The Elsmar Cove Business Standards Discussion Forums More Free Files Forum Discussion Thread Post Attachments Listing Elsmar Cove Discussion Forums Main Page
Welcome to what was The Original Cayman Cove Forums!
This thread is carried over and continued in the Current Elsmar Cove Forums

Search the Elsmar Cove!

Wooden Line
This is a "Frozen" Legacy Forum.
Most links on this page do NOT work.
Discussions since 2001 are HERE

Owl Line
The New Elsmar Cove Forums   The New Elsmar Cove Forums
  Auditing
  Can someone explain why?

Post New Topic  Post A Reply
profile | register | preferences | faq | search

UBBFriend: Email This Page to Someone! next newest topic | next oldest topic
Author Topic:   Can someone explain why?
W. Kindel
Lurker (<10 Posts)

Posts: 9
From:Arvada, Colorado, USA
Registered: Aug 2000

posted 02 November 2000 11:39 AM     Click Here to See the Profile for W. Kindel   Click Here to Email W. Kindel     Edit/Delete Message   Reply w/Quote
Hello, one and all,

I have a question about auditing (ISO and QS9000) that I so far haven't been able to get a good answer to, so I'm hoping one of you'se folks in the auditing field can help me out.

Why is it that a small company (we have a total of 18 people, including management) needs to perform its own internal quality system audit, when we've already hired a registrar to come in and do the same thing?

Since registering to ISO & QS9000 is in internal business decision, with the audit hired, paid for, and reported to top management, it seems to me that the registrar's work already qualifies as an internal audit. Why do it again? More work for auditors?

Many thanks,

W. Kindel

IP: Logged

Kevin Mader
Forum Wizard

Posts: 575
From:Seymour, CT USA
Registered: Nov 98

posted 02 November 2000 12:24 PM     Click Here to See the Profile for Kevin Mader   Click Here to Email Kevin Mader     Edit/Delete Message   Reply w/Quote
Simply put: an internal audit (first party audit)is not the same as a third party audit (an external audit performed by a Registrar).

Every Audit is comprised of three players. Sometimes a player plays two roles.

The Players:

Auditor
Auditee
Client

An Auditor may be either Internal (a member of the organization)or External (not part of the immediate organization, generally a second or third party organization).

The Auditee is the person who is the ricipient of the audit. The Auditee may also be the Client.

The Client is the requester of the audit. The client may request the audit to be performed on themselves, and thus become both the Auditee and Client.

In some companies, the Internal Quality Auditing is sometimes sourced to a consultant, who on behalf of the organization, checks the System. There is debate on whether this is in keeping with the intent of the standard, but I have asked several auditors for a few Registrars and so far, none have found this to be an issue. To decide for yourself, please review past threads in this forum which address this at greater length (much greater!).

Trying to use your Third Party Audit as a First Party Audit is in conflict. The standard is looking for those intimate with the business details to independently and objectively review the Quality Program and System. Third Party folks understand the standard very well. But they couldn't possibly understand your System as well as those working in it (hopefully this is the case).

Regards,

Kevin

IP: Logged

Dave Davis
Lurker (<10 Posts)

Posts: 7
From:San Juan Capistrano, CA
Registered: Nov 2000

posted 02 November 2000 04:49 PM     Click Here to See the Profile for Dave Davis   Click Here to Email Dave Davis     Edit/Delete Message   Reply w/Quote
One main consideration is that personnel within an organisation are more likly to devulge information to internal auditors rather than external ones. The employees are more open and understand that this information is used to help the company meet its quality policy or objectives (they're supossed to anyway)... in other words - they don't hide stuff!

IP: Logged

W. Kindel
Lurker (<10 Posts)

Posts: 9
From:Arvada, Colorado, USA
Registered: Aug 2000

posted 03 November 2000 10:36 AM     Click Here to See the Profile for W. Kindel   Click Here to Email W. Kindel     Edit/Delete Message   Reply w/Quote
Thanks to you both for taking the time and trouble to try to explain all this to me. I don't know, though, whether middle-age has wrapped its flatulent grip around my brainstem, or if I learned just enough business law in college to be dangerous, but I'm still not seeing what the problem is with letting the registrar's audit serve as the basic ISO9000 Internal Audit.

The semantics of quality may be part of my problem, for in business law, the question of whether a function is "Internal" or "External" is easily answered: Who signed the check? If we, the supplier, requested the audit, hired the auditor, paid the auditor's invoice, and received the auditor's report, then the audit was "internal", no matter whether the legwork was done by first-party, second-party, or third-party auditors. Likewise, if a customer or other outside entity requests the audit, pays for the auditor's services (either using their own staff, our people, or a consulting service), and receives the final report, the audit is "external".

