Using Customer Audits as part of the Internal Audit Plan for ISO9001

[ScottK]

Lets say you are an ISO9001 registered company and supply companies that audit you regulary (drug, device, auto, aerospace, etc).

Let's also say times are very lean and you're failing to meet your internal audit plan because you are now doing the job of someone else who got laid off in addition to your own.

Is it possible to use these customer audits as part of said system, treating them as you would a consultant you might hire to do your internal audits?
Perhaps review the areas covered during these customer audits and then supplementing them to ensure all the processes you need to audit in a given time period are covered?

I'm just tyring to think out of the box. I'm not in such a situation, in fact I'm expanding my internal audit program, but looking at my upcoming customer audit schedule my whole QMS will be audited multiple times over in the next sic months by very qualified auditors.

I know it defeats the purpose of getting people inside the company involved but it does still contribute to continual improvement.

 

[Doug]

Lets say you are an ISO9001 registered company and supply companies that audit you regulary (drug, device, auto, aerospace, etc).

Let's also say times are very lean and you're failing to meet your internal audit plan because you are now doing the job of someone else who got laid off in addition to your own.

Is it possible to use these customer audits as part of said system, treating them as you would a consultant you might hire to do your internal audits?
Perhaps review the areas covered during these customer audits and then supplementing them to ensure all the processes you need to audit in a given time period are covered?

I'm just tyring to think out of the box. I'm not in such a situation, in fact I'm expanding my internal audit program, but looking at my upcoming customer audit schedule my whole QMS will be audited multiple times over in the next sic months by very qualified auditors.

I know it defeats the purpose of getting people inside the company involved but it does still contribute to continual improvement.

I've asking myself the very same question. I do not have enough trained competent personal at the moment to satisfy my audit needs. However, as you mentioned, I receive many csutomer audits yearly. Thanks for the post.

 

[Stijloor]

Lets say you are an ISO9001 registered company and supply companies that audit you regulary (drug, device, auto, aerospace, etc).

Let's also say times are very lean and you're failing to meet your internal audit plan because you are now doing the job of someone else who got laid off in addition to your own.

Is it possible to use these customer audits as part of said system, treating them as you would a consultant you might hire to do your internal audits?
Perhaps review the areas covered during these customer audits and then supplementing them to ensure all the processes you need to audit in a given time period are covered?

I'm just trying to think out of the box. I'm not in such a situation, in fact I'm expanding my internal audit program, but looking at my upcoming customer audit schedule my whole QMS will be audited multiple times over in the next sic months by very qualified auditors.

I know it defeats the purpose of getting people inside the company involved but it does still contribute to continual improvement.

Scott,

If customer audits are fairly common at your organization, you should include these 2nd Party (Customer) audits in your internal audit procedure. Make sure that the audit reports, results, observations and nonconformities are duly reported, reviewed and corrective actions completed. When you tie all this in with Management Review (item "a" talks about audit results), then you have killed two birds with one stone. Customer audit scopes may be limited. So, at a regular basis, you determine what other processes remain to be audited, and include those in your (updated) audit schedule.

Stijloor.

 

[ScottK]

I've asking myself the very same question. I do not have enough trained competent personal at the moment to satisfy my audit needs. However, as you mentioned, I receive many csutomer audits yearly. Thanks for the post.

I was just googling for guidances and don't see anything specifically regarding this.
I'm thiking that
A) define it well in a procedure how you go about using customer audit reports supplemented by your own to meet the requirements of 8.2.2
B) document customer findings in your CAPA system

you should be covered.

8.2.2 never says internal audits need to be performed by internal personnel

does anyone have the ISO definition of Internal Audit?

 

[Randy]

does anyone have the ISO definition of Internal Audit?

Yep...ISO 9000:2005

audit
systematic, independent and documented process (3.4.1) for obtaining audit evidence (3.9.4) and evaluating it objectively to determine the extent to which audit criteria (3.9.3) are fulfilled

NOTE 1 Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization (3.3.1) itself for management review and other internal purposes, and may form the basis for an organization’s declaration of conformity (3.6.1). In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited.

