
Creating an Internal Audit Program That Works for Your Organization

Discussion in 'Process Audits and Layered Process Audits' started by RoxaneB, Oct 20, 2015.

  1. MarkMeer

    MarkMeer Well-Known Member

    I know the feeling...
    With regards to Internal Audits, I don't see the "conflict of interest"... Senior management is (presumably) interested in company improvement, and the purpose of IA is improvement, so there really should be no "conflict".

    It seems as though certification has poisoned internal audits. There is only a "conflict of interest" if senior management is interested only in maintaining certification. ...otherwise, the situation is exactly the opposite: senior management is in the BEST position to conduct internal audits because they a) have in-depth knowledge of company goals and idiosyncrasies; and b) have the most incentive to use IA as an improvement tool...
     
  2. normzone

    normzone Well-Known Member

    I was going to begin a new thread, but this seems like an appropriate place to capture this - although I'll use my intended title here:

    " Internal audits as current state process maps ? "

    I don't know if my peers here will approve of my approach, but here's a data dump of how I'm currently using our internal audit program.

    The ISO 9001 requirements are broken down, line by line, into a group of audit checklists comprising how the corn goes through the goose here at our little operation.

    There is overlap between some of the process groups as appropriate - the whole shebang is sorted as:

    Customer Service
    Design
    Integration & Test
    Quality Assurance
    Monitoring Processes, Product & Equipment
    Sales
    Control of Changes, Documents & Records
    Management / Human Resources
    Purchasing

    These handles make it possible for me to present the internal audit process as readily recognizable functions to my team of internal auditors, all either drafted or recruited. The attrition rate varies based on attitude, aptitude, and available bandwidth. I have an ever-shifting roster of prospects, rookies, and veterans.

    It's double or triple work for me - instead of conducting the internal audits myself, I train and accompany auditors through their audits, ask them to write the reports and then I edit the reports and explain to them why I made the additions or changes I did. I try hard not to crush their spirits, and encourage them to make decisions regarding documenting findings as nonconformances, encouraging the auditee to correct issues on the spot instead of documenting the issue, or recording it as an observation. I reserve the option to overrule their decision if appropriate.

    The audits are emerging as a series of current state process maps, with detailed descriptions of how we meet customer requirements and all the ancillary work that entails.

    Each time an audit is conducted the previous audit report is reviewed and used as a model. Since we're an organization that only recently emerged from the primordial ooze and began experimenting with legs, a detailed look at the process and its supporting documentation is required since " please listen carefully, as our options may have changed ".

    Objective evidence is cited for each claim of conformance to or noncompliance against the ISO 9001 standard and our own process documentation.

    Am I doing it right, or is this way off the mark for what you folks would expect ?
     
  3. Andy Nichols

    Andy Nichols Moderator Staff Member

    Norm: Great description of the current state of play with your auditor resources. As a starting block, however, I wouldn't begin with "ISO". What I think you have described seems, at least from what I've garnered to be a pseudo-CB audit. That's where I experience/believe there's a fundamental shift required to help the organization get out of the ooze and well on the way to the 1st century AD!
     
  4. normzone

    normzone Well-Known Member

    I have the usual challenge of conducting our internal audits in a manner that our ISO 9001 external auditor is unable to find fault with - by documenting the correlation between our processes and the elements of the standard I attempt to achieve that.

    Once that hurdle is crossed, looking at our own processes with an eye towards eliminating waste and managing risk seems to be the next objective - is that what you intend by " fundamental shift " ?
     
  5. Andy Nichols

    Andy Nichols Moderator Staff Member

    You've got it! :D
     
  6. normzone

    normzone Well-Known Member

    I should have clarified in my initial post that I do stress this in my training for my internal auditors - We flat out tell the auditees " are there any process improvements you recommend ? Are there any good ideas you've been trying to get implemented but have been unable to get traction for ? "

    Then depending on the responses we get, we evaluate whether the idea is sensible or fanciful - Usually the process owners know what needs improvement, but sometimes they can't get top management engaged, or sometimes there are reasons why what seems like a good idea from their perspective will not work. I was trained that you always have to listen, and if you're unable to implement at the very least you are obligated to go back to the source and explain why it won't work, or where you were unable to get support.

