1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Extent of auditing of documented processes

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by 4Matic, Jul 20, 2020.

  1. 4Matic

    4Matic Member

    Joined:
    Jul 20, 2020
    Messages:
    9
    Likes Received:
    3
    Trophy Points:
    2
    Hi all,
    I'm an internal auditor and my client has an ISO 9001:2015 QMS. They are a manufacturing company based in the UK. Prior to obtaining ISO 9001:2015 certification, they had a vast array of processes that have now been stored on their ERP system. However, these processes are not included in their QMS documentation and they try to keep them separate. These processes are in use and they describe in detail, to the work instruction level, certain operations that are only carried out rarely e.g. once per annum, e.g. shut down methodology for machinery that needs to be shut down for annual inspection. This is not routine work and so no one remembers all of the 50 - 100 steps of the complicated processes. I have never audited these processes and although they are mentioned in the MDR in a general way, listed as Annual Processes Guide Book, this Guide book has not been reviewed annually as specified, and there is no date on each of the complicated processes - so how is anyone to know if they are still correct or need revising etc?
    The client does not want to audit these Guide Books or all of the processes within them as they say it would take forever.
    My question is this - do they need to be audited annually? Or at all?
    Could they be audited over a planned period of 3 years as the CB's do for example?
    Thank you in advance for your advice!
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    The answer to your questions is the above. As an auditor, regardless of the implications, the client of the audit have clearly stated these procedures are not within the scope of the audits they wish you to perform.
     
    4Matic likes this.
  3. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    @Andy Nichols and OP (@4Matic {welcome by the way !} )....

    I want to make sure I understand @4Matic 's question clearly.

    I agree @Andy Nichols that the CLIENT does not want their provider (@4Matic ) to audit said processes and so, indeed @4Matic should not audit those. I agree because that is not within the scope of what the client has hired @4Matic for.

    IF there is a broader question implied, however, (i.e. DO the said processes support the scope of the QMS and, therefore, SHOULD the client arrange for potential/periodic auditing of said processes. THAT is an entirely different question. Can you clarify for us @4Matic ?

    Be well.
     
  4. 4Matic

    4Matic Member

    Joined:
    Jul 20, 2020
    Messages:
    9
    Likes Received:
    3
    Trophy Points:
    2
    Thank you so much for your response Andy, I do understand that I have not been asked to audit these processes. However, the client also wants to know if these items 'should' be audited - i.e. if the CB looks at the MDR, and says 'let's have a look at when these processes were last audited' then is there a risk of a nonconformance?

    As the internal auditor, I don't want my client to receive a nonconformance based on inadequate internal auditing!
     
    Andy Nichols likes this.
  5. 4Matic

    4Matic Member

    Joined:
    Jul 20, 2020
    Messages:
    9
    Likes Received:
    3
    Trophy Points:
    2
    Hi John,
    Our posts crossed over. As you can see, this is what I was driving at..."SHOULD the client arrange for potential/periodic auditing of said processes"
    Thank you!
     
    John C. Abnet likes this.
  6. 4Matic

    4Matic Member

    Joined:
    Jul 20, 2020
    Messages:
    9
    Likes Received:
    3
    Trophy Points:
    2
    Hi John,
    Just to clarify a bit further the processes in the Guide Books do support the scope of the QMS in operations, as they are used by service operatives and field engineers, and repair technicians in their daily work both at client sites and on equipment returned to the factory.
    I hope that answers your question!
     
  7. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    I would, therefore, put "these" (or similar) questions back to the client...

    1- Why (other than time/cost) should those processes NOT be included in the internal auditing?
    2- The requirement of internal audits (per clause 9.2.1) =
    …to provide information (9.2.1) on whether the…management system”
    a)conforms to:
    1)the organization’s own requirements for its quality management system
    2)the requirements of (the governing) international standard(s)
    b) is effectively implemented and maintained.


    Based on this requirement, what is the RISK associated with NOT auditing these processes?

