Experience ISO Excellence

Rob Kantner answers your questions:


No internal audits yet - what should I audit first? (1/5/08)

I have taken over as Quality Coordinator from my predecessor, who has left the company. It's been one month since I joined this company, and the surveillance audit is due in 1 month. I need to carry out an internal audit before then. In this short span of time, which issues should I be addressing during the internal audit?

Per 8.2.2 of the Standard, the entire system has to be internally audited. If you have not had formal training as an auditor, you can't do the auditing yourself. That could be a problem. Plus, with your surveillance in just a month, there's not much time. I suggest that you find a qualified contractor to do the internal audit for you. That'll at least tell you where the system stands, before the surveillance audit happens.

How often should we audit work instructions? (10/17/07)

We have 111 work instructions and two internal auditors. Is there a requirement that each work instruction must be audited at least once a year, or can I lapse some of the less critical ones to every 18 months?

111 work instructions is a ton of work instructions. First thing I'd suggest is that you look at reducing that population. Go over them with the people they pertain to and make them prove their value. If they are not really necessary, get rid of them! (Remember: a work instruction is necessary where its absence could adversely affect quality.)

With that said, I would recommend a ranking approach. Identify the work instructions whose tasks have a direct and consequential bearing on quality and/or the customer. Audit those once a year. The others, scale it back to 18 or 24 months.

What does the Standard mean by 'audit criteria'? (8/15/06)

In ISO9001:2000 8.2.2 Internal audit, paragraph 4th, what is the meaning of “the audit criteria” and can you give examples? Thank you.

"Criteria" means standard, rule, or benchmark.

An audit is really a comparison. It compares process activities with the "rules" governing them. These "rules" are the audit criteria.

For example, if I'm auditing the corrective action process, I'm looking at how the company is doing corrective action, and comparing what I see with their corrective action procedure and the ISO 9001 Standard. These are the audit criteria.

Lead auditor training: is it required? Or necessary? (5/8/06)

We just got certified to ISO 9001, ISO 14001, and OHSAS 18001. During the registration audit, the assessor told us we "should" put at least one of our staff people through the 5-day "Lead Auditor" training course. There's a different one for each of the three standards, and he said we "should" get Lead Auditor training for all three. Though he didn't come right out and say it's required, his "should" was pretty strong. This training is pretty expensive and takes 15 working days. What should we do?

Lead auditor training has always been the most oversold training in the ISO business. As you say, it takes a lot of time and it costs a lot of money. What you get for it is an intensified version of internal auditor training: more intense coverage of the Standards, more instruction in the audit steps (including role play in many cases), a very stressful final exam, and the longest of long weeks. Such courses were designed for, and continue to be intended for, training registration auditors. Not for ISO system end-users.

Are certified/registered companies required to have "lead auditor" training graduates on their staffs? The answer is a resounding NO. Does such training add value to any aspect of a certified company's ISO system? In my judgment, the answer is an equally resounding NO. Not for the time and cost required. If you have time and money for ongoing training, there are much more fruitful topics to obtain training in: root cause analysis, statistical tools, etc.

For those individuals with a) an especially avid interest in management system auditing, and b) time and money on their hands, and c) a potential interest in becoming a registration auditor someday, lead auditor training could be worthwhile, if you get the training from a reputable source. (We do not provide this training, but we can refer you to competent organizations that do.)

The 10 traits of an effective internal audit team (2/27/06)

We've been developing internal audit programs, and training internal auditors, for over a decade now. Often we're asked to describe the profile of an ideal internal audit team. Here goes:

Auditors should:

  1. Be bright, alert, engaged.
  2. Be able to read and write, with above average communication skills.
  3. Enjoy interacting with others, while maintaining independence.
  4. NOT be driven by an overwhelming need to be popular with everyone.
  5. Be consistently able to maintain an objective, nonconfrontational, improvement-driven attitude.
  6. Have some level of analytical ability.
  7. Demonstrate commitment to the organization -- i.e. not just here for the paycheck.
  8. Be considered as having a strong future with the organization. (Auditing is an excellent professional development activity.)
  9. Represent a diverse range of organization operations, processes, activities (i.e. some marketing, some accounting, some production, etc.).
  10. Most likely be mostly salaried / supervision / management people, though if there are hourly / production people who otherwise fit the above profile, it's excellent and highly desirable to have them on the team also.

An easy way to adjust internal audit schedules (1/15/05)

The Standard requires you to internally audit your processes on a planned basis, taking into account each process's criticality as well as prior audit experience. In other words, a process that is critical to customer satisfaction (in the case of 9001 or 16949), or the environment (for 14001), should be audited more often than others. And when an audit turns up significant problems, the audit frequency should be increased for that process.

