Alternative Internal Audit Methods - Seeking Enlightenment

[CliffK]

Juliana,

Are you aware of Hoshin planning? There are some tantalizing possibilities in the goal/progress review cycle.

You can buy a pretty good handbook at TQE (I'm not affiliated) for pretty low bucks.

Also, how robust are your corrective and preventive action processes?

[Juliana - 2008]

CliffK
To be honest I had to look up "Hoshin planning". "Strategy Deployment" is something our corporate headquarters is just starting to implement across all company divisions. I believe that is what you call Hoshin planning. For a company whose motto was "Ready, Fire, Aim" for over 30 years, the shift in management principles has been quite a shock. I am not really familar with the theory specifically, although following PDCA to set, reach & maintain goals is the way I function and how I've been trying to get people to look at correction and process improvement for a long time. I will look up the handbook and see if it helps me in developing something for a system audit.

Our "documented" corrective action process is very robust and incorporates a very strong preventive aspect to it, as well as the check and act to maintain - in practice people do try but they have a hard time moving beyond just correcting the problem. Our preventive action process is another story, hasn't been used for over two years to my knowledge (other than as part of corrective action), went out the window with audits - if it was used I'd faint!

[AndyN]

Quote:

In Reply to Parent Post by Colpart

I don't know about the RAB criteria but the IRCA criteria for audit training insists on the use of ISO 19011 to structure audits. Whilst I support much of what is in 19011, I do not think much of it is applicable to most organisations when conducting their internal audits. It tends to suggest a very formal structure when often an informal one would work better.

I agree too. The use of ISO 19011 is a very 'nice idea' but it can't be a 'one-size-fits-all' guide. I would state here, that much is useful and should not be ignored, but there are also many aspects of ISO 19011 which are heavyweight and more suited to major supplier QA functions (does anyone have those anymore?) and registrars/CB's.

[CliffK]

Juliana,

Quote:

I am not really familar with the theory specifically, although following PDCA to set, reach & maintain goals is the way I function and how I've been trying to get people to look at correction and process improvement for a long time.

You have the basics right there, I believe. Policy deployment/Hoshin is a formalized PDCA system. A key feature, and the one most likely to be forgotten, is progress reviews against the objectives. These progress reviews can provide objective evidence that things are going as they ought to and are fixed when not.

But I don't think deployment reviews quite paint the whole picture.

Quote:

Our "documented" corrective action process is very robust and incorporates a very strong preventive aspect to it, as well as the check and act to maintain - in practice people do try but they have a hard time moving beyond just correcting the problem.

A strong corrective action process can fill in the blanks left by deployment reviews. The search for root causes should include a look at the "universal" elements of the quality system. Questions like these need to be asked (and should be part of the corrective action investigation in any case): did this problem come about or was it made worse because of poor document control? Could we prevent future recurrence by improving our document control system? Same thing for control of records, training and so forth.

The good thing here is that you can look at this data and get a pretty good idea of the health of the quality management system. And the data is nearly free. It's a by product of activities that people should be doing anyway.

I don't think this will work in all situations. You might want to do a traditional compliance/process audit on a new process. A compliance audit might give you some idea if a remote branch is following procedures.

Update: credit where due. A lot of this post is a synthesis of thoughts expressed on the cove, particularly in this thread, along with a few off-line conversations. My main contribution is impatience with traditional audit methods and the mashup.

[Helmut Jilling]

Quote:

In Reply to Parent Post by Denis9001

hjilling

Surely the key point is whether the audit was effective and not how it was done. If the audit was remote and the auditor never went onsite, that's irrelevant. BUT he should be able to show that the area being audited could be effectively audited remotely. I can see areas where it's not a problem eg management reviews could be done by teleconferencing and file exchange. But then there are obviously areas where it would not be. And let's not forget the nature of the business is important. I imagine an internet business could be audited entirely remotely.

Nope, must sincerely disagree. I'm a pretty darn good auditor, and very much into auditing for effectiveness, not just basic compliance. But even I can't begin to suggest that an audit from a remote distance would even remotely come close to doing the same level of review as an onsite visit. And I'm a full-time professional auditor. You are discussing internal auditors?

As a road warrior, I would love to believe it can be done.

There are too many audit trails, nuances, clues, etc that you only pick up when you are discussing things and looking around. Touching things, looking at people. There is a reason that business travel is growing even as technology is exploding. Why don't we just teleconference every meeting? Because a lot gets lost. Only a basic compliance audit can be done remotely.

Let's test my hypothosis. How were the audits effective? Of the last 3 audits that were performed this way, how many meaningful findings were identified. Meaningful findings that made the company better, provided significant improvements and made everyone feel good about ISO?

That should be the acid test, not to mention it would not meet the requirements.

[AndyN]

[QUOTE=hjilling;199048]

There are too many audit trails, nuances, clues, etc that you only pick up when you are discussing things and looking around. Touching things, looking at people. There is a reason that business travel is growing even as technology is exploding. Why don't we just teleconference every meeting? Because a lot gets lost. Only a basic compliance audit can be done remotely.

Let's test my hypothosis. How were the audits effective? Of the last 3 audits that were performed this way, how many meaningful findings were identified. Meaningful findings that made the company better, provided significant improvements and made everyone feel good about ISO?[QUOTE]

Helmut, you've got it! (but then I knew you would)

As a 'seasoned' auditor myself, there's way too much useful 'stuff' going on around you that would be missed by auditing remotely. All the wrong reasons come to mind and I'm wondering what kind of internal audit this really is, if a) the audited organization isn't being audited by one of its own and/or b) why management don't provide the resources to go to that location (if it's not sufficiently resourced to audit itself)????

[Helmut Jilling]

[quote=Denis9001;198698]

Quote:

CliffK

Of course it's the job of the manager to make sure people are doing what they're supposed to BUT that is in addition to NOT instead of audits.

On this point, I agree with you.

Quote:

Policing is the only goal I can see from the perspective of 9001. What's the purpose of an accounting audit? To improve your accounting system or to verify the books are correct? You are looking to add value to audits with reviewing processes and improvement. That's fine and great but that's not the purpose as regards 9001. If the auditors are measuring processes, reviewing processes and initiating improvement then what's the purpose of management review and the other clauses which address those activities?

And if policing is not the function of audits, I would ask how then is the system policed. The fact that it's archaic is irrelevant. Do we do away with a police force because thats archaic? If you have a more effective method of policing then that's great. That then is your procedure for internal audits. Computers are a great example. If you have software controls that are 100% self policing then your internal audit would be a simple case of verifying these controls worked and the results proved they worked.

I would suggest you read the ISO 9001 documents again, and perhaps some of the writings of the leaders behind the standard. Also, APG and ANAB have written some useful documents.

It is about customer satisfaction and continual improvement. It stopped being a policing document years ago. Even the intent of the 1994 document had some leanings toward improvement.

If policing is the only goal, I might see where the idea of remote audits came from.

[Denis9001 - 2007]

hjilling

I say the principle purpose of the audit is policing simply because that is how it seems to be in the 9001 model and isn't that what auditing is by nature. What's a financial for? Sometimes I prefer to call it a "systems check" instead of audit. If the purpose isn't policing, then I ask the question "how do you know the system is being followed?".

Yes you are right that the powers-that-be have now tried to add value to the audit and make it something more that what it was. I suspect this was done for commercial reasons or to make the audits more attractive. But if you add value to a car by putting a stereo inside it's still a vehicle for travel and doesn't suddenly become a music centre! Maybe they should rename the clause to make it clear.