Internal Auditor Resources

I know we've listed this before, but it is worth repeating. The Cayman Cove at: www.16949.com is one site on the web that all quality professionals need to keep handy. They offer Forums, checklists, and way too much to list.

top of page

Featured Book of the Month:

Title: Puzzling Auditing Puzzles
Author: Janice Russell
Publisher: Amer Society for Quality
Notes: Just what it says, it contains crossword puzzles, word-finds, mini-case studies and test-your-knowledge questions and answers.

You can order this book from internal-auditor.com at: http://www.internal-auditor.com/books.htm

This Month's Feature Article

Performing Credible Audits

The purpose of a Quality Management System internal audit is to achieve three separate goals; to ensure the QMS meets requirements, to make sure it is effectively implemented and to provide a means for continuous improvement. None of these goals can be obtained if the audits are under some type of suspicion. 

Suspicion may be the result of any number of sources, but one of the most common is the feeling that the audit might not be objective. In a recent internal auditor class, two participants from the same company indicated their reason for wanting to be an internal auditor is so they could "get Joe!" Although their comments were in jest (at least I hope so), even joking can put a cloud of doubt over the entire audit process. That is not to say we can't have fun, but we must be judicious about what we joke about, when we joke, and who is around. 

Of course, performing credible audits goes much farther than just saying things in jest. In order to perform a credible audit, three attributes must be present.

• Audits must be accurate

•  Audits must be impartial

•  Audits must be meaningful

Let's take a look at each of these attributes with an eye on using them to build credible audits and how they assist continuous improvement.

Audits must be accurate:

This is probably the greatest diversion from audit credibility. If your audits are not accurate, it is nearly impossible to achieve any level of credibility. Inaccurate auditing can stem from many sources. Lack of knowledge, of either the standard or organizational requirements, can lead to errors in judgment. 

Each nonconformance written should have three characteristics. All nonconformances need to be understandable. Auditees should have no problem in determining what the nonconformance is. Nonconformances also must be actionable. That is the auditee must be able to take appropriate corrective action on the nonconformance. Nonconformances must also be unarguable. By understanding the requirement and articulating the nonconformance correctly, the auditee should not be able to argue the validity of the nonconformance. They might not like it, but they can't argue.

By following these steps, the auditor quickly earns a reputation of fairness and thoroughness. The credibility of both the audit, and the auditor increases.

The audit must be impartial:

Every QMS standard and set of requirements attempts to make the audit process objective. 9K2K goes as far as to require audits ensure objectivity. We already know that auditors should not audit their own work, and we know that auditors need to be free from bias. But credible audits go much further that that. Credible audits include impartiality in the audit schedule and auditor selection. The audit program manager has a large role in establishing the impartiality of the audit. Which auditor is assigned is a major factor.

Using a checklist, which is provided to the auditee well in advance of the audit will also add credibility. Should the auditee feel bias, the checklist can be challenged long before the audit is to take place.

The audit must be meaningful:

In order for an audit to be meaningful, the auditee must come away from the audit feeling that the audit was impartial and accurate. The auditee must also clearly see what the necessary next steps are. The auditee must be able to act on the audit results. Those results must arrive in a timely manner. Undue delay in reporting audit results will dramatically reduce the audit's meaningfulness. After all, if the audit isn't important enough for the auditor to get the report in, then why should it be important to the auditee?

The Auditor's Role:

Okay, so far we've been talking a\on a conceptual or audit administration level. But how does this impact the individual auditor, or how does the individual auditor impact the credible audit? In order to answer this, we must first acknowledge that it is the auditor's behavior that determines whether the audit is perceived as being credible. It is the auditor that the auditee sees, not the audit administration. With that in mind there are seven steps an auditor can take to help ensure credible audits. These are in no particular order:

1. Be responsive: Be responsive to the auditee. Answer their questions, provide information, and take their requests seriously. You must also be responsive to the audit plan and schedule.

2. Be punctual: If you are scheduled to be in purchasing at 9:00, then be there. This also applies to the audit report. Make sure you keep the timeline, even if the auditee doesn't!

3. Be prepared: Before the audit, make sure you understand each step of the procedure, each question on the checklist, and every form that is used. This will increase the preparation time needed, but it will also show the auditee that you are prepared, and are professional.

4. Do not be arrogant or stubborn…even if you are right! This might be tough for some of us. It can be quite thrilling to have the upper hand, but avoid the temptation. Humiliating the auditee will not add value to the audit.

5. Don't be afraid to ask probing questions: Sometimes auditees will answer the wrong question. Sometimes they will attempt to fool the auditor. If you are not sure, ask a deeper question.

6. Don't assume you know the answer: This tends to be a major problem with small organizations. The auditor "knows" how things are done, and biases the audit accordingly. This single event may have the largest negative impact on audit credibility.

7. Be interested: Just don't show interest. Be interested! If you are truly interested in the outcome of the audit, the auditee will know. If you are faking interest, the auditee will know that as well.

