Auditing

ISO and API Auditing Services

The ISO and API standards emphasize the importance of audits as a management tool for monitoring and verifying the effective implementation of an organization’s management system, be it a Quality, Environmental, Occupational Health and Safety, or Information Security management system.

Mireaux can help your organization perform successful audits that can add value to your business activities while ensuring that you meet the requirements of the standards you subscribe to.

Call Mireaux at 713-589-4680 and let us help you implement an audit program that is suitable to your organization and that can be carried out effectively and consistently.

AUDITS CONDUCTED ON-SITE AND VIA REMOTE AUDITING

Mireaux’s Auditing Services encompass the following types of audits:

Internal Audit

Organizations certified to an ISO or API standard, or in the process of certification, are required to conduct internal audits at periodic intervals. Internal audits can be conducted by employees internal to the organization; however, they can also be “outsourced” to a competent organization like Mireaux.

All ISO and API standards require Internal Audits, including:

Mireaux Management Solutions can help your organization accomplish this continual improvement requirement by conducting your Internal Audits at the locations and dates required by your management system, your Internal Audit procedure, or ultimately your Internal Audit Schedule.

Gap Analysis

The purpose of the Gap Analysis or Gap Assessment is to find the gaps between an organization’s management system and the ISO or API criteria they are aiming to conform with or certify to.  The results of the Gap Analysis should outline, clause by clause, what requirements of the defined criteria are not being met or cannot be verified as being fulfilled; and what needs to be completed in order to meet those requirements.

A Gap Analysis is an exhaustive exercise, in which every clause of the ISO or API standard is checked for compliance. While a thorough Gap Analysis includes verification of implementation, it is highly focused on reviewing required documentation and records – usually performed from a desk or meeting room. This is why Gap Analyses are also called “Desktop Audits”.

Process Audit

Process audits seek to improve selected processes by finding out how they perform against defined criteria. One of the benefits is the intense focus on the selected process(es). This means the Auditor may spend 1 or more days on a single process, reviewing all aspects of it, from top to bottom, within the defined criteria. Such an exercise is bound to find several opportunities for improving the process in a significant way.

Product and Monogram Audits

Product Audits evaluate an actual product, product family, parts, or product components against one or more specifications, which are the criteria for the audit. Product Audits seek to find out if the product meets the exact requirements called out in the criteria used, or if the product performs as expected. Those requirements can be self-imposed, customer-driven, governmental, or industry requirements. Many products can also be certified to a specification, and therefore require an audit to verify compliance, as in the case of API monogrammed products.

Supplier Audit

A Supplier/Vendor Audit seeks to verify, physically on-site at the supplier’s premises, that they are complying with certain criteria. These criteria can be dictated by your organization and may encompass, but are not limited to, the following:

  • A specific ISO or API standard, such as ISO 9001 or API Q2
  • Your organization’s own requirements for Suppliers/Vendors
  • Product specification
  • Procurement requirements

In general, a Supplier/Vendor audit should provide certainty that the Supplier/Vendor has the capability to provide products and/or services to your organization that meet your own Quality, Environmental, Safety, Information Security, On-Time Delivery, or other requirements as applicable.

ISO & API Audit Criteria

Audit criteria are a set of policies, procedures, or requirements that the Audit is conducted against. Essentially, Auditors use the Audit Criteria to gauge whether the organization is conforming successfully to such criteria. Based on the required audit criteria, Mireaux approaches its audits somewhat differently. Each criterion may require a different set of documentation and different angles of implementation, and Mireaux’s expert Auditors are aware of that. Mireaux has the capability to audit to any or all of the criteria presented below; however, if your standard or specification is not listed, contact us and we will be happy to discuss our capabilities.

Our Auditing Approach

A successful audit is the result of having competent Auditors following a structured audit approach. Mireaux’s Auditing processes are certified to the ISO 9001 and ISO 27001 standards and follow the ISO 19011:2018 Auditing Standard.

