Welcome to what was The Original Cayman Cove Forums!
This thread is carried over and continued in the Current Elsmar Cove Forums

Author Topic:   Internal Auditing - Some Thoughts
Marc Smith
Cheech Wizard

Posts: 4119
From:West Chester, OH, USA
Registered:

posted 07 February 1999 08:25 AM
--> From: Al Hitchcock Subject: Q:
--> Contract Internal Audits /Hitchcock
-->
--> I am a QA Manager at a company that has 60 retail stores located in
--> 6 Midwestern states. We are ISO certified with a corporate
--> certificate. Over the course of 3 years I have to get all locations
--> assessed. To implement and maintain internal audits at all locations
--> that have already been through this is beginning to be a challenge.
--> Since we are working with internal auditors that volunteer, getting
--> and scheduling audits is getting to be a real headache. In looking
--> towards the future, I may have to rely on some other method to
--> "maintain" my system and conduct the internal audits at these
--> locations.
-->
--> Question: Does anyone out there have any ideas on how this can be
--> accomplished? Does it make any sense to contract this service out
--> and still make it cost effective? It may come to the point with our
--> growth that we could potentially be looking at 200 internal audits
--> per year (100 locations with an internal audit once every six
--> months). My staff would have to be huge?
-->
--> Looking for suggestions....
-->
--> - Al...

I try to get all my clients to out-source Internal Audits. I have seen too many problems with companies doing their own. Some handle it well but many don't. Do a quick cost analysis and you will also see you can generally do internal audits cheaper by getting an outside source. Consider training costs, training time, personnel salary & burden, trained folks who 'decide' not to, trained folks who leave or are transferred. Consider the inherent conflict of interest (my Buddy Bob and I work in different jobs and areas, but we drink together, party together, etc.). Example: I worked with a client in a QS9000 implementation. I trained 45 people in Internal Auditing. Within 6 months over 20 were gone for one reason or another. More people to train.

Doing your own can work, but you'll save yourself a lot of hassle if you out-source them. No - I don't include internal auditing as part of my business - I'm not looking for business. I do know many people who do internal auditing (yes - qualified people). They charge anywhere from US$320 (travel costs - not travel time - extra) a day to US$1200 a day plus expenses plus travel time. A pretty wide range. I have 3 friends right now in Kansas working for US$350 a day (that includes their expenses). They are all retired professionals. One I spoke with today. He enjoys auditing - which is why he does it.

My personal opinion is that internal audits by company employees is like the fox guarding the hen house. It's just plain silly. And - It's expensive. While I understand this is an ISO group, the QS folks are seeking examination and certification of internal auditors. More expense. More hassle. More constraints. Just one more thing a company has to take on. And guess who will make the money from the training and certification.... Another business expense?

I have heard the arguments about how it 'educates' folks in the company and such but I keep coming back to this: If you do internal audits with company employees, you should hire with that criteria stated and include it in each job description. If that is not the case, IMHO you are not ISO compliant in your job descriptions.

Now ask yourself: Is your company really in the business of training and keeping internal auditors going? Just like companies outsource IT services, janitorial, security (and many other services), outsourcing internal audits just makes sense.

Considering your potential need of 200 audits a year, I would contract with 1 person (maybe 2) for those audits for consistency. Note that I said 1 person. Don't go through a company unless they guarantee (of course unless that auditor quits) you the same auditor everywhere. I also suggest you understand that if you go through a contract house you will pay twice as much or more than if you contract with an individual. Look for someone who is IRCA registered Lead Auditor or equivalent. I would be happy to put you in touch with a couple of folks who would be interested. Shoot me an e-mail if interested. Or - Check with your local ASQC chapter. Most cities have an auditor consortium / pool.

Regards,

Marc T. Smith

---------------snippo-------------

--> From: Tom Moore Subject: Q: Int. Auditor
--> Responsibilities/Moore
-->
--> I know there are two basic responsibilities for auditors:
-->
--> 1. Does the area perform according to documented procedures?
-->
--> 2. Are the documented procedures compliant to ISO?
-->

Let your registrar ensure your systems are ISO compliant.
Let your internal auditors audit your internal systems for internal compliance.

