22 replies to this topic

[maricmargot]

Hello!

In this week we did the external audit with the body certification for safety quality system . The body certification finds the major nonconformity like: we didn’t do the internal audit for all the activity, for all the process until the certification.

We planned to do it this year but not until the certification (we did five internal audit until certification)

My question: is mandatory to audit at all the activity, all the process until the certification or is enough to plan to do it in this year?
I didn`t find this requirements in any standards.

]Than you!

[Simon]

Hello!



In this week we did the external audit with the body certification for safety quality system . The body certification finds the major nonconformity like: we didn’t do the internal audit for all the activity, for all the process until the certification.

We planned to do it this year but not until the certification (we did five internal audit until certification)
My question: is mandatory to audit at all the activity, all the process until the certification or is enough to plan to do it in this year?
I didn`t find this requirements in any standards.



Than you!

What standard are you working to?

[maricmargot]

ISO 9001 and ISO 22000

[Tony-C]

You need to ask yourself if you have only carried out 5 audits have you verified your whole Food Safety/Quality Management System?
The most likely answer is no unless you have verified all other areas with a different type of verification activity.

Regards,

Tony

[Charles.C]

Dear maricmargot,

I suppose, pragmatically speaking, it might hv helped if you had done a "preliminary" internal audit of the overall system. As Tony suggested, the auditorial crunch is probably how much (and how important) of yr system is so far unaudited ? No doubt the auditor made an opinion on that also.

Rgds / Charles.C

[maricmargot]

Hello!



Thank you for your opinions.

I understood want you suggest but didn’t answer my questions: Is mandatory or not to do internal audit for all the process until the certification?

I put this question again because I want to know were is written for the future don’t repeat the same mistake.



Regards.

[Tony-C]

You need to ask yourself if you have only carried out 5 audits have you verified your whole Food Safety/Quality Management System?
The most likely answer is no unless you have verified all other areas with a different type of verification activity.
Regards,
Tony

I understood want you suggest but didn’t answer my questions: Is mandatory or not to do internal audit for all the process until the certification?

The short answer is no it isn't mandatory have to completed all of your internal audits but any auditor will need to be convinced that you have effectively implemented an internal audit system for ISO 9001 and in addition to this ISO 22000 requires you to have verified your FSMS.

ISO 9001 8.2.2 Internal audit
“An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits”
ISO 9004 Clause 8.2.1.3
“Top management should ensure the establishment of an effective and efficient internal audit process to assess the strengths and weaknesses of the quality management system. The internal audit process acts as a management tool for independent assessment of any designated process or activity. The internal audit process provides an independent tool for use in obtaining objective evidence that the existing requirements are fulfilled, since the internal audit evaluates the effectiveness and efficiency of the organization”.
ISO 22000 Clause 8.4.1
"The organisation shall conduct internal audits at planned intervals to determine whether the food safety system .............is effectively implemented and updated"

So although technically you don't have to complete all of your audits but you need to demonstrate you have effectively implemented an internal audit system based on status and importance of the processes and areas.

ISO 22000 Clause 8.1 The Food Safety team shall plan and implement the processes needed to verify .......the food safety management system

ISO 22000 Clause 8.4.3 The Food Safety team shall analyse the results of all verification activities, including the results of internal audits...... to confirm that the overall performance of the system meets the planned arrangements and the food safety management system requirements established by the organization

So if you have only carried out 5 audits have you verified your whole Food Safety Management System? If you need to do all your audits to verify your FSMS then it will be mandatory to have completed all your audits.

I hope this helps

Regards,

Tony

[Penard]

hi maricmmargot,

to complete Tony-c's point of view :

- just a comment : the french version is more requiring : translating the 8.2.2 it's written 'the company must plan some internal audits' - but right it doesn't clearly demand to audit all the processes.

- usually at the conclusion of the audits the auditors clearly establish the gap/ the norm. Which clause did they refer to? How did they explain to establish this gap as a major gap?

Let's keep in mind that :

- if the first certification audit -usually to be sure that the top management is involved and involved the whole company the management of the internal audits is a very good proof. For my last experiences all the factories have audited all their processus - even though some of them were audited for more than 10 years.
The question is : 'how would you be able to prove that your processes are under control are are compliant to your quality management system if you do not audit all the processus when you put your SMQ into service?'

Does anyone know a company deciding to audit only a representative part of their processes? Perhaps it happens - honestly I don't know.

- anyway if you didn't mention last week for the conclusion of the audit that you didn't agree with auditor' point of view it would be extremely difficult to try and find an agreement to turn in into a minor gap. Unless the management has written the reasons why they decided not to audit all the processus - relevant to the management involvment

- last 'only' one non-conformity for a first certification it isn't so important - moreover it isn't so difficult to solve the gap. If there were some other gaps could you please give us the content? perhaps it could help us in having further elements to understand the reason why the auditors gave you a major gap,

Regards,

Emmanuel

[Simon]

I Agree with Penard. It would help if you could tell us what clause numbers were mentioned against the nonconformity, what did the nonconformity say exactly and what other nonconformities were given. Again details would help.

[Charles.C]

Dear Penard,

Does anyone know a company deciding to audit only a representative part of their processes? Perhaps it happens - honestly I don't know.