Mireaux’s Auditing approach may vary based on the type of audit being conducted. The following are general steps common to most types of audits:

This includes a review of pertinent documentation appropriate to the type of audit to be carried out, and the standard or audit criteria being used.  Typical documents include:

This includes preparing an agenda that outlines the start and end times for each audit day as well as the allocation of time for each process/area.  If multiple Auditors are involved, this will also include the name of the Auditor and the process/area each of them will audit and when.

Mireaux’s Audit Agenda is typically reviewed internally by 2 or 3 people before being sent to the Client for their review and approval.

For optimal results, the Audit Agenda is issued and approved ahead of time and distributed to all the parties involved, so everyone can prepare and plan for it. Mireaux typically sends the Audit agenda 2 weeks to 1 month in advance to allow our Clients to review and provide feedback and distribute as necessary.

Executing the Audit means conducting the Audit as planned and agreed to in the Audit Agenda, and as required by the standard or criteria used. An audit usually has the following elements:

Mireaux ensures all our Auditors are well qualified for the standard or criteria used and makes the Auditors’ certifications available before the Audit.  Mireaux is also very keen on ensuring that Auditors spend most of the time on the shop floor or interviewing personnel, rather than in an office filling out paperwork.

The Audit Report is perhaps the most important part of any Audit, as it is the only tangible deliverable that is generated from the auditing process. Regardless of how well the Audit was conducted, if the report is late, poorly written, or lacking information, the organization may not fully benefit from the Audit.

In general, organizations that outsource their Audits to Mireaux see a higher degree of success in their External Audits. This could be attributed to the following:

Just like the Audit Agenda, Mireaux’s Audit Reports go through a series of 2 or 3 reviews before being sent to the Client. And our Audit Report turnaround time is 3 business days, part of our agreement and commitment to our Clients.

Depending on the results of the Audit, Mireaux has the resources available to assist your organization with closure of the nonconformities issued during the Audit.  Using Root Cause Analysis techniques, we can facilitate sessions among process owners and stakeholders that can help with the following:

If your organization uses Mireaux’s Web QMS software, our staff can assist in publishing the following documents in your Web QMS’ Internal Audit module, in order to ensure your Internal Audits records are kept up to date:

Frequently Asked Questions

Planning for the audit is essential in order to ensure the audit achieves the goals and objectives desired. Poor planning may turn the audit into wasted time and effort. Mireaux can help your organization plan for the audit by helping you determine the following:

The steps involved in an audit depend on the type of audit being conducted. The following are general steps common to most types of audits:

1. Review of documentation:

This includes a review of pertinent documentation appropriate to the type of audit to be carried out, and the standard or audit criteria being used.  Typical documents include:

2. Preparation of Audit Agenda

This includes preparing an agenda that outlines the start and end times for each audit day as well as the allocation of time for each process/area.  If multiple Auditors are involved, this will also include the name of the Auditor and the process/area each of them will audit and when.

Mireaux’s Audit Agenda is typically reviewed internally by 2 or 3 people before being sent to the Client for their review and approval.

For optimal results, the Audit Agenda should be issued and approved ahead of time and be distributed to all the parties involved, so everyone can prepare and plan for it. Mireaux typically sends the Audit agenda 2 weeks to 1 month in advance to allow our Clients to provide feedback and distribute as necessary.

3. Execution of the Audit

Executing the Audit means conducting the Audit as planned and agreed to in the Audit Agenda, and as required by the standard or criteria used. An audit usually has the following elements:

Mireaux ensures all our Auditors are well qualified for the standard or criteria used, and makes the Auditors’ certifications available before the Audit. Mireaux is also very keen on ensuring that Auditors spend most of the time on the shop floor or interviewing personnel, rather than in an office filling out paperwork.

