
Types of Internal Audit findings based on ISO 9001 Clause 8.2.2


Integrator - 2012

#1
ISO 9001 8.2.2 Internal audit states
"The organization shall conduct internal audits at planned intervals to determine whether the quality management system

a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and
b) is effectively implemented and maintained."

I've always felt that this definition of internal auditing is effective but awkward. To me it boils down to

+ Does the internal audit show:-
a) (Documented) system conforms to (ISO 9001) standard requirements and company requirements?
b) (Documented) company system is being followed by auditee.



I put "documented" in brackets because systems are normally but not always documented.

These two aspects of internal audit are critical and are separate issues. An audit nonconformance should always be categorisable into type a) and type b).

Audits that focus on type a) are sometimes called "process" or "desktop" audits and there are some other names for type b), but it is always possible to do an internal audit and categorise findings into type a) or type b) internal audit nonconformances.


I came up with my own 'labels' for these two types of audit findings but I wish to reconsider these labels.

My question is:- What do other quality practitioners call these type a) and type b) findings?

Integrator


 

Big Jim

Super Moderator
#2
The standard only requires six topics have documented procedures (Control of Documents, Control of Records, Internal Audit, Control of Nonconforming Product, Corrective Action, and Preventive Action).

Organizations can choose to document more, and most do, but few choose to document every topic.

In your scheme, how would you audit the topics that are not documented?

Auditors need to audit your actual practice. That is done by auditing any applicable documents and records as you have noticed as well as auditing your organization's actual practice. When there is no documented procedure and no required records, the actual practice is audited by interview and observation.

Something else amiss in your understanding is that "desktop audit" does not equal "process audit".

The comparison instead is between "element based audit" and "process based audit". An element based audit uses a checklist that walks through the standard one element at a time from 4.1 to 8.5.3. It can be useful for confirming each element is addressed, but usually is not very useful in determining how healthy the organization is overall. It is especially weak in addressing element 8.2.3 (Monitoring and Measurement of Processes).

A process audit is performed by determining what the auditee says their processes are (identified from the description of the interaction of processes), determining what elements apply to that process, and then auditing that process. For example, when auditing Purchasing, an auditor would stress element 7.4 as well as the outsourcing portion of 4.1. Of course, all other elements would be considered too as applicable. Any pertinent documents and records would be audited to accomplish this as well as auditing the actual practice of that process.

I'm not sure that I answered your question, but hopefully I have expanded your understanding, and sometimes that accomplishes the same thing.
 

Jim Wynne

Staff member
Admin
#3
<snip> I came up with my own 'labels' for these two types of audit findings but I wish to reconsider these labels.

My question is:- What do other quality practitioners call these type a) and type b) findings? <snip>
I call them "findings." :D Why do you feel that you need to give them separate names?
 

Mikishots

Trusted Information Resource
#4
ISO 9001 8.2.2 Internal audit states
"The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and
b) is effectively implemented and maintained."

I've always felt that this definition of internal auditing is effective but awkward. To me it boils down to

+ Does the internal audit show:-
a) (Documented) system conforms to (ISO 9001) standard requirements and company requirements?
b) (Documented) company system is being followed by auditee.



I put "documented" in brackets because systems are normally but not always documented.

These two aspects of internal audit are critical and are separate issues. An audit nonconformance should always be categorisable into type a) and type b).

Audits that focus on type a) are sometimes called "process" or "desktop" audits and there are some other names for type b), but it is always possible to do an internal audit and categorise findings into type a) or type b) internal audit nonconformances.


I came up with my own 'labels' for these two types of audit findings but I wish to reconsider these labels.

My question is:- What do other quality practitioners call these type a) and type b) findings?

Integrator
I don't necessarily agree with your interpretation; the critical aspect (and the whole point of the audit) is to determine if the processes are effective or not. People can follow a documented company system to the letter, but if the system sucks, the audit cannot report a successful implementation. They specifically used the term "effective" for a reason.