Perhaps no exceptions possible for the purist iso 9001 ( ) but surely the concept of a prioritising risk evaluation strategy is applicable to iso 22000 just as is found everywhere in brc et al?

Rgds / Charles.C

[maricmargot]

Hello,

Which clause did they refer to? How did they explain to establish this gap as a major gap?”

They didn’t explain me very well haw establish this gap only the system is not effectively implemented.

I put this question for understand the explications and thank you for answers. I didn’t establish in my audit plan to do audit only for same process, I established to do audit for all the process but not until the certification that was a problem.

Regards.

[Simon]

Surely the Certification Body documented the details of the nonconformities found. Can you share these with us - it would help to get you a more firm opinion.

Regards,
Simon

[Penard]

Hi Maricmargot,

to complete Simon's opinion, auditors have to refer to concrete clauses for the conclusion of the audit; if you don't remember them or if they haven't give you the reasons/ clauses (!! : I've never heard something similar) it could be interesting to give us their comments when you'll receive their audit report,

Regards,

Emmanuel

[maricmargot]

Hello,





They give me the clauses: 8.2.2 Internal audit ISO 9001 and 8.4.1. Internal audit ISO 22000 but I put the same question like yours and they didn’t answer me.


When I receive the audit report I give more details about their comments.
Now I put the same question for supervision audit (must to do the cycle internal audit before external audit).

Is better to know for the next year.



Regards.

[Costel Rusu]

Hello!
Your question is simple.
I agree with Tony-C argumentation, with a explanation.

I am external auditor for QMS and FSMS. I assess conformity and effectiveness.
For conformity assessment (8.2.2 a)/8.4.1a) I am considering enough the objective evidence presented by you.
But, for effectiveness, I assess the process. When I found a production process without evidence for internal audit, I understand that the management system have a break. For an certification audit is a nonconformity, because is not comply with 8.2.2.b)/8.4.1.b). For an surveillance audit is not a nonconformity.

Best regards,
Costel Rusu

[maricmargot]

Hello,


Tkank you for your answer.

Regards.

[Charles.C]

Dear Costel Rusu,

Thks for yr input (and welcome to the forum) but could you explain one thing -

What is a surveillance audit ?

Rgds / Charles.C

[Tony-C]

What is a surveillance audit ?
Charles.C

Hi Charles

Surveillance audit is another term for a surveillance visit.

Following certification, surveillance visits are audits to confirm that you are maintaining your management system in accordance with the standard, and are normally carried out twice yearly.
At each surveillance visit the auditor reviews any changes to your system, your activities and performance.
All elements of the standard and all activities will be assessed at least once over the three years.

Regards,

Tony

[Charles.C]

Dear Tony,

Thanks for the clarification.. I presume yr use of the word “activities” includes the process and any related internal audits etc.

I deduce that nonconformances are not issued at surveillace visits ? In which case, what is the point ? A tap on the wrist to suggest a likely NC at the next certification audit? ie a bonus follow-up visit for the auditor. Sounds equivalent to the pre-audit visit offered by consultants as a warm-up to the real thing. This results in what you might call “unofficial” NCs.

A pre-audit would probably hv been a good idea for the poster of the present thread also.

Rgds / Charles.C

[Simon]

Dear Tony,

Thanks for the clarification.. I presume yr use of the word “activities” includes the process and any related internal audits etc.

I deduce that nonconformances are not issued at surveillace visits ? In which case, what is the point ? A tap on the wrist to suggest a likely NC at the next certification audit? ie a bonus follow-up visit for the auditor. Sounds equivalent to the pre-audit visit offered by consultants as a warm-up to the real thing. This results in what you might call “unofficial” NCs.

A pre-audit would probably hv been a good idea for the poster of the present thread also.

Rgds / Charles.C

I think surveillance audits are the ongoing audits for re-certification. Just another name, I think they call it this in BRC, but could be wrong.

Regards,
Simon

[Costel Rusu]

Dear Charles,

For an initial certification audit is mandatory to assess evidence about conformity to all requirements of the applicable management systems (9.2.3.2 a / 17021).

After a year, the next audit is a surveillance audit. It is not necessarily a full system audit (9.3.2.1 a / 17021). If the objective evidence resulted from the internal audits performed until the date of the external audit confirm the maintenance of conformity and effectiveness it would be an abuse to request the organization to complete all the scheduled internal audits before the external audit.

Best regards,
Costel R.

[Charles.C]

Dear Costel R.,

Appreciate yr clarification. I did look up an overview of the standard you mentioned. (Rapidly followed by paracetamol.) (eg http://mineco.fgov.b...o17021belac.pdf )
Nonetheless, a fascinating document.

Frankly, as far as the initial audit is concerned, I could interpret the standard as (+) or (-) with respect to the poster’s original query, eg see para 9.2.3.2 ? Typical ISO . Was that yr opinion also ?

(Personally, I still hold to my own risk-based opinion)

Hope all this is helpful Maricmargot.

Rgds / Charles.C

[Costel Rusu]

I respect your opinion. I can`t give a answer now. It depends on PAS 220 evolution.
C.R.