1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Creating an Internal Audit Program That Works for Your Organization

Discussion in 'Process Audits and Layered Process Audits' started by RoxaneB, Oct 20, 2015.

  1. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    At Andy's suggestion, a new thread has been created by copying some of the off-topic posts from another thread.

    And many organizations mirror the CB approach via their internal audit program. We've seen examples of that here and in our former home. Organizations may not be able to change how 3rd party audits go, but they can change their own behavior. I am a fairly vocal advocate that there is more value to be gained from an internal audit than an external one. We're looking at ourselves in the mirror. We have the opportunity to be our strongest critic...and strongest champion.

    With New Year's quickly approaching, resolutions will soon be made by many. One of the more popular ones is "To lose weight." Having a bunch of people tell us how is all well and good, but it is up to us, as individuals, to do the work and change our lifestyle. Family and friends are a great support and they can recognize our efforts, but the actual efforts and results will only happen if we take action ourselves.

    It's the same thing with an organization attempting to develop a value-added QMS. Make it work for you...not the CB.
     
    Last edited: Oct 21, 2015
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    ^^^ So true! I'd like to see a different model of internal audit training used, but it seems that few see anything inherently "wrong" with what's been taught for the past 25+ years - yet those same people don't see that those behaviours don't get good results (unless making a CB happy is your aim).
     
  3. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    As with many aspects of education - from grade school to university to professional development (such as documentation systems and auditing) - it is tailored to provide a general understanding for the majority of the users. If we are fortunate to have opportunities to test the theory - such as lab work or mock audits - great...but it's still done in a controlled environment where little innovation or self-discovery happens. Yes, I recognize that there are exceptions to that...life is full of exceptions. The point is that academia is controlled and limited and has boundaries so that we all learn the same things in the fairly consistent (and unchanged) way we are taught.

    It is up to us as the students to figure out how to apply that knowledge. This is the message that is missing from those auditing courses. We're taught the fundamental tools. We're given examples of what the CBs use (and often they're the ones teaching the course). We learn the requirements. We learn the expectations. What we are NOT taught...or told...is the importance of making it work for us and our organizations. Everyone needs the tools and knowledge first...you need that foundation. But to develop a robust, sustainable and eventually mature system, a good student will question how the foundational knowledge will add value to the organization and minimize waste.
     
  4. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Probably time for another thread...
     
  5. Sidney Vianna

    Sidney Vianna Well-Known Member

    Joined:
    Jul 30, 2015
    Messages:
    127
    Likes Received:
    172
    Trophy Points:
    42
    How insightful, Roxane. Excellent comments all around. As discussed so many times at The Cove, internal audits are one of the biggest wasted efforts many organizations self inflict. Given the proper context, resources and expectations, internal audits could be one of the most powerful tools any organization could have to drive evolutionary and revolutionary improvement.

    Unfortunately, too often, internal auditing ends up being a "go through the motions", pretend to audit exercise where very little is gained. If oversight entities, such as customers, regulators and certification bodies, were more demanding of the effectiveness of internal audits, forcing organizations to elevate their internal audit game, the business world would be a much better place.
     
  6. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    It's not perfect and still in the development phase as I work with the process owners and subject matter experts, but I've attached what our internal assessment program is starting to shape into. With so many inputs, it was becoming difficult for us to truly understand what we were doing and for whom...not to mention all the paperwork...we were forgetting the original reason we exist! While I wanted to call it something like Business Standards Assessment or anything that wasn't so Quality-centric, I lost that battle and, to be honest, right now, it's not the top priority as this is rolled out.

    The sections are part of our internal framework and we've been slowly identifying processes, not departments...a conversation that was uncomfortable for some, but happily embraced by many (to my delight!). :)

    Using Service as the example, the output of the internal assessment program provides a "basketweave" matrix. If you're familiar with those images that can look like one thing or another depending on your mindset, focus, and so on, the basketweave matrix allows for a similar exercise. If you look along the horizontal line, you can see how well a site conforms to the documented standards of the various processes. If you look along the vertical, you can see how well a process is conformed to by the various sites. There would be numbers in there instead of coloured circles - these are used to simply communicate the intent of the matrix.