    The pseudo-CB auditor approach also allows me to turn a trainee loose with what constitutes a map and a shopping list. I also stress that the audit checklist completion is a requirement of the audit, but by no means is it a limit to the audit - follow the audit trail where it takes you.

    Hmmm, how does that old wilderness saw go? " Take nothing but memories and photographs, leave nothing but footprints " ? How the hell do I paraphrase the equivalent for an audit? I may need to choose a different analogy. :D
     
  7. Andy Nichols

    Andy Nichols Moderator Staff Member

    Norm: Here's what worries me: Process Owners who aren't top management...

    Improvements are considered improvements unless top management see something in it for them! Everything else is change and change isn't good, in its own right. May I suggest that you revisit the whole process ownership idea? Then, instead of soliciting the voices in the wilderness for improvements (which will be perceived as "blah, blah, blah") go after (auditing) the processes which TELL YOU they need improvement to get the attention of Top Management (because you can assign $$$$ to the report)
     
  8. normzone

    normzone Well-Known Member

    Let me unpack that and see if I understand this the way you intend it...

    Let's start with the second word - did you mean "aren't"?

    I have a pretty close view of the processes, with about forty people in the company. But it's true that I focus on those process functions that I can justify getting involved with using ISO 9001.

    Dollars are a great way to get Top Management's attention. In a previous life I used to track nonconforming material not yet returned to the vendor first by quantity, then eventually by age, and nobody gave a damn. After I converted my data to dollars sitting in a cabinet first there was a lot of shouting and shortly afterwards it became somebody's problem. " I don't know what you did, Norm, but I just got a new assignment ".

    Are we talking about the same thing but perhaps I'm not communicating it clearly from my end? Not every process I can affect can be quantified as $ - although it can usually be viewed as risk reduction or more reliable end result.
     
  9. Andy Nichols

    Andy Nichols Moderator Staff Member

    Yup, Norm. Process owners ARE top management. It's they who get held accountable for the performance of the process (one way or another). If they have control over budget, they OWN the process - no one else. And budget is the key. Your example is a good one. I've done the same thing. Except the people (top management) who started trying to minimize the $$$ with much obfuscation etc. and did nothing, no longer have jobs...
     
  10. David Graham

    David Graham Member

    Solution #1 | There is nothing that says an internal auditor needs to attend an externally-provided session. Organizations can develop their own training courses. Heck, maybe WE should here on QFO...just an idea. Might help out the smaller organizations and is a potential revenue stream to support QFO...

    I have developed Internal Auditor Training for my company, and I provided multiple choice exams and essay exams to keep my auditors current on not only our standards and regulatory agencies but to be intimate with our business processes that make up our QMS, after all we audit our business to ensure we do what we say we do. I have had military auditor training and QMI training, but I have always walked to the beat of my own drum. I always pass the Registrars audits, they are not overly fond of my program but they accept what I am doing as my audit schedule is based on critical areas as revealed by data.

    Opportunity #2 | Auditor not given enough (or too much) authority

    Solution #2 | Authority to do what exactly? Identify findings? This is, in my opinion, the secondary objective of an auditor. The primary objective is to highlight strengths. Let's recognize and celebrate the good stuff. Too often, auditors and organizations forget about this. However, while auditors have the authority to identify gaps and/or nonconforming activities, they do not have - nor should they have - the responsibility to correct them. This is oftentimes missed by organizations. The lead internal auditor and/or owner of the auditing process may also have the authority to identify, summarize and analyze audit results and responses to audit findings. Again, however, it is not - nor should it be - the responsibility of this individual to correct...unless the issue lies within the audit process.

    Absolutely, it is not my role as a lead auditor to fix the errors I sometimes come across. That lies with the process owner. My job is to present facts, not my feelings, facts, supported by objective evidence. I cannot worry about how the audit is taken. It is also my job to follow up on observations to see if CA has in fact taken place. Authority is not important to me, what is important for me as an auditor is independence from influence. As for audits and audit reports we always, under my term as QM, identify the process audited, the scope of the audit, best practices, and then findings.

    One of the best compliments I have received came from my Director who stated that he has never seen me auditing but the audits were always done and never intrusive, and that the auditees have often commented on how well we prepared for our audits and how professional myself and staff have been. We never stopped the machine from running as we audited.

    I spend a lot of time observing our work processes, I engage staff casually every day, asking how things are going, are there things they need, better ways of doing things. I guess I really never stop auditing.


