Internal auditing, when effectively implemented, can arguably be considered the most important tool in the quality system tool box. It’s the primary method for continuously monitoring a company's quality management system (QMS). In fact, the feedback from internal auditing is critical to the growth of the QMS.
Through an audit, an organization can identify a system’s ineffectiveness, take corrective action, and ultimately support continuous improvement. Unfortunately, a poorly deployed internal auditing system can lead to increased, nonvalue-added costs, many hours of wasted resources, and an eventual, inevitable QMS breakdown.
So, what sets apart an effective, well-executed internal auditing system, and how do you know if you have one? After 10 years of conducting third-party audits, I’ve surmised that the difference between the most and least effective QMS depends on the strength of management’s support of the auditing process.
Management must buy into the fact that the internal audit process is just as critical and important an activity as any other process within the QMS. An internal auditing system must have the commitment of senior management. Without their approval, support, and encouragement, the internal audit process is doomed for failure and worse–time and money wasted.
When scheduled audits are routinely postponed, management is sending a clear message, “Auditing is a low priority, and we only perform them because it’s a necessary evil.” It’s remarkable to me that some companies that have been ISO-registered for 10 years or more still fail to demonstrate the QMS maturity one would expect. In these cases, it always comes back to management understanding and supporting the internal audit process and its powerful value. Ironically, these same organizations can't understand why, over time, their QMS fails.
Consequently, companies that understand and support their internal audit systems sharpen their QMS edge. Their internal auditors have acquired the skill to identify a system’s effectiveness as well as ensure compliance. These companies have progressed and understand the subtlety of continuous improvement.
How? It's simple. The more committed senior management is to the success of its QMS, the better and more effective that system is likely to be. But, this is only the first block of the quality system foundation.
What happens, for instance, when senior management demonstrates or even encourages QMS participation and continual improvement while customer feedback paints a contrary, unfavorable picture? In other words, what must be done if customer concerns climb while internal audits aren’t recognizing and defining the cause(s)? What are the grounds for this disconnect?
There could be many possible reasons, however, in almost all cases, the root cause of constantly failing to identify and eliminate QMS nonconformance can be found in an underdeveloped internal audit process. The following are some of the most common pitfalls to poor and ineffective internal auditing deployment:
Pitfall No. 1: Not understanding the definition of, and not basing audits on, status and importance
Status and importance can be interpreted differently, but their intent is often misunderstood.
Status can be defined as how a particular department, discipline, facility, or process is performing against established policies, goals, objectives, and expectations. Some questions to ask when considering status include:
What are the performance indicators for an area, group, or department reflecting?
What does the performance history indicate?
Have these indicators been the result of root cause corrective actions? Are they recurring?
Have there been changes in process, equipment, personnel, or management?
Has the area or department been restructured or reorganized?
If the performance history of a given department, process, or group is meeting established expectations, then its status can be considered healthy. Remember, everything needs to be considered on a case-by-case basis, according to the size and type of the organization. The management representative or the process owner of internal audits ultimately makes that determination.
Importance is an entirely different aspect, yet it is still directly linked to status. Assume that those performing a final inspection process have found no nonconforming product, and the goals and objectives of the process are consistently meeting expectations. Therefore, one could ascertain that the status of the final inspection process is operating as expected and all is well. If nonconforming product is distributed, the customer is the next in line to receive it. The importance is with respect to the power to produce an effect—nonconforming products will not ship out.
Therefore, concentrate on the areas that are critical (importance). Increase the internal audit focus on areas that are the root cause or otherwise not performing to expectation (status). This is especially true when companies implement new departments, processes, or initiatives (i.e., lean manufacturing, Six Sigma projects, etc.). During these situations, time is usually a major concern to get things operating as soon as possible. Then it's the auditing of the general implementation and functionality of the new system, area, or process that becomes an importance. (Its status will unfold, as it’s monitored and measured.)
When scheduling internal audits, consider other aspects such as:
What’s been the past performance history?
Are there new employees, equipment, or management?
How effective is the training system?
What do past audit results indicate?
How critical is that area?
Truly effective audit schedules concentrate on potential, not just obvious, shortcomings or weaknesses. Utilizing control plans along with related design or process failure, mode, effect, analysis (FMEA) can also be helpful as a guide to aid in identifying critical areas. The key is to focus the audit schedule on the areas that are or could potentially be a root cause for nonconforming situations as well as areas critical for maintaining product conformity.
The audit schedule is a living document and should be revised as appropriate. The individual responsible for scheduling audits should be fully aware of management review output data; customer, internal, and supplier concerns; and organizational infrastructure changes.
Pitfall No. 2: Ineffective internal audit scheduling. If status and importance aren’t properly understood, then this pitfall is sure to follow.
Audit schedules must reflect the reality of the QMS. A third-party auditor expects to see an internal audit schedule that reacts to the organization’s key performance indicators.
In reference to status and importance, processes that fall below expectations must receive internal audit attention. Processes that meet or exceed expectations do not necessitate audit focus.
When a third-party auditor examines an audit schedule that never changes, is never revised, that neatly lists each process just once with all processes given equal weight, that appears more like a decorative pattern on a calendar rather than a thought-out living document. This is a clue that the internal audit process is probably not understood and not being utilized to its fullest potential.
