Auditing the CEO - How? What should our Internal Auditor ask?

Ingeniero1

#1
The CEO/President (owner) of our 80-employee company has about 15 people reporting to him - every manager and several key individual contributors report to him. I know, I know... let's not go there. The point is that he is directly involved in every aspect of the company, albeit due to time constraints, this definitely is a problem, as you can imagine.

Anyway, he has had very little to do with the ISO 9001:2000 quest, and although he appears to understand the underlying principles, I doubt if he has read the manual completely, and I know he has read just a small number of our 24 procedures. On the other hand, he is rather well versed in how the company operates in every aspect.

What sort of questions should our internal auditor ask him, and about what areas should he be quizzed? What sort of questions may the registrar auditor ask him? What records (evidence) may he be asked to produce?

Thanks!

Alex
 
Rachel

#2
Are you sure we don't work together???

Hey Alex,

We went through something very similar. Our President is actually pretty plugged into what goes on here...but still, the processes that a president would manage are usually fairly confidential (like sales projections, financials, etc.). My problem was - what do I ask this dude so that it's actually value-added, rather than just filling a mgmt review requirement?

Here's a list of my questions from our last internal audit cycle:
  • How do you influence/oversee the quality policy?
  • What quality targets have been set for each department for this fiscal year? What about plant-wide targets? How did you influence these targets? What is your basis?
  • How do you ensure that the integrity of the quality management system is maintained when changes are implemented? (i.e., costdowns, new products, hirings/layoffs...)
  • How do you use our "Key Measurables" information to ensure continual improvement in quality?
  • What do you see as the strengths/weaknesses of our on-site databases? (i.e., CAR, internal audit CAR, OFI, customer issues)
  • What are some of the major improvements that you've seen over the last year?
  • What would you still like to see change?

The whole audit took me about half an hour, and a lot of good feedback came out of it (both negative *and* positive - one of the things I really like about our President).

Now, having said all that, those questions may not apply to your business. For example, when I close a CAR in our database, copies are e-forwarded to the President and the managers associated with the CAR - so he's pretty tuned into the system. (Once, he even re-opened one! :frust:) Your President/CEO may not even consider that system as something he needs to dive into - he may just look at the figures at KPI-time. Basically - customize them - but make sure that they're value-added questions - the last thing you want to do is tick off the President by "wasting his time".

Hope this helped.
Cheers,
-R.
 
Graeme

#3
Top management SHALL ...

Ingeniero1 said:
The CEO/President (owner) of our 80-employee company has about 15 people reporting to him - every manager and several key individual contributors report to him. I know, I know... let's not go there. The point is that he is directly involved in every aspect of the company, albeit due to time constraints, this definitely is a problem, as you can imagine.

Anyway, he has had very little to do with the ISO 9001:2000 quest, and although he appears to understand the underlying principles, I doubt if he has read the manual completely, and I know he has read just a small number of our 24 procedures. On the other hand, he is rather well versed in how the company operates in every aspect.

What sort of questions should our internal auditor ask him, and about what areas should he be quizzed? What sort of questions may the registrar auditor ask him? What records (evidence) may he be asked to produce?

Thanks!

Alex
Good morning!

In my opinion, the first thing the CEO should do is read and understand section 5 of ISO 9001:2000, with particular attention to the fact that almost every clause of that section starts with "Top management shall ..."
5.1 Management commitment
5.2 Customer focus
5.3 Quality policy
5.4.1 Quality objectives
5.4.2 Quality management system planning
5.5.1 Responsibility and authority
5.5.2 Management representative
5.5.3 Internal communication
5.6 Management review (5.6.1 General)
It may also be helpful to gently emphasize these points:
  • Where the standard says "shall", it is not optional.
  • In a small company like yours, "top management" = "CEO/President/Owner".
  • In any business, "quality management system" is approximately the same as "business management system".
  • 5.5.2 requires top management to appoint a member of management to perform defined roles -- which do not include taking total responsibility for the quality management system! Since one role of this person is to ensure that processes are established, implemented and maintained, it follows that he/she must have the power to make resources available, make executive decisions, and generally "speak with the voice of the CEO". This further implies that a person in a staff position cannot effectively fill the role. Note that I have heard of a few companies where the CEO has personally taken on the role of management representative.
Questions that might be asked: there are a number of sample audit checklists with questions for this section - search here in The Cove and on other web sites. Some starting points from the past year in The Cove are:
A good rule to create a starting point is to write down everything that says "shall", ask where the quality manual addresses it, ask how it is accomplished, and then find the objective evidence that it is actually being accomplished in that way. This applies to auditing the roles of top management as well as the production machinist - and everyone else.
 
Ingeniero1

#4
Rachel - good examples.
Graeme - Good point regarding Clause 5.

I will bring these up to our fearless leader. Thanks.


Does anyone else have any other examples of what their CEO/President may have been asked during the audits?

Thanks!

Alex
 
RoxaneB

Super Moderator
#6
We've had the following asked of our VP/GM:

  • What is your involvement in the management system?
  • What is Roxane's involvement in the management system?
  • What is the crane operator's involvement in the management system?
    • Basically, trying to ensure that he knows what's happening beyond his door.
  • How is this location trying to improve? What is this location trying to improve?
  • What is your role in these improvement programmes?
  • How are the progress and results of these improvement programmes reviewed with you?
  • What happens if actual results do not match the planned results?
  • What kind of interaction do you have with the Customer?
  • You have some Customer-based processes that are outside of your control and located off-site. How do you ensure that this location still obtains the information it needs to verify that it is meeting Customer expectations?
  • How would you describe your management system and its current maturity/level of performance?
  • Why do you have a management system?

That's all that comes to mind right now...
 
AllanJ

#7
Rachel, Graeme and RCB all make valid points. Rachel seems to be assuming the CEO's processes are known. Graeme seems to take the view that a compliance audit is being called for. (Problem with compliance audits is they do not necessarily deliver VA results, as their output is of a binary nature.)

In any audit it is essential for the auditor to understand something about the tasks (processes) being audited. This frequently necessitates mobilising an expert onto the audit team. Of course, in a small company, the CEO may baulk at the cost, if that means going outside for help, unless he/ she is genuinely interested in receiving a thorough assessment of his/ her "processes".

As I have remarked elsewhere, the greatest avoidable costs occur in a form when the decisions made at the top are unsound, i.e., those decisions lack "quality". Examples are legion, so I will not dwell on that.

In order to offer some VA outcome to the audit, ask how the CEO goes about his/her decision-making tasks. As examples: How do you decide CAPEX issues? How do you determine forward strategy and business plans? How do you determine product and market policy? How do you review the company financials? How do you use those reviews for executive decisions you make? And so forth. This will reveal the decision-making capabilities and methods, the extent to which valid input is obtained (and its sources) and how the CEO then communicates/uses the associated decisions as outputs.

To an extent this audit ought to be done (or attended) by someone from the board of directors. At the risk of annoying people, I do give guidance on how to audit top managers in my book, "Management Audits" in the chapter entitled, "President's Audit". Its advice can be used for auditing your CEO/ President whatever. So, another useful question to that CEO is, what audits do you do of your top managers?
 