Outsourcing Internal Audits - Hiring a contractor to plan and perform internal audits

R

Richard K

There has been discussion on the mailing lists about outsourcing internal audits, including whether it is permitted by the standard. As far as I can tell, there is nothing in ISO 9001:1994 that prevents outsourcing. However, I have just now managed to look at ISO/CD2 9001:2000, and in 8.2.1.2 it states 'The organization shall carry out objective audits...' My question is, is this wording the same in the DIS, and if so, what exactly does 'carry out' mean? Is hiring a contractor to plan and perform an internal audit 'carrying out' an audit?

Richard
 

Marc

Fully vaccinated are you?
Leader
Hello and welcome to the Cove!

You can outsource Internal Audits under the 'proposed' ISO9001:2000.

See Internal Auditors Have Real Jobs for a good thread on this topic. I 'glean' from several listservs, so some stuff may be redundant if you're on any of the lists I'm on. Also see Internal Auditor Training

As far as 'The organization shall carry out objective audits...' there is nothing telling a company how to do this. This just says the audits shall be done and that the audits shall be objective (the old 'you can't audit yourself'). One arguement is that a company can outsource any function and process. If a company hires me to do their internal audits, I am technically a 'temporary' employee.

Carry out means to follow or 'do' your internal audit procedure. As in to 'Carry Out' a plan. It implies acting on.
 
R

Richard K

Thanks for the reply, Marc. Your interpretation sounds good to me. It seems though that the new wording might strengthen the case for those who argue otherwise. Are there any registrars that cause difficulties over this point?

Richard
 

Marc

Fully vaccinated are you?
Leader
So far I have yet to hear of a registrar which rejected contracted internal audits. To me this is a ghost issue - people talk about it as an issue - but it's not an issue.

What possible reason could a registrar have for telling a company that they cannot outsource internal audits? I don't see the verbiage in any way addressing the issue of contracted internal audits one way or the other.
 

Kevin Mader

One of THE Original Covers!
Leader
Admin
Marc,

I was wondering myself if the "objective audits" opened the door for performing self audits, objectivity and independence being separate. I was hoping that the new wording actually was as a result of having found objectivity being more important than independence (single person entities having ISO accreditation for example). If this is true, then I will be happier auditor. What do you think?

Regards,

Kevin
 

Marc

Fully vaccinated are you?
Leader
OK - I guess the definitions of objective vs independent is now the issue of discussion.

At that at this point I will agree that it's possible that objectivity being more important than independence could be the reason, but I doubt there are many 'one person shows' that want to register. I'd love to hear from someone on the committee who could elaborate.
 

barb butrym

Quite Involved in Discussions
once again the discussion turns to this old topic. Speaking for a few registrars, and from experience as well.....Registrars have no problem with outsourcing the internal audit function, most welcome it. The 'temporary employee' thing of which marc speaks is a good justification when needed..... the key is in the definition of a 1st party audit.....the client and auditee/auditor have the interest of the company in hand (continuous improvement...if you will)...not that of a second party or independant body. Who pays the bill, who gets the value....etc. Who assigns/gets CA? Who controls the audit? The standard is looking for an independant and objective self-assessment, not clouded with hidden agendas.
The audit trail will tell all....if an objective audit is not performed the trail will ...in most cases...reveal that loud and clear...other times it will be hidden but the experience auditor will see it anyway.

As to independance.....I think if the audit is clearly objective (as evidenced by the audit trail?????) and not totally independant (as we all know it may not always be)there will be room to allow it as the DIS is currently written. Must be a case by case decision, by the registrar's auditor as I personally see it (not reflecting any input from registering bodies to date)

[This message has been edited by barb butrym (edited 14 December 1999).]
 

Kevin Mader

One of THE Original Covers!
Leader
Admin
Barb,

Have any of your Lead Accessor friends commented on this new wording in 9000:2000?

Regards,

Kevin
 

barb butrym

Quite Involved in Discussions
kevin...our conversations about the new wording always end up with the intent is the same, the presentation of the requirements has changed.....the shift has gone from the 20 seperate elements to tieing them together where they really belong... and nothing has gone away (and little added that wasn't already implied)..the shift is to require a system to span the entire company, as well it should....not just stand alone. Anyone already doing the standard as it was really intended (abet not written) is already pretty well in compliance. the registrars are still mute but off the record have the same opinions.

As to the comments on this particular subject...my LA colleagues agree with me.

[This message has been edited by barb butrym (edited 15 December 1999).]
 
Top Bottom