Summary:

In order for any audit program to be successful, it must have credibility. Audit credibility is gained from audit administration, and is magnified by auditor actions. Without credibility, the audit process quickly becomes another mandatory meaningless task, performed to satisfy the registrar. With credible audits, the process is much more dynamic, and participation is greater. Audits are performed for improvement, not because they are required. It is very important to remember it is the auditor that determines if the audit has credibility, or lacks it. Once the auditor and audit reputations are set, they are very hard to change. Once an auditor, or audit program comes under suspicion, clearing the name will be difficult - at best! Follow the seven steps listed. Make sure your audits are accurate, impartial and meaningful.

As always...Good Auditing!

top of page

Q - We need to become registered to ISO 9000. The management team wants to start with the 1994 version and upgrade later. I think we should just start with 9K2K. Which is better?

A - Without a doubt, most organizations will be better off starting with 9K2K. The main reason, is why implement a new system, just to change it? With that said, try to show them the advantages (in dollars) with 9K2K, as apposed to upgrading 1994 later. If there is still resistance, then go with 1994. The reason I say this is getting management buy-in is the largest hurdle for quality management system implementation. You seem to already have that. Forcing a shift to 9K2K could step on some toes, and you might lose any and all management cooperation.

top of page

To make internal auditing completely objective, we wrote our procedures in a very specific manner. Each line of each procedure tries to answer three questions:

1. What action is to be performed

2. Who is to perform the action

3. What paperwork is going to be generated as a result of the action or to prove the action was completed.

With this procedure, there is no subjectivity about whether something is being done, or done correctly. The auditee can either show the documented evidence that the action was performed or not!

Submitted by...Cecil Merriam

top of page

The International Automotive Sector Group (IASG) has issued a new set of sanctioned interpretations that take effect July 1. The major change is in Element 4.6. The interpretation reads in part:

"…Minimum subcontractor compliance shall be certification by an accredited certification body to a current version of the ISO 9000…"

This means that vendors to QS-9000 companies have 18 months to become at least ISO registered. You can get more information in our Element Understanding section, or visit the IASG website at:

www.qs-9000.org

top of page

QS-9000 4.6.2.1 Subcontractor Development

"Goal of subcontractor compliance" requires subcontractors to achieve compliance within a defined period of time not to exceed 18 months from the effective date of this sanctioned interpretation. Minimum subcontractor compliance shall be certification by an accredited certification body to a current version of the ISO 9000 Quality Management Series of Standards, excluding ISO 9003; plus any requirements specified by the customer. Assessment by an OEM or an OEM approved second party will be recognized as meeting subcontractor compliance requirements to 4.6.2.1"

This is the new sanctioned interpretation from the IASG. It does give flexibility in deciding whether to register to either the 1994 edition, or the 2000 edition of ISO. And it also provides 18 months to obtain registration. And folks thought QS was dead!

top of page

October's question:

You are auditing manufacturing. At a particular station, there is a poster showing product and various abnormalities that can occur during production. It is stamped "For Reference Only". The supervisor indicates that because it is marked as reference only, it does not have to be in the document control system. While interviewing employees, several indicate that they regularly use the poster to identify the abnormalities they discover. They further use the poster to help determine why the abnormality occurred, and how to make the necessary adjustments to prevent recurrence.

 The answer:

The practice of making things "for reference only", to avoid placing such items into document control, is common. Unfortunately, our focus should not be on how to avoid controlling documents, but how to ensure necessary documents are maintained. In this case, the document (a poster) was used extensively. It really needed to be controlled somehow. Marking it "For Reference Only" was a tactic to avoid dealing with how to control the poster. This tactic often ends with disastrous results. In this case the auditor found other examples of using tricks to avoid document control. The result was a major in 4.5.

 top of page

If you have been a subscriber for over six months, you have noticed that we recently changed the layout and look of Internal-auditor.com. Our goal was to provide a presentation that was visually pleasing, yet easily maneuverable. We received a considerable amount of email on the new look. Several had concerns, which made us re-think our layout. As a result, there will be another round of changes. Our layout will change again, and we will change some of the Subscriber's options. The Team Meeting will disappear and will be replaced by a Forum that will be in the general area. The format of the Scenario questions will change, and it too, will move to the general area. We are also looking at ways to rework the on-line newsletter for better printing, while keeping the hyperlinks. We expect these changes to occur within the month of July, or August. If you have any specific suggestions, let us know.

Thanks, 

Dave B

...Good auditing!

Copyright notice: internal-auditor.com is fully protected under US and International copyright laws. Copying, or re-transmitting all, or any part of internal-auditor.com is expressly forbidden without prior written consent from Ruth Ellen Carey Communications.
internal-auditor.com is a publication of Ruth Ellen Carey Communications. 

Because this site uses information from many different sources, it must be pointed out that any advice, tips, information, etc., provided should be regarded as opinion and not fact! What works well for one company may be a disaster for another. Also, what one registrar, or auditor may allow, another may not. As always, reflect on what you read, see if it fits into your own quality system, and if it conflicts with your auditor...you've got to make a decision