|
|||||||||||||
|
Title: Internal Quality Systems Auditing Author: Paul F. Lewis Publisher: Customer Focused Operations Notes: Professional guidance for initial implementation, performance, and ongoing management of the internal auditing function. This book identifies and explains the fundamental auditing skills and techniques needed to ensure your internal audit function is effective and efficient and addresses all requirements of International and National Standards
|
|
|||
|
You can order this book from internal-auditor.com at: http://www.internal-auditor.com/books.htm |
||||
This Month's Feature ArticleInternal Audit PreparationIn several previous issues we've discussed the need for internal auditors to properly prepare for audits. But just what exactly does that mean? How does one go about preparing? How much time should be dedicated, and who can afford to take the time necessary for proper internal audit preparation? These questions are often asked by participants in internal auditing classes. They are as valid as they are common. The answers are not as easy as the questions. Internal audit preparation requirements are based on many factors. The size of the organization, the complexity of the audited processes and skills and abilities of the auditor all play an important role in how much preparation is needed. Probably the largest variable in determining preparation time is the amount of resources that can be committed to the audit. Preparation, in order to be effective must occur as several levels.
The auditor must be prepared for auditing at each level if the audit is expected to be successful. The method used to prepare for each level is different, as is the time needed to prepare. Let's look at each in greater detail. Organizational Level At this level the internal auditor must have a working knowledge of the processes used throughout the organization. In order to properly audit a process, the auditor needs to have some base information about the process. This includes the process inputs and outputs, and the materials and resources necessary for proper process function. Without this information, the auditor will not be able to determine if the process is functioning The best method of preparing at the organizational level is to begin at the "big picture" level. Understand your organization's mission, customers and product lines. A SIPOC diagram is a great way to look at your organization at a macro level. SIPOC stands for: Supplier (who do you purchase/acquire what from?); Input (what inputs, such as material, information, resources, etc. are needed for the organization to operate?); Process (what does your organization do?); Output (what is generated by your process?); Customer (who buys the output of your process?). By identifying the parts of the SIPOC, the auditor can have a better feel for how the organization operates. In many cases, the auditor must look deeper than the big picture. Audits are focused on specific processes, and the internal auditor must have a certain amount of working knowledge of those processes in order to ask meaningful questions and identify what evidence will need to be collected to show evidence of conformance. In multi-location organizations, internal auditors may be required to gain a sense of the processes of other locations. This is usually more difficult than single-location organizations because the auditor typically have minimal contact with other locations. Coordination through the Management Representative will undoubtedly be required in order to meet the needs of auditor preparation. Standards Level The auditor must be aware of the requirements of the standard. Knowing how to interpret the standard is vital in determining whether situations are conforming or not, even though most internal audits rely more on the organization's documentation than the standard. The auditor must still know and understand what the standard is trying to achieve and what evidence would show that the letter and the intent of the standard is being met. The best method of achieving this level of audit preparation is to thoroughly digest the standard. Know what it says, as well as any supporting documentation (such as ISO 9004). Reading trade journals, publications (such as Internal-Auditor.com) and even books on the subject are good methods of increasing knowledge of the standard. Auditing Level One of the key requirements for effective QMS internal auditing is for the auditor to have auditing skills. The three main skills are:
Although much of audit level preparation is based on growing experience, there are still things the internal auditor can and must do prior to each audit. Preparing the audit plan and determining/developing an adequate checklist can be real time-savers during the audit. When determining the audit schedule, attempt to make the audit flow, to prevent continual walking from end of the facility to the other. Sequence the audit based on location, rather than the standard. If you are auditing based on processes, then the process flow should be of help here. If it is not, then you might want to raise the issue of whether the organization needs to investigate lean manufacturing (office)! The checklist also helps outline your fact-finding strategies. On the checklist, the internal auditor annotates what evidence they are seeking, how many of which records to examine and what questions to ask. Knowing the checklist questions prior to the audit is crucial in maintaining credibility and conducting an effective audit. The audit checklist can be used to determine who you are going to ask questions to, what you will be asking and what other evidence you are seeking. As you develop the checklist, consider how much time to dedicate to each question/examination and try to predict time needs and check them against the proposed schedule. The audit scope and sample size may have to be adjusted in order to fit within the time constraints. Even audit reporting requires some preparation. Which forms are used, if any, what will the reporting format be and how the report will be presented must all be pre-planned. Typically, the auditor's role in reporting is minimal, however the auditor must be prepared to perform their role in the reporting plan. A significant part of audit level preparation is to review previous audit results. From this inform, the auditor gains valuable insight on what items are critical and what items are trivial. This allows the auditor much more flexibility during the audit and