|
This thread is carried over and continued in the Current Elsmar Cove Forums
|
The New Elsmar Cove Forums
|
The New Elsmar Cove Forums
![]() Auditing
![]() Internal Auditing - Some Thoughts
|
| next newest topic | next oldest topic |
| Author | Topic: Internal Auditing - Some Thoughts | |
|
Marc Smith Cheech Wizard Posts: 4119 |
--> From: Al Hitchcock --> Contract Internal Audits /Hitchcock --> --> I am a QA Manager at a company that has 60 retail stores located in --> 6 Midwestern states. We are ISO certified with a corporate --> certificate. Over the course of 3 years I have to get all locations --> assessed. To implement and maintain internal audits at all locations --> that have already been through this is beginning to be a challenge. I try to get all my clients to out-source Internal Audits. I have seen too many problems with companies doing their own. Some handle it well but many don't. Do a quick cost analysis and you will also see you can generally do internal audits cheaper by getting an outside source. Consider training costs, training time, personnel salary & burden, trained folks who 'decide' not to, trained folks who leave or are transferred. Consider the inherent conflict of interest (my Buddy Bob and I work in different jobs and areas, but we drink together, party together, etc.). Example: I worked with a client in a QS9000 implementation. I trained 45 people in Internal Auditing. Within 6 months over 20 were gone for one reason or another. More people to train. Doing your own can work, but you'll save yourself a lot of hassle if you out-source them. No - I don't include internal auditing as part of my business - I'm not looking for business. I do know many people who do internal auditing (yes - qualified people). They charge anywhere from US$320 (travel costs - not travel time - extra) a day to US$1200 a day plus expenses plus travel time. A pretty wide range. I have 3 friends right now in Kansas working for US$350 a day (that includes their expenses. They are all retired professionals. One I spoke with today. He enjoys auditing - which is why he does it. My personal opinion is that internal audits by company employees is like the fox guarding the hen house. It's just plain silly. And - It's expensive. While I understand this is an ISO group, the QS folks are seeking examination and certification of internal auditors. More expense. More hassle. More constraints. Just one more thing a company has to take on. And guess who will make the money from the training and certification.... Another business expense? I have heard the arguements about how it 'educates' folks in the company and such but I keep coming back to this: If you do internal audits with company employees, you should hire with that criteria stated and include it in each job description. If that is not the case, IMHO you are not ISO compliant in your job descriptions. Now ask yourself: Is your company really in the business of training and keeping internal auditors going? Just like companies outsource IT services, janitorial, security (and many other services), outsourcing internal audits just makes sense. Considering your potential need of 200 audits a year, I would contract with 1 person (maybe 2) for those audits for consistency. Note that I said 1 person. Don't go through a company unless they guarantee (of course unless that auditor quits) you the same auditor every where. I also suggest you understand that if you go through a contract house you will pay twice as much or more than if you contract with an individual. Look for someone who is IRCA registered Lead Auditor or equivalent. I would be happy to put you in touch with a couple of folks who would be interested. Shoot me an e-mail if interested. Or - Check with your local ASQC chapter. Most cities have an auditor consortium / pool. Regards, Marc T. Smith ---------------snippo------------- --> From: Tom Moore Let your registrar ensure you systems are ISO compliant. I cannot for the life of me understand why so many companies want their internal auditors to be ISO experts. Is it in their job description? There is no requirement for #2 above. None what so ever. Once your systems are compliant as confirmed by a successful ISO registration, the only 'check for ISO compliance' that has to be made is when ISO systems are changed, such as a level 2 procedure. Unless a major system is changed there should be absolutely no need to continually check for ISO compliance. No change is no change! I am not sure why there is this big push to make Internal Auditors ISO (or QS) experts, but (bluntly) I think it's just plain stupid. You might also want to check my recent response to: I think this 'Internal Auditing' thing is getting totally out of hand. Regards, Marc T. Smith --------snippo-------- --> From: Brian Charles Kohn --> A third-party registrar conducts only very superficial assessments Ummm, wow. Let me know which third party registrar conducts only superficial assessments. I deal with a lot of them from time to time - UL, TUV, LRQA, AGA (formerly), Entela, to name a few. Every one of them goes right to the meat - where 'the rubber meets the road' so to speak. The closest they ever come to a 'superficial' assessment is the original document review prior to pre-assessment. Regards, Marc T. Smith --------snippo-------- --> From: Dennis Arter Sorry Dennis, I'm afraid your statement/advice is incorrect. You are helping to build on a myth that internal audfitors should be ISO experts. --> Perhaps you forgot about the *majority* of firms who use the ISO I simply do not believe there is a legion of companies out there going through compliance without registering. Not likely at all. --> Perhaps you also forgot that there are two Compliance (I'm assuming you mean compliance to ISO9000 - you don't state which) should be the province of your registrars, management rep or other qualified person - NOT your internal auditors. Why does everyone want to make internal auditing an adventure of ISO9000 interpretation? Why in the world do folks foster this myth that you need a croud of people (a gagle of internal auditors) checking for ISO9001 compliance? Compliance Audits: --> While the first part of your reply is correct (auditors, internal Please explain what you are saying here. The second part? Gary wrote: --> >An internal auditor should be checking compliance with the What second part? --> A truly helpful internal auditor checks compliance with several --> corporate standards, the local manual requirements, the shop And sometimes the companies are only 10 to 14 people. Or a few hundred. You confuse behemouths like Motorola with the reality that most companies do not have corporate - they are the company. They do not have layers and layers of inter-related documentation and inter-related corporate and site dependent requirements. You can go right from the quality manual to the tier 2 to the WI to the supporting records in short order. I suggest to you smaller companies are the real world. Huge multinationals have quite different needs than those of main stream businesses. Again, I believe you are propagating the myth that internal auditors need to know more than they really do need to know and that they need to do more than they need to do. You say "...a really helpful internal auditor will...". Let's get it real. Your description is one of a professional internal auditor. In real life internal auditors hardly have the time to get their jobs done not to mention to do an internal audit. --> I could go on and on about management audits. (But I won't - smile.) --> There is absolutely no requirement that internal auditors be trained against ISO9000 unless your company decides they want the internal auditors to also check for ISO9000 compliance - which is silly. No fundamental rule broken - This just does not jive with your belief (definition) that internal auditors should be competent to verify compliance with ISO9000. --> a) Auditors are not allowed to interpret. Sure, they do it all the --> folks a favor by offering this interpretation. They have just I sure don't understand what you are trying to say. They can interpret whether a form is being filled out. They can interpret whether a record is being filed. They can interpret whether documented (and undocumented, such as 'trained' systems/procedures) are being followed. All that they cannot interpret is whether the systems are ISO compliant. Internal auditors only have to see if something is being done as documented. Not many gray areas. Not much to interpret. Unless you expect them to interpret compliance to ISO requirements - which should not be their job. --> the problem. If the manuals, procedures, and work instructions are If vagueness, fuzziness or clarity was not addressed when the documents were authored there is a fundamental problem to begin with which should not be in the scope of the internal auditors duties to decide. I have serious problems with an expectation of an internal auditor going out and setting an agenda of defining the clarity / vagueness / fuzziness of documented systems. IMHO you are way off track here blinded to the real world by your experience and profession. --> b) The client (audit boss) has not qualified his or her staff. Or --> of auditors. Two very fundamental qualification requirements address --> a) technical knowledge of the processes, and b) understanding of the --> way audits are performed. If I train my internal auditors how to prepare for and carry out an audit and they are knowledgable of the system / process they are auditing, that's all I need. I'm trying to get my product processed and get business done. Elevating internal auditing to such a high level is silly. The extreme is where (as in some very large multi-nationals) there is a dedicated audit staff. Motorola has what amounts to an audit department to validate QSR compliance at facilities world wide. But let's say my company is only 250 people. I'm not sure I can go that route with any economic sense. All I am trying to do is verify (pre-audit prep - check intra-document consistency - then derive check list) and then validate (show me the evidence you're doing this) my internal documentation / system. --> >Compliance with ISO is the responsibility of the third party I thought we were talking about internal audits, not 'conformity' assessments. Also, see conformity definitions above. --> I hope my words don't offend -- they are not intended that way. Same here. I see things much differently. --> fear you have been exposed to some very bad advice on auditing Dennis, I totally disagree. Gary wrote: --> >An internal auditor should be checking compliance with the And he is correct. This is not bad advice on internal auditing in the real world. Internal auditors should not be used for 'conformance' audits where by conformance you mean conformance to ISO9000. They should be verifying and validating documented (and some undocumented / trained) company procedures (systems). --> and even the way the ISO 9001 or 9002 standards should be Regards, Marc T. Smith
IP: Logged | |
|
Marc Smith Cheech Wizard Posts: 4119 |
