Audit by Exception

Audit, audit by exception

Question:

I would like information regarding the use of the internal auditing method referred to as “audit by exception”. While this method sounds like it may provide a much more efficient use of my time and my Manager’s/employees’ time, I have no idea how this is accomplished in a manner that can still be compliant and what proof would be deemed acceptable when going through my external RAB certified audit. I am referring specifically to ISO 9001:2008 in regards to auditing. I currently audit every process/process owner every 6 months in a calendar year and it is a full week of audit time each audit. Thank you.

Response:

Thanks for contacting ASQ’s Ask the Expert program. With regard to your inquiry, I suggest that you continue to use an audit methodology that best serves your organization’s requirements. As you are aware, “auditing by exception” is a practice that is utilized in the financial sector. The terminology “audit exception” in this case has the same meaning as an “audit finding”. Since internal audits are one of the most important tools that an organization has to assess the effectiveness and continual improvement of their quality management system, auditing by exception may not provide the level of information needed to keep your organization’s top management and its process owners adequately informed.

In my opinion, an effective internal audit will focus as much on identifying opportunities for improvement (OFI) as documenting audit findings. A robust internal audit report will identify nonconformances, but will equally focus on areas that can be improved or that have improved. To sustain continual improvement of a new or a matured QMS, the process owners and employees must be kept informed and engaged. One of the ways to accomplish this is to share audit results that report on findings, OFI and the status of objectives or targets that have been established. Auditing by exception usually will not provide this level of reporting.

Please note, ISO 9001:2008, clause 8.2.2, does not prescribe any particular audit methods to be used for 1st, 2nd or 3rd party audits. Each organization is expected to select audit techniques that best suit the scope and objective of the audit to be conducted.

I hope this helps.

Best regards,

Bill Aston, Managing Director
Aston Technical Consulting Services
Kingwood, Texas

Use of Correction Fluid to Modify ISO 9001 QMS Documents

ISO documentation practices, requirements

Q: During a recent audit, I discovered that my supplier was using correction fluid and scrubbing out the training records of its employees with no control over the documents. I said that would be a major finding, but they state that there is nothing in ISO/ANSI/ASQ 9001:2008 Quality management systems–Requirements specifically telling them that they can’t correct records on the fly without any control.  Can you clarify this practice for me? I can’t find anything definitive in the standard.

A: This is an interesting question. Sometimes, people complicate standards rather than recognize them for the friendly guides they can be. It is true, as written in clause 6.2.2 of ISO 9001:2008,  that records for education, training, skills and experience need to be maintained per clause 4.2.2. However, the standard does not designate a specific process for this.

Clause 4.2.4 expresses a requirement to establish a documented procedure, and also states that the records should be legible. While the practice of using correction fluid or scrubbing out training records is probably not the best and most professional way of handling things, it’s not a cause for a finding of nonconformance.

Records which have a direct effect on customer products would definitely need better controls. However, I think in this case, you might find it wise to work with the supplier to find a better way of recording employee training. The records must remain legible, readily identifiable and retrievable. If that is what they are doing and product quality is not affected, there should be no major finding. A recommendation for continual improvement would be appropriate.

I hope this helps.

Bud Salsbury
ASQ Senior Member, CQT, CQI

Related Content:

Browse the articles below, or find more open access articles and resources about documentation practices in ASQ Knowledge Center search results.

Geometrica Builds ISO 9001 QMS on Wiki, ASQ Knowledge Center

Geometrica, a manufacturer of domes and free-style structures, used a wiki to document its ISO 9001:2008 quality management system. The company attributes its fast track to certification—nine months from beginning to certification—to the ease and efficiency of wikis. Read the case study.

Consultants’ Style: Sometimes Less Is More, Quality Progress

Many small to medium sized organizations hire consultants to help them attain ISO 9001 and ISO 14001 registration. Consultants who base their advice on the organization’s existing practices and do less documentation are usually more effective. Ten companies share their experiences. Read the article.


