Can I conduct Internal Audit for combined ISO 9001, ISO 13485 and ISO 14001?

John - I do not want to mimic the CB at all that is why I am on here and asking questions. I am so frustrated because I want to conduct these internal audits the right way and benefit from them not just slide by. I feel like I want to rewrite our internal auditing procedure from scratch because it has become so convoluted over the years that I don't know what should stay and what should go.

I will contact asq and see if anyone is available.

Sorry about that, I completely misread the numbers!

qmshotpeen said:

John - I do not want to mimic the CB at all that is why I am on here and asking questions. I am so frustrated because I want to conduct these internal audits the right way and benefit from them not just slide by. I feel like I want to rewrite our internal auditing procedure from scratch because it has become so convoluted over the years that I don't know what should stay and what should go.

I will contact asq and see if anyone is available.

Click to expand...

Shotpeen,

I wish you every success in getting the training and coaching you need to be a competent internal auditor.

John

shotpeen,

Welcome to the cover... relax you are in good hands here.

You sound like you are wanting to make some changes to make the IA program more functional and logical. There are a lot of good suggestions here. Take one or two at a time and try to slowly change your system.

I am pretty much in the same situation as you: CB auditors 'do not like, but accept' our IAs as clause-based vs. process-based, I have no "quality" degree, I am a 'black-and-white' type person, keep butting heads with Top Management that ISO is more than just "pass the audit, keep certificate on the wall", etc. I have been auditing in various organizations previously and I keep getting accused of going "outside the scope" (yes, "training records" are a part of the of "welding" process)! I am sure that many here at the Cove, at one time or another, could relate to more than one these.

Yes, you can combine the systems as well as the audits for similar processes. Why do you need to audit the 'Internal Audit process' three times? IA is pretty much the same. I have a schedule for my 9001 audits and another for my 14001, but they use the same procedure. IA, (and a few other processes), gets covered as a combined-system audit. Unfortunately, management has not allowed me to combine our two systems... yet. But it will happen in the next few years when they will have to be revised anyway (QM: "processes will will be numbered to match the ISO clause").

A few things I have found helpful:
- If you are the process owner of Internal Audits, re-write the procedure so it covers all your systems, is logical, keep it short, and, where possible, general. Originally, my 9001 and 14001 IA processes were vastly different, I now have one procedure for IA.
- One recommendation I got from one of my CB auditors was to 'trade IA services with other companies in my area'. Just like John recommended, I am currently trying to work with my local ASQ chapter (closest two are about 200 miles away and I am right on the border of both) to see who I might be able to work with.
- Pick you battles and use the ISO document(s) and audit NCs to support your modifications. On more than one occasion, my "recommendation" has been shot down by management, then the CB auditor finds it and writes the NC (no, I did not tell nor guide the auditor to find it, either)... I think I bloodied my lip trying to keep from uttering "I told you so!")
- Make up process (turtle) diagrams for your processes. My 9001 auditors are currently doing "checklist audits", (no, I can't change them, top-management won't allow it). I need to get them to adjust and open their thinking to process-based. They are going to have to when the 2015 version is issued and their checklists will not be carried to the new system.

drgnrider

Andy a question,

My company is supplies to automotive and non-automotive. If I audit one of our non-automotive jobs would it be wrong to find a non-conformance against one of the TS clauses or would I just audit against 9008. Just having this conversation in the office, I have always applied the TS requirements to all jobs as we have the certificate, however does this only apply to auto jobs we do?

Hello Everyone,
I came across this thread in my own attempts to create our Internal Audit checklist.
I hit the brakes after seeing the recommendations to make the internal audit process based. Unfortunately I am several pages through listing all clauses of the standard (21 CFR 820 for my specific purposes), and having the checklist Results intend on listing our applicable procedures or comment otherwise.

I am assuming you are all recommending the process be that you look at or list each of your processes, ensure they are effective for the organization, and show that each fulfills the relevant standard you claim compliance to?
If this is the intent, what are your methods of comprehensively doing a gap assessment of the standards to your QMS?

If I'm understanding the methodology incorrect (top down vs bottom up), please elaborate with a generic example if you could. Thanks!

keldez,

Once you've completed a system audit you have a pretty good idea of the overall degree of conformity of your system to the standard. You then switch to auditing processes probably in more depth than you audited the system.

As you audit your processes for effectiveness (including conformity) you can bring many clauses to bear as audit criteria.

You may ask the process team members about policy, objectives and how they know their process is effective and what they do to correct it; and what happens when they find they have to keep correcting it. You may ask the supervisor how they monitor processes or how they endure the process is monitored, ask how they verify competence and what they do with employees who are not yet competent.

As you can see there really is no limit to the sampling you can do to verify effectiveness and conformity except every line of inquiry you take is in scope and contributing to your fulfillment of your audit objective.

Your audit record can be tied back to the relevant parts of the quality management system and to the relevant parts of the standard or regulation. Eventually your audit record will cover the entire set of audit criteria over say a year. You may review your audit record from time to time to verify progress but mainly you are auditing according to your audit client's risk assessment when they agreed the audit objective with you.

Your fresh-every-time process auditing checklist may have only six samples specified in terms of what you are going to sample, who you may talk to, why you are seeking this information and your conclusion from your evaluation of the evidence. Between each line of investigation you leave room for adding lines of inquiry prompted by what you discover during the audit. You can add the relevant clauses at the planning stage, during the audit or when you are reviewing the audit record.

It is very different from the canned system audit checklists you often see.

Too often we see internal auditors trying to mimic the external auditors. Not only is this wasteful duplication it also deprives the organization of the considerable benefits of process auditing.

Lastly, you have to be careful not to replace process monitoring with process auditing. Indeed, you should be auditing the process monitoring too.

John

Eredhel said:

I think you should buy a copy of 9001 so you can start practicing "show me the shall". Have the standard so you can ask auditors to show you where in the standard something is specifically required.

Click to expand...

Very important to understand that there are two words that you need to know.
SHALL = Not a debate, it must be done. How you do it is your problem.
Should = If you need to, but it is not a SHALL.

Have you noticed that the auditors always give advice off the record? If it is a legit finding, it will be documented as such in the report. If you dont agree, always ask the auditor to explain why. You don't have to accept their reasoning - constructive argument is always healthy.

Hi everyone, little bit similar situation with me. small organization and 9001 certified since last 30 years and now this year achieved ISO 13485 successfully. now planning to work for 14001. I have develop the integrated system for three above standards. process, procedure's are quite same but planning the internal audit and develop the comparison list of clauses. It is very helpful to check same clause and now working on few EMS related clause.
already have combined ISO 9001 and 13485. now thinking to develop 9001 and 14001 integrated manual. we do have separate audit for 13485 and will be separate for above both don't want to have gap in certification.
any advice regarding integrating these standards very welcome. Thanks