Informational Internal Audits - Wear multiple hats what can and can't I audit (so I'm not auditing my own work)

[AndyN]

The 600lb gorilla is this: If it's such an imperative then why isn't it in the latest version? 2015 only makes selection and the audit process the focus of objectivity and impartiality. 2008 stated "you can't audit your own work". Even back as far as 1987, it stated Design reviews and internal audits had to be conducted independently. Today, will we get is sideways references and allusions in notes in guidance... Nothing to "circumvent". Period.

 

[Yukon]

Andy,
What's your bottom line on this. Can you do an internal audit on a process that you are responsible for ? For example can the Metrologist audit the calibration process, can the QC Manager audit the quality assurance process. Let's give. Ed some straight answers. I say NO to my two examples any audit results from the two audits would be subject to potential bias.

 

[Sidney Vianna]

But you seem to have avoided the point I made about the lack of difference between "practicable" and "practical" in this context that you raised earlier.

When would it be unfeasible? We are tired of hearing the cases of one-man shops outsourcing internal audits. So, it would always be feasible to find an independent person. Note that I find unwise for very small organizations to seek certification. A certified one-man shop is an aberration in my opinion.

How can anyone know that an internal auditor who is independent of the process being audited will be impartial and objective?

You know the saying, Jim; only taxes and death....

When it comes to auditing, ISO 19011 stipulates 7 fundamental principles in order to make audits effective and reliable. They are:

1. Integrity: the foundation of professionalism
2. Fair presentation: the obligation to report truthfully and accurately
3. Due professional care: the application of diligence and judgement in auditing
4. Confidentiality: security of information
5. Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions
6. Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process
7. risk-based approach: an audit approach that considers risks and opportunities.

So, Jim, as you can see, ISO 19011, written by (supposedly) experts in management system audits establish independence as the basis for impartiality and objectivity. But there is no assurance. Misguided people can use the internal audit function to hurt professionally people they don't like. I've taught hundreds of internal auditor classes. I always made it clear that internal auditing should never be weaponized, especially because, next time, you might be a target.

Note principle 7, as well. Anyone who thinks a "self audit" is not riskier, in terms of objectivity and impartiality, is living in a different dimension from the real world.

 

[Sidney Vianna]

Today, will we get is sideways references and allusions in notes in guidance... Nothing to "circumvent". Period.

Don't you know the difference between guidance and normative? For the 10th time, ISO 9000 is NOT a guidance; it is a NORMATIVE reference and, as already explained in this thread, it's application in the context of ISO 9001 implementation is MANDATORY. If one does not follow the DEFINITIONS contained in ISO 9001, there is NO STANDARDIZATION possible.

From the ISO document available @ https://www.iso.org/files/live/sites/isoorg/files/archive/pdf/en/how-to-write-standards.pdf

On page 6 of the document, we read:

The Normative references clause is mandatory, even if there are no normative references in the document. It lists reference documents which are cited in the text in such a way that some or all of their content constitutes requirements of the document (e.g. “Sampling shall be carried out in accordance with ISO 24333:2009, Clause 5”). Remember to date the reference if it refers to a specific clause, subclause, figure, table, etc., in that reference document. References are generally made to other ISO and IEC standards. Documents from other organizations can also be referenced under certain conditions. References must be publicly available.

ISO 14001:2015, for example has no normative reference. ISO 9001:2015, on the other hand, does; ISO 9000:2015. And the definitions contained therein HAVE to be used when implementing ISO 9001.

 

[AndyN]

Don't you know the difference between guidance and normative?

This isn't a serious question now, is it?

 

[Sidney Vianna]

This isn't a serious question now, is it?

Don't understand your question. You wrote:

Today, will we get is sideways references and allusions in notes in guidance... Nothing to "circumvent". Period.

The notes to the DEFINITION of the term audit are available in ISO 9000:2015, a NORMATIVE REFERENCE; not guidance.

 

[Golfman25]

The fact is hat there is a separate "secret" book not included with the purchase of the standard is all you need to know about ISO.

 

[Sidney Vianna]

I remember clearly that during the early drafts of the ISO 9001:2015 there was a desire to make ISO 9000 embedded in 9001. Eventually, I suspect for commercial reasons, ISO decided to keep the documents separate because many sector specific quality management system standards (such as AS9100, TL-9000, ISO 13485, etc...) call ISO 9000 as a normative reference.

The ISO/IEC Directives, Part 1 — Consolidated ISO Supplement — Procedures specific to ISO document in section SL 9.2 stipulates:

ISO MSS include the high level structure and identical core text as found in Appendix 2 to this Annex SL. The common terms and core definitions are either included or normatively reference an international standard where they are included.

So, as I mentioned earlier, as an example, ISO 14001:2015 has no normative reference. So, section 3 of ISO 14001:2015 includes many definitions used in the standard.

Finally, an old article concerning this: ISO 9000:2015 — What’s Normative, Anyway? - The Auditor

 

[Big Jim]

Food for thought for this weighty debate.

ISO/TS 9002 published November 1st 2016. Quality Management System Guidance for the Implementation of ISO 9001:2015

Yes, it says guidance, but it was published by TC 176, The introduction starts out with "This document has been developed to assist users to apply the quality management system requirements of ISO 9001:2015 Quality management systems – Requirements."

The format follows the same numbering system as ISO 9001:2015, and here is what we find in the fourth paragraph of 9.2.2:

"When assigning persons to conduct audits, the organization should ensure objectivity and impartiality of the audit process. In some cases, specifically in smaller organizations or areas of the organization where specific job knowledge is required, it can be necessary for a person to audit their own work. In this situation, the organization might have the internal auditor work with a peer, or have the results reviewed by a peer or a manager, to ensure results are impartial. The organization could also consider obtaining resources from an external provider such as a university, external auditor, or another organization."

Now for my comments. To say that you cannot be impartial and objective and audit your own work is really arrogant. I will agree that not everyone could. I might say that two important factors would be the integrity of the individual and the culture of the company. Both are topics that an auditor would likely be hard pressed to challenge.

This guidance provides possible methods to be used to ensure impartiality and objectivity. It is also common sense.

Flame suit on.

 

[AndyN]

Nice post, Jim.