The Holistic Approach to Internal Auditing (ISO 9001)

C

ChrissieO

#1
We are trying to move away from the 30-35 Internal audits we normally do every year. These are usually conducted by 1 auditor and take a couple of hours + planning and report writing.

The operation consists of about 350 people accross 2 main sites and approxiamtley 3 satalite teams. This includes, customer services, customer support services, warehousing & distribution, some conversion work and all the support services needed to run these activities.

I would like our audit schedule to consist of 4 major team style audits over a number of days as the core of our schedule, supported by the few specific audits we need to conduct and also any additional audits requested by the management team for specific processes as and when required.

Would this work?

Has any one tried this and got any good advice on how best to put this in place?

I need to present the case for the changes to the MR over the next few days
 
Elsmar Forum Sponsor
#2
Chrissie:

It could work, however, there's a lot more I'd need to know about your audit process before I decided to commend this change to you! I'd like to know about the selection of the scopes, what criteria and frequency was chosen for audits, and why. Simply changing the 'scale' of the audits from smaller, frequent events to larger less frequent audits (plus the other things) is going to get you much - and what are you intending to gain from this?
 
C

ChrissieO

#3
Chrissie:

It could work, however, there's a lot more I'd need to know about your audit process before I decided to commend this change to you! I'd like to know about the selection of the scopes, what criteria and frequency was chosen for audits, and why. Simply changing the 'scale' of the audits from smaller, frequent events to larger less frequent audits (plus the other things) is going to get you much - and what are you intending to gain from this?
Historically our audit schedule has been 99.9% push audits instead of pull and we have taken each individual department and auditied that. I am trying to get people away from this outdated way of auditing so that we look at the whole process and flow through the operation with input from the management team as to any specific areas of concerns. We have currently introduced a number of new processes and I see those as priority.

We have a very mature QMS but where I see it works for us and complies to the requirements of our CB, I do not feel it is enough and that we are not gaining any value from it.

I have attached the audit schedule, which I must add I am not that happy with as I don't think we are encompasing the process approach but although I managed to persuade the MR to cut many of the "pointless" audits from previous schedules I still think a whole new aproach is needed.

Another reason for wanting to do this is that currently some of the management team do not give as much credance to the internal audit processes and we have issues with completing findings. By raising the level of the audits and adopting a more formal but added value structure, i.e. function management involved, opening and closing meetings etc I feel we would get significantly better buy in from them.

We have an experienced, albeit diminishing, audit team which includes 7 NQA trained internal auditors, ranging from 2-7 years experience and 2 lead auditors (myselfand one other) so I feel we are reasonably well equiped to take create and complete an audit schedule that I feel would add value.

We are currently in the process of aranging in house external training for all our internal auditors with regard to "process auditing" and I cant see the point of spending all this money only to revert to verticle auditing not adding any value to our internal audit programme.

The audit schedule file has macros in it so the buttons at the top hide and reveal the individual elements needed to be covered.

Thanks for your help.

Chrissie

PS I am currently at my desk re-readingyour article "All process are not created equally" ;)
 

Attachments

Last edited by a moderator:

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#4
I can't claim my methods = organizational success, though I believe I have seen some promising QMS gains since I started auditing a few years ago.

I audit QMS, EMS, OHSAS, and now Process safety Management (at this point as a component of OHSAS) and Reliability Lab to 17025. My plant has 500+/- people.

Now I am also doing Document Control part time, which tends to fragment my attention and, in my view, tends to render my auditing work less effective.

Over the last three years I have noticed some improvement in dealing with open issues, but schedule or team/holistic audit approaches had nothing to do with it. My growing a spine and fully engaging the escalation process had half to do with it, and the other half of gains have been from getting full buy-in at time the audit report is issued. I do this by sending out a "draft" 4-5 days ahead of a promised "if I don't hear from you by then I will issue as-is" invitation to clarify issues, produce more data, etc.

By escalation process I mean after X time has passed, I send out a warning and then send the issue to othe CA owner's manager as a Management Action Notice.

As far as holistics and schedule crunching goes, I collect my sample for things like Process Realization, Training, Document Control and Change Control over the series of process audits. Then, when these particular processes come up I look at the data and look for patterns pointing to a systemic opportunity. Of course I don't need to wait until a Document Control audit comes up to raise an issue, it's just more likely to be an issue directed to the process versus fixing an outdated document, etc.

Safety and Environmental audit learnings and findings can feed into certain QMS components, such as Section 6 Infrastructure and safety for production readiness.

This year, because I lose so much time to Document Control I am scheduling audits based on subject versus process. So Planning might include Management Review because business and capital plans are so often an output of such review.

I hope this helps!
 
J
#5
Personally I don't see any real reason to say that your idea will not work. Just be prepared to continue to fine tune it over time.