To add to this, a fella just called (yes - 7:30 am on sunday). He's a line supervisor at a large multi-national. He went to a 'QS Internal Auditing course. Basically the gist was he couldn't pick up all the QS interpretations so he felt he did poorly on the course. Folks - The AIAG, Plexus (I suspect) and some others will make plenty of money on this 'certified QS Internal' Auditor bull. So - here we are wanting companies to train a bunch of people to interpret QS9000 compliance. Hell - the auditors working for registrars and consultants like me have enough problems interpreting it. Now they want line supervisors to 'understand' and interpret QS9000. What a joke. And an expensive joke. I stripped out any identifying specifics as the e-mail was sent in confidence, however someone recently wrote me saying: --> To put this in perspective, I'm no rookie. You and I discussed a Let me see here - he and I make our living interpreting QS9000. And the AIAG and the other automotive folks want line supervisors to understand and interpret QS9000. A cruel, expensive joke. ----------- I want to take a minute to thank Warren Norid, Steve Walsh and Dan Reid for providing me with new (and increasingly unintelligible) material (the QS 3rd edition) to keep me (and many, many others) consistently employed. Everyone who buys a car is putting at least a few cents into my pocket. As long as they continue to keep QS9000 as vague and next to impossible to interpret as they have to this point, my financial future is assured. I'm sorry they're pushing for certified internal auditors, but I do understand it. They want the money for the training and certification. The side effect is that companies will have to add 'internal audits' to documented job descriptions. And they will have to add the understanding of QS9000 as a required job skill. Considering the trouble registrars are having interpreting QS, I'm sure we'll get some interesting interpretations from all these extra auditors whose jobs are (really) assembly, supervision, etc., etc. Maybe next they can certify management reps. And then maybe cal lab managers. Then cal lab techs. Then maybe purchasing managers. Then maybe materials managers. Wow! We can have everyone certified to something and the AIAG and related folks (with kickbacks to Warren Norid, Steve Walsh and Dan Reid in one way or another - like the Plexus sweetheart deal provided them) can clean up on training and certification fees. How about a certified plant manager? Or a certified HR specialist? And why stop there? How about a certified receptionist? Geezzzzzeeeeee..... [This message has been edited by Marc Smith (edited 02-07-99).] IP: Logged | |
|
Don Winton Forum Contributor Posts: 498 |
Marc, My response may be sorta long. First, I hope the responses you submitted here you also sent to the listserve. Those, for the most part, need it. The responses I have seen, in addition to the ones you posted, need some realism.
quote: In this case described, contract audits is probably the most effective.
quote: I have experienced virtually the same thing. Under the assumption that internal audits are a perpetual thing (they are) then contracting may be the preferred method.
quote: I know you probably saw it, but if not, see Scalies post.
quote: I could not agree more with Marcâs response to this.
quote: Agreed, See above.
quote: Marc, this may not necessarily be true. With the advent of FDA, Telecom and aerospace so-called ãequivalents,ä some may be compliant and not considering registration. But, that would not be a wise move on their part.
quote: Perhaps the FDA and QS bug has struck. Perhaps not.
quote: This goes to your ãappropriateä and ãintentä statement. Their is no requirement anywhere, other than the proposed RBA stuff, that internal auditors be ISO experts or anything else of the ilk(sp).
quote: Agreed. Well said, Marc. I particularly dislike ã...a really helpful internal auditor will...". An effective internal auditor will observe and report. It is managementâs responsibility to implement corrective action based on these reports.
quote: Agreed and, again, well said. OK, enough for now. Marc, all of your replies are well stated and well said. The so-called ISO pundits would do well to observe your sage advice. One last thing:
quote: Reiterated from this end. Regards, [This message has been edited by Don Winton (edited 02-07-99).] IP: Logged | |
|
Roger Eastin Forum Wizard Posts: 345 |
This is a great discussion on internal auditing! Wow, there is a lot of confusion on this topic...almost scary. I mean the standard seems pretty clear that the internal auditor is to check for effectiveness of the quality system. This does not seem to say anything about checking for compliance. I know that a check for compliance needs to be done, but that belongs to another function other than internal auditing. Thanks for the snippos. We all learn a lot from them. IP: Logged | |
|
Marc Smith Cheech Wizard Posts: 4119 |
Also see Andy Bassett Forum Contributor Posts: 274 |
I go along with everything you say. If you have a company that is fully ISO motivated, well supported from management, with large training budgets and employees with time on their hands, Yes! Why not train them all to the 'N' th degree in ISO and let them crawl all over the company and check it for ISO compliance. If however you have a real-life company with employees that are busy doing their own job, then i suggest at the most they spend some time to make sure that their processes AND THE LINKS BETWEEN THEM OR THE DEPTS are in good condition. Auditing for ISO compliance should belong to a full-time ISO trained employee. or better still an external person. I favour the external person becuase you are likley to get someone who has a good cross-section of experience across the industry. In short i have met very few SME's that can do Internal Auditing themselves well. Regards ------------------ IP: Logged |
All times are Eastern Standard Time (USA) | next newest topic | next oldest topic |
![]() |
Hop to: |
Your Input Into These Forums Is Appreciated! Thanks!
