Internal auditing focus - Opinions on "what direction" so to speak

[ALM]

Originally posted by Dawn:
ALM,
Do you have a blank sample of one of these audits I could take a look at? I have tried to do this but failed.

I've emailed you to send me a fax number and I will send the audit schedule right over to you.

To give you some insight:

1) Some things you will audit by element, and follow-up by looking for objective evidence, such as 4.1 Management Responsibility, and 4.3 Contract Review. Typically, those "elements" are in and of themselves "functions."

2) In our facility, we would audit manufacturing - we have the following relevant elements: 4.8, 4.9, 4.10, 4.12, 4.20. In other words, all of these "elements" can be audited while checking out what goes on in the entirety of manufacturing. To demonstrate how this helped - We USED to audit, say 4.10 - and go through the shop looking to see that we met it. Then, we would audit 4.11 - and go through the shop again. Then 4.12 - you see the monotony of the situation? On the same audit trail, auditing by function, I can check jobs to see if they have process control instructions (4.9), if it has been inspected/tested (4.10), if an appropriately calibrated tool has been used to inspect it (4.11), if the inspection and test status is readily apparent (4.12), if the results have been recorded (4.16), and, if applicable, whether the appropriate statistical data has been compiled (4.20). So, on one pass through the shop, I am now looking for a variety of elements, instead of making 5 or 6 different passes through the shop auditing each element. (I only wish I had realized this sooner.)

3) You can verify 4.16 while auditing just about every function with exception of lunch and break!

4) While checking out nonconforming product (4.13), you should also be checking out 4.14, and of course, 4.16.

5) 4.2, 4.5, and again, 4.16 should all be relevant during an audit of the Document & Data Control functions.

It has really made for a much smoother audit flow. Of course, you are flipping back and forth through the QSA making notes and verifying compliance, but again, it is much easier to look at ALL RELEVANT ELEMENTS that are occurring in a specific function, than to repeatedly visit a function over and over and over again as you go through the QSA element by element. Also, you change the flow of the audit from one to the next, too.

I hope I have provided some insight.

[This message has been edited by ALM (edited 27 April 2000).]

 

[Wallybaloo]

Although I read Marc's 'rant' about the idiocy, and agree to an extent, I think there is room for the use of both types of auditing. I schedule my audits on the basis of the 20 sections. This allows me to schedule based on the impact and history of the particular requirement, and dig more deeply into the subject. But then also, several times a year I schedule teams to do the 'audit trail' approach, where they pick a product that's on the shipping dock, ready to go. They follow this backwards through the shipping, packaging, assembly, etc. process, looking at many elements of the standards (we also have FDA, ISO 13485 & MDD). On one trail we may deliberately track back to a machined part, whereas on another we look for a purchased part.

I realize that there may be better ways, but this seems to work well, also.

 

[barb butrym]

the funny thing is there is no right or wrong...just an expected result (a comprehensive report or recommendation) and a couple rules.

As I tell my auditor trainees....i can give you the rules and share my techniques and tools, help develop some skills... but in the end its an art that you must develop...you have to fill your own tool box with stuff that works for you.

 

[Marc]

Originally posted by Wallybaloo:

....I think there is room for the use of both types of auditing.

I do not disagree. When I look at internal auditing I look at two things:

1. Real World
2. Utopia

In Utopia, all employees would be appropriately trained for internal auditing and compliance to the specification. As well as trained in many other things. The real world is each company takes a stand in how far they will go with this. We're all big kids here and with all our talk of ideal systems and intents, most companies do not go thru ISO or QS because they want to improve. QS folks tried a move to requite 'certified' internal auditors. I understand the reasoning and ideally that would be the case. But we start looking and asking at what cost? Have we reached a point where we have to hire someone full time to do this? Have we added a functionary to the company tree?

If I want to take the least intrusive route I'll out-source the audits.

Next level may be: I want internal auditors but they have their regular jobs. I don't want to have to train them to interpret the specifications involved. So - I'll let the management rep audit our top systems (level 1 and level 2) to the requirements and we'll let the internal auditors audit the meat - functional area (departmental, however you want to say it) procedures.

Next level may be: I want all our internal auditors to understand all the requirements. To do this we'll send each to lead auditor training.... etc.

Company size is often a significant factor. I won't begin to talk about the tenor of upper management (which is to say the company). If you have 5000 employees you're probably going to have a pretty well structured internal auditing function. You'll probably have some people dedicated to internal auditing.

As company size drops to 10 people, how you fulfill the requirement, and it's cost factor, changes. Does a company of 10 people want to spend the money for training and such to have a 'certified' internal auditor? Some do - some don't.

Another significant factor is the industry and the specific product(s). If you're making High Rel military equipment or air bags, you do need more positive control than if you make springs for seats. An air bag failure is a lot more significant than a failure of a seat spring failure.

A mixture is fine and for the most part typical and realistic. My only point is to think about how far you want to take internal auditing. My belief is that the more internal audits reveal, the more fundamental problems a company has.

