1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.
  1. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Too many Internal Auditors have been trained using the wrong audit model! Too many Internal Audit programs are failing because auditors were taught to emulate CB audits. Too few Organizations see any reason to do audits except to pass CB audits. Too many CB auditors (who got the same training) accept lack luster Internal Audits because they don't know any better. Time to change the focus of Internal Auditor training courses and the delivery of same! As they say, "when you only have a hammer..."
     
    John C. Abnet likes this.
  2. Bev D

    Bev D Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    605
    Likes Received:
    663
    Trophy Points:
    92
    Location:
    Maine
    I so agree with you. I know the standard says to audit for compliance but this is redundant to external audits and pretty lame. It drives trivial annoyance NCs and we then completely ignore ‘auditing’ for real improvement: lessons learned, monitoring data for effectiveness of processes, et. The current method enables quality leadership to avoid leadership.
     
    John C. Abnet and Andy Nichols like this.
  3. S1D3K1CK

    S1D3K1CK Active Member

    Joined:
    Nov 5, 2018
    Messages:
    73
    Likes Received:
    26
    Trophy Points:
    17
    Location:
    The Central Valley

    I agree! I am actually trying to push for better audit training in our MRM's. We went from our internal auditors answering "yes or no" with no specifics, to having an external consultant conduct the internal audits. Our "audits" were "acceptable" to a CB auditor because most of our NC's were 'caught and in-process to improve' (but rarely fixed, just swept under the rug) prior to our main audits. NO! I don't like that, for the sole reason of the consultant doesn't fully understand our operations as we do. It's time to upgrade and improve.
     
    John C. Abnet and Andy Nichols like this.
  4. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    Change it then. You started a blog on here...why not use that as a platform to start not just advocating for change but also offering a solution or two (including not just what to do, but also how to do it)?

    One of those leadership mantras is "Don't come to me with problems...bring me solutions, too." I'm sure with your experience and knowledge, you could develop a solid framework and even a prototype for delivering the necessary skills.
     
    John C. Abnet and Eric Twiname like this.
  5. Eric Twiname

    Eric Twiname Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    329
    Likes Received:
    232
    Trophy Points:
    42
    Location:
    Northeast USA
    My Dad's boss (it's that old) had a sign over his desk...

    "If you aren't the solution, you're part of the problem...there is no middle ground."
    Amen to Roxane's post.

    (My sign said "If you're not part of the solution, you're part of the precipitate."...didn't pack the same punch, but was funnier...)
     
  6. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    Well well, @Andy Nichols ;
    Looks like you've successfully kicked the nest again my friend.

    In general, I agree with your assessment. I believe, however, as with most "things", it goes back to an organization's leadership (or lack thereof).

    As many of you on this thread, I have endured countless audits, performed countless audits (within my orevious organizations and for my clients), and trained individuals to perform audits.

    From my experience,...

    1- Many organizations do not invest the time - effort- $ , to ensure that within their organization's there is a proper understanding of the intent and purpose of a QMS (all to be saved for a different conversation).

    2- SO--- it starts with poor vetting and/or assignment(s) related to "1". Some poor guy/gal is assigned as the whipping boy or girl, with little or no training, experience, or understanding.

    3- Individual from "2" barks at leadership and says "STANDARD REQUIRES WE HAVE TRAINED INTERNAL AUDITORS" (not "wrong", to have "trained" internal auditors, but....that brings us back to the OP.)

    4- Leadership fails to vet and /or invest in individuals selected (voluntold), who are then sent out to sit through a 3-5 day immersion into the standard (again, not "wrong", but to @Andy Nichols point, this does NOT prepare a poorly chosen or ill-equipped individual to become a proficient and competent internal auditor).

    I have an internal auditor curriculum (this was not intended as a plug) which I offer to my clients. My goal (intent) is to approach all attendees assuming auditing and the personal interaction needed are NOT part of their existing skill set. In other words, the curriculum assumes that many (most?) of the attendees have....
    a) no basic understanding of the INTENT of the standard (much more important than a line for line memorization)
    b) no exiting auditing skills.
    c) insufficient INTERPERSONAL relationship skills (i.e. those needed to be a successful auditor)
    d) a desire or passion to be an internal auditor.
    e) a "real job" on an existing hamster wheel of activity without being afforded the time needed to perform proper audits.

    For these reasons, much of the auditor training I lead focuses on the broader intent and purpose of the standard. i.e. preparing the individual for....
    - how to interact with their peers (who may not respect them)
    - how extract information without being locked into some sort of checklist
    - how to avoid defensive responses (i.e. deescalate)
    - how to follow answers to questions
    - etc..etc..etc...