FDA Regulation for Food and Beverage Labels

Inspection, FDA, Packaging, Requirements

Question
I have been asked to do a quality audit of a label manufacturer whose products are used on beverages and food packaging. They are currently asking to be audited using 21CFR211 (pharmaceuticals). Is there another standard that is more appropriate for their product?

Answer
21CFR211 is the FDA regulation for cGMP for finished pharmaceuticals. This regulation does not apply to the labeling of food and beverages. The proper FDA regulation is 21CFR101. I suggest that you first start on the FDA web page on food labeling and nutrition.

John G. Surak, PhD
Surak and Associates
Clemson, SC
A member of Stratecon International Consultants
www.stratecon-intl.com/jsurak.html

Related Resources: 

Browse the free, open access content below, or find more in the ASQ Knowledge Center.

“Can Do: An effective overseas food-safety audit is possible—if you know what to expect,” Quality Progress

The challenges inherent in food-safety audits become more problematic when foreign suppliers are targeted. Language and social barriers, as well as varying compliance requirements, are the biggest hurdles. With a careful plan and an emphasis on keeping things simple, auditors can overcome the challenges. Read more.

“Kano’s Theory of Attractive Quality and Packaging,” Quality Management Journal

The role of consumer products packaging has moved beyond that of merely protecting the contents to a more vital role as a marketing vehicle. This raises the issue of how packaging should be designed to relay an association with high quality to the consumer. An empirical investigation based on Kano’s theory of attractive quality was conducted to determine how 24 quality attributes of packages are perceived by customers. Read more.


Dock to Stock

Suppliers, supplier management

Q: I have been tasked with implementing a dock to stock policy. Does an expert have any advice or information to share towards forming a dock to stock policy?

A: To begin, here is a brief definition of dock to stock (DTS):

Dock to stock is a receiving method whereby materials are delivered directly to point of use (storage or manufacturing), skipping the normal receiving inspection.

For most organizations, parts which are given a DTS status are those which have been “proven” to be compliant. It is common practice to perform a receiving inspection on the parts for a minimum of five deliveries (some companies choose 10).

After a supplier has proven to deliver a compliant product five times, that individual item/part number is given DTS status. It is then general practice for production/assembly departments or line personnel to verify compliance as needed. If a product is found to be noncompliant, it is put on a contingency list and must prove its validity again — usually through five to 10 compliant shipments before it is returned to DTS status.

Keep in mind that the DTS process is rarely used in some industries/companies. For example, a company certified to ISO 13485 (medical devices) would not use DTS due to FDA regulations — here’s an excerpt from 21 CFR 820.80 (b):

“Receiving Acceptance Activities: Incoming product shall be inspected, tested or otherwise verified as conforming to specified requirements.”

In short, determining how many acceptable shipments to qualify a supplier for DTS status is up to the company. Requesting a certificate of compliance with each shipment can tend to encourage a supplier to ensure their own quality, as does a yearly audit of the supplier’s facilities (if appropriate).

I hope using the guidelines above will help lead you toward your goal.

Bud Salsbury
ASQ Senior Member, CQT, CQI

Related Content:

Browse the free, open access resources below, or find more in the ASQ Knowledge Center.

Chinese OEM Reduces Returns With Improved Product Testing, ASQ Knowledge Center case study

When Continental Automotive Systems, Tianjin, China, began producing an electronic component known as the silver box, the return rate was more than 1,200 parts per million (ppm), versus a goal of less than 100 ppm. A Six Sigma improvement team used quality tools including trend charts, Pareto charts, and cause-and-effect diagrams to analyze the failure modes for the reported defects, finding that many were not being covered by product testing processes. Read more.

Cost-Effectiveness Based Performance Evaluation for Suppliers and Operations, Quality Management Journal

This research establishes a cost-effectiveness based performance evaluation system for suppliers and operations. The purpose is to provide a methodology for “integrating supplier and manufacturer capabilities through a common goal, profitability improvement, based on lowering the cost of purchased materials.” Read more.

Expert Answers: Stock and Standards, Quality Progress

The advisability of implementing dock-to-stock is discussed. Read more. 