 

[llamb]

I am employed by a small company approx. 70-100 employees total. I have been very concerned about the quality of our internal audits. Of course we all must do our "regular" everyday work and fit auditing in somewhere. We only have a couple individuals who have taken a basic internal auditing course. Other employees we use as auditors are "trained" by sitting in on ONE of our internal audits. Not enough in my opinion. I have brought up the idea of hiring (outsourcing) our internal audits, or at least some of them. My question to all of you is "Who can I contact for this service?" and "What would be the cost factor?" We have to weigh the cost of hiring out vs. the cost of professional auditor training for our current employees.
I also think by doing our own audits we all become more aware of the what is going on throughout the plant. So this tips the scale in favor of doing our own internal auditing.
I would like to hear some opinions.

 

[Jim Biz]

Just a collection of thoughts - I agree with Barb there is no real "right or wrong way" to accomplish auditing of the system no matter which side of the focus is being used (standards approach or functional approach)..

Costs/outsourcing - usually prohibitive in my expierience - our local consultant is VERY reasonable - close to unheard of cheap in some areas-- but still commands a 60.00 per hour fee. Figuring it takes 80 - 90 hours to audit our system, an added 5500.00 per year would be dificult to justify..

Our company is of similar size - 100-150 folks... We do hold classes and train to the standards plus an overview of our supporting documentation prior to auditing assignments...takes 12- 16 hours training time.. no one is qualified to conduct an audit without the "formalized" training. However I find that the internally conducted audits may not be as "value added" or helpful to the improvement of our system as could be the case.

Most of our 6 internal auditors have been with the company for quite awhile - and it is difficult to "get past" the "lets not be too hard on ourselves and/or each other" outlook. (The auditor- will be the auditee eventually) Although I'm sure that there are companies out there that are more strict with internal audits than an external auditor would be...

Time factors - I schedule one auditor for one element/functional-section every other month and expect an audit to take 2-3 hours (prep time included)13-15 hours per year for each of the 6 auditors.. If it looks like the schedule is "lagging" I then use our local consultant to "fill in" where needed to bring the schedule up to date.

Other Possibilities:
Possible to "trade" auditing personnel time with other local companies in a similar business? Some advantage to both Independance Factors - Unbiased Outlook.
Disadvantage: Some top management folks "Frown" on having another companies personnel around "snooping"?

OR Hold an "audit week"- just turn you auditors loose on a scheduled basis for a "short set/schedule" time period - - audit the entire system in a weeks timeframe.
Advantage - system audited and covered quickly.. management has all the information in hand and ample time to correct where need be prior to external auditors visits.
Disadvantage: Focus on procedural/functional aspects is maintained through-out the company only during "audit week".

 

[Idotson]

The company I work for was registred back in '97. Until just a last year our audit focus was compliance to the QS. What I noticed was that the longer we went the less the auditors found. What was happening was that the procedure and work instruction covered all the question the auditors were asking. We have redirected our focus to make sure the everyone is doing what the procedures and work instruction state, and we become less conserned with compliance to the standard because at this point the quality manual been reviewed at least 100 times.

 

[AJPaton]

We're in the midst of a giant Internal Audit push, to correct problems uncovered in the last external audit.
We're going clause by clause, but I never even thought of just auditing the paperwork. Don't you have to go out where the product is being built/serviced/whatever and see that you are "Doing what you document." Also, what improvement can you do if you don't audit what is actually happening.
We have a wonderful set of procedures, some of which are followed. However, after a few years, your product changes, your production lines vary, and the wonderful procedures are outdated. Then you can guarantee that not only they won't be followed, but they will be considered useless.
Quality should not be a non-value added policy!
Sorry, I think I've got Audititis
AJP

 

[Jim Biz]

Aj - I'd hafta Agree with you - If anyone is "Just auditing the paperwork" clause by clause - I'd be inclined to agree with one of Marc's earlier comments -

Your MGT REP should be responsible for doing "Desk Audits". Internal audits should be scheduled after a desk audit cofirms the standards have been addressed with direct contact/observation of the function/actions responsible for following them.

A good value added system improvement audit can't be effective until/unless the personnel preforming the function being audited are at least observed & questioned. This can be done "briefly" and effectivley if the audit itself is well planed ahead of time.

Regards
Jim

[This message has been edited by Jim Biz (edited 04 May 2000).]

 

[Marc]

Originally posted by AJPaton:

We have a wonderful set of procedures, some of which are followed.

Some of which are followed? At least you're honest - but if the rest aren't followed why even have them? If you're having problems internally, I suggest this statement alone is evidence that you should be focusing on people doing what they are supposed to be doing. How do they decide which ones they will comply with and which ones not to? This statement is disturbing.

However, after a few years, your product changes, your production lines vary, and the wonderful procedures are outdated. Then you can guarantee that not only they won't be followed, but they will be considered useless.

This does nothing less than proclaim to the world that your company is failing in the basics. If your procedures do not change as your systems change and/or your procedures "...become outdated..." then your system is not a living system and your implementation of ISO is a total sham. Just a single point (of many, many I could make): If your systems procedures become outdated then the proper people are not reviewing and approving them - I would can the management rep. If your departmental and/or process related documents "...become outdated..." I sure don't want to buy your product.

I'm sorry, AJPaton, but if this is the case your company has, in my opinion, serious problems.

From Idotson:

We have redirected our focus to make sure the everyone is doing what the procedures and work instruction state, and we become less conserned with compliance to the standard because at this point the quality manual been reviewed at least 100 times.

This has been, and is, my point exactly.

Don't you have to go out where the product is being built/serviced/whatever and see that you are "Doing what you document."

Yes - In fact it should be your focus.