Does ISO 9001 Audit fit in within the Corporate Internal Audit department?
gg-audit 3rd May 2007, 09:22 PM I am new to this forum, and to the ISO 9001 world. Let me give you a brief description of how our Internal Audit department is structured, and I'd really appreciate your thoughts on whether you think the structure is effective or harmful to the certificate.
I work for a large service company that has a single corporate Internal Audit Department with 150+ auditors who perform audits of the internal control environment for financial, operational and IT processes/systems (are the controls adequate to prevent, detect or correct problems). Several years back, a small group of ISO auditors were restructured under the IA department. It used to belong to a Quality Department, but that was basically done away with and the "auditors" needed a home.
A new member of management wants to "integrate" the ISO audit function into the "typical" audit function thinking it will increase coverage, and since the auditors are already in an area, why not do some review against the ISO standard.
And I can buy that, but what I can't get on board with is completely losing the expertise of the ISO auditors and letting 150 people with very limited exposure and understanding of ISO be "let loose". I'm afraid we are diluting our efforts for no real reason. The ISO program has been extremely successful in the past, and I feel like we are being forced to change for no reason. For those of you that are familiar with IIA (Institute of Internal Auditors) standards, these ISO audits are now going to have to abide by IIA stds, which requires statistical sampling and over-scrutinization of the audit work. Our ISO auditors can crank out audits in 80 hours, but abiding by these stds will probably double their time, which in effect, makes them half as productive.
Has anyone else seen this integration and has it worked? If so, what were some key aspects that helped it work?
I'm really looking for validation that this is not the right avenue to pursue, but I'd like to get your objective opinions.
Thanks in Advance!
Randy 3rd May 2007, 10:03 PM 1st let me say Welcome to the Cove:bigwave:
2nd...What you are asking about is nothing new or something that hasn't already been done 100's of times already across the globe.
Here's a big secret...please don't tell...ISO Auditors aren't any better, smarter, or more capable than any other type of auditor...They just like to think and portray that image.
All you really need to do is make sure that whatever auditor you use possesses the requisite competencies and that the objectives, scope and criteria of the audits to be conducted are clearly defined and understood.
That's it, and it ain't nuttin' but a thang.;)
Jennifer Kirley 3rd May 2007, 10:06 PM Welcome to The Cove, GG! :bigwave:
The management person who said your company's IA members can just swing into doing ISO audits apparently has little idea of what goes into said audit.
That doesn't mean these people couldn't do the work; it means I doubt they're any more ready than I would be to say, "I think I'll go do a financial audit now." I'd have to learn some things, like accounting... :notme:
My recommendation is to press for Lead Auditor training for each of these persons.
But why do that when you already have internal auditors?
It seems common for some people to think, "Since you're there, you can just do this extra audit," perhaps in the same basic time frame but maybe with just a little extra time. What such a person is forgetting is that the time is going to be taken away from the regular auditing work. Can't stop the clock, ya know...
Auditing corporate operations is a little different from auditing production processes. If the corporate folks are being pulled into the audit schedule for the first time (I've seen this) they'll need to start from the beginning and be led through how their activities fit into a quality system. This handholding is not the job for someone who is inexperienced in the quality discipline.
Doing all that hand holding (making them ready for a registrar's visit or an audit by some other outsider) can perhaps take 80 hours, including the time to make process maps, flow charts and maybe turtle diagrams, plus coaching them on how to answer the auditor's questions (don't babble, don't go off on this or that tangent). Normally, however, auditing a department for ISO shouldn't take anywhere near that long. Oh my, no.
Nor am I familiar with the need to take a large sample, or hold yourself to any statistically designed audit method. I'd like to know why ISO auditing is being held to IIA standards. It's not a regulated function.
Key aspects to make it work are, as I mentioned, being willing to behave as internal consultant for corporate support functions being audited for the first time. What also works is competence, which is required for registration...proven in ways like passing an ISO Lead Auditor class and/or certifying for Quality Auditor with American Society for Quality. The auditor might as well be competent at the git-go.
I hope this helps!
Jennifer Kirley 3rd May 2007, 10:08 PM Here's a big secret...please don't tell...ISO Auditors aren't any better, smarter, or more capable than any other type of auditor...They just like to think and portray that image. Well then! I guess I am feeling pretty full of myself. :lol:
Randy 3rd May 2007, 10:17 PM My recommendation is to press for Lead Auditor training for each of these persons.
Auditing corporate operations is a little different from auditing production processes.
What also works is competence, which is required for registration...proven in ways like passing an ISO Lead Auditor class and/or certifying for Quality Auditor with American Society for Quality. The auditor might as well be competent at the git-go.
