Audit practices that add the most value! Effective Internal Audit Planning: ISO 9000 Users Group - ASQ Section 509, Wednesday, January 20, 2010 By David Collingham, CQA/CQE
Outline Definitions of Key Audit Terms Types of Audits Nonconformance Types ISO 9001:2008 Internal Audit Requirement Common NCR s isued by Registrars related to Audits Miss-Conceptions About Auditing What does the Industry and Product/Process have to do with Planning an Audit? How much do I invest in Auditing? Why do we Audit? First Party Audit Process Steps Planning Audits Typical Audit Schedules and Forms
Definitions of Key Audit Terms Effective - producing or capable of producing an intended result or having a striking effect Planning - the act or process of drawing up plans or layouts for some project or enterprise Audit - a methodical examination or review of a condition or situation
Audit Types First Party When a Company uses an internal person to perform an Audit on itself. Second Party When a Company uses an internal person to perform an Audit on its Supplier or an other organization. Third Party When a Company is Audited by a third party independent of the Company s Customer.
Major Minor Comment Nonconformance Types When the Quality System exhibits a void where an element of the system has not been documented, implemented or is not effective. In addition, the nonconformance does risk the shipment or delivery of nonconforming material to the Customer When the Quality System is documented, implemented and effective, but has exhibited a random nonconformance. The nonconformance does not risk the shipment or delivery of nonconforming material to the Customer When an Auditor identifies an improvement opportunity that is not a major or minor
Effective Internal Auditor Planning ISO 9001:2008 Key Elements Key 4.0 Value-adding activities Information flow Continual Improvement of the Quality Management System 5.0 Management Responsibility Customers 8.0 6.0 Customers Measurement, Analysis and Improvement Resource Management Satisfaction 7.0 Requirements Input Product Realization Product Output
ISO 9001:2008 Internal Audit Requirement 8.0 8.2.2 - Internal Audit Measurement, Analysis and Improvement The organization shall conduct internal audits at planned intervals to determine whether the quality management system: a) conforms to the planned arrangements, to the requirements of this ISO Standard and to the quality management system requirements established by the organization, and b) is effectively implemented and maintained. The audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. The selection of the auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.
Common NCR s isued by Registrars related to Audits Audit Plan/Schedule does not address all elements (major paragraphs) of the ISO 9001:2008 standard Audit Plan/Schedule does not address multiple facility locations, work shifts (shift 1, 2 & 3) or scope of business/registration Audit plan/schedule is not approved Audits are not completed as scheduled Audits are performed by personnel who audited their own work Audit results do not have written signature or electronic signature by Auditor with date Audits were not conducted in an effective manner Auditor(s) received no internal auditor training
Miss-Conceptions About Auditing There needs to be 35 Internal Audits performed for ISO 9001:2008 (i.e.4.1-4.2.2, 4.23, 4.24, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.4.3, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.6, 8.1, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.3, 8.4, 8.5.1, 8.5.2, 8.5.3) I can not conduct 1 audit of the ISO 9001:2008 QMS each year We must use an outside contractor to perform our audits All the ISO 9001:2008 elements need to be audited every year If you don t spend 2-5 hours on each audit, then you are not doing your job The Auditor must prepare a checklist list using his or her own questions in order to perform an effective audit I can use typed audit checklists with typed in results with typed in names and dates (no written or electronic signature) If the Audit Report does not weight 3 pounds, then it must not have been performed correctly We can t use the receptionist or finance person to conduct audits, because she/he does not know what we do
What does the Industry and Product/Process have to do with planning an Audit? Critical, High Risk and High Exposure Industries/Products/Processes:
How much do I invest in Auditing? High $ Industry/Product/Process High Risk High Complexity Critical to End Mission Point 2 High Maintenance High Failure/Reject Rate Appraisal/ Prevention Investment; Audits Low Risk Point 1 Low Complexity Not Critical to End Mission Low Maintenance Low Failure/Reject Rate (*) Graph not to scale 1 2 3 4 5 6 7 8 9 10 Risk Level High
Why do we Audit? Provides Senior Management an independent examination of business processes To identify improvement opportunities in processes/products/services Proactive approach to prevent/reduce the risk of producing defective product/services To identify needs for training, tools/fixtures, methods, etc. Enhances communication and training Provides a means for operator feedback
First Party Audit Process Steps Audit Process Steps: A - Prepare Audit Schedule and Obtain Management Approval B - Schedule the Audit(s) C - Obtain Audit Requirements D - Examine prior Audit Results and Corrective Actions E - Prepare Audit Check List(s) and Any Other Support Questions F - Conduct Audit Investigation G - Record Audit Finds and Obtain Auditee Acknowledgment H - Prepare Audit Report I - Obtain Corrective Action(s) J - Follow-Up On Corrective Action(s)
Planning Audits What is the budget for conducting audits? Hours? Dollars? How many audits do we need to do? How I m I going to be value-added? What does Senior Management feel is critical to the business success? Gain a clear understanding of what is expected from conducting the audits? If we spend money from the Overhead Budget for conducting audits, what is expected for the investment? What are the critical processes/products that need to be examined? What does our past internal audit results tell us to focus on? Do we have any new areas/processes/staffing/equipment/vendors that requires more focus than other areas? What facility locations, functions, processes/products and work shifts need to be included in the schedule? What is the best time to conduct the audits? High Volume? Low Volume? Before Lunch? After Lunch? At the end of work shift? Etc.
Example 1 Effective Internal Auditor Planning Planning Audits (continued) Approved By: Jim Brown Date: 01/14/10
Example 1 Effective Internal Auditor Planning Planning Audits (continued) s Approved By: Jim Brown Date: 01/14/10
Example 1 Planning Audits (continued) Approved By: Jim Brown Date: 01/14/10
Example 1 s Planning Audits (continued) Approved By: Jim Brown Date: 01/14/10
Example 1 Planning Audits (continued) Approved By: Jim Brown Date: 01/14/10
Typical Audit Schedules and Forms AUDIT FORMS & RECORDS Schedule Procedure
Typical Audit Schedules and Forms (continued) AUDIT FORMS & RECORDS Audit Summary Audit Checklist
Typical Audit Schedules and Forms (continued) AUDIT FORMS & RECORDS Audit Summary Example