Internal Audit Format and Content question


silentrunning

Long before I “volunteered” to take over the Quality Assurance department my predecessor set up the format for Internal Audits. It is an audit by the ISO 9001:2008 elements. It covers the bases but does not lend itself to allowing auditors to follow trails. It also hasn’t caused any real improvement in the last couple of years. I have wanted to do audits by function and have been trying to lay out a format for the auditors. Some elements lend themselves perfectly to this – purchasing, training and customer owned property fit in this group. Others like Management responsibility, product planning and QMS planning don’t. I have been working on this so much lately that it has become a jumble in my head and I have stopped making any forward progress. Does anyone have an outline of their audit format they would care to share? I also would like any input on auditing to the function that anyone would care to share. :thanks:
 

William_55401

Re: Internal Audit Format question

Good morning. I would suggest you think about audits not by function but rather by process. The processes cut across the organization and create linkages / dependencies where functions must collaborate. If you continue to audit by function, that will tend to reinforce the "our group is fine" mentality. Getting the organization to think about and improve based on the process approach will drive improvement.
 

Mikishots

Trusted Information Resource
Long before I “volunteered” to take over the Quality Assurance department my predecessor set up the format for Internal Audits. It is an audit by the ISO 9001:2008 elements. It covers the bases but does not lend itself to allowing auditors to follow trails. It also hasn’t caused any real improvement in the last couple of years. I have wanted to do audits by function and have been trying to lay out a format for the auditors. Some elements lend themselves perfectly to this – purchasing, training and customer owned property fit in this group. Others like Management responsibility, product planning and QMS planning don’t. I have been working on this so much lately that it has become a jumble in my head and I have stopped making any forward progress. Does anyone have an outline of their audit format they would care to share? I also would like any input on auditing to the function that anyone would care to share. :thanks:

Pay close attention to what William 55401 has said. This is the key to your success if you want to get your head around this. You MUST get away from the mentality of auditing "Purchasing", "Training" etc. as individual elements; this is not an audit of a system at all.

Think of it like a car being built: even if all the individual components have been inspected 100% and have been proven to function flawlessly, does this mean that the car will function flawlessly once it's been assembled? Not at all. It's the interactions of the components that must also be verified; the "HOW".

My buddy works in a lab at MIT, and he had a funny analogy that lends itself well to this. He said "You'd think that having a room full of guys that are at the top of their class, literally geniuses in their fields would mean our lab would be an absolute powerhouse, right? Not so. As a group, we're a complete disaster". An audit of each person would yield impressive results, but wouldn't reflect at all the reality - as a system, it's completely dysfunctional.

This also is the reason why checklists are so limiting - one checklist cannot work for everyone (or even for the person that created it - you just don't know where the audit will take you). Start with basic questions, and follow the paths that the auditees reveal to you.
 

insect warfare

QA=Question Authority
Trusted Information Resource
Pay close attention to what William 55401 has said. This is the key to your success if you want to get your head around this. You MUST get away from the mentality of auditing "Purchasing", "Training" etc. as individual elements; this is not an audit of a system at all.

Think of it like a car being built: even if all the individual components have been inspected 100% and have been proven to function flawlessly, does this mean that the car will function flawlessly once it's been assembled? Not at all. It's the interactions of the components that must also be verified; the "HOW".

My buddy works in a lab at MIT, and he had a funny analogy that lends itself well to this. He said "You'd think that having a room full of guys that are at the top of their class, literally geniuses in their fields would mean our lab would be an absolute powerhouse, right? Not so. As a group, we're a complete disaster". An audit of each person would yield impressive results, but wouldn't reflect at all the reality - as a system, it's completely dysfunctional.

This also is the reason why checklists are so limiting - one checklist cannot work for everyone (or even for the person that created it - you just don't know where the audit will take you). Start with basic questions, and follow the paths that the auditees reveal to you.

Damn straight. Good responses so far...

