1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Internal Auditor's Sufficiency

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Michak, May 16, 2018.

  1. Michak

    Michak Member

    Joined:
    May 11, 2018
    Messages:
    11
    Likes Received:
    2
    Trophy Points:
    2
    I was wondering what kind of evidence would prove to an external auditor the sufficiency of the personnel responsible for conducting internal auditing. We got a Nonconformity A with regard to that, and we are now requested to implement our Corrective Action with Dates Set, etc, and deliver what will be the output.

    In Management Review, the second Nonconformity, it's clear to me that a template document has to be made according to the requirements for the inputs and outputs of that process. But, honestly, to my perspective, for someone to perform internal auditing he would obviously need to have a good grasp of the standard's concepts and even more of the specific areas which he is suppose to audit. Beyond that, what?

    I have seen that there are some auditors in the forum and also experienced "quality" people. If someone could share his opinion, please.

    Thank you.
    Michael.
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Can you share the EXACT wording of the non-conformity? I smell a rat...
     
  3. Michak

    Michak Member

    Joined:
    May 11, 2018
    Messages:
    11
    Likes Received:
    2
    Trophy Points:
    2
    It states the following:

    Clause 7.2 - 10.2: No corrective action was realized to deal with non conformity B identified during the past audit, in relation to organization's lack of capability to perform internal audits. Furthermore, no sufficient knowledge of standard's ISO 9001:2015 requirements can be demonstrated.

    Non conformity B of 2017's audit report was stating exactly that:

    Clause 7.2 - 10.2: training of internal auditors in internal audit issues could not be proved.

    I think, Andy, I know what it is that you smell :D

    Any suggestions on how to deal with that? Oh, except from attending to a seminar-training for internal auditors organized by the certification body.

    Thank you!
     
  4. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    The initial response from me is I'd like to see a properly worded non-conformity from the CB auditor! What they have written, recognizing it may not be by a native English speaker, needs a whole lot of work...

    Firstly, internal auditors shall be competent, not trained. Training is an option available to bring someone to a level of competency. There is NO ISO 9001 requirement which states "Internal auditors shall be trained..."

    Secondly, internal auditors (or anyone particularly) - under the competency requirement - don't need to have "sufficient knowledge" of ISO 9001 ("sufficient" is an opinion). Once again, we should go back to whether they are competent. Nothing in section 7 or 9.2.2 states "Auditors shall be sufficiently trained on ISO 9001:2015". It sounds a bit like mission creep from the automotive world. It seems that your auditor is pushing their bias into the situation.

    If your auditor has written this as a finding and departed the audit, all you need to do is respond back to the CB Operations management and reject their nc as faulty, since there is no reference to any criteria in ISO 9001:2015 which makes either of these statements. Tell them you don't expect their auditors - whomever they send - to be auditing from personal bias and quote ISO 19011 as your reference for auditor attributes...
     
    Last edited: May 16, 2018
    tony s and Jennifer Kirley like this.
  5. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    816
    Likes Received:
    402
    Trophy Points:
    62
    So I think the real answer to your question is contained in the internal auditor's report itself. A good report should indicate a level of competency. If you're a small company with limited internal auditor resources, we have found that a good reporting form and timely review helps.
     
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    The answer? I'm struggling to know what the question/issue is...

    Too many times, I've discovered, "reading between the lines" gets clients into trouble when deciphering (CB) auditors' reports...
     
  7. yodon

    yodon Well-Known Member

    Joined:
    Aug 3, 2015
    Messages:
    198
    Likes Received:
    115
    Trophy Points:
    42
    Agree with Andy that the original finding was poorly worded and should have focused on competence... but maybe let's focus on that a bit. What WAS presented as demonstration of a) competence to audit; and b) competence of 9001:2015? The update to the standard DID introduce some unique things so I can at least understand that this might be a concern.

    If, for example, the ISO auditor found some obvious nonconformities (e.g., some of the new aspects in :2015 completely missing from the quality system) then ONE conclusion that could be drawn was that the internal audit was ineffective and the internal auditor not sufficiently qualified. (I've also seen this as an ISO auditor apparently trying to prove 'dominance' more than competence). But maybe the rat smell is due to a fire burning under it (to badly mix metaphors).
     
  8. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I agree, somewhat, however, that's a bit like firing the QC guy on the line for a product design screw-up... "Didn't you know..?" The reason I bring that up is from a previous life when, as a newly minted SQE, I discovered a product design flaw and became the pariah of the Engineering design group for pointing it out!
     
    Jennifer Kirley likes this.
  9. Michak

    Michak Member

    Joined:
    May 11, 2018
    Messages:
    11
    Likes Received:
    2
    Trophy Points:
    2
    I was wondering, using the own terms of ISO 9001:2015, shouldn't we think of CB as one more interested party in relation to the organization? If so, wouldn't be then part of a quality system to also evaluate CB and whoever represents them? Just some thoughts.

    Back to the subject, first non conformity type A was about management review process; considering that this is a clear requirement of standard's 2015 version we treated it as such. We made a MG report file to meet every requirement stated in clause 9.3. For the second one discussed here, we opt for delivering basically what it is a Task Schedule document where we state dates for internal meetings in every one of which a specific internal audit subject will be addressed. I don't know what you believe from your experience, but I'd like to think this will be enough to have our certificate delivered right away.