ISO 9001 Certification to Meet Customer Requirements

Training, completed training, competence

Q: My company is a small manufacturer that makes one product that I designed and engineered. We have a contract to produce the part for a much larger company. The larger company wants us to become certified to ISO 9001:2008 Quality management systems — Requirements. The company has sent its auditor/Six Sigma black belt to our plant for the third time and stated that our operators (three employees, myself included) are not trained because the training matrix is not filled out.

The auditor also stated that our work instructions are not adequate, that our process flow charts are not good enough, and that our forms (all five forms we use in-house) are not compliant because they lack a form number printed on them. Is there a clear definition of what is required by ISO on any of these items?

We currently have a 2.5 percent nonconformance rate on our parts. These are identified at our 100 percent inspection points – at three, four, or five. Out of the 2.5 percent nonconformance, the 2 percent are able to be reworked and the 0.5 percent is scrapped.

A: Your question has several layers so I will try to offer what answers I think will help.

To begin with, I have to assume that you have a copy of the ISO 9001 standard. If you do not have a copy, you must get one.

At the same time, it would benefit you to acquire the services of a consultant or you can purchase one of the many books that are available which would help you along the way.

(Editor’s note: Browse a list of popular ISO 9001 titles below this Q&A)

Now, in ISO 9001:2008, clause 6.2.2 states that you “shall” do five things with regard to competence, training and awareness.

In ISO documentation, the word “shall” indicates a requirement.  Basically, you are required to identify (document) the training requirements of those whose work can affect conformity to product requirements. There is nothing in the standard that says you must have a “matrix.”

You must have a record showing the training has been completed and of its effectiveness. You must also verify each employee’s competence in doing his/her job on their own. Competence is important. Keep that in mind.

You mentioned in your inquiry that your customer states your work instructions are not adequate, that the process flow charts are not good enough, and that your forms are not compliant because they lack a form number printed on them.

To begin, the standard requires just six documented procedures.

  • Clause 4.2.3 Control of documents
  • Clause 4.2.4 Control of records
  • Clause 8.2.2 Internal quality audits
  • Clause 8.3 Control of nonconforming product
  • Clause 8.5.2 Corrective action
  • Clause 8.5.3 Preventive action

Your written procedures need to be compliant with the standard they are for. (By the way, most companies have more than just six documented procedures, as it helps their Quality Management System to operate more efficiently.)

As for process flow charts I am thinking you are referring to work instructions. The 9001:2008 standard says that work instructions should be available “as necessary.” If you have work instructions written and they are readily available, the auditor should have no cause for concern there.

In addressing your mention of “flow charts,” in all fairness, I cannot respond completely without actually seeing the flow charts in question.  If you mean the process flow charts which often accompany a documented procedure to show a “map” of the process, then you should read clause 4.1 of the standard. You would find that you are required to show “interactions” of the processes. There are no actual ISO requirements for flow charts, but many companies use that format to show the interactions, often in their quality manual. You would need to determine if flow charts are needed to ensure consistent quality.

Finally, let’s talk about forms. How you control your forms or the format should be mentioned in your document control procedure (4.2.3).

Each type of form would need a title, a revision number or letter, and a revision date.  Having a record of these makes it easy to identify which version of a document you are using and if it is the correct revision.

I know that approaching ISO compliance can seem like a bigger than life challenge at first. However, for every step you take, you will realize that standards are beneficial and not nearly as complicated as they might first appear to be.  As noted above, you might want to consider a consultant and/or acquire some reference material. Your customer’s auditor can become a friendly associate.

As a senior member of ASQ, I salute you for running a business dedicated to quality.

Bud Salsbury
ASQ Senior Member, CQT, CQI

ASQ Quality Press books to help you implement ISO 9001:

ISO 9001:2008 for Small and Medium-Sized Businesses, Second Edition

This handbook was developed to help small and medium-sized organizations better understand ISO 9001:2008. It is intended to facilitate implementation and improvement. The establishment, implementation, and maintenance of an ISO 9001–compliant quality management system (QMS) should allow the organization to experience multiple benefits beyond the achievement of certification. Organizations should also see improvements in the quality of products, customer satisfaction, and process effectiveness—all of which ultimately have a positive impact on the bottom line.

