Should the Internal audit for ISO 9001 cover all elements of the standard?

Timothy1

Involved In Discussions
#1
Hi
Is there any requirement to cover all applicable requirements of ISO 9001:2008 annually or at-least once in 3 years in the Internal audit. Anything from ISO 17021?
Thanks
Tim
 
Elsmar Forum Sponsor

Jim Wynne

Staff member
Admin
#2
Re: Internal audit coverage of elements - ISO 9001:2008

17021 applies only to auditing by CBs. 8.2.2 of ISO 9001:2008 says in part:

The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard...
 

Timothy1

Involved In Discussions
#4
Re: Should the Internal audit for ISO 9001 cover all elements of the standard ?

I understand in the past Guide 62 ( the precursor to ISO 17021) had a requirement for the CBs to make sure their clients (the organisations that are getting audited) to have an internal audit program which check of the QMS is fully functional atleast annually. this was interpreted by the CBs as either all elements need to be audited/ atleast have a defence for not covering certain elements in the annual audit (example if no issues on document control in the last few audits, use it as a basis for excluding it from this year's audit). (I have worked in the past as CBs' auditor as well as consultant).

I am not sure about the present day interpretation especially with ISO 17021 (which just expects an annual audit & does not say much about element coverage). If we go purely based on 822 clause of ISO 9001:2008 which goes by results of previous audit and status and importance of processes, then there is no requirement for me audit all requirements even for 10 years. CB auditor cannot challenge me. (that is, if I did not had any issues on doc control in last year's audit and also it is not a critical process for me and no changes in doc control process for the next 10 years. Can I interpret that for next 10 years I need not audit doc control
Appreciate your inputs
Tim
 

somashekar

Staff member
Super Moderator
#5
Re: Should the Internal audit for ISO 9001 cover all elements of the standard ?

I understand in the past Guide 62 ( the precursor to ISO 17021) had a requirement for the CBs to make sure their clients (the organisations that are getting audited) to have an internal audit program which check of the QMS is fully functional atleast annually. this was interpreted by the CBs as either all elements need to be audited/ atleast have a defence for not covering certain elements in the annual audit (example if no issues on document control in the last few audits, use it as a basis for excluding it from this year's audit). (I have worked in the past as CBs' auditor as well as consultant).

I am not sure about the present day interpretation especially with ISO 17021 (which just expects an annual audit & does not say much about element coverage). If we go purely based on 822 clause of ISO 9001:2008 which goes by results of previous audit and status and importance of processes, then there is no requirement for me audit all requirements even for 10 years. CB auditor cannot challenge me. (that is, if I did not had any issues on doc control in last year's audit and also it is not a critical process for me and no changes in doc control process for the next 10 years. Can I interpret that for next 10 years I need not audit doc control
Appreciate your inputs
Tim
Audit is a sampling activity.
Effectiveness and continual improvement assessment are the focus.
Not having an issue then does not qualify for no audit.
Results of previous audit and status and importance of processes, is to be applied for the better and stronger checks into such process compared to the regular checks that are planned through the internal audits.
Internal audit results in itself are NOT the true are authentic indicators of a process.
Internal audits strength are perhaps the most weakest of the various processes strength of any organization as I assess.
:2cents:
 

Big Jim

Super Moderator
#6
Re: Should the Internal audit for ISO 9001 cover all elements of the standard ?

I understand in the past Guide 62 ( the precursor to ISO 17021) had a requirement for the CBs to make sure their clients (the organisations that are getting audited) to have an internal audit program which check of the QMS is fully functional atleast annually. this was interpreted by the CBs as either all elements need to be audited/ atleast have a defence for not covering certain elements in the annual audit (example if no issues on document control in the last few audits, use it as a basis for excluding it from this year's audit). (I have worked in the past as CBs' auditor as well as consultant).

I am not sure about the present day interpretation especially with ISO 17021 (which just expects an annual audit & does not say much about element coverage). If we go purely based on 822 clause of ISO 9001:2008 which goes by results of previous audit and status and importance of processes, then there is no requirement for me audit all requirements even for 10 years. CB auditor cannot challenge me. (that is, if I did not had any issues on doc control in last year's audit and also it is not a critical process for me and no changes in doc control process for the next 10 years. Can I interpret that for next 10 years I need not audit doc control
Appreciate your inputs
Tim
I have never read Guide 62, but from those that administered it I have learned that there never was a requirement for annual internal audits.