I cannot for the life of me understand why so many companies want their internal auditors to be ISO experts. Is it in their job description? There is no requirement for #2 above. None whatsoever. Once your systems are compliant as confirmed by a successful ISO registration, the only 'check for ISO compliance' that has to be made is when ISO systems are changed, such as a level 2 procedure. Unless a major system is changed there should be absolutely no need to continually check for ISO compliance. No change is no change! I am not sure why there is this big push to make Internal Auditors ISO (or QS) experts, but (bluntly) I think it's just plain stupid.

You might also want to check my recent response to:
--> From: Al Hitchcock Subject: Q:
--> Contract Internal Audits /Hitchcock

I think this 'Internal Auditing' thing is getting totally out of hand.

Regards,

Marc T. Smith

--------snippo--------

--> From: Brian Charles Kohn Subject: RE: Internal
--> Auditor Responsibilities/Moore/Kohn

--> A third-party registrar conducts only very superficial assessments
--> of your quality system, especially at the detailed procedure and
--> work instruction level.
-->
--> Brian...

Ummm, wow. Let me know which third party registrar conducts only superficial assessments. I deal with a lot of them from time to time - UL, TUV, LRQA, AGA (formerly), Entela, to name a few. Every one of them goes right to the meat - where 'the rubber meets the road' so to speak. The closest they ever come to a 'superficial' assessment is the original document review prior to pre-assessment.

Regards,

Marc T. Smith

--------snippo--------

--> From: Dennis Arter Subject:RE: Internal Auditor
--> Responsibilities/Moore/Vaissiere/Arter
-->
--> Earlier, Gary Vaissiere wrote:
-->
--> >An internal auditor should be checking compliance with the
--> >procedures not with the standard. >
-->
--> Sorry Gary, I'm afraid your advice is incorrect.

Sorry Dennis, I'm afraid your statement/advice is incorrect. You are helping to build on a myth that internal auditors should be ISO experts.

--> Perhaps you forgot about the *majority* of firms who use the ISO
--> 9001 or 9002 standard and don't give a flip about registration,
--> third party or otherwise.

I simply do not believe there is a legion of companies out there going through compliance without registering. Not likely at all.

--> Perhaps you also forgot that there are two
--> types of quality system audits: compliance and management.

Compliance (I'm assuming you mean compliance to ISO9000 - you don't state which) should be the province of your registrars, management rep or other qualified person - NOT your internal auditors. Why does everyone want to make internal auditing an adventure of ISO9000 interpretation? Why in the world do folks foster this myth that you need a crowd of people (a gaggle of internal auditors) checking for ISO9001 compliance?

Compliance Audits:
Compliance to ISO9001 (or other spec)
Compliance to internal company documentation (documented systems)
Let us be specific.

--> While the first part of your reply is correct (auditors, internal
--> and external, always check compliance with procedures), the second
--> part is much too restrictive.

Please explain what you are saying here. The second part? Gary wrote:

--> >An internal auditor should be checking compliance with the
--> >procedures not with the standard.

What second part?

--> A truly helpful internal auditor checks compliance with several
--> levels of documentation: the external policies and requirements, the
--> corporate standards, the local manual requirements, the shop
--> procedures, and even the job work instructions. Depending on the
--> purpose and scope, the emphasis of the audit will vary. Sometimes,
--> it is high level and much of the detail is deferred until a later
--> assessment. Sometimes, it's very focused and the foreman wants a
--> look all the way down to the blueprints.

And sometimes the companies are only 10 to 14 people. Or a few hundred. You confuse behemoths like Motorola with the reality that most companies do not have corporate - they are the company. They do not have layers and layers of inter-related documentation and inter-related corporate and site dependent requirements. You can go right from the quality manual to the tier 2 to the WI to the supporting records in short order. I suggest to you smaller companies are the real world. Huge multinationals have quite different needs than those of mainstream businesses.

Again, I believe you are propagating the myth that internal auditors need to know more than they really do need to know and that they need to do more than they need to do. You say "...a really helpful internal auditor will...". Let's get it real. Your description is one of a professional internal auditor. In real life internal auditors hardly have the time to get their jobs done not to mention to do an internal audit.