If you flip open your ISO or QS9000 manual to Element 4.17, you'll find this section on Internal Quality Audits to be quite short and sweet, with no mention of "first-party", "third-party", or any other party. And if you open your "ISO Standards Compendium" to ISO 10011-1, Section 4.1, you'll see where it says that "Audits are normally designed for ONE OR MORE of the following purposes:", followed by a list of audit types which includes conformity of the system with specified requirements, AND to permit the listing of the organization's quality system in a register. And to top it off, Note 13 states that "Quality audits should not lead to an increase in the scope of quality functions over and above those necessary to meet quality objectives." This all says to me that it's permissible, even encouraged, to have the registering auditor's system audit serve for the internal audit as well.

Many thanks for your thoughts on this!

W. Kindel

IP: Logged

Sam
Forum Contributor

Posts: 244
From:
Registered: Sep 1999

posted 03 November 2000 11:24 AM     Click Here to See the Profile for Sam   Click Here to Email Sam     Edit/Delete Message   Reply w/Quote
W. Kindel,
Your logic or as you infer, lawyerism, makes sense to me, however, the group that you have to convince is your registration body. Without their buy-in you will be required to perform internal audits IAW 4.17. (QS9000)

IP: Logged

Jim Biz
Forum Wizard

Posts: 275
From:ILLINOIS
Registered: Mar 2000

posted 03 November 2000 11:33 AM     Click Here to See the Profile for Jim Biz   Click Here to Email Jim Biz     Edit/Delete Message   Reply w/Quote
Would this help?

1) External audits by Registrations folks basically is a broad based view giving us confidence that our procedures
A)are actually implemented, authorized controlled etc.
B) match/satisfy the requirement needs of written standards?

2) Internal based audits "now that we know" the procedures are handeled properly and satisfy the standards. As a "CLOSER LOOK" Give us confidence that
A) Yes we are doing/matching all tasks we said we would.
B)What we have decided to do (In all detailed documents) is in fact working IE Effective) for our needs.

Regards
Jim

IP: Logged

Kevin Mader
Forum Wizard

Posts: 575
From:Seymour, CT USA
Registered: Nov 98

posted 05 November 2000 07:44 PM     Click Here to See the Profile for Kevin Mader   Click Here to Email Kevin Mader     Edit/Delete Message   Reply w/Quote
4.17 Internal Quality Audits

The suggestion of the audit type is in the title of the element.

An annual or semi-annual third party audit is probably not be enough to ensure continued suitability of the Quality Program or compliance to it by the organization. As such, it is necessary to schedule internal Quality Audits to help ensure a healthy, functioning Quality System. It is but one of the many Check tools.

Regards,

Kevin

IP: Logged

W. Kindel
Lurker (<10 Posts)

Posts: 9
From:Arvada, Colorado, USA
Registered: Aug 2000

posted 06 November 2000 10:13 AM     Click Here to See the Profile for W. Kindel   Click Here to Email W. Kindel     Edit/Delete Message   Reply w/Quote
Thanks for everyone's feedback on this!

Are there any genuine card-carrying ISO- or QS-9000 auditors out there who can explain why the auditors I've suggested this to find the idea so ridiculous? It always seemed like it made good sense to use the registrar's audit as the cornerstone of the Interal Audit program, as though that's what the authors of 4.17 had in mind from the start. (Then a company would only have to do their own if they wanted to be fully compliant, but weren't seeking registration through a registrar.) Top it off with some focused audits of functions unique to the company, and you've got it done without waste or redundancy.

Thanks again for the feedback!

W. Kindel

IP: Logged

Marc Smith
Cheech Wizard

Posts: 4119
From:West Chester, OH, USA
Registered:

posted 06 November 2000 03:27 PM     Click Here to See the Profile for Marc Smith   Click Here to Email Marc Smith     Edit/Delete Message   Reply w/Quote
The bottom line is the intent of each is different. My smaller clients just hire out their internal audits.

IP: Logged

AJPaton
Forum Contributor

Posts: 73
From:Fayetteville, NC USA
Registered: Apr 2000

posted 07 November 2000 08:31 AM     Click Here to See the Profile for AJPaton   Click Here to Email AJPaton     Edit/Delete Message   Reply w/Quote
quote:
Originally posted by W. Kindel:
If we, the supplier, requested the audit, hired the auditor, paid the auditor's invoice, and received the auditor's report, then the audit was "internal", no matter whether the legwork was done by first-party, second-party, or third-party auditors. Likewise, if a customer or other outside entity requests the audit, pays for the auditor's services (either using their own staff, our people, or a consulting service), and receives the final report, the audit is "external".

