Hi
I know there are a number of forum discussions on determining internal auditing frequency and I have read these but they tend to recommend monthly to annual audits depending on the area and risk assessment.
What I want to know, is it acceptable to audit areas far less frequently, say every two years? I'm not talking about GMP or the regular inspections that must be done but for auditing our pre-requisite programs for example, do you think it is ok to audit only every two years?
This was actually suggested by our last ISO 9001/ FSSC 22000 auditor. Since we never have many non conformances surface from internal audits, usually only a few improvement opportunities, and we are a bit stretched for willing auditors, it might be a more valuable use of resources to audit the areas only every two years. There would still be some kind of risk assessment such as ensuring certain areas are audited annually if required by a customer or increasing frequency if there is a non conformance raised during an external audit.
The potential risks I can see with going to two yearly are 1) if an issue arises, it may be a long time before it is noticed and 2) another auditor may not agree with the method. If an issue arose that was important, I think it would be picked up before an audit anyway. And if we have a documented risk assessment to support the audit frequency I think that should be sufficient for an auditor given that ISO standards do not specify frequency.
Appreciate your thoughts on the matter.
Chobbsy