Qualityworld
Insider job
Being an internal auditor can be a lonely job. But it doesn't have to be, says Denise Robitaille. With a little forward planning and preparation you can get the best from the auditing process and from the auditees themselves.
As with any business process, auditing requires planning, definition, consistent implementation and control to be properly effective. Without these features, auditing is likely to be a resource-draining waste of time. Internal auditing is one of the elements that makes your quality management system (QMS) complete. It fits snugly into the 'check' component of your plan-do-check-act cycle. Internal auditing isn't a haphazard or optional occurrence that you tolerate to maintain certification. It's an assessment tool that provides a reliable indicator of the integrity of your organisation's systems and processes and their capacity to support your goals.
Audits help you to identify problems, risks, good practices and opportunities to better serve your customers. The information garnered from well-conducted audits is a company asset that far outweighs the modest investment in time and training it is presently afforded. The degree to which the organisation values and uses this asset is dependent on how audits are performed.
Executive management, through visible support and allocation of resources, has primary responsibility for ensuring the effectiveness of the internal audit programme. Auditors have the responsibility for good stewardship of management's support, as demonstrated by their commitment to good auditing practices and the production of meaningful audit reports.
The person in charge of the internal auditing programme asks management to support the endeavour. In exchange for the trust and confidence implicit in this support, auditors strive diligently to provide valuable information that management can utilise for strategic planning and other decision making.
What follows are some of the practices that will help your organisation reap benefits from its internal auditing programme. Although the comments are directed primarily at the first-party (or internal) audit, most of the tips are equally valid for second- and third-party audits.
Plan your audits
Make sure that the audit schedule and the defined frequencies reflect your organisation's needs. You must give appropriate consideration to criticality of activities, identification of areas that are more subject to change or to turnover of personnel, and processes that have experienced problems or breakdowns. It is essential that you review your audit schedule periodically and revise it based on these considerations.
If you have a mature product line and no new hires in recent history, assessing training more than once a year is a redundant paper exercise. Conversely, if you handle a lot of customer-owned materials, and their requirements vary significantly, ensure that those activities are included in the schedule at a greater frequency.
Once you've established your audit schedule, stick to it. Don't get into the habit of revising dates and moving audits off to the next month to accommodate other people's priorities. As long as you allow it, some individuals will always find a way to put you off. Acceding to procrastination perpetuates the impression that auditing is an 'extra' task to be performed only when time permits. This mindset devalues the process and minimises the organisation's ability to derive useful and timely information.
Prepare for the audit
Have an audit plan. Probably the single best reason to have a plan and to communicate it is so that you can tell people in advance when you'll be in their area - it's common courtesy. This goes a long way toward dispelling the witch-hunt mentality with which people usually perceive the arrival of an auditor. Failing to alert process owners of planned audits carries other negative consequences: as long as individuals feel that an audit is a surprise attack designed to catch them in error, they'll conceal problems. They won't look upon the audit as a fact-finding event designed to foster a culture of improvement. They'll look upon it with the dread of miscreants afraid to be punished for their transgressions - even though they've probably done nothing wrong. Problems recur cyclically because they're covered up out of fear of punitive action.
Efficiency is another reason for having an audit plan - it saves time. The auditor has a sequence that makes the audit flow smoothly and logically from input to output through a series of processes. Effective planning brings an element of lean management to the auditing process. It minimises the backtracking and repeat visits that eat up precious time without adding value.
Review the documents that describe the processes you'll be auditing. This helps you to frame the questions you'll be asking the auditee, and ultimately will promote more comprehensive answers. Reading the documents ahead of time also helps you distinguish the most critical requirements and the points at which ownership of a product (or process) changes to a new person or function.
Review the last audit report and any corrective action requests that emerged. This will help you to assess if things have improved or if a problem has persisted or gotten worse. If your corrective action process is well-linked to your internal audits, you can verify the implementation and effectiveness of corrective actions as part of the audit process.
This applies to all corrective actions, regardless of origin. One of the areas in which this is particularly useful is in verifying the results of supplier corrective actions. Through the questions that you ask, you can augment purchasing staff's understanding of the verification process. This helps them to discern if the response they've received from a supplier actually provides evidence of an effective action plan. Without such verification, all the purchasing department really has is evidence that the supplier can fill out a form. Opportunities for learning and improvement are lost.
Easy questions an auditor might ask are: 'How do you know that the plan worked?' 'Have you asked them to send final test reports for the last orders they've shipped us so we can review them against our own records?' In this way, the auditor furtively drops hints that increase other individuals' comprehension of how the organisation's QMS works to improve their processes - in this scenario, through the effectiveness and productivity of supplier relationships.
