AS9100 Internal Audit Frequency - Audit all AS9100 elements within a specific timeframe?

Crusader

Trusted Information Resource
Yeah, we tried to fight back in person but lost. And this is what makes getting certified and maintaining certification disappointing. It’s the constant misinterpretation by every set of auditors that walk through the door.
Would you all believe they wrote us up for the quality policy statement too? I mean these guys were really reaching the entire audit. And typically, an auditor takes a sample and determines if it’s only 1 of x and then no finding. These guys it was any 1 item not compliant was a finding…irregardless of how many were compliant.
 

Sidney Vianna

Post Responsibly
Leader
Admin
Internal audits have ALWAYS been expected to be planned, scheduled, performed and reported based on a risk approach (status, importance and changes). If an organization decides they do not have to cover all requirements of the standard on a 1, 2, 3, etc. year cycle, what would be the red line? 5 years? 10? Whenever the Halley comet shows up in the night sky? As a minimum, I would demand to see the proposed audit program/schedule and delve into the "risk analysis" supposedly performed to decide something does not need to be internally audited during the certificate validity period. I have a feeling that such risk analysis was totally based on someone's feelings and not backed up by data on performance.
 

jmech

Trusted Information Resource
AS9100D, ISO 19011, and AS9104 do not have a direct requirement for the client to audit all elements of the standard. It does not state over a 3 year period either. Our auditing is risk based. The registrar is required but the client is not. I see 9.2.1 a.2 - it’s all in interpretation.
I think you are technically correct but, as others have pointed out, this can get unreasonable. Are there some areas you just never audit because you call them low risk? How much extra effort would it take to cover all clauses over a 3-year period?

These guys it was any 1 item not compliant was a finding…irregardless of how many were compliant.
One nonconformance is still a nonconformance. If there are a bunch of one-off nonconformances then you probably should fix them rather than blaming the auditor for pointing them out.

I have a feeling that such risk analysis was totally based on someone's feelings and not backed up by data on performance.
To be fair, I think that describes a lot of so-called risk analysis (especially where risk analysis is required by a standard or procedure but data is lacking).
 

Mike S.

Happy to be Alive
Trusted Information Resource
I have a feeling that such risk analysis was totally based on someone's feelings and not backed up by data on performance.
But your "feeling" isn't any more or less valid than "someone's" feeling that you are doubting.

Feelings aren't requirements.

If the auditor is going to demand everything be audited at least every 3 years, no amount of risk analysis documentation is going to change that, despite everyone being able to see there is no time frame in the standard and even ISO APG documents say there is no time period.

I call BS on anything other than this being an OFI unless the registrar has a requirement that was flowed to the auditee or the auditor can prove no risk analysis was done.

I'm tired of auditors pulling so-called "requirements" out of their ear and issuing NC's on them.
 

Crusader

Trusted Information Resource
One nonconformance is still a nonconformance. If there are a bunch of one-off nonconformances then you probably should fix them rather than blaming the auditor for pointing them out.

Did not have multiple findings in any one area.

Most auditors do not write up a finding if most samples are conforming. That’s my experience. So when we have 10-20 samples and 1 is not compliant, I am not used to getting a finding. Again, auditor interpretation and implementation of auditing varies. Frustrating.
 

Mike S.

Happy to be Alive
Trusted Information Resource
Did not have multiple findings in any one area.

Most auditors do not write up a finding if most samples are conforming. That’s my experience. So when we have 10-20 samples and 1 is not compliant, I am not used to getting a finding. Again, auditor interpretation and implementation of auditing varies. Frustrating.
The auditor is under no obligation to not issue a NC for one-offs. Some do this at their discretion, but this is much different than creating their own requirements.
 

Crusader

Trusted Information Resource
The auditor is under no obligation to not issue a NC for one-offs. Some do this at their discretion, but this is much different than creating their own requirements.
Yup, I know that. Just saying…experience and trend is most auditors weigh the finding….
 

Sidney Vianna

Post Responsibly
Leader
Admin
But your "feeling" isn't any more or less valid than "someone's" feeling that you are doubting.

Feelings aren't requirements.
So, if you are auditing an organization and they schedule their audit program to take a 25 year cycle to cover the whole system, you can’t say nothing?
 

Mike S.

Happy to be Alive
Trusted Information Resource
So, if you are auditing an organization and they schedule their audit program to take a 25 year cycle to cover the whole system, you can’t say nothing?
IMO....

There is either a fixed time requirement, or there isn't. And there isn't. So you as the auditor don't get to create a fixed time requirement. Period, not comma.
 

Sidney Vianna

Post Responsibly
Leader
Admin
IMO....

There is either a fixed time requirement, or there isn't. And there isn't. So you as the auditor don't get to create a fixed time requirement. Period, not comma.
So, I take it you would accept a 25 year internal audit schedule then.
 