QMI SAI Global

Adding Value to Internal Audit Programs
One of the most valuable tools in a good quality system is the internal audit. A good audit can prevent performance deficiencies, identify process constraints and even give positive reinforcement that your business is running as planned. Good audits can also affect your bottom line.

On the other hand, if you’re still doing annual audits and have a checklist that follows all the elements of the standard, then you’re probably not getting the benefit of a good internal audit process. So let’s explore what can be do to put the wow into your internal audit process.

The main goal of your internal audit process should be to provide confidence and informative feedback about your company’s processes on an ongoing basis to help your organization improve its processes, and not just to meet goals and objectives, but to exceed them. This article will outline areas to focus on throughout the phases of the auditing process. Further information is also available in ISO 19011, Guidelines for Quality and/or Environmental Management Systems Auditing.

Determining What to Audit and the Audit’s Objective(s)
Like every tool in your tool box, you need to know when and how to use it in order to be most effective. Having a good method of determining what is to be audited can be the most important part of any organization’s auditing program. There are two critical things to think about when determining audit needs: status and importance.

In all organizations, there are objectives to meet that involve different levels of importance and risk to the organization. Thinking back to things that have gone wrong in organizations, it’s usually because something has changed. It’s also important to recognize that internal audits can consist of auditing specific processes or events based on status and importance that your organization determines.

Examples include planning based on status and importance, as well as the management team looking at new or changed processes, equipment, personnel, customers, suppliers, materials, performance, improvements, etc. Importance can mean many things as well, for example if there are key gates regulatory requirements, poor performance or high risk activities in your system that need to be monitored or a new product introduction or new customer, these may be important things your organization wants to focus on. It is key to determine status and importance of processes, but this is not always an easy task. We can determine status and importance in a number of ways but the best method is communication and analysis within your organization.

Using the status and importance methodology, a good place to find out what to include in your audit schedule is to either plan a meeting with a cross functional group in your organization or use existing management meetings to communicate within your company. If your organization has meetings to monitor operations, production, health and safety, engineering, customers, suppliers or others, then these can be good platforms for working with your organization to determine what is important and changes in status.

The next task after determining what is going to be audited will be to determine the objective of the audit. This is an important activity, and if not done properly can eat up resources. You could have very simple objectives, for example if new software programs or equipment were going to be put into service, the organization may want to know if the output has changed, or there may be multiple objectives requiring specific questions relating to performance or looking for constraints. What’s important to recognize when using this methodology is that you can plan to audit single or multiple process events with single or multiple objectives. This turns your audit to a very focussed activity.

Assigning resources and responsibilities
Any internal audit program requires planning to report and follow-up on activities, and management needs to assign a person who can coordinate all audit activities. In addition to any defined qualifications your company has for personnel auditing or coordinating audits, the person responsible needs to be familiar with your company’s processes and be able to communicate with each part of the organization.

The person assigned should also have defined authority and responsibility for performing tasks so the audit process is completed effectively and supported by management.
Keep in mind that another good reason for involving management in determining audit needs is that this will play a key roll in their involvement of assigning resources.

Scheduling Internal Audits
Since we can see that determining what to audit and audit objectives are so dynamic, the same approach that needs to be taken with scheduling audits. For example, after learning of a new product launch, you may want to time audits to coincide with each phase of product realization. Auditing before a product is launched can allow for feedback before the product reaches the customer, as many times it’s then too late. It will all depend on what you plan to audit and the objective(s) of the audit, as well as what resources are available.

Another problem is that you may want to schedule several audits, but only have resources for a few audits. This is where status and importance comes into the process, as well as communicating to management so the needs of the organization are met.

Audits schedules should be dynamic because status is always changing and what your organization deems as important may change. Because of this your audit schedule will always be subject to change, based on the organization’s needs.

Implementation of the Audit
There are many ways to perform and document audits. Try to make sure its not a cumbersome process, and that necessary records and documents are established, maintained and clearly outlined in your process procedure. Required documents and records will depend on the scope, criteria and objective of the audit. For example, if the audit is being done to verify compliance to a regulatory requirement, then it may be necessary to have a checklist and report as records of the completed audit; but, if you were just verifying a task was completed, maybe only a report of the findings are required but no checklist is required. There does not have to be a multitude of documents and records for every type of audit completed.

Checklist or No Checklist
Since an audit may be very broad in scope or specific to one activity, we may or may not need a checklist. For example, you may want to use a checklist if the audit planned has multiple objectives and activities to audit, whereas if the scope of the audit is a single event and/or objective no checklist may be necessary. Although a checklist may not be required, we should always understand the benefits of having a good list of tasks to keep focus on the objectives of the audits. A good checklist with well defined inputs and outputs can save time and resources on the audit.

Keep in mind that there are many checklist formats that can be used. It is a good idea to experiment with variations to see what works best for the organization. For example you could use a summary page to record findings attached to a process map that defines required inputs and outputs and use this as a guide. Or you could use a checklist that defines specific questions that relate to the audit objectives.

Reporting Findings
The conclusions from your audit should give feedback relative to audit objectives. Although the audit report may indicate needs for corrective or preventive actions, you should also include opportunities for improvement and positive findings.

When reviewing findings requiring corrective action, the impact needs to be evaluated by those involved in disposition in order to confirm timing of actions. If a finding indicates a serious problem, then corrective action may need to be addressed immediately; or if it’s less serious, then actions may be taken over a period of time, taking into account the risk to the organization and its customers. Conclusions should be well summarized and supported with information that explains the findings clearly, and information should be verifiable. Also, if the audit findings indicate requirements have been met, its also an opportunity to advise your organization if there were any constraints found in the process that could be targeted for improvement. Action these according to where your management sees them relative to importance.

Any actions required as a result of findings should be documented with assigned timing and responsibilities according to the risk and impact to the organization and customers.
When reporting findings, stay focused on reporting about the objective being met, but if there are any improvements or positive aspects observed, then these should be reported in findings as well. Feedback on successes is just as important as identifying things gone wrong.

Reviewing and Improving Your Company’s Internal Audit Process
Internal audits can be a valuable tool, and it is important to recognize the need to review your internal audit process on an ongoing basis to make it a preventive tool versus a reactive tool.

Review can be a planned event, or done when your management team meets for its regular operations, planning or management review meetings. Feedback should come from your management representatives, auditees or even regulatory organizations or customers where applicable to see if needs are being met and to get ideas for improvement and streamlining the audit process.

The review should first look at if your current methods of auditing are meeting requirements and adding value to the organization, or if alternative audit practices need to be implemented. If there are continuing poor performance trends or unplanned events occurring, and your internal audits are not showing any findings in these areas, then you should look at your audit methods and see if change can be implemented.