During the last two decades, enlightened business leaders began to move their organizations' operations beyond independent, departmentalized activities into integrated business processes. Realizing that serialized hierarchies, which throw products and services from one department to the next, are bureaucratic and wasteful, these leaders quantified the high costs of tollgate inspections and adversarial interdepartmental relationships and deemed them obsolete. Instead, they formed successful cross-functional process teams that take responsibility for their specific operations.
This break from traditional management practices turns away not only from organizational enemies such as redundancy, problem solving (because enlightened companies pride themselves on avoiding problems altogether) and adversarial rivalries but from some old friends as well. In vertical organizations, employees can count on someone a step below them to shoulder the blame when outcomes prove less than optimal. Likewise, usually someone a step above can serve as a shield from the bullies on mahogany row. And, typically, a separate department buffers customers from defects inadvertently passed along the hierarchy.
In organizations positioning themselves as leaders in the new millennium, process owners are responsible for their own work as well as to their teams for ensuring that products or services are defect-free and compliant with all stated and implied requirements. These organizations are removing past buffers and introducing new methods to ensure that internal problems don't become customer problems. For as proficient as we may become with process control, the human dynamic will always introduce as much operational deviation as tool wear or late supplier deliveries.
Successful, team-based organizations must find nonconfrontational ways to minimize process variation and human dynamics productively, thereby producing winners and winners instead of winners and losers.
Because many successful quality management systems use ISO 9000 as a launching pad, this article will examine internal auditing from that perspective. But even without an ISO 9000-based quality management system, internal auditing can help companies evolve a team-oriented culture. Internal auditing represents a departure from traditional, detect-and-punish auditing methods that quality professionals have used since the Industrial Revolution.
Assessing processes, not people
ISO 9000 recommends that a company document its successful processes in a way that all process owners can understand, then operate within those process procedures to implement objective methods that ensure employees follow procedures. This is commonly paraphrased as "write down what you do, do what you write down and make sure you are doing it." The standard suggests a program of ongoing, nonconfrontational internal audits to guarantee conformance compliance. The same truism applies to any quality management system.
Internal auditing is a proactive process of identifying whether documented procedures are being followed and are effective. It means co-workers helping co-workers achieve process efficacy, as opposed to quality cops "writing up and shooting down" violators. Internal auditing proponents constantly demonstrate that refining processes is much easier and more cost-effective than punishing people.
Unlike most conventional conformance monitoring, internal auditing goes beyond providing statistical failure data; it sets the stage for a culture of continuous improvement. When a process is continually audited for conformance, ineffective procedures are identified and replaced, process anomalies are uncovered and corrected, and operators are engaged in refining their own processes. Properly implemented, internal auditing is one of the most effective tools of incremental improvement available today.
The most effective auditors have a little bit of Sherlock Holmes imbedded in their makeup. They can follow a clue and develop a deductive analysis of a given situation.
Internal auditing basics
An internal audit appraises processes to determine if they are operating within their documented procedures and are effective for their stated intent. Let's dissect this straightforward definition to clarify its intent and meaning.
Process appraisal -- An appraisal means rendering an expert judgment of something's value or merit. From an internal auditing perspective, appraisal means methodically examining a business process. The examination begins by asking those who perform the process regularly to explain, in their own words, how the process works. Their statements are compared with the written process procedures, and compliance and deviations are noted. Next, the trail of paperwork or electronic data generated by the process is examined to determine whether it follows the written procedures' intent and is consistent with the process operators' verbal explanations.
If all three steps yield positive results, an internal auditor has evidence that the process is operating in accordance with its documented purpose. Any discovered deviations are noted as discrepancies -- or "findings" in ISO 9000 parlance. Findings are documented as "should be" and "are" conditions and usually categorized as major or minor in nature.
For example, an internal auditor might document the following during an audit: "Procedure 5.01, Document Control, states that 'all reproduction requests are approved by a supervisor before being presented for processing by the document clerk.' Document clerk stated that she sometimes signs the requests when a supervisor is busy. Examined 15 documentation requests and found four that were not signed; three were approved by the documentation clerk."
In the example, the auditor read the procedure being audited, interviewed the person who usually operates the process and searched for objective evidence that the process was being followed as it was documented. The audit documentation contained only a factual statement of observations and evidence.
After noting the "should be" and "are" conditions, an auditor forms an expert opinion about the process's effectiveness for the purpose stated in the written procedure.
Effectiveness for stated intent -- The most effective auditors have a little bit of Sherlock Holmes imbedded in their makeup. That is, they can follow a clue and develop a deductive analysis of a given situation. This trait is key to assessing the effectiveness of what was observed during the audit and to presenting an objective body of evidence supporting why the process can be judged effective or ineffective for its stated intent. Let's look at the previous example in terms of purpose:
"Procedure 5.01, Document Control. This procedure controls the issuing of documents used to manufacture our products. Due to our products' critical natures, precise document control is essential to ensure our customers receive only the most current revisions of our product."
A well-trained internal auditor would analyze the deviation from the procedure noted earlier, read the purpose stated in the written procedure and conclude that the deviation is more significant than a few missed signatures. A single procedural lapse is considered minor, but findings that represent a lack of required procedure or breakdowns in the quality management system would be categorized as major.
