Internal Auditing Roles?


Question

I’m the quality manager for an R&D department and have several persons as Software Quality Assurance for our software development process. My question is: can I act as Internal Auditor to audit the compliance of ISO 9001:2015 requirements and the software development process execution?

Answer

Let’s look at this differently. Say you are the quality manager and have several persons doing final product testing in a test lab. Clearly you are not impartial – you have responsibility for the persons doing the testing. Since you cannot be impartial, you cannot act as the internal auditor or even be on the auditing team.

James Werner

For more on this topic, please visit ASQ’s website.

Internal Audits


Question

Can the Management Representative be part of the internal auditor team?

Answer

Thank you for contacting ASQ’s Ask the Experts program. Concerning your question, ISO 9001:2008, clause 8.2.2, only prohibits persons from auditing their own work. So provided that the Management Representative is assigned to audit processes that are outside his/her work responsibilities, there is no other restriction in this regard. ISO 19011:2011, clause 4.0, “Principles of auditing”, as well as clause 6.3.3, “Assigning work to the audit team”, should be reviewed for additional insight and understanding.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827) or Toll Free: (888) 968-9891
Website: www.astontechconsult.com


Lead Auditor Qualification


Question

My manager and I have a question about internal lead auditor and auditor qualification. As stated in section 8.2.2 of ISO 9001:2008, “the organization shall conduct internal audits at planned intervals to determine whether the quality management system…”

Our question is do internal lead auditors and auditors have to be certified by an organization or trained by a certified lead auditor? May a person read ISO 19011:2011 and with his/her experiences in his/her field then perform audit tasks as stated in section 8.2.2 of ISO 9001:2008? If yes, would an ISO registrar consider it to be a non-conformance finding?

Thank you in advance for taking time to answer our question.

Response

Thanks for contacting ASQ’s Ask the Experts program. With regard to your question, it is important to know that ISO 9001:2008 does not prescribe any specific requirements for the qualifications of persons conducting QMS audits. ISO 19011:2011 provides guidance, not mandatory requirements, for determining Auditor qualifications. As you are aware, an internal audit is one of the most valuable tools that an organization has to determine the effectiveness of its quality management system as well as to identify opportunities for improvement.

For this reason, it is essential that the personnel or consultants used to conduct audit activities have the qualifications and experience needed to provide these services. As a minimum, I would suggest that your internal audit personnel attend Auditor classroom training accredited by ASQ, RABQSA or IRCA. This training should be supported by arranging for their participation in future audits as an audit team member. This audit should preferably be conducted by an individual who has a current certification as an ASQ CQA or an RABQSA or IRCA Lead Auditor.

Another consideration is to ensure that the Lead Auditor can provide an audit log as evidence of his/her past audit experience. The Lead Auditor should also provide evidence of their continued training to maintain their competency as an Auditor. Another key point is to ensure that the Lead Auditor has a working knowledge of your organization’s product line, processes or services. The importance of using trained and experienced Auditors can’t be overstated.

I hope this helps.

Best regards,
Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com


Remote Auditing

 


Q: I am a consultant and I have helped a dozen companies receive certification to ISO 9001:2015: Quality management systems – Requirements. A recent client requested a specific registrar that is different than the one I have used before. That registrar states that per ANAB, the stage 1 audit must be conducted on site at the company being certified. My prior registrar claims that they do not know of this requirement. After a review of the documents and records sent to them, they conduct the stage 1 in a teleconference. Who is right?

A: No one can speak for ANAB and the requirements they have for certification bodies (CBs) for each standard except ANAB. For some standards, ANAB documents specifically state that stage 1 audits can be conducted on-site or remotely. However, in some cases, ANAB requires CBs to apply for accreditation to use Computer Assisted Auditing Techniques (CAAT).

I would recommend that a representative of the organization seeking certification formally ask for an explanation as to why remote auditing techniques cannot be used to conduct a stage 1 audit for conformity to ISO 9001:2015.

For more information about remote auditing techniques for internal and external audits you may want to consider reviewing material in the book eAuditing Fundamentals: Virtual Communication and Remote Auditing published by ASQ Quality Press.