    Coming from the engineering and math world, I really like the rigor and the insight of your approach, Andy and the rest. I am learning a lot. Thank you!
     
  10. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    You could, but I wouldn't (and I used to be a CB employee!). I think you're better off simply lumping them in (without reference directly) as "suppliers".

    If you wanted to sanitize your documents and share them here we'd be better able to guide you. Redact a copy and scan and post for simplicity.
     
  11. Michak

    Michak Member

    Joined:
    May 11, 2018
    Messages:
    11
    Likes Received:
    2
    Trophy Points:
    2
    Sure. take a look https://www.dropbox.com/s/v6j0rlp0t...rmities resolution - External Audits.pdf?dl=0

    We were asked not to present the "shall", but instead what has been done to address non conformities. So, while in the first case we are in position to deliver a MR Report document to meet 9.3, in the second, internal auditors non competency case, we present our plan to approach it. And I suppose, or I am hoping, that these actions will be enough to give us the certification.
     
  12. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    In quick review, it looks to me that the actions are timed incorrectly. You need to assure the competency of your internal auditors (I'm still uncertain, from the CB report, what the actual issue is) and, having done that, do some audits. Then you can throw the results on the agenda for management to review. Bear in mind that audits are there to validate (or not) that the process was being followed.

    I'd like to take a look for myself at what the CB was shown, to be able to be truly helpful to you...
     
  13. Michak

    Michak Member

    Joined:
    May 11, 2018
    Messages:
    11
    Likes Received:
    2
    Trophy Points:
    2
    Well, Andy, I am afraid there are not too many differences from what I have described here, but you can look for yourself:

    https://www.dropbox.com/s/572cwc8ekpt4yov/NC LIST TUV HELLAS AUDIT 2018 (003).pdf?dl=0

    Again, the issue is NCA #2. Note that when mentions "NC B of previous audit.." she/he refers to that: "Training of internal auditors on subjects of internal audits can not be proved" (copied form 2017's audit report).

    I am pretty sure that if appropriately defined actions will be presented in response (not just a plan) we will get where we want.
    So, rather than a prescribed formula, I guess I am looking for a framework here. Considering also that the standard is now more loose on how documenting information, I am thinking on how should I document that. For example, following the Plan Do Check Act practice, I could use a "Corrective Action Form", which resumes 3 phases: 1) identification, 2) Plan/Corrective Action, 3) Verification/Approval. As for the essential part, what should internal auditors do to be competent, I think it comes down to this: "What do they the audit? Why? What should they expect to see?". Am I in the right way?
     
  14. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Internal auditor competencies are more extensive (I've been doing audits and training auditors for 25 years btw). Training, per se, isn't what's required. Competency is, however, your auditor didn't report that and has diagnosed the symptom, which is NOT their job! You could have trained them it just wasn't good/appropriate training!

    However, the simple question is, did your internal auditor(s) have any kind of training by an organization who train internal QMS auditors?
     
  15. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    816
    Likes Received:
    402
    Trophy Points:
    62
    So it sounds to me like you have two findings. The first, from last year, is on auditor competency. The second, for this audit, is on corrective action -- which wasn't taken from last year's competency finding. That makes no sense. If you had a finding from last year on competency, was that corrected?

    Second thing is the smells like automotive creep. IATF has specific requirements for internal auditors which includes "knowledge" of the standard. ISO is much more open.

    I would basically come up with a competency checklist to evaluate your auditors against. I would use a completed audit report as proof of them meeting those competencies.
     
  16. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    But that's ONLY approximately 1/3 of the audit task... Don't they have to be competent in planning and conducting the audit too? How do you compare a result if you don't know what was planned? Just like your manufacturing line, don't you need to know what was planned to compare the result with?
     
  17. Michak

    Michak Member

    Joined:
    May 11, 2018
    Messages:
    11
    Likes Received:
    2
    Trophy Points:
    2
    No at all. The CB, however, conducts trainings on ISO 9001 subjects and the auditor they send to us urge us every year in every audit to attend one of those.
    Wasn't that the rat you had discovered?
     
  18. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Not quite, but that also makes sense that they would try to drum up business. Based on what they reported - such a poor NC statement, I wouldn't let them train any of my auditors!

    Have you defined competencies for your auditors? If not, you should take a look at what ISO 19011 says about auditors' personal competencies. It's unlikely that the people you have posses all the skills they need. If your CB auditor was competent, he would have reported more accurately, instead of simply trying to get someone into a class!
     
  19. Michak

    Michak Member

    Joined:
    May 11, 2018
    Messages:
    11
    Likes Received:
    2
    Trophy Points:
    2
  20. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    In my experience, this isn't what I'd be doing. I have a fundamental problem with writing out questions. We are capable of phrasing questions and have done since we were 3 years old (generally). So why write the thing out? After that, you have to evaluate the process - or whatever you are auditing - so these aren't the questions you have to answer. Management can't do anything with this type of report. It's what I call form filling for it's own sake.

    A single page report is always best. Do a narrative, with maybe some charts/traffic lights.
     
    Last edited: Jun 4, 2018
    Michak likes this.