    So, back to the OP. While I agree completely with @Andy Nichols that there needs to be a different training/preparation for INTERNAL auditors vs 3rd party auditors, it goes beyond the type of auditing that is taught/performed. It has (in my experience) MUCH more to do with the individuals we select and prepare. And that, my friends, points the finger directly at leadership.

    Hope this helps.

    Be well.
     
    Last edited: Jan 15, 2021
  7. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I whole-heartly agree, @John C. Abnet (odd, that).

    I see the challenge being that, faced by leadership in this respect, the ISO 9001 requirements are both arcane and not an easy read to help management "connect the dots" across the requirements. Why is internal audit useful to them beyond being a) a requirement in 9.2 and b) being part of the Management Review agenda? If it's not clear to them what value the activity is (if ISO 9001 is a value, beyond getting certified), why would they take care to select the most appropriate people and ensure they got the most worthwhile training?

    My belief is based in human psychology: Management won't understand the value of audits as long as audits/auditors don't do anything to bring value to management. Since when did an internal audit program ever address the key areas of performance/risk/customer perception as a PRIORITY? Slim to none! When did auditors ever sit down with management to ask "Why do you lose sleep at night?" And then audit the process(es) to reveal the reasons? Never.

    Instead, internal auditors are trained to nit-pick ISO interpretations, to write corrective actions for "not following procedures" or something equally banal. This is, for the most part due to the wrong model of auditing being used.

    To Roxane's point: I do know how to fix it, I have been teaching a more effective model for years, however, part of the industry awareness is recognizing there's a problem. The bar is low - "What Have I Got To Do To Be Certified". Certified organizations don't want to change. CBs don't want to change (it costs too much, it's a commodity and hey, look how many happy customers we certified). So, I figure, the way to stimulate change is to address those who oversee/govern both the auditor qualification process and also hold the auditor training and course provider accreditation requirements to help them see the need for change after 25+ years of ineffectively addressing the needs of the market...
     
    John C. Abnet likes this.
  8. Eric Twiname

    Eric Twiname Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    329
    Likes Received:
    232
    Trophy Points:
    42
    Location:
    Northeast USA
    As covered in many other threads, my experience is rather different than yours...perhaps it can be a place or state to shoot for? Your call.

    "In my world", the internal audit has two purposes...(1) to make sure the system is running the way it should be, (2) to make sure that the governing docs line up to the way it should be...in that order.
    In this way, it "ensures compliance" to the desired state.
    If it is compliant to the desired state, ISO compliance is a shoo-in.

    I've said it before, but since nothing ever is perfect...the internal auditor should find stuff wrong. Real stuff wrong, not nit-picky stuff. If there are no real findings, they're fired and I'll get someone with better eyes.
    Each finding then gets assessed as to whether (1) we're doing it wrong (not the way desired), (2) the doc needs updating, (3) the auditor is full of it.
    Note that this does require the internal auditor to have a decent grasp of what "should be" looks like in the view of the process designer(s).

    Conclusion: the internal audit is one of the most valuable parts of ISO, or any QMS...it is the most thorough "Check" part of PDCA.
    It isn't about being certified, it isn't about ISO...internal audit is about finding what is not going as intended so it can be addressed...which increases NPAT. What top management doesn't get excited about that?
     
  9. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Who wants to be told that their process isn't going as intended? No-one I've ever met. I cannot agree that is the purpose of Internal Audit. My understanding (after giving it too much thinking) is it should be VALIDATION (y'know, the "independent" thing) that the process ARE being implemented as planned. My analogy is like the time you (or your kid) stays at their BFF's house and the other parents say how well you (or your kid) behaves. Your parents (or you) weren't there to control the behaviors, the process was followed which was how it was always intended... (if you get my drift)
     
  10. Eric Twiname

    Eric Twiname Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    329
    Likes Received:
    232
    Trophy Points:
    42
    Location:
    Northeast USA
    Eight people (me being #9) that I've met. The owner, and the directors whose bonuses were tied to NPAT.
    But we already know that your and my experiences are widely different...I offered what I did in case it might be helpful to your work.
    No one wants to be told "you're doing it wrong"...but it isn't about what people want...if you're doing it wrong, somebody better tell you or it wont change.

    I understand your "should"...mine is quite the opposite (also covered extensively elsewhere).