J.P. Russell
ASQ Fellow, ASQ CQA
ASQ Quality Press Author
Member of the U.S. TAG to ISO/TC 176 on Quality Management and Quality Assurance
Quality WBT Center for Education/J.P. Russell and Associates
www.jp-russell.com


Scope of ISO 19011:2011


Q: During a quick review of a recently revised standard, ISO 19011:2011 – Guidelines for auditing management systems, we noticed that it is shorter than ANSI/ISO/ASQ 19011S:2008.

Also, we are wondering why there are no references to auditing the requirements in ANSI/ISO/ASQ Q9001-2008 Quality management systems.

Could someone please address our concerns?

A: With the expansion in scope of ISO 19011:2011 to cover all management system audits, the intent of the ISO 19011 standard is to provide guidance that is applicable to every management system discipline – not just quality management system audits.

One of the problems with the more general scope of ISO 19011:2011 is that it is less helpful for addressing specific issues – such as internal audits of an organization’s quality monitoring and measuring processes. This is why the ASC Z1-auditing subcommittee has initiated the process of developing supplemental guidance documents for internal audits and supply chain audits. If there are specific issues or questions that you are interested in, you can ask that they be included in this supplemental guidance document (email standards@asq.org).

As to the difference in length –  with the U.S. adoption of ISO 19011:2011, the 2008 U.S. Supplement was made obsolete. What the Z1-auditing subcommittee is planning to do is to capture whatever guidance in that document is still important in the new supplemental guidance documents being drafted.

Thea Dunmire, JD, CIH, CSP
Chair, ASC Z1-Audit Subcommittee
ENLAR Compliance Services, Inc.
http://www.enlar.com/
Largo, FL


Restructuring an Internal Auditing Program


Q: For the last 15 years, my company has employed a small cadre of full-time, dedicated safety management system auditors.

A current proposal in our company is to recast those auditors as HES Superintendents under the supervision of an operations or safety manager who has significant management responsibility within the safety management system.  This change will give HES Superintendents (persons performing audits) additional, non-audit tasks for performance on the premises of the auditee immediately before, during or after the audits.  Those non-audit tasks could include workforce training, management mentoring and evaluation, facility inspection, etc. In addition, this change will reduce about 50% of the number of audits performed per person in a given time period.

My concerns are as follows:

•  Supervision of the HES Superintendents (especially assignment, evaluation and compensation determination) by an operations manager, safety manager, or someone under their supervision, could constitute auditee control of the audit program, and a thwarting of the principle of auditor independence.

•  The addition of non-audit tasks to auditors’ work seems to open possibilities for audit conflicts of interest. Since HES Superintendents will participate materially in the ongoing safety management of the company, their independence and impartiality as safety management system auditors would be subject to question.

•  The 50% reduction in number of audits per auditor would result in dilution of auditors’ audit experience and therefore their expertise, leading to attenuation of the company’s capability to audit expertly.

In terms of the principles of management system auditing, are my concerns valid?

Do you know of other instances of this part-time-auditor approach being used in high-risk industries?

Any comment on the wisdom of this proposal?

Occasionally, multiple experts offer their expertise and viewpoints to assist quality practitioners.

Bill Aston’s take:

A: You’ve mentioned valid concerns that should be assessed by top management prior to restructuring their organization’s audit program.  As I understand your concerns, they include two primary items:

1.    To ensure that the restructure of the audit program continues to provide auditors with independence, objectivity and impartiality from the processes and process owners to be audited.

2.    Potential result of a 50% reduction of the number of audits conducted per auditor diluting auditor experience and expertise.

With regard to the first item, this is a matter that top management should thoroughly evaluate to ensure that the requirements of ISO 9001:2008 — Quality management systems — Requirements, clause 8.2.2b internal audit, continue to be met. This clause requires that “The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.”

In addition, although the requirements in ISO 19011:2011 – Guidelines for auditing management systems are not auditable requirements, section 3.1, Terms and Definitions (note 1), does mention the need for ensuring internal auditor independence.

The key point is that your organization’s registrar will most likely look very closely at how the audit program has been restructured to ensure that auditor independence, objectivity and impartiality have been maintained.

