
Internal Audit must be announced?

Discussion in 'ISO 19011 - Auditing Management Systems Guidelines' started by may@ m., Sep 5, 2019.

  1. may@ m.

    may@ m. Member

    Hi, newbie here trying to gain valuable insights I can apply to our organization.
    Our CB keeps on insisting that our internal audit should be announced, and be at a regular interval, which they explained means that if our planned interval is every year, then site A audited in Jan 2019 must be audited in Jan 2020?
    By the way, our organization is in the banking industry, and we deem our IA to be integrated in our regular operations audit. We do unannounced audits because of the cash count component. Further, the conduct of IA at sites is based on approved risk analysis. Lastly, our IA is recognized as compliant, much above the standards of global audit organizations.
    May I know your thoughts, please?
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Hello:

    What kind of internal audit are we talking about? If it's a management system (ISO 9001) type audit, then yes, it should be announced. There is NO good reason to treat people as if they have been caught with "their hand in the cookie jar".

    As far as the scheduling goes, doing one internal audit a year (if, again, we are considering an ISO 9001 type audit) is a) not what's required and b) not going to be effective.

    Internal audits should be risk based.
     
  3. may@ m.

    may@ m. Member

    Hello. Thank you for the reply.
    I meant our Internal Audit for our QMS, which is done by our Internal Audit Group. Only, said internal audit is subsumed in the regular operations audit in the organization. Say, as we are a bank, when the IAG conducts its operational audit in a branch, they also check QMS implementation in said branch. So because the regular operations audit is not announced, it follows that the QMS Audit for that branch is a surprise audit, even if it is not intended to be.

    Are we doing it correctly? By the way, is there documentation that says a QMS Audit should be announced?

    Thanks again.
     
  4. Andy Nichols

    Andy Nichols Moderator Staff Member

    Does your QMS comply with something like ISO 9001?
     
  5. tony s

    tony s Well-Known Member

    ISO 19011:2018 (Guidelines for Auditing Management Systems) section 6.2.2g specifies: "The audit team leader should ensure that contact is made with the auditee to: g) make arrangements for the audit including the schedule".
     
  6. may@ m.

    may@ m. Member

    Is this applicable to an IMS Internal Audit?

    OR

    to a CB auditing its client?

    TIA.
     
  7. may@ m.

    may@ m. Member

    Yes.
     
  8. tony s

    tony s Well-Known Member

    Yes. ISO 19011:2018 Introduction stated this:
    "This document adopts the combined audit approach when two or more management systems of different disciplines are audited together. Where these systems are integrated into a single management system, the principles and processes of auditing are the same as for a combined audit (sometimes known as an integrated audit)".
    Could be. However, CB audits are required to satisfy the ISO/IEC 17021-1:2015 (Conformity Assessment - Requirements for Bodies Providing Audit and Certification of Management Systems).
     
  9. may@ m.

    may@ m. Member


    So can they raise an NC with our methodology?
     
  10. tony s

    tony s Well-Known Member

    If NC against ISO 9001, then definitely NO. There's no categorical statement in the ISO 9001 standard that requires internal audits to be announced.
     
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    Are you asking if a CB auditor can raise an NC if you perform unannounced internal, QMS audits?
     
  12. may@ m.

    may@ m. Member

    Yes. That's one thing I would want to clarify. Because our CB has just raised an NC on the grounds that our internal audit is done unannounced.
     
  13. tony s

    tony s Well-Known Member

    ISO 9000:2015 defines nonconformity as "non-fulfillment of a requirement". There must be a requirement first before an NC can be raised. Even ISO/IEC 17021-1:2015 (Requirements for bodies providing audit and certification of management systems), in section 9.4.5.3, mentions "A finding of nonconformity shall be recorded against a specific requirement..." Where in the standard did the auditor raise the issue against? You have to make an appeal.
     
  14. Andy Nichols

    Andy Nichols Moderator Staff Member

    Meh, that's not a non-conformity, as Tony points out. However, a COMPETENT auditor would find where the internal audits weren't effective, due to being unannounced...
     
  15. Golfman25

    Golfman25 Well-Known Member

    Where in the heck is the "shall" for that? We haven't "announced" our internal audits for years. We are a small company and expect things to be working without an announcement. So many bigger things to deal with. Good luck.
     
  16. Quality Guy

    Quality Guy Member

    We perform weekly audits that are unannounced. Since they are weekly they are somewhat expected so it is really not an issue. An external audit is always announced however.
     
  17. Andy Nichols

    Andy Nichols Moderator Staff Member

    Why?
     
  18. Quality Guy

    Quality Guy Member

    We do weekly audits on work cells. This stems from some real problems we encountered in one department and the audits just carried over to include other departments as well. It covers some ISO stuff but mostly procedures and documentation related items.
     
  19. Andy Nichols

    Andy Nichols Moderator Staff Member

    These sound more like "Layered Process Audits" which aren't the same as Quality Management Systems (process) audits. Do you have any other types of internal audits going on? An audit of simply documentation also isn't a QMS audit. Are you certified to ISO 9001?
     
  20. Quality Guy

    Quality Guy Member

    No, these are not management systems audits. Sorry if I implied that. Yes, we are ISO 9001:2015.