    The matrix can be used to identify benchmark performers (be it a site and/or a process). It should also be noted that 'red' is not necessarily bad. Red simply means that the there is a lack of conformance to the documented standards. Further discussions may indicate that the site is actually performing the process at a level superior to the current documentation, and that it could be time to improve the process for all.

    This style of auditing (or using the audit results) is seldom taught during any auditing course I've attended. The connections between audit results and analysis of data seldom goes beyond counting the number of findings per department or per section of the standard - I don't think I've ever heard an instructor discuss how to actually ACT on the data or "read the story" that the data could be telling. Granted, I doubt many CBs (who often teach these courses) analyze data to that level for their Clients...nor should they. But if the Clients are the students, somewhere in the course structure (being it for auditing or QMS implementation or something else), there should be some discussion on how to use data and trend analysis for preventive action and continual improvement beyond product requirements.
     

    Attached File(s): 1. Scan for viruses before using. 2. Report any 'bad' files by reporting this post. 3. Use at your own Risk.:

    Last edited: Oct 21, 2015
  7. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I agree Roxane. While the various training course requirements/accreditors cling to a model based on supplier auditing from the 80s, nothing will change. I was trained by the architect of one of the 4 first ever IA/LA courses, before ISO and certification came along. Then I taught the B*I IA/LA courses (written by a colleague of the first chap) throughout the 90s. Very little had changed. There's ZERO requirement to address the planning of either a CB type audit or an internal audit, other than a specific event. No audit program. As a result, the vast majority of the auditors go to these courses, written around this singular model of actually doing an audit (NOT program management) and they all recognize what they were taught and everything's good, because that's what they were taught. Until a second model - that of IA - which doesn't drill on opening/closing meetings, or dealing with evasive clients, or grading no-conformity statements etc. etc. nothing will improve - which itself is an indictment on auditing when you consider that people tell you audits are for improvement, but the training criteria etc hasn't changed one iota in 25+ years!
     
  8. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    So, we either accept that this change isn't going to happen anytime soon in the courses and continue to flounder as we develop non-value-added systems within our organizations...OR...we do something about it. I opt for the latter. It is part of the training within my own internal assessment program. It is part of the message I communicate when identifying areas for improvement and innovation...or, in some cases, establishing a daily routine. Perhaps someday these external courses will understand what organizations truly need - and could benefit from - beyond an exercise in red tape and paperwork, but until then, I'd rather implement a beneficial solution than simply accept the status quo. :)

    As egotistical as this may sound, the CBs need to catch up to me...I'm not going to wait for them.
     
    Andy Nichols likes this.
  9. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Sadly, some CB auditors have tried to help clients realize that one/two audits a year, which emulate the CB process ISN'T what it's about - but then, often, clients push back, citing "You're consulting..."
     
  10. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    I guess I was lucky to have a ten year relationship with the CB auditors that came our way in my previous position. It also helped that the organization's senior leadership not only asked us to be creative and innovative in our problem solving, but encouraged and supported such approaches. Some middle managers wanted to "do the minimum" but they were usually hushed and, in some cases, ignored by leadership...which sounds pretty good until they realized they were also ignored when budget time rolled around. ;-) For those that came around and understood that simply "meeting the requirements" was frowned upon, we started to see some pretty impressive results.
     
  11. BradM

    BradM Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    394
    Likes Received:
    314
    Trophy Points:
    62
    Location:
    Arlington, TX
    I still contend to the notion that many of the arguments set forth by this core group over the past seven years or so are... really progressing and cutting edge.
    I liken an internal audit program to the preventive maintenance program. If it is effectively managed, there is a lot of value to be gained by it.
    I still see mountains to be climbed in internal auditing:
    • Lack of properly trained internal auditors
    • Auditor not given enough (or too much) authority
    • Lack of resources given to establish effective internal audit schedules
    • Poorly communicated goals and benefits
    • Because goals and benefits are not communicated effectively, the perception and response to internal audits are tepid at best.
    A good internal audit program is cash in the bank. But getting it established (like all other initiatives) requires upper management support.
     
