by Denise Robitaille
As with any other process, auditing requires planning, definition, consistent implementation and control to be effective. Without these features, auditing is a resource-draining waste of time.
Internal auditing is one of the elements that makes your quality management system (QMS) complete. It fits snugly into the "check" component of your plan-do-check-act (PDCA) cycle. Internal auditing isn't a haphazard or optional occurrence that you tolerate to maintain certification. It's an assessment tool that provides a reliable indicator of the integrity of your organization's system and processes and their capacity to support your goals.
Audits help you to identify problems, risks, good practices and opportunities to better serve your customers. The information garnered from well-conducted audits is a company asset that far outweighs the modest investment in time and training. The manner in which the organization values and uses this asset is partially dependent on how audits are performed.
Executive management, through visible support and allocation of resources, has primary responsibility for ensuring the effectiveness of the internal audit program. Auditors have the responsibility for good stewardship of management's support, as demonstrated by their commitment to good auditing practices and the production of meaningful audit reports. The person in charge of the internal auditing program asks management to support the endeavor. In exchange for the trust and confidence implicit in this support, auditors strive diligently to provide valuable information that management can utilize for strategic planning and other decision making.
What follows are some of the practices that will help your organization reap benefits from its internal auditing program. Although the comments are directed primarily at the first-party (or internal) audit, most of the tips are equally valid for second- and third-party audits.
Make sure that the audit schedule and the defined frequencies reflect your organization's needs. You must give appropriate consideration to criticality of activities, identification of areas that are more subject to change or to turnover of personnel, and processes that have experienced problems or breakdowns. Review your audit schedule periodically and revise it based on these considerations.
If you have a mature product line and no new hires in recent history, assessing training more than once a year is a redundant paper exercise. Conversely, if you handle a lot of customer-owned materials, and their requirements vary significantly, ensure that those activities are included in the schedule at a greater frequency.
Once you've established your audit schedule, stick to it. Don't get into the habit of revising dates and moving audits off to the next month to accommodate other people's priorities. As long as you allow it, some individuals will always find a way to put you off. Acceding to procrastination perpetuates the impression that auditing is an "extra" task to be performed only when time permits. This mindset devalues the process and minimizes the organization's ability to derive useful and timely information.
Have an audit plan. Probably the single best reason to have a plan and to communicate it is so that you can tell people in advance when you'll be in their area. It's common courtesy. This goes a long way toward dispelling the witch-hunt mentality with which people usually perceive the arrival of an auditor. Failing to alert process owners of planned audits carries other negative consequences. As long as individuals feel that an audit is a surprise attack designed to catch them in error, they'll conceal problems. They won't look upon the audit as a fact-finding event designed to foster a culture of improvement. They'll look upon it with the dread of miscreants afraid to be punished for their transgressions—even though they've probably done nothing wrong. Problems recur cyclically because they're covered up out of fear of punitive action.
Efficiency is another reason for having an audit plan. It saves time. The auditor has a sequence that makes the audit flow smoothly and logically from input to output through a series of processes. Effective planning brings an element of lean to the auditing process. It minimizes the backtracking and repeat visits that eat up precious time without adding value.
Review the documents that describe the processes you'll be auditing. This helps you to frame the questions you'll be asking the auditee, and ultimately will promote more comprehensive answers. Reading the documents ahead of time also helps you distinguish the most critical requirements and the points at which ownership of a product (or process) changes to a new person or function.
Review the last audit report and any corrective action requests that emerged. This will help you to assess if things have improved or if a problem has persisted or gotten worse. If your corrective action process is well-linked to your internal audits, you can verify the implementation and effectiveness of corrective actions as part of the audit process. This applies to all corrective actions, regardless of origin. One of the areas in which this is particularly useful is in verifying the results of supplier corrective actions. Through the questions that you ask, you can augment purchasing staff's understanding of the verification process. This helps them to discern if the response they've received from a supplier actually provides evidence of an effective action plan. Without such verification, all the purchasing department really has is evidence that the supplier can fill out a form. Opportunities for learning and improvement are lost.
Easy questions an auditor might ask are: "How do you know that the plan worked?" "Have you asked them to send final test reports for the last orders they've shipped us so we can review them against our own records?" In this way, the auditor furtively drops hints that increase other individuals' comprehension of how the organization's QMS works to improve their processes—in this scenario, through the effectiveness and productivity of supplier relationships.
Prepare a checklist. Even if your organization uses canned checklists, it's important to prepare and revise them, based on the documents you've reviewed, so the audit trail you map out is complete. This also helps you to develop questions so you don't waste time, and it serves to keep you from meandering outside of the scope of the audit.
Regardless of whether this is an internal or an external audit, there's no excuse for ignoring good audit practices.
Conduct an opening meeting. For a third- party certification audit, this is a fairly formal event with a whole list of items that must be covered: scope, purpose, standard, duration, schedule, confidentiality and nondisclosure agreements, rules for reporting nonconformities, safety equipment, escorts and the appeals process. For an internal audit, it's appropriate to have an abbreviated version that outlines what processes are being audited, how long you expect the audit to take and the individuals you may wish to interview. Arriving in an area and beginning the audit without some initial remarks or a simple greeting only serves to increase tension and the likelihood of alienating those who can facilitate a productive audit.
Pay attention to how you ask questions. Here are a few pointers to remember.
• Bear in mind at all times that auditees weren't hired to answer your questions. They're paid to do their jobs, so they probably won't be quoting text verbatim from a procedure. They should be describing their process in a way that lets you understand it, and that demonstrates how well they understand it.
• Ask open-ended questions, as opposed to the kind that will get only yes or no responses. Give the auditee an opportunity to explain what she does. The person will provide more complete information if she isn't being steered toward the auditor's preconceived notion of what the answer should be.
