Does Your Organization Really Benefit from Internal Audits? Time for a Change?

Hopefully you are still seeing findings like 'Not following a procedure' when you do what you call effectivity audits as well, somewhere in the goal of auditing needs to include compliance.

I actually do understand and agree with what you are saying but I believe that a checklist is a good way to train new auditors. There is no reason why a checklist can't be used as a reminder for the auditor to to take time to understand what objectives are in place and to ensure that the objectives are being met and that actions are being taken when they are not being met. And also understand how that all works to benefit the company.

My concern with all this is that Quality professionals tend to make things more difficult by speaking in terms of complaince and effectivity audits. To me it's "INTERNAL AUDITS" and part of the internal audits should ensure the company is both compliant and effective. I hope you are not taking my opinions as being negative. What you say makes sense to me and I plan to take some of this discussion to my audit teams. Thanks.....

goodtimes said:

My concern with all this is that Quality professionals tend to make things more difficult by speaking in terms of complaince and effectivity audits. To me it's "INTERNAL AUDITS" and part of the internal audits should ensure the company is both compliant and effective. I hope you are not taking my opinions as being negative. What you say makes sense to me and I plan to take some of this discussion to my audit teams. Thanks.....

Click to expand...

If the QMS has been designed such that compliance is built into the documentation (hence the processes), you can audit processes without direct reference to the standard. If a process complies with your internal documentation--and is effective--but doesn't comply with ISO 9001, something is seriously wrong with the design of the system, not with the processes. IMO, if you find yourself in a position where you have to reference ISO 9001 in order to justify the existence of a nonconformity, you're missing an important point, which is that the QMS should be designed first and foremost with the needs of your business in mind, and compliance with the standard should be a secondary consideration.

Added in edit: Think of it this way: do you operate your processes in a controlled manner because "ISO says" you must, or because it's the only sensible way to do business?

Believe me, first and foremost we want to make money and have happy customers. I believe our company sees the benefit of ISO but if we felt we had to do something to meet the standards requirements that would sacrifice that....there would be issues.

QMS should be designed first and foremost with the needs of your business in mind, and compliance with the standard should be a secondary consideration. We did not have a well defined QMS before ISO and it's hard for me to believe that many companies did. We performed very well without it but ISO help us to structure ourselves and stay focused on what we feel is important. Our QMS and ISO were built together.

Thanks for the input.....more good stuff!!!

Goodtimes:

No, I didn't see anything negative in your posts - quite the reverse, actually! I was delighted to see someone interested in auditing for effectiveness.

I would take a different perspective about the use of checklists tho'. Checklists are, in many ways, used as a crutch to a crumbling audit program, where hapless auditors are given imprecise audit tasks, for which they've only had 2-5 days of classroom training (if they're lucky) and then often no previous knowledge of the process they're going to audit (in the name of independence). The auditor defaults to simply asking the checklist questions which are pre-ordained without the benefit of knowing what the answer should be......result? A (poor) compliance based audit.

Checklists are, as I've posted before, like a shopping list. Each shopping trip is slightly different, although often the basics are purchased - depending on the 'scope' of the audit - the content is somewhat different. You can't use the same shopping list every time and, with an inexperienced shopper, (teenager for example) you'd have to write very specifically what you wanted them to get. When they don't come back with what you wanted, who's responsible?

I'd suggest that coaching auditors, while a lengthy process in some cases, is far, far better than arming them with a canned shopping list. Getting them to create their own, while being coached on planning is much more effective.

You mention the "scope" of the audit. I have a 3 year audit plan. Basically I plan to cover all processes a minumum of once in a three year period. Unless of course there has been a change in the status/importance of that process or if there have been an unusal number of customer complaints. I've created a matrix that consists of all of our processes and I've identified what elements of the standard apply. My auditors are supposed to use that matrix, review the standard and applicable internal documentation, then create their checklist. Additionally I have quarterly meeting to discuss things such as effectiveness/conformance auditing. I do stuggle with how to identify the scope of the audit and why it would be different from one time to the next.

goodtimes said:

You mention the "scope" of the audit. I have a 3 year audit plan. Basically I plan to cover all processes a minimum of once in a three year period. Unless of course there has been a change in the status/importance of that process or if there have been an unusual number of customer complaints. I've created a matrix that consists of all of our processes and I've identified what elements of the standard apply. My auditors are supposed to use that matrix, review the standard and applicable internal documentation, then create their checklist. Additionally I have quarterly meeting to discuss things such as effectiveness/conformance auditing. I do stuggle with how to identify the scope of the audit and why it would be different from one time to the next.

