Internal Auditing Roles?

Question

I’m quality manager for R&D department and have several persons as Software Quality Assurance for our software development process. My question is can I act as Internal Auditor to audit the compliance of ISO 9001: 2015 requirements and the software development process execution?

Answer

Let’s look at this differently. Say you are the quality manager and have several persons doing final product testing in a test lab. Clearly you are not impartial – you have a responsibility for the persons doing the testing. Since you cannot be impartial, you cannot act as the internal auditor or even be on the auditing team.

James Werner

Aerospace Surveillance Audits

Question

In reference to AS9104/1 clause 8.2.2.f “Auditing of the entire AQMS standard on all shifts is required for initial and recertification audits. For surveillance audits, the planning shall include coverage of multiple shifts, when the audit plan activities occur across multiple shifts.”

The identified process is “Production” but shift one conducts assembly and shift two kits parts for assembly. Since “Production” spans both shifts but “activities” are distinct on each shift, do you have to audit both shifts during every surveillance audit?

Answer

It would be required that Production be audited on both shifts when it is planned for surveillance audits. For example, if the acquire business, design & development, and procure parts/materials were audited in Annual Surveillance #1 and production and procure parts/materials were audited in Surveillance #2, then second shift would only be required to be audited during Surveillance #2.

Buddy Cressionnie

Relocation Requires Audit?

Question

One of my contract manufacturers who is ISO 9001: 2008 certified, submitted a Supplier Change Notice to relocate their factory to a new site/location. This will trigger many activities including re-qualification, etc. My question is, for their ISO 9001 certificate, do they simply refresh their company location / address in their ISO 9001 certificate with the Notified Body or they actually need to go through a full scale quality system audit by the NB?

Answer

Yes. They do need to have a full scale audit. The reason is very simple: a business is a system. When you change the environment, you alter that system. A full audit will be an adequate representation of the scope and magnitude of the change, and will indicate if this supplier is still a reliable manufacturer. Think about your most recent home move: the family is the same, your belongings are the same; however, everything is different at the same time.

Aura Stewart

Special Process NCRs During Audit

Question

Recently one of our business units had an ISO 9001: 2008 audit and during the audit they received a couple NCRs on welding as a special process.
One of the NCRs was “Some welders are not qualified prior to welding on product.”
As a matter of fact, our company has developed its own qualification program based on our needs consisting of the following steps:
– The minimum requirement of at least 2 years or more experience as a welder before starting the job.
– In class training for weld specifications, blue print reading, equipment, weld supplies, visual acceptance/rejection criteria and equipment TPM program conducted by our QE.
– Hands on exam – the result of this test is reviewed by a QE and weld supervisor without performing any bend test, pull test or other types of DT.
– Annual recert. program based on a written exam and weld coupons visual inspection results.

The CB auditor is asking us to send the coupons out to a certified lab for bend testing or having all the welders certified by AWS. Is that required per ISO 9001? As a side note, every time we design and develop a new model we conduct all types of crash tests, FEA and durability testing in design validation phase.

Answers

From George Hummel:

I would not accept the auditor’s comments.  He/she is consulting.

From Charles Cianfrani:

No. It appears that the CB auditor is adding requirements. The organization has a process, and if it is effectively implemented that should be satisfactory evidence of conformity.

Work Instructions and Audits

Question

Regarding ISO 9001: 2008 (or 2015) auditing, I have always been trained that a work instruction when implemented as supporting the QMS can be audited as it is supporting the effectiveness of the QMS. I was recently told by a business owner that not only is that not true, he does not have to show me his work instruction.  I would like to reply with a clear technical response. Can anyone share their view on this?

Answers

Thank you for your question.   Of course you know you’re right.  It sounds like you have a major nonconformance against Clause 5.1 on your hands.

Denis Devos
A Fellow of the American Society for Quality
Devos Associates Inc.
(519) 476-8951
www.DevosAssociates.com

ISO 9001:2015 clause 7.5.1b states the following:
The organization’s quality management system shall include: documented information determined by the organization as being necessary for the effectiveness of the quality management system.