The example's process variation obviously is critical to business success. It should be categorized as a major finding because precise document control is stated as "essential," not just a check-and-balance exercise, and the process was clearly ineffective in its current state. A process breakdown may stem from a procedure that is ineffective for the stated intent, too cumbersome to be followed every time it's used or from insufficiently trained process operators.
To determine which of these options is truly the case, a corrective action request is issued to the process owner, and an in-depth investigation is performed. To guide those who will examine the deviation and recommend corrective action, the internal auditor must provide an expert opinion of whether the audited process, on evidence, meets its stated purpose.
Now that we've examined internal auditing components, we can more precisely define it as the objective appraisal of business processes by analytical observers who are chartered only to uncover objective evidence of process effectiveness.
The internal auditor
Perhaps internal auditing's most dramatic departure from classical quality training is its corps of auditors. Effective internal auditors often come from ranks other than the quality professional's. Recruited from all segments of the work force, they are selected because they are passionate, caring, analytical process operators who claim ownership for the outcome of their work.
Viable internal auditor candidates work in warehouses, clerical pools, accounting and sales. Their most critical attribute is a relentless desire to see their company succeed; everything else can be taught. Internal auditors are selected from cross-functional segments of a company so they are not placed in the compromising position of auditing areas in which they are team members.
Ideally, every employee would be an internal auditor because performing internal audits of other departments or processes enriches auditors' understanding of their organizations' strategic vision and makes them more valuable employees in their own fields. Unfortunately, human dynamics enter into the equation again, and some of us who are judgmental in nature or uncomfortable prying into other people's business don't make viable auditors. Candidates will succeed best when trained by a qualified internal auditor and after witnessing well-conducted audits.
Conducting internal audits
As with every aspect of quality management system implementation, no single prescribed approach to internal auditing is universally effective. Internal auditing must fit a company's culture and take into consideration business size and environment. In very small companies, every employee could be trained to be an internal auditor. Some large companies require a separate internal audit group, very much like financial auditors. Still other organizations find it cost-effective to use consultants as paid "internal" auditors. The chosen approach remains irrelevant to the training, however; effective internal auditors follow the same steps, regardless of their functions within their organizations.
Whatever the plan to conduct internal audits, it's essential to keep in mind that their only purpose is to verify that the company follows its own procedures. When conducted correctly, these compliance audits differ from classic financial and quality audits because they are non- confrontational and designed specifically for objective procedural evaluation.
An internal audit begins with a definition of the process being audited. Continuing with the previous example, this would be defined as Procedure 5.01, Document Control. During the second step, the audit team -- a synergy of minds is essential for objectivity and to keep audits focused on their missions -- develops an audit checklist, which would likely include the following:
Is there evidence that manufacturing documents are controlled?
Is there evidence that customers are receiving only the latest documents?
Are all reproduction requests approved by a supervisor before being processed?
The third step involves scheduling the audit with the process owners at a mutually agreeable time and with enough advance warning for them to prepare. Again, this should be a win-win scenario, not a pop quiz. The audit team usually asks the process owners to appoint a spokesperson. In larger organizations, the team may randomly pick more than one person to interview.
The employee being interviewed describes the steps detailed in the written procedures. This person should exhibit an understanding of the procedure's purpose as well as its content. The process representative walks auditors through the process and provides an audit trail of objective evidence to support the explanation.
Returning to the document control example, after discovering the checklist's third item wasn't being followed, auditors would have concluded there was no objective evidence that supported compliance to checklist items one and two.
During an audit, deviations from procedure are noted on the checklist and afterward documented as nonconformities in an audit report. They are then incorporated into a corrective action request and forwarded to the process owner. These reports describe the process breakdown and ask the recipient to answer three questions: What was the actual problem? Why did it occur? and What steps will be taken to prevent recurrence?
At this point, internal auditing diverges radically from traditional quality audits and inspections. For one thing, the responsible manager is asked to diagnose a problem with a process, not to find faults with staff. Also, establishing a problem's root cause is only the beginning. The process owner must then demonstrate that steps have been taken to preclude recurrence of the same or similar process problems. During a well-run audit, a closed-loop system of cause, effect, root-cause analysis and corrective action is followed to its practical and cost-effective conclusion, i.e., defect resolution and future defect prevention.
When a company contemplates or implements a process-based value delivery system, it should consider internal auditing as an effective conformance monitoring and control mechanism. With an ISO 9000-based quality management system, internal auditing is fundamental to successful implementation. Well-performed internal auditing identifies process inadequacies, while formal corrective action allows process owners to perform effective root-cause analysis to discover underlying causes of process deviations. Follow-up and re-auditing will ensure that costly problems don't recur. As Gen. George Patton said, in a different but still applicable context, "I only want to pay for this real estate once!"
About the author
Tom Taormina is managing partner of Productivity Resources LLC. As a consultant in ISO 9000 and strategic quality improvement, he has developed seminars on ISO 9000 for Productivity Inc. and the American Productivity and Quality Center.
Taormina, a certified quality manager, regularly writes, trains and speaks on quality and management topics. He is the author of Virtual Leadership and the ISO 9000 Imperative (Prentice Hall, 1996). His new book, Internal Auditing to ISO 9000, will be published by Prentice Hall this fall. He can be contacted by fax at (702) 847-7930 or e-mail firstname.lastname@example.org.