Outsourcing Internal Audits - Hiring a contractor to plan and perform internal audits

Marc

Hunkered Down for the Duration with a Mask on...
Staff member
Admin
#11
OK - I admit it - this is mine from a listserve:

-------------snippo---------

From: ISO Standards Discussion
Date: Fri, 17 Dec 1999 11:49:45 -0600
Subject: Re: Internal Auditing Resources /../Kyllo/Russo/Smith

From: Marc Smith

--> C.W. Russ Russo...

I do 'contract' internal audits. To address Russ's issues:

--> From: "C.W. Russ Russo"
-->
--> You might want to reconsider this assumption. The first sentence in
--> element 4.17 requires the supplier to plan and implement the
--> internal audit program. It may be possible to hire an outside
--> auditor to conduct the audits, but the responsibility for the
--> program remains with the supplier.

I have yet to see a client without an audit plan / schedule. However, I see nothing in ISO9001:1994 (or the 'latest' ISO9001:2000) which says a company cannot outsource planning / scheduling as well as the internal audits if the company so chooses.

--> Moreover, I would advise folks considering this route to re-look at
--> Element 4.6, Purchasing, particularly the evaluation of
--> subcontractors based on "any quality assurance requirements." True,
--> ISO 10011 is not a "requirement." However, from my perspective, if a

I advise my clients that there are two issues here: I must be an approved supplier and there has to be defined criteria.

--> company really wants to abide by ISO 10011 they cannot absolve
--> themselves of active management and become a client. Such an
--> approach opens a fairly large can of wiggly worms.

I'm amazed you can say this. Just because a company outsources internal audits doesn't mean that management is trying to absolve itself of active management. If a company hires out design of a product (or prototyping or other SIGNIFICANT part of their product and/or business system) you don't hear people yelling:

"There must be serious problems if the company has to outsource that function. Heck, their management is trying to absolve itself of active management."

In fact, most companies hire out what they do not consider part of their 'core' business, yet is critical to their business. It seems so many people have the OPINION that internal audits must be a part of their core business. Businesses outsource their legal needs every day, as well as financial services, design and many other functions. My question is, what makes internal auditing such a sacred goat that it 'should' not be outsourced while other functions are outsourced every day (ever heard of Make-Buy decisions?)?

It seems that wherever the standard says "The company shall..." some folks immediately read it to mean that the function cannot be outsourced. I do not agree with this interpretation at all.

Regards,

Marc T. Smith
 

Zainul

#12
Marc,

You said:

What possible reason could a registrar have for telling a company that they cannot outsource internal audits? I don't see the verbiage in any way addressing the issue of contracted internal audits one way or the other.

--------

I think the question is whether they (external auditors) are more competent than you are in your own industry. Audit techniques and specific technical knowledge goes hand in hand. It is better for the internal team to acquire audit techniques and intertwine them with technical knowledge they already have. It takes time and experience. All the more so you have to conduct it yourself.

The other issue that might be raised could be the confidence put on internal audit team. Why are they not capable of conducting the audit themselves that they have to outsource them?

Regards

Zainul
 

Marc

Hunkered Down for the Duration with a Mask on...
Staff member
Admin
#13
"I think the question is whether they (external auditors) are more competent than you are in your own industry."
I'm not sure the person or persons contracted to do internal audits for a company has to know more than "you are in your own industry". I think this is most important for registration audits. And in some areas it may be more important than others. An example is calibration of 'critical' process monitoring gages / tests - a background in the industry better prepares an auditor to make judgments on whether a gage 'should' be calibrated or not. An example here would be injection molding where hold time, barrel temperature, mold temperature and related parameters are often critical parameters.

"Audit techniques and specific technical knowledge goes hand in hand."
I believe this is true to some degree, however quite a bit depends upon your intent. When I do internal audits for a company I am mainly interested in the very basic 'Are these folks following their defined systems?' I also look at compliance to the standard, but again here I am not so sure that extensive experience in a specific industry is all that critical.

