Featured Book of the Month:

Title: The Quality Audit Handbook

Author: Russell Smith (Editor)

Publisher: ASQ

Notes: Written by auditors, each with a multitude of real-world experience, this is not a book that deals with theories and principles as they exist on library shelves. New to this edition is the expanded coverage on ethics, the correlation of auditing to business performance, and the expansion into areas not covered by the Certified Quality Auditor Body of Knowledge. This single resource is designed for auditors, audit managers, audit teams, and quality assurance professionals to use as the definitive resource for nearly every aspect of the auditing function. (Notes taken from Amazon.com)

You can order this book from internal-auditor.com at: http://www.internal-auditor.com/books.htm

This Month's Feature Article

A couple of months ago, we looked at auditing documentation. This month, we will look at auditing records, and the role records play in our QMS. In many ways, records are similar to documents. In fact, ISO 9001:2000 states that "Records are a special type of document..." In the August newsletter, we discussed the differences between documents and records.

When auditing records, the internal auditor has several things to consider. First, are those records that are required by the standard. Second are the records required by the organization, or its customers. Another thing that needs to be considered is what the audit scope is going to be. In some cases, we might be auditing the records as an output of a process. In other cases we will be auditing how we handle records. 

We will look at records as evidence of process next month, so for now we will focus on auditing our record keeping process. When auditing our record keeping process, we look at two separate things:

• Are we keeping the required records?

• Are we compliant to the standard for record maintenance?

Required Records:

There are times when the standard requires us to keep records. The list below represents the requirements laid out in ISO 9001:2000. As internal auditors we can audit these when auditing our record keeping process, or auditing the process that is covered by that particular part of the standard. By maintaining a list, such as this, an audit can incorporate questions to ensure all required records are being kept. Records required by the organization, customers or by regulatory agencies can easily be added to the list. 

• 5.6.1 Management reviews 

• 6.2.2 (e) Education, training, skills and experience 

• 7.1 (d) Evidence that the realization processes and resulting product fulfill requirements 

• 7.2.2 Results of the review of requirements relating to the product and actions arising from the review 

• 7.3.2 Design and development inputs 

• 7.3.4 Results of design and development reviews and any necessary actions 

• 7.3.5 Results of design and development verification and any necessary actions 

• 7.3.6 Results of design and development validation and any necessary actions 

• 7.3.7 Results of the review of design and development changes and any necessary actions 

• 7.4.1 Results of supplier evaluations and actions arising from the evaluations 

• 7.5.2 (d) As required by the organization to demonstrate the validation of processes where the resulting output cannot be verified by subsequent monitoring or measurement 

• 7.5.3 The unique identification of the product, where traceability is a requirement 

• 7.5.4 Customer property that is lost, damaged or otherwise found to be unsuitable for use 

• 7.6 (a) Standards used for calibration or verification of measuring equipment where no international or national measurement standards exist 

• 7.6 Validity of previous results when measuring equipment is found not to conform to its requirements 

• 7.6 Results of calibration and verification of measuring equipment 

• 8.2.2 Internal audit results 

• 8.2.4 Evidence of product conformity with the acceptance criteria and indication of the authority responsible for the release of the product 

• 8.3 Nature of the product nonconformities and any subsequent actions taken, including concessions obtained 

• 8.5.2 Results of corrective action 

• 8.5.3 Results of preventive action

Record Maintenance

Auditing the maintenance of records is a fairly straight forward task. The standard requires a procedure, and that should be checked to ensure it addresses all of the shalls in 4.2.4. Once this is accomplished, then audit the procedure. Some of the key things you will be looking for are things such as:

• How records identified?

• How and where are thy stored?

• What steps are taken to protect the records?

• What is the process for retrieving records?

• How long are records kept?

• How are they disposed of?

The answers to each of these questions should also contain who has the responsibility for that particular aspect. The answers may vary from one type of record to another. Different type of records will have different rules applied. Not all records will be have to be disposed of in the same manner, nor kept the same length of time. A matrix is useful, but not required,  in demonstrating the rules for various types of records. One of the most common violations regarding records is retention time. The procedure calls for keeping a record for a length of time, then disposing it, yet we find records years past the retention date.

Summary: 

When auditing records, we are mostly concerned with the rules for record maintenance, and ensuring we are keeping the right records. The record keeping procedure outlines those rules, and we ensure they are being followed. Don't forget to include internal auditing records in your record keeping process audits. They have to be controlled to the same extent as other QMS records. Records hold the proof that we are doing what we should, your internal audits should verify that.

