Friday, 10 September 2010

Advice for the First Time Internal Auditor

Internal auditing is one of the most vital tools for continual improvement, and as such, this tool is intended to provide Top Management with objective, fact-based information upon which strategic decisions may be based.

One of the most important requirements of an internal audit is that it is fully focused on assessing the effectiveness of the processes that are inherent to the quality management system. Where such processes are found to be deficient, the audit will ultimately lead to improvement in those processes, since a non-conformance in a process is, more often than not, to do with a failure to comply with the relevant standard or procedures.

Why do Internal Audits?
Clearly, the purpose of internal auditing is to measure the effectiveness of the quality management system and its associated processes and the auditor’s role is to gauge how well this system is functioning through the gathering of objective evidence. The auditee will often be a processes owner; they are the experts of that process and as such will provide an invaluable insight into the mechanics of that process.

The auditor is there to verify that the processes are documented, implemented and understood. He will also seek confirmation that the processes complies with the necessary requirements, that the process is effective and that it continually improves.

The Human Aspect of Auditing
Good auditors realise very early on that they are dealing with personalities as much as processes and systems. Whilst the intent of the audit a serious one, often light humour, politeness and diplomacy are the best ways to build rapport. It is vital that every effort is made to reassure those being audited that its primary function serves as a tool for improvement and not to name and shame.

If you new are new to auditing, acknowledge this fact, be open and honest. It is also important that you explain to those being audited that they are free to openly express their views during the audit. Remember that you, the auditor, are also there to learn.

Always discuss the issues you have identified with the people being audited and always provide guidance as to what is expected in terms rectifying any non-conformances or observations that you have raised. Let those being audited know that they are welcome to read your notes and findings; the audit is not a secret. Be careful not to be drawn into arguments concerning your observations and it is never appropriate to name people directly in the audit report, if you do, people automatically become defensive.

Preparing for the Audit
Preparation is the key to a meaningful audit, and as such, you should have an audit schedule and a well defined audit plan for each process. Be sure to communicate the audit plan to all parties involved as well as Top Management so that they are aware of the audit, this helps to reinforce your mandate.

The audit schedule should be a living document and should not be cast in stone but instead, it should be allowed to evolve organically with the needs of the business.

Always review previous audit reports and non-conformance reports and check that any previous corrective actions are still operating.

Six Elementary Audit Questions
Often these basic audit questions will help guide the audit in the right direction since they will often unlock the doors to information the auditor requires in order to accurately assess the particulars of a process.

- What are your responsibilities? (5.5.1)
- How do you know how to carry them out? (6.2)
- What are the objectives of your processes? (5.4.1 & 7.1.a)
- What is the quality policy and where is it found? (5.3.d)
- How do you know which documents to use and whether they are correct? (4.2.3)
- What outputs does your process create and how are your records maintained? (4.2.4)

Define what you want to measure; decide how are you going to measure it and decide what objective evidence should be provided to convince you that an activity is performed in accordance with the process. An audit of your key quality management activities will always be more relevant and produce more meaningful results than a simple procedural audit.

Download a free internal audit checklist example courtesy of ISO 9001 Checklist.

ISO 9001 templates for sale from £27.50 here:

ISO 9001 Document Control Procedures - Advice for Auditors

The document control procedure (4.2.3) and record control procedure (4.2.4) are usually the first of the six mandatory procedures to be initiated when implementing an ISO 9001:2008 quality management system.

A robust document control process invariably lies at the heart of any compliant quality management system because almost every aspect of auditing and compliance verification is determined through the scrutiny of documented evidence. With this in mind, it becomes apparent that the ongoing maintenance of an efficient document management system must not be overlooked.

Difference between Documents and Records
What does ISO 9000:2005 tell us about the difference between documents and records and furthermore; why it should matter?

The standard tells us that documents are considered as being information (e.g. specifications or procedures) and its supporting medium (e.g. paper or electronic). The standard implies that over time these documents will evolve as new information supersedes old and that change must be managed. Documents are active and dynamic.

Records, on the other hand, are more static since they are historical in nature. They are the documents that state the results of activities undertaken in accordance with the product realization, measurement, analysis and improvement processes (e.g. calibration logs and non-conformance or corrective action reports). They also provide evidence that an activity was performed in the manner specified (e.g. inspection records).

Requirements for Controlling Documents and Records
What does ISO 9001:2008 tell us about ensuring compliance with the principal requirements of document control procedures?

Clause 4.2.3 tells us that an organization must control the documentation required by the quality management system and that a suitable document control procedure must be implemented to define the controls needed to; approve, review, update, identify changes, identify revision status and provide access. The document control procedure must clearly define the scope, purpose, method and responsibilities required to implement these parameters.

ISO 9001:2008 does not define how an organization should format its documentation, since most organizations maintain a consistent corporate image, it is expected that any corporate format will suffice.

Similarly; Clause 4.2.4 demands that an organisation must implement a documented procedure to define the controls needed for the identification, storage, protection, retrieval, retention and disposition of records and that these records must remain legible and identifiable throughout their retention period.

It is acceptable to combine the control of records procedure with the document control procedure but care should be taken not to obscure the differences between records and documents.

What’s so important about Records?
Records are an important organizational asset; they provide the primary route for evidence based verification and traceability, and are able to demonstrate compliance with customer requirements. Records also prove the efficacy of the quality management system.

Delivery of such records to a client is often a contractual and legal requirement. In certain industries, such as civil engineering, assurance records become a fundamental point of reference when determining compliance with the intended design as well as helping to satisfy the requirements prescribed by building control authorities and the health and safety executive. These records are demonstrative of a contractor’s duty of care and that the end product is fit for purpose.

The Document Control Function
The document control function is an administrative management activity and operates on the frontline by ensuring compliance with Clause 4.2 and the associated document control procedures and record control procedures. Generally, the document control function should have a direct report to the Quality Representative.

Remember; keep it simple and allow the process owners to write or revise the documents they need. Use the document control function to apply formatting and revision changes as well as distribution and retention. It is best to interpret the requirements as they apply to your company; there is no hard and fast method.

Looking for document control procedure advice and interpretation?

Please check out our documentation management solution.