Why a Lead Auditor class Jennifer?
The only real difference between corporate and production auditing is the conference room and maybe lunch.
Passing a Lead Auditor exam means you pass, not that you are competent.
gg-audit 3rd May 2007, 10:32 PM To address the training issue, we are having one of our Lead Auditors train the corporate internal auditors. But in only a 4 hour class. Basically giving them the ISO 101 class. To train 150 people by an accredited Lead Auditor instructor would cost more money than management's willing to spend, and take too much time away from the "real" audit schedule...i.e. financial risk areas.
gg-audit 3rd May 2007, 10:35 PM Here's a big secret...please don't tell...ISO Auditors aren't any better, smarter, or more capable than any other type of auditor...They just like to think and portray that image.
The opposite is true in our company...the corporate IA's think they are better than the ISO auditors. So I don't think they will spend very much time really looking at the elements of the standard like a qualified ISO auditor would. They'll gloss over it, to get to the important stuff...regulatory risk, financial risk, etc.
Jennifer Kirley 3rd May 2007, 11:00 PM Why a Lead Auditor class Jennifer?
The only real difference between corporate and production auditing is the conference room and maybe lunch.
Passing a Lead Auditor exam means you pass, not that you are competent. If they specialize in financial audits, it's a different world.
Like GG said, without understanding what needs to be done, they may just skim over it and get to the "real auditing" work.
I suggest a lead auditor's class as a fast introduction. A person needs some knowledge of quality systems.
Jennifer Kirley 3rd May 2007, 11:03 PM To address the training issue, we are having one of our Lead Auditors train the corporate internal auditors. But in only a 4 hour class. Basically giving them the ISO 101 class. To train 150 people by an accredited Lead Auditor instructor would cost more money than management's willing to spend, and take too much time away from the "real" audit schedule...i.e. financial risk areas. Yes, it's the desired answer for a question that was frankly a set-up. The logical idea is to use the qualified auditors you already have.
Jennifer Kirley 3rd May 2007, 11:10 PM The only real difference between corporate and production auditing is the conference room and maybe lunch.
Passing a Lead Auditor exam means you pass, not that you are competent. I don't agree with the first one, but I do agree with the second one, especially if the corporate types have not been through the ISO process before. The blind leadeth the blind...:cool:
Although I want to keep in mind we know almost nothing about these people, we do know how wide the range of auditing skills can be. My understanding was that these corporate auditors are financial types and IS. To audit ISO, a person needs some experience with quality, don't you think?
BradM 3rd May 2007, 11:14 PM Hello, GG! If you don't mind me calling you that! :)
First, by reading the comments in your posts, I have a feeling you have been in the auditing arena for a while. The Cove would welcome your input/opinions on the other posts. We hope to see you around some more.
You state that the internal audit program to date has been successful. Can you measure that success? Can you provide dollars of what the internal audit program has saved/made?
As far as the additional IA requirements... Is that an additional requirement for the scope of work they were doing, or is it a certification/group of people requirement? Could you provide a cost estimation to your managers of what it will cost additionally to perform the additional IA requirements for ISO internal audit activities?
It would be an intriguing drill to have IA auditors (like next week) audit area A, and ISO auditors audit area B. Then have them switch. I bet there would be a vast discrepancy in findings and concerns. Not good or bad; just different.
I guess I get bummed out when questions in posts start with "manager wants to...", as they are management. However, any decent manager is driven by numbers and cost. Just wondering if you might be able to get the additional expenditures caused by this idea and promote the idea of not combining them.
To your point... If you ever watch UFC, they will always talk about fighters cross-training. However, when it comes down to it, the fighter will always revert to their basic/core type of fighting. Those IA auditors can get some ISO-type training all day long. But without retraining and reinforcement, their auditing style will revert to what they are comfortable with.
Sidney Vianna 3rd May 2007, 11:20 PM They'll gloss over it, to get to the important stuff...regulatory risk, financial risk, etc. Any meaningful audit should use risk assessment as an underlying approach. Maybe your internal auditors don't realize the fact that one of the largest risks an organization might fail to manage is keeping customers happy in a cost effective manner. If you fail to retain your customers and/or attract new ones, you won't have financial and regulatory risks to assess because you won't have a business to run.
Allowing unqualified people to audit systems they are not competent to assess is not only a waste of time, but a counterproductive approach.
Most large organizations want to reduce the number of internal and external audits they endure. So, multidisciplinary and integrated management system audits are a welcome initiative. But auditor and audit team competence to handle such complex audit approaches is a must.
Randy 3rd May 2007, 11:54 PM If they specialize in financial audits, it's a different world.
