Question - No Systemwide Internal Audits - But the auditor just audited


Oriondad

#1
Here is one I have not found an answer to (though maybe I didn't look hard enough)

We recently went through a preassessment audit by our registrars. Also, we had not completed our first systemwide internal audit.

We are progressing but I have this nagging thought running through my head.

Okay, I am sitting there with our registrar and he is reviewing our training (which we had previously audited, but let's say we had not!!!). Now, he has no findings. Now, I am reviewing my audit schedule and see that we need to do an internal audit on Training. Didn't I just PAY to have that audited? Why must I audit it again in the next week?

Can I consider that as being audited and move the next audit out by, say, 3 months?

So, here is the million dollar question:

Can I consider those areas that were covered by the pre-assessment as internal audits (using an outside resource)? I can consider them complete on my schedule and I can therefore move on to other elements that need review.

See, one of the findings that we had was that we hadn't done a full system audit. So here I am reviewing my audit schedule and seeing that I need to audit Customer Satisfaction. Well, our auditor just did that. Now to comply with his finding on the pre-assessment, I need to audit it again just so I can show that I did a full system audit!!!!

My head is swirling :biglaugh:
 

SteelMaiden

Super Moderator
#2
Was one of your internal auditors along during this part of the audit? Can you document who, what, when and where? Are you sure that the pre-assessment was in depth enough to satisfy your requirements or gut feel or whatever? Personally, I would think that somewhere in your audits you would have had to touch on customer satisfaction...management review? CAPA? You don't have to do a special audit for each of the subclauses, just make sure that they are covered in the audit process somewhere.
 
#3
Oriondad said:
Can I consider those areas that were covered by the pre-assessment as internal audits (using an outside resource)? I can consider them complete on my schedule and I can therefore move on to other elements that need review.
Good question, and we have touched on a similar subject before, in this thread: Internal Audit vs. Customer Audits - Can we count Customer Audits as IAs?. Alas, I have to say no. The very point with internal audits is that you are supposed to have your own process for assessing your system. There is also the fact that the registrar visits you briefly, while you on the other hand, with more intimate knowledge about your system, should be able to find things they'd never discover.

On the other hand, (assuming we are talking about ISO9001:2000) you are supposed to direct your major efforts at the areas where they are best needed:
ISO9001:2000 said:
An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited
I suggest having a look at this old thing: 8.2.2 - Opinions please...

/Claes
 

jaimezepeda

#4
Don't forget the Registrar!

Please consider your contract with your registrar as well. I have seen contracts that require a full internal audit cycle (according to the organization's internal audit programme) and management review prior to registration.

You see, sometimes registration isn't just conformance to the standard. Apparently it also entails conformance to your registrar's paradigm.

Jaime
 

Oriondad

#5
Pre-assessment audit findings

Thanks for the input.

Here is how I look at it.

Our intent is to monitor our system continuously. We will perform audits monthly. However, we also have an objective of getting registered. So our intent is good, but we also have to be realistic as well.

I have been trained to audit but am the audit manager, and I worked with the registrar auditor through the whole process. We reviewed every element of the QS system. It was a 4 day pre-assessment. We generated 25 findings. Now, I can go back through, interview everyone, again, and generate the same findings, duplicating what we just did, and take up the time of the managers, AGAIN,

or,

I can just take the documented findings, place them in our internal audit format, issue the corrective action (if any) to the managers, close it and verify it. This is what I plan on doing. For the life of me, I don't see the sense in duplicating what I and our registrar auditor just did.

Tell me what I am doing makes sense. If you tell me, NO, YOU HAVE TO AUDIT AGAIN, then I am going to tell you this system is more politicized than our government. :truce:
 

Ken B.

#6
As Jaime said. Be sure to check your contract with your registrar. Many of them require this. Do your internal auditors have any prior experience? This may be an opportunity for them to gain a little more practice before you are certified.

Ken
 

Al Rosen

Staff member
Super Moderator
#7
Oriondad said:
Thanks for the input.

Here is how I look at it.