Like everything else in the ISO 9001, the internal audit needs to be effective. Evidently, somewhere along the way many have interpreted that need for effectiveness as annual. Personally, I think it is a good idea, but it is not a requirement.

As an auditor, if the auditee is not doing internal audits annually, I'm looking real close to see if it appears to be effective. Most organizations I have been around are on an annual schedule. Of the ones that are not, they usually still do some core areas annually, and have determined the areas that are not as critical to be done less frequently.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#8
Re: Internal audit coverage of elements - ISO 9001:2008

Hi
Is there any requirement to cover all applicable requirements of ISO 9001:2008 annually or at-least once in 3 years in the Internal audit. Anything from ISO 17021?
17021 applies only to auditing by CBs. 8.2.2 of ISO 9001:2008 says in part:

The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard...
Jim is correct; ISO 17021 applies to the CB's but I am sure that the OP was asking if there was anything in that standard that mandates CB's to impose maximum intervals in between internal audit cycles of registrants.

The straight answer is: no, ISO 17021 does not mandate CB's to impose any specific interval of registrant's internal audit cycles. Having said, in addition to what Jim already mentioned, ISO 9001 requires internal audits to be scheduled based on status, importance and past history of the processes.

The (certification) industry "rule of thumb" has been that internal audit cycles, as well as maximum intervals between management reviews should be "annual". But, once again, there is NO REQUIREMENT, extrinsic to organizations to force that. As a side note, in the past, a large aircraft OEM had a requirement for their supplier to have an annual audit cycle, but that requirement no longer exists.

The answer that is rarely provided to the OP question is this:

If you want to justify that the checking done via the internal audit step (of the PDCA cycle) can be extended beyond the "industry norm" of 12 months, you must have (and provide) evidence that the status, importance and history of the processes, functions, etc. support that. When I was a QMS lead auditor, I had no problem "accepting" well thought out internal audit schedules which allowed certain, non-critical, stable processes to be audited in "longer than usual" intervals. After all, internal audit resources are limited and we should put them to good use, and use the risk-based approach implied by ISO 9001:2008, 8.2.2.

Simply using the fact that ISO 9001, 17021 and other relevant norms do not mandate a maximum interval is not sufficient, simply because it would be a sliding slope; i.e., if you can justify that you can audit a process within a 3 year interval, what stops you to extend that to 5, 10, 20 years?

Unfortunately, most internal audit programs are performed and perceived as a non-value added activity, thus the reason for so many organizations to do as little internal audits as possible, while passing external scrutiny.

I wonder if we tried to push the envelope the same way with product inspection; i.e., stretch the sampling of product inspection to once per calendar month (or longer). Even the organizations themselves would realize that it is a poor decision, from a risk management perspective and would ensure the checking (of the PDCA cycle) of product is done in adequate intervals. Why not for checking of the processes effectiveness?
 
#9
Hi
Is there any requirement to cover all applicable requirements of ISO 9001:2008 annually or at-least once in 3 years in the Internal audit. Anything from ISO 17021?
Thanks
Tim
Only in the minds of some external auditors. In principle, they wish you to avoid getting a nonconformity that they find, so they would 'prefer" you to find them. Of course, it's easier to say doing everything once a year than to address the real issue which is "how do you set up an audit programme based on status and importance?" - a question that many of them don't know the answer to!

No requirement, now or before.
 

Stijloor

Staff member
Super Moderator
#10
Of course, it's easier to say doing everything once a year than to address the real issue which is "how do you set up an audit programme based on status and importance?" - a question that many of them don't know the answer to!
Good point!!

This is covered in great detail in my internal audit course.. :agree1:
 