4. Issuing the Audit report

The Audit Report is perhaps the most important part of any Audit, as it is the only tangible deliverable that is generated from the auditing process. Regardless of how well the Audit was conducted, if the report is late, poorly written, or lacking information, the organization may not fully benefit from the Audit.

In general, organizations that outsource their Audits to Mireaux see a higher degree of success in their External Audits. This could be attributed to the following:

5. Following up with closure of nonconformities

Depending on the results of the Audit, Mireaux has the resources available to assist your organization with closure of the nonconformities issued during the Audit.  Using Root Cause Analysis techniques, we can facilitate sessions among process owners and stakeholders that can help with the following:

6. Updating Web QMS

If your organization uses Mireaux’s Web QMS software, our staff can assist in publishing the following documents in your Web QMS’ Internal Audit module, in order to ensure your Internal Audits records are kept up to date:

When organizations outsource their Internal Audits to Mireaux, there are many benefits to enjoy.  Some of the benefits are listed below:

  1. Our Auditors are seasoned professionals with decades of experience in various industries.
  2. Our Auditors have been in different job positions, and have experience wearing different hats, such as:
    • Managers for organizations being audited
    • Conducting Internal Audits themselves
    • Running Audit Programs within their organizations
    • Being External Auditors for Accredited Registrars
  3. As opposed to your own employees who may only conduct audits once or twice per year, our Auditors conduct Audits on a weekly basis, which allows them to keep their auditing skills fresh and sharp-witted.
  4. Our staff will reach out to you ahead of time to plan for your audit.
  5. Timely provision of the Audit Agenda to help you get ready for the actual audit.
  6. Three-day turnaround on Audit Reports, to help you act quickly on the audit findings issued.
  7. Thorough, independent, and objective auditing reduces conflicts among members of your team, since the findings will come from “the Auditors” and not another employee.
  8. Less disruption of your internal resources.
  9. If you have our Web QMS software, our staff can input your audit findings on Web QMS.

Call Mireaux today at (713) 589-4680 to get a quote and let’s work together to schedule your next Audit.

In general, Mireaux uses the following nomenclature for reporting its findings:

1. Noteworthy Efforts

These are strengths and positive attributes that help an organization comply with the standard over and above what may be considered normal or what is typically seen. These types of findings do not require a response.

2. Opportunities for Improvement

Opinions made by the Auditor about activities that can be done more effectively based on experience and best practices. Since the requirements of the standard are being met, albeit not as efficiently as seen by the Auditor elsewhere, these types of findings do not require a response.

3. Observations or Concerns

Views made by the Auditor regarding areas of the process or management system which could become nonconforming should objective evidence become available or the right conditions appear. These could be treated as “near misses” and while some registrars do not require a response to them, Mireaux does encourage its Clients to document these findings and treat them as Preventive Actions in order to proactively resolve or prevent any future problems.

4. Minor Nonconformance

An isolated lapse of either discipline or control during the implementation of a management system element or procedural requirements is considered a minor nonconformity. A minor nonconformity also must not indicate a management system breakdown, and must not raise doubt that products or intended services will meet requirements. Overall the management system requirements are defined, implemented, and effective.

5. Major Nonconformance

The absence or lack of implementation of one or more required management system elements or clauses constitutes a major nonconformity.  These encompass situations which indicate that:

A group of minor nonconformities indicating inadequate implementation or effectiveness of an element of the management system or the standard may also result in a major nonconformity.

A Gap Analysis is an exhaustive exercise, in which every clause of the ISO or API standard is checked for compliance. While a thorough Gap Analysis includes verification of implementation by interviewing some employees, it is highly focused on reviewing required documentation and records – usually performed from a desk or meeting room. This is why Gap Analyses are also called “Desktop Audits”.

Yes, starting on April 1, 2020, Mireaux began providing Remote Auditing, which applies to Internal Audits, Gap Analysis, or other types of audit. When an audit is conducted remotely, the Mireaux Auditor is at their home office where they can review documentation or records made available electronically. Interviews are scheduled appropriately based on the Audit Agenda and conducted via a conferencing app like Zoom.