A Practical Field Guide for ISO 9001:2008

The purpose of this field guide is to assist organizations, step by step, in implementing a quality management system (QMS) in conformance with ISO 9001:2008, whether from scratch or by transitioning from ISO 9001:2000. It examines each sub-clause of Sections 4–8 of ISO 9001:2008, which contain the requirements, and gives a list of the documentation/documents required, internal audit questions, a summary of management’s responsibilities, and a flowchart of the steps that need to be undertaken to satisfy the requirements. It also includes a sectional cross-evaluation that shows where the requirements in each sub-clause within ISO 9001:2000 appear in ISO 9001:2008.

ISO 9001:2008 Explained, Third Edition

This book explains the meaning and intent of the requirements of ISO 9001:2008 and discusses the requirements as they relate to each product category. Where appropriate, it elaborates on why the requirements are important. It includes a list of typical audit-type questions that an organization may use to appraise compliance with the requirements.

Rescheduling an ISO 9001 Surveillance Audit

Schedule, calendar, timeline

Q: Our organization had its last external (third party) audit in December 2011 for ISO 9001:2008 — Quality management systems — Requirements. We planned to have our next audit the week of November 26, 2012, but the auditor has become ill and cannot come at that time.

Do we need to have our surveillance audit within one year of the last audit? I am considering rescheduling for the first quarter of 2013.

A: Thank you for contacting ASQ’s Ask the Experts.  With regard to your inquiry, surveillance audits are usually conducted by most registrars on an annual basis.  Your registrar has complete responsibility for ensuring the availability of their audit staff to conduct these audits as they are required.

In the event that no other auditors can be provided by your registrar, it would be their responsibility to ensure the audit is rescheduled to another mutually agreed upon date and, if necessary, extend your organization’s ISO 9001:2008 certification status as appropriate.

Your organization’s ability to maintain an active QMS certification status should not be dependent upon the availability of the registrar’s auditor. I recommend that you contact your registrar to confirm the next date for your surveillance audit.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

Related Content:

ISO 9000 and Organizational Effectiveness: A Systematic Review, Quality Management Journal, open access

The authors conduct a systematic review of empirical studies of the ISO 9000 standard’s impact. Most of the reviewed studies focused on positive impacts. This review highlights the need for more critical and diversified approaches to examining ISO 9000. It also reveals some of the practical implications of ISO 9000 for managers. Read more.

ISO Survey Reveals Increase in QMS Certifications, Journal for Quality and Participation, open access

According to the ISO Survey of Certifications, the numbers of ISO 9001:2008, ISO/TS 16949:2009, and ISO 13485:2003 certifications all increased in 2010. Over 1.1 million ISO 9001:2008 certifications had been awarded by the end of 2010, representing a four percent increase over 2009. Central and South America saw an 11 percent increase in ISO 9001 certifications, while 18 percent of certifications in Africa and West Asia were lost in 2010. The Far East represented the largest share of the increase in ISO/TS 16949 certifications, and Africa and West Africa saw the largest percentage increase in ISO 13485 certifications. ISO 13485 was also the only certification that saw growth in North America; North American certifications for the other two standards declined in 2010. Read more.

 

Scope of ISO 19011:2011

ISO documentation practices, requirements

Q: During a quick review of a recently revised standard, ISO 19011:2011– Guidelines for auditing management systems, we noticed that it is shorter than ANSI/ISO/ASQ 19011S:2008.

Also, we are wondering why there are no references to auditing the requirements in ANSI/ISO/ASQ Q9001-2008 Quality management systems.

Could someone please address our concerns?

A: With the expansion in scope of ISO 19011:2011 to cover all management system audits, the intent of the ISO 19011 standard is to provide guidance that is applicable to every management system discipline – not just quality management system audits.

