Search the Elsmar Cove!
**Search ALL of Elsmar.com** with DuckDuckGo including content not in the forum - Search results with No ads.
  • Google has changed ad sizes for some reason. I am investigating and will get the sizes reduced to what they have been until now. I apologise for the inconvenience.

Informational What is the purpose of Internal Audits?

TPMB4

Quite Involved in Discussions
#1
Something came to mind today concerning internal auditing our quality system (certified to iso 9001: 2015). Is the purpose of internal audit to check we are working to our quality system or a combination of that and that it meets the requirements of the standard?

I think it's to check we're doing what we say we do. The external auditor is checking compliance to our system and the standard.

Of course prior to transition we did the check against meeting the requirements of the standard, making improvements to ensure that. However after that the standard doesn't change so you only need to repeat checks against standard for changes to your standard. With no changes does the internal auditor actually need the standard with them?

Am I over thinking this or stating the obvious?
 
#2
ISO 9001:2015 states its purpose for internal audit under section 9.2.1 items a) (especially) and b).

a.1. says you'll provide information through 'conformance' audits on whether the quality management system (usually read as your resources: your personnel, equipment facilities, records, documentation etc.) conforms to your own higher-level requirements for that system (e.g. underlying instruction to its procedure, procedures to policies).​
a.2. says you'll check your quality management system conforms to ISO 9001 through 'conformance' audits .​
b. on effective implementation and maintenance through 'adherence' audits (see the definitions to understand this)​
You can check for all points in the same audit, or have audits focus on any subpoint.

How much you cover each point for each audit item (process) should be risk based, taking into consideration at least importance of processes, prior audit results, changes (such as an upgrade or wholly new standard), etc. resulting in an audit programme which meets your needs: attention where you know little or expect conditions to have changed significantly, no waste of resources on predictable results (because of prior audits or monitoring (though you should still audit the monitoring system itself)).

E.g. if you've been passing external audits to ISO 9001 without any non-conformities or observations you should be able to only sparsely do a.2 type audits. If you have been having some observations, those might give you the areas to focus on in internal audits of type a.2 to pre-empt external audit non-conformities. etc.​
However, you could find some interference here from your certifying organization, who might expect you to do more of a.2 while this should be at your discretion (taking into account the noted considerations).

The political option is to write up b against a.1 if a.1 meets a.2, a.1 to a.2 if it doesn't.

e.g. if procedure is conforming requirements but there is evidence that people are not adhering to it cite your QMS procedure (an a level item that conforms); if one of your work instructions is not according to procedure/policy you write it up against the a.1 level QMS procedure (that does conform to ISO 9001 (level a.2). If your procedure (level a.1) is not conforming to an ISO 9001 clause you write up that a level procedure against ISO 9001, a level a.2 item). (I know this last bit is a mish-mash between example and theoretical labelling, apologies).​
 

Randy

Super Moderator
#3
The reason for internal audits is clearly explained in the 9K15 standard itself, it's to verify if your quality management system:

a) conforms to:
1) the organization’s own requirements for its quality management system;
2) the requirements of this International Standard;
b) is effectively implemented and maintained.


All the other information and help you're going to get is extra and maybe some fluff, but the reason "why" is up above.
 

smryan

Perspective.
#4
I have our IA process in 2 separate parts. The Lead Auditor (me) is responsible for making sure we maintain compliance (and a bunch of other duties). The IA Team process can be simplified as "Continual Improvement". They don't worry about ISO clauses. They look at their assigned processes and the associated documents with 3 basic questions in mind. 1) Do the documents accurately and adequately describe the process? 2) Are people following the process consistently? 3) Are their improvements that can be made to process, documents, or training?

Taking the "ISOese" language out of the IA process has removed a significant stress level for both the auditors and the folks they audit. It has been well received so far.
 

John Broomfield

Staff member
Super Moderator
#5
Every audit needs an objective which is also known as the question to be answered by the audit.

That objective comes from the entity paying for the audit which we may take as top management for internal audits.

So, are audit objectives discussed during management review for the internal audit program?

Does each internal audit contribute towards the fulfillment of those objectives?

Aimless audit (aka fishing expedition) is frustrating for auditees.
 
#6
The reason for internal audits is clearly explained in the 9K15 standard itself,
"Clearly"...:lmao:

Which is why so many people struggle with it and post countless questions about when and how and what etc to audit...

The bottom line to doing internal audits (which has no connection to Certification because meeting ISO 9001 and being certified are almost mutually exclusive) is that the audits provide (independent) validation of the results of the various processes of the organization. So, not JUST are we doing what we say we should. Of course, this validation is what management review is about. A review of the performance of the processes of the org, their ability to achieve the objectives, satisfy customers etc and that the QMS was being implemented to assist in that. Hence, the results are a) believable and b) can be improved.
 

RoxaneB

Super Moderator
Super Moderator
#7
I have the "Start with Why" document posted at my desk. Everything I am asked to do - be it a presentation for results, training on a concept, or develop a new process - needs to start with Why. And I'll be quite blunt here - doing audits for reasons such as compliance, conformance, certification, etc. is completely, utterly, totally pointless. Doing audits for reasons such as compliance, conformance, certification, etc. does little to instill a culture of quality and, if anything, simply perpetuates the perception that our job is to catch people at violating some "rule."

The "Why" behind anything needs to resonate with people...make them nod in agreement and thing "Oh my gosh, that is so true! I can totally support that cause." The "Why" may also be personal - my "Why" behind audits may not be the same as yours, TPMB4...or Andy's or Randy's or John's.

You might find it a bit fluffy, perhaps even whimsical, but (and I am biased here) when I read the lines below, I see the value that can be gained by audits.

Why - We believe that everything we do, we do well and, yet, can still do better.
How - We celebrate our strengths and seize our opportunities.
What - We just happen do this through audits (against defined criteria).
 

Attachments

John Broomfield

Staff member
Super Moderator
#8
Roxane,

Completely agree.

The auditees love to know why you are there as an auditor.

That’s one of the reasons for sharing the audit plan (headed with the reason why) with the auditees the week before.
 

Ninja

Looking for Reality
Trusted
#9
Pretty awesome answers up above.

Is the purpose of internal audit to check we are working to our quality system or a combination of that and that it meets the requirements of the standard?
Providing that "your quality system" is built to encompass all aspects and requirements of the standard...as it should be...these are not really separable. Auditing to "Your QMS" should handle the basic requirements of the standard too...if not, that's a great OFI.

In my words, which I certainly think includes what's up above...
Internal audits are to find all of the dead bodies you've been hiding, so they don't get found by the external auditors...(with the assumption that you then handle them properly instead of just hiding them better).
 
#10
I have our IA process in 2 separate parts. The Lead Auditor (me) is responsible for making sure we maintain compliance (and a bunch of other duties). The IA Team process can be simplified as "Continual Improvement". They don't worry about ISO clauses. They look at their assigned processes and the associated documents with 3 basic questions in mind. 1) Do the documents accurately and adequately describe the process? 2) Are people following the process consistently? 3) Are their improvements that can be made to process, documents, or training?

Taking the "ISOese" language out of the IA process has removed a significant stress level for both the auditors and the folks they audit. It has been well received so far.
This is a great idea. It also allows you to separate qualification requirements such as impartiality (as discussed in this thread) and in-depth knowledge of standards & regulatory requirements (your internal auditors on the "continual improvement" front need only concern themselves with internal processes and requirements). I like it! (y)

...meeting ISO 9001 and being certified are almost mutually exclusive...
Ah, Andy... ever the cynic! :lol:
 
Top Bottom