t ascribe to the definitions in ISO 9000, implementation of 9001 becomes (even more) nonsensical.

If people could have their own definitions of audit, corrective action, top management, etc. what would be the point of a standard?
 

AndyN

A problem shared...
Staff member
Super Moderator
#14
"Independent", as US citizens know, means "free of pressure", not from another country/land/department. (from a British historical perspective)
 

insect warfare

QA=Question Authority
#15
I am in charge of the EHS department where I work, plus I sideline as the owner of our internal audit program who also conducts internal audits from time to time. As an internal auditor I am typically confronted with these 3 scenarios:

1) I am evaluating whether to audit a process where I am not its owner (i.e. Purchasing). Because I have no responsibilities related to the Purchasing process, and as long as I don't review any purchase orders that I was involved in, I am free of any conflict and can audit independently and impartially. This is a no-brainer situation.

2) I am evaluating whether to audit a process where I am not its owner (i.e. Production), but in the past I did provide some input when the process and its documents were created. Even though today I might have some production-related responsibilities (like ensuring workplace safety), I can still audit the Production process with some independence. However, if I anticipate coming across safety-related production records, I will simply make sure that I don't review my own records. If the case is that all of the safety-related records are generated by me, I will plan a joint audit with another auditor and have that auditor review those records. Independence maintained.

3) I am evaluating whether to audit a process where I am the owner (i.e. Internal Audit). I have the sole responsibility for ensuring that the audit program requirements are fulfilled. To avoid any conflicts of interest, I will have someone from my audit team do the audit, and inform them not to audit their own records. Impartiality achieved.

Having absolute freedom from responsibility from the process being audited is the gold standard for maintaining independence. When freedom from responsibility is not possible, then efforts should be made to avoid reviewing your own records during an audit. If even this is not possible, then this is a good indicator that you should probably invest in qualifying another person as an auditor or else consider outsourcing your internal audits.

If you had a hand in writing another department's procedures this should be normally irrelevant, but nevertheless the two questions to ask before any audit are "Do I have any responsibilities to this process that are going to be audited?" and "Am I expecting to encounter my own records during this audit?". If the answer to either question is YES, then you need to plan around it before the audit happens (hence the term "internal audit plan").

Brian :rolleyes:
 

John Broomfield

Staff member
Super Moderator
#16
When it comes to the definitions of the terms used in ISO 9001, ISO 9000 is a normative reference.

Audit has to be independent if it is to count as audit, otherwise it is monitoring,
 

AndyN

A problem shared...
Staff member
Super Moderator
#17
When it comes to the definitions of the terms used in ISO 9001, ISO 9000 is a normative reference.

Audit has to be independent if it is to count as audit, otherwise it is monitoring,
Don't agree. The 2015 version was specifically written to address the needs of small businesses. It's a virtual impossibility not to audit work you've been involved with. But the people CAN be objective and impartial. They can still audit. Being independent doesn't mean not being involved in the process. That's a myth.
 

Eredhel

Quality Manager
Trusted
#18
Don't agree. The 2015 version was specifically written to address the needs of small businesses. It's a virtual impossibility not to audit work you've been involved with. But the people CAN be objective and impartial. They can still audit. Being independent doesn't mean not being involved in the process. That's a myth.
I do wish that were true, I've been in the small business trenches for many years. Not just the technical definition of a small business but shops with under 100, under 50, under 10, and under 3 people. But I find it difficult to ignore the standard calling out 9000, and 9000 is pretty clear. I wish it weren't, I really do.

What are your thoughts on that? Do you think ISO 9001 actually calls out 9000 as indispensable, and does 9000 state that it has to be done by someone not responsible for the object being audited?

Edit: For the record over the years I've only ever had one auditor bring this up.
 

AndyN

A problem shared...
Staff member
Super Moderator
#19
it has to be done by someone not responsible for the object being audited?
The thing is that, even if you do look at your own work, experience shows that when time elapses, you can look at work you did and be very objective and impartial about whether it was done in compliance etc. I see no barriers put in place by ISO 9000. Only that people put one interpretation on (my native language) to suit their point of view.
 

Eredhel

Quality Manager
Trusted
#20
I like the idea. But if ISO wants to do that I feel like they need to change how it's called out. It's unfortunately pretty cut and dry.
 

Top Bottom