    Again "in my world", Internal digs the holes and finds the bodies....External (CB) is there for validation.
    Right or wrong, as originally intended or not...our way worked exceptionally well.
    Internal auditors were hated, CB audits were a breeze, customer audits were a breeze, and everyone was on the same page.
    I had a surprise TS16949 audit in a snowstorm where I wasn't going to be there that day...I showed up halfway through...zero findings and a compliment from the customer.
    {re-edit: we were not certified to TS16949...only ISO9001:2008 at the time}

    If you think it should be different and work to make it so...go for it. FWIW, our way never led to the annoyance I see in your threads...that's why I offer it to you for consideration.
     
    Last edited: Jan 15, 2021
    S1D3K1CK likes this.
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Advocating for Internal auditors to find things is a return to the bad old days of QC inspecting quality into the product! No wonder your internal auditors were hated! What a great story when recruiting people to participate. "You're gonna be hated for doing your job"...
     
  12. Eric Twiname

    Eric Twiname Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    329
    Likes Received:
    232
    Trophy Points:
    42
    Location:
    Northeast USA
    our company drastically needs this role filled because it is of paramount importance to us.
    ...and that's why why we are offering this lavish compensation package...that is how important this is to our business well being.

    Dude, I am internally auditing you and your posts for the last time. You are doing it wrong...and I am telling you so, for the last time...and no, I don't think you'll appreciate me saying so.
    You have become Sidney...such a waste of a wonderfully talented mind such as yours.

    You can appreciate it or not, you can correct it or not, there is no Top Management to hold you accountable.
    I am off this thread now, and will think three times before I join any thread you post on...as I do with Sidney.
    You already have my private contact info...and I am happy to talk with you privately, but I am through with sparring with your beliefs on forums.

    FWIW, I have been PM'd 3 times so far from this thread alone asking for guidance on how we did things that worked so well.... while you vent your annoyance with how your way doesn't work.
    You are griping, I am not. Please, please, please learn.
     
  13. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I am a firm believer that to get the best out of Internal Audits, the people who do them should have gone through some kind of qualification process (call it training if you will) more along the lines of a Six Sigma "Green Belt". We have come to accept and utilize 6S Green Belts for a very similar outcome as (some) espouse for Internal Auditors, that of Continuous Improvement. Indeed, LEAN/6S has become a common qualification and far closer to the actual skill set required for an Internal Auditor to be effective. Instead, the auditor training industry has plowed/ploughed s furrow which has barely changed in its focus since auditor training was launched - back in the mid-late 1980s. Speaking of blogs - I wrote about the benefits of Internal Auditors receiving LEAN training in my "other" blog, here https://www.the-center.org/Blog/September-2019/How-LEAN-Are-Your-Internal-Quality-Auditors

    From just the past four years working with many, many companies who implement ISO 9001, AS9100D and IATF 16949, both guiding them and training their auditors, it's clear (to me) that there's a lot of room for improvement in just the basics. CB auditors certainly don't understand or at least perpetuate ineffective internal audits. Many, many trainers never get beyond emulating those CB audits. And to get any change, there has to be an understanding of the existence of a problem...
     
    Last edited: Jan 17, 2021
  14. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    I agree. Having been an internal auditor for several years in Semiconductor (9k 14k, 18k and Process Safety), a 3rd party auditor for several years for the same standards, and now a 2nd party auditor in a medical device manufacturer, I can certainly appreciate the concerns involving competencies and performance of internal auditors and the programs in which they are performing.

    However, I also see management whose goals and targets include "Maintain ISO X001 certification" so what else should an audit group be expected to do in that case? This of course does not recognize whether or not the many Andy clients have a similar objective.

    Having been on both sides of the line, I can appreciate it is not easy for internal auditors to perform on both sides. While employed in Semiconductor, I can vouch that Quality Management wished I would do more technically oriented process audits. And that concern was valid, but that was not the objective I had been hired for and I was not an expert in Semiconductor process engineering. Nothing stops an organization from having different internal auditors support these different needs. What stops them is shortcomings in managing and resourcing these disciplines.

    What I am trying to say is: there is a place for both. An organization could have a cadre of 6S gurus and yet get their ISO certificates pulled. I have yet to see anyone deploy an internal auditor team with the extent and depth of skills described. I see internal auditors assigned as a collateral duty, or paid an Administrator's wage. Both are nearly guaranteed to return less than ideal results.

