posted 02 November 2000 11:39 AM               

I have a question about auditing (ISO and QS9000) that I so far haven't been able to get a good answer to, so I'm hoping one of you'se folks in the auditing field can help me out.

Why is it that a small company (we have a total of 18 people, including management) needs to perform its own internal quality system audit, when we've already hired a registrar to come in and do the same thing?

Since registering to ISO & QS9000 is in internal business decision, with the audit hired, paid for, and reported to top management, it seems to me that the registrar's work already qualifies as an internal audit. Why do it again? More work for auditors?

Many thanks,

posted 02 November 2000 12:24 PM               

Every Audit is comprised of three players. Sometimes a player plays two roles.

The Players:

Auditor
Auditee
Client

An Auditor may be either Internal (a member of the organization)or External (not part of the immediate organization, generally a second or third party organization).

The Auditee is the person who is the ricipient of the audit. The Auditee may also be the Client.

The Client is the requester of the audit. The client may request the audit to be performed on themselves, and thus become both the Auditee and Client.

In some companies, the Internal Quality Auditing is sometimes sourced to a consultant, who on behalf of the organization, checks the System. There is debate on whether this is in keeping with the intent of the standard, but I have asked several auditors for a few Registrars and so far, none have found this to be an issue. To decide for yourself, please review past threads in this forum which address this at greater length (much greater!).

Trying to use your Third Party Audit as a First Party Audit is in conflict. The standard is looking for those intimate with the business details to independently and objectively review the Quality Program and System. Third Party folks understand the standard very well. But they couldn't possibly understand your System as well as those working in it (hopefully this is the case).

Regards,

posted 03 November 2000 10:36 AM               

The semantics of quality may be part of my problem, for in business law, the question of whether a function is "Internal" or "External" is easily answered: Who signed the check? If we, the supplier, requested the audit, hired the auditor, paid the auditor's invoice, and received the auditor's report, then the audit was "internal", no matter whether the legwork was done by first-party, second-party, or third-party auditors. Likewise, if a customer or other outside entity requests the audit, pays for the auditor's services (either using their own staff, our people, or a consulting service), and receives the final report, the audit is "external".

If you flip open your ISO or QS9000 manual to Element 4.17, you'll find this section on Internal Quality Audits to be quite short and sweet, with no mention of "first-party", "third-party", or any other party. And if you open your "ISO Standards Compendium" to ISO 10011-1, Section 4.1, you'll see where it says that "Audits are normally designed for ONE OR MORE of the following purposes:", followed by a list of audit types which includes conformity of the system with specified requirements, AND to permit the listing of the organization's quality system in a register. And to top it off, Note 13 states that "Quality audits should not lead to an increase in the scope of quality functions over and above those necessary to meet quality objectives." This all says to me that it's permissible, even encouraged, to have the registering auditor's system audit serve for the internal audit as well.

Many thanks for your thoughts on this!

posted 03 November 2000 11:33 AM               

1) External audits by Registrations folks basically is a broad based view giving us confidence that our procedures
A)are actually implemented, authorized controlled etc.
B) match/satisfy the requirement needs of written standards?

2) Internal based audits "now that we know" the procedures are handeled properly and satisfy the standards. As a "CLOSER LOOK" Give us confidence that
A) Yes we are doing/matching all tasks we said we would.
B)What we have decided to do (In all detailed documents) is in fact working IE Effective) for our needs.

posted 05 November 2000 07:44 PM               

The suggestion of the audit type is in the title of the element.

An annual or semi-annual third party audit is probably not be enough to ensure continued suitability of the Quality Program or compliance to it by the organization. As such, it is necessary to schedule internal Quality Audits to help ensure a healthy, functioning Quality System. It is but one of the many Check tools.

Regards,

posted 06 November 2000 10:13 AM               

Are there any genuine card-carrying ISO- or QS-9000 auditors out there who can explain why the auditors I've suggested this to find the idea so ridiculous? It always seemed like it made good sense to use the registrar's audit as the cornerstone of the Interal Audit program, as though that's what the authors of 4.17 had in mind from the start. (Then a company would only have to do their own if they wanted to be fully compliant, but weren't seeking registration through a registrar.) Top it off with some focused audits of functions unique to the company, and you've got it done without waste or redundancy.

Thanks again for the feedback!

posted 07 November 2000 08:31 AM               

quote:

---

Originally posted by W. Kindel:
If we, the supplier, requested the audit, hired the auditor, paid the auditor's invoice, and received the auditor's report, then the audit was "internal", no matter whether the legwork was done by first-party, second-party, or third-party auditors. Likewise, if a customer or other outside entity requests the audit, pays for the auditor's services (either using their own staff, our people, or a consulting service), and receives the final report, the audit is "external".