I think you've got a small problem in this thinking due to who gets the "final report" in the registrar's audit.

You do not.

You get a copy of the report of what is found in the audit, but the original will remain with the registrar. What you're paying for is not an audit, but a shot at registration/continuing registration.

You get the same thing with regulatory bodies such as UL. They'll send folks in to see if rules are being followed. You're not paying for an audit, but they are auditing.

I know that the consultant as internal auditor/Management Representative has been covered in other posts in this forum, and the consensus seems to be that it's okay if the consultant is considered a "temporary employee".

I don't think any registrar out there is going to consent to it's auditors being considered your "temporary employees".

Just my two cents worth.

AJP

IP: Logged

W. Kindel
Lurker (<10 Posts)

Posts: 9
From:Arvada, Colorado, USA
Registered: Aug 2000

posted 08 November 2000 10:07 AM     Click Here to See the Profile for W. Kindel   Click Here to Email W. Kindel     Edit/Delete Message   Reply w/Quote
Thanks for the two cents' worth - easily worth more than that, for certain!

The question of what you're specifically buying from a registrar no doubt varies from one registration firm to the next, but in our case, we're buying audit services, sold to us in units of "auditor-days" required to perform the audit. In addition, the registrar is careful to be sure that we understand that the registration certificates haven't been sold to us, but remain the property of the registrar, presumably so that he can legally take them back if we don't keep our quality system together properly.

Since he's selling us audit services, why not let them do "double duty", and serve as the portion of our internal audit program that verifies our continuing conformance to ISO- and QS-9000? We're a small outfit, and try to always get the most "bang for the buck" that we can!

W. Kindel

IP: Logged

Jim Biz
Forum Wizard

Posts: 275
From:ILLINOIS
Registered: Mar 2000

posted 10 November 2000 11:14 AM     Click Here to See the Profile for Jim Biz   Click Here to Email Jim Biz     Edit/Delete Message   Reply w/Quote
IMHO - Can't say I totally disagree with your thoughts but how it works here is that our upkeep surveliance audits simply do not cover our "total system". They come in and focus on 4 or 5 elements each visit and do not begin to address the remaining 15-16 elements - which Is what I believe to be the normal mode of surveilance auditing.

I'm sure that there might be some registration firms willing to preform "double duty" for you - If you were willing to pay for the double service" - increase the visit time to a minimum of 6-8 mandays per year - tell them you want them to audit the entire system according to your internal procedures each visit -- and go the "Double cost" + travel/meals/housing/car rental/pencils/paper/ postage /long distance phone charges / laundry cleaning /shoe shines etc. etc.

We get the "bigger bang for the buck" - by relying on our own internal folks doing audits without the need for paying XXX.XX per hour for hired in auditors

Regards
Jim

[This message has been edited by Jim Biz (edited 10 November 2000).]

IP: Logged

W. Kindel
Lurker (<10 Posts)

Posts: 9
From:Arvada, Colorado, USA
Registered: Aug 2000

posted 13 November 2000 04:09 PM     Click Here to See the Profile for W. Kindel   Click Here to Email W. Kindel     Edit/Delete Message   Reply w/Quote
I appreciate everyone's observations, comments and input on this topic - if nothing else, it makes for some lively Forum chit-chat! What pleases me most, though, is the fact that no one was able to pull up a paragraph from any of the ISO- or QS-9000 official literature which specifically forbids using the registrar's work as part of the internal audit program. And it is, after all, what's contained in the official standard that really counts, not the opinions of auditors, registrars, consultants, etc.

Many thanks for your suggestions and ideas - most appreciated!

W. Kindel

IP: Logged

John C
Forum Contributor

Posts: 134
From:Cork City, Ireland
Registered: Nov 98

posted 21 November 2000 10:07 AM     Click Here to See the Profile for John C   Click Here to Email John C     Edit/Delete Message   Reply w/Quote
W. Kindel,

You asked; ĪWhy is it that a company needs to perform its own internal quality system audit, when we've already hired a registrar to come in and do the same thing?ā