One of Mireaux’s requirements is to have direct access to the organization’s management system, which may be in software like Web QMS or on the network.  By having direct access to the documentation and records repository, Mireaux will have full availability to the records, and thus will be able to select the sample size and the actual samples. In cases where direct access to the data is not available, Mireaux Auditors are trained to ask the right questions in order to obtain the valuable records.

While most ISO or API standards require PERIODIC or ANNUAL Internal Audits, the expectation nowadays is that a full cycle of Internal Audits be conducted “every 12 months”. This may be seen as contrasting the requirements of the standards, which may say:

Therefore, even though the language may not be consistent among standards, the expectation is that you will conduct a full cycle of Internal Audits, EVERY 12 MONTHS.

Your Audit Plan, Program, or Schedule should outline when you will conduct the Internal Audits. Mireaux recommends pinpointing the month and year, rather than just the year, as this may be seen as too broad and not a good plan.

A full cycle of Internal Audits signifies that you have audited all of the processes in your management system within the 12-month period. Whether you audit one or more processes per month, or all processes at once, you have to audit all of the processes that are part of your management system.

A full cycle of Internal Audits also implies that you have conducted the actual audit, issued the findings, and closed out all nonconformities appropriately.

Depending on how your Internal Audit Schedule is set up, Mireaux’s Auditors can help you meet this requirement. For efficiency reasons, we usually propose Internal Audits be conducted all at once, meaning your processes are audited in the same timeframe one after another.

There are a few consequences to be expected during your Registrar’s External Audit if you do not conduct your Internal Audit on time according to your Internal Audit schedule, or prior to your Registrar’s External Audit. Below are three possible outcomes based on your Internal Audit schedule’s modus operandi.

1. If you conduct one Internal Audit per year

If you only conduct one Internal Audit per year, meaning all of your processes are audited at once, missing an Internal Audit should be cause for concern. More than likely, you will get a minor Nonconformity during your External Audit, which could possibly be a major nonconformity, especially if you do not even have it on the schedule.

2. If you conduct several Internal Audits per year

If you conduct several Internal Audits per year, each focusing on a few processes of your overall management system, then missing one Internal Audit may not be as serious. Nevertheless, expect a minor Nonconformity during your External Audit.

3. If this is your first Internal Audit

If you missed conducting an Internal Audit prior to your initial certification or Stage 2 Audit, then this is serious. Having an Internal Audit prior to your certification audit is a critical requirement and definitely a showstopper:

Yes, starting on April 1, 2020, Mireaux began providing Remote Auditing, which applies to Gap Analyses. When conducting a Gap Analysis remotely, Mireaux will allocate a similar amount of time for the auditing portion; however, there will be additional planning and setup to ensure that all needed information is available during the audit.

A Gap Analysis is beneficial when an organization has implemented some elements of the ISO or API standard desired. In this case, a thorough Gap Analysis will provide a clear indication of how close or how far the organization’s management system is in relationship to the ISO or API standard being sought.

However, if the organization does not have any elements of a management system in place, and has not worked much towards meeting any of the requirements of the ISO or API standard desired, then a Gap Analysis is not recommended. In fact, having a Gap Analysis in this situation is likely to yield a huge gap – as you are lacking just about everything – which may already be evident to your team. If this is your case, save your money and put it towards resources for implementation.

A Gap Analysis may be conducted once or twice while the organization prepares for their certification audit – to get reassurance that their implementation efforts are moving them closer to meeting all requirements of the ISO or API standards being sought.

Having a Gap Analysis at the onset of the certification journey is worthwhile. It should provide clear guidance on the direction to take and provide assurance that you are (or are not) on the right track.