One of the problems with the more general scope of ISO 19011:2011 is that it is less helpful for addressing specific issues – such as internal audits of an organization’s quality monitoring and measuring processes. This is why the ASC Z1-auditing subcommittee has initiated the process of developing supplemental guidance documents for internal audits and supply chain audits. If there are specific issues or questions that you are interested in, you can ask that it be included in this supplemental guidance document (email standards@asq.org).

As to the difference in length –  with the U.S. adoption of ISO 19011:2011, the 2008 U.S. Supplement was made obsolete. What the Z1-auditing subcommittee is planning to do is to capture whatever guidance in that document is still important in the new supplemental guidance documents being drafted.

Thea Dunmire, JD, CIH, CSP
Chair, ASC Z1-Audit Subcommittee
ENLAR Compliance Services, Inc.
http://www.enlar.com/
Largo, FL

ISO 9001:2008 and Reasons to Obtain Third-Party Certification

Reviewing confidential files, training records, human resources files

Q: I have a question regarding an excerpt about ISO 9001:2008 — Quality management systems –Requirements, from the ISO webpage, which is below:

“…Although certification is not a requirement of the standard, the quality management systems of about one million organizations have been audited and certified by independent certification bodies (also known in some countries as registration bodies)…”

Our ISO 9001 quality management system (QMS) has been registered through third-party audits since 1994. But according to this statement, we should be able to represent ourselves as an ISO 9001 organization by simply meeting the requirements of the standard. These requirements, of course, don’t require third-party certification.

Is this the case? If not, isn’t the statement on the website misleading, in as much as certification is an implicit requirement of the standard?

A: I am a U.S. Technical Expert for ISO 9001 and associated QMS standards, have been involved with QMS standards since 1975, and I am a coauthor of ISO 9001:2008 Explained, Third Edition from Quality Press as well as a co-editor of the ASQ ISO 9000 Handbook, also from Quality Press.

You are correct when you state, “we should be able to represent ourselves as an ISO 9001 organization by simply meeting the requirements of the standard. These requirements, of course, don’t require third party certification.” Many organizations use ISO 9001 as the basis for their quality management system without engaging in third-party audits. If you want to claim certification, I guess you could claim that you are “self-certified,” but I am not sure this would mean anything to anybody.

There are a variety of reasons for incurring the cost associated with obtaining an ISO 9001 certification:

  • Internal use: Many do this based on a perception of market advantage and use the certificates in advertisements promoting their goods and services. Some organizations use third party audits and certification to verify for their own management the adequacy of their quality management system.
  • Supplier qualification: The historical use for a quality management system standard is as a basis for qualifying the quality management system of suppliers. Development of quality management system standards dates to the 1950s. One of the early standards of this type was MIL-Q-9858A used by the Department of Defense for use in qualifying some of their suppliers.

Today, ISO 9001 is widely used as a qualification requirement for suppliers in many different product and service sectors. The automotive, aerospace, telecommunications and other industries have sector specific versions of ISO 9001 that are used with suppliers. These all require third-party certification.

  • Regulatory requirement: The European Union, FDA, Japan, Australia, Canada and many other countries use ISO 9001 as the quality management system for meeting certain regulatory requirements. Some regulatory bodies require third-party certification, others conduct their own audits (second-party audits) to verify compliance.

Bottom line: you should determine for yourself if you have a need for certification to ISO 9001 and act accordingly.

Joseph Tsiakals
Voting member of the U.S. TAG to ISO/TC 176 on Quality Management and Quality Assurance (ASQ)
Voting member of the U.S. TAG to ISO/TC 210 Quality Management and Corresponding General Aspects for Medical Devices (AAMI)

Restructuring an Internal Auditing Program

Reporting, best practices, non-compliance reporting

Q: For the last 15 years, my company has employed a small cadre of full-time, dedicated safety management system auditors.

A current proposal in our company is to recast those auditors as HES Superintendents under the supervision of an operations or safety manager who has significant management responsibility within the safety management system.  This change will give HES Superintendents (persons performing audits) additional, non-audit tasks for performance on the premises of the auditee immediately before, during or after the audits.  Those non-audit tasks could include workforce training, management mentoring and evaluation, facility inspection, etc. In addition, this change will reduce about 50% of the number of audits performed per person in a given time period.