I will agree that a well run internal audit system is a good idea. But then again, up pops reality. I see most companies founder in trying to maintain a system. I see internal auditors try to interpret the standard and make judgments about whether current systems meet the intent after a Lead Auditor or Internal Auditor course - this scares me because if we who are 'professionals' are arguing these issues (evidence is this series of forums as well as the ISO listserve) after years 'in the business' (7 in my case), I can hardly expect a part time internal auditor to make these interpretations.

I have to come back to what you expect of your internal audits. I believe the paradigm over the last few years has been to evolve into a 'find opportunities for improvement' drive. I believe that QS9000 has had a large part to play in this evolution. Can you state specifically what you expect from your internal audits? If you include finding 'opportunities for improvement', I will suggest that your company has engineers and others whose job function is to be assessing continually for 'opportunities for improvement'. How many of your internal auditors are really qualified to do this? Part of my concern with even contracted auditors telling a company about 'opportunities for improvement' is that I believe it is beyond the scope of what internal audits are about - which should be IMHO 'Are employees following the defined systems', not "This is what you should be doing to improve your processes and business". The internal auditing function is supposed to be part 'consultant' in nature? Not in my opinion. In my opinion, internal audits are not a tool for Continuous Improvement beyond whether folks are following their procedures and such.

When I first started implementations about 8 years ago I was told how the quality manual should be 'a company's own manual'. I quickly learned that while this sounds great, it's mainly bull. The auditors come in and say "You didn't address this, or you didn't address that...in your quality manual..." even when you didn't do that. An example is design. A company doesn't do design, but the company cannot just omit that section - they have to specifically state, at least, "Company X does not do design" in their quality manual. I found that to tailor the text of the standard is the way to go. The 'Make it your own' sure sounded good, but it really made no sense. Your manual is audited against the standard line by line. And I ask here, what specifically does one mean by 'make it your own'? Changing the wording some? The sequence?

I disagree on the validity of expectations and intent of internal audits. I will say that the CD2 draft I have has significantly changed the verbiage from the 1994 version. The old read "...verify whether quality activities and related results comply with planned arrangements and to determine the effectiveness of the quality system..." The CD2 draft reads (8.2.1.2 Internal Audit) "...in order to determine if the quality management system has been effectively implemented and maintained and conforms to this International Standard. In addition, the organization may carry out audits to identify potential opportunities for improvement..." (Personally I can think of much better tools for identifying potential opportunities for improvement than internal audits.)

IMHO the wording of CD2 elevates the Internal Audit well beyond the intent of the last revision and the 1987 original. I also believe by doing this that who can do internal audits is further restricted (and adds up to selling a lot of internal auditing courses). How far should internal auditors go in determining things like 'Opportunities for Improvement'? What background must they now have? An engineering degree? A degree in business? Five years experience as a process engineer or supervisor? Two years internal auditing experience?

A lot of this is sorta like the old "Buy low, sell high." It sounds so simple, but try to put that in practice. So - you have to ask yourself, what do I expect from Internal Audits? I maintain that the Management Rep (or someone with appropriate training and experience) should be deciding if the systems conform to the International Standard, for example - not line personnel and/or managers - unless you actually have that as part of their defined, documented job duties and appropriate training and experience are defined. Take a read of ISO10011-2:1994 sections 4, 5 and 6 (not to mention 7, 8 and 9).

Why does the Internal Auditing question get me so aroused? Because I see the evolution as being more financial (sell more courses) than realistic. I am not convinced that internal auditing is an appropriate tool beyond determining whether folks are doing their jobs by following systems.

While I believe Internal Audits are important, I believe the ROLE of internal audits has evolved to a point which far exceeds what it should be. I believe QS9000 has played a big part in this evolution. And I believe this makes it even more appropriate that knowledgeable professionals perform Internal Audits whether the company hires a professional or outsources them.

"The other issue that might be raised could be the confidence put on internal audit team. Why are they not capable of conducting the audit themselves that they have to outsource them?"
This is not an issue if you outsource - there is no internal audit team. No team to train. No one to 'quit' (I typically see high turnover in Internal Audit team members for a variety of reasons) necessitating more people to find to 'join the team', to train and to gain experience. Outsource and there's no more "I know it was scheduled but problems came up in my department so we'll have to postpone the audit" and other excuses leading to a disastrous schedule.