    If I had another 20 or so years, I would enjoy working in a job that values expertise in both management systems and process performance. I would really enjoy being fairly compensated for that. As it is now, I would like to see it even once. Management gets what they ask for and are willing to pay for.
    Just my 2 cents
     
    Andy Nichols likes this.
  15. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Oh, and it occurs to me that while CBs and their auditors are allowed to provide training, that compounds the issue of all audits looking like CB audits...
     
  16. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    How do you know it's a more effective model? What measures are used to demonstrate its effectiveness...and increased value to an organization?

    Going to be blunt here - your "other" blog was an article posted in September 2019, correct? That's a lot of passed time between then and now. Same for your blog on here. If you want to nudge change, it can't be a "one and done" type of communication. It needs to be constant and visual and loud and engaging and tell one helluva story.

    So, let's say you have some pretty impressive results in whatever measure(s) you have to show that your teaching model is more effective. Showcase them. Showcase how Company A was performing at a lower level prior to your teaching and then the results post-training (immediate change) and then the results in an ongoing manner (sustainable change). And repeat with Company B. And C. And D. And you get the idea.

    People go to CBs for training because that's what they know is offered. Alternate solutions are not too often shown to them and the ROI not effectively shared. To say the bar is low is an excuse, in my opinion. It puts the blame solely with the organizations. As we've said in other posts, you don't necessarily blame top management if they don't "get" the message...you change your message (e.g., how you say it, what you say, why you say it).
     
    Jennifer Kirley likes this.
  17. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    I hear this a lot, but let's remember that CBs don't get to tell organizations how they should be qualifying their internal auditors. The standards leave the methods up to the organization, and rightly so. The CB identifies how the organization qualifies its internal auditors, and verifies that they have done so. We really are not allowed to do more. As effectiveness goes, it's a judgment call unless I find numerous major things that internal auditors ignored. What are the Internal Audit process goals and targets? Management sets them and the tone with their type and extent of support; that is the beginning of function or dysfunction.

    As always, I look to the Internal Audit process owner and recall that I have 100% seen this as a collateral duty which naturally adds pressure to limit the time spent to focus on applying 6S principles and even continual improvement. I never see them use tools that would effectively help manage such an effort, and I very seldom see top management show more than a passing interest in the whole thing past maintaining the certificate.
     
    John C. Abnet likes this.
  18. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    If only that were true. Check out how many of them offer auditor training...
     
  19. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    I think I didn't make myself clear. CB auditors don't get to tell organizations what kind of training and qualification their internal auditors should get while auditing for certification/continued certification. I actually have very few clients whose internal auditors had commercial training. Most often they got some kind of internal training. Between that and the process manager's oversight, I can say the results have too often been mediocre. I should note that as an RC auditor, many of my clients are heavily regulated chemical plants so they place a greater emphasis on their internal auditor preparation than the others. As a Supplier Quality Engineer I can offer that I have not seen any improvement over what I observed in over 250 3rd party audits over a 7-year period.

    We should keep in mind that the CB internal auditor training offerings are clearly advertised to focus on helping the students support continuing certification to whatever standard. Managers and individuals pay for these courses with the clear understanding of this intent; nothing more is promised. If they also want 6S Green Belt-type training that's fine, but we should expect it to last more than a week because that's content added on to content and CBs might not reasonably be expected to offer it, however desirable it may be.

    In short, I do question whether the effectiveness problem is accredited internal audit courses offered by CBs. As usual, look to management for effective process designs and outcomes.
     
  20. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Whenever training about management systems are delivered, trainers will always reference the particular requirement/s of the subject standard. The problem is the requirements under the clause for internal audit has no provisions to explicitly prescribe the organizations to look for areas that should be improved or simplified. The intent is somewhat limited to obtaining information about conformity/compliance. So, auditors are mainly trained to look for evidences that the system is "running the way it should be". Auditors, including the auditees, practically based "the way it should be" on the statements of the relevant standard, regulations, procedures, policies, planned arrangements, planned results, planned activities, etc. So, even if the standard prescribes the internal auditors to get information to determine whether their system is "effectively implemented and maintained", this is still about fulfilling the planned results and planned activities.

    ISO 19011 may have guidelines about identifying opportunities for improvement. But, this is not mandatory. IMHO, the standard should categorically mention that internal auditors must look for areas for improvement/s. This will, in turn, affect the subsequent requirement on selecting auditors, which is just making sure that the assigned auditors are objective and impartial. Auditors must have competence as well on the function or process he/she is assigned to audit.
     
    Rico Dynamite and Andy Nichols like this.