    Katherine, Alpine and RoxaneB like this.
  12. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I'm thinking 3 of your list would be addressed if the likes of IRCA and Exemplar (and others?) would take a look at the indicators all around places like this and LI, to see what the legacy of their sanctioned training has created... I even just looked up some a*r*s*a*e sanctioned internal auditor training and the agenda was 1.5 days of 3 JUST going through the standard! WTH?
     
    BradM likes this.
  13. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    Opportunity #1 | Lack of properly trained internal auditors

    Solution #1 | There is nothing that says an internal auditor needs to attend an externally-provided session. Organizations can develop their own training courses. Heck, maybe WE should here on QFO...just an idea. Might help out the smaller organizations and is a potential revenue stream to support QFO...

    Opportunity #2 | Auditor not given enough (or too much) authority

    Solution #2 | Authority to do what exactly? Identify findings? This is, in my opinion, the secondary objective of an auditor. The primary objective is to highlight strengths. Let's recognize and celebrate the good stuff. Too often, auditors and organizations forget about this. However, while auditors have the authority to identify gaps and/or nonconforming activities, they do not have - nor should they have - the responsibility to correct them. This is oftentimes missed by organizations. The lead internal auditor and/or owner of the auditing process may also have the authority to identify, summarize and analyze audit results and responses to audit findings. Again, however, it is not - nor should it be - the responsibility of this individual to correct...unless the issue lies within the audit process.

    Opportunity #3 | Lack of resources to establish effective internal audit schedules

    Solution #3 | In my opinion, creating the schedule isn't held back by a lack of resources. Commitment and communication seem to be more likely reasons that a schedule isn't properly developed. Unless, this is an area where auditors lack authority (i.e., the ability to, if necessary, forcibly develop a schedule). The lack of resources happens in the prepping, conducting and reporting phases. If internal auditors are pulled from other departments, conflicting priorities may restrict their ability to dedicate the appropriate amount of time and focus to effectively complete each phase so that the organization gains the most from the audit. This can lead to belief that audits are simply a pencil-whipping exercise.

    Opportunity #4 | Poorly communicated goals and benefits

    Solution #4 | Change management. Change management. Change management. If you're trying to sell your organization on the value of a robust, meaningful assessment program, you better understand and articulate the goals and benefits in such a way that it resonates with people. As Simon Sinek says - "People don't buy WHAT you do, they buy WHY you do it." Why should anyone care about audits? Why are audits a value-added activity? If you want people to drink the Kool-Aid, you better make it tasty!

    Opportunity #5 | Because goals and benefits are not communicated effectively, the perception and response to internal audits are tepid at best.

    Solution #5 | Keep it simple. There is no need to bog the entire organization down with the details of checklists and matrices and requirements. Get them excited on the WHY...briefly explain the HOW...bullet-point the WHAT. Any initiative, be it internal audits or doc control or a brand new product line, should follow the Why-How-What sequence. I also recommend an elevator pitch. If you've looked for a job over the past few years, maybe you've heard the importance of developing a 30 second "Why You Should Hire Me" or "Why I'm the Best Candidate" speech. It even comes in handy at networking sessions. Try developing one for a beneficial, effective, efficient, robust (hey, that spells BEER!) audit/assessment system. I'm willing to bet that kind of messaging will not only stick with people, it will resonate and they may even want to know more.
     
    Last edited: Oct 22, 2015
    drgnrider, Andy Nichols and BradM like this.
  14. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    ^^^ Me likey!;):D
     
  15. drgnrider

    drgnrider Member

    Joined:
    Nov 30, 2015
    Messages:
    44
    Likes Received:
    17
    Trophy Points:
    7
    Location:
    Kansas, USA
    Roxane, thank you for this thread.

