We invite your comments on the write-up. Thanks.
Dr. Divya Singhal
&
Keshav Ram Singhal
AUDIT TYPES
Audits are categorized under three types:
• First party or internal audit
• Second party or supplier audit
• Third party or certification audit
First party or internal audit: First party or internal audit is conducted by the organization itself (or conducted on behalf of the organization) for management review and other internal purposes. It is an internal management tool. People within the organization generally conduct this type of audit. First party (internal) audit may form basis for self-declaration of conformity to management systems. Many organizations in the world are now stopping third party certification. Internal audit is a mandatory requirement of ISO 9001:2008 QMS Standard.
Second party or supplier audit: Second party or supplier audit is conducted on supplier or organization (excepting customers) by parties having an interest in the organization (such as customer), or other persons on their behalf. Such type of audit provides a vendor assessment facility for an organization as it audits its supplier to assess their suitability for future or continuing contracts.
Third party or certification audit: Audits conducted for certification fall in this category. An assessment to achieve certification to the ISO 9001:2008 QMS Standard would fall under this category. Third party (certification) audit is conducted by external, independent auditing organization (generally known as certification body or registration body).
Who is the customer for audit?
ISO 9000:2005 defines customer as “the organization or person that receive a product.” Accordingly, a customer may be a consumer, client, end-user, retailer, beneficiary and purchaser. Customer with respect to different audit situations may be as under:
• First party audit customer: Management Representative, top management and the auditee department.
• Second party audit: Typically the purchasing department of an organization, who use the results of the audit as a basis for supplier qualification.
• Third party audit customer:
Contractual customer: Organization interested in certification or the certified organization, next time different perspectives: Management Representative, Top management
Ultimate customer: Those who purchase or receive product from the organization. (The certification body should never loose sight to this point and the body should act in the interest of the ultimate customer.)
Value-added audit situation
Value-added internal audit should be useful to the auditee, management representative and top management.
• To the auditee: by describing areas of weakness (i.e. noncompliance of requirements) and by promoting a better understanding of the organization’s quality management system or environmental management system.
• To the management representative: by having an overview of the organizational processes and interactions, by promoting a better understanding of internal supplier / customer relations, and by stimulating better communication between functions (i.e. breaking down interdepartmental barriers).
• To the top management: by verifying effective deployment of policies and objectives throughout the organization.
Value-added third party audit should be useful to the certified organization (or organization seeking certification), to the organization’s customers and to the certification body in the following manner:
• To the certified organization: by providing information to the organization’s top management regarding organization’s ability to meet strategic objectives, by identifying problems (if resolved, will enhance the organization’s performance) and by identifying improvement opportunities and possible areas of risk.
• To the organization’s customers: by enhancing the organization’s ability to provide conforming product.
• To the certification body: by improving the credibility of the third party certification process.
What is an internal audit?
Internal audit is used as a tool to monitor and determine the health of the quality management system implemented in the organization. The findings of internal audit can help in initiating appropriate measures. Internal Audit is used to measure the effectiveness of an organization’s quality management system. The ISO 9000:2005 Standard defines audit as “systematic, independent and documented process (set of interrelated or interacting activities which transform inputs into outputs) for obtaining audit evidence (records, statements of fact or other information which are relevant to the audit criteria and verifiable) and evaluating it objectively to determine the extent to which audit criteria (set of policies, procedures or requirements relating to audit) are fulfilled.”
Accordingly, we can come to following conclusions:
• An audit is a systematic process.
• An audit is an independent process.
• An audit is a documented process. There must be a documented procedure.
• An Audit is conducted for obtaining audit evidence.
• An audit is conducted for evaluating audit evidence objectively.
• An audit determines the extent to which audit criteria are fulfilled.
Organizations, implementing ISO 9001:2008 quality management system for certification / registration, periodically go through two types of audits:
1) Third party audits by certification/registration body, and
2) Internal audits.
Internal audit is called first-party audit. It is conducted by the organization itself or conducted on behalf of the organization. Internal audit is self-audit by the organization and generally conducted by its own auditors. Internal audit can form the basis for an organization’s self-declaration of conformity.
Internal audit is a systematic process. A process is defined as set of interrelated or interacting activities, which transforms inputs into outputs. Accordingly, audit evidences are inputs to internal audit process and audit results are its output. Audit results become the input to management review process (Please refer to clause 5.6.2 of ISO 9001:2008.)
