The Best Way to Make an Internal Audit Checklist

J

Jamie

Internal Audit Checklist?

I tried to perform a search to see if I could find something to help me with this. I didn't have much luck finding what I needed. If I overlooked a thread, I apologize in advance.

I am getting ready to start performing our internal audits. We used to use Internal Audit software by Harrington. I hated the software so I "removed it from service". In creating our new audit process, I have put the responsibility of creating the questions on the checklist to the auditors. In reading some of the threads from my search there were some suggestions made to take a copy of the procedure with you and make notes and questions on it along the way. I hate the idea of using a "canned" checklist. We've been that route before. I just can't figure out another way do to this.

First you ensure our system meets the standard....if it does you proceed to see if what they are doing is compliant to the documented procedures and work instructions. There was also talk in some threads along the way of using checkmarks.

This is what I had in mind....

On the front page of the checklist have a place for the auditor to identify which clauses they are auditing against (these are identified on the audit schedule) and to the right have a place to check if the system satisfied the clause, same with the QMS. If there are any areas unsatisfactory you identify the findings or any observations below.

My boss really liked the idea of an Audit Summary Report. When we used Harrington, my boss at the time had me submit a copy of the checklist to All departmetal supervisors involved. There was no "report". To be honest they didn't read them half the time they'd look for any findings and that was it. If you don't do a checklist, just what do you do? How do you document and have a record of your audit?

If you audit against the standard and the QMS and everything is hunky dorey...What and Why would you want to go into all the detail of documenting what you compared it to and what you found I've already said in my auditing procedure that we audit the standard and our own QMS. Would this satisfy the standard.

People were talking about an audit trail in some of the threads I was reading on as well. I'm not sure how all this is coming into play.

Can anyone help me "see" the light? Knowing me, I'm making this much harder than it is.

You all have a GREAT weekend!
:bigwave:

Jamie
 
J

Jamie

I meant to attach a copy of what I had created so far for our report and checklist. I hope I have them attached to this message right. If I do, what do you think?

Jamie
 

Attachments

  • qf-51q.doc
    25.5 KB · Views: 1,177
E

energy

Re: Internal Audit Checklist?

Originally posted by Jamie
First you ensure our system meets the standard....if it does you proceed to see if what they are doing is compliant to the documented procedures and work instructions. There was also talk in some threads along the way of using checkmarks.

If you audit against the standard and the QMS and everything is hunky dorey...What and Why would you want to go into all the detail of documenting what you compared it to and what you found I've already said in my auditing procedure that we audit the standard and our own QMS. Would this satisfy the standard.
:bigwave:
Jamie

Jamie,

We do not intend to let our Internal Auditors audit to the standard. They will audit approved procedures written with the standard in mind, by a Steering Committee of (7) Department Heads and Managers. These meetings are often contentious, argumentative and eventually end up in agreement regarding interpretations. If seven us find it difficult to agree on what the standard means, what chance does an Auditor have in coming to a conclusion on what meets the intent? That does not preclude them from using a checklist to perform their audits. Again, the checklist will be developed with the standard in mind by the Committee. While the Internal Auditors have had auditor training by an outside consultant, the limited time (2 man days) is not enough to become familiar with a document that they never saw before. They are also not being paid to spend hours reading the standard before beginning their audits. All Auditors have a copy of the standard and are encouraged to read it. Certainly, as they mature and become more familiar with the standard, they have the right through the Document Control System to suggest changes to procedures and explain why. But not now.
So, documents/procedures approved and released by the Committee are binding and only subject to arbitration with our Consultant and/or our eventual Registrar. While everybody on the committee is recognized for their individual expertise, the standard (or intent) causes a lot of confusion as to what a section really means. Look at the differing opinions that we see here at the Cove. If you allow your Internal Auditors to question anything that doesn’t agree with what they perceive to be the correct meaning of a particular section of the standard, you can be in for a long day. I’m a firm believer in that old saying, “Give a man a hammer and he will bang it”.


:ko: :smokin:

Oh I forgot. We have 8 auditors for a Company of 45 people. 4 of them are on the Steering Committee. That leaves 3 that are not auditors. Conflict of interest? Not. We're all in this together. JMHO
 
Last edited by a moderator:
M

M Greenaway

Energy

It is a requirement of ISO9001:2000 that your internal audits are conducted against the requirements of the standard.

Your internal audit system as you describe it would be non-compliant with ISO9001:2000, and doubtless ineffective also.