• Ask how the auditee does his job. You're not just trying to verify that something is done; you want to verify that it's done correctly—as defined. Reading a report on nonconforming product will tell you something wasn't done right, but assessing the process will help you pinpoint what went wrong.
• Remember to use documents to help you frame your question. This lets you determine if the documentation accurately reflects the requirements of the process.
• Don't be afraid to repeat or restate your question. Sometimes we need to come at a subject from a different angle. Restating a question helps the auditee to grasp what you're trying to ascertain.
• Give the process owner time to answer. Be patient. He may be thinking. Don't assume that a delayed response is an indication that the person is lying or making stuff up.
• Ask what happens next. Avoid quality speak. If you're trying to determine what the output of a process is, simply ask, "What happens next?" Asking a customer service technician, "What's the output of the process" will probably get you a blank stare followed by an awkward moment in which you'll get the sense that you've just made her feel incompetent—which isn't the case. She knows perfectly well that when the order is entered in the database, it next gets routed to the scheduler, who confirms the ship date so that the order can be acknowledged to the customer.
• Suggest a scenario and ask, "What would happen if…?" This will help you verify how well the process is controlled if there is a deviation or if something goes wrong. It will also help you assess the effectiveness of communication and the definition of authority and responsibility. Does the person know what he is authorized to handle, and what incidents require input from a supervisor?
• Ask why. People who do tasks mindlessly, without understanding the reason for the activity, are less likely to be diligent in ensuring that the process is consistently and correctly implemented. It's hard to care about something that makes no sense.
• Listen to the auditee. Practice your listening skills. Are you hearing what the person is saying, or what you anticipate her answer to be? Listening is facilitated by the simple practice of looking directly at the person who's speaking. Not only do you remain better focused, you convey to the other person that you're interested in what she has to say.
• Write down the answer so you don't forget. Also, record the evidence you've assessed. Take copious notes. This provides the foundation for the audit report and it also allays any confrontation. The auditor doesn't need to defend his conclusion. All that's needed is a reference to the evidence upon which the observation is based.
• If you're writing while the person is speaking, make sure that she knows it. Say, "I'm listening to you, but I need to write this down." If you get the sense that the auditee is afraid that your report will result in punitive action, explain why you write things down. My favorite line goes something like this: "I have a brain like a sieve. If I don't write things down, I'll forget, and I won't be able to do my report."
• Always make sure you tell the auditee if you're planning to report a nonconformity uncovered in his area. This goes back to the fear of punitive action mentioned earlier. No one likes to be blindsided two days after an audit by a report that appears to say that he screwed up. Tell the person what will be reported and provide reassurance that the intent is to make the process better for everyone.
• Never leave an area without saying, "Thank you."
The report doesn't have to be lengthy, but it should convey a balanced summary of the status of the organization audited. It should mention good practices that have been observed, risks that have been perceived and problems that have been identified.
The audit report should include the following:
• Date of the audit. When did the audit take place? This provides evidence that audits are being conducted in accordance with the established audit schedule. If management wants to know what resources are being expended, it's also appropriate to record the duration of the audit. How much time and money is the organization spending on internal auditing?
• Areas audited. If the company has multiple locations, this is even more important.
• Standard used. For a third-party audit, it's generally a QMS standard, e.g., ISO 9001, ISO/TS 16949, ISO 13485, etc. For internal audits, it's usually a list of the internal documents associated with the functions and activities audited. Examples would include procedures, work instructions and detailed travelers.
• Lead auditor and audit team. If there's only one auditor, that person is the lead.
• Persons interviewed . This provides evidence that the persons who answered questions were actually the process owners who have responsibility for the activity. It's not uncommon for people to try to be helpful and answer an auditor's question even it's not part of their regular jobs. Sometimes the auditor finds out too late that she wasn't speaking to the right person. What you hear is a manager saying, "Francine doesn't take care of patient intake, so she wouldn't know where those forms are kept."
Recording names of persons interviewed helps auditors provide objective evidence that they've fulfilled the requirements of the auditing process.
• Good points. An audit isn't an attempt to observe a collection of bad processes. Therefore, an audit report should also mention good points that were observed. "The newly developed design software is facilitating the control of new projects," "The records show evidence that operators have had training on the CNC machine" or "The corrective action tracking system is better able to calculate the cost of nonconformities and the money saved when problems are solved" are examples of this.
• Nonconformities. When writing up findings of nonconformity, it's important to be clear and complete. What is the actual nonconformity? What is the standard that defines the requirement? What evidence did you use to conclude that there was a nonconformity? A well-articulated nonconformity statement should provide enough direction and clarity that the process owner can use it to initiate root cause analysis and eventually develop a viable corrective action plan.
• Observations (also called opportunities for improvement). It's appropriate for auditors to make statements about perceptions of risk or the identification of a process that may not be controlled as well as it should be to prevent problems. They shouldn't specifically say something is wrong but should intimate what might go wrong. Like nonconformities, observations should be tied to requirements to allay the misconception that they are just ideas that the auditor thought up.
Following these basic audit practices should ensure that the information management gets is accurate, reflects the status of the organization and is detailed enough so that it results in good decisions. This is what makes audits effective. Anything less is a meaningless paper shuffle.
Denise Robitaille is an RABQSA- certified lead assessor, ASQ-certified quality auditor and a member of the U.S. TAG to ISO/TC 176. She's the author of numerous articles as well as The Corrective Action Handbook , The Preventive Action Handbook, The Management Review Handbook and Document Control, all published by Paton Professional. Robitaille also writes "The Standard Answer" column in Quality Digest's Inside Standards e-mail newsletter. Visit http://qualitydigest.com/standards/index.lasso to read recent columns or subscribe for free.