If time and budget allow, a second Gap Analysis could also be helpful before the External Audit or Certification Audit. At this point, the results of the Gap Analysis should provide confirmation that the organization is indeed ready for certification.  A type of audit called Pre-Assessment – often conducted by the Registrar or Certification Body themselves – can be equated to this Gap Analysis.

Mireaux can help your organization tremendously towards achieving your desired ISO or API goals, by conducting a thorough Gap Analysis that can provide a clear roadmap to certification. Having Mireaux conduct your Gap Analysis also provides a chance for your team to discuss face to face with an expert, areas that may need attention in order to close the gaps.

Additionally, upon completion of the Gap Analysis, Mireaux issues a comprehensive Gap Analysis Report that contains a detailed clause-by-clause analysis of the ISO or API standards being sought, providing for each clause:

  1. Details of the Gap
  2. Recommended actions to close the Gap
  3. Evaluation of compliance on a scale of 1 to 5

Mireaux’s Gap Analysis Report also provides an overall percent of compliance, to give the organization a good idea of their “grade” and the road ahead.

Yes, starting on April 1, 2020, Mireaux began providing Remote Auditing, which applies to Process Audits; however, it may only be done partially remotely. Remote Auditing can be done fully or partially remotely, and for Process Audits, a partial remote audit may be more appropriate. A partial remote audit allows for a certain amount of time on site in order to evaluate the process on a physical basis.

While the essence of the Audit process may be very similar, the differences between a Process Audit and an ISO or API Internal Audit are characterized below:

| Internal Audit | Process Audit |
| --- | --- |
| Follows a specified Audit schedule | Can be scheduled anytime |
| Conducted by a qualified Auditor | Conducted by a process Expert and qualified Auditor |
| The criteria is the ISO or API standard, plus the actual organization’s own management system requirements | The criteria could be an ISO/API standard, your own management system, a particular Customer specification or Industry specification; or a combination of all. |
| Encompasses all processes within the management system | Narrowed to one or more specific processes |

A Process Audit can definitely be used as part of your Internal Audit program – provided that the criteria used included the ISO or API standard you are certified to, as well as your management system requirements.

If the criteria used was a particular customer specification, then the results of the audit cannot be used as part of the ISO or API Internal Audit; therefore, you still need to include that process in your Internal Audit schedule.

Notice also that we said the results of the Process Audit can be used “as part” of your Internal Audit, and shall not therefore be used as a replacement for the Internal Audit.

Since the ISO or API Internal Audit is an audit of all the processes that are part of your management system, then yes, a Process Audit is definitely required. However, the key component here is ensuring that the criteria the Audit was conducted against is indeed the ISO or API standard in question, as well as the organization’s own management system requirements.

Process Audits conducted for the sake of improving the process (due to a high level of NCRs or Corrective Actions, for example) are not necessarily required by ISO, though they are a great exercise to perform in order to find root causes of problems, and ultimately a great tool for continual improvement.

To further reap the benefits of a Process Audit, it is important to use unbiased and seasoned professionals, who have great experience in the process and industry in question. Without these qualifications, the audit may risk becoming a mere documentation gap, and stop short of identifying the true practical opportunities for improving the process.

If you have one or more processes that you believe need improvement, Mireaux can definitely help your organization by auditing these processes in depth. Mireaux’s Consultants and Auditors are seasoned professionals with decades of experience in various industry sectors. We can help you analyze the process thoroughly and provide you with actionable recommendations that can be used to improve your processes.

Call us today at (713) 589-4680 and let us help you review your situation and provide a recommendation for conducting a Process Audit. 

Yes, starting on April 1, 2020, Mireaux began providing Remote Auditing, which applies to Product Audits; however, it may only be done partially remotely. Remote Auditing can be done fully or partially remotely, and for Product Audits, a partial remote audit is definitely more appropriate. For example, in the case of an API Monogram remote audit, work instructions associated with the monogrammed product and the Design Package may be reviewed remotely, while observation of the product, the manufacturing process, and conditions will be done on-site.