As a result, I don't entirely agree with your categories. If I was told I had to document only two types, they would be:
a) The process is in place but planned results are not achieved (i.e. not effective). Actions are being taken to resolve.
b) The process is not in place and the planned results are not achieved.

The definition for non-conformance is explicitly detailed and I won't repeat it here. It comes down to the degree (separating a major from a minor). In my two examples above, the first would be classified as a minor and the second as a major.

I'm a bit confused as to why such emphasis is only made on documented procedures - what about the others?

Differentiating findings into "types" is unnecessary and helps nothing - if the finding is described adequately, it really isn't important.
 

Integrator - 2012

#5
Thank you all for your well considered comments.

As I haven't been deluged with a 'consensus view' I'll stick to my original labels, which are:-

1) "adequacy", i.e. (documented) procedure meets/does not meet requirements of std.
2) "conformance", (documented) procedure is/is not being followed.
3) "effectiveness", (documented) procedure is/is not effective.

All types of audit findings get a grade + OBS, - OBS, Minor NC, Major NC.

All audits have an assessment of conformance. For a well functioning process this is the very least that can be done in an audit, i.e. a + OBS with a copy of a compliant record. An explanation is then made in audit findings in this case by rote that the procedure is adequate to standard and is effectively implemented.

The main reason for the categorisation is the different "typical" outcomes.

1) adequacy NC - rewrite procedure to meet standard, company and client requirements, possible retrain staff.
2) conformance NC - retrain staff.
3) effectiveness NC - review process, re-document, retrain.

As the internal auditor I am often explaining these categories, especially 'adequacy' and 'conformance' and their different outcomes to my co-workers. They usually appreciate the simplicity of the approach. I know I could be accused of oversimplifying, but as we all know, everyone starts with baby food first.
 
#7
I'm inclined to think that you're making a simple situation more difficult than it needs to be. A well constructed non-conformance statement doesn't need 'grading'. I believe, since this is your focus, you might do well to look at the content of any NC and see what that leads to. I also believe that your suggested actions are also a bit prescriptive. Why should any retraining be necessary? Unless a competency was detected as being required, don't just jump to training as the answer. Don't forget that management have to buy in to this and simple is best with them!
 

JaneB

#8
I'm inclined to think that you're making a simple situation more difficult than it needs to be. A well constructed non-conformance statement doesn't need 'grading'. I believe, since this is your focus, you might do well to look at the content of any NC and see what that leads to. I also believe that your suggested actions are also a bit prescriptive. Why should any retraining be necessary? Unless a competency was detected as being required, don't just jump to training as the answer. Don't forget that management have to buy in to this and simple is best with them!
I'm with Andy, in that it sounds as though you're making it more difficult than it needs to be.

My main reservations:

  • There's really no need to grade NCs. Just because external auditors do doesn't mean you have to.
  • In your original gradings, you pretty much discarded any consideration of effectiveness which is one of the most important things of all! in favour of complies/doesn't comply. Although a later post says you do determine if it is/is not effective.
  • It isn't the job of the internal auditor to decide what the solution to an identified weakness is. That responsibility belongs to the manager of the area. Doing it your way is akin to telling them 'I found this weakness in your area, and here's what you must do in order to fix it' is usually a sure fire prescription for making 'quality' and 'internal audit' deeply unpopular with managers, and for good reason.
    Everyone has to own the system. Beware of the 'qwality kop' road.
 

somashekar

Staff member
Super Moderator
#9
I'm with Andy, in that it sounds as though you're making it more difficult than it needs to be.

