Audit Programs for large corporations - Time frame for auditing 150 sites

I have a question - My company was recently purchased and I have been fortunate enough to be retained - The new company was not previously certified to ISO 9001:2000 but has made the decision to retain the certification. My job going forward is to get us through our scheduled recertification audits and transition everything over to the new company (in process now) - and then to implement RC14001 (will integrate) immediately following. My question is this. They already conduct separate audits such as:

Safety Dept - Safety Audits
Loss Prevention - Claims Dept
Operations Audits - Industrial Engineers

I am trying to come up with some creative ideas for internal auditing programs as there are over 150 facilities scattered throughout the country. I have already received authorization to train the current staff conducting the above audits to be QMS auditors as well - I think I just need to pull the above together as one audit and fill in the gaps…

My concern is the time frame for auditing 150 sites over a one year period - Wondering what type of concern anyone would see if I designed this to happen over a three year certification period?

I will say - the processes are consistent throughout - compliance to those processes and opportunities for improvements would be main objectives - would it be feasible to set up the audit program to sample so many sites within a specific region as opposed to individual sites?

Just looking for opinions…thoughts…

The pros of having one certificate for 150 facilities is some cost savings as a matter of scale. Is this what you are imagining?

If so, there are distinct pitfalls. If one facility fails, no one gets the certificate. They would all need their audits from registrars, I imagine, as well as surveillance audits along with your internal audit program. Everyone’s registration would be subject to the weakest link.

That’s why different sites often have their own certificates.

However, managing the ramp-up as a whole can be done from a central nerve center. But 150 facilities…oh my!

It seems more easily doable, however, to supervise overall metrics and contributions by each as compared to the other. Cost of poor quality, cycle time, benchmarking continuous improvements in a central web site…I can imagine this but it’s still a very big job.

I have been through a similar process with 200 offices in 40 countries so I may be able to shed some light on this. I have just fallen upon this forum for the first time in over 2 years whilst I was looking for something else so apologies if what I write is already well known to all.

Although you are talking about internal audits it may be worth mentioning that for external audits the certification body does not need to visit all 150 of your facilities in order to grant a certificate to the company. The certification body will have guidance from their accreditation body or higher national organisation describing the statistical basis for selecting a sample set of offices and how to cycle this over a three year period. This is based on a number of factors such as the number of offices, the regional structure, the number of people in each office and the processes undertaken etc.

If you have a good relationship with your external audit company you could ask them if they can share that guidance with you BUT it does not mean you can use exactly the same method for your internal audits because they expect you to be more thorough.

Perhaps the main thing to consider in your internal audit planning is the wording in section 8.2.2 of ISO 9001 that says “The audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits”.

That gives you a lot of flexibility to determine which facilities need to be audited, how deeply and how often.

I would first determine the criteria you would use to assess the audit needs, including the factors above plus management requirements and the many sources of risk and consequences, then list all the facilities and against each score them against the criteria, to come up with an overall rating per facility. Then, using that analysis and statistical sampling guidance, draft a plan.

Then, once you are happy that the plan meets your organization’s requirements, budget and resourcing, but before actually implementing the plan, I’d discuss it with your certification body to make sure that they would be satisfied by the program too.

Oops, went on a bit, still I hope it was of some use.