Should the Internal audit for ISO 9001 cover all elements of the standard?

[Timothy1]

Hi
Is there any requirement to cover all applicable requirements of ISO 9001:2008 annually or at-least once in 3 years in the Internal audit. Anything from ISO 17021?
Thanks
Tim

 

[Jim Wynne]

Re: Internal audit coverage of elements - ISO 9001:2008

17021 applies only to auditing by CBs. 8.2.2 of ISO 9001:2008 says in part:

The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard...

 

[Randy]

Re: Internal audit coverage of elements - ISO 9001:2008

And that means you have to audit everything! No interpretation needed

 

[Timothy1]

Re: Should the Internal audit for ISO 9001 cover all elements of the standard ?

I understand in the past Guide 62 ( the precursor to ISO 17021) had a requirement for the CBs to make sure their clients (the organisations that are getting audited) to have an internal audit program which check of the QMS is fully functional atleast annually. this was interpreted by the CBs as either all elements need to be audited/ atleast have a defence for not covering certain elements in the annual audit (example if no issues on document control in the last few audits, use it as a basis for excluding it from this year's audit). (I have worked in the past as CBs' auditor as well as consultant).

I am not sure about the present day interpretation especially with ISO 17021 (which just expects an annual audit & does not say much about element coverage). If we go purely based on 822 clause of ISO 9001:2008 which goes by results of previous audit and status and importance of processes, then there is no requirement for me audit all requirements even for 10 years. CB auditor cannot challenge me. (that is, if I did not had any issues on doc control in last year's audit and also it is not a critical process for me and no changes in doc control process for the next 10 years. Can I interpret that for next 10 years I need not audit doc control
Appreciate your inputs
Tim

 

[somashekar]

Re: Should the Internal audit for ISO 9001 cover all elements of the standard ?

I understand in the past Guide 62 ( the precursor to ISO 17021) had a requirement for the CBs to make sure their clients (the organisations that are getting audited) to have an internal audit program which check of the QMS is fully functional atleast annually. this was interpreted by the CBs as either all elements need to be audited/ atleast have a defence for not covering certain elements in the annual audit (example if no issues on document control in the last few audits, use it as a basis for excluding it from this year's audit). (I have worked in the past as CBs' auditor as well as consultant).

I am not sure about the present day interpretation especially with ISO 17021 (which just expects an annual audit & does not say much about element coverage). If we go purely based on 822 clause of ISO 9001:2008 which goes by results of previous audit and status and importance of processes, then there is no requirement for me audit all requirements even for 10 years. CB auditor cannot challenge me. (that is, if I did not had any issues on doc control in last year's audit and also it is not a critical process for me and no changes in doc control process for the next 10 years. Can I interpret that for next 10 years I need not audit doc control
Appreciate your inputs
Tim

Audit is a sampling activity.
Effectiveness and continual improvement assessment are the focus.
Not having an issue then does not qualify for no audit.
Results of previous audit and status and importance of processes, is to be applied for the better and stronger checks into such process compared to the regular checks that are planned through the internal audits.
Internal audit results in itself are NOT the true are authentic indicators of a process.
Internal audits strength are perhaps the most weakest of the various processes strength of any organization as I assess.

 

[Big Jim]

Re: Should the Internal audit for ISO 9001 cover all elements of the standard ?

I understand in the past Guide 62 ( the precursor to ISO 17021) had a requirement for the CBs to make sure their clients (the organisations that are getting audited) to have an internal audit program which check of the QMS is fully functional atleast annually. this was interpreted by the CBs as either all elements need to be audited/ atleast have a defence for not covering certain elements in the annual audit (example if no issues on document control in the last few audits, use it as a basis for excluding it from this year's audit). (I have worked in the past as CBs' auditor as well as consultant).

