--> From: Al Hitchcock
--> Contract Internal Audits /Hitchcock
-->
--> I am a QA Manager at a company that has 60 retail stores located in
--> 6 Midwestern states. We are ISO certified with a corporate
--> certificate. Over the course of 3 years I have to get all locations
--> assessed. To implement and maintain internal audits at all locations
--> that have already been through this is beginning to be a challenge.
--> Since we are working with internal auditors that volunteer, getting
--> and scheduling audits is getting to be a real headache. In looking
--> towards the future, I may have to rely on some other method to
--> "maintain" my system and conduct the internal audits at these
--> locations.
-->
--> Question: Does anyone out there have any ideas on how this can be
--> accomplished? Does it make any sense to contract this service out
--> and still make it cost effective? It may come to the point with our
--> growth that we could potentially be looking at 200 internal audits
--> per year (100 locations with an internal audit once every six
--> months). My staff would have to be huge??
-->
--> Looking for suggestions....
-->
--> - Al...
I try to get all my clients to out-source Internal Audits. I have seen too many problems with companies doing their own. Some handle it well but many don't. Do a quick cost analysis and you will also see you can generally do internal audits cheaper by getting an outside source. Consider training costs, training time, personnel salary & burden, trained folks who 'decide' not to, trained folks who leave or are transferred. Consider the inherent conflict of interest (my Buddy Bob and I work in different jobs and areas, but we drink together, party together, etc.). Example: I worked with a client in a QS9000 implementation. I trained 45 people in Internal Auditing. Within 6 months over 20 were gone for one reason or another. More people to train.
Doing your own can work, but you'll save yourself a lot of hassle if you out-source them. No - I don't include internal auditing as part of my business - I'm not looking for business. I do know many people who do internal auditing (yes - qualified people). They charge anywhere from US$320 (travel costs - not travel time - extra) a day to US$1200 a day plus expenses plus travel time. A pretty wide range. I have 3 friends right now in Kansas working for US$350 a day (that includes their expenses). They are all retired professionals. One I spoke with today. He enjoys auditing - which is why he does it.
My personal opinion is that internal audits by company employees is like the fox guarding the hen house. It's just plain silly. And - It's expensive. While I understand this is an ISO group, the QS folks are seeking examination and certification of internal auditors. More expense. More hassle. More constraints. Just one more thing a company has to take on. And guess who will make the money from the training and certification.... Another business expense?
I have heard the arguments about how it 'educates' folks in the company and such but I keep coming back to this: If you do internal audits with company employees, you should hire with that criteria stated and include it in each job description. If that is not the case, IMHO you are not ISO compliant in your job descriptions.
Now ask yourself: Is your company really in the business of training and keeping internal auditors going? Just like companies outsource IT services, janitorial, security (and many other services), outsourcing internal audits just makes sense.
Considering your potential need of 200 audits a year, I would contract with 1 person (maybe 2) for those audits for consistency. Note that I said 1 person. Don't go through a company unless they guarantee (of course unless that auditor quits) you the same auditor every where. I also suggest you understand that if you go through a contract house you will pay twice as much or more than if you contract with an individual. Look for someone who is IRCA registered Lead Auditor or equivalent. I would be happy to put you in touch with a couple of folks who would be interested. Shoot me an e-mail if interested. Or - Check with your local ASQC chapter. Most cities have an auditor consortium / pool.
Regards,
Marc T. Smith
---------------snippo-------------
--> From: Tom Moore Subject: Q: Int. Auditor Responsibilities/Moore
-->
--> I know there are two basic responsibilities for auditors:
-->
--> 1. Does the area perform according to documented procedures?
-->
--> 2. Are the documented procedures compliant to ISO?
-->
Let your registrar ensure your systems are ISO compliant.
Let your internal auditors audit your internal systems for internal compliance.
