Does ISO 9001 Audit fit in within the Corporate Internal Audit department?

[BradM]

Re: Does ISO Audit fit in within the Corporate Internal Audit department?

Hello, GG! If you don't mind me calling you that!

First, by reading the comments in your posts, I have a feeling you have been in the auditing arena for a while. The Cove would welcome your input/opinions on the other posts. We hope to see you around some more.

You state that the internal audit program to date has been successful. Can you measure that success? Can you provide dollars of what the internal audit program has saved/made?

As far as the additional IA requirements... Is that an additional requirement for the scope of work they were doing, or is it a certification/group of people requirement? Could you provide a cost estimation to your managers of what it will cost additionally to perform the additional IA requirements for ISO internal audit activities?

It would be an intriguing drill to have IA auditors (like next week) audit area A, and ISO auditors audit area B. Then have them switch. I bet there would be a vast discrepancy in findings and concerns. Not good or bad; just different.

I guess I get bummed out when questions in posts start with "manager wants to...", as they are management. However, any decent manager is driven by numbers and cost. Just wondering if you might could get the additional expenditures by this idea and promote the idea of not combining them.

To your point... If you ever watch UFC, they will always talk about fighters cross-training. However, when it comes down to it, the fighter will always revert to their basic/core type of fighting. Those IA auditors can get some ISO-type training all day long. But without retraining and reinforcement, their auditing style will revert to what they are comfortable with.

 

[Sidney Vianna]

Re: Does ISO Audit fit in within the Corporate Internal Audit department?

They'll gloss over it, to get to the important stuff...regulatory risk, financial risk, etc.

Any meaningful audit should use risk assessment as an underlying approach. Maybe your internal auditors don't realize the fact that one of the largest risks an organization might fail to manage is keeping customers happy in a cost effective manner. If you fail to retain your customers and/or attract new ones, you won't have financial and regulatory risks to assess because you won't have a business to run.
Allowing unqualified people to audit systems they are not competent to assess is not only a waste of time, but counter productive approach.

Most large organizations want to reduce the number of internal and external audits they endure. So, multidisciplinary and integrated management system audits are a welcome initiative. But auditor and audit team competence to handle such complex audit approaches are a must.

 

[Randy]

Re: Does ISO Audit fit in within the Corporate Internal Audit department?

If they specialize in financial audits, it's a different world.

I suggest a lead auditor's class as a fast introduction. A person needs some knowledge of quality systems.

Yeah you're right, I wouldn't now anything about Financial auditing and it's realationship to systems auditing with just an MBA specializing in Finance Management.

As for knowledge of quality systems from a Lead course? I dunno, I've always thought those courses were more about auditing.

 

[Jen Kirley]

Re: Does ISO Audit fit in within the Corporate Internal Audit department?

Yeah you're right, I wouldn't now anything about Financial auditing and it's realationship to systems auditing with just an MBA specializing in Finance Management.

One of the tricky things here is how little we know about the people discussed in these posts. They could be ready to go for ISO auditing (just add water and stir vigorously) or they could know next to nothing about quality systems. I can't tell from here.

As for knowledge of quality systems from a Lead course? I dunno, I've always thought those courses were more about auditing.

Well, it's not much but the idea was to introduce the financial auditor to the methods ISO auditors use: how to plan a process audit, ask questions, analyze responses for compliance, do follow up and report based on ISO. But maybe they already know all about it. I don't know, but I got the sense from GG that they're not ready to switch back and forth.

Maybe my problem is that I have been mistaken about two things from the outset. First, I thought we were discussing a company trying to use auditors for Sarbanes Oxley to do ISO audits. Second, I thought auditing for Sarbanes Oxley would be a different sort of audit than for ISO.

If I'm wrong about these two things then I am just wrong in the whole thread.

One thing that occurs to me is a guess that your extensive qualifications may give you the sense that these audit things are easy for the rest of us too.

 

[Randy]

Re: Does ISO Audit fit in within the Corporate Internal Audit department?

First, I thought we were discussing a company trying to use auditors for Sarbanes Oxley to do ISO audits. Second, I thought auditing for Sarbanes Oxley would be a different sort of audit than for ISO.

If I'm wrong about these two things then I am just wrong in the whole thread.

One thing that occurs to me is a guess that your extensive qualifications may give you the sense that these audit things are easy for the rest of us too.