I suggest a lead auditor's class as a fast introduction. A person needs some knowledge of quality systems.
Yeah you're right, I wouldn't know anything about Financial auditing and its relationship to systems auditing with just an MBA specializing in Finance Management.:confused:
As for knowledge of quality systems from a Lead course? I dunno, I've always thought those courses were more about auditing. :confused: :confused:
Jennifer Kirley 4th May 2007, 09:37 AM Yeah you're right, I wouldn't know anything about Financial auditing and its relationship to systems auditing with just an MBA specializing in Finance Management.:confused: One of the tricky things here is how little we know about the people discussed in these posts. They could be ready to go for ISO auditing (just add water and stir vigorously) or they could know next to nothing about quality systems. I can't tell from here. As for knowledge of quality systems from a Lead course? I dunno, I've always thought those courses were more about auditing. :confused: :confused: Well, it's not much but the idea was to introduce the financial auditor to the methods ISO auditors use: how to plan a process audit, ask questions, analyze responses for compliance, do follow up and report based on ISO. But maybe they already know all about it. I don't know, but I got the sense from GG that they're not ready to switch back and forth.
Maybe my problem is that I have been mistaken about two things from the outset. First, I thought we were discussing a company trying to use auditors for Sarbanes Oxley to do ISO audits. Second, I thought auditing for Sarbanes Oxley would be a different sort of audit than for ISO.
If I'm wrong about these two things then I am just wrong in the whole thread.
One thing that occurs to me is a guess that your extensive qualifications may give you the sense that these audit things are easy for the rest of us too.
Randy 4th May 2007, 10:01 AM First, I thought we were discussing a company trying to use auditors for Sarbanes Oxley to do ISO audits. Second, I thought auditing for Sarbanes Oxley would be a different sort of audit than for ISO.
If I'm wrong about these two things then I am just wrong in the whole thread.
One thing that occurs to me is a guess that your extensive qualifications may give you the sense that these audit things are easy for the rest of us too.
1st..You're not wrong at all, but now you may be a bit stimulated..woo, woo
It all boils down to the same thing, regardless of type of audit or whatever:
1. Competence of the auditor in being an auditor;
2. and well defined objectives, scope and criteria for the auditor
Auditing isn't much different than a detective conducting an investigation, both tasks are a search for evidence (Did I mention that I also studied Criminal Investigation at the FBI Academy in Quantico and taught it as well?)
:topic: On another subject...Jennifer, how is your work going?
HSSE Auditor 4th May 2007, 10:06 AM Auditing isn't much different than a detective conducting an investigation, both tasks are a search for evidence (Did I mention that I also studied Criminal Investigation at the FBI Academy in Quantico and taught it as well?)
There is a difference. You are correct that they are both looking for evidence; but the auditor is looking for evidence of innocence. :notme:
Jennifer Kirley 4th May 2007, 10:16 AM 1st..You're not wrong at all, but now you may be a bit stimulated..woo, woo Well, whew.
It all boils down to the same thing, regardless of type of audit or whatever:
1. Competence of the auditor in being an auditor;
2. and well defined objectives, scope and criteria for the auditor
Auditing isn't much different than a detective conducting an investigation, both tasks are a search for evidence (Did I mention that I also studied Criminal Investigation at the FBI Academy in Quantico and taught it as well?) Yes, this is all true. I also think your studies in investigation may have helped develop your competency, which I'd like to acknowledge is vast. I wonder how much of this sort of thing those financial and IS auditors have?
Auditing isn't rocket science anyway. Some people can do it with talent and/or the aggregate of their schooling and work experiences, while others need specific training. Get the unschooled, uninspired and unskilled in there and you'd just have a bunch of checklists with Yes and No in them. Why bother?
All in all I think it will come down to how well the audit program is managed. If there's no one at the wheel who knows much about quality systems, no one may know if the auditors are competent or if the audits were done properly.
Last thing I wonder about is the what-next of managing corrective actions...hmmm.
Jennifer Kirley 4th May 2007, 10:38 AM :topic: On another subject...Jennifer, how is your work going? Forgot to answer this one. Very well, thanks, though I guess that perspective depends on which side of the CA one is on... :D
There was a lot of compliance auditing happening here before I got in and churned things up. I am enjoying being able to use all of my training and experience--quality, environmental and safety, even the education skills help in less than obvious ways.
Benjamin28 4th May 2007, 10:41 AM Well, I'm certain that the system won't suffer much if all these corporate auditors are Inspector Gadget clones...and a 4 hour "okie dok you're ISO pros" training session is indeed all they'll need to be experts in quality systems.