Regarding item number two, although maintaining an auditor’s level of expertise and experience is important, the primary purpose of internal audits is to assess the effectiveness and continual improvement of the quality management system and its processes. If maintaining auditor expertise and experience becomes an issue due to the reduction in the number of available audit assignments, management should consider adjusting the number of auditors needed to meet the actual workload.

As you’re aware, ISO 9001:2008 requires internal audits to be conducted at planned intervals, but it does not prescribe any frequency for performing audits.  So this area is strictly a decision that must be made by each organization to meet their own specific requirements to ensure the continual improvement of the quality management system (QMS).

In summary, ISO 9001:2008, clause 5.4.2b Quality management system planning, requires top management to ensure that the integrity of the quality management system is maintained when changes are planned and implemented.  This includes the restructuring of processes such as the audit program.  Internal audits are one of the most important tools that an organization has to assess the effectiveness and continual improvement of their quality management system.   Therefore, it’s essential that the personnel performing these audits are trained, experienced and independent of the area being audited.

It has been my experience that there are few organizations that maintain a staff of full-time QMS auditors. Most organizations utilize staff personnel who are familiar with the processes to be audited and have been trained and are experienced as auditors. Although they perform audits, this is usually not their only responsibility. However, in some cases, large organizations may have one or two full-time auditors who function corporate-wide and are supported by trained and experienced staff personnel on an as-needed basis.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

Thea Dunmire’s take:

A: Given that this question involves audits of a safety management system rather than a quality management system, the more applicable standard would likely be OHSAS 18001:2007 Occupational health and safety management systems – not ISO 9001:2008.  However, OHSAS 18001 also specifically states – “Selection of auditors and conduct of audits shall ensure objectivity and the impartiality of the audit process.”  Although OHSAS 18001 does not include the statement – “Auditors should not audit their own work,” that is definitely true.   As a general rule, auditors should not audit activities for which they are responsible or accountable.

It is common for organizations to utilize individuals as internal auditors who have other staff responsibilities.  Few organizations have dedicated environmental, health and safety management system auditors.  Most internal environmental health and safety (EHS) auditors have other responsibilities.  In addition, based on surveys conducted by the Auditing Roundtable, the overall management of the EHS audit program is often located within the EHS department, not in a separate internal audit function.  This can make ensuring the independence of the EHS audit program very challenging.

The important question isn’t whether specific individuals are auditing full or part time. Instead, it is whether all of the auditors utilized within the audit program have the appropriate independence, competence and resources to conduct the audits they have been assigned.  Independence I have discussed above.  By competence, I mean the general knowledge and skills needed for management system auditing (as set out in clause 7.2.3 Possess appropriate knowledge and skills of ISO 19011) as well as technical expertise appropriate for their audit assignments.  By resources, I mean that there is sufficient support, including adequate time, to conduct the individual audits needed to meet the objectives established for the audit program.

Identifying the resources needed for the audit program is one of the key responsibilities of the person assigned the role of audit program manager (as set out in clauses 5.3.1 Perform audit program management tasks and 5.3.6 Identify program resource requirements  of ISO 19011:2011).  Lack of adequate resources is a common weakness of many internal audit programs.  Often, internal audit programs have very broad and expansively-stated objectives, but lack the resources needed to achieve these objectives.  It is the audit program manager’s responsibility to point out this disparity to top management.  The solution is for top management to either adjust the objectives of the audit program, taking into account the policy commitments made by the organization, or provide more resources for the internal audit program.

A key requirement of a safety management system is identifying the organization’s legal and other requirements to which it subscribes.   These identified requirements must be taken into account when establishing management system programs and procedures.  This includes any legal obligations associated with establishing and maintaining internal audit programs.  For example, for organizations subject to the BOEMRE regulations (offshore oil and gas), the Safety Environmental Management System  (SEMS) regulations require that auditors be qualified and independent (see 30 CFR 250.1926).  Legal requirements, as well as the commitments made by the organization in its occupational health and safety policy (or its sustainability reports), must also be taken into account when identifying the resources needed for the EHS audit program.

Internal audits are one of the important ways of assessing the effectiveness of a management system.  The audit program itself should be reviewed to determine its effectiveness in accomplishing this task.  Changes can, and should, be made to internal audit programs but the potential impacts of proposed changes need to be fully assessed in light of the organization’s policy commitments and its legal obligations.