--> I could go on and on about management audits. (But I won't - smile.)
-->
--> >Such an auditor is usually not qualified (4.18) for interpretation
--> >of ISO.
-->
--> Whoa! If this statement is true, then at least two, and possibly
--> more, fundamental rules have been violated:

There is absolutely no requirement that internal auditors be trained against ISO9000 unless your company decides they want the internal auditors to also check for ISO9000 compliance - which is silly. No fundamental rule broken - This just does not jive with your belief (definition) that internal auditors should be competent to verify compliance with ISO9000.

--> a) Auditors are not allowed to interpret. Sure, they do it all the
--> time, but it's wrong. Because management has not done the
--> interpretation in the first place, some auditors feel they are doing
--> folks a favor by offering this interpretation. They have just
--> crossed over that "vested interest" line. The auditor is now part of

I sure don't understand what you are trying to say. They can interpret whether a form is being filled out. They can interpret whether a record is being filed. They can interpret whether documented (and undocumented, such as 'trained' systems/procedures) are being followed. All that they cannot interpret is whether the systems are ISO compliant. Internal auditors only have to see if something is being done as documented. Not many gray areas. Not much to interpret. Unless you expect them to interpret compliance to ISO requirements - which should not be their job.

--> the problem. If the manuals, procedures, and work instructions are
--> vague and fuzzy, the auditor should say, "The requirements have not
--> been defined. I have nothing to audit against."

If vagueness, fuzziness or clarity was not addressed when the documents were authored there is a fundamental problem to begin with which should not be in the scope of the internal auditor's duties to decide. I have serious problems with an expectation of an internal auditor going out and setting an agenda of defining the clarity / vagueness / fuzziness of documented systems. IMHO you are way off track here blinded to the real world by your experience and profession.

--> b) The client (audit boss) has not qualified his or her staff. Or
--> perhaps there is no audit boss. Regardless, a truly good internal
--> (or external) audit program needs accountability for the performance
--> of auditors. Two very fundamental qualification requirements address
--> a) technical knowledge of the processes, and b) understanding of the
--> way audits are performed.

If I train my internal auditors how to prepare for and carry out an audit and they are knowledgeable of the system / process they are auditing, that's all I need. I'm trying to get my product processed and get business done. Elevating internal auditing to such a high level is silly. The extreme is where (as in some very large multi-nationals) there is a dedicated audit staff. Motorola has what amounts to an audit department to validate QSR compliance at facilities worldwide. But let's say my company is only 250 people. I'm not sure I can go that route with any economic sense. All I am trying to do is verify (pre-audit prep - check intra-document consistency - then derive check list) and then validate (show me the evidence you're doing this) my internal documentation / system.

--> >Compliance with ISO is the responsibility of the third party
--> >registrar or an external body such as a vendor evaluation against
--> >their criteria and/or ISO >
-->
--> I believe you misunderstand the real intent of Conformity
--> Assessment. Originally, third parties came around to *verify* that
--> companies were telling the truth. Unfortunately, that purpose has
--> morphed into something quite different today.

I thought we were talking about internal audits, not 'conformity' assessments. Also, see conformity definitions above.

--> I hope my words don't offend -- they are not intended that way.

Same here. I see things much differently.

--> fear you have been exposed to some very bad advice on auditing

Dennis, I totally disagree. Gary wrote:

--> >An internal auditor should be checking compliance with the
--> >procedures not with the standard.

And he is correct. This is not bad advice on internal auditing in the real world. Internal auditors should not be used for 'conformance' audits where by conformance you mean conformance to ISO9000. They should be verifying and validating documented (and some undocumented / trained) company procedures (systems).

--> and even the way the ISO 9001 or 9002 standards should be
--> implemented.
--> Thankfully, we have this fine discussion list to share ideas and
--> help each other.
-->
--> Dennis R. Arter, "The Audit Guy..."

Regards,

Marc T. Smith


Marc Smith
Cheech Wizard

Posts: 4119
From:West Chester, OH, USA
Registered:

posted 07 February 1999 09:02 AM
To add to this, a fella just called (yes - 7:30 am on Sunday). He's a line supervisor at a large multi-national. He went to a 'QS Internal Auditing' course. Basically the gist was he couldn't pick up all the QS interpretations so he felt he did poorly on the course.

Folks - The AIAG, Plexus (I suspect) and some others will make plenty of money on this 'certified QS Internal' Auditor bull. So - here we are wanting companies to train a bunch of people to interpret QS9000 compliance. Hell - the auditors working for registrars and consultants like me have enough problems interpreting it. Now they want line supervisors to 'understand' and interpret QS9000. What a joke. And an expensive joke.

