Audits must do more than check whether people “are following their procedures / work instructions”. Each process making up your management system must be scheduled for audit.
Internal Audit Objectives :
“The organization shall conduct internal audits at planned intervals to provide information on whether the ISO management system:
a) conforms to:
1) the organization’s own requirements for its environmental management system
2) the requirements of the International Standard
b) Is effectively implemented and maintained”
Audit Rating System
A risk-based internal audit approach allows the internal audit to concentrate on reviewing all significant risks to your organization so as to ensure that they are well controlled.
Ratings range from “compliant” to “major non-conformance” to convey a concise and consistent method for rating each audit finding.
Principles of Auditing
Auditing has two, related, key objectives:
- To support your organization's management system
- To provide objective information that you can act upon to continually improve its performance
To achieve these objectives, it is necessary to adhere to the following principles, if the conclusions derived from the audit are to be accurate, objective and sufficient.
- Ethical conduct - trust, integrity, confidentiality and discretion are essential to auditing
- Fair presentation - audit findings, conclusions and reports must truthfully and accurately reflect the audit activities
- Professional care - auditors must exercise a level of care that reflects the importance of the task they perform
- Independence and objectivity - auditors must be independent of the activity being audited and be objective
- Evidence-based approach - evidence must be verifiable and based on samples of the available information
Adherence to these principles also allows auditors working independently from one another to reach similar conclusions when auditing in similar circumstances.
The adoption of the “process approach” is mandated by ISO and is one of the most important concepts relating to management systems. Process auditing is about auditing your organisation’s processes and their interactions, which together comprise the management system.
The principle behind the process approach is that “consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system”.
A process audit provides assurance that the processes have been implemented as planned and provides information on the ability of the process to produce a quality output.
Undertaken properly, a process audit is much more than the verification that processes are being properly followed.
A process is a set of interrelated activities that transform inputs, such as materials, customer requirements and labour, via a series of activities into outputs, such as a finished product or service.
Various clauses of the standards are applicable to stages of the process.
There are six characteristics to look out for when auditing a process:
- Does the process have an owner?
- Is the process fully defined?
- Is the process fully documented?
- Have links to other processes been established?
- Are processes and their links monitored?
- Are records maintained?
As part of the process approach, process audits must be scheduled in accordance with your management system . The audit schedule should be based on the importance and criticality of the process itself.
The audit should be based on a three stage process:
- preparing for the audit (desk review)
- auditing the process and its linkages
- preparing the executive summary and audit report
The audit should begin with the process owner in order to understand how the process interacts with the other process inputs, outputs, suppliers and/or customers.
The auditor should be able to determine whether the outputs are complete and that process measurements demonstrate whether all of the outputs are consistently efficiently managed and fit for purpose.
Each process audit should:
Determine whether the process conforms to planned arrangements
Determine whether the process is properly implemented and maintained
Provide information on process performance to top management
and include the following considerations:
Is there continuity between the various support processes?
Is the task done consistently from day-to-day and operative-to-operative?
Do the interfaces between different operational functions operate smoothly?
Does product information flow reliably and freely?
Is the process practice right?
Does it meet the requirements of the standard and/or specified requirements?
Is it process effective is supporting the organisation?
Thorough preparation is essential to an efficient and accurate audit!
Gather all relevant documents and records for the process you are auditing, such as process metrics, instructions, turtle diagrams, flowcharts, etc. If applicable, collect control plans and FMEAs too.
Review these documents thoroughly, and mark what you plan to audit. By marking directly on the documents, they become audit records.
Also, review relevant sections of the ISO standard. Your organisation’s documents may not include all the ISO requirements, and this is how you would discover that. If certain information is not available, it may become an audit finding, even during the preparation stage.
Sources of information might include:
Audit Scope, Audit Objectives, Audit Criteria:
- the “audit scope” defines which areas are included and which excluded from the audit.
- the “audit objectives” define the purpose of the audit and what it should achieve.
- “audit criteria” define which systems, standards, and documents are to be be audited
ISO requires that this information is defined and documented. Often this is routine information, but when there are exclusions or unique situations, it can be significant.
Process Criteria, Metrics, Objectives and Performance :
Each process is required to define this in the management system. Evaluate metrics and objectives to determine strengths and weaknesses. Compare actual performance to targets. Where goals are met, focus more on other areas with greater issues.
Previous audit findings
Verify that previous corrective actions remain effective. Past areas of concern may yield more opportunities for improvement or may require re-auditing.
Customer complaints and other corrective actions
Verify that previous complaints have been properly addressed and that corrective actions remain effective.
Process Inputs and Outputs, Internal Suppliers and Customers
The management must define and document the inputs and outputs for each process. If your system relies on flowcharts, turtle diagrams, process maps, etc., they should be documented.
Relevant Sections of the ISO Standards
Identify those sections in the applicable ISO Standard (ISO 9001, ISO 14001 etc.) that are relevant to the process. Print those pages and mark significant requirements to ensure they are documented correctly within the management system, and that they get audited.