My concerns are as follows:

•  Supervision of the HES Superintendents (especially assignment, evaluation and compensation determination) by an operations manager, safety manager, or someone under their supervision, could constitute auditee control of the audit program, and a thwarting of the principle of auditor independence.

•  The addition of non-audit tasks to auditors’ work seems to open possibilities for audit conflicts of interest. Since HES Superintendents will participate materially in the ongoing safety management of the company, their independence and impartiality as safety management system auditors would be subject to question.

•  The 50% reduction in number of audits per auditor would result in dilution of auditors’ audit experience and therefore their expertise, leading to attenuation of the company’s capability to audit expertly.

In terms of the principles of management system auditing, are my concerns valid?

Do you know of other instances of this part-time-auditor approach being used in high-risk industries?

Any comment on the wisdom of this proposal?

Occasionally, multiple experts offer their expertise and viewpoints to assist quality practitioners.

Bill Aston’s take:

A: You’ve mentioned valid concerns that should be assessed by top management prior to restructuring their organization’s audit program.  As I understand your concerns, they include two primary items:

1.    To ensure that the restructure of the audit program continues to provide auditors with independence, objectivity and impartiality from the processes and process owners to be audited.

2.    Potential result of a 50% reduction of the number of audits conducted per auditor diluting auditor experience and expertise.

With regard to the first item, this is a matter that top management should thoroughly evaluate to ensure that the requirements of ISO 9001:2008 — Quality management systems — Requirements, clause 8.2.2b internal audit, continue to be met. This clause requires that “The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.”

In addition, although the requirements in ISO 19011:2011– Guidelines for auditing management systems are not auditable requirements, section 3.1, Terms and Definitions, (note 1), does mention the need for ensuring internal auditor independence.

The key point is that your organization’s registrar will most likely look very closely at how the audit program has been restructured to ensure that auditor independence, objectivity and impartiality have been maintained.

Regarding item number two, although maintaining an auditor’s level of expertise and experience are important, the primary purpose of internal audits is to assess the effectiveness and continual improvement of the quality management system and its processes.  If maintaining auditor expertise and experience becomes an issue due to the reduction in the number of available audit assignments, management should consider adjusting the number of auditors needed to meet the actual workload.

As you’re aware, ISO 9001:2008 requires internal audits to be conducted at planned intervals, but it does not prescribe any frequency for performing audits.  So this area is strictly a decision that must be made by each organization to meet their own specific requirements to ensure the continual improvement of the quality management system (QMS).

In summary, ISO 9001:2008, clause 5.4.2b Quality management system planning, requires top management to ensure that the integrity of the quality management system is maintained when changes are planned and implemented.  This includes the restructuring of processes such as the audit program.  Internal audits are one of the most important tools that an organization has to assess the effectiveness and continual improvement of their quality management system.   Therefore, it’s essential that the personnel performing these audits are trained, experienced and independent of the area being audited.

It has been my experience that there are few organizations that maintain a staff of full-time QMS auditors. Most organizations utilize staff personnel who are familiar with the processes to be audited and have been trained and are experienced as auditors. Although they perform audits, this is usually not their only responsibility. However, in some cases, large organizations may have one or two full-time auditors who function corporate-wide and are supported by trained and experienced staff personnel on an as-needed basis.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

Thea Dunmire’s take:

A: Given that this question involves audits of a safety management system rather than a quality management system, the more applicable standard would likely be OHSAS 18001:2007 Occupational health and safety management systems – not ISO 9001:2008.  However, OHSAS 18001 also specifically states – “Selection of auditors and conduct of audits shall ensure objectivity and the impartiality of the audit process.”  Although OHSAS 18001 does not include the statement – “Auditors should not audit their own work,” that is definitely true.   As a general rule, auditors should not audit activities for which they are responsible or accountable.

It is common for organizations to utilize individuals as internal auditors who have other staff responsibilities.  Few organizations have dedicated environmental, health and safety management system auditors.  Most internal environmental health and safety (EHS) auditors have other responsibilities.  In addition, based on surveys conducted by the Auditing Roundtable, the overall management of the EHS audit program is often located within the EHS department, not in a separate internal audit function.  This can make ensuring the independence of the EHS audit program very challenging.