Thread starter Similar threads Forum Replies Date
L Should Internal Audit CAPAs be kept separate from "normal" CAPAs? ISO 13485:2016 - Medical Device Quality Management Systems 6
C How should I present Internal Audit results to Management in Management Review Internal Auditing 18
T Who should provide information I ask for? Internal Audit question Internal Auditing 4
R Should Internal Audit criteria be a Controlled Document? Internal Auditing 5
K Should Internal Audit Plan be Approved by Top Management? Internal Auditing 19
O Should Staff have Access to see Internal and/or CB Audit Results? Internal Auditing 5
G Internal Audit Report Meeting - Who should be present? Internal Auditing 19
M Should Internal Audit Checklists be Controlled Documents? Document Control Systems, Procedures, Forms and Templates 9
J Internal Audit Teams - How big the audit team should be and who should be on it General Auditing Discussions 6
Coury Ferguson Should a Registrar write a NC on something that was found during the Internal Audit Registrars and Notified Bodies 138
P Internal PPAP Audit - What should I ask? Plastic parts (automotive) TS 16949 IATF 16949 - Automotive Quality Systems Standard 7
P The Optimal IA Schedule - How should the Internal Audit Schedule be set up? General Auditing Discussions 26
R ISO19011 Internal Audit Schedule - Should it have to be approved? General Auditing Discussions 12
S Internal Audit Team - The number of internal auditors a company should have Internal Auditing 4
C Should I get an Internal Auditor Certification of Exemplar Global / RABQSA? Internal Auditing 17
R Should internal auditors be compulsorily certified as internal auditors ? Internal Auditing 11
R Full Time Internal Auditor - Where should I be looking for someone? Career and Occupation Discussions 15
R What questions should I ask during Internal Audits? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 13
Z Should we recertify our internal auditors as we transitioned to ISO 9001:2008? Internal Auditing 1
S Internal Auditor Training - How often should an internal auditor be trained? Training - Internal, External, Online and Distance Learning 15
S Who should do the CA's (Corrective Actions) from Internal Audits Internal Auditing 9
S Internal Auditor Qualifications - What qualifications should I include? Internal Auditing 49
I Auditing the CEO - How? What should our Internal Auditor ask? Internal Auditing 6
A Should Customer Complaints trigger Internal Audits? Customer Complaints 6
A Scheduling Internal Audits - What should I be auditing and when Internal Auditing 8
K Should QS/TS certified internal test/calibration labs be required to be ISO17025 ISO 17025 related Discussions 16
B UKRP to what level should you audit Class I Technical Documentation? UK Medical Device Regulations 0
C When should you quit programming? Job Openings, Consulting and Employment Opportunities 3
C Should resolution be included in uncertainty budget for digital caliper or micrometer calibration? Measurement Uncertainty (MU) 5
Ed Panek External Standards List - Should this document include previously revised standards? ISO 13485:2016 - Medical Device Quality Management Systems 4
T How should I approach REACH, CM, etc. as a job shop? RoHS, REACH, ELV, IMDS and Restricted Substances 18
A Should we assign the PRRC before the date of application of MDR (26 May 2021)? EU Medical Device Regulations 0
J UDI-DI how should we interpret Device version or model to determine if a new UDI-DI is needed? EU Medical Device Regulations 0
Sidney Vianna Interesting Discussion Should ISO 9004 be changed from a guidance document to a requirements standard? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
A Should I take an online course for a career in Occupational Health and Safety? Career and Occupation Discussions 2
J Should a Class 1 medical device with an option to measure body weight be considered Class 1m? EU Medical Device Regulations 0
K Should APQP/PPAP has its own section in a QM? Quality Management System (QMS) Manuals 1
S What should i choose for "testing procedure" characteristics? (N95) General Information Resources 0
P Should eIFU link per ISO 15223-1:2016 be added to labels out of scope of Reg 207/2012? EU Medical Device Regulations 1
S Which Sampling Plan(s) Should I Use? Inspection, Prints (Drawings), Testing, Sampling and Related Topics 13
A Document release vs its related training. Which should come first? ISO 13485:2016 - Medical Device Quality Management Systems 18
S Which department should prepare the control plan? could you show me a standard regarding to this matter. FMEA and Control Plans 17
J Help settle a disagreement: Should external providers of preventive maintenance be on your ASL? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
N Master Samples - What should we be keeping? IATF 16949 - Automotive Quality Systems Standard 9
G Supplier delivered recent PPAP, should he deliver yearly layout inspection? IATF 16949 - Automotive Quality Systems Standard 4
John Broomfield Vote - Should ISO9004 Become a Requirements Standard? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
A Capability Study - in the beginning of your career what should you have known about the tool Quality Tools, Improvement and Analysis 11
J Should Loading and Unloading be Included in Cycle Times? Lean in Manufacturing and Service Industries 14
E Manufacturers should develop a testing device for covid19 Service Industry Specific Topics 0
T 510(k) submission - Which name should I use in the submission? Other US Medical Device Regulations 3

Similar threads

Top Bottom