1. Hello and Welcome to The Quality Forum Online...Continuing in the spirit of People Helping People !
    Dismiss Notice
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Internal Audit 9.2.1a2

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Phil Scott, Jul 30, 2018.

Tags:
  1. Phil Scott

    Phil Scott Member

    Joined:
    Jul 26, 2018
    Messages:
    17
    Likes Received:
    2
    Trophy Points:
    2
    I infer that the requirement that internal audits provide retained documented information clearly evidencing on whether an organization's quality management system conforms to "the requirements of this International Standard" means all applicable elements, clauses, sub clauses, and letters.

    If an organization outsources the internal audits every twelve months, then the entire QMS (all applicable elements, clauses, sub clauses, and letters) must be audited and evidenced in the audit records.

    Where am I off?

    Thanks everyone.
    Phil
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    2,137
    Likes Received:
    1,100
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Hi Phil: The requirement isn't to retain documented information etc. but to ensure the system "complies with the requirements of this standard". I'd take a higher level viewpoint. Let's say that, as an internal auditor, you find a document control issue regarding the updating of work instructions, then clearly ISO 9001:2015 7.5.3.2 c is nonconforming.

    You've got a bigger issue in that doing internal audits on a 12 month cycle, you aren't running an effective audit program, and don't consider the importance of processes or changes... In fact, I'd go so far as to say your external auditor resource, doesn't know the standard (or your organization is unwilling to pay for more audits a year - which is very common).
     
    Last edited: Jul 30, 2018
  3. Phil Scott

    Phil Scott Member

    Joined:
    Jul 26, 2018
    Messages:
    17
    Likes Received:
    2
    Trophy Points:
    2
    Thanks Andy. For this organization, assume that an annual internal audit is what they can afford and seems to be adequate.
    My question meant to target whether the wording in 9.2.1a2 means each and every one of the standard's requirements must be audited with each annual internal audit.

    I think it does, but I want to check my take on it.

    Best regards,
    Phil
     
  4. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    2,137
    Likes Received:
    1,100
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Nope. The requirement is to audit based on a) ensuring compliance, b) importance of process(es) and c) changes.

    It is, however, unlikely, that once is a year is suitable, based on these requirements... Let's discuss.
     
  5. Phil Scott

    Phil Scott Member

    Joined:
    Jul 26, 2018
    Messages:
    17
    Likes Received:
    2
    Trophy Points:
    2
    I understand the planned intervals must be appropriate and effective, so I don't want to stray from the focus of my question.

    Just so I'm crystal clear, assume the QMS is internally audited every quarter (and this planned interval is demonstrably appropriate and effective), does your response above, "a) ensuring compliance" mean that each year the four internal audits must have collectively (not necessarily individually) covered each and every requirement of the International Standard?

    Thanks for your patience,
    Phil
     
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    2,137
    Likes Received:
    1,100
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    It's somewhat dependent on the implementation continuum. At the start of implementing an ISO 9001-based QMS, compliance is the focus of the audit(s) and you tend to "worry" about "are we doing what ISO says?". Once compliance (and certification) is established, you enter the maintenance phase. That's when (subtle) changes occur and things go out of compliance. People are added or leave. New suppliers are used, new customers, products, processes, technologies etc. Such changes often result in the system being out of compliance. Internal audits, done around the time of the change, can help minimize the risks.
     
    Phil Scott likes this.
  7. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    681
    Likes Received:
    443
    Trophy Points:
    62
    Location:
    Laguna Philippines
    There is no requirement that the organization must demonstrate that ALL the applicable clauses/subclauses are audited. Audits (internal and external) are done on a sampling basis.
     
    Astrojack98 and Phil Scott like this.
  8. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    2,137
    Likes Received:
    1,100
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    The fundamental answer is no. However, as with all things in life there’s more to it than that.
     
  9. Phil Scott

    Phil Scott Member

    Joined:
    Jul 26, 2018
    Messages:
    17
    Likes Received:
    2
    Trophy Points:
    2
    Thank you Andy and Tony for your insights. My biggest concern with interpreting 9.2.1.a.2 to mean internal audits must provide information, on a sample basis, on whether an organization's QMS conforms to the requirements of the International Standard is that registrar auditors will not see it that way. Is it possible that the sampling applies to the objective evidence and not on the applicable clauses/sub-clauses?