Jennifer's suggestion is appropriate, and the question posed in the original post reflects those same concerns. Whatever they do, these auditors won't be able to offer comparable results to the ISO experienced auditors. Integrating the two types of audits is not necessarily a bad idea, but replacing the ISO auditors with personnel with minimal ISO experience, that is a bad idea. I agree with Jennifer though, to make this transition functional and useful the organization should first ensure that their corporate auditors are trained and competent in quality system audits, unless of course they just don't care what kind of results their continual improvement process achieves.
gg-audit 4th May 2007, 11:04 AM All of the comments have been great...thank you all for them.
My biggest concern was addressed in the last post...that the corporate auditors don't care about quality audits or continual improvement. Their primary focus, and training, has always been to look for controls...are they there and are they working. They really don't care if the department has documented processes and are following them...or what their performance metrics are and whether they are improving or not.
Can they be trained? Sure. But when it comes time to scope an audit, and they only have so many hours to dedicate to the project, which steps do you think will be the first to get cut? Not the steps testing controls...that is too important to the financial continuity of the company (big exposure if they find fraud or a major control issue that causes loss to the bottom line). The quality steps will be cut. And that's even in the short term, after they've all been trained and quality is fresh on their minds. What is going to happen 2 years from now, when quality isn't on the fore-front of their minds?
Another issue we are dealing with is the reporting structure. The corporate audits are seen by basically every top executive at the company and the Audit Committee of the Board of Directors. Our ISO audit reports have been held at the local management level to provide lay terms to those who understand them the most and where the report can add the most value. Having that level of exposure at the highest levels will add time to the reporting process to make everything read just-so for an audience of uninformed readers. Will the local management gain any value out of those types of reports?
Your comments are great!! I REALLY appreciate them!
gg
Randy 4th May 2007, 11:19 AM Another issue we are dealing with is the reporting structure. The corporate audits are seen by basically every top executive at the company and the Audit Committee of the Board of Directors. Our ISO audit reports have been held at the local management level to provide lay terms to those who understand them the most and where the report can add the most value. Having that level of exposure at the highest levels will add time to the reporting process to make everything read just-so for an audience of uninformed readers. Will the local management gain any value out of those types of reports?
Your comments are great!! I REALLY appreciate them!
gg
Whoa, whoa, whoa!
Are you saying that the results of your system audits are not forwarded to your Top Management? As said in the movie The Music Man, "trouble in River City".
Did you also say that they are uninformed? I wonder why that would be considering your quote above?
Anybody care to get on board with this one?
Benjamin28 4th May 2007, 11:30 AM Perhaps the root cause of top management making this decision is that they are not in the loop when it comes to ISO compliance, continual improvement issues, improvements and benefits gained from your ISO audits?
I definitely agree with Randy, top management needs to be involved and informed or they just might make some bad decisions....
gg-audit 4th May 2007, 11:33 AM Are you saying that the results of your system audits are not forwarded to your Top Management? As said in the movie The Music Man, "trouble in River City".
The quality audit reports are sent to the director over the area, and his executive management chain. We are a large organization, so no, it is not sent to every EVP in the company. Again, the reports are very specific to that area...they aren't a representation of the quality system in every area, so the audience is more targeted to those who need to know and can fix the problem. We've been ISO certified for over 10 years now, so we very very very rarely have anything more than a 'requires correction'. If there was a significant problem, wider distribution may be warranted.
gg-audit 4th May 2007, 11:38 AM Let me throw another curve ball at you. As I mentioned in a previous thread, the company had disbanded its quality organization years ago. They are now restructuring it to be reporting to the highest levels of the company. Because of the current migration towards integration with corporate audits, and my fear that ISO audits will be diluted and even less of a focus for executive management, I've been thinking we need to move into the quality organization. It would provide us visibility once again at the highest levels. And we have other Operating Companies we'd like to get certified, so we could be given the resources we need if ex mgmt is aware of what we are doing. Do you also think we should report to the Corporate Quality organization, versus the Internal Audit organization...knowing the IA focus is not on quality??
Jennifer Kirley 4th May 2007, 01:11 PM Audit results are reported in the manner that reflects the system's performance, compliance, effective responsiveness to problems, improvement trends, open actions and stuff like that.
Immediate managers should get the audit reports. If the details are of interest to higher persons in that department or area, the audit report can go higher.
Site management should get results of the audit program as I described in the top paragraph.
More distilled numbers should go higher, and make connections to how the audit results reflect the organization's policy, goals and objectives, strategy and vision. The audit results could be compared from site to site, but only if the same auditors are doing the assessments--or the audit results are reflecting variations in auditors and not auditees.
I didn't get the part where immediate management is being kept informed with the intent to act on results of audits.
