Welcome to what was The Original Cayman Cove Forums!
This thread is carried over and continued in the Current Elsmar Cove Forums

This is a "Frozen" Legacy Forum.
Author Topic:   Outsourcing Internal Audits
Richard K
Forum Contributor

Posts: 11
From:The Pas, MB, Canada
Registered: Jun 99

posted 10 December 1999 05:25 PM
There has been discussion on the mailing lists about outsourcing internal audits, including whether it is permitted by the standard. As far as I can tell, there is nothing in ISO 9001:1994 that prevents outsourcing. However, I have just now managed to look at ISO/CD2 9001:2000, and in 8.2.1.2 it states 'The organization shall carry out objective audits...' My question is, is this wording the same in the DIS, and if so, what exactly does 'carry out' mean? Is hiring a contractor to plan and perform an internal audit 'carrying out' an audit?

Richard

IP: Logged

Marc Smith
Cheech Wizard

Posts: 4119
From:West Chester, OH, USA
Registered:

posted 10 December 1999 11:13 PM
Hello and welcome to the Cove!

You can outsource Internal Audits under the 'proposed' ISO9001:2000.

See https://elsmar.com/ubb/Forum13/HTML/000037.html for a good thread on this topic. I 'glean' from several listservs, so some stuff may be redundant if you're on any of the lists I'm on. Also see https://elsmar.com/ubb/Forum13/HTML/000027.html

As far as 'The organization shall carry out objective audits...' there is nothing telling a company how to do this. This just says the audits shall be done and that the audits shall be objective (the old 'you can't audit yourself'). One argument is that a company can outsource any function and process. If a company hires me to do their internal audits, I am technically a 'temporary' employee.

Carry out means to follow or 'do' your internal audit procedure. As in to 'Carry Out' a plan. It implies acting on.

IP: Logged

Richard K
Forum Contributor

Posts: 11
From:The Pas, MB, Canada
Registered: Jun 99

posted 13 December 1999 11:43 AM
Thanks for the reply, Marc. Your interpretation sounds good to me. It seems though that the new wording might strengthen the case for those who argue otherwise. Are there any registrars that cause difficulties over this point?

Richard

IP: Logged

Marc Smith
Cheech Wizard

Posts: 4119
From:West Chester, OH, USA
Registered:

posted 13 December 1999 11:55 AM
So far I have yet to hear of a registrar which rejected contracted internal audits. To me this is a ghost issue - people talk about it as an issue - but it's not an issue.

What possible reason could a registrar have for telling a company that they cannot outsource internal audits? I don't see the verbiage in any way addressing the issue of contracted internal audits one way or the other.

IP: Logged

Kevin Mader
Forum Wizard

Posts: 575
From:Seymour, CT USA
Registered: Nov 98

posted 13 December 1999 01:16 PM
Marc,

I was wondering myself if the "objective audits" opened the door for performing self audits, objectivity and independence being separate. I was hoping that the new wording actually was as a result of having found objectivity being more important than independence (single person entities having ISO accreditation for example). If this is true, then I will be a happier auditor. What do you think?

Regards,

Kevin

IP: Logged

Marc Smith
Cheech Wizard

Posts: 4119
From:West Chester, OH, USA
Registered:

posted 13 December 1999 01:30 PM
OK - I guess the definitions of objective vs independent is now the issue of discussion.

At this point I will agree that it's possible that objectivity being more important than independence could be the reason, but I doubt there are many 'one person shows' that want to register. I'd love to hear from someone on the committee who could elaborate.

IP: Logged

Kevin Mader
Forum Wizard

Posts: 575
From:Seymour, CT USA
Registered: Nov 98

posted 14 December 1999 08:55 AM
I wonder if I would be stretching the intent on semantics perhaps?

