ISO 13485:2016 Internal Audits method

T.Garcia

Registered
Hello everyone, let me start by saying that I'm not a experienced auditor ( less than 3 years) and this might be a dumb questions but don't we have to carry out 1st and 2nd party audits following requirements of ISO 19011?

Im asking this because the Head of QA of my current company ( certified MD company in ISO13485:2016) wants me to do internal audits but following only a schedule and writing a report in the end, she does not want audit plans or checklists/trails, just a report that includes documents reviewed and findings/observations/recommendations.


I feel this IA is more a document review of a certain SOP that an "audit", but let me know your thoughts.
 

Golfman25

Trusted Information Resource
Hello everyone, let me start by saying that I'm not a experienced auditor ( less than 3 years) and this might be a dumb questions but don't we have to carry out 1st and 2nd party audits following requirements of ISO 19011?

Im asking this because the Head of QA of my current company ( certified MD company in ISO13485:2016) wants me to do internal audits but following only a schedule and writing a report in the end, she does not want audit plans or checklists/trails, just a report that includes documents reviewed and findings/observations/recommendations.


I feel this IA is more a document review of a certain SOP that an "audit", but let me know your thoughts.
Clarify if your Head of QA only wants the report and not the source documentation for the report? In other words, you can audit via plans, checklists, trails, etc. and then just send the report without the backup.
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
Is your boss asking for this _in addition to_ the planned internal audit or _in place of_? Are they worried things are NC and prefer not to document the problems first?

In your report are you permitted to reference the portion of the standard being reviewed?

If you do have a finding you will NEED to reference the part of the standard found to be NC. If its not part of the standard then reference the internal SOP etc that is not being complied with.
 

T.Garcia

Registered
To clarify,my boss wants this report with all backup documentation reviewed as part of of the pack for the internal audit to a certain SOP.

We only to process audits based on SOPs rather than tracer audits so they are not accepting NC on reports and prefer to fix everything we find before the final report is issued throwing the whole thing out of purpose.


My understanding of "how to" do an internal audit is following the guidelines of iso 19011 and having an audit plan in place of what is going to be checked, interviewed etc... writing and audit trail, and write a report based on that audit trail and checklist.

Also using different methods of auditing like statistical analysis, document review, interviewing, observation etc... Not just a document review with a report in the end.
 
Last edited:

SeanN

Involved In Discussions
Hello everyone, let me start by saying that I'm not a experienced auditor ( less than 3 years) and this might be a dumb questions but don't we have to carry out 1st and 2nd party audits following requirements of ISO 19011?

Im asking this because the Head of QA of my current company ( certified MD company in ISO13485:2016) wants me to do internal audits but following only a schedule and writing a report in the end, she does not want audit plans or checklists/trails, just a report that includes documents reviewed and findings/observations/recommendations.


I feel this IA is more a document review of a certain SOP that an "audit", but let me know your thoughts.
ISO 19011 is not mandatory. So maybe it's not applicable for your organization. Your Head of QA may want a documentation review/audit only. This is sometimes called "horizontal audit".
 

the_norwegian

Starting to get Involved
If you are ISO 13485 certified then you should expect the auditor from your ISO certifier to look into how your internal audits are planned and executed. Section 8.2.4 in the Standard contains a lot of detailed requirements to internal audits, and there is also a Note with reference to ISO 19011 at the end of section 8.2.4.
 

Sidney Vianna

Post Responsibly
Leader
Admin
This is sometimes called "horizontal audit".
Can you provide a reference for that? Document review is a valid STEP as part of a management system audit, but, in itself is not a representative assessment of the system because it fails to address the effective implementation of the process, supposedly described in such documents.
 

SeanN

Involved In Discussions
Can you provide a reference for that? Document review is a valid STEP as part of a management system audit, but, in itself is not a representative assessment of the system because it fails to address the effective implementation of the process, supposedly described in such documents.
I completely support your perspective, and I apologize for any confusion in my previous message. Our internal auditing process involves breaking down into vertical, technical, and horizontal audits, enabling us to thoroughly examine our QMS. In our horizontal audits, we typically conduct a comprehensive documentation review using a checklist aligned with industry standards. Vertical and technical audits focus on ensuring the efficient implementation of processes. It appears that T. Garcia is transitioning to a new company. Given the possibility that she may not have an in-depth understanding of the technical aspects, a documentation review could prove invaluable in helping her familiarize herself with the operations. Additionally, this can provide a fresh perspective for the (smart) QA manager, offering new insights into the system. My insights stem from past experiences in similar situations.
 

T.Garcia

Registered
Appreciate the input from everyone
I take that is commonly agreed that document review alone it's not an effective audit method to assess any process effectiveness or the determine with enough clear evidence that an NC exists.
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
I suggest not "Fixing things prior to the report" We use all NC to demonstrate our QMS is active, and catches problems, and tracks fixes. The only reason a manager would not want that is 1) Its a recurring issue thats been addressed previously but not solved for some reason 2) this manager has communicated to other parties its not a problem and a true audit would determine thats not true.
 
Top Bottom