Larger and more comprehensive audits will likely be less expensive overall in a company with a "mature QMS". This is always a good thing.
More comprehensive audits might also reveal things not seen in smaller more "local" audits, which in turn might help focus decisionis on improvement projects or point up areas needing more focused "follow-up" audits.

Even if you only reduced the actual number of audits from 35 to 15 and the days from 35 to 20 the savings could be significant.

Just my 2c

Peace
James
 
C

ChrissieO

#6
Over the last three years I have noticed some improvement in dealing with open issues, but schedule or team/holistic audit approaches had nothing to do with it. My growing a spine and fully engaging the escalation process had half to do with it, and the other half of gains have been from getting full buy-in at time the audit report is issued.
I can see where you are coming from on this and we have come some way from where we were 3 years ago by escualation but I would like the management team to see the internal audit schedule as opportunities to improve and grow and not as a necessary evil.

Until they can see that there is a point to audit they will never give the attention required to the findings and at the moment both myself and them cant see the point in doing audits for audits sake.

Cx
 
#7
I can see where you are coming from on this and we have come some way from where we were 3 years ago by escualation but I would like the management team to see the internal audit schedule as opportunities to improve and grow and not as a necessary evil.

Until they can see that there is a point to audit they will never give the attention required to the findings and at the moment both myself and them cant see the point in doing audits for audits sake.

Cx
You can do it! You will have to show them, slowly, but they will see. Firstly, find someone who is open to the idea and make them a champion (willing or otherwise).

If you don't publish such a daunting (to them) schedule - except for maybe a few of the 'predictable' audits (like the Cb audits etc) then, solicit managements' input as to what needs to be done earlier in the calendar etc - based on 'status and importance' - you can then target those things and deliver the results they would like, but didn't expect. It will mean a different auditor's approach too, but you should see some improvements.
 
Q

QCAce

#8
...
Another reason for wanting to do this is that currently some of the management team do not give as much credance to the internal audit processes and we have issues with completing findings. By raising the level of the audits and adopting a more formal but added value structure, i.e. function management involved, opening and closing meetings etc I feel we would get significantly better buy in from them.
...
Chrissie,
I'm curious, do the findings from your current audits exhibit any type of trend? Or do all the findings have a similar flavor, (i.e. "dept xyz did not have the latest revision of their work instruction..")?
What types of findings are you currently seeing?
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#9
Chrissie,
I'm curious, do the findings from your current audits exhibit any type of trend? Or do all the findings have a similar flavor, (i.e. "dept xyz did not have the latest revision of their work instruction..")?
What types of findings are you currently seeing?
This would, in my view, have a good deal more meaning to management than the schedule. :agree1:
 
G

Groo3

#10
Speaking as one who typically manages about 8 comprehensive process audits a year for our site (about 230 people across 2 sites), I would say yes... In my opinion, it's doable, and you can take credit for it as a continuous improvement opportunity.

For our site, we utilize auditors from our site as well as auditors from our division (our North America division consists of about 10 manufacturing locations with approximately 2,500 employees total, there are about 20 auditors to assist with the divisional audits, myself included). The divisional audits are planned by our North America divisional management. Our site audits are planned by me. Our audit plan typically involves a 2 year cycle, and about 8 comprehensive process audits per year.

Each audit is typically 1 lead auditor with 1 to 2 auditors assisting; the audits take between 1 and 2 days to complete (average auditor commitment is between 3 and 4.5 auditor days per audit), but sometimes they can take longer. On average, we are pretty close to the 1/3 rule = the time spent planning the audit (checklist with questions, etc.) is equal to the time spent conducting the audit (including follow-up of any previous corrective actions where appropriate) is equal to the time spent writting up the audit (including the report, presentation of the findings and creation of any corrective actions).

Every couple of years, we re-think our approach to auditing... Our most recent change involves incorporating the divisional audits into our process. Our QMS has been registered since 1994, so I would consider our system somewhat mature. Our audit plan consists of ISO-9001 audits and Responsible Care audits. We audit our processes against the standards, our corporate and divisional requirements, as well as site processes.

:2cents:
 
Thread starter Similar threads Forum Replies Date
D CE SaMD modular approach CE Marking (Conformité Européene) / CB Scheme 5
K MDSAP Audit Approach 2020 for Brazil Other Medical Device Regulations World-Wide 1
K MDSAP Audit Approach 2020 ISO 13485:2016 - Medical Device Quality Management Systems 3
DuncanGibbons Understanding the applicability of Design of Experiments to the IQ OQ PQ qualification approach Qualification and Validation (including 21 CFR Part 11) 5
G Any good examples of CAPA forms that include a risk based approach? ISO 13485:2016 - Medical Device Quality Management Systems 8
qualprod Best approach to get a real value as average? Statistical Analysis Tools, Techniques and SPC 6
DuncanGibbons FAA's Building Block approach to certification Inspection, Prints (Drawings), Testing, Sampling and Related Topics 0
G New CAPA Work Flow with Revised 8D Approach Process Maps, Process Mapping and Turtle Diagrams 35
R Bottom up approach versus system level ISO 14971 - Medical Device Risk Management 2
D Validation of existing equipment - Risk based approach example ISO 13485:2016 - Medical Device Quality Management Systems 3
qualprod Shortening processes complying with process approach ISO 9001 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
O Validation approach for a Photostability Chamber (used for fluid therapy and injectable drug products) Qualification and Validation (including 21 CFR Part 11) 1
Sidney Vianna NASA to Develop a Novel Approach for All-Electric Aircraft Using Cryogenic Liquid Hydrogen as Energy Storage World News 2
tony s What is the automotive process approach for auditing? IATF 16949 - Automotive Quality Systems Standard 2
C Usability IEC 62366-1:2015 and MDR 2017/745 - Risk based approach IEC 62366 - Medical Device Usability Engineering 1
M Informational EU – Medicinal products and medical devices: Coordinated approach in case of a withdrawal of the United Kingdom from the Union without a deal Medical Device and FDA Regulations and Standards News 0
M Informational USFDA draft guidance – A Risk-Based Approach to Monitoring of Clinical Investigations Questions and Answers Guidance for Industry Medical Device and FDA Regulations and Standards News 0
M APQC PCF (Process Classification Framework) and ISO 9001 - Processes Based Approach ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
S Risk Approach doesn't address External Issues (Auditor's Comment) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 30
Pmarszal ISO 19011:2018 - Risk Based Approach for planning, conducting and reporting of internal audits Internal Auditing 8
Q Questions about the Risk-based approach to QMS processes ISO 13485:2016 - Medical Device Quality Management Systems 17
N Do I need to approach galvanized steel sheet flatness issue with DOE? Problem Solving, Root Cause Fault and Failure Analysis 9
S ISO 13485:2016 - Risk-based Approach ISO 13485:2016 - Medical Device Quality Management Systems 3
S Risk based approach - Procedures already take a risk-based approach to QMS processes ISO 13485:2016 - Medical Device Quality Management Systems 3
S IATF 16949 - Manufacturing and Product Audit Approach IATF 16949 - Automotive Quality Systems Standard 19
S ISO 13485:2016 - How I can integrate a risk management approach in our SOPs ISO 13485:2016 - Medical Device Quality Management Systems 1
S Risk Based Approach for ISO 13485:2016 Form/Procedure ISO 13485:2016 - Medical Device Quality Management Systems 23
P Best approach to tackle difficult certifications Career and Occupation Discussions 2
C Does Japan accept the Bracketing Approach for Process Validation Japan Medical Device Regulations 1
A How to approach ISO 9001:2015 Clause 7.1.6 when 3rd Party Auditing ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
alonFAI How to define a Risk Based Approach for Supplier Management per ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 1
B Risk Requirements to meet the explicit Risk Based Approach of ISO 13485:2016 Examples ISO 13485:2016 - Medical Device Quality Management Systems 21
A How do we implement a Process Approach ISO 13485:2016 - Existing GMP QMS Other ISO and International Standards and European Regulations 2
V When and How to apply the Bayes Success Run approach for Sample Size Determination Inspection, Prints (Drawings), Testing, Sampling and Related Topics 4
A Quality Policy approach of ISO 9001:2015 Clause 5.2.1a ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
Ajit Basrur Could a bracketing approach be used for Gage R & R ? Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 1
P CMM Equipment Validation and Qualification Approach ISO 13485:2016 - Medical Device Quality Management Systems 11
W ISO 9001, ISO 14001 and 18001 Integrated Approach ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
C Need assistance with ISO 9001 Certification Approach ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
G Quality Manual - Taking a Different Approach Quality Management System (QMS) Manuals 11
A FTA-Top/Down approach to Risk Analysis ISO 14971 - Medical Device Risk Management 2
D How to approach Paper and Electronic Record Control for ISO 9001:2008 Records and Data - Quality, Legal and Other Evidence 7
P System Audit Approach - Application of VDA 6.3 - Process Auditing VDA Standards - Germany's Automotive Standards 2
B How do you approach the "Safe Launch" Process APQP and PPAP 17
M Quality training through tests/quiz style approach Training - Internal, External, Online and Distance Learning 8
M Process Approach: Types & number of processes required? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 19
V Is there an approach to define the "must 'or' should" in supplier audits? US Food and Drug Administration (FDA) 2
WCHorn Quality Digest article on the Process Approach to ISO 9001 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
M GRR approach for off line Measuring Equipment Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 2
W Help explaining the need for the Process Approach AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 4

Similar threads

Top Bottom