Why internally audit ISO clauses for ISO 9001:2000? (Small company)

[Bob_M]

Why internally audit ISO clauses for 9k2k? (Small company)

My thinking may be a bit off here but I'll post it anyways...

With the change from ISO 9001:1994 which was very element and checklist oriented (typically) to 9k2k which is suppose to be process, flow and effectiveness based...

Why would you want/need to audit your company's compliance to the ISO standards ASSUMING YOU'VE PASSED REGISTRATION AND BUILT A GOOD SOLID SYSTEM THAT TRULY FOLLOWING ISO?

Shouldn't "good" systems really just be audited based on internal processes, procedures, and flow?

In theory the Quality Manager/ISO Coordinator/Someone should be verifying that all new/changed procedures/processes follow ISO BEFORE they are implemented.
-----------
This question stems the fact that we/I need to schedule our next "round" of Internal Audits in the not-to-distance future and our small company's auditors really don't 100% understand ISO but do know OUR requirements...

We don't want to focus just on ISO like our our 1994 style audits which really didn't do us any good... (Different Quality Manager)

Why waste time teaching/auditing to the ISO standards, when we are suppose to be focusing on the processes during IA?
-----------
If I'm way off please straighten me out!
I'm not quite sure how we're going to run our next round of IAs.
The last round was used as mainly a document auditing process while we were re-writing MOST of our procedures and work instructions (for our OWN needs), and it just happened to work well with our ISO upgrade process.
Our auditor was OK with this round's FOCUS, but we definately need to focus on the processes and objective evidence the next time...

 

[Randy]

You're nowhere near being off track, in fact you so much on it's scary!

Your audit should be against the implementation and continuing operation of your system that was established to meet the requirements of the standard. Your internal auditors needn't concern themselves with walking around looking for conformance to 7.whatever, they need to focus on the system and the system requirements (what we say vs. what we do). Now where it gets tricky is to show that the audit process is effective and that you are addressing all the 4.-8. stuff. You've got to audit the audit so-to-speak.

You're asking good questions and you're answering them at the same time.

 

[Jimmy Olson]

Our internal audit system is set up to look for performance rather than compliance and we haven't had any problem. Of course compliance to the standard is in the back of our mind so no surprises come up during our regular audits.

Our schedule is broken down by areas and departments and we look at the processes for that area as well as our own procedures. As part of the planning for each audit we look at the standard and see what clauses apply for that area and that way we can claim that we are adressing the standard, but the focus is looking for improvement opportunities.

Based on what you mentioned so far it sounds like you're on track for a good system without any problems. Just make sure that you keep the standard in the back of your mind so you can keep the external auditors happy

 

[Bob_M]

Re: Why internally audit ISO clauses for 9k2k? (Small company)

You're nowhere near being off track, in fact you so much on it's scary! !

Your audit should be against the implementation and continuing operation of your system that was established to meet the requirements of the standard. Your internal auditors needn't concern themselves with walking around looking for conformance to 7.whatever, they need to focus on the system and the system requirements (what we say vs. what we do). Now where it gets tricky is to show that the audit process is effective and that you are addressing all the 4.-8. stuff. You've got to audit the audit so-to-speak.

You're asking good questions and you're answering them at the same time.

Well at least I'm on track... It may be slightly to get our auditors to understand the "new" concept, but at the same time I still have some tweaking of our manual and process maps before our Upgrade Audit so maybe it will be easier to figure out/schedule/explain later...
(Maybe I'm worrying to soon again)
-------------
If we are able to sucessfully audit our system to check
what we say vs. what we do
and judge the effectiveness of OUR systems
then in a (BSI) auditor's eyes we should be OK for covering internal audits?

 

[db]

The only time you might need to reference the standard is when something changes, or in some rare instances you have no documentation that is directly auditable.

An example might be the designation of a Management Rep -- You might have who the management rep is documented [a record], but no where in you documentation is the "shall", that you would audit against. Without referencing the standard, you would not even be aware that a MR is required.

 

[Bob_M]

Re: Why internally audit ISO clauses for 9k2k? (Small company)

The only time you might need to reference the standard is when something changes, or in some rare instances you have no documentation that is directly auditable.

An example might be the designation of a Management Rep -- You might have who the management rep is documented [a record], but no where in you documentation is the "shall", that you would audit against. Without referencing the standard, you would not even be aware that a MR is required.

Good Point!
Although that should not be a problem unless there was no "ISO" champion/cooridinator or actual quality manager in the future.
------------
To be honest ISO 9k2k sounds very easy on the surface.
But upgrading, implementing, and auditing are not as easy or easy to plan (at least for me).
I'm sure I'll be looking for specific help when I need to work on the IA planning/scheduling.

 

[howste]

8.2.2 Internal audit
The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and
b) is effectively implemented and maintained.

You still need to audit to make sure that your system conforms to the ISO requirements. The focus should really be on 8.2.2b once the system is established, though IMO.

 

[Randy]

Re: Re: Why internally audit ISO clauses for 9k2k? (Small company)

If we are able to sucessfully audit our system to check
what we say vs. what we do
and judge the effectiveness of OUR systems
then in a (BSI) auditor's eyes we should be OK for covering internal audits?

I thought I was looking thru the eyes of a BSI auditor (if a part-time one counts)

Just make sure during the course of your audit process that the essential requirments are being addressed. How you say you do it and how you do it are up to you. Within your audit plan you might want to provide some visual guidance as to how the 4.-8. dribble is being maintained or whatever.

The audit plan is essential. You need to be sure that your plan addresses the neat things like objective, scope and criteria. One of the easiest ways to do this is to use ISO 19011:2002, 6.4.1 Preparing the audit plan.

The audit plan should cover the following:
a) the audit objectives;
b) the audit criteria and any reference documents;
c) the audit scope, including identification of the organizational and functional units and processes to be audited;
d) the dates and places where the on-site audit activities are to be conducted;
e) the expected time and duration of on-site audit activities, including meetings with the auditee’s management
and audit team meetings;
f) the roles and responsibilities of the audit team members and accompanying persons;
g) the allocation of appropriate resources to critical areas of the audit.
The audit plan should also cover the following, as appropriate:
h) identification of the auditee’s representative for the audit;
i) the working and reporting language of the audit where this is different from the language of the auditor and/or
the auditee;
j) the audit report topics;
k) logistic arrangements (travel, on-site facilities, etc.);
l) matters related to confidentiality;
m) any audit follow-up actions.

Use this as a guide. Audit success (as with anything else) begins with planning.

You've got you head screwed on pretty good here

 

[Craig H.]

Bob

I remember discussing this in a previous thread, but I couldn't find it.

The way I look at it is this. We design our quality system with ISO 9001 (9004) in mind. Our internal audits do look at the standard itself, but almost always focus on making sure we do what we say we do (as has just been mentioned). The external audit is much more focused on the standard, but if we get caught not doing something in one of our procs, "DING".

I am not sure this is intentional, but people tend to gravitate toward what they are most familiar/comfortable with.

JMHO

 

[Shaun Daly]

We never have audited our system v ISO itself after registration.

As other peole have done, we audited our performance (and compliance to our system).

However, as I read somewhere recently - things degrade with time.

Changes to your system should be approved as ISO compatible before implementation, but........

If your organisation is anything like mine, you have a 100 people running about like lunatics introducing new products, inhabiting new buildings, a constant turnover of staff;

Can you(we) be everywhere, everywhen?

After a few hiccups here I am starting to take the view that a complete system check TO ISO is not such a bad idea every now & then.

Once a year? How long will it take for a small company to do this. 1 day? 2?

How many embarrasing NC's during surveillance audits will it save?