“I am here to audit you.” That phrase can strike fear in most of us, thanks in part to our good friends at the IRS. In the business world as well, those five words can send a chill down the spine of everyone from the Finance VP to the shipping department clerk. But it shouldn’t if you have a well run Audit process for Internal Audits. So what is an ISO audit process?
Preparing for audits is just one reason to have a proper Internal Auditing process or program. Another good reason is that it is frequently a requirement. ISO 9001 Clause 9.2.1, for example, clearly states that the organization shall conduct Internal Audits at planned intervals. A similar provision exists in many other standards and regulations as well.
As noted above, Internal Audits can ensure your policies, procedures and processes comply with all the required standards and regulations. Do you really want to wait for external auditors to show up in order to know how your organization’s internal control or Quality Management System is doing?
If compliance, however, is your only goal in creating and maintaining a system of internal control, or in instituting a Quality Management System like ISO 9000 (and its associated Internal Audits), then you may be missing a great opportunity.
If your business or organization is taking the trouble to institute internal control and management systems, shouldn’t you use the system to continually monitor and improve performance? And Internal Auditing has an important role in the continual improvement mindset. Using control and management simply for compliance is just doing the bare minimum. Few businesses truly succeed with that philosophy.
Putting an Internal Auditing process or program in place isn’t difficult or expensive. The key to an internal auditing process is commitment to applying a small amount of resources in assembling and training an Internal Audit team, and then scheduling Internal Audits according to your organizational needs. For example, a pharmaceutical company complying with FDA regulations will probably want to have a more aggressive Internal Audit schedule than, say, a tool company that is ISO 9001 registered.
The ISO Audit process is a cycle of Planning the audits, Performing or Doing the audits, Checking the audits, and then adjusting the audit plan based on the results of the first audits. This is the PDCA or process approach to auditing.
Start the audit process with an audit program plan: who is going to audit what by when. Create a schedule of when each audit is going to take place. Determine the audit scope or area to be audited and who the appropriate auditors would be for each audit based on auditor qualifications: skill, technical knowledge, or experience. Make sure to plan for any needed training for new auditors or refresher training for experienced auditors. This is especially important for IATF 16949 automotive auditing, which has a lot more requirements for auditors including understanding Advanced Product Quality Planning (APQP), Core Tools, and types of process audits (product, manufacturing, and supplier).
Important Note: The ISO standard requires that all Critical To Quality (CTQ) processes be audited and that all clauses of the ISO standard that apply to each process be included in your audit program.
Then implement the plan with a series of audits at planned intervals throughout the year. Make sure to check the audit program schedule regularly to ensure each audit is actually getting done. This is a very common audit finding: the audits are planned, but something comes up and the audits are not completed as scheduled. Remember, you can always perform a full system audit at the end of the audit year to ensure that all CTQ processes have been covered.
Check the audit program plan. Did each audit go according to plan? How well was each audit planned? Was each audit report well written with actionable findings? The worst audit report is one that has no findings, positive or negative. If the process being audited is perfect and meeting all metrics 100%, then state the process objectives, process performance, and conclude it’s perfect. Then state what the improvement goal is and the expected date of completion. This is rare, but can happen. More than likely the process is less than perfect; in that case, state what actions are being taken to reach the target and the expected date. There is always an action that can be followed up on for the next audit.
If there are nonconformances or gaps in performance, either with the standard or with your quality objectives, then that is a finding that goes in your audit report. Now check that all findings were acted upon in a timely manner and corrective actions were completed. If you find any discrepancies, then you have something to act on in the Adjust phase.
What were the results of the check step? Was it perfectly executed? Great, then raise the bar and try for higher levels of performance. If not, initiate some action, change the audit program plan, and run it through another year of the cycle.
Besides committing the appropriate resources (personnel, budget, and time), training and clear communication are the most important elements of an Internal Audit process. The Internal Audit teams should be trained on the audit process as well as the standard or regulation to which audits are being conducted. Audits, whether internal or external, should always be conducted to a specific standard, regulation, or internal control system (policies and procedures). This allows auditors to base objective findings on very specific requirements.
Communicating the objectives of the Internal Audit Process throughout the organization is also important. If everyone in the organization understands that auditing is always about improving the system, and never about catching someone doing something wrong, this knowledge goes a long way to alleviate the fear and dread. This can be especially true if they understand that the audit will provide meaningful information for continual improvement and effective management as well as preparation for external audits.
Bizmanualz can help with your Internal Auditing program. We have recently redesigned and improved our Internal Auditor Training class. The two-day course covers key areas on which all Internal Audit team members should be trained, such as audit techniques, the importance of clear communication, appropriate auditor behavior, how to conduct audits that stay within scope and schedule, and audits that provide meaningful information for compliance and continual improvement.
While the Bizmanualz Internal Auditor class uses the ISO 9001 standard, the techniques and information can be applied while auditing to any standard or regulation including:
Bizmanualz Managing Director Chris Anderson developed and teaches the course. Chris has years of auditing experience across numerous fields and industries, including AS 9100 Aerospace, ISO 9001 manufacturing, IATF 16949 Automotive, FDA/ISO 13485 medical device, Sarbanes-Oxley Accounting, and ITIL Information Technology compliance. Chris also holds certifications involving quality management and auditing from the American Society for Quality (ASQ).
If your organization has an aggressive and well-run Audit system, then when an external auditor shows up (whether from a customer, a regulator, or a third-party registrar), nothing they do or find will be a surprise to you. In fact, if the Internal Audit system has already identified areas for improvement, and plans and activities for improvement are in place, including Corrective Actions, then most external auditors will view your proactive management very positively.
So the next time someone says, “I am here to audit you,” instead of reacting with fear and dread, think of it as what it really is: an opportunity to improve your department and your organization. Bizmanualz is here to help you make auditing a pleasure, not a pain.