IP: Logged

barb butrym
Forum Contributor

Posts: 637
From:South Central Massachusetts
Registered:

posted 14 December 1999 09:32 AM
Once again the discussion turns to this old topic. Speaking for a few registrars, and from experience as well.....Registrars have no problem with outsourcing the internal audit function, most welcome it. The 'temporary employee' thing of which Marc speaks is a good justification when needed..... the key is in the definition of a 1st party audit.....the client and auditee/auditor have the interest of the company in hand (continuous improvement...if you will)...not that of a second party or independent body. Who pays the bill, who gets the value....etc. Who assigns/gets CA? Who controls the audit? The standard is looking for an independent and objective self-assessment, not clouded with hidden agendas.
The audit trail will tell all....if an objective audit is not performed the trail will ...in most cases...reveal that loud and clear...other times it will be hidden but the experienced auditor will see it anyway.

As to independence.....I think if the audit is clearly objective (as evidenced by the audit trail???) and not totally independent (as we all know it may not always be) there will be room to allow it as the DIS is currently written. Must be a case by case decision, by the registrar's auditor as I personally see it (not reflecting any input from registering bodies to date)

[This message has been edited by barb butrym (edited 14 December 1999).]

IP: Logged

Kevin Mader
Forum Wizard

Posts: 575
From:Seymour, CT USA
Registered: Nov 98

posted 14 December 1999 01:02 PM
Barb,

Have any of your Lead Assessor friends commented on this new wording in 9000:2000?

Regards,

Kevin

IP: Logged

barb butrym
Forum Contributor

Posts: 637
From:South Central Massachusetts
Registered:

posted 15 December 1999 08:51 AM
Kevin...our conversations about the new wording always end up with the intent is the same, the presentation of the requirements has changed.....the shift has gone from the 20 separate elements to tying them together where they really belong... and nothing has gone away (and little added that wasn't already implied)..the shift is to require a system to span the entire company, as well it should....not just stand alone. Anyone already doing the standard as it was really intended (albeit not written) is already pretty well in compliance. The registrars are still mute but off the record have the same opinions.

As to the comments on this particular subject...my LA colleagues agree with me.

[This message has been edited by barb butrym (edited 15 December 1999).]

IP: Logged

Marc Smith
Cheech Wizard

Posts: 4119
From:West Chester, OH, USA
Registered:

posted 18 December 1999 02:09 PM
OK - I admit it - this is mine from a listserve:

-------------snippo---------

From: ISO Standards Discussion
Date: Fri, 17 Dec 1999 11:49:45 -0600
Subject: Re: Internal Auditing Resources /../Kyllo/Russo/Smith

From: Marc Smith

--> C.W. Russ Russo...

I do 'contract' internal audits. To address Russ's issues:

--> From: "C.W. Russ Russo"
-->
--> You might want to reconsider this assumption. The first sentence in
--> element 4.17 requires the supplier to plan and implement the
--> internal audit program. It may be possible to hire an outside
--> auditor to conduct the audits, but the responsibility for the
--> program remains with the supplier.

I have yet to see a client without an audit plan / schedule. However, I see nothing in ISO9001:1994 (or the 'latest' ISO9001:2000) which says a company cannot outsource planning / scheduling as well as the internal audits if the company so chooses.

--> Moreover, I would advise folks considering this route to re-look at
--> Element 4.6, Purchasing, particularly the evaluation of
--> subcontractors based on "any quality assurance requirements." True,
--> ISO 10011 is not a "requirement." However, from my perspective, if a

I advise my clients that there are two issues here: I must be an approved supplier and there has to be defined criteria.

--> company really wants to abide by ISO 10011 they cannot absolve
--> themselves of active management and become a client. Such an
--> approach opens a fairly large can of wiggly worms.

I'm amazed you can say this. Just because a company outsources internal audits doesn't mean that management is trying to absolve itself of active management. If a company hires out design of a product (or prototyping or other SIGNIFICANT part of their product and/or business system) you don't hear people yelling:

"There must be serious problems if the company has to outsource that function. Heck, their management is trying to absolve itself of active management."