Click to expand...

Oh, man. And there I was thinking you'd got something new and exciting to offer us in the way you do audits! My bad, and I don't mean to sound critical, but why, why, oh, why have a three year plan? Do you use a crystal ball? I don't even know in my own life what I'm going to be doing in the next year! None of us can reasonably predict what's worth auditing in anymore than about the next 6 months! Business is too dynamic to 'fit' your schedule. I guess if you want to keep changing the schedule, but I have better things to do!

Adjusting the audits based on customer complaints is too reactive! Water under the bridge, too darned late - it got out, it affected the customer - shame on you! An effective audit program (not a 'plan') senses when things are not performing, have changed etc. and goes to review what's going on, so the impact is mitigated (from the customer's POV) as soon as possible. It's dynamic...........and covering all the requirements every three years is a waste of your time, frankly....sorry to be blunt!

If you are having a problem identifying the scope of an audit - there's a clue to the ineffectiveness of audit program planning! The scope of an audit is what you want the auditors to focus on! It's often not the whole process that causes problems, or is changed or is new. It's a part of it. That's the scope you want to go after, in your audits.

I bet you've never had your CB auditor comment about your audit plan - why, because they are flattered that you're emulating what they do! Indeed, you're doing their work for them!

By the same token, what would your management team tell me if I called them to ask "what benefit they get from internal audits"? (if I promised not to tell you what they said!)

BTW - internal auditors don't need to know what elements of the standard apply where. They need to know 1) the objectives for the process, 2) the process and 3) what results the process gets. Then they can audit to see if the process is being controlled effectively to confirm the numbers are credible. It's no use - IMHO - filling their heads with 'ISO'. I know they probably got trained that way, but they didn't attend my class (when I ran them) and its really not necessary for them to rely too heavily on that aspect. They do, however, need a better than basic understanding of the 'blocking and tackling' of an effective management system!

I hope I didn't bruise anything........honestly!

Friends,

Great thread! Great posts!

Stijloor.

Wow...it's been nothing but bad weather here in Ohio and I haven't had time to respond. But here goes....

Why have a 3 year plan?....First of all, no crystal ball is used here. I don't actually look forward three years and decide what to audit. I base the number of audits I plan to do each quarter by taking the number of processes we have and spreading them over a three year period. We have approx. 32 activites, I'd like to look at each of them at least once in a three year period which means I need to plan a minimum of 3 audits per quarter. I look backwards at my schedule to determine what processes have not been audited within the three year period. No process should go on forever and not be audited.

I also plan audits each quarter based on the status and importance of the activities as well as customer compliants. I agree that auditing based on customer complaints is reactive but no company gets by without some customer complaints. Therefore, I feel that it is always a good idea to take a look at what those complaints are and determine if there is a problem area that I should audit.

The scope of my audits are basically the same each time. Inputs/outputs, elements of the standard that apply and objectives and measures and taking appropriate actions should always be looked at.

If you plan to ask management what benefit they get from internal audits, please also ask them what benefit they get from being ISO certified. Believe it or not I once suggested that we drop our certification and continue our internal audits and invite customers to audit us to see if they feel we have a good QMS in place. In all fairness, I do understand that this is not really a good option for many reasons but I think it's a good question.....

What do you think of the idea to give checklist/questions to auditee/s before the compliance audit ?

By this way, we give them time to prepare necessary documents, quality records, etc. beforehand. Because audit is not a sort of exam. We just want to control whether things were done according to standards, procedures and other company requirements. And also I think this will reduce auditee's stress and thus audit time (finding out documents among bunch of folders, calling up someone knowledgeable etc.)

Chatman said:

What do you think of the idea to give checklist/questions to auditee/s before the compliance audit ?

By this way, we give them time to prepare necessary documents, quality records, etc. beforehand. Because audit is not a sort of exam. We just want to control whether things were done according to standards, procedures and other company requirements. And also I think this will reduce auditee's stress and thus audit time (finding out documents among bunch of folders, calling up someone knowledgeable etc.)

Click to expand...

I have no problem giving auditees information about what to expect during the audit. If you are using a checklist there is nothing wrong with giving them a copy.

During the audit though, I don't want them to decide what documents and records they will show me. If they show me evidence that they've carefully checked over before the audit, I may not find issues that need to be addressed. I always want to be in control of the sample so that I can collect evidence representative of what is actually going on in the system.