Process Audits evaluate a certain process against defined criteria, while Product Audits evaluate a certain product against defined criteria.

ISO or API management system standards, such as ISO 9001 Quality Management System, ISO 14001 Environmental Management System, or API Q1 Quality Management System, do not require Product Audits. ISO or API product standards or specifications, such as API 4F, API 6A, API 7-1, API 11E, etc. do require it, as part of the verification of product compliance.

Mireaux’s Auditors have decades of experience in various industries, including the petroleum and gas industry, with hands-on knowledge of API Monograms.  Call us at (713) 589-4680 and let’s discuss how Mireaux can help your organization conduct Product Audits.

Yes, starting on April 1, 2020, Mireaux began providing Remote Auditing, which applies to Supplier Audits; however, it may only be done partially remotely depending on what the scope of the audit is. Remote Auditing can be done fully or partially remotely, and for Supplier Audits, the scope of the audit may dictate whether the audit can be done fully remotely or partially on-site.

There are many reasons that can spark the need to conduct a Supplier/Vendor Audit. Among them are the following:

  1. Your organization requires it for Supplier/Vendor approval
  2. Your organization requires it for Supplier/Vendor re-approval
  3. The Supplier/Vendor has shown a negative trend in the number of NCRs (product or service nonconformances)
  4. The Supplier/Vendor has been issued a Corrective Action and you would like to verify implementation and effectiveness
  5. A customer complaint was received, where the root cause was attributed to a failure or breakdown in the supplier/vendor processes
  6. Your organization wants to give the Supplier/Vendor additional work and wants to verify capabilities and capacity
  7. An information security incident, environmental impact, or safety incident occurred and it is evident that an error in the supplier/vendor’s processes contributed to the problem.

In essence, reasons for conducting a Supplier/Vendor Audit abound. If your organization practices the ISO principle of “Relationship Management” formerly known as “Mutually beneficial Supplier Relationships”, then being able to audit your Supplier/Vendor should be welcomed as an opportunity for furthering the ties between you and your supplier/vendor.

The ISO management system standards do not require Supplier/Vendor Audits as part of the evaluation/reevaluation of suppliers or vendors. API, however, is more prescriptive in its requirements for Suppliers/Vendors’ initial evaluation and selection, as shown on the following API Q2 excerpt:

The requirement above is clear in that an assessment of the supplier needs to be done at their facility (the facility from where the supplier is providing their product or service); however, the assessment can be conducted by your organization, an organization you outsourced to, or a third-party. Whichever method you decide, it should be part of your supply chain program and be documented as part of your management system requirements.

Audits should never be confrontational or offensive.  If you have a management system in place that follows the ISO principle of “Relationship Management” formerly known as “Mutually beneficial Supplier Relationships”, then the relationship between you and your supplier/vendor should be one of mutual cooperation and improvement.

In general, Mireaux discourages use of surprise audits or similar scare tactics. We like to send Audit Agendas in advance and make sure that the organization is fully aware of our visit. However, if you truly believe that there are major discrepancies that need to be verified, it is up to your organization to bypass early notification and just show up.

Having a management system in place means establishing a process to control suppliers, vendors, or external providers. While this process may vary based on the organization, the type of suppliers, or the requirements of the standard it subscribes to, in general it consists of having a program in place to approve and periodically reapprove the supplier. It is here where auditing the supplier could become a great tool to ensure that the approval or re-approval of the supplier is done thoroughly and not from a distance.

Mireaux Auditors have extensive experience conducting audits and have been on both ends of the Audit spectrum, escorting an Auditor during External Audits or leading audits themselves.  As an ISO 9001 and ISO 27001 certified company, Mireaux has its own set of standards and procedures that its Associates have to follow. From issuing the Agenda 2 weeks in advance to providing Audit Reports within 3 days of Audit completion, Mireaux can help your organization verify your supplier/vendor’s management system for the benefit of all.