Documented information includes both procedures and records; see appendix A.3 (Documented information).

Since the work instructions are supporting the QMS, it is part of the QMS, and can be audited as part of both the internal audit and external audit. It appears that part of the confusion may be caused by a lack of understanding of the new term “documented information.”

John G. Surak, PhD
– Providing food safety and quality solutions –
tel: 1-864-506-2190
skype:  john.surak
email: jgsurak@yahoo.com
A member of Stratecon International Consultants
http://www.stratecon-intl.com/jsurak.html

Audit Timeline

Question

What is the ASQ recommended time frame between an auditee receiving a final audit plan and the audit commencing at the auditee’s site?

Answers

From Charlie Cianfrani:

ASQ does not have a recommendation!

From George Hummel:

This is not an ASQ requirement.  A CB generally sends an audit schedule/plan three weeks before the audit.

From Jim Werner:

Typically, the final audit plan has been agreed to by both the auditor and the auditee and it includes the date(s) the audit is to take place. This means that the audit plan includes the audit schedule in one document.  There are many books written, with examples, on this topic.  The ASQ Audit Division is a good source.

Internal Audits, Third Party Audit

Question

Shouldn’t a company audit its own processes and procedures to ensure compliance before a third-party audit is scheduled?

Answer

Thanks for contacting ASQ’s Ask the Experts Program.  In response to your inquiry, yes, it would be a good idea for the organization to conduct an internal audit before a third party audit is performed, especially if no previous internal audit has been completed.  It’s important to remember that the primary purpose of conducting an internal audit is to assess the continued implementation and effectiveness of the quality management system and its processes.  Not conducting internal audits on a scheduled basis could jeopardize the organization’s ability to maintain its ISO 9001 certification as well as increase the probability of the occurrence of nonconformances and customer complaints.  An internal audit process is an indispensable tool required for the assessment of the QMS, its processes as well as to identify opportunities for improvement.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Website: www.astontechconsult.com

Unsigned Audit Report

Question

Is it acceptable for an auditor to submit an UNSIGNED audit report in Word version? I’m QA director at a pharmaceutical CRO. We were recently audited by one of our clients. They refuse to provide a signed audit report because they say it is not their policy to do so. This seems wrong to me on many levels. Is this acceptable?

Answer

Thank you for submitting this question to ASQ’s Ask the Experts Program.

I’m not aware of any requirement that states that the auditor must sign the audit report. In situations where an audit organization is involved, the audit organization’s management or representative signs the audit report cover letter. The name of the lead or principal auditor, as well as the names of all audit team members, should be included in the audit report. The actual audit report may or may not include a signature sign-off from the auditor or audit team members.

If an audit organization is not involved, then it would be the responsibility of the lead or principal auditor to sign the cover letter or audit report to approve its content. As you’re aware, the audit report serves as a record to document the audit results. For this reason, the signature of the auditor or audit organization is essential since it confirms the content of the audit report. This sign-off may appear on the cover letter or the report.

If your organization requires sign-off on the audit report in addition to the cover letter, then this requirement should be identified and agreed upon by all parties prior to conducting the audit. In the future, if no audit organization is involved, consider requiring independent auditors to provide copies of their qualifications and auditor certifications (ASQ CQA, Exemplar Global, IRCA, PECB or other) before the start of the audit. The aforementioned could minimize a recurrence of this or a similar concern.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Website: www.astontechconsult.com

Audit Versus Inspection?

Question

Would you please tell me what the differences between audit and inspection are?