My main reservations:

  • There's really no need to grade NCs. Just because external auditors do doesn't mean you have to.
  • In your original gradings, you pretty much discarded any consideration of effectiveness which is one of the most important things of all! in favour of complies/doesn't comply. Although a later post says you do determine if it is/is not effective.
  • It isn't the job of the internal auditor to decide what the solution to an identified weakness is. That responsibility belongs to the manager of the area. Doing it your way is akin to telling them 'I found this weakness in your area, and here's what you must do in order to fix it' is usually a sure fire prescription for making 'quality' and 'internal audit' deeply unpopular with managers, and for good reason.
    Everyone has to own the system. Beware of the 'qwality kop' road.
In actual situations, one of these can happen.
1. There is no system in place.
(Not your case as you have a system) .. still look for it in your internal audit.
2. There is a system in place but is not followed.
(Your internal audit has to find this) ... leading to CA
3. There is system in place and is followed, but is not effective.
(Your internal audit has to find this) ... leading to CA
4. There is a system in place and is followed, and is effective.
(Your internal audit has to find this) ... and record
Continual improvement is assessed in above, as the audit finds effectiveness in changing circumstances of business of your organization.
All the 4 above are part of the PDCA which is the essence of QMS and audit.
If you can typecast them, you may. But you need not.
 

Jim Wynne

Staff member
Admin
#10
Thank you all for your well considered comments.

As I haven't been deluged with a 'consensus view' I'll stick to my original labels, which are:-

1) "adequacy", i.e. (documented) procedure meets/does not meet requirements of std.
Whether or not a documented procedure meets the requirements of the standard is something that should be determined before the document is released into the wild and shouldn't have to be verified by an internal auditor.

2) "conformance", (documented) procedure is/is not being followed.
This is, or should be, the prime focus, only I characterize it as whether or not the process is operating as designed.


3) "effectiveness", (documented) procedure is/is not effective.
It's not clear to me whether you're applying "effectiveness" to a document or to a process. If the former case is true, then your #2 should address the issue to some extent. If it's the latter, I'm not sure that internal auditors are in a good position to determine whether or not a process is effective. There should be measurable outputs that can be seen at any given point in time that will tell whether the process is effective or not.


All types of audit findings get a grade + OBS, - OBS, Minor NC, Major NC.
I've never personally seen grading of internal audits to be useful. There's usually too much subjectivity involved. A thing either fulfills the requirements or it doesn't. Observation of a single process isn't likely to yield a reasonable determination that a nonconformity is "major," and an auditor's determination that a nonconformity is "minor" could easily be misbegotten in terms of the bigger picture. Let the auditors report what they find and then let the process owners and upper management sort it out.


All audits have an assessment of conformance. For a well functioning process this is the very least that can be done in an audit, i.e. a + OBS with a copy of a compliant record. An explanation is then made in audit findings in this case by rote that the procedure is adequate to standard and is effectively implemented.
What you refer to as a "+ OBS" (a positive observation, I take it) is unnecessary if the process and its output are operating as defined. The absence of nonconformity speaks for itself. An "observation" might involve something the auditor sees that is unexpectedly good, such as an operator who has a particularly clean and orderly work station, or a person whose record keeping is somehow exemplary. These kinds of "+ OBS" are important in keeping the general perception of audits positive.


The main reason for the categorisation is the different "typical" outcomes.

1) adequacy NC - rewrite procedure to meet standard, company and client requirements, possible retrain staff.
As suggested above, documents that don't meet the requirements of the standard (or other requirements) shouldn't be released in the first place.

2) conformance NC - retrain staff.
While you describe this as a "typical" outcome, there's almost always a reason that processes aren't operated according to the documented requirements that retraining won't help. There should be some effort made to determine why the documented requirements aren't being followed, and whether or not the requirements can possibly be improved.

3) effectiveness NC - review process, re-document, retrain.
Before you start writing NCs against effectiveness, you had better be sure that there is a good and rational and objective operational definition of the term. In many, if not most, cases internal auditors are not in a good position to be making judgments about effectiveness. It's better to raise a question than to come to an ill-informed conclusion.


As the internal auditor I am often explaining these categories, especially 'adequacy' and 'conformance' and their different outcomes to my co-workers. They usually appreciate the simplicity of the approach. I know I could be accused of oversimplifying, but as we all know, everyone starts with baby food first.
As others have noted here, I think your system leans towards overcomplication rather than simplicity. Let auditors be reporters, telling in objective terms what they see and don't see, and let management sort it out.
 