AS9100 Internal Audit Frequency - Audit all AS9100 elements within a specific timeframe?

Crusader

Trusted Information Resource
Hello! Been a very long time since I have been here…

Need advice - see title - is that required? Where is the shall? I've looked at ISO 19011 and AS9100. Zero requirement.
I have looked at AS9100, ISO 19011, and AS9104 for grins... no shall statement for the client.

I have an action request to cover all of the AS9100 standard in our internal audit plan... it said that covering it within a 3-year cycle was not performed. And, the requirement is to audit all unaudited elements to close out the action request!

And this was written up as a Major finding.

Our audit plan is risk based and importance based, so it does not cover the entire AS9100 standard in a 3-year cycle.

Thoughts?

Brian Joyce

Registered
A certification body would expect to see all clauses audited as part of the Audit Schedule over a 3 year certification cycle.
Using a risk-based program, low risk activities could only need one audit during the 3 year cycle, medium risk maybe annually and high risk as often as required due to the criticality of the process.
The reasoning used by the auditor is based on the internal audit requirement that internal audits are planned to ensure that the management system conforms to the requirements of the international standard.
 

Kronos147

Trusted Information Resource
An internal audit is required to review the QMS against the requirements of the standard (as per 9.2.1 a) 2)). If you are not reviewing all of the shalls over that three-year period, how have you documented your acceptance of the risk?

If not over a three-year cycle, then how does the organization plan to verify all the shalls have been met? A six-year cycle?

I would argue for my own organization should an auditor say we didn't look at all the requirements over a 1-year period, but over a three-year period? Not sure how I could justify that.
 

Crusader

Trusted Information Resource
AS9100D, ISO 19011, and AS9104 do not have a direct requirement for the client to audit all elements of the standard. They do not state over a 3-year period either. Our auditing is risk based. The registrar is required to, but the client is not. I see 9.2.1 a.2 - it's all in interpretation.
 

Mike S.

Happy to be Alive
Trusted Information Resource
Who wrote the "action request"? Registrar auditor? Customer?

Do you mean "corrective action request" as a result of an audit nonconformance?

What was the exact wording of the "request"? Any good auditor will clearly cite the source of the requirement.

I've never gone over 3 years, regardless of what the standard and/or my registrar may allow.
 

Crusader

Trusted Information Resource
Who wrote the "action request"? Registrar auditor? Customer?

Do you mean "corrective action request" as a result of an audit nonconformance?

What was the exact wording of the "request"? Any good auditor will clearly cite the source of the requirement.

I've never gone over 3 years, regardless of what the standard and/or my registrar may allow.
Registrar.
Yes.
Quoted 9.2 (which does not state 3 years).
 

Mike S.

Happy to be Alive
Trusted Information Resource
If this is a hill you are willing to fight for, I would ask the auditor where the specific 3-year cycle he specified is stated.

FYI, the ISO APG document on internal audit says this:

The organisation should be able to maximize the use of available resources during the conduct of internal audit activities. This can be facilitated by the adoption of a risk based approach to the planning of internal audits. The results of this risk based approach will enable the organization to define the audit program, the frequency, duration and scope of internal audits, as 9001 does not specify these criteria.
 

Brian Joyce

Registered
One last thing from me, from being on both sides of the table and having faced a similar situation many years ago.
From the point of view of the certification body and their auditor, who have to re-issue a certificate every 3 years:
They have to demonstrate to an accreditation body like UKAS that they have ensured that the client has met all the clauses and requirements of the standard during the certification cycle, prior to a new certificate being issued.
If the internal audit program has not audited all of the clauses of the management system, how can they demonstrate to UKAS that the system is effective, because they can only carry out a sample-based audit themselves?
What I did (and still do now for clients, as I am a consultant) is to keep a simple matrix of which clauses have been audited and plan in an audit which will catch any low risk clauses that haven't been covered, so that there is no reason to pick up a nonconformance.
- I do believe that raising a Major is wrong and should be downgraded, as clause 9.2 has been met as you have an audit program, just not fully, so it should be a minor (or an OFI).
 

Randy

Super Moderator
I do believe that raising a Major is wrong and should be downgraded, as clause 9.2 has been met as you have an audit program, just not fully, so it should be a minor
Pretty much right-on advice... I'm the person that issues NCs and I'd be pretty weak a*s pushing a major.
 

Mike S.

Happy to be Alive
Trusted Information Resource
So based on what Brian and Randy are saying, IMO, if ISO or SAE don't make the 3-year requirement a "shall", the registrar should clearly do so in its contract with the client. A basic tenet of auditing is there cannot be an NC without a requirement, and one should not need to torture the standard to find such a requirement.
 