INTERNAL AUDIT REQUIREMENTS
Internal audit requirement are mentioned in clause 8.2.2 of the ISO 9001:2008 Standard. The purpose of internal audit is to ensure that the quality management system of the organization conforms to the planned arrangements to the requirements of the ISO 9001:2008 Standard and the quality management system requirements established by the organization. The purpose of internal audit is also to ensure that the quality management system is effectively implemented and maintained in the organization.
Requirements of the ISO 9001:2008 Standard with regard to internal audit are as under:
• The organization needs to conduct internal audits at planned intervals. Accordingly, frequency of internal audit is to be decided by the organization. The International Standard has not stipulated any time period.
• An audit programme must be planned taking into consideration of the following:
• The Status and importance of processes,
• Areas to be audited, and
• Results of previous audit(s).
• The organization must define audit criteria, scope, frequency and method.
• Selection of auditors and conduct of audit must ensure objectivity and impartiality of the audit process.
• Auditor is not allowed to audit his own work.
• The organization is required to define in a documented procedure the responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records.
The management responsible for the area being audited must ensure that actions are taken promptly to eliminate detected nonconformities and their causes. Follow-up activities must include the verification of the actions taken and reporting of verification results.
Nonconformity
ISO 9000:2005 Standard defines nonconformity as “non–fulfillment of a requirement”. Accordingly, non-fulfillment of need or expectation (stated, generally implied or obligatory) is termed as nonconformity. In simple terms, nonconformity is something that did not go according to plan. Nonconformity is a deviation from the requirement. Nonconformity provides improvement opportunity to the organization.
Why may internal audit useless?
Ellen Willoughby (Management Consultant and Owner, All About Quality, Northampton, UK) says, “The main reason internal audits are useless because they are being carried out to a check-list that is designed against the Quality Management Standard you are working to and not your business.”
Adding value to QMS Internal Audit
Felix Dlamini, a Project Manager in Swaziland, says, “Focusing on specific areas or clauses of the standard to which the internal audit is conducted is one way of increasing the understanding of the requirements of a QMS and to ensure the organization complies. This however requires that the internal auditors are competent and are able to bring together related concepts within a standard even if they appear on different clauses of a standard.”
Madhavi Shrivastava, a Quality Management Professional in Houston, USA says, “Often it happens that external auditors are able to find gaps and improvement areas but internal audits portray a highly satisfactory picture of QMS.” She suggests a few points that can increase value addition of internal audits: (1) Senior management and management representative are successful in creating a climate where internal audits are valued and taken seriously by all. (2) QMS objectives and targets are linked to business results. And internal audits are able to bring out what is the trend of improvement of key business processes. (3) Internal auditors are selected, trained and coached well to conduct a useful audit. Compliance verification is the basic requirement but as time progresses auditors need to go beyond that to keep QMS really adding new improvement.
Important point we believe that an internal audit requires internal auditor(s) that should be well trained in auditing techniques and knowledgeable in effective, improvement and cost reduction methods to provide value added results. Most organizations that are certified to ISO 9001:2008 QMS Standards use organization’s internal auditors who do internal audits on an as needed basis. Training and conducting audits is such a small amount of their job that they never have time to tune and improve their audit skills. Employees often get promotions, get busier, or may even leave the organization. All of these circumstances cause organizations to be in a constant internal auditor training mode, leading to ineffective audits costing money each year, which normally are not resulting in a positive result. When an experienced, trained staff conducts audits for a living, which is well trained, and very knowledgeable about improvement methods and techniques, then the internal audit will result in a positive outcome. The internal auditor must undergo training each year to ensure continuing to improve his knowledge and skills. Every internal audit must provide results in opportunities for improvements and/or preventive actions, which will reduce risks, increase customer satisfaction, reduce costs, improve product and service quality, and much more.
We give below a few tips by which internal auditors will be able to add value. Internal auditors should use PDCA methodology for conducting internal audit. It can be done by proper audit planning, using audit techniques that should focus on processes and results, obtaining and reporting objective audit findings and carrying out follow-up for eliminating nonconformance. Accordingly, it is better for the internal auditor to use following tips:
• The internal auditors should understand the intent of ISO 9001:2008 QMS Standard, expectations of the top management towards continual improvement and corporate culture
• The internal auditors should peruse the output from previous audits (both internal as well as external) to identify any specific issue or concern still requires improvement
• The internal auditor should understand what are customers’ and applicable legal requirements
• The internal auditor should seek adequate time for auditing
• The internal auditor should focus more on the process, process performance and results.
