
When to Do Internal Audits?

Discussion in 'ISO 19011 - Auditing Management Systems Guidelines' started by Andy Nichols, Jun 2, 2020.

  1. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    In another thread, Qualmx posted:

    What I have implemented is the following:

    I do monthly audits (5 processes each month)
    and opportunities of improvements, when detected
    are included in the audit report.
    It is known that for OFIs, actions are not required, but....

    It is common that even if an OFI may have benefits to the process,
    the auditee doesn't do anything.

    Quarterly, the QMS responsible gathers the audit reports, organizes
    a meeting, invites the auditees and discusses the OFIs,
    and if the QMS coordinator/auditees agree, implements the necessary OFIs.

    My two cents


    My interest is understanding and discussing the information/data on which to base the selection of the specific process and quantity of processes etc. to be audited in any period of time. Why 5 processes each month? What is the rationale? Why once a year, as others do?
    As we know, ISO 9001:2015 requires an audit program to be established and audits to be planned etc. including "frequency". Nowhere does it state that a calendar of (say) monthly audits is necessary.
     
  2. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    Good morning @Andy Nichols ;
    Your observations are certainly sound.

    Here is my assumption based on my past experiences....
    1- Convenience
    This is not a completely "bad" reason. As we know, the more convenient something is, the more likely it is to get done.
    2- Consistency
    A contributor to "convenience". If the audit planner/facilitator/"lead" can establish manageable "chunks", then the work load is dispersed somewhat easily over time.

    3- Available auditors/auditee/planning
    Items "1" and "2" contribute directly towards this. Most internal auditors are on a different hamster wheel of tasks/responsibilities, and often have a difficult time pulling themselves away from their direct responsibilities in order to conduct internal audit(s). The further in advance the auditor knows his/her audit responsibilities, the easier it is to "convince" them and arrange for them to complete their audits.
    In my experience, this is the biggest challenge specific to the planning/execution of internal audits and the most significant reason that "calendars/schedules" are often utilized.
    4- Calendar/schedule
    This directly contributes to all of items 1~3, and can be "helpful" for the same reasons listed above.

    You are correct to point out that the standard does not require any specifics related to these four considerations. In fact, as you allude to, simply establishing an audit program based solely on these four considerations misses the intent/benefits of the standard, and can lead to a 3rd party non-conformance.

    I have, however, seen the principles of these four "items" considered effectively IF/WHEN it is demonstrated that changes to the management system, past performance (both internally and to the customer), and importance of the process(es) cause changes to the "calendar/schedule" and that these changes don't derail the internal audits based simply on the challenges they put towards 1~3 above. Internal auditors are often promised something like "you won't need to do more than three audits per year" and calendars/schedules are established in an attempt to facilitate that. This is fine, as long as it does not negatively impact the need to review and modify audit "schedules" based on the aforementioned changes and past performance and importance of the process(es).

    In regards to your "once a year" reference, I would never affirm or justify or give any credibility to such an infrequency. That would be akin to looking at the scoreboard AFTER the match is over. That example would provide no benefit to the organization.

    These are my "2 cents" on the topic.

    Be well.
     
  3. Andy Nichols

    Nice post, John. Since most organizations' internal audit program is established in order to become certified, the idea of auditing "everything" in a given period - whatever that may be - can be justified on the basis of ensuring only minimal risk (or mitigation thereof) of a major non-conformity being issued by the CB. When viewed through the CB optics, this works. No CB likes to find "majors". In preparing the QMS for certification, everyone's focus was on that goal, after all, who wants to be the reason for "failure" and the internal audits are frequently seen as a key to avoiding that event. Little planning was necessary. Even less auditee involvement was anticipated as being necessary. Once again, the CB optics are one of emulation of their process. Even "Lead Auditor" training gives scant consideration to the true needs of the internal audit process, since auditing has and continues to be modelled after external audit techniques.

