1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Internal Audit - Stage 1?

Discussion in 'ISO 19011 - Auditing Management Systems Guidelines' started by Andy Nichols, Oct 28, 2016.

  1. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    As much as I despise using CB audit techniques as a model for internal quality audits, it occurs to me that the reason(s) for - if not the actual complete process - a CB "stage 1" type audit have many benefits for internal audits.
    Thoughts?
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Hasn't anyone any thoughts or experience they want to share? Did I miss something?
     
  3. MCW8888

    MCW8888 Well-Known Member

    Joined:
    Aug 17, 2015
    Messages:
    642
    Likes Received:
    198
    Trophy Points:
    42
    We use the CB type audit to get us through the transition to ISO9001:2015.
     
  4. normzone

    normzone Well-Known Member

    Joined:
    Aug 3, 2015
    Messages:
    137
    Likes Received:
    77
    Trophy Points:
    27
    [Andy], you're an experienced professional with the capability to jump into any situation with little to no tools and come up smelling of roses.

    I, on the other hand, manage an ever-changing roster of dragooned persons from other functions in the company and call it my internal audit team. A stage one (desktop review of applicable documentation, correct? Am I on the same page ? ) is a good starting point for a novice auditor.
     
    Andy Nichols likes this.
  5. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Great point Normzone. The reason for my post was a recent epiphany from working with some internal auditors. In doing what you describe as a desktop review, it became abundantly clear to us that the documentation wasn't a very good basis for how the organization operated. However, it was sufficient as a means to move forward with the audit. It occurred to me that it would be worth sitting with the process owner before the audit took place, to get a "read" on where their head was with the documented QMS, rather than simply doing the desktop review (which did help with compiling a checklist/plan for the audit. Such a "stage 1" would have been beneficial for a variety of reasons, IMHO, over and above simply arriving to do the audit, armed with whatever auditors arm themselves with!
     
  6. normzone

    normzone Well-Known Member

    Joined:
    Aug 3, 2015
    Messages:
    137
    Likes Received:
    77
    Trophy Points:
    27
    " it would be worth sitting with the process owner before the audit took place, to get a "read" on where their head was with the documented QMS "

    Yes, and to hear them say " Yeah, that's right, we revised this last year because ... "

    OR

    " Oh, wow, that's old news. We don't do it that way anymore... "
     
    Andy Nichols likes this.
  7. Paul Simpson

    Paul Simpson Member

    Joined:
    Aug 6, 2015
    Messages:
    41
    Likes Received:
    61
    Trophy Points:
    17
    In the spirit of 'people helping people' here is an article I wrote for Bywater suggesting other ways of looking at internal audit. Definitely a long way away from the Stage 1 approach, Andy, but worth considering?
     
    Andy Nichols likes this.
  8. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Thanks, Paul. You will have read my comments elsewhere, I know. I am constantly amazed at the number of clients I meet who are permitted - as in their CB auditor doesn't highlight any issues during their audits - to do a single internal audit each year. The words "status and importance" seems not to have registered with any CB auditors, and, as long as Lead Auditor courses continue to teach auditing from the perspective of the third party, little will change. "Imitation is the sincerest form of flattery"...

    Training for CB auditors should be the exclusive domain of a few providers - and not made public and training organizations should be required by the accreditors to either be focused on internal auditing or supplier auditing. This idea of a "one size" fits all training for auditors is (and was) inappropriate and a clear distinction needs to be made before too many more people are trained.
     
  9. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    Since CBs are (hopefully) accredited to ISO 17021 and that standard is silent about how many internal audits are to be done each year, I want to stop short of direct criticism - though I do personally agree that the single annual audit is not a good idea and does appear to go against the standard.

    I'd like to point out though:

    1) ISO 9001:2015 says "...shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;..." which is not a directive to actually do more than consider. The 2008 version also said "An audit programme shall be planned, taking into consideration..."

    2) Auditors do call people out on this; just a couple of weeks ago a colleague of mine issued NC against an ineffective once-a-year internal audit process that did not find a number of things he did. The point is, the NC was issued after evidence was available showing the once-a-year approach was unsound. Given less than that, he would be issuing an action request based on his opinion - which we really should not do. We're after objective evidence and have to stick to what the standard says, not what we want it to say.

    3) Having a separate class for CB auditors is not sensible. The same information should be available to persons who want to prepare their systems. Why would we not want that? I do recommend attending an accredited class. I did, about a month ago. More people should do so. If I could have a wish on that subject granted, I would see that all of my colleagues pass that class instead of just attending the annual CB-internal training, which can turn into an echo chamber of dubious value. The trainer also had classes for Internal Auditor, plus awareness classes - it is not one size fits all.

    If you have more questions about CB practices, I'd be happy to answer that which I can and am permitted.
     
  10. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Jennifer: I've heard the same comments from others. In all reality, when someone arrives at a course, they have little clue as to what perspective the course is going to be taught from - indeed, many times we taught the Excel Partnership Inc course from the 2nd party perspective and as internal "corporate" auditors (course "rules" require all perspectives to be considered in teaching). So the point of learning how the CB is going to handle their audits doesn't hold water, I'm afraid...
     
  11. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    I believe they have the right to the same information we are getting. This is no time to make the business into some kind of Jedi religion. Six Sigma was bad enough.