    Opportunity #3 | Lack of resources to establish effective internal audit schedules

    Solution #3 | In my opinion, creating the schedule isn't held back by a lack of resources. Commitment and communication seem to be more likely reasons that a schedule isn't properly developed. Unless, this is an area where auditors lack authority (i.e., the ability to, if necessary, forcibly develop a schedule). The lack of resources happens in the prepping, conducting and reporting phases. If internal auditors are pulled from other departments, conflicting priorities may restrict their ability to dedicate the appropriate amount of time and focus to effectively complete each phase so that the organization gains the most from the audit. This can lead to belief that audits are simply a pencil-whipping exercise.

    I agree 100% with your response. I develop my

    Opportunity #4 | Poorly communicated goals and benefits

    Solution #4 | Change management. Change management. Change management. If you're trying to sell your organization on the value of a robust, meaningful assessment program, you better understand and articulate the goals and benefits in such a way that it resonates with people. As Simon Sinek says - "People don't buy WHAT you do, they buy WHY you do it." Why should anyone care about audits? Why are audits a value-added activity? If you want people to drink the Kool-Aid, you better make it tasty!

    Opportunity #5 | Because goals and benefits are not communicated effectively, the perception and response to internal audits are tepid at best.

    Solution #5 | Keep it simple. There is no need to bog the entire organization down with the details of checklists and matrices and requirements. Get them excited on the WHY...briefly explain the HOW...bullet-point the WHAT. Any initiative, be it internal audits or doc control or a brand new product line, should follow the Why-How-What sequence. I also recommend an elevator pitch. If you've looked for a job over the past few years, maybe you've heard the importance of developing a 30 second "Why You Should Hire Me" or "Why I'm the Best Candidate" speech. It even comes in handy at networking sessions. Try developing one for a beneficial, effective, efficient, robust (hey, that spells BEER!) audit/assessment system. I'm willing to bet that kind of messaging will not only stick with people, it will resonate and they may even want to know more.
     
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    Audit "schedules" aren't required! Coming up with some 12 month calendar of audits and expecting management to resource them is missing the point... If each audit is focused on something management WANT to know about, that will drive support for the necessary resources...
     
  12. David Graham

    David Graham Member

    Andy what you quoted above were not my words, my response was truncated, it started out as "I agree 100% with your response. I develop my" it is found just below your quote. The rest of my thoughts went missing for some reason. So this is where I was going with my response to #3 above.

    My audits are based on our core processes, quality objectives that have been set for us by contract as a measurable (we are an incentivized program with DND) in relation to our core processes, process metrics analysis, the results of that analysis, management input, criticality of the process, the result of process change, the results of contract change, program changes resulting from new Allied defense departments seeking our repair capability (which I must say are considerable) and manpower turnovers, including follow up on previous observations. I plan out my audits and assign audits, I target specific months for the audits to be done by, that is the schedule I keep.

    I cannot agree with you thinking that I am missing the point of audits, my audits have supported management decision in hiring new staff to meet the work load (including one more in my department), I have performed audits as directed by management and I audit based on the trends appearing as a result of my data analysis.
     
  13. MarkMeer

    MarkMeer Well-Known Member

    Depends on your quality system requirements.

    For example, by ISO 13485:2003 - "8.2.2. Internal Audit...The organization shall conduct internal audits at planned intervals..."

    I'd interpret this as involving some sort of "scheduling", and in that sense, audit "schedules" are required in our system...
     
  14. Andy Nichols

    Andy Nichols Moderator Staff Member

    That's a common misinterpretation, based on what CB auditors often expect (it's the same words in ISO 9001, too as well as other Management Systems audit requirements).

    In the past versions of ISO 9004 it gave some useful guidance on this too. I've had successful registrations without filling a calendar full of audits which forced an auditor to turn up and look at a process maybe several months too late!
     
  15. normzone

    normzone Well-Known Member

    " I liken an internal audit program to the preventive maintenance program. If it is effectively managed, there is a lot of value to be gained by it..."

    I like this approach. Posters above are correct in that the auditor training commonly available does not address auditing outside of the CB standard compliance model.

    That model is a valuable starting point, but expanding the internal audit into " what's best for the organization ? " has not been defined in a user friendly manner yet. That will be an interesting transformation.