I stripped out any identifying specifics as the e-mail was sent in confidence, however someone recently wrote me saying:

--> To put this in perspective, I'm no rookie. You and I discussed a
--> similar "gray area" a year or so ago regarding Ford requirements for
--> QS-9000. I've logged more hours on internal and external auditing
--> from a first, second, and third party aspect in the past five years
--> than most registrar auditors on the road today. In 96, I was the
--> xxnd person in the world to pass the certification exam (same exam
--> given to registrars) for first party auditing to QS-9000 given by
--> the Supplier Quality Requirements Task Force. The certificate
--> hanging on my wall is sanctioned and recognized by Ford, GM, and
--> Chrysler. I have been management rep for a large worldwide
--> xxxxxxxxxx manufacturer for nearly five years now (notice I said
--> Management Rep, not QA Manager. My whole job is
--> QS-9000....full-time). Having established the fact that I am an
--> experienced professional, if I am somewhat confused on this third
--> edition issue, that's a problem. Registrars have the habit of
--> incorporating their own opinions into the requirements which they
--> call "meeting the intent". I'm having problems being prepared to
--> anticipate the issues that might be considered the "intent" of this
--> whole "qualified in-house laboratory" issue.

Let me see here - he and I make our living interpreting QS9000. And the AIAG and the other automotive folks want line supervisors to understand and interpret QS9000. A cruel, expensive joke.

-----------

I want to take a minute to thank Warren Norid, Steve Walsh and Dan Reid for providing me with new (and increasingly unintelligible) material (the QS 3rd edition) to keep me (and many, many others) consistently employed. Everyone who buys a car is putting at least a few cents into my pocket. As long as they continue to keep QS9000 as vague and next to impossible to interpret as they have to this point, my financial future is assured.

I'm sorry they're pushing for certified internal auditors, but I do understand it. They want the money for the training and certification. The side effect is that companies will have to add 'internal audits' to documented job descriptions. And they will have to add the understanding of QS9000 as a required job skill. Considering the trouble registrars are having interpreting QS, I'm sure we'll get some interesting interpretations from all these extra auditors whose jobs are (really) assembly, supervision, etc., etc.

Maybe next they can certify management reps. And then maybe cal lab managers. Then cal lab techs. Then maybe purchasing managers. Then maybe materials managers. Wow! We can have everyone certified to something and the AIAG and related folks (with kickbacks to Warren Norid, Steve Walsh and Dan Reid in one way or another - like the Plexus sweetheart deal provided them) can clean up on training and certification fees. How about a certified plant manager? Or a certified HR specialist? And why stop there? How about a certified receptionist?

Geezzzzzeeeeee.....

[This message has been edited by Marc Smith (edited 02-07-99).]


Don Winton
Forum Contributor

Posts: 498
From:Tullahoma, TN
Registered:

posted 07 February 1999 03:14 PM
Marc,

My response may be sorta long.

First, I hope the responses you submitted here you also sent to the listserve. Those, for the most part, need it. The responses I have seen, in addition to the ones you posted, need some realism.

quote:
Does anyone out there have any idea's on how this can be accomplished? Does it make any sense to contract this service out and still make it cost effective?

In this case described, contract audits is probably the most effective.

quote:
Example: I worked with a client in a QS9000 implementation. I trained 45 people in Internal Auditing. Within 6 months over 20 were gone for one reason or another.

I have experienced virtually the same thing. Under the assumption that internal audits are a perpetual thing (they are) then contracting may be the preferred method.

quote:
Doing your own can work, but you'll save yourself a lot of hassle if you out-source them... My personal opinion is that internal audits by company employees is like the fox guarding the hen house.

Agreed. I also am not looking for auditing work. I suggest this (outsourcing) as, perhaps, the ultimate in "objective" internal audits.

quote:
the QS folks are seeking examination and certification of internal auditors. More expense. More hassle. More constraints. Just one more thing a company has to take on.

Personally, the RAB and QS folks deserve each other.

quote:
Now ask yourself: Is your company really in the business of training and keeping internal auditors going? Just like companies outsource IT services, janitorial, security (and many other services), outsourcing internal audits just makes sense.