    That's where the vast majority of Internal Audit programmes languish, without ever being considered as needing a change while "majors" aren't written by a CB. The "low bar" has been set.

    If we set aside, for a few moments, the need for ISO Certification, starting with a clean sheet of paper in the initial phases of implementation of a QMS, which processes would be audited and when? Once audited, then what? What criteria should be used?
     
  4. John C. Abnet

    Ah...., now you've opened a real can of worms @Andy Nichols ! (thank you :))


    a) ISO 9001 requires organizations to "...determine the processes needed for the QMS..."

    b) IATF 16949 requires we "...audit all QMS processes over each three calendar year period."

    c) IATF further delineates between "QMS process" and "manufacturing process..." (implying that if you are ISO 9001 certified only, the QMS would not include manufacturing processes!? Implying that "riveting" in a manufacturing company is not part of the QMS!?)

    d) IATF identifies (correctly) Internal Auditing as a process. Does "internal auditing", therefore, require a specific dedicated "internal audit" of "internal audits"?


    I have worked with some organizations that have listed 20+ processes. In context of those specific examples, few needed to list more than 6 or 8 processes, and in my professional opinion have gotten WAY too granular when establishing and identifying the "...processes required".

    So, if we are REALLY going to do a deep dive of internal audits, then we first must secure the foundation by clarifying how to "determine the processes needed".

    Ponder, ponder, ponder...

    Be well.
     
  5. Andy Nichols

    I'd like to further muddy the waters in respect to adopting the so-called "process approach" when discussing auditing. There's no such requirement in ISO 9001. IATF 16949 mentions the "automotive process approach" but fails to actually explain what that actually is. Indeed, ISO 19011 is fairly imprecise too. Hence, internal audits don't HAVE (i.e. be required) to be performed on processes...
     
  6. John C. Abnet

    Hmmm..., I don't understand your thoughts on this @Andy Nichols.
    * In the context of ISO 9001, "...taking into consideration the importance of the processes concerned."
    * In the context of IATF, "...shall audit all quality management systems processes...."

    If not auditing processes, then auditing what?

    Thanks in advance.
     
  7. Andy Nichols

    Aha, @John C. Abnet! Let me explain: There is no explicit requirement in ISO 9001:2015 to audit "process(es)". The "taking into consideration" requirement relates to a lot more than just "doing" audits, including planning and maintaining the audit programme, including the frequency, methods, planning requirements and reporting and the IMPORTANCE of processes concerned (not just "processes"). A clue lies in the fact that "audit criteria" and "scope" have to be defined, which could imply that audits should look at not simply process but other scopes. The "process approach" is referenced in the standard in terms of how the QMS is "constructed", i.e. a system of processes. Even ISO 19011 doesn't uniquely specify audits of processes, iirc.

    Of course, the IATF focus is on (product) manufacturing processes since that's how they feel they will get good product (you notice how MUCH MORE emphasis is placed on auditor qualification than say, product or process engineers?). Oddly, they don't promote audit of engineering processes in the same manner, but that's where most problems are caused! The "automotive process approach" isn't defined anywhere, so it can't officially exist as a repeatable activity...

    A riddle, wrapped in a myth, covered in a conundrum (or something)
     
  8. John C. Abnet

    Indeed! I "love" the emphasis put on a "made up" term that has no definition applied to it. Thank goodness the "automotive" gods have discovered an approach far superior to any other when it comes to auditing and processes ;)
     
  9. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Just checked 19011 and it says (in section 5.5.2):
    "The audit scope should be consistent with the audit programme and audit objectives. It includes such factors as locations, functions, activities and processes to be audited, as well as the time period covered by the audit".

    In my opinion, internal audit schedules should be established based on the strategic direction of an organization. Audits tell where the organization is in realizing its strategic goals. When setting the schedules, the top management should be the one to dictate when they want to be updated on the company's performance.
     
  10. Andy Nichols

    More options than just processes can fall within the scope of an audit... "Locations, functions, activities"
     