Internal auditing

Is internal quality auditing really necessary? Jim Wade doesn't think so. He believes that, as it is typically practised under the ISO 9000 regime, internal auditing leaves a lot to be desired. Mike Oak disagrees. Here, two sides of the debate air their views.

Does internal quality auditing
do more harm than good?

I have had the opportunity to ask people from hundreds of ISO 9000 certified organizations how they would describe internal quality audits. Many people view these audits as an imposition, a waste of time, and even a necessary evil – that is to say, they wouldn’t do it if they didn’t need the certificate. Experts in the field would argue that these reactions are caused by audits not being carried out properly. However, I’d like to ask:

  • If so many people dislike its effects, maybe the real problem is not so much that it isn’t being done properly but the fact that it is being done at all
  • If internal quality auditing is not a good thing, just how far can we go towards eliminating it while still meeting the requirements of ISO 9001?

I believe that internal quality auditing (as commonly practised) is not such a good thing. It encourages deployment of the wrong resources in the wrong place at the wrong time. An audit is one example of a check. The purpose of a check is to determine to what extent things are going to plan. In the case of internal quality audits, the focus is on checking the implementation of product realisation plans and the achievement of business objectives. The intention is to answer the question: ‘Are things going to plan?’

But here we run into the major flaw behind these audits – timing. Internal audits apply checks too late, disconnected from the normal business cycle. If the shortcoming is so important to the business, wouldn’t the effort to discover the problem have been better utilized in the process that produced it?

What we realize is that there are pools of people who are not only independent of the process but who are also well motivated to discover and fix problems. These people are internal or external suppliers and customers. These groups are more likely than internal auditors to be in a position to commit to any necessary corrective action and process improvement activities. So, for example, key people from a manufacturing process, actively and formally involved in a product design process, would not only serve the purpose of checking whatever needs to be checked to ensure readiness for manufacturing, but would also be able to do something about any issues in a timely way.

Imagine that we are dealing with an organization headed by people who really take seriously the management principles that underpin ISO 9000. Specifically:

  • continual improvement
  • process approach and system approach to management
  • leadership and involvement of people

So we can see how, in the case of committed management, routine checks are in place. Management is also systematically checking that the system is fully effective.

Through taking these sorts of actions, the organization already meets the internal audit requirements of ISO 9001 without the need for after-the-fact audits. There is one exception - ensuring continued compliance to ISO 9001. This can easily be kept apart from the activities needed to meet those other requirements by having a separate procedure.

By Jim Wade

Jim Wade is a director of Advanced Training and the driving force behind the Business Improvement Network. Visit www.bin.co.uk or contact him on e: jim.wade@a-t.co.uk


Internal audits have, by necessity, changed over recent years. Ten years ago audits tended to be carried out simply as a requirement of the standard, and were often just ‘tick-box’ exercises. As the standards themselves have evolved and organizations lean more towards business excellence and continuous improvement, so too has the nature of audits. It is perfectly feasible, in modern organizations, for quality auditing and other self-assessment programmes to be combined and integrated. For example, since there are now such close parallels between ISO 9001 and the excellence model, there is no reason why the results of an internal audit could not contribute to the findings of an excellence model self-assessment, and vice versa. The internal audit, therefore, can be closely linked to continuous improvement principles of, for instance, plan, do, check, act and can represent both the planning and checking stages.

Internal auditing is not always welcomed. There tends to be a fear of the consequences of the findings and general apprehension about the whole process. The reason for this is usually a general lack of understanding of the purpose and rationale behind the concept. This can be changed quite simply by communication and education. It is important to explain, prior to the audit, that the purpose is not to find faults but to identify areas for improvement and examples of good practice. This will result in a greater level of cooperation and even sometimes enthusiasm for the process. In support of this, of course, the entire organization needs to understand and take responsibility for the quality requirements.

Clearly, auditors need to be trained in every aspect of the standard or quality management system they are auditing against. If, for instance, the quality system is fully integrated across various standards then the auditors should be fully conversant with this. Auditors are effectively agents working on behalf of management, particularly in large organizations with multiple sites. They should have the skills to interpret the data they gather and its effect on the future of the organization, as well as the ability to communicate these findings in a manner that adds the appropriate value.

By Mike Oak

Mike Oak is an independent business improvement consultant. Contact Mike on t: 07825 041286 or e: mike.oak@ntlworld.com

 

 

Did you know that the IRCA discussion forum contains a current debate on internal auditing? Add your comments to the existing discussion of internal auditor competence and ISO 9001 requirements. It is free to register.