Long before I “volunteered” to take over the Quality Assurance department my predecessor set up the format for Internal Audits. It is an audit by the ISO 9001:2008 elements. It covers the bases but does not lend itself to allowing auditors to follow trails. It also hasn’t caused any real improvement in the last couple of years. I have wanted to do audits by function and have been trying to lay out a format for the auditors. Some elements lend themselves perfectly to this – purchasing, training and customer owned property fit in this group. Others like Management responsibility, product planning and QMS planning don’t. I have been working on this so much lately that it has become a jumble in my head and I have stopped making any forward progress. Does anyone have an outline of their audit format they would care to share? I also would like any input on auditing to the function that anyone would care to share. :thanks:

If you want to assess your system by clause, I suggest a gap analysis as a better alternative. An internal audit is more holistic as it lends itself better to the process approach. The reason you feel "jumbled" is because of the overlap between clauses and processes. The process approach allows you to focus your energies on how "processes" are performing.

To build on what Mikishots has said, your internal audit itself should have clear objectives (what you would like to see accomplished based on planning / performance indicators), but the path should theoretically always be unknown. If you audit a process (while at the same time) harboring pre-conceived notions of how it will turn out, it is then you start to lose objectivity and bias is thus introduced. Of course we would all like to be psychic here, but subscribing to such a belief would defeat the purpose of internal auditing altogether.

BTW - I have an audit checklist form that has worked well for me over the years, but I cannot post it right this minute. You can PM me (if only to remind me) and I can post it in this thread later.

Brian :rolleyes:
 

silentrunning

After reading these responses and having a great phone conversation with AndyN I feel that I have to go back to the drawing board and start from scratch. I want to do this right and not just make a change for change's sake. I would greatly appreciate any other input anyone wants to give. I sure am glad the Cove is here so I don't have to tackle this alone!
 

insect warfare

QA=Question Authority
Trusted Information Resource
A little late, I know, but here is what I've been using at my place of employment. Note that the XYZ company is fictitious, just because...

For the audit plan, I've added my key processes which are identified in my quality manual, and I've updated it to show how I would set up an initial audit schedule. Future audits would be scheduled at the discretion of the auditor, who (based on the audit findings) would make a recommendation on when to schedule the next audit, and have it concurred with the Lead Auditor (or another auditor if the process is owned by the Lead Auditor) before signatures are obtained. I don't bother with setting predetermined frequencies, although I won't let a process go unchecked for more than 12 months, so a subsequent audit can potentially be scheduled any # of months ahead of the original audit, based on the risk of the findings encountered. Note that auditors can also be switched to different processes using this format.

For the audit report, I prefer to have the team use a pad & pen to take notes during the actual audit. They will only use the form after the audit to document their results. I want them to be able to interview, on their own, the people involved and ascertain the effectiveness of activities without the comfort of an itemized checklist. They can, however, choose "themes" or "topics", with the aim of providing some focus and direction for the audit. Plus I will re-iterate to the team periodically on certain auditing pitfalls, such as relying on documentation findings too heavily, as this does not always support the justification for auditing.

I also will not bother with a separate NCR form, as any nonconformities encountered during internal audit would trigger the corrective / preventive action process, per our procedures.

Let me know what you think, Covers...

Brian :rolleyes:
 

Attachments

  • XYZ-04-01F1 Internal Audit Plan & Schedule Ver. A.doc
    108.5 KB · Views: 1,077
  • XYZ-04-01F2 Internal Audit Report Ver. A.doc
    69.5 KB · Views: 1,008

Colin

Quite Involved in Discussions
Some very good advice has already been given in this post but I would like to throw in another angle. I agree entirely with auditing processes but there are potential issues with this e.g. the size of the processes.

If an organisation has a very well 'processed based' QMS in place, how do you break up the audits into manageable pieces without breaking the 'process flow'? You could end up auditing the whole organisation in 1 go - which works great for a small business but not for a large/complex one.

Similarly, I don't recommend auditing by procedure, as such, but if the procedures have been written around the processes, where is the problem? The other issue is auditing against the standard - clause 8.2.2a states that we must determine whether the QMS conforms to 'this International standard'.

My preference is to encourage each audit to include the basics such as document control, records, elements of training, responsibilities etc. and then to use any specific clauses which apply to the processes being audited e.g. if you are in sales, look at 7.2, purchasing 7.4, etc.

