Category Archives: Internal Audit

Internal Audit Schedule Part 3 – How To’sday!

Risk Based Internal Audit Schedule

The past two “Toolsdays” have explored various options for generating an internal audit schedule. This week, I wanted to spend a little dedicated time on what is called a “Risk Based Audit Schedule”. There are versions of this found out in the Interwebs, and frankly – I think most of them are just too complicated for most companies. If you’re a multinational aerospace company or deal with medical device directives then yes, by all means, investigate and ensure you’re doing all you can to mitigate risk by every means necessary.

But for most of us, simply adding the concept of risk to the management system is a huge gain for very little effort. This is especially true for those who are ISO 9001 registered. Starting with the audit schedule and going through the process of determining risk is a stepping stone to finding opportunities for improvement in every area.

While the concept of Risk has been in place for some of the other ISO standards, notably ISO 13485 for Medical and the Aerospace standards (AS9100 et al.), it is new to ISO 9001 – or will be, when the next version arrives in 2015.

Companies will likely be searching for ways to incorporate risk awareness into their management systems. The Internal Audit Schedule is a common-sense early target.

What is Risk?

Risk-based Internal Auditing is a method that considers the intersection of Likelihood and Consequence to help determine where, and sometimes how, audit resources are put into play: resources in terms of time, frequency and auditor expertise.

Risk Determination

Basically, if in a given process something catastrophic could result and it is likely to occur, then it will be given a higher priority and prime resources over a process where catastrophe is unlikely.

Consider the process of welding support structures compared to stenciling the company logos on them.

The welding operation should receive more detailed, deep and frequent audits versus the logo-application process.

Sometimes, however, there may be a seemingly benign consequence – say a missing manual, but it is quite likely to occur. This should be given added attention (and a good investigation for process capability, as an aside).

Similarly, there may be an unlikely event with tragic consequences. Even though tight process controls and inspection steps nearly ensure detection of a weld error, because the consequence may be dire and tragic, this too is worthy of heightened attention.

Scoring Risk

Part of the process in creating a Risk Based Audit Schedule is generating a relative score for risk. This can be calculated based on likelihood and consequence.

If you’re familiar with FMEAs then this concept is familiar as well, but it can be simplified for our purposes. If you aren’t familiar with FMEA then – well, another day, my friend – another [Tues]day (okay, I made you a link to the Wikipedia entry – just make sure you come back!).

Basically we need a few pieces of information – or, technically, data:

  1. Function or Process
  2. What could go wrong
  3. A rating (L) from 1-10 of our confidence in the controls in place to identify or prevent the occurrence (10 being no confidence in detection or prevention)
  4. What will happen if that went wrong
  5. A rating (C) from 1-10 of that Consequence (10 being tragic)

This may take some doing and require a knowledgeable cross-functional team, but it is a worthy exercise for creating an audit schedule – and quite useful beyond that.

For each auditable area simply take the L and multiply it by the C to get a number – let’s call it “Ra”.

The Risk Based Schedule

With each process and its Ra score identified, we can lay down our risk based audit schedule. It should look something like this:

RBA basic sched

The higher the Ra score, the stronger the team and the more frequently it will be audited.

Naturally, yours will be fleshed out more, and you’ll define somewhere the compositions of the audit teams. “A” in this example would be your more experienced day shift auditors, “C” possibly an experienced night shift auditor, and “B” is a team with some trainees.
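To show the whole procedure end to end, here is a small script I’ve added for this write-up (it is my illustration, not Sal’s spreadsheet and not part of the original post). It takes the five pieces of information from the list above, computes Ra = L × C exactly as described, and then lays the processes out by quarter and team. The Ra thresholds for each tier, the audit frequencies, the team-to-tier pairing (A quarterly, C semi-annual, B annual) and the sample process list are all my assumptions for the sake of the example; the post shows the schedule as an image and does not give cutoff values.

```python
"""Risk-based internal audit schedule builder (added example).

Ra = L x C comes from the post. The tier thresholds, the audit
frequencies and the sample processes below are assumptions made for
this illustration, not values from the post.
"""
from dataclasses import dataclass

QUARTERS = ("Q1", "Q2", "Q3", "Q4")


@dataclass(frozen=True)
class Process:
    name: str            # 1. Function or Process
    failure_mode: str    # 2. What could go wrong
    effect: str          # 4. What will happen if that went wrong
    l_rating: int        # 3. L, 1-10: 10 = no confidence in detection/prevention
    c_rating: int        # 5. C, 1-10: 10 = tragic

    def __post_init__(self):
        # Ratings outside 1-10 would silently distort Ra, so reject them.
        for label, value in (("L", self.l_rating), ("C", self.c_rating)):
            if not 1 <= value <= 10:
                raise ValueError(f"{label} rating must be 1-10, got {value}")

    @property
    def ra(self) -> int:
        """Relative risk score: Ra = L x C."""
        return self.l_rating * self.c_rating


# Assumed tiers: (minimum Ra, audits per year, audit team label).
TIERS = (
    (50, 4, "A"),  # quarterly; experienced day-shift auditors
    (20, 2, "C"),  # twice a year; experienced night-shift auditor
    (1, 1, "B"),   # once a year; team with trainees
)


def tier_for(ra):
    """Map an Ra score to (audits per year, team) using the assumed tiers."""
    for min_ra, per_year, team in TIERS:
        if ra >= min_ra:
            return per_year, team
    raise ValueError(f"Ra out of range: {ra}")


def build_schedule(processes):
    """Rank processes by Ra (highest first) and assign quarters and a team.

    Annual audits are spread round-robin across the four quarters so the
    low-risk work does not all land in the same month.
    """
    ranked = sorted(processes, key=lambda p: (-p.ra, p.name))
    schedule = []
    annual_slot = 0
    for proc in ranked:
        per_year, team = tier_for(proc.ra)
        if per_year == 4:
            quarters = list(QUARTERS)
        elif per_year == 2:
            quarters = ["Q1", "Q3"]
        else:
            quarters = [QUARTERS[annual_slot % len(QUARTERS)]]
            annual_slot += 1
        schedule.append({
            "process": proc.name,
            "what_could_go_wrong": proc.failure_mode,
            "ra": proc.ra,
            "team": team,
            "quarters": quarters,
        })
    return schedule


def quarter_load(schedule):
    """Number of audits landing in each quarter (a quick sanity check)."""
    load = {q: 0 for q in QUARTERS}
    for row in schedule:
        for q in row["quarters"]:
            load[q] += 1
    return load


def covers_full_cycle(schedule, processes):
    """Every process must be audited at least once within the calendar year."""
    return {row["process"] for row in schedule} == {p.name for p in processes}


# Constructed sample data for the illustration (not from any real company).
SAMPLE_PROCESSES = [
    Process("Welding support structures", "cracked weld on load-bearing joint",
            "structure fails under load", l_rating=6, c_rating=9),
    Process("Logo stenciling", "logo smudged or misplaced",
            "cosmetic rework", l_rating=3, c_rating=2),
    Process("Document control", "manual missing from shipped unit",
            "customer complaint, reshipment", l_rating=8, c_rating=3),
    Process("Receiving inspection", "nonconforming material accepted",
            "defective parts enter production", l_rating=4, c_rating=6),
    Process("Information systems support", "backup job fails silently",
            "loss of quality records", l_rating=5, c_rating=7),
    Process("Internal audit function", "scheduled audit not performed",
            "gaps in the management system go unseen", l_rating=2, c_rating=4),
]

if __name__ == "__main__":
    for row in build_schedule(SAMPLE_PROCESSES):
        print(f"{row['process']:<30} Ra={row['ra']:>3}  team {row['team']}  "
              f"{', '.join(row['quarters'])}")
    print("Audits per quarter:", quarter_load(build_schedule(SAMPLE_PROCESSES)))
```

Running it prints the welding process at the top with team A in every quarter and the logo stenciling at the bottom with team B once a year, which is the ranking the welding-versus-logo comparison above calls for. The “missing manual” case (L high, C low) lands in the middle tier, so it still gets the extra attention the post recommends. Adjust the thresholds in `TIERS` to your own cross-functional team’s judgement; the `covers_full_cycle` check is there so that tuning them never drops a process off the year’s schedule.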

Those are the basics of creating a risk based internal audit schedule, and I hope it’s enough for you to sink your teeth into and run with it. Feel free to message me with questions, or leave a comment below.

Thanks again for listening, and now – please – go forth, and calibrate thyself.

Sal

Internal Audit Schedule Part 2 – How To’sday!

The internal audit schedule, covered partially in last week’s Toolsday, is something with which many companies struggle. We’ve covered how the various standards state the requirement and what is expected, along with some other considerations, such as whether audits should be done by an outside party, how they can be used to help prepare for formal auditor credentials, and what parts of the business should be included.

There are many styles and formats used in the wild to accomplish the task. Regardless of the format, the internal audit schedule will involve, primarily, some event occurring at some point in time.

Audit Schedule Event vs Time
Fig. 1

The events will be related to the requirements against which we are auditing; expressed perhaps as locations or documents or processes or some combination of these.

The time can be expressed as any calendar date, in any granularity that is consistent with the culture of the company. If I’m asked which time-frame resolution is best, and not given any other considerations, I will always say quarterly. Some corporate cultures dictate the schedules be defined down to the day – whatever works.

And, while you’ll not find any specific requirement for the time period in which a “full cycle” (the entire scope of registration) must be covered, the correct answer is “within a calendar year”.

Options to consider

Process-based

Typically, the best audit schedules are process-based. What is a process? The fairly common definition says it is something that has inputs and outputs.

ISO 9001 defines it as “set of interrelated or interacting activities which transforms inputs into outputs”.

Audit Schedule - Process vs Time
Fig. 2

Some processes are documented, some are not – the different standards each have requirements for what is to be formally documented and what is not needed to be.

The standard schedule looks pretty much like Figure 2.

Floor plan

This choice is an interesting one, and I like it. What it entails, simply, is to take a floor plan of the organization and section it off in slices of time. And this covers, in most implementations, about 80 percent of what needs to be covered – the rest earns an honorary position in the schedule (I will explain).

It is important to include all areas of the company; all buildings, including outbuildings and designated outdoor functional areas (storage, for example).

It is essentially a process-based audit, with a different way of illustrating it. So in this way, interrelated processes could easily be grouped together, especially if they are physically proximate.

This method makes it easy to see logistical inefficiencies as well, which is a nice bonus. While it makes sense to group Receiving, Incoming Inspection, and Stock Room, for example, if these blocks are scattered at the four corners of the map then a potential inefficiency becomes obvious.

Floor plan-based audits work best when there is a good balance between complexity and compartmentalization. If the processes are very complex, then they should be compartmentalized (there should be an inverse relationship between complexity and compartmentalization).

There are some areas, however, that need to be artificially, or “virtually”, added to the Floor Plan schedule, and these are processes which are not contained within a physical boundary. These would typically be support functions, such as preventive maintenance (in the case where there isn’t a dedicated department), or occasionally Information System support which is either performed by an outside provider or through a corporate office. Improvement activities, such as Continuous Improvement, Corrective Action, and Preventive Action, as well as the Internal Audit function itself, are also not typically located in a physical area. These are simply added to the schedule as a separate, virtual area.

Depending on the standard, other areas will need to be considered virtual as well.

How to ensure the full standard is covered in a Floor Plan-based Schedule

Once you’ve created your floor plan, take the standard, clause by clause and subclause by subclause, and make sure each has a counterpart on the layout. You should have to do this once, before you start using the system – and again each time the Internal Audit function is audited.

Document-based

What is meant by a document-based audit? Using the documents that have been created within the Management System as the basis for the audit, as distinct from using your ISO standard of choice (I’m going to leave that to third-party audits). Let’s discount this one out-of-hand.

Audit Schedule Document-based
Fig. 3

Almost – barring two considerations. The first thing needed to do this is to include the Quality Manual as one of the documents used, with the caveat that the manual is of the sort that mirrors each requirement of the standard. I say this because some quality manuals are quite short (I know of one that is three pages long) – and as it stands now, ISO 9001:2015 won’t even require the use of a Quality Manual (though it will still be a convenient container for several sub-component requirements). Short manuals like the one mentioned above are difficult to audit from without referencing the standard unless – and here’s the second consideration – the management system has chosen to document every process. Not all standards require this (do any?), so this can be problematic.

If this is attempted then the schedule must include a provision to track the revisions of the documents over time, so nothing is missed (as I’ve shown in Figure 3).

Where this becomes problematic is when forms and other documents are involved. Should forms be included on the list? Or should there be an audit policy directing that whenever a document references another, that document gets audited (and recorded) as well? It’s a bit of a logistical annoyance if you ask me. A document-based audit schedule is not my weapon of choice.

There is a hybrid of this and a process-based schedule that can work quite well, and that’s shown below (Figure 4).

Internal Audit Schedule - Process Document Hybrid
Fig. 4

Risk-based

Definitely something to consider, as risk management, or at least risk consideration, becomes a familiar part of every ISO Management System standard.

The details of how this is done, along with a few other tidbits – will be covered in the next installment.

Next Time – Risk Based Audit Schedules

See you next week! And thanks!

Until then – go forth, and calibrate thyself.

Sal

Internal Audit Schedule Part 1 – How To’sday!

A well-wrought Internal Audit Schedule is key to a healthy management system. It is part of one of the core elements within all the big hitters, from ISO 9001 to ISO 50001 (Energy Management), and beyond.

Audit Schedule

An effective Internal Audit Schedule is the handle on the rake that finds nonconformities and potential nonconformities, and does so in a planned, repeatable way. Once found, improvement is possible – and that’s what we’re all about, right?

This can be a fairly broad topic, so in Part 1 we’ll focus on the requirements and a few other considerations, while in Parts 2 and 3 we can do a short recap and look at options for how to construct a great internal audit schedule, with useable examples.

What Needs to Be Done?

Each of the more popular standards handles the requirement for Internal Audits in pretty much the same way, with slight differences reflecting that standard’s particular sector.

Let’s look at the meaty part of the requirement in ISO 9001:2008. “[… Internal audits determine if the] QMS conforms to the planned arrangements, to the requirements of this International Standard and to the quality management system requirements established by the organization…”

The 2015 version (in the last Draft) simplifies this slightly by saying “to the organization’s own requirements for its quality management system; and the requirements of this International Standard”

14001 is essentially the same as that, swapping QMS for EMS (Environmental Management System) and adding that it is also a means to provide audit results to management. 50001 does about the same as 14001 by using EnMS (Energy Management System) instead.

And, for completeness, ISO 27001’s somewhat expanded angle is “[to] a) conform to the requirements of this International Standard and relevant legislation or regulations; b) conform to the identified information security requirements; c) are effectively implemented and maintained; and d) perform as expected”.

ISO 13485 (Medical) and ISO/TS 16949, by the way, since they contain and expand on ISO 9001, have the same text as 9001.

I’m going to make the leap and summarize that your Internal Audits have to cover two things:

  1. Your own system,
  2. The requirements of your standard of choice.

In all the standards mentioned above, if you’ve built your system according to the other requirements contained within the clauses, then you’ve covered everything else. The only concern the uninitiated might have would be 27001’s “relevant legislation or regulations” – but the requirement to consider and comply with those is in 4.2.1: “The organization shall do the following: define an ISMS … that takes into account business and legal or regulatory requirements …”, and similarly under control objectives and risk. And 4.3.3 under Control of Records – well, you get the point – there’s no sense making a special case for relevant legislation when it should be a preordained part of the system anyway.

So, The System and the Standard. It can’t be just The Standard, by the way, otherwise you’d miss whatever else has been deemed necessary, or helpful, along the way. And it can’t be just The System, even if it was all originally created to comply – because things, in the name of Improvement, tend to wander over time and “improve” on a requirement by eliminating it.

In-House Resources, or Hire Out?

One of those questions without a wrong answer. One common approach is to use internal resources for process-related audits, verifying actual practice against what is supposed to happen (documented or not), and to have an external resource, such as a consultant, audit against the standard.

This practice ensures associates and management stay close to the machine, while ensuring the whole ensemble stays on track.

A Few other Internal Audit Considerations

I do want to focus on the Internal Audit schedule itself, but it is worth bringing up a few of the other components to a healthy Internal Audit Program.

There’s an ISO For That

There is a secondary ISO standard specifically called “Guidelines for Auditing Quality Systems” (you can buy one at ISO.org – here’s a link to ISO 19011:2011).

It covers audit program monitoring and management, audit performance and its various stages including reporting and follow-up. And it provides guidelines for auditor competence and evaluation. I really do recommend adding this one to your library, as it is usually half of any test related to becoming an official auditor.

Becoming a Card Carrying Member

Since you’ll most likely be performing audits, it’s a wise idea to make it official; you’ll be able to use some of your internal audits as part of the requirements.

What this means is to become registered with an organization such as RABQSA or IRCA (International Register of Certificated Auditors). Both are recognized by the industry, Registrars in particular, as badges granting the qualifications to do audits. They have different levels of achievement and with them varying combinations of education and experience. One of the paths usually involves a one-week course with a test, along with a certain number of audits in particular capacities.

My advice is if you’ve got to take a course anyway – make sure it’s associated with one of the two organizations I’ve mentioned above, or sanctioned by them.

Contact the sites directly for more information and speak with a human being to start the process. The specific links are here: RABQSA, IRCA.

Scope of the Internal Audit Schedule

For the sake of doing the right thing right, it is important to make clear what needs to be covered by the internal audit schedule – typically it should match the scope indicated on your ISO Certificate, at a minimum.

There may be cases where there is a corporate requirement that is beyond the scope of your ISO registration (a slippery slope that I hope is defensible), that could be included as well. Information Security audits sometimes fall in this category, particularly for non-ISO 27001 companies.

It is a good time, however, to ensure that nothing has been left out of your process as an exclusion that should not be left out, or is not an allowed exclusion.

In 9001, as a general rule, the only allowable exclusions are going to be Design and after-sales-service (including delivery). Occasionally the lack of what are called “special processes” will grant an exclusion, but it is hardly worth the trouble, in my opinion (simple enough to cover it, “just in case”).

Worth noting that it is very possible ISO 9001:2015 will do away with exclusions entirely as it is currently a topic of discussion – though I don’t know exactly how they will do it (seems impossible).

14001 and 50001 have a bit more leeway, so it is important to ensure the scope of your audit schedule matches.

For 27001, the only exclusions allowed are within the controls section – and these must be justified.

Next Time – Making a Great Schedule

See you next week! And thanks!

Until then – go forth, and calibrate thyself.

Sal