In fact, most companies hire out what they do not consider part of their 'core' business, yet is critical to their business. It seems so many people have the OPINION that internal audits must be a part of their core business. Businesses outsource their legal needs every day, as well as financial services, design and many other functions. My question is, what makes internal auditing such a sacred goat that it 'should' not be outsourced while other functions are outsourced every day (ever heard of Make-Buy decisions?)?

It seems that wherever the standard says "The company shall..." some folks immediately read to mean that the function cannot be outsourced. I do not agree with this interpretation at all.

Regards,

Marc T. Smith

IP: Logged

Zainul
Lurker (<10 Posts)

Posts: 1
From:malaysia
Registered: Dec 1999

posted 19 December 1999 07:04 AM
Marc,

You said:

What possible reason could a registrar have for telling a company that they cannot outsource internal audits? I don't see the verbiage in any way addressing the issue of contracted internal audits one way or the other.

--------

I think the question is whether they (external auditors) are more competent than you are in your own industry. Audit techniques and specific technical knowledge goes hand in hand. It is better for internal team to acquire audit techniques and intertwine them with technical knowledge they already have. It takes time and experience. All the more so you have to conduct it yourself.

The other issue that might be raised could be the confidence put on internal audit team. Why are they not capable of conducting the audit themselves that they have to outsource them?

Regards

Zainul

IP: Logged

Marc Smith
Cheech Wizard

Posts: 4119
From:West Chester, OH, USA
Registered:

posted 19 December 1999 09:50 AM
quote:
I think the question is whether they (external auditors) are more competent than you are in your own industry.
I'm not sure the person or persons contracted to do internal audits for a company has to know more than "you are in your own industry". I think this is most important for registration audits. And in some areas it may be more important than others. An example is calibration of 'critical' process monitoring gages / tests - a background in the industry better prepares an auditor to make judgments on whether a gage 'should' be calibrated or not. An example here would be injection molding where hold time, barrel temperature, mold temperature and related parameters are often critical parameters.

quote:
Audit techniques and specific technical knowledge goes hand in hand.
I believe this is true to some degree, however quite a bit depends upon your intent. When I do internal audits for a company I am mainly interested in the very basic 'Are these folks following their defined systems?'. I also look at compliance to the standard, but again here I am not so sure that extensive experience in a specific industry is all that critical.

I will agree that a well run internal audit system is a good idea. But then again, up pops reality. I see most companies founder in trying to maintain a system. I see internal auditors try to interpret the standard and make judgments about whether current systems meet the intent after a Lead Auditor or Internal Auditor course - this scares me because if we who are 'professionals' are arguing these issues (evidence is this series of forums as well as the ISO listserve) after years 'in the business' (7 in my case), I can hardly expect a part time internal auditor to make these interpretations.

I have to come back to what you expect of your internal audits. I believe the paradigm over the last few years has been to evolve into a 'find opportunities for improvement' drive. I believe that QS9000 has had a large part to play in this evolution. Can you state specifically what you expect from your internal audits? If you include finding 'opportunities for improvement', I will suggest that your company has engineers and others whose job function is to be assessing continually for 'opportunities for improvement'. How many of your internal auditors are really qualified to do this? Part of my concern with even contracted auditors telling a company about 'opportunities for improvement' is that I believe it is beyond the scope of what internal audits are about - which should be IMHO 'Are employees following the defined systems', not "This is what you should be doing to improve your processes and business". The internal auditing function is supposed to be part 'consultant' in nature? Not in my opinion. In my opinion, internal audits are not a tool for Continuous Improvement beyond whether folks are following their procedures and such.

When I first started implementations about 8 years ago I was told how the quality manual should be 'a company's own manual'. I quickly learned that while this sounds great, it's mainly bull. The auditors come in and say "You didn't address this, or you didn't address that...in your quality manual..." even when you didn't do that. An example is design. A company doesn't do design, but the company cannot just omit that section - they have to specifically state, at least, "Company X does not do design" in their quality manual. I found that to tailor the text of the standard is the way to go. The 'Make it your own' sure sounded good, but it really made no sense. Your manual is audited against the standard line by line. And I ask here, what specifically does one mean by 'make it your own'? Changing the wording some? The sequence?