Our intent is to monitor our system continuously. We will perform audits monthly. However, we also have an objective of getting registered. So our intent is good, but we also have to be realistic as well.

I have been trained to audit but am the audit manager, and I worked with the registrar auditor through the whole process. We reviewed every element of the QS system. It was a 4 day pre-assessment. We generated 25 findings. Now, I can go back through, interview everyone, again, and generate the same findings, duplicating what we just did, and take up the time of the managers, AGAIN,

or,

I can just take the documented findings, place them in our internal audit format, issue the corrective action (if any) to the managers, close it and verify it. This is what I plan on doing. For the life of me, I don't see the sense in duplicating what I and our registrar auditor just did.

Tell me what I am doing makes sense. If you tell me, NO, YOU HAVE TO AUDIT AGAIN, then I am going to tell you this system is more politicized than our government. :truce:
You didn't mention the standard your system is based on, whether the audit was process based, or if your audit procedure describes what you plan on doing.

:2cents: I think you may be better served by allowing some time for the findings to be corrected and then performing an internal audit as a follow-up. Also, a third party audit does not take the place of your internal audit. If it did, you would never have to do an internal audit. It has nothing to do with politics. There is no way that an outside auditor will be able to audit your organization as well as someone within it. That is why it is a requirement of the standard.
 

Oriondad

#8
I agree with you

on all points.

Our standard is ISO9001-2000. I certainly believe we are approaching our audits as process based. We will NOT have 3rd party audits performed. It is our intent to continue and improve our internal audits.

Believe me when I say we want to do this right!!!!

However,

I just audited training with our registrar auditor. We had no findings. Now, to get a full system audit done before our registration audit in January, according to what I have heard, I need to again audit training. THIS DOES NOT MAKE SENSE TO ME.

I understand that possibly in 8 months I may need to audit it again, but to do it twice within a month just to show that I have a complete system audit seems redundant and a waste of our auditor and our HR staff.
 

matkins

Starting to get Involved
#9
I understand where you are coming from. I relooked at the standard and it says:
"The organization shall conduct internal audits at planned intervals..."
and
"An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits." **Note this statement does not state previous internal audits.**

The requirement of the standard is that you have an audit program where you audit all your processes at planned intervals within a timeframe you determine. You set up the plan and the schedule. There is no requirement that you conduct a full system audit. You have to have an active, implemented, planned program.

What the registrar should be looking for during your certification audit is that you have an internal audit program and that you are working it. Not that you have audited everything before he got there. The program I have set up schedules all processes to be audited once a year with different processes scheduled for audit each month.

What I would do is work on corrective actions for the findings you had from the preassessment. Get them corrected and perform an internal audit on each before the certification. I'd be sure that I could show evidence of my corrective action and internal audit processes working at the certification audit.

I'd also make sure that my internal audit program is fully implemented, with everything scheduled for audit within a designated timeframe. Have audit evidence for what has been audited and be able to show plans for future scheduled audits.

Those processes looked at during the pre-assessment that had no findings, I would schedule for future auditing having taken into consideration the status and importance of the processes and the results of previous audits.
 

Bill Pflanz

#10
Claes Gefvenberg said:
Good question, and we have touched on a similar subject before, in this thread: Internal Audit vs. Customer Audits - Can we count Customer Audits as IAs?. Alas, I have to say no. The very point with internal audits is that you are supposed to have your own process for assessing your system. There is also the fact that the registrar visits you briefly, while you on the other hand, with more intimate knowledge about your system, should be able to find things they'd never discover.

/Claes

I agree with Claes. What the auditor wants to verify is not what non-conformances you have found in an audit but wants to verify that you have an audit system in place to find non-conformances.

The auditor wants to see how the auditors were trained, how they did audit plans, how they documented their audit and findings and how they followed up on obtaining corrective action responses from the auditees.

You are assuming that an audit is not successful unless you find something. It is possible that you find nothing but have documented who, how and what you documented. This early in your effort, it is likely that you will find things the auditor missed since they have not checked your entire system, only a sample.

Bill Pflanz
 