Agreed. And anyway, where does it say that internal audits shall be performed by employees.

quote:
Let your registrar ensure your systems are ISO compliant. Let your internal auditors audit your internal systems for internal compliance.

Marc, that is perhaps the best bit of wisdom I have heard in a very, very long time.

quote:
I cannot for the life of me understand why so many companies want their internal auditors to be ISO experts.

Agreed. This only contributes to the 'urban legend' that internal auditors must be ISO savvy.

quote:
I think this 'Internal Auditing' thing is getting totally out of hand.


I know you probably saw it, but if not, see Scalies post.

quote:
A third-party registrar conducts only very superficial assessments of your quality system, especially at the detailed procedure and work instruction level.

I could not agree more with Marc's response to this.

quote:
Sorry Gary, I'm afraid your advice is incorrect.

Sorry Dennis, I'm afraid your statement/advice is incorrect. You are helping to build on a myth that internal auditors should be ISO experts.


Agreed, See above.

quote:
I simply do not believe there is a legion of companies out there going through compliance without registering. Not likely at all.

Marc, this may not necessarily be true. With the advent of FDA, Telecom and aerospace so-called "equivalents," some may be compliant and not considering registration. But, that would not be a wise move on their part.

quote:
Why does everyone want to make internal auditing an adventure of ISO9000 interpretation?

Perhaps the FDA and QS bug has struck. Perhaps not.

quote:
I suggest to you smaller companies are the real world. Huge multinationals have quite different needs than those of mainstream businesses.

This goes to your "appropriate" and "intent" statement. There is no requirement anywhere, other than the proposed RBA stuff, that internal auditors be ISO experts or anything else of the ilk(sp).

quote:
Again, I believe you are propagating the myth that internal auditors need to know more than they really do need to know and that they need to do more than they need to do. You say "...a really helpful internal auditor will...". Let's get it real. Your description is one of a professional internal auditor. In real life internal auditors hardly have the time to get their jobs done not to mention to do an internal audit.

Agreed. Well said, Marc. I particularly dislike "...a really helpful internal auditor will...". An effective internal auditor will observe and report. It is management's responsibility to implement corrective action based on these reports.

quote:
There is absolutely no requirement that internal auditors be trained against ISO9000 unless your company decides they want the internal auditors to also check for ISO9000 compliance - which is silly. No fundamental rule broken - This just does not jive with your belief (definition) that internal auditors should be competent to verify compliance with ISO9000.

Agreed and, again, well said.

OK, enough for now. Marc, all of your replies are well stated and well said. The so-called ISO pundits would do well to observe your sage advice.

One last thing:

quote:
Geezzzzzeeeeee.....

Reiterated from this end.

Regards,
Don

[This message has been edited by Don Winton (edited 02-07-99).]


Roger Eastin
Forum Wizard

Posts: 345
From:Greenville, SC
Registered:

posted 08 February 1999 08:51 AM
This is a great discussion on internal auditing! Wow, there is a lot of confusion on this topic...almost scary. I mean the standard seems pretty clear that the internal auditor is to check for effectiveness of the quality system. This does not seem to say anything about checking for compliance. I know that a check for compliance needs to be done, but that belongs to another function other than internal auditing. Thanks for the snippos. We all learn a lot from them.


Marc Smith
Cheech Wizard

Posts: 4119
From:West Chester, OH, USA
Registered:

posted 11 March 2000 05:45 PM
Also see

Andy Bassett
Forum Contributor

Posts: 274
From:Donegal Ireland
Registered: Jun 1999

posted 12 March 2000 10:53 AM
I go along with everything you say.

If you have a company that is fully ISO motivated, well supported from management, with large training budgets and employees with time on their hands, Yes! Why not train them all to the 'N' th degree in ISO and let them crawl all over the company and check it for ISO compliance.

If however you have a real-life company with employees that are busy doing their own job, then I suggest at the most they spend some time to make sure that their processes AND THE LINKS BETWEEN THEM OR THE DEPTS are in good condition. Auditing for ISO compliance should belong to a full-time ISO trained employee, or better still an external person. I favour the external person because you are likely to get someone who has a good cross-section of experience across the industry.

In short I have met very few SMEs that can do Internal Auditing themselves well.

Regards

------------------
Andy B


All times are Eastern Standard Time (USA)
