The best way to internally audit

All too often, internal audits are done because ISO 9001 says they have to. Benefits of the programme are lost in the rush to make sure that each documented procedure is followed to the letter and internal audits become a ritual. Such audit programmes not only fail to meet the specific ISO 9001 requirements, but they also miss the opportunity for improvement. Steve Coles explains a better way.

Planning

First, decide why you are going to audit and agree with senior management how the organization is going to benefit. If the management system doesn’t already look at the organization as a system of interlinked processes, now is the time to sit down and develop a process map, working from the mission and objectives set by management down to a level you feel is manageable to audit.


Don’t worry if your process map doesn’t fit the system documentation, because now you’re going to audit the organization, not just the paperwork.

If you want to demonstrate compliance with ISO 9001, now’s the time to draw a matrix with the requirements on one axis and your processes on the other; put a tick in the intersections where a process meets a requirement or a cross where you feel a requirement needs to be addressed. Check for any obvious gaps and then check the detail to make sure you are meeting the standard (on paper, anyway). Any remaining crosses become audit findings before a single checklist has been ticked.

Prioritise the processes you’ve listed and develop your schedule. Be realistic and plan for the resources (people and time) you actually have and remember, you don’t have to cover everything every year.

Finally, each audit should have a sponsor, somebody with authority for the relevant process(es).

Auditing

Agree the terms of reference (ToR) with the sponsor, with ideas from both the auditors and sponsor; you develop your checklist from the ToR. Your checklist is to be your guide to ensure you cover all relevant areas, but it should not become a document where you have to rigorously complete every box.

When auditing, it’s useful to realise there are only five basic audit questions to ask:

  • What are you trying to achieve? Establish what the auditee is actually setting out to do; is this in line with the organization’s objectives?
  • What are you actually doing? Have the auditee describe (or show) you the process; try to let them describe it in their terms although, at times, you will need to ask direct questions (this is where your preparation and checklist will help).
  • Are you meeting your objectives? Look for evidence to support the above responses.
  • Why are you doing this? This is the check against the formal system and procedures; if you’ve done your preparation, you’ll already know what the answer should be, but this is the opportunity for the auditee to demonstrate that he/she is working to the system.
  • Could you do it better? Get ideas for improvement – discuss your own and try to get agreement.

Reporting

Keep plenty of notes during the audit but don’t make the report a running commentary. People are far more likely to read (and act on) a short report than a long one – a long one gets put in the pending tray to await time to read it — time that rarely comes.

As a minimum, a report only need record the scope and a statement regarding compliance. However, it becomes much more valuable as a tool to initiate improvement so consider:

  • the title (and audit reference number if you use one)
  • a brief statement of the ToR
  • a list of the people involved (auditors, sponsor and auditees interviewed or observed)
  • a short narrative summary of the audit
  • a list of improvement opportunities; be precise in what was found and why it should be addressed, recommend what should be done (if you feel confident and competent to do so) and rank them for criticality or priority

Get agreement on the report from the auditee and sponsor before formally issuing it. If they don’t agree to the findings and recommendations then that’s the end of any opportunity for improvement. Depending on your management system, you may add the agreed actions to a tracking scheme. It’s then over to the sponsor to act.

The end

Looking at the requirements of ISO 9001, clause 8.2.2, we’re now in a position to verify that:

  • what is being done is what is planned to be done
  • the system meets the standard
  • the system is meeting the organization’s objectives
  • it is effectively implemented
  • with due regard to criticality and, where the system is not meeting the requirements, we’ve recommended corrective actions.

Most importantly, we’ve focused on the organization’s needs and moved beyond just ticking the box. You can start to feel like you’re making a real difference.

About the author

Steve Coles has worked as an independent quality management consultant for some 20 years, primarily in the upstream oil and gas sector where he has provided services to companies ranging in size from just five employees to large multinationals. He has been involved with the development, refinement and operation of various auditing schemes, each with a focus on providing improvement rather than just ‘ticking the box’.

 