Perhaps, the worst practice is when a company takes the "granddaddy" audit approach. This tactic generally involves scheduling a full-system audit of the entire QMS just once or twice a year. There is so much ineffectiveness and inefficiency with this practice that it’s easier to just list the few positive aspects. Besides the fact that there is virtually no consideration given to status and importance, this practice of infrequent internal audits is also statistically unsound. It’s not possible for management to conduct an effective management review of the QMS based on the sample of one or two grand-system audits. Conducting only two full-system audits is the equivalent to sitting down at Thanksgiving, eating the entire meal, and then not eating again until Memorial Day. No one, of course, could eat just two huge meals twice in one year and expect to be suitably nourished. It’s the same when developing the internal audit schedule. Audits should be spread out so that audit activity is “digestible” to the organization, not overwhelming it.
Full-system audits pose other problems as well. It absolutely places strain on all resources involved—auditors and audited alike—and it’s also a major disruption to the operation. When such an endeavor is undertaken, the focus of the audit tends to lose itself under the enormity of the task. Full-system audits don’t allow the auditor to concentrate on the specific aspects of the process. The scope of a full-system audit is so wide that inconspicuous and subtle nonconformances may exist and be easily overlooked.
When developing the audit schedule, consider the following:
Focus on the “climate” changes within the QMS (i.e., keep abreast of customer feedback, new employees, new equipment or processes, quality initiatives, new departments, root cause areas of concern, etc.).
Try short-duration, highly-concentrated audits in lieu of long, drawn-out audits where focus is prone to be lost. Consider weekly audits (for 30 to 60 minutes) instead of auditing on a monthly or quarterly basis. This method is much easier to manage, takes less time, increases focus, and is much less disruptive.
Utilize a wide variety of trained internal auditors. In fact, some of the best auditors are new employees or the employees that have no clue of the area, function, or process that they are auditing. These individuals ask simple, childlike questions and aren’t satisfied until they understand the answers provided. These are the types of auditors that ask the “why?” question at least five times, which almost always leads to revealing the underlying root causes.
Use a checklist only as a guide and ensure it’s based on a process approach. Otherwise, if the checklist becomes the basis of the audit, it can become stale in a short period of time. Admittedly, checklists are great for first-time auditors to generate an audit trail. Just be careful not to rely on them solely, as they tend to keep the blinders on and generally don’t allow the auditor to think outside of the box.
Rotate auditors to keep the system fresh. Spread them around. Take advantage of new thoughts, perspectives, and ideas. Share the audit results with the entire organization as a lessons-learned exercise; one person’s corrective action could be someone else’s preventive action.
Consider scheduling additional activities such as corrective action effectiveness validation, customer web site examination (to ensure customer-specific requirements are current), and assessing company statutory/regulatory requirements, if applicable.
Pitfall No. 3: Internal auditors not effectively utilized
Auditing is an acquired skill just like playing a musical instrument, cooking, or playing golf. Simply put, the more one audits, the better and more comfortable they become with the auditing process. Honed auditing skills shortly follow. It’s a wasted opportunity when a company invests time and money to train their audit team and yet uses them on a minimal basis.
Consequently, it’s also equally beneficial for the audited to be engaged in the audit process as well. The more one is exposed to the auditing process, the less intrusive and threatening the process becomes.
Pitfall No. 4: The internal audit and the corrective action process are not timely.
Many audit schedules I’ve assessed allow the internal audit team a wide time allowance to complete a scheduled audit. Typically, if an auditor is given a month to complete an audit, then it will be a month (or more) before that audit is complete. You know the saying, “Give an inch, take a mile.”
Effective audits are scheduled to take place during specific days and conclude within specific weeks, at most. Any time extension only dilutes the effectiveness and importance of the system. Even worse, when corrective action responses are equally relaxed, the timeframe between initial audit schedule, deployment, finding and response can be spread out so far that the audit’s effect is completely nullified.
Pitfall No. 5: Internal audits don’t reflect a process-based approach.
When ISO 9001 was released, there was much emphasis placed on the requirement for conducting audits using the process approach. This requirement’s original intent was to focus the audit on assessing process effectiveness (including interface activities with other processes). This was a departure from focusing solely on element/clause compliance.
Unlike third-party auditors, many companies didn’t pursue formal ISO 9001 training and hence never fully grasped the intent nor understood process-based approach auditing. In fact, some companies still don’t fully understand their process inputs and outputs, process sequences and interfaces, and process monitoring and measuring. As a result, this has created a disconnection between the third-party auditor and the organization. Organizations that are still struggling with the process-approach concept are highly encouraged to pursue formal training or consulting assistance.
The bottom line is that internal auditing is a cornerstone of the QMS—a vital tool to identify and improve the effectiveness of the QMS. With the advent of the process-based approach to auditing and process-layered audits, its value and importance has been significantly raised. Management reviews simply cannot be effective without effective internal auditing and reporting.
The pitfalls mentioned in this article represent only some, not all, ineffective auditing practices. If an internal audit system is disciplined to the point that it’s supported by senior management, carried out as scheduled, and coupled with effective corrective and preventive action in a timely manner (as required by the standard), then the benefits will justly be realized—through continual improvement and customer satisfaction.