1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Internal Audits in very small businesses

Discussion in 'ISO 19011 - Auditing Management Systems Guidelines' started by Andy Nichols, Mar 20, 2020.

  1. Guy Léger

    Guy Léger Member

    Joined:
    Mar 24, 2020
    Messages:
    29
    Likes Received:
    1
    Trophy Points:
    2
    Location:
    Chelyabinsk
    I understand and respect all of your opinions, and situations, but I am just trying to share situations of my own experience...

    Sincerely,
     
  2. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    816
    Likes Received:
    402
    Trophy Points:
    62
    You forgot Myself and I.
     
  3. Eric Twiname

    Eric Twiname Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    329
    Likes Received:
    232
    Trophy Points:
    42
    Location:
    Northeast USA
    I canned them both last year...they wouldn't follow proper procedures and kept badmouthing the auditor (me).
     
  4. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    We appreciate you sharing your experiences, especially as it sounds as if they have occurred in a part of the world where most of our members have little exposure.

    The definition of the small business provided is interesting in that it shows the variation in how each country operates.

    The OP - or original post - and even the title indicate that this is about very small businesses. Not just small...VERY small. @Eric Twiname gives a great example of his company with 3 people. It is this size of company that we were discussing...where people are the process owners for multiple processes and work side-by-side every day. Communication is not usually an issue with these individuals - between the continual interaction and the fact process owner for quality and production could be the very same person so no actual communication is required.

    Now, if you were to ask about documentation instead of communication, we could probably have a very interesting discussion, but that would be taking this thread off-topic.

    So, sticking to the idea of internal audits and VERY small businesses, how do you see internal audits adding value, @Guy Léger ? I offered one possibility in Post #13 of this thread, but it requires a characteristic not always found in people.
     
  5. Joe Ferrado

    Joe Ferrado New Member

    Joined:
    Apr 23, 2020
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    I am in a company of 26 employees. We are ISO 9001 and 14001 2015. We have a Business Management System promoting the improvement of processes by continually evolving control systems and optimizing all phases of the project life cycle. I am in the process of improving internal audit processes. We have three internal auditors. We will have three major audit processes based on ISO 9001 and 14001 2015:
    Major Process Clause 4 and 5 Major Process Clause 6,7, and 8 Major Process Clause 9 and 10. Audits are systemic and touch the other ISO clauses. Quality is the fabric of production.
    ISO provides the structure for successful companies. Owners I have worked with want the structure of ISO processes and not the certification.
    Small companies can create an effective internal audit processes. Thoughts?
    [​IMG]
     
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Welcome Joe! An interesting question. I'd offer the following:

    You are auditing clauses. That's not really what internal audits are supposed to focus on. The commonly held belief is that internal audits should be performed on processes (I can't find any actual requirement for this, but it is an option which makes more business sense than doing clauses). The purpose is to determine if the processes are achieving their objectives and that the process controls are being followed.

    You do just three audits in 12 months? What is that based upon. Nothing in either standard requires any kind of scheduled event, just that they are planned (which might be 5/10/20/30/40 days before) and the frequency is determined.

    Your diagram isn't an accurate depiction of your processes. I see a lot of "standards" vocabulary but not much business operations. Can your management team describe what happens using this diagram? Its the way the requirements work together, but that's NOT how businesses operate (not in my 45 years in industry). I see nothing about the actual processes of the organization e.g rfq, sales order, design engineering, procurement, etc. Where are they referenced?

    If you're not certified, that's fine. If you are, and certified with an IAF-accredited CB, then I can't see how you comply, based on this.

    I apologize if you've not heard this feedback before...
     
    Last edited: Apr 23, 2020
    John C. Abnet likes this.
  7. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    Good day @Joe Ferrado , and welcome to the site.
    As mentioned by @Andy Nichols , your organization's flow diagram describes how the STANDARDS are set up, but does it describe (to a new associate, for example), what your organization does? what are the processes and their sequence? How does the flow diagram help your organization? Would your organization create THIS flow diagram if it were not certified and no auditor was going to look at it?