I disagree on the validity of expectations and intent of internal audits. I will say that the CD2 draft I have has significantly changed the verbiage from the 1994 version. The old read "...verify whether quality activities and related results comply with planned arrangements and to determine the effectiveness of the quality system..." The CD2 draft reads (8.2.1.2 Internal Audit) "...in order to determine if the quality management system has been effectively implemented and maintained and conforms to this International Standard. In addition, the organization may carry out audits to identify potential opportunities for improvement..." (Personally I can think of much better tools for identifying potential opportunities for improvement than internal audits.)

IMHO the wording of CD2 elevates the Internal Audit well beyond the intent of the last revision and the 1987 original. I also believe by doing this that who can do internal audits is further restricted (and adds up to selling a lot of internal auditing courses). How far should internal auditors go in determining things like 'Opportunities for Improvement'? What background must they now have? An engineering degree? A degree in business? Five years experience as a process engineer or supervisor? Two years internal auditing experience?

A lot of this is sorta like the old "Buy low, sell high." It sounds so simple, but try to put that in practice. So - you have to ask yourself, what do I expect from Internal Audits? I maintain that the Management Rep (or someone with appropriate training and experience) should be deciding if the systems conform to the International Standard, for example - not line personnel and/or managers - unless you actually have that as part of their defined, documented job duties and appropriate training and experience are defined. Take a read of ISO10011-2:1994 sections 4, 5 and 6 (not to mention 7, 8 and 9).

Why does the Internal Auditing question get me so aroused? Because I see the evolution as being more financial (sell more courses) than realistic. I am not convinced that internal auditing is an appropriate tool beyond determining whether folks are doing their jobs by following systems.

While I believe Internal Audits are important, I believe the ROLE of internal audits has evolved to a point which far exceeds what it should be. I believe QS9000 has played a big part in this evolution. And I believe this makes it even more appropriate that knowledgeable professionals perform Internal Audits whether the company hires a professional or out sources them.

quote:
The other issue that might be raised could be the confidence put on internal audit team. Why are they not capable of conducting the audit themselves that they have to out source them?
This is not an issue if you out source - there is no internal audit team. No team to train. No one to 'quit' (I typically see high turnover in Internal Audit team members for a variety of reasons) necessitating more people to find to 'join the team', to train and to gain experience. Out source and there's no more "I know it was scheduled but problems came up in my department so we'll have to postpone the audit" and other excuses leading to a disastrous schedule.

One more failure mode of doing your own internal audits is that they often significantly exacerbate antagonisms between departments and areas within companies. Internal audits become a game.

To me the bottom line is: Doing your own Internal Auditing is rarely cost effective and rarely makes good business sense. I do not believe internal audits are typically an appropriate/significant Continuous Improvement tool - heck, there are a lot of companies that do not even have an effective method of tracking scrap not to mention investigating the reason (root cause or root causes) for the scrap. If I were to be given a company and told to improve it, internal audits would not be the highest thing on my list. I would want process engineers looking at the processes. I would want purchasing to reevaluate their procedures and such. I would want managers to look at staffing, training needs and such.

To address your specific concern: You can easily find a company with an auditor (or more than one auditor) who has the appropriate auditing experience as well as an understanding of the industry and related processes, to perform your audits. If you want internal auditors to go beyond verifying / validating that folks are following their defined systems, call in professionals. If you want objective internal audits, hire a professional from outside the company.

End of rant.

IP: Logged

Marc Smith
Cheech Wizard

Posts: 4119
From:West Chester, OH, USA
Registered:

posted 22 December 1999 06:22 AM
Internal Auditing makes the grade:

See https://elsmar.com/ubb/Forum2/HTML/000123.html

It appears ISO 19011 is in our future!

[This message has been edited by Marc Smith (edited 08 April 2001).]

IP: Logged

All times are Eastern Standard Time (USA)
