“All systems need to be checked and regularly maintained to keep them on track – quality systems are no exception”.
Staying on track - it doesn’t just happen, and systems don’t work perfectly forever. They need regular checks and maintenance to keep them on track.
- Most people wouldn’t consider buying a new car or motorcycle and then expecting to run it for 10 years without inspection or service.
- Our own bodies can be considered as systems – and most people these days would have periodic eye tests, dental check-ups etc.
Management systems also need checks and maintenance to ensure that they still meet requirements and are being effectively implemented. They may get feedback when a complaint is made, or an incident or nonconformance occurs. However, that is re-active. They can’t just rely on waiting until something goes wrong, but need a pro-active verification that planned arrangements are happening in practice, and are working to achieve objectives.
What has become widely accepted is that the best, structured form of such pro-active verification is a programme of internal audits. Not surprisingly, internal audits are a mandatory requirement of standards like:
That highlights the importance attributed to internal audits. It also means that your management system cannot be certified without them. In fact, failure to adequately schedule and perform internal audits is one of the most common reasons for nonconformances being raised at external certification audits. Even when organisations are doing enough to pass certification, they often don’t achieve the full benefits they should from an efficient and cost-effective internal audit programme. So what goes wrong? And what can be done to improve the situation
Getting genuine commitment - not lip service
Many a certification auditor will recognise this situation: When visiting an organisation for a certification or surveillance audit, they find that no internal audits had been performed for 11 months, until a whole series of them were carried out yesterday. That is a sure sign that the organisation’s senior management has no appreciation of the importance or benefits of internal audits. They were just done at the last minute – because they are necessary for certification. Because of the rush, they were probably not been well planned, or well performed, and failed to deliver many tangible benefits. They just served to tick the box.
If we are looking to get a genuine commitment from senior management to properly resource and support the audit programme, they have to be convinced of the value. This can be a catch 22 situation – how can they know the value without trying, and why would they try if they don’t think there is any value? One solution might be to pick some low-hanging fruit. Take just one known problem area of the business, and perform a sufficiently thorough audit that can clearly identify issues that are either costing the organisation money, affecting morale, or putting its reputation at risk. If a small team of interested parties can then resolve some of those issues, results can be shown, and a good case can be made for a genuine audit programme on cost-benefit grounds.
Spreading the load
In some small and medium-sized organisations, all internal audits are performed by just one person. As the auditor should be impartial and objective, this can pose problems when audits need to be conducted of the auditor’s own activities. The solution here is an obvious one. At least one other person should be provided with training and encouragement to perform at least some audits. This will also provide a back-up in the event of the key person not being available at any time.
There are other benefits in spreading the auditing load, such as:
- The task of performing an audit can be a good learning experience for the auditor – providing them with more thorough understanding of the business
- Each individual will bring their own unique perspective – perhaps identifying issues and potential improvements that might otherwise go undetected
- Simply reducing the workload on what is often a key person in the business
In light of the above, you might consider involving quite a few people in your organisation’s audit team.
Working to a smart schedule
Think back to the analogy of our body being a system, and having regular ‘audits’ like dental check-ups and eye tests. As we go through life, we also have other checks performed – depending on our age, our gender, and other factors. Those checks are risk-based and offer a great example for our management system audits.
Often, an organisation will perform an internal audit against each documented procedure once per year. That’s what you might call a dumb schedule. The same amount of resources is put into auditing each procedure – regardless of its importance to the business, the known performance level, significant changes taking place or other risk factors. Of course, the scheduler hasn’t set out to make a dumb schedule – they probably just didn’t think about it, or didn’t realise there is a choice. Well there is. ISO 9001’s clause on internal audits states that you can adjust the scope and frequency of your audit programme based on status and importance – in other words, risk!
Your audit should be on a smart schedule that is flexible, and is adjusted as necessary to take into account results from previous audits, other sources of information, and actual events.
Whilst individual internal audits are often based on processes or documented procedures, there are many other subjects worthy of consideration e.g. tracking one particular job or order through your system, specific contracts or projects, utilisation of I.T. or other resources, and monitoring / management of waste.
The smart audit schedule will allocate resources where they are most needed to give the best cost-benefit ratio.
Developing audit skills
We shouldn’t just assume that anyone can step in to do an audit and immediately achieve good results. An auditor must be able to appreciate the concept and understand the purpose of the exercise, develop a checklist, conduct an interview, obtain evidence, and write a report. While that might seem daunting, most people can do it well once they have been provided with just a day or so of training. They can learn the ‘do’s and don’ts’, and tools and techniques to achieve good results. It only needs the trained auditor to find one or two problems that can be fixed to pay off the investment in their training.
The buddy system can also help the new auditor in their first few audits by leaning on the assistance of a more experienced colleague while they get comfortable with their new role.
Using IT resources to help you audit smarter
Just like many business activities, technology can now help us to work smarter in many aspects of the internal audit process.
Traditionally, audits would be scheduled on a list, with audit reports either hand-written and saved in filing cabinets, or word-processed and saved in an audits folder on a computer. Moving on from that, some organisations started to create schedules in Microsoft Excel or similar. Hard-copy reports may be scanned as PDF files, and then the spreadsheet is updated to indicate completion.
Technology now offers much greater opportunities to improve the audit process whilst also saving the valuable time of those involved. Dedicated software applications can eliminate duplication of effort and automate parts of the process. For example,
- Auditors and contacts can be automatically emailed when an audit is scheduled that involves them
- Your business rules for conducting the audit can be instantly available in an associated procedure
- Checklist and Results can be entered on-screen
- Relevant evidence can be attached to the audit report e.g. PDF files, images etc.
- Any required actions identified at the audit can be automatically emailed to the responsible person – and then tracked
- The schedule can be automatically updated when the audit is completed
- The audit profile and checklist can be replicated for use again at a future date
- Network and cloud options can make the resources available almost anywhere, and help to integrate systems across various sites
They say that a picture is worth a thousand words. With the availability of digital cameras and photographic capabilities built into mobile phones, audit reports can easily be supplemented with relevant images to illustrate an observation.
For all but the very smallest of organisations, it’s certainly worth considering the process improvement and time-saving benefits that software and other IT resources can offer.
Using the data for decision-making
In a quality management system, internal audits are a key part of the ‘Check’ phase in the PDCA or (Plan-Do-Check-Act) cycle on which the ISO 9001 standard is based. The next step is obviously, to ‘Act’ on the results of the audit. So, data from the audit needs to be made available to decision-makers to decide on the necessary action.
- At the local level, there might be an ‘exit’ meeting between the auditor and the manager or supervisor responsible for the area that was audited. A copy of the audit report would also usually be made available to them.
- At the corporate level, top management should be given an overall report on how the audit programme is going. That should be done as part of that of ‘Management Review’ (the subject of the next article in this series). The report might include:
- Resources: Availability of adequate trained auditors
- Resources: Methods / IT resources used
- How many audits were scheduled/complete since the last review
- Numbers of actions that arose
- Significant issues found / benefits achieved
For a truly successful quality system, it’s critical that data from internal audits is effectively made available for – and is used – in business decision-making. Once again, the use of I.T. resources can make that happen more effectively and efficiently.
- At the local level, the Audit Report can be made quickly available to the responsible manager or supervisor, and any required actions identified automatically emailed to them.
- At the corporate level, one example would be for the ‘Quality Manager’ or ‘Compliance Manager’ to attend the management review armed with a laptop and perhaps a data projector. Any items of interest can then be explored further by directly accessing the system software application or file
See 'Services' menu for information on professional Internal Audit Service and Training options.