---

I think you've got a small problem in this thinking due to who gets the "final report" in the registrar's audit.

You do not.

You get a copy of the report of what is found in the audit, but the original will remain with the registrar. What you're paying for is not an audit, but a shot at registration/continuing registration.

You get the same thing with regulatory bodies such as UL. They'll send folks in to see if rules are being followed. You're not paying for an audit, but they are auditing.

I know that the consultant as internal auditor/Management Representative has been covered in other posts in this forum, and the consensus seems to be that it's okay if the consultant is considered a "temporary employee".

I don't think any registrar out there is going to consent to it's auditors being considered your "temporary employees".

Just my two cents worth.

AJP

posted 08 November 2000 10:07 AM               

The question of what you're specifically buying from a registrar no doubt varies from one registration firm to the next, but in our case, we're buying audit services, sold to us in units of "auditor-days" required to perform the audit. In addition, the registrar is careful to be sure that we understand that the registration certificates haven't been sold to us, but remain the property of the registrar, presumably so that he can legally take them back if we don't keep our quality system together properly.

Since he's selling us audit services, why not let them do "double duty", and serve as the portion of our internal audit program that verifies our continuing conformance to ISO- and QS-9000? We're a small outfit, and try to always get the most "bang for the buck" that we can!

posted 10 November 2000 11:14 AM               

I'm sure that there might be some registration firms willing to preform "double duty" for you - If you were willing to pay for the double service" - increase the visit time to a minimum of 6-8 mandays per year - tell them you want them to audit the entire system according to your internal procedures each visit -- and go the "Double cost" + travel/meals/housing/car rental/pencils/paper/ postage /long distance phone charges / laundry cleaning /shoe shines etc. etc.

We get the "bigger bang for the buck" - by relying on our own internal folks doing audits without the need for paying XXX.XX per hour for hired in auditors

Regards
Jim

posted 13 November 2000 04:09 PM               

Many thanks for your suggestions and ideas - most appreciated!

posted 21 November 2000 10:07 AM               

You asked; ÎWhy is it that a company needs to perform its own internal quality system audit, when we've already hired a registrar to come in and do the same thing?â

Well, the fact is, you havenât hired a registrar to come in and do the same thing. All you have done is asked a registrar to come in and do his own thing, whatever that is. I donât know the registrarâs plan and objectives and I doubt whether you do. All we know is that, when it is over, he will registrar or refuse to registrar, based on his own rules. We have some knowledge of what he wonât do, though;
We expect that the decision will bear some relationship to our compliance with ISO 9001/2 although it will not guarantee full compliance, even at the time of the audit. What we do know, for sure, is that it will not have been run according to our established and maintained documented procedures for planning and implementing internal audit and that, in this, it fails to meet the requirements of ISO 9001/2. Other requirements it normally fails to meet are our need to; identify the responsibilities of persons who will carry out the internal audit; provide the necessary resources including personnel and be responsible to ensure they have adequate training; initiate the audits according to our own audit schedule, etc. We will also have to audit the internal audit function with independent auditors, ie, auditors not from the registrar. Finally, we will have to review the implementation and effectiveness and take corrective action as necessary, through management review, getting committment from the registrar to put right any failures in his conformance with our procedures and objectives. We will have to record these failures, report them to his management and follow up on corrective action within his process.***

I donât see any reason, within ISO 9001/2 why you canât go ahead and do this, given that you get the agreement of your registrar, of course. (this might not be easy and I wouldnât be surprised if the fee went up by about 1000%, or 10,000% when the registrar saw what you were expecting to do to him)

Itâs not looking so good so far, is it? But thereâs more, though it's pretty mundane stuff; No doubt there is another set of requirements relating to what registrars can and can not do, which will scupper your plan completely. Iâve never looked at these requirements but I would be very surprised if there isnât an Îindependanceâ clause in the rules handed down to them, just as there is in our clause 4.17, which will say that the people doing the work cannot make the call on whether the work is in compliance, ie; the registrar cannot award registration to his own organisation or to any organisation to which that registrar is answerable. I canât say for certain that this is the case but if you do want an authoritive answer then you should ask your registrar and see what they say.