• The internal auditor should remember eight quality management principles and use of PDCA approach to evaluate the process effectiveness – (i) Whether process planning carried out? (ii) Whether the process carried out according to the process planning? (iii) What are the expected results? (iv)Whether expected results are being achieved? (v) What is the nonconformance?
• The nonconformance identified by the internal auditor should be based on an objective evidence
• The internal auditor should provide adequate opportunity to correct the nonconformity
• The internal auditor should make effort to identify root causes of problems
• The internal auditor should not see who is responsible – rather consider why and what caused the problem (please see here-in-below note in this regard)
• The internal auditor should adopt a ‘holistic’ approach while gathering objective evidence during auditing
• The internal auditor should analyze the finding and relate to the organization’s ability to provide product that meet customer and applicable legal requirements
• The internal auditor should report audit findings
• The internal auditor should also emphasize positive findings as appropriate
• The internal auditor should consider solution/correction proposed by the auditee in response to the ‘negative finding’ (nonconformance)
• The internal auditor should carry out process audit by following the path the auditee takes to carry out the process
Rob De Leur, Process Risk Advisor at Amsterdam, Netherlands is of the opinion that the internal audit often brings to little serious input for improvement and says, “I am auditing now for almost 20 years and think that a lot (most) of the internal audits performed don't bring much for the management. Auditing is a profession and when you do this now and then with all the good effort, it results to many times in some non-conformity that can't really improve the system or the organization. Too many times the internal auditor is happy when he/she finds something and then the management of course always react 'great job'. When I do my ISO9001 audits combined with the approach and principles of risk management, then we are really talking serious auditing (and clients also confirm). My opinion is not negative but too many times realistic. I am sure that a good professional executed internal audit can be of great help.” Dominador, Jr. Garrovillas, Audit and Systems Compliance Manager in Philippines says, “We use the RFR approach, i.e., we write first the Requirements, second the Findings, and lastly the Risk to the business.” (From a discussion in ‘ISO 9001’ group at linkedin.com)
Do not see who is responsible. Rather consider why and what caused the problem or nonconformity
When you observe a problem or nonconformity, do not see who is responsible. Rather consider why and what caused the problem or nonconformity. When you consider why and what caused the problem or nonconformity, you may find:
• There was inadequate training.
• Applied procedures were unrealistic.
• Resources were insufficient.
• There was not enough time for doing things properly.
• There may be a better way of doing things.
What is most important? Find out fundamental cause of the nonconformity and stop it from happening again. We need to ask “WHY? WHY? WHY?” We should not ask – WHO?
WHY? WHY? WHY?
Why should we consider “WHY? WHY? WHY?” question? The simple reason is that we may be able to find root cause of the problem. The following examples may clarify this technique.
First example
• WHY was there nonconformity in the design department?
• “Because Mr. Jain did not follow the procedure.”
• WHY did not Mr. Jain follow the procedure?
• “Because Mr. Jain never received training.”
• WHY did not Mr. Jain receive the training?
• “Because Mr. Jain was on leave at that time.” Or “Because the department head did not relieve Mr. Jain for the training.”
• WHY did not the organization management realize this, and train him later?
• “Because the organization management or department people do not foresee this in the SYSTEM.”
Here we find that there is an area of improvement.
Second example
• WHY was there nonconformity in the manufacturing section?
• “Because Mr. Desai did not follow the procedure.”
• WHY did not Mr. Desai follow the procedure?
• “Because Mr. Desai did not have the right equipment.”
• WHY did not Mr. Desai have the right equipment?
• “Because our organization does not have a preventive maintenance plan.”
• WHY did not the organization have a preventive maintenance plan?
• “Because preventive maintenance plan is not in the system.”
Here we find that there is an area of improvement.
Third example
• WHY did not things go according to plan?
• “Because Mr. Sharma followed the procedure, even though he knew the procedure was wrong.”
• WHY did Mr. Sharma follow the procedure?