Love

Martin
 
I agree with M Greenaway here. All our internal audits start out from the std requirements. How else would we find out if we missed a requirement?
:confused:

/Claes
 
Nope... I insist

Aha... Debate.. I like that :D
It depends on your priorities. Who cares if you miss a requirement? Don't you pay a registrar to look after that?
Nope. We have to do it ourselves:

8.2.2 a (Internal audit): determine whether the QMS: conforms to the requirements of this standard.
Besides, The registrar spends two days/year here. Our internal auditors are here all the time. Thus they are able to dig up things the registrar would never find.
You could look at 9001 compliance separately
Why? That would mean doing the same thing twice.
why involve all those excellent busy people trying to do their work? Keep it away from them. Expose them to the organization's system, not to ISO 9000
I agree with that apart from the auditors. It's their job to do just that.

/Claes
 
M

M Greenaway

Jim

Internal audits must address the organisations compliance with the requirments of ISO9001:2000. You can slice and dice it anyway you want - and you may seperate the compliance to ISO9001 audit (even if you call it an annual desk top review - or any other name) from the compliance to our own procedures, from the effectiveness of the system - but you have to cover all these points.

The system you describe does not do away with the ISO9001 compliance audit - you have just seperated it from the other audit criteria and called it a different name.
 
I still insist

You quote 8.2.2. I submit that there is a much more relevant and important clause: 8.2.1.3. Tell me if you can't find it

Sure. 8.2.1.3 is certainly relevant (No worries about finding it either), and it reflects my main reason for doing audits at all: To find input for improvement. However, that cannot be used to negate 8.2.2. Exactly how an audit is performed is beside the point, clipboards and deskchecks or not. We still have to use them to make certain that we conform to 9001.

Besides, we never go out waving the 9000 flag during audits. We ask questions designed to tell us whether we can improve the way we work. If we find that we don't fulfil the requirements in the standard, that's one of the things we need to fix....
There are alternatives. You could, and this is JUST AN EXAMPLE, meet the 'conform to 9001' requirement by having one person do a deskcheck and then have managers audit their own departments or processes with no reference to ISO 9001 at all.
Err... I certainly want them to work with improvement in their own areas, no argument there. But: Bearing in mind that you're not supposed to audit yourself that is continual improvement, not part of the audit system. And yes, you could have one person do a deskcheck to see if you fulfill the standard. I just fail to see the point in having a number of trained auditors do only part of the job and leave the rest to this one person when they are perfectly able to do it themself?

/Claes
 
E

energy

Love you, too!

Originally posted by M Greenaway
Energy
It is a requirement of ISO9001:2000 that your internal audits are conducted against the requirements of the standard.
Your internal audit system as you describe it would be non-compliant with ISO9001:2000, and doubtless ineffective also.
Love
Martin

I believe that my post says that they will audit to procedures that are written with the standard in mind. We stand by our procedures that they meet the standard. Auditors do not need to have a copy of the standard to do internal audits. They can use the checklist that the Registrars use and ask the same questions. The auditees have to demonstrate that they are aware of the procedures and I consider that effective. The standard is poured over in detail by the Committee and all areas will be addressed in some form or other. We will not have people reading into the standard and interpreting at will. We leave that to you guys. If we have done our job correctly, we're golden. If not, well, shame on us. The relevant sections of the standard are shown on the "references" portion of the procedures. Auditors are free to look at their copy if they determine that there is a N/C. They will not cite the standard. They can suggest changes if they feel that the procedure is causing a problem with their interpretation of the standard. We do not intend to muffle any concerns the auditors may have. And I also said that the auditors make up the majority of the Steering Committee, so they are in the driver's seat when it comes to approving and releasing procedures/documents. How you interpreted that we are non compliant in respect to internal auditing eludes me. But then, I'm not an acredited Auditor. I do have the feeling though that you would cite us because our auditors would not reference the standard when issuing a N/C. They would be referencing our procedure, by paragraph, etc.. I promise to study that more carefully, as your posts usually contain some thought provoking subjects and are usually right on. Are you one of those auditors that are so sure that they are correct that there is no way you can see an alternative method? You question everything as evidenced by your initiated topics. I'm a little surprised at your response and will investigate further. Thanks for the input.
 
Last edited by a moderator:
Absolutley...

Claes

I think we are in agreement!

If we want the badge, we must meet the requirements. But we can meet them any way we choose.
Absolutley Jim,

Nice to have a bit of a discussion every now and then. It sparks the old creativity. And believe me: Just like you I'm doing my level best to cut down on the crap in the QMS and concentrate on what should be there.

/Claes :agree:
 
Last edited:
Top Bottom