posted 08 October 1999 01:28 AM               

From: [email protected]
Subject: RE: Internal Audit Findings and the Registrar /Maroney-Benassi/Naish

Patricia,

My experience with the auditors from the registrar include the following:

1) They check to make sure the audits are adequately documented.

A. Are the forms completed as per the procedure.

B. Does the record include both comforming and non conforming audits.

C. Can you see independence of the auditor from the area being audited.

D. Is there an adequate description of any discrepancies either on the audit form or a corrective action form.

2) They check to see if you are following your schedule or plan within the criteria you set for doing so.

A. If you say you do all sections in a year in all areas of the company can you show you have tracked all sections and all areas.

B. If you say you have to o the audit within a given month are you doing them within a given month.

C. If you say managers are given X notice can you show the managers were notified in advance.

3) Are the audits effective.

A. If they see obvious non conformaces or discrepancies they want to see if the internal audits 1: looked at that area of the company and 2: Did the auditor(s) see what the registrar is seeing. I had one auditor make an observation that the audits were not effective since there were a number of minor non conformances he observed and the audits performed the previous two months for the same areas did not identify the discrepancies.

B. They have asked if the ISO Rep thought there were enough audits being performed to fully evaluate the whole system in some of the larger companies who had only one audit per area in a one year period.

C. If there are checklists used, do the checklists cover all of the specific section(s) of the standard being audited for an area. In other words is the whole system really being evaluated in the audits or are some subsections of the standard or some group(s) of people being omitted that should be audited.

4) Are the auditors trained.

A. Do you have training records.

B. How much training do the auditors get.

C. Does at least part of the training include a review and understanding of the ISO standard.

Hope that helps you.

posted 08 October 1999 01:35 AM               

From: Brian Charles Kohn [email protected]
Subject: RE: Internal Audit Findings and the Registrar/Maroney-Benassi/Kohn

>From: "Maroney-Benassi, Patricia" [email protected]

>ISO 9001:1994 section 4.17 requires procedures for internal audits and sets
>some specifications for the manner in which the audits are conducted and the
>records are used. Once an internal audit process is established and
>functioning, does the registrar generally review the actual audit findings?

Without a doubt. The third-party system is structured to allow only a very superficial audit vis a vis the size of the organization being audited. The reason why the system has integrity is because it is really a cross-check, a cross-check on the conclusions already reached through the internal audit process. The only way I, as a third-party auditor, can say that an organization is compliant, is based on the evidence presented to me by the client in that regard. I only audit them to make sure they're not fabricating internal audit, corrective action, management review and other critical records.

If the internal audit system says there's a problem, then there is a problem. For sure. Now, as a matter of practice, I often didn't cite minor nonconformances when they were apparently properly logged and being expediently worked through the internal audit system. Practically speaking, in the case of minor nonconformances, all that would happen is that the client would work the issue and then I'd have to spend time making sure they did so during my next visit. Since I must sample their internal audit findings for timely and effective corrective action anyway (during each visit), I need to be judicious in citing minor nonconformances of this sort; otherwise I'd be spending an inappropriate amount of surveillance time looking at internal audit and corrective action, and therefore an inadequate amount of time looking at the rest of the system.

Major nonconformances are another story, however. My typical follow-up would be in the short-term; i.e., a special visit within 2-3 months. That cannot nor should not be short-circuited based on any reliance on the client's internal audit and corrective action systems.

>If so, are they reviewing only to establish that the internal audit system
>functions (i.e. trace an observation through corrective action, resolution,
>and tie in to 4.1.3)? Or do they actually use the internal audit findings to
>measure the health of your quality system (i.e. find out what problems we've
>been having)?

It bears repeating: The third-party auditor is reviewing the internal audit system records primarily to see that you have assured that you are indeed in compliance.

- It is *NOT* to see where your problems are so they can focus in on those areas.

- It is not *only* to verify that the internal audit process itself has integrity (although that *is* one intent.)

posted 08 October 1999 01:49 AM               

From: [email protected] (Doug Pfrang)
Subject: RE: Internal Audit Find. and the Reg. /Maroney-Benassi/Pfrang

>From: "Maroney-Benassi, Patricia"
>Subject: Q: Internal Audit Findings and the Registrar /Maroney-Benassi
>
>ISO 9001:1994 section 4.17 requires procedures for internal audits and sets
>some specifications for the manner in which the audits are conducted and the
>records are used. Once an internal audit process is established and
>functioning, does the registrar generally review the actual audit findings?

Yes, the registrar does generally review the actual audit findings. In fact, I know of one that does this as a routine part of every surveillance audit. They begin every surveillance audit with several administrative activities, one of which is a review of the findings of all internal audits performed since the previous surveillance audit.

>If so, are they reviewing only to establish that the internal audit system
>functions (i.e. trace an observation through corrective action, resolution,
>and tie in to 4.1.3)? Or do they actually use the internal audit findings to
>measure the health of your quality system (i.e. find out what problems we've
>been having)?

Yes, the registrars review internal audit findings to establish that the internal audit system functions, and yes, they actually use the internal audit findings to measure the health of the quality system. For example, they will routinely follow-up any audit finding that occurs is in an area which they cover in their surveillance audit. They will also follow-up a random sampling of audit findings during their surveillance audit of the internal audit procedure, to confirm that the corrective action was taken and was effective.

>As a regulatory agency, we generally keep our nose out of a firm's internal
>audit findings so as not to "chill" their quality assurance efforts. We use
>complaint handling to measure the effectiveness of corrective action
>procedures. I was wondering if registrars take this same approach even
>though they have a customer/client relationship with a firm.

Yes, they use this approach as well, but much less often. Since they have access to internal audit findings, they can evaluate the corrective action procedure by simply reviewing the internal audit findings and ensuring that corrective action was taken; therefore, they do not need to rely on the other inputs to the corrective action procedure -- such as complaint handling -- to evaluate the corrective action procedure. Nevertheless, since complaint handling is another input to the corrective action procedure, they will occasionally confirm that it is also functioning, but only when the surveillance audit specifically covers the corrective action procedure.

posted 08 October 1999 07:29 AM               

phyllis is right on....exactly what we look for.

posted 21 October 1999 03:42 PM               

If my internal audit system has cited a finding and if other findings and corrective actions have been effective and timely, my registrar has not cited.

If, however, an area was recently audited internally and a finding was not noted (even recognizing it might not have been there at the time), the registrar will write, and rightfully so.