Prepare a checklist. Even if your organisation uses canned checklists, it's important to prepare and revise them based on the documents you've reviewed so that the audit trail you map out is complete. This also helps you to develop questions so you don't waste time, and it serves to keep you from meandering outside of the scope of the audit.
Use accepted audit practices
Regardless of whether this is an internal or an external audit, there's no excuse for ignoring good audit practices.
You need to conduct an opening meeting. For a third-party certification audit, this is a fairly formal event with a whole list of items that must be covered: scope, purpose, standard, duration, schedule, confidentiality and nondisclosure agreements, rules for reporting nonconformities, safety equipment, escorts and the appeals process.
For an internal audit, it's appropriate to have an abbreviated version that outlines what processes are being audited, how long you expect the audit to take and the individuals you may wish to interview. Arriving in an area and beginning the audit without some initial remarks or a simple greeting only serves to increase tension and the likelihood of alienating those who can facilitate a productive audit.
Following these basic audit practices should ensure that the information management gets is accurate, reflects the status of the organisation and is detailed enough so that it results in good decisions. This is what makes audits effective. Anything less is a meaningless paper shuffle.
Biography
Denise Robitaille is an RABQSA-certified lead assessor, a quality auditor and a member of the US technical advisory group to ISO/TC 176. This article originally appeared in the US magazine Quality Digest. For more information visit www.qualitydigest.com
Inside information
Here are a few pointers to remember during your internal audit.
Ask the right questions
- auditees weren't hired to answer your questions, so they won't be quoting text verbatim from a procedure. They should be describing their process in a way that lets you understand it, and that demonstrates how well they understand it
- ask open-ended questions, not the kind that will get only yes or no responses. Give the auditee an opportunity to explain what she does and she will probably provide more complete information
- ask how the auditee does his job. You're not just verifying that something is done but that it's done correctly - as defined. A report on nonconforming product will tell you something's wrong, but assessing the process will help you pinpoint what
- remember to use documents to help you frame your question as this will determine if they accurately reflect the requirements of the process
- don't be afraid to repeat or restate your question. Sometimes we need to come at a subject from a different angle
- give the people time to answer. Don't assume that a delayed response is an indication that the person is lying
- avoid quality speak. If you're trying to determine what the output of a process is, simply ask: 'What happens next?' rather than: 'What's the output of the process?'
- suggest a scenario and ask, 'What would happen if…?' This will help you verify how well the process is controlled if there is a deviation or if something goes wrong. It will also help you assess the effectiveness of communication and the definition of authority and responsibility
- ask why. People who do tasks mindlessly are less likely to ensure that they are consistently and correctly implemented
- practise your listening skills. Are you hearing what the person says, or what you anticipate her answer to be? Looking directly at the person who's speaking helps you remain focused and shows you're interested in what she has to say
- if you're writing while the person is speaking say: 'I'm listening to you, but I need to write this down.' If the auditee is afraid that your report will result in punitive action, explain why you write things down. Try: 'I have a brain like a sieve. If I don't write things down, I'll forget'
- always tell the auditee if you're planning to report a nonconformity uncovered in his area. No one likes to be blindsided two days after an audit by a report that appears to say that he made a mistake
- never leave without saying: 'Thank you'
Write a comprehensive audit report
The report doesn't have to be lengthy, but it should convey a balanced summary of the status of the organisation. It should mention good practices that have been observed, risks that have been perceived and problems that you have identified. It should include the following:
- date of the audit. This provides evidence that audits are being conducted within schedule. It's also appropriate to record the duration of the audit so that management can see how much time and money the organisation is spending on internal auditing
- areas audited, especially if the company has multiple locations
- standard used. For a third-party audit, it's generally a QMS standard like an ISO while for internal audits, it's usually a list of the internal documents associated with the functions and activities audited
- lead auditor and audit team
- interviewee names provide evidence that the people who answered questions were actually the process owners who have responsibility for the activity. It's not uncommon for people to try to be helpful and answer an auditor's question for someone else
- an audit report should mention any good points that were observed
- when writing up findings of nonconformity, be clear and complete. A well-articulated nonconformity statement should provide enough direction and clarity that the process owner can use it to initiate root cause analysis and eventually develop a viable corrective action plan
- make statements about perceptions of risk. Don't specifically say something is wrong but you can intimate what might go wrong. Like nonconformities, observations should be tied to requirements to allay the misconception that they are just ideas that the auditor thought up
- write down the answer so you don't forget. Record the evidence you've assessed. Take copious notes. This provides the foundation for the audit report and it also allays any confrontation. The auditor doesn't need to defend his conclusion. All that's needed is a reference to the evidence upon which the observation is based