One more failure mode of doing your own internal audits is that they often significantly exacerbate antagonisms between departments and areas within companies. Internal audits become a game.

To me the bottom line is: Doing your own Internal Auditing is rarely cost effective and rarely makes good business sense. I do not believe internal audits are typically an appropriate/significant Continuous Improvement tool - heck, there are a lot of companies that do not even have an effective method of tracking scrap not to mention investigating the reason (root cause or root causes) for the scrap. If I were to be given a company and told to improve it, internal audits would not be the highest thing on my list. I would want process engineers looking at the processes. I would want purchasing to reevaluate their procedures and such. I would want managers to look at staffing, training needs and such.

To address your specific concern: You can easily find a company with an auditor (or more than one auditor) who has the appropriate auditing experience as well as an understanding of the industry and related processes, to perform your audits. If you want internal auditors to go beyond verifying / validating that folks are following their defined systems, call in professionals. If you want objective internal audits, hire a professional from outside the company.

End of rant.
 

isodog

#14
Outsourcing internal auditing

I have two customers at which I subcontract internal auditing. Many MR's don't even know it's legal.

I'd be interested in opinions (pro and con) as to views of this practice (outsourcing internal auditing) and whether they have considered this option.

Dave
 

Marc

Hunkered Down for the Duration with a Mask on...
Staff member
Admin
#15
You might want to take a looksie at:
Outsourcing Internal Audits and Internal Auditor Training to start out.

[This message has been edited by Marc Smith (edited 25 June 2000).]

Edited 15 November 2001

I can't re-lookup and change every old link to posts in the old forums. Most of them *should* still be there. If you want to find the post in the New forums, if the link to the thread in the old forums works (most of them should...), look at the thread (topic) title and what forum it is in. Then back here in the New forums - go to that forum and look for the thread topic title - OR - do a Search for the key words from Title (Note - you can search entire threads or just the 'subject' or 'title' - if you look in the Forums search page you'll see the options).

Call me lazy...
:rolleyes:
 

selle

#16
Outsourcing Internal Audits

What are the main factors that lead to the decision of outsourcing internal audit? What is its relevance in Philippine settings?
 

Al Dyer

#17
Originally posted by selle:
"What are the main factors that lead to the decision of outsourcing internal audit? What is its relevance in Philippine settings?"
The three main factors that come to mind are cost, experience, and bias.

COST:
Depending on the size of your company it might be more cost effective to outsource. Ongoing training costs add up quickly and probably even costlier is the cost of people's time in performing a good audit.

EXPERIENCE:
Do you have a staff that is capable of understanding the audit process? Do you have a high turnover rate? What is the level of management buy-in?

BIAS:
This is tough to overcome; internal auditors are usually experienced employees that have engrained relationships (good or bad) that might affect the outcome of the audit. Auditors might be biased without even knowing it.

I prefer a two-tiered approach that consists of an internal audit system (reviewed by upper management) that is occasionally reviewed by an outside source.

Hope this helps,

ASD...
 

barb butrym

Quite Involved in Discussions
#18
I wrote and presented a paper on that subject, would be happy to share it. It has the point of view of the company, the registrar and the consultant. Pro and Con. Don't think the location changes what you need to think about, just maybe the answers to consider.
If you were registered, I would have emailed it already!!!

Barb

[This message has been edited by barb butrym (edited 19 March 2001).]
 

Marc

Hunkered Down for the Duration with a Mask on...
Staff member
Admin
#19
You might want to take a read through Outsourcing Internal Audits and Internal Auditor Training

Also see The Intent of Internal Audits

These threads (and several others revealed in a forums search) address the outsourcing of internal audits question in some detail.

 

selle

#20
Thanks for the offer. I've sent you an email already.

You're such a BIG help. Thanks.

I'm sure we can do good especially now that you're helping us. Thanks again.

God bless!
 