Flowcharts, Turtles, Procedures, Instructions, Records, Process Sequence
Review the documents that describe and control the process and identify all of the important steps and activities. Check that this information is documented within the management system.
Evaluate how effectively the process flows through the steps and note any issues directly on the company documents (saves time). During the audit, use them as checklists, and audit the trails and notes you marked.
Links to Skills, Competencies and Training
The skill requirements for each process should be documented. Review skill lists for the process being audited.
Are there clear lists of skills, with sufficient detail, for each position? This is a common failure where lists are generic and the detail is inadequate. Training is a key process of any system. Are there specific people or new members of staff that you wish to review?
Are there particular skills you wish to evaluate? Identify the names of those you wish to review later.
Links and Interactions with other processes
Each process connects and interacts with other processes and it is important to identify and audit those links. Often processes work well within their own scope but link poorly to other processes, so these are often areas for improvement.
These links you have identified must be documented in the management system. Plan how you will audit the relevant links and interactions.
Prepare these documents and audit materials carefully as it is faster and easier to audit if you have well organised and marked up information at hand. A well prepared auditor is a confident and authoritative auditor.
Using the documented information in this way ensures they become audit records.
Use your preparatory work to develop an audit checklist for use in the future.
An audit checklist is just one of the various tools available to help ensure that your audits address the necessary requirements.
The checklist creates a basic reference point before, during and after the audit process and provides the following benefits:
- ensures the audit is conducted thoroughly, systematically and provides objective evidence
- promotes audit planning
- ensures a consistent audit approach
- provides clear support for your audit process
- ensures that different auditors audit uniformly
Your organisation’s documented information may not cover all of the requirements that may be relevant to the process. If certain information is not available, it may become your first audit finding, not bad for the pre-audit review!
Review metrics and performance with appropriate managers, supervisors and operators.
They should know how well things are running, objectives, customer issues and problem areas. If they do not, the requirements are not being met.
Audit the sequence of the process with the people actually performing the process.
Do people know and follow the steps? Is what they do the same as what is documented? Are best practices documented and followed? Do personnel have changes they would recommend?
Review all the relevant steps of the assigned process. Evaluate how the process flows through the steps.
Are the process steps effective? Do you see roadblocks or issues?
Notate and follow audit trails you find with the relevant personnel. Observe their work. Look for things that are not as they should be.
Training, skills and competencies are always a potential area for improvement. Training and competency is vital and you should always review whether training could be improved.
Pay particular attention to newer employees or people who do not demonstrate good skills or competencies. Put people at ease, so they are not nervous.
If there are people who do not seem to be “up on their game” note their names and review this with the training process owner.
Review Linkages & Interactions
Linkages and interactions with other processes are always important. As you audit the assigned process, you will see how it connects and interacts with other processes. As you audit, also audit the relevant links to related processes and support processes.
These would include the input hand over from the previous process and the output hand over to the next process. It should include interactions with relevant supporting processes, such as training, quality, maintenance, calibration, record and document control, etc.
Review the Process
To audit, walk through the sequence of the process from start to finish. Review the same sections, sequence and details as described above. This is why preparing and organising is important.
Audit the notations and questions you documented and organised into a logical flow. Simply work through the pages and paths you identified. If you see something interesting, you can follow that trail to see if it leads somewhere.
If all is well, return to your notes and continue where you left off. If the trail leads to issues, follow through.
Performance is often best proven by looking at how well the output of Process A satisfies the input requirements of Process B.
For example: how often does Process B have problems with customer data entered on the system, how many customer complaints have arisen due to inaccurate or late information being entered?
If there is a documented procedure in place, it should define the process and the steps to be taken to ensure the objectives are achieved.
Review the Findings
Mark findings and issues as you go. When you finish auditing, you should have a collection of various findings to review.
Organise the notes you made, these findings need to be reported to management. As you audited, you should have noted the issues and potential improvements you observed.
These should have been marked clearly so you are now able to quickly review and capture them as you write the report.
When you have completed the audit, you will usually have “findings”. Findings can be both problems and opportunities for improvement.
Review your notes and collect the findings into the audit report. Audit teams should review findings with the lead auditor and/or management representative as it important to calibrate the findings and the review also acts a learning process.
If there is disagreement over some findings, the Lead Auditor has the final vote!
Prepare the Report
A good summary report is the output which is the value of the audit. It deserves an appropriate amount of attention and effort.
Your summary report should describe findings objectively, provide objective evidence to support the findings, and determine whether they should be classified as Corrective Actions, Preventive Actions, or Opportunities for Improvement.
Too often, the audit report only recites back facts and data the managers already know. The value is in identifying issues and opportunities they don’t know!
This summary should be reviewed first with the Lead Auditor, then the Process Owner and Management Team.
Make final revisions, and file the final audit report and all supporting audit materials and notes.