1st..You're not wrong at all, but now you may be a bit stimulated..woo, woo

It all boils down to the same thing, regardless of type of audit or whatever:

1. Competence of the auditor in being an auditor;

2. and well defined objectives, scope and criteria for the auditor

Auditing isn't much different than a detective conducting an investigation, both tasks are a search for evidence (Did I mention that I also studied Criminal Investigation at the FBI Academy in Quantico and taught it as well?)


On another subject...Jennifer, how is your work going?

 

[HSSE Auditor]

Re: Does ISO Audit fit in within the Corporate Internal Audit department?

Auditing isn't much different than a detective conducting an investigation, both tasks are a search for evidence (Did I mention that I also studied Criminal Investigation at the FBI Academy in Quantico and taught it as well?)

There is a difference. You are correct that they are both looking for evidence; but the auditor is looking for evidence of innocence.

 

[Jen Kirley]

Re: Does ISO Audit fit in within the Corporate Internal Audit department?

1st..You're not wrong at all, but now you may be a bit stimulated..woo, woo

Well, whew.

It all boils down to the same thing, regardless of type of audit or whatever:

1. Competence of the auditor in being an auditor;

2. and well defined objectives, scope and criteria for the auditor

Auditing isn't much different than a detective conducting an investigation, both tasks are a search for evidence (Did I mention that I also studied Criminal Investigation at the FBI Academy in Quantico and taught it as well?)

Yes, this is all true. I also think your studies in investigation may have helped developed your compentency, which I'd like to acknowledge is vast. I wonder how much of this sort of thing those financial and IS auditors have?

Auditing isn't rocket science anyway. Some people can do it with talent and/or the aggregate of their schooling and work experiences, while others need specific training. Get the unschooled, uninspired and unskilled in there and you'd just have a bunch of checklists with Yes and No in them. Why bother?

All in all I think it will come down to how well the audit program is managed. If there's no one at the wheel who knows much about quality systems, no one may know if the auditors are competent or if the audits were done properly.

Last thing I wonder about is the what-next of managing corrective actions...hmmm.

 

[Jen Kirley]

Re: Does ISO Audit fit in within the Corporate Internal Audit department?

On another subject...Jennifer, how is your work going?

Forgot to answer this one. Very well, thanks, though I guess the perspective that depends on which side of the CA one is on...

There was a lot of compliance auditing happening here before I got in and churned things up. I am enjoying being able to use all of my training and experience--quality, environemental and safety, even the education skills help in less than obvious ways.

 

[Benjamin28]

Well, I'm certain that the system won't suffer much if all these corporate auditors are inspector gadget clones...and a 4 hour "okie dok you're ISO pro's" training session is indeed all they'll need to be experts in quality systems.

Jennifer's suggestion is appropriate, and the question posed in the original post reflects those same concerns. Whatever they do, these auditors won't be able to offer comparable results to the ISO experienced auditors. Integrating the two types of audits is not necessarily a bad idea, but replacing the ISO auditors with personnel with minimal ISO experience, that is a bad idea. I agree with Jennifer though, to make this transition functional and useful the organization should first ensure that their corporate auditors are trained and competent in quality system audits, unless of course they just don't care what kind of results their continual improvement process acheives.

 

[gg-audit]

All of the comments have been great...thank you all for them.

My biggest concern was addressed in the last post...that the corporate auditors don't care about quality audits or continual improvement. Their primary focus, and training, has always been to look for controls...are they there and are they working. They really don't care if the department has documented processes and are following them...or what their performance metrics are and whether they are improving or not.

Can they be trained? Sure. But when it comes time to scope an audit, and they only have so many hours to dedicate to the project, which steps do you think will be the first to get cut? Not the steps testing controls...that is too important to the financial continuity of the company (big exposure if they find fraud or a major control issue that causes loss to the bottom line). The quality steps will be cut. And that's even in the short term, after they've all been trained and quality is fresh on their minds. What is going to happen 2 years from now, when quality isn't on the fore-front of their minds?

Another issue we are dealing with is the reporting structure. The corporate audits are seen by basically every top executive at the company and the Audit Committee of the Board of Directors. Our ISO audit reports have been held at the local management level to provide lay terms to those who understand them the most and where the report can add the most value. Having that level of exposure at the highest levels will add time to the reporting process to make every thing read just-so for an audience of uninformed readers. Will the local management gain any value out of those types of reports?

Your comments are great!! I REALLY appreciate them!

gg