Here is a link to the Auditing Roundtable survey results I mentioned: AR Member Survey Results – Organizational Location of the EHS Audit Program

Thea Dunmire, JD, CIH, CSP
ENLAR Compliance Services, Inc.
http://www.enlar.com/
Largo, FL

Jim Werner’s take:

A: This is indeed a unique question.  I read and re-read this question over and over, and I have come up with the same opinion – “it depends.”  I am assuming “audit” is referring to an independent review of the quality system.  Some places use the term “audit” to mean an inspection activity.  If the past audits have consistently demonstrated the effectiveness of the quality system, then it is appropriate to reduce the number and frequency of the audits.

As far as the re-organization of the staffing of the auditing function – this is a management decision.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor


What’s the Difference Between ISO 9001 and ISO 19011?


Q: What is the difference between the ISO 9001:2008 and ISO 19011:2011 literature on your web site? Please provide a detailed explanation and their use.

A: I can see where the confusion might arise, as the numbers are very similar! But the contents are quite different.

ISO 9001 Quality management systems–Requirements is the mother of all quality management systems. It lays out the minimal requirements for an acceptable way of managing your business for quality. In the beginning, it was developed as a requirements document to lay on your suppliers. Then it became the foundation for registration (other countries might call this certification) of your own management approach to quality. About a decade ago, various business sectors – aerospace, automotive, medical devices, laboratories, etc., all used the ISO 9001 document as the base for their specific approaches. They didn’t take anything away, but added additional requirements. By far, the greatest use today is for registration/certification. This is somewhat sad, in that the standard itself is a beautiful way of managing the resources within the enterprise. Registration can get quite bureaucratic and not worth the expense.

ISO 19011:2011 Guidelines for auditing management systems is the international auditing standard (my specialty). It was first developed as a means to get all the various registration agencies around the world to do their audits in a consistent manner. It also had support from the multinational companies that had factories – and thus registrations – all around the world and often with different cultures. Norms in Canada are not the same as China! Unfortunately, this registration emphasis in the standard made it somewhat hard for internal auditors and supplier auditors to use it. Plus, there is no requirement to use the standard, other than within the registration industry.

For these reasons, the U.S. wrote a supplement for the 2002 version of this standard, giving guidance on how to use the principles for internal audits and small organizations [note: development is underway to offer similar supplements for the ISO 19011:2011 version  — anticipated end of 2012/early 2013.]. ASQ is the only place to get this version, which  includes the supplement, along with the base document. As this auditing standard was revised, it picked up environmental auditing and safety auditing in the scope.

Dennis Arter
ASQ Fellow
The Audit Guy
Columbia Audit Resources
Kennewick, WA
http://auditguy.net

AS9100 Rev. C Document References


Q: My organization is getting ready for our registration audit to AS9100 C – Requirements for Aviation, Space and Defense Organizations. There is a debate regarding procedures and the document references with those procedures. If the procedure does not mention a document within the body of the document we normally do not include it in the reference section of the procedure. Our internal auditor says that we should reference all documents that show linkage in the process approach.

For example, the auditing procedure references corrective action, preventive action, etc., but does not have any of the documents mentioned in the body of the procedure.

Can you settle this matter? Our auditor says that we will get a finding if this is not done.

A: The process approach is more than including references to documents, especially with AS9100 C requirements to identify your product realization processes.  I would encourage you to examine some guidance materials available on the ISO website:
Introduction and support package: Guidance on the concept and use of the process approach for management systems action procedures, but the narrative of the procedure does not include how these procedures tie into the auditing practice?  It would seem that the auditing procedures body should support the referenced procedures and explain how they are applicable within the auditing process.  If I was your auditor, I would issue an observation or opportunity for improvement for that condition.

Your first paragraph seems to indicate the reverse scenario.  If a document is not referenced within the body of the document, then it is not a referenced procedure.  Yes, that appears reasonable.

It is a good practice to show the interrelationship of documents to include parent-child relationships and referenced documents when appropriate.

Buddy Cressionnie
International Aerospace Quality Group Americas AS9100 Lead
Voting member of the U.S. TAG to ISO/TC 176
Southlake, TX