• “Because the procedure was a documented procedure and Mr. Sharma was scared to get nonconformity!!” Alternatively, “Because that is the easy way out, he followed documented procedure.” Or “Because then Mr. Sharma cannot be blamed.”
Here we find that there is an area of improvement.
It is not “value added”
We should understand that “Value-added” is NOT making the audit more difficult by adding on additional requirements. The auditor should not add additional requirement, which is not required. We should also understand that “Value-added” is NOT making the audit too easy, so nobody believes in the results of the audit.
Value added auditing aims to add value, the organization will find useful. Value added auditing encourages result-focused systems, with minimum bureaucracy. Value added auditing helps to identify strong and weak points and focus on the ways to improve. Value added auditing provides CONFIDENCE that the quality management system is king and the organization is providing CONSISTENT, QUALITY PRODUCT to its customers.
ISO 9001 Auditing Practices Group
The ISO 9001 Auditing Practice Group is an informal group of quality management system (QMS) experts, auditors and practitioners drawn from the ISO Technical Committee 176 Quality Management and Quality Assurance (ISO/TC/176) and the International Accreditation Forum (IAF).
The group has developed a number of guidance papers and presentations on various QMS auditing topics including the following:
• The need for a two- stage approach to auditing
• Measuring QMS effectiveness and improvements
• Identification of processes
• Understanding the process approach
• Determination of the ‘where appropriate’ processes
• Auditing the ‘where appropriate’ requirements
• Demonstrating the conformity to standard
• Linking an audit of a particular task, activity or process to the overall system
• Auditing continual improvement
• Auditing a QMS which has minimum documentation
• How to audit top management processes
• The role and value of the audit checklist
• Scope of ISO 9001: 2000, scope of Quality Management System and defining scope of certification
• Value- added Auditing
• Auditing competence and the effectiveness of the action taken
• Effective use of ISO 19011: 2002, Guidelines for quality and/or environmental management systems auditing
• Auditing statutory and regulatory requirements
• Auditing quality policy, quality objectives and management review
• Auditing the control of monitoring and measuring devices
• How to add value during the audit processes
• Guidance for reviewing and closing nonconformities
• Auditing internal communication
• Auditing service organization
• Third party auditor impartially and conflict of interest
• Auditing the effectiveness of the internal audit
• Auditing electronic based management systems
• Auditing the management of resources
• Auditing customer communications
• Auditing the design and development process
• Documenting a nonconformity
• Auditing Preventive Action
• Auditor code of conduct and ethics
The above mentioned guidance papers and presentations on various QMS auditing topics are very useful for auditors for adding value to their audit. These guidance papers and presentations can be downloaded from the website of International Accreditation Forum.
Training of internal auditor must be a regular process
Internal audits require a staff that is well trained in auditing techniques and knowledgeable in effective, improvement and cost reduction methods to provide value added results. Most organizations, implementing ISO 9001:2008 QMS Standard and also certified to ISO 9001:2008 QMS Standards, use organization’s internal auditors who do internal audits on an as needed basis. Training and conducting audits is such a small amount of their job that they never have time to tune and improve their audit skills. Employees often get promotions, get busier, or may even leave the organization. All of these circumstances cause organization to be in a constant internal auditor training mode, leading to ineffective audits costing huge amount of money each year, which normally are not resulting in a positive ROI. Experienced, trained staff when conduct audits for a living, they must be well trained, and very knowledgeable about improvement methods and techniques. They should undergo training each year on regular basis to ensure they continue to improve their knowledge and skills. Every audit they conduct must result in opportunities for improvements and/or preventive actions, which will reduce risks, increase customer satisfaction, reduce costs, improve product and service quality, and much more. Training of internal auditor must be a regular process in an organization implementing ISO 9001:2008 QMS Standard.
Courtesy:
- Reference Guide to ISO 9000 Certification, K. R. Singhal, 2000
- Implementing ISO 9001:2000 Quality Management System – A Reference Guide, Divya Singhal and K. R. Singhal, PHI Learning Private Limited, New Delhi, 2008
- ISO Website
- IAF Website
- IRCA Website
- Website - http://allaboutquality.net
- Group discussion at http://www.linkedin.com
Authors' Note: Suggestions to improve the article is invited. Thanks.
1 comment:
Thanks...
Post a Comment