    My “auditing” started a few decades ago in another organization by using checklists that came down from ‘corporate’. Then a few years ago I was tasked to be the LA and sent to the 36-hour class… that opened my eyes to the shortcomings of “the checklist”. Since that class I have been a strong proponent to eliminate our existing ISO-9001 checklists and the ‘what is the minimum we need to do’ attitudes. I have been able to pass along my ideals into the EMS (14001) auditors as I built this program vs. inheriting the 9001 and struggling to get them away from their checklists. I am also glad to see the new releases as I can adjust the QMS system to my ideals. With all that said…


    How are you going about this? While I have subtly been able to make a few improvements in our management systems, I am still trying to get past the minimalist attitudes of management.


    A BIG part of QMS/EMS acceptance is how the audits are presented to management, as has been noted, they need the positives as well as the negatives. So, after I get myself up to speed on the new 9001 & 14001, I am going to put together training for my IA’s (they are not going to let me spend the money to SEND them to training). Some of my, as I have been told, "radical ideas" are to: 1) combine my QMS & EMS auditors, 2) get IA's out of the "this does not get product out the door" mentality (reason for missed audit dates :( and if they have a more positive attitude... it will be catching), and 3) audit the process (shop floor), not the manager at their desk. ANY suggestions anyone is willing to share on this topic will be greatly appreciated!
     
    Katherine and normzone like this.
  16. normzone

    normzone Well-Known Member

    Joined:
    Aug 3, 2015
    Messages:
    137
    Likes Received:
    77
    Trophy Points:
    27
    Very interesting thread - I'm in it today because I had a well developed and growing internal audit team, and in attempting to grow it I came to the attention of our new president.

    In a nutshell, he took my well-oiled machine apart and made off with the best of the components I'd fine-tuned, and in exchange gave me a handful of novice talent in exchange.

    I could deal with that, but his justification was that senior management could not perform internal audits because they could not be objective. Have any of you ever entertained a supportable argument of that nature ? NOTE: "Senior management" would describe about 20% of our very small company.

    I think he was just entertaining himself, but I wanted to check with you folk to see if this is a commonly held position.

    As always, thanks to you for your contributions here -
     
  17. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    And to prove it, he's being totally subjective in his comment. Not going to win with THAT kind of ego... Sadly, too many "top" people base their view of the world on a skewed version of reality. Of course, they must be doing things well, how else did they get to that (top) position?
     
  18. normzone

    normzone Well-Known Member

    Joined:
    Aug 3, 2015
    Messages:
    137
    Likes Received:
    77
    Trophy Points:
    27
    Thanks Andy, I figured it was something of that nature.

    After I'd trained my (first and only) wild mustang, a wonderful experience, I met an old man who told me that in order to get away from the farm and all the animals he had to deal with, he joined the Army.

    When they asked him what skills he brought with him, he told them none in particular, he'd just wanted to get away from the farm and having to train a succession of wild horses for his father, among other livestock duties.

    They gave him to the cavalry - where he was put to work breaking and training mustangs. He said the frustrating part was when he turned a batch of the wild beasts into actual horses, the officers would take all the best ones and give him more green ones.
     
    Andy Nichols likes this.
  19. drgnrider

    drgnrider Member

    Joined:
    Nov 30, 2015
    Messages:
    44
    Likes Received:
    17
    Trophy Points:
    7
    Location:
    Kansas, USA
    Interesting.... a CB auditor tried to give us an NC on this (he had to call his manager to confer, who supposedly agreed with his auditor)... apparently, as our lead auditor, I am not supposed to give audit feedback to or review the audits of our IAs, *IF* I am also auditing! Tried citing it as a conflict of interest.

    Well, I'm still auditing, providing feedback and reviewing audits.
     
    normzone and Andy Nichols like this.
  20. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Sadly, too many CB auditors - even if they also function as consultants - don't know, or have ever contemplated, how their audits are different to the internal audits organizations should be employing. Of course, that's in part, due to the fact that Lead Auditor training is the only training they've ever undertaken and, worse, some CBs provide such training, without having instructors who understand the differences. Add to that the fact that many internal auditor training courses are simply a stripped down version of the LA course and guess what you get?

    Add to that basically flawed situation, the auditors who audit on "gut feel" instead of objectivity themselves...