Well, the fact is, you havenāt hired a registrar to come in and do the same thing. All you have done is asked a registrar to come in and do his own thing, whatever that is. I donāt know the registrarās plan and objectives and I doubt whether you do. All we know is that, when it is over, he will registrar or refuse to registrar, based on his own rules. We have some knowledge of what he wonāt do, though;
We expect that the decision will bear some relationship to our compliance with ISO 9001/2 although it will not guarantee full compliance, even at the time of the audit. What we do know, for sure, is that it will not have been run according to our established and maintained documented procedures for planning and implementing internal audit and that, in this, it fails to meet the requirements of ISO 9001/2. Other requirements it normally fails to meet are our need to; identify the responsibilities of persons who will carry out the internal audit; provide the necessary resources including personnel and be responsible to ensure they have adequate training; initiate the audits according to our own audit schedule, etc. We will also have to audit the internal audit function with independent auditors, ie, auditors not from the registrar. Finally, we will have to review the implementation and effectiveness and take corrective action as necessary, through management review, getting committment from the registrar to put right any failures in his conformance with our procedures and objectives. We will have to record these failures, report them to his management and follow up on corrective action within his process.***

I donāt see any reason, within ISO 9001/2 why you canāt go ahead and do this, given that you get the agreement of your registrar, of course. (this might not be easy and I wouldnāt be surprised if the fee went up by about 1000%, or 10,000% when the registrar saw what you were expecting to do to him)

Itās not looking so good so far, is it? But thereās more, though it's pretty mundane stuff; No doubt there is another set of requirements relating to what registrars can and can not do, which will scupper your plan completely. Iāve never looked at these requirements but I would be very surprised if there isnāt an Īindependanceā clause in the rules handed down to them, just as there is in our clause 4.17, which will say that the people doing the work cannot make the call on whether the work is in compliance, ie; the registrar cannot award registration to his own organisation or to any organisation to which that registrar is answerable. I canāt say for certain that this is the case but if you do want an authoritive answer then you should ask your registrar and see what they say.

Thanks for the question - it's an interesting one. More interesting than at first glance when you think about the implications of the requirements it imposes on contracted auditors (see my *** above) and the can of worms this could open. I never thought about this before and I doubt if many people have. Being a contracted internal auditor myself, I prefer to say no more for the present. Keep the lid on the can.
rgds, John C

[This message has been edited by John C (edited 21 November 2000).]

IP: Logged

Marilyn
unregistered
posted 22 November 2000 01:48 PM           Edit/Delete Message   Reply w/Quote
Hello everyone:

I highly recommend reading The Quality Audit Handbook, Second Ed. ASQ Quality Audit Division.

In addition to being a requirement (our third party registrar would not conduct the registration audit until one cycle of internal audits had been completed) here are some of the benefits:

1) Internal audits uncover opportunities for improvement before a third party audit.

2) An audit is an ideal time to identify training needs.

Why not find problems yourself before the third party audit and fix them? Unless you want nonconformances during the audit.

I have been the administrator of the internal audit program where I work for almost 5 years and this is based on past experience.


Internal auditors

IP: Logged

ISO GUY
Forum Contributor

Posts: 81
From:Rochester, NY
Registered: Jan 2000

posted 01 February 2001 12:59 PM     Click Here to See the Profile for ISO GUY   Click Here to Email ISO GUY     Edit/Delete Message   Reply w/Quote
quote:
Originally posted by W. Kindel:
Hello, one and all,

I have a question about auditing (ISO and QS9000) that I so far haven't been able to get a good answer to, so I'm hoping one of you'se folks in the auditing field can help me out.

Why is it that a small company (we have a total of 18 people, including management) needs to perform its own internal quality system audit, when we've already hired a registrar to come in and do the same thing?

Since registering to ISO & QS9000 is in internal business decision, with the audit hired, paid for, and reported to top management, it seems to me that the registrar's work already qualifies as an internal audit. Why do it again? More work for auditors?

Many thanks,

W. Kindel


Why do it again? Well lets see, if you are having you registrar come back more frequently when you have nonconformances or complaints occur, then I would say you are safe (unless of course your company receives no complaints and there are never any non-conformances). Internal audits from my understanding are "to be scheduled on the basis of status and importance", so as non-conformance's or complaints from customers increase, I would have to say your internal audits of that area should increase also. Sounds logical to me.

Let me ask you a question do you audit your suppliers?

IP: Logged

W. Kindel
Lurker (<10 Posts)

Posts: 9
From:Arvada, Colorado, USA
Registered: Aug 2000

posted 01 February 2001 02:30 PM     Click Here to See the Profile for W. Kindel   Click Here to Email W. Kindel     Edit/Delete Message   Reply w/Quote
Hello again!

While we don't audit our suppliers, we do examine everything they send to us via a documented Incoming Materials Inspection.