    A nonconformity is a nonconformity, in our eyes of those of the 1st party auditor. Although, they frankly have rather more freedom than I do.

    The standard is the same, ISO 19011 is the same, ISO 9000:2015 is the same, the Technical Committee guidance documents do not mean anything different for them than us. If they don't use what they learned in the same context that's fine, but they still deserve the truth.

    That said, let's keep in mind these are accredited classes. I intend to offer a somewhat different Lead Auditor class, which will focus more on managing the internal audit program and less on the certification process.

    Also, I did not attend the Internal Auditor class so I don't know what that one includes. Maybe your clients should have been taking that class instead - though that's hard to say without knowing just what it was like. Did Excel Partnership offer an Internal Auditor course?
     
    Candi1024 likes this.
  12. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Yes, Jennifer. Excel Partnership wrote some of the very earliest Lead and Internal Auditor courses - long before 3rd Party Certification became available. The focus of each course was quite different and didn't include anything on certification until accreditation came along and forced us to teach the 3rd party process - when in fact few actual CB auditors ever came to the courses. People MAY have found their way into becoming a CB, but much later.

    IMHO the fact that ISO 19011 is the same for all audits is and has been part of the problem - and confirmation of that came recently when CBs got the new version of ISO/IEC 17021 to use INSTEAD of 19011. And, if you look at the make up of the committee which writes 19011 and also the APG you'll see many external auditors present. When you (only) look through 3rd party eyes, all audits look the same...
     
  13. Paul Simpson

    Paul Simpson Member

    Joined:
    Aug 6, 2015
    Messages:
    41
    Likes Received:
    61
    Trophy Points:
    17
    Hi, Andy. We've been around this one a few times over the years. ;) I think we agree that 1st, 2nd and 3rd party audits are not the same and that the competence requirements for auditors in each group may be different but that doesn't mean that an individual can't do all three, it just takes a flexible mindset.

    There is a core set of identical audit skills required for each group: time management, observation, questioning, good judgement, report writing, persistence, etc. It is the context (!) of the audit that creates difference. Some training organisations are able to differentiate and deliver tailored courses for at least external and internal audit.

    I don't agree that 3rd party training should be restricted to a few providers. Most CBs conduct their own training to get their auditors to understand the CB systems and assess their auditors' competence. Where restriction of training providers can work is if there are a standard set of industry requirements that need to be trained as well as 'vanilla' ISO - such as aerospace and automotive and industry groups typically manage this.
     
    Jennifer Kirley and Andy Nichols like this.
  14. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    I've been a 1st party auditor for several years, a 3rd party auditor for some years, and did a 2nd party audit and can't for the life of me understand why an organization would not want to know what CB auditors are taught to look for and how to interpret the standard, how to manage a team etc. Such topics would be suitable for a team leader, program manager or a site's sole auditor. It is good for such people to understand how the registration process works.

    Certainly competency needs would be different for the various levels; I agree it is a good deal different to be on this side of the table. But the information should not be hidden from those who want to know. I would worry that would turn the industry into more of what 6Sigma became, a sort of Jedi religion. Paul is right about the specifics that accrediting bodies want - that much was not included in the Lead Auditor class I recently attended. And that is fine. We do have different levels of responsibility and ABs want more from us than they do people who pass the class - that is why our qualification process includes XX supervised audit days and a demonstration for readiness to work independently. There are additionally different levels for surveillance, co-auditor and lead auditor. This of course may vary between CBs but the program is subject to scrutiny during accreditation. None of that is even discussed in the Lead Auditor class - it doesn't belong there.

    Competency requirements in 19011 need not be parsed out for the different levels; the organization can determine the extent and degree of competency to suit their needs. I have confidence in their ability to do so, and haven't yet found much reason to regret feeling that way.
     
  15. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Good luck with that! My 20 years + experience from the clients' point of view is that it's all over the map! Just this week, while teaching an internal auditor course, I was hearing things clients had been told - by auditors of very well known CBs - which made my blood run cold! Clients being told not just "interpretations" (something which ISN'T the CB auditor's job, BTW) but things which are very simply put: LIES!

    In actual fact this isn't what is taught in LA courses! It's apocryphal that anyone learns the registration process and since every auditor is different, how can anyone learn what their specific auditor is going to do?

    However, back to my original post, why shouldn't internal auditors perform a very similar preparation/readiness review similar to a stage 1?
     
  16. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    It was included in the LA course I took about a month ago. The subject included timeframes, the general process. The course also introduced 17021, which is what CB auditors are supposed to be doing - also covered was the option to appeal if the auditors are not doing that.

    I am 100% for an internal auditor doing a readiness review. I merely suggest that LA preparation could better prepare them for that, and for the registration process in general, and so they are better prepared to call out the CB auditors' errors/lies (saying they were lying implies they knew better) via a well-articulated dispute.

    Without taking the accredited LA class, CB auditors and clients alike are subject to the limitations of access to good information, especially given the extent of uncertainty about some of the terms and clauses. I wanted to escape the echo chamber by taking the class. I feel the investment was well spent, and I think most of my clients are intelligent enough to take the class. I was the only CB auditor there, in fact.

    CB auditors get annual training as per accreditation requirements, which is intended to be on top of what the LA class teaches but I will be interested to mentally compare what I hear in the echo chamber to what the accredited class delivered.