I cannot for the life of me understand why so many companies want their internal auditors to be ISO experts. Is it in their job description? There is no requirement for #2 above. None whatsoever. Once your systems are compliant as confirmed by a successful ISO registration, the only 'check for ISO compliance' that has to be made is when ISO systems are changed, such as a level 2 procedure. Unless a major system is changed there should be absolutely no need to continually check for ISO compliance. No change is no change! I am not sure why there is this big push to make Internal Auditors ISO (or QS) experts, but (bluntly) I think it's just plain stupid.
You might also want to check my recent response to:
--> From: Al Hitchcock Subject: Q: Contract Internal Audits /Hitchcock
I think this 'Internal Auditing' thing is getting totally out of hand.
Regards,
Marc T. Smith
--------snippo--------
--> From: Brian Charles Kohn Subject: RE: Internal Auditor Responsibilities/Moore/Kohn
--> A third-party registrar conducts only very superficial assessments
--> of your quality system, especially at the detailed procedure and
--> work instruction level.
-->
--> Brian...
Ummm, wow. Let me know which third party registrar conducts only superficial assessments. I deal with a lot of them from time to time - UL, TUV, LRQA, AGA (formerly), Entela, Eagle to name a few. Every one of them goes right to the meat - where 'the rubber meets the road' so to speak. The closest they ever come to a 'superficial' assessment is the original document review prior to pre-assessment.
Regards,
Marc T. Smith
--------snippo--------
--> From: Dennis Arter Subject:RE: Internal Auditor Responsibilities/Moore/Vaissiere/Arter
-->
--> Earlier, Gary Vaissiere wrote:
-->
--> >An internal auditor should be checking compliance with the
--> >procedures not with the standard.
-->
--> Sorry Gary, I'm afraid your advice is incorrect.
Sorry Dennis, I'm afraid your statement/advice is incorrect. You are helping to build on a myth that internal auditors should be ISO experts.
--> Perhaps you forgot about the *majority* of firms who use the ISO
--> 9001 or 9002 standard and don't give a flip about registration,
--> third party or otherwise.
I simply do not believe there is a legion of companies out there going through compliance without registering. Not likely at all.
--> Perhaps you also forgot that there are two
--> types of quality system audits: compliance and management.
Compliance (I'm assuming you mean compliance to ISO900x - you don't state which) should be the province of your registrars, management rep or other qualified person - NOT your internal auditors. Why does everyone want to make internal auditing an adventure of ISO900x interpretation? Why in the world do folks foster this myth that you need a crowd of people (a gaggle of internal auditors) checking for ISO9001 compliance?
Compliance Audits:
Compliance to ISO9001 (or other spec)
Compliance to internal company documentation (documented systems)
Let us be specific.
--> While the first part of your reply is correct (auditors, internal
--> and external, always check compliance with procedures), the second
--> part is much too restrictive.
Please explain what you are saying here. The second part? Gary wrote:
--> >An internal auditor should be checking compliance with the
--> >procedures not with the standard.
What second part?
--> A truly helpful internal auditor checks compliance with several
--> levels of documentation: the external policies and requirements, the
--> corporate standards, the local manual requirements, the shop
--> procedures, and even the job work instructions. Depending on the
--> purpose and scope, the emphasis of the audit will vary. Sometimes,
--> it is high level and much of the detail is deferred until a later
--> assessment. Sometimes, it's very focused and the foreman wants a
--> look all the way down to the blueprints.
And sometimes the companies are only 10 to 14 people. Or a few hundred. You confuse behemoths like Motorola with the reality that most companies do not have corporate - they are the company. They do not have layers and layers of inter-related documentation and inter-related corporate and site dependent requirements. You can go right from the quality manual to the tier 2 to the WI to the supporting records in short order. I suggest to you smaller companies are the real world. Huge multinationals have quite different needs than those of mainstream businesses.
Again, I believe you are propagating the myth that internal auditors need to know more than they really do need to know and that they need to do more than they need to do. You say "...a really helpful internal auditor will...". Let's get it real. Your description is one of a professional internal auditor. In real life internal auditors hardly have the time to get their jobs done not to mention to do an internal audit.