The important question isn’t whether specific individuals are auditing full or part time. Instead, it is whether all of the auditors utilized within the audit program have the appropriate independence, competence and resources to conduct the audits they have been assigned.  Independence I have discussed above.  By competence, I mean the general knowledge and skills needed for management system auditing (as set out in clause 7.2.3 Possess appropriate knowledge and skills of ISO 19011) as well as technical expertise appropriate for their audit assignments.  By resources, I mean that there is sufficient support, including adequate time, to conduct the individual audits needed to meet the objectives established for the audit program.

Identifying the resources needed for the audit program is one of the key responsibilities of the person assigned the role of audit program manager (as set out in clauses 5.3.1 Perform audit program management tasks and 5.3.6 Identify program resource requirements  of ISO 19011:2011).  Lack of adequate resources is a common weakness of many internal audit programs.  Often, internal audit programs have very broad and expansively-stated objectives, but lack the resources needed to achieve these objectives.  It is the audit program manager’s responsibility to point out this disparity to top management.  The solution is for top management to either adjust the objectives of the audit program, taking into account the policy commitments made by the organization, or provide more resources for the internal audit program.

A key requirement of a safety management system is identifying the organization’s legal and other requirements to which it subscribes.   These identified requirements must be taken into account when establishing management system programs and procedures.  This includes any legal obligations associated with establishing and maintaining internal audit programs.  For example, for organizations subject to the BOEMRE regulations (offshore oil and gas), the Safety Environmental Management System  (SEMS) regulations require that auditors be qualified and independent (see 30 CFR 250.1926).  Legal requirements, as well as the commitments made by the organization in its occupational health and safety policy (or its sustainability reports), must also be taken into account when identifying the resources needed for the EHS audit program.

Internal audits are one of the important ways of assessing the effectiveness of a management system.  The audit program itself should be reviewed to determine its effectiveness in accomplishing this task.  Changes can, and should, be made to internal audit programs but the potential impacts of proposed changes need to be fully assessed in light of the organization’s policy commitments and its legal obligations.

Here is a link to the Auditing Roundtable survey results I mentioned: AR Member Survey Results – Organizational Location of the EHS Audit Program

Thea Dunmire, JD, CIH, CSP
ENLAR Compliance Services, Inc.
http://www.enlar.com/
Largo, FL

Jim Werner’s take:

A: This is indeed a unique question.  I read and re-read this question over and over, and I have come up with the same opinion – “it depends.”  I am assuming “audit” is referring to an independent review of the quality system.  Some places use the term “audit” to mean an inspection activity.  If the past audits have consistently demonstrated the effectiveness of the quality system, then it is appropriate to reduce the number and frequency of the audits.

As far as the re-organization of the staffing of the auditing function – this is a management decision.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor

AS9100C: Scoring the Aerospace QMS

Q: I’m reviewing the scoring method used for auditing AS9100 Rev. C  – Requirements for Aviation, Space and Defense Organizations, and I don’t see any verbiage to show what would be considered an acceptable overall score. I’m curious to know if the score is more subjective to the discretion of the auditor or if the threshold for “acceptable” or “not acceptable” exists somewhere as a guideline. Thank you to anyone able to offer insight.

A: The AS9101D auditing standard (currently not sold by ASQ) has scoring to provide an indicator of how robustly your quality management system (QMS) is operating, which is based upon the findings identified during your audit. There is not a required score to “pass” the audit and receive certification. The AS9101D score is recorded in the OASIS database, which your current and potential customers may review.

AS9100C requires the use of the AS9101D auditing standard, which has eliminated scoring.

Buddy Cressionnie
International Aerospace Quality Group Americas AS9100 Lead
Voting member of the U.S. TAG to ISO/TC 176
Southlake, TX

Editor’s note: Looking for additional resources on AS9100 auditing? Check out A Practical Field Guide for AS9100C.