I am not sure about the present day interpretation especially with ISO 17021 (which just expects an annual audit & does not say much about element coverage). If we go purely based on 822 clause of ISO 9001:2008 which goes by results of previous audit and status and importance of processes, then there is no requirement for me audit all requirements even for 10 years. CB auditor cannot challenge me. (that is, if I did not had any issues on doc control in last year's audit and also it is not a critical process for me and no changes in doc control process for the next 10 years. Can I interpret that for next 10 years I need not audit doc control
Appreciate your inputs
Tim

I have never read Guide 62, but from those that administered it I have learned that there never was a requirement for annual internal audits.

Like everything else in the ISO 9001, the internal audit needs to be effective. Evidently, somewhere along the way many have interpreted that need for effectiveness as annual. Personally, I think it is a good idea, but it is not a requirement.

As an auditor, if the auditee is not doing internal audits annually, I'm looking real close to see if it appears to be effective. Most organizations I have been around are on an annual schedule. Of the ones that are not, they usually still do some core areas annually, and have determined the areas that are not as critical to be done less frequently.

 

[Randy]

Hey for the real answer just do this...Don't audit everything, just stand back and wait for what your CB auditor says and does

 

[Sidney Vianna]

Re: Internal audit coverage of elements - ISO 9001:2008

Hi
Is there any requirement to cover all applicable requirements of ISO 9001:2008 annually or at-least once in 3 years in the Internal audit. Anything from ISO 17021?

17021 applies only to auditing by CBs. 8.2.2 of ISO 9001:2008 says in part:

The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard...

Jim is correct; ISO 17021 applies to the CB's but I am sure that the OP was asking if there was anything in that standard that mandates CB's to impose maximum intervals in between internal audit cycles of registrants.

The straight answer is: no, ISO 17021 does not mandate CB's to impose any specific interval of registrant's internal audit cycles. Having said, in addition to what Jim already mentioned, ISO 9001 requires internal audits to be scheduled based on status, importance and past history of the processes.

The (certification) industry "rule of thumb" has been that internal audit cycles, as well as maximum intervals between management reviews should be "annual". But, once again, there is NO REQUIREMENT, extrinsic to organizations to force that. As a side note, in the past, a large aircraft OEM had a requirement for their supplier to have an annual audit cycle, but that requirement no longer exists.

The answer that is rarely provided to the OP question is this:

If you want to justify that the checking done via the internal audit step (of the PDCA cycle) can be extended beyond the "industry norm" of 12 months, you must have (and provide) evidence that the status, importance and history of the processes, functions, etc. support that. When I was a QMS lead auditor, I had no problem "accepting" well thought out internal audit schedules which allowed certain, non-critical, stable processes to be audited in "longer than usual" intervals. After all, internal audit resources are limited and we should put them to good use, and use the risk-based approach implied by ISO 9001:2008, 8.2.2.

Simply using the fact that ISO 9001, 17021 and other relevant norms do not mandate a maximum interval is not sufficient, simply because it would be a sliding slope; i.e., if you can justify that you can audit a process within a 3 year interval, what stops you to extend that to 5, 10, 20 years?

Unfortunately, most internal audit programs are performed and perceived as a non-value added activity, thus the reason for so many organizations to do as little internal audits as possible, while passing external scrutiny.

I wonder if we tried to push the envelope the same way with product inspection; i.e., stretch the sampling of product inspection to once per calendar month (or longer). Even the organizations themselves would realize that it is a poor decision, from a risk management perspective and would ensure the checking (of the PDCA cycle) of product is done in adequate intervals. Why not for checking of the processes effectiveness?

 

[AndyN]

Hi
Is there any requirement to cover all applicable requirements of ISO 9001:2008 annually or at-least once in 3 years in the Internal audit. Anything from ISO 17021?
Thanks
Tim

Only in the minds of some external auditors. In principle, they wish you to avoid getting a nonconformity that they find, so they would 'prefer" you to find them. Of course, it's easier to say doing everything once a year than to address the real issue which is "how do you set up an audit programme based on status and importance?" - a question that many of them don't know the answer to!

No requirement, now or before.

 

[Stijloor]

Of course, it's easier to say doing everything once a year than to address the real issue which is "how do you set up an audit programme based on status and importance?" - a question that many of them don't know the answer to!

Good point!!

This is covered in great detail in my internal audit course..