If we encourage auditors to do that we not only verify that the system satisfies our own requirements but also that it meets ISO 9001.
 

silentrunning

Insect Warfare - this is exactly what I was looking for. I called them "functions" but you have them labeled as "key processes". I want to audit the entire system as Colin said, but have it broken down in bite sized segments. I was just having trouble deciding how to break it down. Your first attachment looks very logical. :thanx:
 

Stijloor

Leader
Super Moderator
Insect Warfare - this is exactly what I was looking for. I called them "functions" but you have them labeled as "key processes". I want to audit the entire system as Colin said, but have it broken down in bite sized segments. I was just having trouble deciding how to break it down. Your first attachment looks very logical. :thanx:

Doug,

One way to tie processes, their objectives, measurements and applicable ISO standard requirements/clauses together is the process matrix.

Look at this post + attachments for an example and explanation.

Each row in the matrix shows all information to get the audit planning started.
 

insect warfare

QA=Question Authority
Trusted Information Resource
Insect Warfare - this is exactly what I was looking for. I called them "functions" but you have them labeled as "key processes". I want to audit the entire system as Colin said, but have it broken down in bite sized segments. I was just having trouble deciding how to break it down. Your first attachment looks very logical. :thanx:

Thank you Doug. I agree that it is very logical for me, but more importantly, it is simple...no complex NC grading systems, no bureaucracy to hamper down the activities, etc.

The way it works at my organization I call them all "key processes" even though on my process interaction map they are divided into 3 sections (Manufacturing Processes, Procurement Processes and Support Processes). I'm sure you know by now that it doesn't matter what terminology you use as long as it is clearly understood throughout. All of what I told you here is documented in our quality manual. I think half of the audit planning is already done for you if you have a well-written quality manual with a clear description of each process.

Some very good advice has already been given in this post but I would like to throw in another angle. I agree entirely with auditing processes but there are potential issues with this e.g. the size of the processes.

If an organisation has a very well 'processed based' QMS in place, how do you break up the audits into manageable pieces without breaking the 'process flow'? You could end up auditing the whole organisation in 1 go - which works great for a small business but not for a large/complex one.

Similarly, I don't recommend auditing by procedure, as such, but if the procedures have been written around the processes, where is the problem? The other issue is auditing against the standard - clause 8.2.2a states that we must determine whether the QMS conforms to 'this International standard'.

My preference is to encourage each audit to include the basics such as document control, records, elements of training, responsibilities etc. and then to use any specific clauses which apply to the processes being audited e.g. if you are in sales, look at 7.2, purchasing 7.4, etc.

If we encourage auditors to do that we not only verify that the system satisfies our own requirements but also that it meets ISO 9001.

I think Colin raised some interesting points that I didn't really think about in my last post. One is conforming to the standard per 8.2.2(a): another way to do this is by using a gap analysis checklist, as it is just another form of audit. In my organization I have a table in the quality manual showing which elements are associated with what process, based on gap analysis results. This also allows our auditors to focus strictly on process performance during internal audits. Is it the preferred method or the best method? Maybe not in every case, but I thought I would just spitball it here anyway.

The other one is that, as you've seen in my attachment, I am not above auditing some "common-denominator" processes distinctly (i.e. Document Control, Records Control, Training, etc.), since they exist as processes in their own right, and have inputs and outputs that link to other processes which deserve an appropriate amount of attention. I would want to be sure though that (as an auditor) those interdependencies are existent and are working as intended. But I also realize that those processes are peppered into the other key processes, albeit with varying degrees of intersection, and just because I audit "calibration" doesn't mean I will not audit the records control part of it because it is listed separately on my audit plan. Common-sense should take over at some point.

One more thing....make sure your auditors are competent. This is paramount to any company's audit program. Make sure they know the fundamentals of internal auditing and what it is really all about, not the common misconceptions you are probably used to. Design training materials that suit your organization's culture, create workshops that make sense to them, and practice, practice, practice - even after they become competent. The Cove contains so much information on internal auditing that it is possible to put the pieces together (what am I saying this for, you already know :lol:)

Brian :rolleyes:
 