    Phil
     
  10. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    2,137
    Likes Received:
    1,100
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Actually, I disagree with Tony's comment about sampling. That's a caveat regarding external audits - their "get out of jail free" card. For internal audits, if the scope and criteria are well defined, it won't be a "sample" it'll be very focused to the specific process management want to have audited.
     
  11. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    160
    Likes Received:
    84
    Trophy Points:
    27
    Good day @Phil Scott;
    The summary of the good council you have received thus far provides an accurate response to your original question, which is "no".

    The standard leaves much of the audit activity up to the organization. ...
    - "...planned intervals"... (no specific time frame dicated)
    - " ...plan...including frequencies..." (again, frequency is left for the organization to plan)
    - "define the audit criteria and scope..."


    Regarding your comment ...
    It may help you here to remember that the standard requires us to use a Process Approach (sections 0.3 and 0.4 in the standard to a good job of describing this). Clause 5.1.1 requires leadership to promote the process approach. In short, this is a migration from the old method (consistent with your understanding which forward engineered via the
    "...elements, clauses, sub clauses, and letters...") to the current Process Approach which now has us auditing the processes within your organization's scope (e.g. stamping, labeling, painting, etc..etc...) and looking back at the standard to ensure that the control methods for those processes are conformant to the applicable "...organization's own requirements..." and "...requirements of...standard."

    Hope this helps.
    Be well.
     
  12. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    2,137
    Likes Received:
    1,100
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I'd like to clarify that ISO 9001:2015 doesn't require processes, per se, to be audited. It mentions that consideration should be given to the importance of process(es) but stops short of actually requiring processes to be audited. This "requirement" is "mission creep" from other sectors, such as the automotive industry and from the Registrar perspective, since they were "leaned on" for only doing element audits. The "scope" and "criteria" of an internal audit can be anything which management decide needs evaluating. Experience shows it's often in the interface/hand off between processes where problems manifest themselves.
     
    Astrojack98 likes this.
  13. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    681
    Likes Received:
    443
    Trophy Points:
    62
    Location:
    Laguna Philippines
    ISO/TS 9002:2016 - Guidelines for the Application of ISO 9001:2015 has these statements to answer the above question:

    upload_2018-8-7_18-38-4.png
     
  14. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    681
    Likes Received:
    443
    Trophy Points:
    62
    Location:
    Laguna Philippines
    So, Andy how do you carry out each scheduled audit? Do you audit every "shall" on all organization's own and ISO 9001 requirements for every area/process? On each scheduled audit?
     
  15. Phil Scott

    Phil Scott Member

    Joined:
    Jul 26, 2018
    Messages:
    17
    Likes Received:
    2
    Trophy Points:
    2
    That's a very helpful reference Tony. Thanks!
    Phil
     
    tony s likes this.
  16. Phil Scott

    Phil Scott Member

    Joined:
    Jul 26, 2018
    Messages:
    17
    Likes Received:
    2
    Trophy Points:
    2
    Thanks to you all for your insights!
    Phil
     
  17. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    2,137
    Likes Received:
    1,100
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Tony: I learned to audit processes back in 1985! As a result, I have used the following visual metaphor (link here to description http://blog.mmtc.org/2018/06/how-football-can-help-with-auditing.html ) to describe to "auditors in training" how to plan their audit assignment. From the diagram, you'll see that the "bubbles" around the "football" are all the supporting parts of the QMS (roughly in the sequence they support the core - manufacturing example - process).

    I use the football planning tool and I know others have taken to the use of this approach too. I've even had CB auditors be impressed when they see it!
     
    tony s likes this.
  18. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    681
    Likes Received:
    443
    Trophy Points:
    62
    Location:
    Laguna Philippines
    I was actually a fan of your "football". I've actually created my own visual metaphor using the football as the model. What I have is like this:
    upload_2018-8-11_13-4-6.png
     
    Gio26 and Rajkumar like this.
  19. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    2,137
    Likes Received:
    1,100
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I believe that's what other refer to as a "turtle". One thing the football does over and above the turtle is to make the auditor think about the sequence of the supporting processes and it actually fits the PDCA cycle, too.
     
  20. Astrojack98

    Astrojack98 New Member

    Joined:
    Aug 16, 2018
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Alexandria, VA
    I think this is the most sensible, and appropriate approach. If management is concerned about one business unit / process - do a detailed audit, or audit more frequently.

    If management is comfortable with how another process or business unit is operating, audit it less frequently and/or in less detail - ‘spot check’
     

Share This Page