--> I could go on and on about management audits. (But I won't - smile.)
-->
--> >Such an auditor is usually not qualified (4.18) for interpretation
--> >of ISO.
-->
--> Whoa! If this statement is true, then at least two, and possibly
--> more, fundamental rules have been violated:
There is absolutely no requirement that internal auditors be trained against ISO900x unless your company decides they want the internal auditors to also check for ISO900x compliance - which is silly. No fundamental rule broken - This just does not jive with your belief (definition) that internal auditors should be competent to verify compliance with ISO900x.
--> a) Auditors are not allowed to interpret. Sure, they do it all the
--> time, but it's wrong. Because management has not done the
--> interpretation in the first place, some auditors feel they are doing
--> folks a favor by offering this interpretation. They have just
--> crossed over that "vested interest" line. The auditor is now part of
I sure don't understand what you are trying to say. They can interpret whether a form is being filled out. They can interpret whether a record is being filed. They can interpret whether documented (and undocumented, such as 'trained' systems/procedures) are being followed. All that they cannot interpret is whether the systems are ISO compliant. Internal auditors only have to see if something is being done as documented. Not many gray areas. Not much to interpret. Unless you expect them to interpret compliance to ISO requirements - which should not be their job.
--> the problem. If the manuals, procedures, and work instructions are
--> vague and fuzzy, the auditor should say, "The requirements have not
--> been defined. I have nothing to audit against."
If vagueness, fuzziness or clarity was not addressed when the documents were authored there is a fundamental problem to begin with which should not be in the scope of the internal auditor's duties to decide. I have serious problems with an expectation of an internal auditor going out and setting an agenda of defining the clarity / vagueness / fuzziness of documented systems. IMHO you are way off track here blinded to the real world by your experience and profession.
--> b) The client (audit boss) has not qualified his or her staff. Or
--> perhaps there is no audit boss. Regardless, a truly good internal
--> (or external) audit program needs accountability for the performance
--> of auditors. Two very fundamental qualification requirements address
--> a) technical knowledge of the processes, and b) understanding of the
--> way audits are performed.
If I train my internal auditors how to prepare for and carry out an audit and they are knowledgeable of the system / process they are auditing, that's all I need. I'm trying to get my product processed and get business done. Elevating internal auditing to such a high level is silly. The extreme is where (as in some very large multi-nationals) there is a dedicated audit staff. Motorola has what amounts to an audit department to validate QSR compliance at facilities worldwide. But let's say my company is only 250 people. I'm not sure I can go that route with any economic sense. All I am trying to do is verify (pre-audit prep - check intra-document consistency - then derive check list) and then validate (show me the evidence you're doing this) my internal documentation / system.
--> >Compliance with ISO is the responsibility of the third party
--> >registrar or an external body such as a vendor evaluation against
--> >their criteria and/or ISO >
-->
--> I believe you misunderstand the real intent of Conformity
--> Assessment. Originally, third parties came around to *verify* that
--> companies were telling the truth. Unfortunately, that purpose has
--> morphed into something quite different today.
I thought we were talking about internal audits, not 'conformity' assessments. Also, see conformity definitions above.
--> I hope my words don't offend -- they are not intended that way.
Same here. I see things much differently.
--> fear you have been exposed to some very bad advice on auditing
Dennis, I totally disagree. Gary wrote:
--> >An internal auditor should be checking compliance with the
--> >procedures not with the standard.
And he is correct. This is not bad advice on internal auditing in the real world. Internal auditors should not be used for 'conformance' audits where by conformance you mean conformance to ISO900x. They should be verifying and validating documented (and some undocumented / trained) company procedures (systems).
--> and even the way the ISO 9001 or 9002 standards should be
--> implemented.
--> Thankfully, we have this fine discussion list to share ideas and
--> help each other.
-->
--> Dennis R. Arter, "The Audit Guy..."
Regards,
Marc T. Smith