Most clients establish a set audit frequency for each process (say, one time per year) and then adjust the schedule, perhaps annually, to take into account audit experience.

Rather than going through an annual schedule adjustment exercise, you could adjust the audit schedule for each process on a case by case basis. Here's how it works. After an audit is done, review the results, compared with past experience. Based on that, set the date for the next audit, right then. If the trend has been negative, schedule the next audit for sooner than you otherwise would (say, three, six, nine months). If the trend is positive, schedule the next audit for further out - to a year, perhaps.

This approach gives you a lot more flexibility in your audit scheduling, eliminates the need for a separate review exercise, and adheres to the requirement of the Standard for a planned audit program and schedule.

No more major / minor? (12/15/04)

I understand that some registrars no longer classify audit observations as Minor or Major nonconformances. Is this a common practice that is required when auditing the ISO 9001:2000 QMS? Or could it be related to the auditing method or style used by an individual auditor?

I'm reasonably sure that, if a registrar does not classify noncompliances major and minor, it's a company policy rather than something that's auditor-specific. I'm not aware of a registrar trend toward abandoning the major/minor ranking. Those that have abandoned it must have some other criteria for determining whether registration is recommended.

I do believe that internal audit processes should not bother classifying noncompliances as major/minor. In internal audit, it's a meaningless distinction.

Audit work instructions? (9/30/04)

We are implementing ISO 9001:2000 and have started our internal audit processes. Question for you. I know we have to audit the procedures - what about the work instructions? Should we integrate work instructions into our audit process?

It’s a very good idea to select, from the work instructions, key issues to verify during internal audits. Systems incorporating quality, environmental, and safety generally include many critical process steps in the work instructions and compliance with these should be verified during internal audit. But I would be selective about what work instruction steps to audit. Focus on the most important things and don’t bog audits down with trivial things.

Should We Let Just ANYONE Be an Internal Auditor?

Right now, all of our internal auditors are supervisors or managers. Some of our hourly people have said they want to be internal auditors too. Should we let hourly people be internal auditors?

Yes, yes, yes!

I strongly believe that the internal audit team should consist of as diverse a cross-section of the organization as possible. This includes salaried and hourly, management and production floor, office, factory, shipping dock, and everyone in between.

The Standard requires that auditor selection assure audit objectivity. Auditors can't audit their own work (duh). And auditors must be trained.

Beyond that, I feel the qualifications include:

  • Enthusiasm (make membership voluntary where possible)
  • Detail orientation
  • Ability to act independently
  • Ability to make decisions and stick to them

As a matter of policy, I would automatically add anyone who volunteers to the internal auditor team. Get them the training and put them to work. You won't be sorry.

Do Auditors Need to Know What They're Doing?

According to my Auditing class that I took to become an ISO 9000 Auditor, it is not necessary for the auditor to know much if anything about the company processes they are auditing. They are not auditing the actual work but only if the information is available in the correct place and appears to be followed and documentation is available that the work process is being followed. I don't know if I fully agree with this but it is what is being taught by some of the ISO audit trainers.

Ah ... That's a tad simplistic, IMHO. What's not necessary is that an assessor be an expert on the process audited, or the resulting product. What is necessary is that the assessor have the skills (and take the time! and do the planning!) to assess on an objective basis a) the extent to which the system complies with the standard; b) the extent to which the system supports the stated quality policy and objectives; c) the extent to which the activities audited comply with the documented system, and d) the degree to which the system itself is suitable and effective. There's clear linkage among these. A well documented system benefits when audited by a skilled auditor who thinks and works at the audit (vs. checking off boxes, grabbing the dough, and moving on to the next thing), even if the auditor is not expert (or even especially conversant) with whatever process is at issue.

Bottom line is, there's a lot more to it than checking to make sure that the right documents are where they're supposed to be.

How many auditors?

I have two questions. First, I am the lead auditor in my company, which consists of three divisions. I also am an accountant. Is it common for lead auditors for quality system compliance to have another position? Can a lead auditor at a 650 person facility handle both a job and his/her ISO work? Also, can you give me a rough estimate of how many auditors I need? I feel I am a bit understaffed in that area. Thank you.

"A bit understaffed" is in my opinion the understatement of the year. In my experience the vast number of firms with quality systems have internal audit teams of "part-timers" -- people who do their "regular" jobs most of the time and only audit on a part time basis. Personally I believe this is a much wiser approach than dedicating full time people to quality system auditing. If you use part-timers as I am describing, then my rule of thumb is 10% of your head count for your audit team -- to assure that no one is excessively burdened. They should be selected from as diverse a range of employees as possible -- every level, function, department, etc. should be represented on the audit team.