NOTE 2 External audits include those generally termed second- and third-party audits. Second-party audits are conducted by parties having an interest in the organization, such as customers (3.3.5), or by other persons on their behalf. Third-party audits are conducted by external, independent auditing organizations, such as those providing certification/registration of conformity to ISO 9001 or ISO 14001.

NOTE 3 When two or more management systems (3.2.2) are audited together, this is termed a combined audit.

NOTE 4 When two or more auditing organizations cooperate to audit a single auditee (3.9.8), this is termed a joint audit.

And lets not forget ISO 9001:2008, 8.2.2

8.2.2 Internal audit
The organization shall conduct internal audits at planned intervals to determine whether the quality
management system

 

[ScottK]

Isn't hiring a third party to conduct an internal audit on a org's behalf an accepted practice?
The organization has conducted the internal audit by hiring a temp, so to speak.

stretching that sentinment a little further we can do an internal audit of the 2nd party audit results and therefore have audited the areas the second party did. Why should we repeat all that work? Then we can hit the processes not covered with a true internal audit.

8.2.2 also says "taking into consideration the status and importance of the processes and areas to be audited"... if I have processes that have been audited multiple times already by a 2nd party - then I can bump those down the importance factor and focus on areas and processes not already covered.

 

[Colin]

My view on this is that 2nd party audit results can be very helpful and should be considered as 1 of the inputs to management review but they should not be instead of your own internal audits.

In most systems, 2nd and 3rd party audits are largely checking conformance with the standard whilst internal audits tend to be more focused on checking for conformance with the procedures. This means that internal audits should get into more detail than external audits.

 

[ScottK]

My view on this is that 2nd party audit results can be very helpful and should be considered as 1 of the inputs to management review but they should not be instead of your own internal audits.

In most systems, 2nd and 3rd party audits are largely checking conformance with the standard whilst internal audits tend to be more focused on checking for conformance with the procedures. This means that internal audits should get into more detail than external audits.

I find second party audits to be very thorough for the most part. Thorough as far as the areas they are checking... they certainly don't cover the entire standard.
But when you get audited on average once a month it'll hit nearly everything in the course of a year.

 

[Randy]

Here's the deal, whether or not an internal audit is performed by organic or external personnel isn't in question, it's the relationship the audit relative to the organization and the purpose (it's called objective) of the audit.

Are you seriously going to let a customer audit ALL of your system and organizational processes or only open your doors to information that is only relevant to them?

Are you seriously going to let your customer audit communications and other information that may be relevant to other your customers such as their individual specifications and maybe proprietary inforation which is only shared with you? Gotta good lawyer?

Let customers audit each others stuff that you do for them That dog ain't gonna hunt as we say here.

Scott, Yes, you can use data (results) from your customer audits as part of the input into your internal audit, but not as your internal audit. Why? Mainly because you (your organization) have no ownership of their audit process which is an absolute for internal audits.

 

[Stijloor]

Here's the deal, whether or not an internal audit is performed by organic or external personnel isn't in question, it's the relationship the audit relative to the organization and the purpose (it's called objective) of the audit.

Are you seriously going to let a customer audit ALL of your system and organizational processes or only open your doors to information that is only relevant to them?

Are you seriously going to let your customer audit communications and other information that may be relevant to other your customers such as their individual specifications and maybe proprietary information which is only shared with you? Gotta good lawyer?

Let customers audit each others stuff that you do for them That dog ain't gonna hunt as we say here.

Scott, Yes, you can use data (results) from your customer audits as part of the input into your internal audit, but not as your internal audit. Why? Mainly because you (your organization) have no ownership of their audit process which is an absolute for internal audits.

I do not think that your concerns were part of Scott's question. I do not believe that it is the intent to have customer auditors come in and audit ALL processes and activities. But customer audits (just as in Scott's case) will happen and I believe that the audit results should be considered in the audit process. Nothing wrong with being pragmatic as long as the intent is clear that 2nd Party audits will not replace internal audits in its entirety.

Stijloor.