Google Analystics

Friday, 28 April 2017

Internal Audit Question: What about out-of-scope NC's?

So your company is certified to ISO 9001:2015 and you are the lead auditor on a team of two for an internal audit. The scope for this audit is Planning (Clause 6), for which you are interviewing, and Operation (Clause 8), for which the other auditor is interviewing. On reviewing the records for Design and development inputs (8.3.3) the other auditor finds that the latest specifications have not been reviewed and approved as is required in the Product Design SOP and writes up the following:
7.5.2(a) When creating and updating documented information, the organization shall ensure appropriate review and approval for suitability and adequacy.
Interviewed Engineer Abel Baker. Sampled design specs for Project "Daisy Chain". The following design records have not been reviewed and approved: DES-677, DES-678, DES-679.

The Engineering Manager cries foul, that the finding is out of scope.
What do you do?

This case is easy because the requirement for review and approval is stated in the company's own requirements for its quality management system: the Product Design SOP.

Internal audits are mandated by clause 9.2 of the ISO 9001:2015 Standard which states in 9.2.1:
The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
a) conforms to:
1) the organization’s own requirements for its quality management system;
2) the requirements of this International Standard;
b) is effectively implemented and maintained.

The Engineering Manager was half right. The N/C as stated was, indeed, out of scope. Nevertheless, it was an N/C, but against the organization’s own requirements for its quality management system. The wrong requirement was stated by the internal auditor.

Third Party (CB) auditors have to audit to the Standard - whichever standard they are certifying to. But it is a mistake to think that internal auditors have to audit in the same way as third party auditors and always quote a requirement from the ISO Standard. The Standard merely states WHAT is required. It is the Quality Management System (QMS) in the form of a Quality Manual (QM), Standard Operating Procedures (SOP's) and Work Instructions (WI's) that describe HOW the requirements of the Standard will be implemented in the form of integrated processes.

On certification the CB auditor has already declared that the QMS effectively implements the Standard. Really, employees of the company, including internal auditors, should only have to worry about the processes documented in the QMS.