Jennifer Kirley 4th May 2007, 01:16 PM Let me throw another curve ball at you. As I mentioned in a previous thread, the company had disbanded its quality organization years ago. They are now restructuring it to be reporting to the highest levels of the company. Because of the current migration towards integration with corporate audits, and my fear that ISO audits will be diluted and even less of a focus for executive management, I've been thinking we need to move into the quality organization. It would provide us visibility once again at the highest levels. And we have other Operating Companies we'd like to get certified, so we could be given the resources we need if ex mgmt is aware of what we are doing. Do you also think we should report to the Corporate Quality organization, versus the Internal Audit organization...knowing the IA focus is not on quality?? I would share your concern. While it's popular and good to make quality everyone's business, there should be a center for audit management that is not beholden to the results. For that obvious reason the function's management should be in the quality group.
Less than obvious reasons include the tendency for people to focus the most energy and devotion to their main interest. Also, conflicts and pressure can result in corrective action management if it's not independent.
vanputten 4th May 2007, 03:40 PM In my opinion, and this is a huge stereotype but it is my personal experience....
Financial auditors tend to be product auditors. They audit the output of the processes and not the processes themselves. They audit the books, reports, 10K and 10Q reports. With the introduction of Sarbanes Oxley, financial auditors are starting to look at the processes behind the product (reports).
The functions can effectively be combined. Our organization did. The ISO internal auditors perform the SOX audits. We are the reverse of what is proposed at your organization.
Regards,
Dirk
qualityboi 4th May 2007, 03:47 PM We are having our first joint Financial and Quality Systems assessment. The differences I am learning are:
Finanical audit reports go to the board of directors (we are hoping to leverage that reporting route by doing a joint report)
Quality System audit reports rarely go to executive level management; only aggregate reports during management review get to the executive level, and often it's only one executive.
Financial audits at my company take a siloed approach to controls, they are more used to doing department based audits and have no concept of the process audit or the whole being greater than the sum of the parts.
The FMEA risk assessment tool does not show cost as a risk...maybe we should add another column?
Neither audit entity can find a company metric for planned vs. actual ROI per new device; we are sure it's out there...somewhere.
All of this is helping us to embark on a concept of not just process and product defects (called excursions) but "business excursions" or costly "defective" decisions. As long as there is mutual respect, a good audit methodology and plan, I think these audits can be well worth it. I have to say in my last company internal financial audit had no interest in quality system management audits. I am happy to see the change.
gg-audit 4th May 2007, 04:24 PM We are having our first joint Financial and Quality Systems assessment.
Who is performing the audit? Your quality system auditors, or financial auditors? Or have you created a mixed team with all experience?
Have your financial auditors received training on quality systems auditing?
Did you have a lot of changes to make to the financial audit approach, or was it pretty seamless?
I take it since this is your first integrated audit, then you are taking it slow, and only performing one integrated audit at a time? Versus trying to incorporate quality audits in with every financial audit at the same time. (for us, that could be about 20 large scale financial audits going on at one time, and I only have 3 trained Lead Auditors that could assist or consult with these teams)
I'm interested in the techniques that will make this work. I'm trying not to dwell on the negatives I see, so I think it will be good to learn best practices from groups like yours that have gone through the exercise.
CliffK 7th May 2007, 07:11 PM ISO 19011:2002 has a few things to say about auditor qualifications. Here's what caught my eye relative to this discussion:
7.3.3 a) Quality related methods and techniques...quality terminology...quality management principles and their application...quality management tools and their application ... spc, fmea, etc.
7.3.3 b) Processes and products ... sector-specific terminology ... technical characteristics of processes and products ... sector-specific processes and practices
What's the chance the financial auditors have this knowledge?
How much damage do you suppose anyone would do without it?
Heck, why not download the sample CQA test from asq.org and see how a few of 'em do. It might be very informative. I suppose it would be fair to benchmark against the ISO auditors, too.
Sidney Vianna 7th May 2007, 08:32 PM How much damage do you suppose anyone would do without it? Exactly. To have an assessment performed by people who are not competent/skilled/knowledgeable about the assessed subject can be more harmful than not having an assessment in the first place.
BradM 7th May 2007, 11:33 PM Heck, why not download the sample CQA test from asq.org and see how a few of 'em do. It might be very informative. I suppose it would be fair to benchmark against the ISO auditors, too.
It would be an intriguing drill to have IA auditors (like next week) audit area A, and ISO auditors audit area B. Then have them switch. I bet there would be a vast discrepancy in findings and concerns. Not good or bad; just different.
Great suggestion, Cliff! Notice how great minds think alike!!:lol: