Too Simple an Internal Audit Check Sheet?

kiwilass

We have been redeveloping our QMS using a process mapping software system which links in all the information needed to carry out the process (i.e. forms, SOPs, policies etc) into each relevant process and ties in the requirements of about 15 different accreditation standards.

On the basis that our Quality department ensures that they are aware of where the accreditation gaps are and work on addressing these with the relevant team and track where exactly each accreditation requirement is demonstrated within our system to show that we fulfil the specific requirement listed.

I would like to formalise a generic internal audit sheet to be used by our internal auditors against any chosen processes, which would cover the following points:

- Process name and version number being assessed.
- Auditor and Auditees and date of audit
- Is the process documented being followed as described?
- Are staff involved aware and understand the process and have access to the procedure and how are they informed of changes to the process?
- Has the procedure been reviewed in the timescale required?
- Training - Are staff involved in the process trained and do they have training records for staff to confirm training has taken place?
- Maintenance and service records - is there any maintenance or service (including calibration) required to be carried out? Records available to show service has been carried out and are these being conducted on time?
- Testing - Is there any testing required as a direct result of the procedure are these within expected limits and samples taken as required?
- Records - verify that the records being described by the process are being filled out to completion and signatures are identifiable and records are kept for time frame specified?
- Document Control - are the documents described within the process being utilised and/or displayed and are the correct version number? There are no other documents being utilised that aren't controlled (confirmed) as described within the process?
- Inspection of equipment - is equipment utilised in a clean state and suitable for use? Is cleaning being carried out as scheduled?
- Process improvement - are suggestions for improvement to the process being reviewed and responded to accordingly?


Ideally I don't want to have to go down the path of formalising individual audit sheets that cover each variation and detail within the process. However is the above too simple in terms of an internal audit sheet? Is there anything glaring that I have missed out completely?


Thank you in advance for any feedback given.
 

AndyN

Moved On
Kiwilass:

Are you proposing these be the questions your auditors ask? Or at least be what they go and check on? If so, you are started down the wrong road, IMHO.

I have done remedial training after organizations have chosen this method - because their auditors didn't like doing the audits. They have no "stake" in planning and preparing and therefore no reason to do a good job. In fact, you are taking away from them, one vital thing they really need to work on - preparation. By making auditors responsible, you won't have to prepare more sheets, either!

These may be the things you keep to guide them through preparation, such that they can tell you, when they sit down to plan their audit what their approach is going to be.

Also, you've added a lot of things into the questions which may not be worth asking. For example, if the crew working hasn't changed etc. why ask about training? You seem to have phrased questions like an external auditor which aren't really appropriate. Your auditors should be asking about how your system works. Why would you be asking about maintenance? You may be asking the wrong people, so the scope has to be precise!

You mention "accreditation gaps" - what do you mean?
 
treesei

I agree with Andy. Giving a detailed checklist to the internal auditors is a great way to de-motivate them by taking away their ownership of the audit they are responsible for.
 
kiwilass

Thanks Andy for your feedback.

Yes I was proposing that auditors read through and understand the process prior and then go on and check on the relevant questions and confirm whether the process was being followed.

With regards to your comments about the auditors being prepared and plan their audits and what their approach is going to be - are you inferring that the internal auditors should be responsible for designing and creating their own questions to ask during an audit?

In terms of accreditation gaps what I mean is that there are some areas in which our business still has to progress on, for example ensuring we have a documented crisis management plan.
 

AndyN

Moved On
With regards to your comments about the auditors being prepared and plan their audits and what their approach is going to be - are you inferring that the internal auditors should be responsible for designing and creating their own questions to ask during an audit?

Not just inferring :yes: They should sit down and prepare their whole audit. They should be able to describe to you, at the end (or even before they start studying) what they would do to audit a particular scope and the associated criteria. You may have to work with them to ensure that level of competency, of course.
 

John Broomfield

Leader
Super Moderator
Thanks Andy for your feedback.

Yes I was proposing that auditors read through and understand the process prior and then go on and check on the relevant questions and confirm whether the process was being followed.

With regards to your comments about the auditors being prepared and plan their audits and what their approach is going to be - are you inferring that the internal auditors should be responsible for designing and creating their own questions to ask during an audit?

In terms of accreditation gaps what I mean is that there are some areas in which our business still has to progress on, for example ensuring we have a documented crisis management plan.

kiwilass,

Train and mentor your auditors so you trust them or replace them. But do not attempt to control them.

After all, your auditors are meant to have the authority to gather and evaluate evidence of conformity and effectiveness and to report the results impartially and objectively.

You must also protect their independence so be careful not to allow auditing (8.2.2) to replace monitoring (8.2.3). Indeed, your auditors should be free to audit the effectiveness of process monitoring.

John
 

mihzago

Trusted Information Resource
I'll add that auditors should not be auditing to a generic set of questions but prepare an audit based on the scope of the audit i.e. federal regulations or standards. They should prepare their own questions, checklists or other materials based on the particular requirements they're auditing against; for example sec. 7.6 of ISO 13485.
 

Hershal

Metrologist-Auditor
Trusted Information Resource
Excellent advice has been given. However, given you repeatedly refer to accreditations, and some 15 standards, you may have to watch out for some potential traps.

For example, if you have ISO9001 and ISO/IEC 17025, you likely will need two different checklists, due to the significant differences in the standards involved. I use these as examples, as you mention processes which is typical for ISO9001, and testing which comes under ISO/IEC 17025. However, the same may be true for other standards.

You also need to look at auditor qualifications. For example, an auditor may be able to work on one standard but not another.

As for having the auditors potentially develop the worksheets, that can be a good idea. They should also be involved in the audit planning, but looking at standards and SOPs used by the auditees, and selecting some portion, then preparing an agenda. The report at the end should reflect the agenda also.

Hope this helps.
 

AndyN

Moved On
Excellent advice has been given. However, given you repeatedly refer to accreditations, and some 15 standards, you may have to watch out for some potential traps.

For example, if you have ISO9001 and ISO/IEC 17025, you likely will need two different checklists, due to the significant differences in the standards involved. I use these as examples, as you mention processes which is typical for ISO9001, and testing which comes under ISO/IEC 17025. However, the same may be true for other standards.

You also need to look at auditor qualifications. For example, an auditor may be able to work on one standard but not another.

As for having the auditors potentially develop the worksheets, that can be a good idea. They should also be involved in the audit planning, but looking at standards and SOPs used by the auditees, and selecting some portion, then preparing an agenda. The report at the end should reflect the agenda also.

Hope this helps.

Only if you are using the standards as your audit criteria. Internal auditors shouldn't really be using the standards as their audit criteria (certainly not exclusively).
 