1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Internal Audit - Training Required?

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by xrat86, Apr 11, 2017.

  1. xrat86

    xrat86 Member

    Joined:
    Mar 31, 2017
    Messages:
    33
    Likes Received:
    5
    Trophy Points:
    7
    Several questions regarding the internal audit that is required pre Stage 1 and pre Management Review ~

    1) does the person conducting the audit have to be a current employee of the company?
    2) If the person is an employee of the company, do they have to be detached (i.e. separate department) from the quality department?
    3) For a small company (<50 employees), is one auditor sufficient?
    4) Does that person (or persons) conducting the audit require formal audit training?
    4.1) Are there accredited training and non accredited training classes out there?
    5) What is the scope of the audit?
    5.1) Entire QMS?
    5.2) A section of the QMS as determined by the auditor?
    5.3) A section of the QMS as determined by the Quality Department?
    5.4) A section of the QMS as determined by management?
    6) What are the possible outcomes of the audit?
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    1) does the person conducting the audit have to be a current employee of the company?NO
    2) If the person is an employee of the company, do they have to be detached (i.e. separate department) from the quality department?NO
    3) For a small company (<50 employees), is one auditor sufficient? NO
    4) Does that person (or persons) conducting the audit require formal audit training? Probably
    4.1) Are there accredited training and non accredited training classes out there? Yes
    5) What is the scope of the audit? Whatever you want it to be
    5.1) Entire QMS? NO
    5.2) A section of the QMS as determined by the auditor? NO, a collaboration with management
    5.3) A section of the QMS as determined by the Quality Department? See above
    5.4) A section of the QMS as determined by management? Yes
    6) What are the possible outcomes of the audit? Compliance, non compliance, go back and do the audit again, you're fired?
     
    tony s, Jennifer Kirley and xrat86 like this.
  3. xrat86

    xrat86 Member

    Joined:
    Mar 31, 2017
    Messages:
    33
    Likes Received:
    5
    Trophy Points:
    7
    #6) Compliance to what? Can it be as simple as an opportunity to baseline your progress WRT to adherence to the QMS?
     
  4. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    Internal auditors verify conformance to a standard and their own organization's requirement - and those of their interested parties.

    Interested parties may include regulators. In this way, verifying compliance to legal/statutory requirements may also occur.
     
  5. yodon

    yodon Well-Known Member

    Joined:
    Aug 3, 2015
    Messages:
    198
    Likes Received:
    115
    Trophy Points:
    42
    I don't necessarily disagree with Andy's response but maybe clarification on a couple of points?

    3) For a small company (<50 employees), is one auditor sufficient? NO

    Is this in reference to auditing the audit? Otherwise, if that one person was assigned full-time audit responsibilities, isn't it possible one person would be sufficient.

    4) Does that person (or persons) conducting the audit require formal audit training? Probably

    I think it should be noted that the person has to be competent to perform the task. That could be through training or experience.

    5.1) Entire QMS? NO

    Is this response for a particular audit activity? The entire QMS does need to be audited over an appropriate time period (typically 1 year), right?
     
  6. normzone

    normzone Well-Known Member

    Joined:
    Aug 3, 2015
    Messages:
    137
    Likes Received:
    77
    Trophy Points:
    27
    [yodon], it seems highly unlikely that a small outfit would have a full time auditor that was not tasked with competing duties - oh, wait, that's my job we're referring to ;-)
     
  7. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    This is NOT a requirement (however, check you arrangement with your CB because some "expect" this to be done, which makes it, IMHO, totally bogus, or it'd be in ISO 9001)
     
  8. yodon

    yodon Well-Known Member

    Joined:
    Aug 3, 2015
    Messages:
    198
    Likes Received:
    115
    Trophy Points:
    42
    Indeed, every auditor I've worked with does expect the whole system to be audited (which, again, it was acceptable to spread over time).

    I read (9.2.1) "...shall conduct internal audits ... to provide information on whether the quality management system... conforms to the organization's own requirements for its quality management system" to mean the entire QMS must be audited. How would this not require the entire QMS to be audited?
     
  9. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    OK, so I don't read it that way. As for external auditors buying into it, I'd guarantee they never asked about "status and importance"! In fact I still see clients who do one or two system-wide audits a year and THAT's ALL.

    I certainly don't subscribe to the annual timeframe, despite that it's "typical", when if it was in some way required it would be in the standard (or even the guidance 19011). It also depends on your audit methods. Those who create a schedule of audits to "fill up" a year seem to think that's the way to interpret other parts of 9.2.2, however, they completely overlook the status of the process, being more worried about such arbitrary things as covering "all the elements/clauses" which is simply (some) external auditors lack of knowledge being perceived as appropriate. It's one of those myths of ISO. Yes, some CBs put that in their registration agreement, so the client is forced into something which makes zero actual sense.