will result in closer adherence to the audit scope. Summary: A properly prepared auditor will find auditing to easier, less problematic and more effective. The audits will contain less stress, have less conflict and more efficient. Audit preparation eliminates frustration on both the auditor and the auditee. It increases the credibility of the audit and the auditor. It is the internal auditor's responsibility to ensure there is sufficient preparation for the audit. It is the Management Representative's responsibility to ensure the auditor has sufficient time and other resources required to be adequately prepared for conducting the audit. Neither of these can occur without the commitment and blessing of top management. Auditors cannot be expected to be prepared with only minutes to prepare prior to the audit. One last thing. The auditee may also need some time for audit preparation, although not as much as the auditor. The auditee will need to make sure all records are available at the time of the audit (some organizations keep all records off-site). The auditee may also have to ensure personnel key to process operation are available on the day and time of the audit. The auditee must also make plans to keep interruptions and distractions at a minimum (auditors also need to do this.) As always...Good Auditing! |
||||
|
Advertisement: |
||||
|
Question and Answers: Q – How do you know if you are adequately prepared, as an auditor? A – There is no real good answer to this question. It is sort of like asking: "When are we wise enough?". I have found most internal auditors do no believe they are adequately prepared for the audit. They universally agree that they need just "just a little more time". It makes no difference how much preparation time they had initially. Normally, you can use two indicators to determine if you have prepared enough. First, how confident do you feel entering the audit? You might wish for more time, but you know that you are as prepared as you can be for the time allowed. The second indicator occurs during the actual audit. Are you able to follow the audit plan? Do answers fail to throw you off guard? If so, then you are probably prepared. |
||||
|
Observations from the Field To meet the requirements of ISO 9K2K, one company prepares in-depth process maps for each process. Once the maps are completed, they verify them and adjust them for maximum impact. When they are completely finished, they create large, laminated maps. These poster-sized maps are then placed in the area of the process as a guide for training and other purposes (yes, they are in the document control structure). They have found this helps all employees understand the process they are working on and leads to better "big picture" awareness. |
||||
|
Element Understanding: ISO-9001:2000 Clause 5.3 Quality Policy "Top management shall ensure that the quality policy c) provides a framework for establishing and reviewing quality objectives," The word "framework", as used here means providing the basic structure for the quality objectives. ISO 9004:2000 states: "it permits quality objectives to be understood and pursued throughout the organization." The policy must contain guidance necessary to ensure the quality objectives are in line with the organization's strategy and operational tactics. The policy does not have to include the words "objectives", but it needs to clearly reflect the organizational direction. Reviewing the objectives should point back to the quality policy. |
||||
|
Monthly Scenario Explained: February 2002's question While auditing the corrective action procedure, you notice that the procedure states only special cause variation items will be acted on. Any root cause that is found to be common cause, or if a root cause cannot be determined, the corrective action is closed without any required action The
answer: The requirement is to; a) review the nonconformity, b) determine the cause and c) evaluate the action to ensure the nonconformity does not recur. By nature, it is difficult to ensure that common cause variation does not recur. However, it would be too easy to state that all nonconformities have no determinate root cause, and fail to take any additional steps. The amount of energy spent to determine root cause needs to be justified by the nature of the nonconformity, but the procedure doesn't seem to give enough meat to determining root cause. If the wording of the procedure has not caused a problem, then it might be tough to write a nonconformance against the procedure. I would, at a minimum write an observation |
||||
|
The Back Page:
A New Year, a new opportunity Well, 2003 is upon us. Last year was another challenging year for business. For many, this meant either losing, or the threat of losing their position. Others found themselves performing more tasks and wearing more hats. The increase demands place greater stress on employees and on the organization, as a whole. Threats to the organization have increased in number and scope. Overall, the mood seems to be "dismal". Yet, there are signs of improvement. Apparently, 2002 was less dismal than 2001, and the outlook is that 2003 will be less dismal than previous years. Let's hope so. It appears that 2003 will offer more opportunities than 2002. ISO 9001:1994 will expire. ISO/TS 16949:2002 will continue to grow, and ISO 14001 mandates will be behind us. We, as internal auditors must seek out opportunities as well. We need to ensure we are prepared to audit to the new standards, and to audit by process, not by element. Organizations will be leaning on us harder than in the past, and will need our expertise more than ever. We in turn must rise to the occasion and make sure we are able to meet the demands of the future. Dave ...Good auditing!
|
||||
|
Copyright notice: internal-auditor.com is
fully protected under US and International copyright laws. Copying, or
re-transmitting all, or any part of internal-auditor.com is expressly forbidden
without prior written consent from Ruth Ellen Carey Communications.
Because this site uses information from many different sources, it must be pointed out that any advice, tips, information, etc., provided should be regarded as opinion and not fact! What works well for one company may be a disaster for another. Also, what one registrar, or auditor may allow, another may not. As always, reflect on what you read, see if it fits into your own quality system, and if it conflicts with your auditor...you've got to make a decision |
||||