As always...Good Auditing!

top of page

www.nsf-isr.org

Q – How "well" do records have to be protected?

Q- How long should we keep records?

A – These are probably the two most common questions regarding records. The easy answer is to say that it all depends on your needs. However, in many cases the organization does not what their needs are. So let's try a different approach. First, on the protection side, you needn't worry about every contingency. For example, I don't think there would be any value in protecting your records should the sun go supernova! But rather look at the possible situations where your records could be damaged or lost. Is your area subject to flooding, or tornados? What about fire? 

The length of time you keep records will depend of several factors. If you are keeping them for legal purposes, then the retention time will be considerable. If you are keeping them for other reasons, the reason will be the determining factor. Customer and organizational requirements are the most common factors in determining how long to keep records. 

top of page

We recently had the opportunity to review a new software for controlling documents. The software, called Veraccess, is a database driven process for maintaining document control. It does not generate documents, it only controls them. It can be used for both your QMS and EMS. The best part is the price (below $500). For the price, this is the best software we've seen! You can visit them at http://www.veraccess.com. 

Know of good software, let us know at software@internal-auditor.com. 

top of page

ISO 9001:2000 Clause 4.2.4 Control of Records

"Records shall remain legible, readily identifiable and retrievable. A documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records. "

The objective of this clause is for the records to "remain legible, readily identifiable and retrievable". You need to ensure records are maintained so they will be reliable should you need to refer to them. The documented procedure outlines the steps you take to meet those objectives. There is a lot of open ground in this requirement. How you identify the records, how you store them, how you protect them, the rules for retrieving them, how long they will be stored, and how they will be disposed of is strictly up to you, provided that while they are in your care, they remain legible, readily identifiable, and retrievable. 

top of page

December 2002’s question:

You are auditing the prototype area. You observe several uncontrolled work instructions, parts that aren’t labeled and test equipment that is not in the calibration scheme. When asked about this, the Engineering Manager states that this particular project is being conducted by the customer. Customers often use your facilities to perform prototype work associated with your product. All of the materials in question belong to the customer and the prototype employees know what items are yours and what items are the customer’s. They do not use the customer’s material unless they are actually assisting the customer at that time, then the customer is billed for them and they act as employees of the customer and not subject to your QMS. All prototype shop employees gave a similar version when asked.

The answer:

This scenario presents all kinds of issues. Prototype is in itself a difficult thing as far as documentation. In many cases the prototype process is where the documentation comes from. The important thing is how does this activity impact your customer's satisfaction? Will your company get blamed for things the customer's employees do? One could make the argument that the activities are out of the scope of your QMS, but that would be a dangerous position to hold. If the work being done by the customer was not related to your product, then it might pass, but as it is , a nonconformance would be in order.

 top of page

Changing of the Seasons

Fall is a great time of year in Michigan. The leaves finish their change in color. The wind picks up and becomes more refreshing. Activities seem to increase, as folks begin getting ready for the approaching winter. Boats are removed from the lake, and stored. In some cases, even the docks are removed to prevent ice damage. People take their cars to the shop for the fall check and tune up. Yards are cleaned and fertilized. The lawn mower gets put to the back of the shed, and the snow blower is moved to the front. In the olden days, we used to dig out the storm windows and put them up in place of the summer screens. A friend of mine, who heated only with a wood stove, said that he could tell how bad the winter was going to be by the amount of firewood he had prepared by the end of October. The less firewood, the harder winter was going to be. 

Fall is about preparing for winter. Winter is hard, long and cannot be approached without preparation. The same can be said for auditing. Without preparation, internal audits can be long and difficult. Without preparation (read audit plan), your internal audit cannot be effective. Part of the plan is to identify what records you are going to audit. Part is understanding what evidence you are looking for (we will talk about that next month), and part of the plan is determining your sample size (see December's issue). Just like the folks on the lake, you have to be prepared.

Dave

...Good auditing!

Copyright notice: internal-auditor.com is fully protected under US and International copyright laws. Copying, or re-transmitting all, or any part of internal-auditor.com is expressly forbidden without prior written consent from Ruth Ellen Carey Communications.
internal-auditor.com is a publication of Ruth Ellen Carey Communications.