    This is one of those aspects of ISO 9001 which is rarely covered in any training - certainly NOT the fabled Lead Auditor course and yet, it's one of the least well understood and managed requirements. Maybe I'll create a course JUST for this aspect...
     
    yodon likes this.
  10. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    I have not seen any of my associates expecting an entire system to be audited in every year. An exception is of course being made for the transition year, in which the entire standard is expected to be audited to the new requirements for certification.

    Nor do the majority of my clients audit everything every year. Most understand the standards' language, which has long been clearly stating (in 2008, 8.2.2) "...planned based on status and importance of processes, and result of previous audits" and (in 2015, 9.2.2) "...shall take into consideration the importance of processes concerned, changes affecting the organization, and the results of previous audits."

    It was covered in the Lead Auditor course I attended.
     
    yodon likes this.
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Is it? Why would you have to do that? Surely, if you look at the requirements - either under "status and importance" or "importance of processes and changes affecting the organization" some things haven't changed and aren't as important as the new/changed things. Indeed, if I had a client being told they had to audit the WHOLE of their management system before their auditor would accept it, they should change their auditor...
     
  12. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    I can't vouch for other CBs but this is a requirement in the circles I run. I said prior to certification to the revised standard. After that, by all means based on "importance of processes and changes affecting the organization" etc. While the process itself may not have changed, there will be risk(s) identified for each one, KPI(s) may be new etc. Get another auditor if you want, but we aren't the ones who make this rule.
     
  13. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Though I subscribe to Andy's position that organizations don't need to audit the entire QMS annually, but most, if not all, CBs demand that all processes, areas and clauses of the standard are to be covered at least once a year. Recently, we had the following Stage 1 audit findings:
    • some areas/processes were not audited (e.g. top management, QMS planning, IQA, Document Control);
    • some clauses were not covered on internal audit (e.g. 8.5, 9.1)
    Even IATF 16949 only requires all to be covered over a 3 year period, but ISO 9001 is silent on this. Since the term "requirement" is defined as "need or expectation that is stated, generally implied or obligatory", does having a complete QMS scope coverage of internal audit annually fall under the "generally implied" definition?
     
  14. xrat86

    xrat86 Member

    Joined:
    Mar 31, 2017
    Messages:
    33
    Likes Received:
    5
    Trophy Points:
    7
    ^^perhaps these kind of discussions / disagreements / misinterpretations are good for business if you are a consultant or CB. As an end user, they do not inspire confidence that "certification" means nothing more than persistence and perhaps deep pockets. Which is sad, because the intent is clear and could add value to the end user.
     
  15. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    xrat86 makes a good point. However, without this sort of context in the process it is hard to understand CB auditors are not all-seeing or all-knowing, we do have internal procedures we're required to follow, and the client (you) has rights to push back if you think findings are not correct, not clear, not actionable, and/or not objective.
     
  16. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    The pertinent phrase would be in 9.2.1 b), "...effectively implemented and maintained."

    Without having covered all the clauses covered in audits prior to the certification, the question is how the organization has determined if the QMS conforms to (all of) the standard's requirements. This is probably the reason for insisting complete coverage prior to the certification; the certificate can't be issued until the system has been audited, so there would be a delay in any case. Such a delay might cause problems if the certificate expiration date is coming up soon.

    So, ensuring for coverage of all the clauses makes at least one full sweep sensible the first time around, to prepare for the first certificate. Once process performance is established, of course the scheduling should be done as per the standard's language, as described in Post #10 above. I don't know any auditors who insist on full coverage every year.
     
  17. xrat86

    xrat86 Member

    Joined:
    Mar 31, 2017
    Messages:
    33
    Likes Received:
    5
    Trophy Points:
    7
    Jennifer,
    Where you lose my in your position - "rights to push back" is the simple fact that others contend that basically we MUST hire a consultant to help us. This implies that our independent understanding is insufficient; therefore, on what basis do we push back? Through our consultant? What if we fundamentally disagree with them? Who is the higher authority to push back against?
     
  18. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    The Accreditation Body is there to bring into the discussions about such situations.
     
  19. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Tony, is it the actual CBs or the auditors who work for them? Often the CBs have no position on this (my last employer, for example) however, I've often heard the individual auditor bringing this bias to the audits.
     
  20. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    When I say you have the right to "push back" I mean you have the right to appeal both findings and recommendations that auditors leave in the audit report. The process would take place directly with the certifying body, possibly starting with your Customer Service representative.

    You absolutely do NOT need a consultant unless you think you really want one or need one. ISO 17021, which certifying body (CB) auditors and their programs must conform with, requires "The audit team shall ensure that observers do not unduly influence or interfere in the audit process or outcome of the audit." The explanatory note says "NOTE Observers can be members of the client’s organization, consultants, witnessing accreditation body personnel, regulators or other justified persons."

    It is my hope that your organization will not need one, that your understanding and awareness would be sufficient to develop and run your own system. That said, if you want help, you absolutely have that right. There should be training for internal auditors, at least. If you believe your consultant's services are not adequate, pushing back against your consultant is a contractual matter between you and that person or organization he/she works for.

    I hope I am being more clear now.
     
    xrat86 likes this.