Re: Internal audit coverage of elements - ISO 9001:2008
Hi
Is there any requirement to cover all applicable requirements of ISO 9001:2008 annually or at-least once in 3 years in the Internal audit. Anything from ISO 17021?
17021 applies only to auditing by CBs. 8.2.2 of ISO 9001:2008 says in part:
The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard...
Jim is correct; ISO 17021 applies to the CB's but I am sure that the OP was asking if there was anything in that standard that mandates CB's to impose maximum intervals in between internal audit cycles of registrants.
The straight answer is: no, ISO 17021 does not mandate CB's to impose any specific interval of registrant's internal audit cycles. Having said, in addition to what Jim already mentioned, ISO 9001 requires internal audits to be scheduled based on status, importance and past history of the processes.
The (certification) industry "rule of thumb" has been that internal audit cycles, as well as maximum intervals between management reviews should be "annual". But, once again, there is NO REQUIREMENT, extrinsic to organizations to force that. As a side note, in the past, a large aircraft OEM had a requirement for their supplier to have an annual audit cycle, but that requirement no longer exists.
The answer that is rarely provided to the OP question is this:
If you want to justify that the checking done via the internal audit step (of the PDCA cycle) can be extended beyond the "industry norm" of 12 months, you must have (and provide) evidence that the status, importance and history of the processes, functions, etc. support that. When I was a QMS lead auditor, I had no problem "accepting" well thought out internal audit schedules which allowed certain, non-critical, stable processes to be audited in "longer than usual" intervals. After all, internal audit resources are limited and we should put them to good use, and use the risk-based approach implied by ISO 9001:2008, 8.2.2.
Simply using the fact that ISO 9001, 17021 and other relevant norms do not mandate a maximum interval is not sufficient, simply because it would be a sliding slope; i.e., if you can justify that you can audit a process within a 3 year interval, what stops you to extend that to 5, 10, 20 years?
Unfortunately, most internal audit programs are performed and perceived as a non-value added activity, thus the reason for so many organizations to do as little internal audits as possible, while passing external scrutiny.
I wonder if we tried to push the envelope the same way with product inspection; i.e., stretch the sampling of product inspection to once per calendar month (or longer). Even the organizations themselves would realize that it is a poor decision, from a risk management perspective and would ensure the checking (of the PDCA cycle) of product is done in adequate intervals. Why not for checking of the processes effectiveness?