And while we don't call our registrar to return for more frequent ISO system audits if a customer has a problem, we do perform a number of additional internal audits of our manufacturing and business functions at intervals chosen by management, and which may be done more frequently if circumstances suggest would be the wise thing to do.

What I'm questioning is the apparent need for us to go through all twenty chapters of ISO ourselves, only to have our registrar come out and do the same thing again. (And yes, if our registrar spots a nonconformance in the system, he does return to verify that it has been fixed.) While I can appreciate that many good, sound reasons for extra auditing can be put forth, I'm just not seeing the requirement for it anywhere in the standard.

Thanks for your thoughts and opinions!

IP: Logged

awk
Forum Contributor

Posts: 19
From:Ontario, Canada
Registered: Sep 2000

posted 04 February 2001 09:56 AM     Click Here to See the Profile for awk   Click Here to Email awk     Edit/Delete Message   Reply w/Quote

Here is a test. Do not complete an internal audit. Have the registrar of your choice come in and complete their audit. Even at the doc audit they will ask whether an audit and a management review have been conducted. If you answer no this is a major nonconformance. At this point it is merely on paper. This is stipulated in their guidelines that they answer to.

If by the time you get to your final audit, either the auditors will call off the audit or they will complete it and you still receive a major. Part of their criteria is that they audit your results and objective evidence.

If you cannot provide this evidence you're through. This isn't very cost effective for any company, since the registrars will not provide a refund.

awk

IP: Logged

W. Kindel
Lurker (<10 Posts)

Posts: 9
From:Arvada, Colorado, USA
Registered: Aug 2000

posted 06 February 2001 10:52 AM     Click Here to See the Profile for W. Kindel   Click Here to Email W. Kindel     Edit/Delete Message   Reply w/Quote
Yes, you are quite correct - if I do as you describe, I will most certainly get written up for a Major nonconformity. But my question is "Why?"

Our registrar returns at six-month intervals (checking approximately half of the elements with each visit), and we could certainly show him his past work, as evidence of an ongoing internal ISO9000 system audit program.

And if you flop your big blue ISO Compendium book open to ISO10011-1:1990 section 4.1, you'll see that audits can be performed for one OR MORE of the purposes therein described, which include not only conformance to the standard, but also for the listing of the organization in a register.

That's why I opened this particular Forum topic for discussion - it just seems that a small organization should be able to get "double duty" out of the registrar's work, which would be more efficient that having to do the whole thing twice every year.

Thanks for your observations and ideas!

IP: Logged

SteelMaiden
Forum Contributor

Posts: 28
From:NC, USA
Registered: Jan 2001

posted 06 February 2001 02:37 PM     Click Here to See the Profile for SteelMaiden     Edit/Delete Message   Reply w/Quote
Why?

Because the registrar is there to assess your company's conformance to the standard. An internal auditor is there to assess your company's conformance to to your quality management system, your quality policy, your way of doing business etc., etc.

Do your hire temps in your business? They do work at your place of business, and money goes from your company to their wallet. BUT, you are actually paying a temp agency to furnish you with suitable help. (see the comparison? You pay the "Registrar" the pay the auditor.) You don't have to pay that temp the same benifits as a full time employee because they are not actually employed by you. So it goes with the registrar's auditors. Even though you are paying for an audit, those auditors do not work for you, therefore you cannot consider their work as an internal audit.

Does that make sense? Don't fall into the trap of thinking just because you paid for it, their agenda is the same as yours should be.

IP: Logged

Jon Shaver
Forum Contributor

Posts: 38
From:Edgemont, PA, USA
Registered:

posted 17 February 2001 08:20 AM     Click Here to See the Profile for Jon Shaver   Click Here to Email Jon Shaver     Edit/Delete Message   Reply w/Quote
I think W. Kindel's point is well taken for a small company (noted above as 18 people).

Registration Audit = conformance
Internal Audit = conformance + effectiveness

But Management Review also includes assessment of effectiveness. So, in a small company using external audit for assessing conformance and expanding the Mgmt Review to include assessment of whether the QMS "conforms to planned arrangements" (i.e. objectives & plans) and is "effectively implemented & maintained" would suffice. Need records.

[This message has been edited by Jon Shaver (edited 17 February 2001).]

IP: Logged

All times are Eastern Standard Time (USA)

next newest topic | next oldest topic

Administrative Options: Close Topic | Archive/Move | Delete Topic
Post New Topic  Post A Reply Hop to:

Contact Us | The Elsmar Cove Home Page

Your Input Into These Forums Is Appreciated! Thanks!


Main Site Search
Y'All Come Back Now, Ya Hear?
Powered by FreeBSD!Made With A Mac!Powered by Apache!