    Remember to be selfish. An effective QMS serves the needs of the organization first and foremost ...(in a way that meets the requirements of the standard). Considering that the process of an organization are (should be) interrelated and interdependent, I am concerned that the description of your organization's internal audit appear isolated to specific clauses and the use of the term "major". May I ask what is the definition of "major" and would all members of leadership in your organization identify the same "major" activities?

    Without sounding like I'm hung up on semantics, I would also council to take care to not confuse the use of the term "process". "ISO processes", are not a thing. Although you are correct, that ISO management system standards can indeed be an extremely helpful TOOL in structuring an organization for success, "ISO" alone does not provide that structure and "ISO" is not a set of processes. Your organization determines how the organization and its QMS will be structured and your organization's processes are what "ISO" is referring to.

    Hope this helps.
    Be well.
     
    Andy Nichols likes this.
  8. Joe Ferrado

    Joe Ferrado New Member

    Joined:
    Apr 23, 2020
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Andy no apolifgies necessary

    Andy and John - thank you for your perspectives. When were in a one deep position these forums help to provide another view and improvements.

    Sorry I provided only the donut hole and not the donut in my posting.

    There are 21 Process Maps associated to each of the ISO clauses. See one I posted in this reply

    I am creating three turtle diagrams for the three groups of clauses I mentioned. These will provide guidance for the internal auditors to records, documents, and processes. Along with reflecting on risks and measurement of the processes.
     

    Attached File(s): 1. Scan for viruses before using. 2. Report any 'bad' files by reporting this post. 3. Use at your own Risk.:

    Last edited by a moderator: Apr 23, 2020
  9. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Wow. There's 26 people in the company? TBH - I think you're making this waaaay more complex than needed. You are letting ISO requirements drive you to compliance. In years of doing this in small/medium businesses, I've never had this degree of complexity. Can you help me understand how someone is supposed to navigate from the first diagram posted to one of these 21? I can see no linkages.

    I think you may still be missing the point about audits. You creating a "turtle" for each clause isn't going to help. Apart from anything, I've never found turtles to work. Secondly, YOU shouldn't be doing any kind of planning for any auditors - they need to do that, with guidance.

    I'm not getting a warm feeling here Joe...
     
    Last edited: Apr 24, 2020
  10. Mike S.

    Mike S. Member

    Joined:
    Apr 20, 2020
    Messages:
    37
    Likes Received:
    7
    Trophy Points:
    7
    I was once in a startup that was 5 people. I was quality manager, applications engineer, test engineer, purchasing, and HR. I didn't become half the audit team until we "matured" to an ISO 9001 QMS and got "big" at 10 or so people. :D
     
  11. Eric Twiname

    Eric Twiname Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    329
    Likes Received:
    232
    Trophy Points:
    42
    Location:
    Northeast USA
    Always a bad thing...ISO doesn't lead, ISO is the janitor who checks to make sure stuff ain't broken and leaking on the nice clean floor.

    Do the stuff right in the first place, and check to verify you're doing stuff right in the first place, and you're already ISO "compliant"...the rest is basically paperwork, cash outlay and annoyance.
     
    Andy Nichols likes this.
  12. Joe Ferrado

    Joe Ferrado New Member

    Joined:
    Apr 23, 2020
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Appreciate your thoughts, will help to improve our processes

    Many years ago a DQS Register auditor helped create the first Business Management System map.

    Following PDCA the map conveys the high level Business Management System of a company identifying the ISO 9001 and 14001 2015 Standards. Provides the scope of the company.

    Then the individual process maps provide a description of the companies quality and environmental processes.
     
    Last edited by a moderator: Apr 25, 2020
  13. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Which is EXACTLY what they are NOT supposed to do. In actual fact, they simply copied the diagram out of the ISO 9000 normative reference. Nothing to "create" - which they should have left to you...actually create YOUR system.

    Joe, you may not be aware of this, but being an auditor doesn't make any kind of qualification to create a management system. Think of it like this. How many people do you know who are QC inspectors have had a successful career as a product designer? Or, how many QC inspectors do you know who had a successful career as a Manufacturing Engineer? It's EXACTLY the right analogy, before anyone tells you it isn't.

    What you have, appears to me at least, to be something which passed "QC" but doesn't actually do what the designer or the manufacturer intended.
     
    Last edited: Apr 26, 2020