    3- ISO 9001:2015 does not require an audit schedule (simply 'planned intervals"), and audit activity and frequency is to be based on "...importance...,"...changes...", "...previous audit results". For these reason the standard ALONE does not mandate that the said processes be audited. However, the question still remains (with the client, and the need, including any past failures, etc....),why should the said processes NOT be audited?

    Only the client, the risk involved, and the results of past audits/performance can answer that question.

    Hope this helps.
    Be well.
     
    Andy Nichols likes this.
  8. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I echo @John C. Abnet's comments. I'm somewhat concerned that these volumes of "Organizational Knowledge" don't seem to be held within the QMS, yet seem to be vital. I wonder what the understanding behind that was. I'd wager, there's a root cause in there, somewhere.

    If we're going to try to predict the unpredictable - what auditors will ask for/react and so on - there's no good answer, other than your organization gets to decide what's in/out of the scope of the QMS. It seems, from the description:
    that these documents ARE, practically speaking, part of the QMS (unless the scope is different). In that case they should be audited. BTW - doesn't the management team want to know if these documents are even of value? Being followed etc? Or, are they happy to simply feed a monster which has been created?

    Since each internal audit should have a scope (focus) and criteria defined, you may well be able to allay the fears of auditing them taking too long/costing too much. How many audits are done a year, typically?
     
    4Matic and John C. Abnet like this.
  9. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
  10. 4Matic

    4Matic Member

    Joined:
    Jul 20, 2020
    Messages:
    9
    Likes Received:
    3
    Trophy Points:
    2
    Hi John,
    Thank you for that. I tend towards the advice in the ISO guidance which is 'if these documents exist then they should be audited'. However, I don't want to be nitpicking and want to give my client good advice as she is asking me for my opinion on this. She wants me to say they don't need to be audited and I wish I could but I feel this would be the wrong answer/bad advice and expose the org, to risk of nonconformance at external audit.
     
    John C. Abnet likes this.
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    This is the root of the issue! It sounds like she doesn't understand the purpose of internal audits. How many audits has she participated in? Let's exclude the CB audits, since they aren't the same thing.
     
  12. 4Matic

    4Matic Member

    Joined:
    Jul 20, 2020
    Messages:
    9
    Likes Received:
    3
    Trophy Points:
    2
    Hi Andy,

    Quarterly audits of one day each. The thing is that these are not volumes of unnecessary documents; they are actually extremely well-written, useful, necessary and a lot of good work had gone into them. They are as pared-down as can be - there is not a lot of extra material in the QMS, it is well put-together, and so these documents definitely have value to the organisation.

    Thank you both for your help, I am sure I have my answer here - they should be audited. However I can only advise, and if they don't want to do this then it is their risk. This leads to the further question - do they ALL need to be audited within a 3-year cycle such as the certificate cycle? Or could I suggest to put them on a 5-year cycle? What I am really wondering about here is what the CB will accept? It's BSI btw. Thank you so much.
     
  13. 4Matic

    4Matic Member

    Joined:
    Jul 20, 2020
    Messages:
    9
    Likes Received:
    3
    Trophy Points:
    2
    Hi Andy,
    They have had their certificate for about 5 years. She has been in charge the whole time and is a director. They are a great and very efficient organisation and very well run. (I don't say that often!). In order to deliver value to shareholders and parent company they all work very hard, (even the directors - they are all very hands-on and hard-working, there is not the 'golf-course culture' there) and constantly eliminate time-wasting activities, etc. The pressure is on me not to introduce tickbox, unnecessary, paperwork into an organisation like this.
     
  14. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Glad we can help. So there's really a couple of answers. Let's deal with the easier one, first. YOU get to choose on the audit cycle. CB auditors can and often do have a low threshold of pain for this.

    The thornier issue is what management don't see a value to confirming that these (value-added) documents are indeed, just that. The audits, when scheduled and conducted properly, are a validation that process performance is achieved as a result of following the docs. Most audit programs fall down because they don't address this vital point - many audits are done to a calendar, without reference to business needs, results etc. The planning frequently doesn't look at this and the audit criteria is often the standard and not internal documents.

    What's your current approach?