Answer

This is a great question. We can start with the definitions of inspection and audit per the new ISO 9000:2015 standard. Inspection is “Determination of conformity to specified requirements” (3.11.7) and Audit is “systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled” (3.13.1). Without parsing the words too much, the difference is one of scale: Inspection is most often associated with inspecting a product or a service to make sure it is right, and an audit is most often associated with a higher-level review of the system that is designed to produce and inspect the product or service. An audit of a manufacturing process wouldn’t just inspect the product, it would ensure (at a system level) that required inspections had already been performed on the product. I have often made the differentiation in the following way… “An inspection is down in the grass, but to do an audit, you have to climb a tree.” This reflects the difference in purpose and perspective for an audit. Other authors, such as Arter, Sayle, and Russell refer to inspections as ‘backward looking’, that is, what was actually done to provide a product or service, while audits are ‘forward looking’. Audits ensure that proper management controls are in place to ensure product quality into the future. Instead of inspecting quality in (to a product produced in the past), an audit evaluates how well a quality system will predict and prevent quality problems (in the future). My three favourite references are Quality Audits for Improved Performance by Dennis Arter, Management Audits, by Allan Sayle, and the ASQ Auditing Handbook, edited by JP Russell.

Thanks very much,

Denis J. Devos, P.Eng
A Fellow of the American Society for Quality
Devos Associates Inc.
(519) 476-8951
www.DevosAssociates.com

ISO 9001: 2015 Tools for Auditors and Risk Based Thinking

Question

In addressing clause 4 of ISO 9001:2015 regarding organization context and interested parties, what type of tool (spreadsheet, diagram, flowchart, etc.), would you recommend to use to simplify the practice and to give a proper understanding for auditors? I understand that risk evaluation (ISO 9001:2015) should be accomplished not only at a high level of establishing and planning objectives, but also at the processes level. If this is right, could organization use some criteria to select processes to be evaluated?

Answer

Thanks for contacting ASQ’s Ask the Experts program.  Regarding your inquiry, your selection of tools such as spreadsheets, diagrams, flowcharts and etc., should be driven by whatever best fits your organization’s context, QMS scope and requirements of interested parties.  However, before proceeding with tool selection to “simplify” practices as mentioned in your inquiry, it is essential that the changes and new requirements of ISO 9001:2015 are fully understood and communicated throughout the organization.  As you know, transitioning from ISO 9001:2008 to ISO 9001:2015 will require much more than providing understanding to Auditors.  The transition process should begin with top management and then flow down to the process owners and others throughout the organization.  If a gap analysis hasn’t already been completed, consider doing so to identify those processes that must be improved to meet ISO 9001:2015 certification requirements.

As you know, risk based thinking (RBT) must be a part of every organization’s process approach, to ensure risks and opportunities are identified and addressed. Although RBT is not new, it is a changed approach. ISO 9001:2015 supports the scalability of quality management systems which allows them to be specific to an organization’s processes, products, and services. The landscape of today’s quality management systems has changed. It’s not a “one size fits all” situation. For this reason, it’s essential for top management, process owners as well as the QMS Auditors to develop a thorough understanding of ISO 9001:2015 and its requirements. Also of equal importance is the familiarization of top management, process owners, and Auditors with the principles of risk assessment, management and related terminologies (i.e., ISO 31000:2009).

The effectiveness of future QMS audits will depend upon Auditors that can apply their collective knowledge of ISO 9001:2015, risk assessment, and management requirements, as well as their in-depth knowledge of the industries, processes, products, and systems audited. Exemplar Global and other accredited ISO 17024 personnel certification bodies have developed online training courses for the purpose of explaining the requirements of ISO 9001:2015. Other information about transitioning to ISO 9001:2015 is available on the International Accreditation Forum’s (IAF) website at www.iaf.nu. Click this link to read about the recent publication of ISO 9001:2015: http://www.iaf.nu/articles/Publication_of_ISO_90012015/443

About the second part of your inquiry (item b.), it’s important to be aware that RBT applies to every process that comprises your organization’s quality management system.  RBT should be integrated into your organization’s QMS and product planning processes to ensure risks and opportunities are identified and addressed.

A few key questions to consider include, how will your Registrar verify your organization’s conformance with ISO 9001:2015 requirements?  What is your Registrar’s timeline for transitioning existing clients to ISO 9001:2015 requirements?  What type of support will be provided to assist clients through the transition process?

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827)