Thanks for the question - it's an interesting one. More interesting than at first glance when you think about the implications of the requirements it imposes on contracted auditors (see my *** above) and the can of worms this could open. I never thought about this before and I doubt if many people have. Being a contracted internal auditor myself, I prefer to say no more for the present. Keep the lid on the can.
rgds, John C

posted 22 November 2000 01:48 PM              

I highly recommend reading The Quality Audit Handbook, Second Ed. ASQ Quality Audit Division.

In addition to being a requirement (our third party registrar would not conduct the registration audit until one cycle of internal audits had been completed) here are some of the benefits:

1) Internal audits uncover opportunities for improvement before a third party audit.

2) An audit is an ideal time to identify training needs.

Why not find problems yourself before the third party audit and fix them? Unless you want nonconformances during the audit.

I have been the administrator of the internal audit program where I work for almost 5 years and this is based on past experience.

posted 01 February 2001 12:59 PM               

quote:

---

Originally posted by W. Kindel:
Hello, one and all,

I have a question about auditing (ISO and QS9000) that I so far haven't been able to get a good answer to, so I'm hoping one of you'se folks in the auditing field can help me out.

Why is it that a small company (we have a total of 18 people, including management) needs to perform its own internal quality system audit, when we've already hired a registrar to come in and do the same thing?

Since registering to ISO & QS9000 is in internal business decision, with the audit hired, paid for, and reported to top management, it seems to me that the registrar's work already qualifies as an internal audit. Why do it again? More work for auditors?

Many thanks,

W. Kindel

---

Why do it again? Well lets see, if you are having you registrar come back more frequently when you have nonconformances or complaints occur, then I would say you are safe (unless of course your company receives no complaints and there are never any non-conformances). Internal audits from my understanding are "to be scheduled on the basis of status and importance", so as non-conformance's or complaints from customers increase, I would have to say your internal audits of that area should increase also. Sounds logical to me.

Let me ask you a question do you audit your suppliers?

posted 01 February 2001 02:30 PM               

While we don't audit our suppliers, we do examine everything they send to us via a documented Incoming Materials Inspection.

And while we don't call our registrar to return for more frequent ISO system audits if a customer has a problem, we do perform a number of additional internal audits of our manufacturing and business functions at intervals chosen by management, and which may be done more frequently if circumstances suggest would be the wise thing to do.

What I'm questioning is the apparent need for us to go through all twenty chapters of ISO ourselves, only to have our registrar come out and do the same thing again. (And yes, if our registrar spots a nonconformance in the system, he does return to verify that it has been fixed.) While I can appreciate that many good, sound reasons for extra auditing can be put forth, I'm just not seeing the requirement for it anywhere in the standard.

posted 04 February 2001 09:56 AM               

If by the time you get to your final audit, either the auditors will call off the audit or they will complete it and you still receive a major. Part of their criteria is that they audit your results and objective evidence.

If you cannot provide this evidence you're through. This isn't very cost effective for any company, since the registrars will not provide a refund.

posted 06 February 2001 10:52 AM               

Our registrar returns at six-month intervals (checking approximately half of the elements with each visit), and we could certainly show him his past work, as evidence of an ongoing internal ISO9000 system audit program.

And if you flop your big blue ISO Compendium book open to ISO10011-1:1990 section 4.1, you'll see that audits can be performed for one OR MORE of the purposes therein described, which include not only conformance to the standard, but also for the listing of the organization in a register.

That's why I opened this particular Forum topic for discussion - it just seems that a small organization should be able to get "double duty" out of the registrar's work, which would be more efficient that having to do the whole thing twice every year.

posted 06 February 2001 02:37 PM            

Because the registrar is there to assess your company's conformance to the standard. An internal auditor is there to assess your company's conformance to to your quality management system, your quality policy, your way of doing business etc., etc.

Do your hire temps in your business? They do work at your place of business, and money goes from your company to their wallet. BUT, you are actually paying a temp agency to furnish you with suitable help. (see the comparison? You pay the "Registrar" the pay the auditor.) You don't have to pay that temp the same benifits as a full time employee because they are not actually employed by you. So it goes with the registrar's auditors. Even though you are paying for an audit, those auditors do not work for you, therefore you cannot consider their work as an internal audit.

posted 17 February 2001 08:20 AM               

Registration Audit = conformance
Internal Audit = conformance + effectiveness

But Management Review also includes assessment of effectiveness. So, in a small company using external audit for assessing conformance and expanding the Mgmt Review to include assessment of whether the QMS "conforms to planned arrangements" (i.e. objectives & plans) and is "effectively implemented & maintained" would suffice. Need records.