Getting More Out of Your Internal Audits

(Part I of III)

By Donna Jarvie

Throughout my 10 years or so as a management system auditor, trainer & now consultant, I have worked with many organizations who struggle with the requirements for ‘Continual Improvement’ and ‘Competence, Awareness and Training’ in ISO 9001:2000.  In conjunction with this requirement, I have also received feedback from Management Representatives and Internal Auditors alike that “ISO audits are a waste of time”, or “We aren’t getting anything out of our ISO audits”.  Both of these perceptions can lead to an organization not fully realizing the benefits of their Management System implementation and/or third-party Registration.

One of the areas in common with these organizations is a lack of additional training and/or support for internal auditors.  Most internal auditors attend a two-day course and are then expected to conduct effective, comprehensive audits that add value to the organization’s management system.  Unfortunately, two days of classroom training is not always sufficient to build an effective management systems auditor.  Just as external, third-party auditors need to continue to hone their skills, internal auditors should be building their own toolkit of competence.  In ISO 19011, clause 7 provides insight as to the competence requirements for auditors.  Unfortunately, many organizations perceive that this document is intended for third-party auditors and basically ignore the guidance provided.  In addition, their focus is on competence for ‘real’ positions in the organization and, as a result, competence of internal auditors is either not defined at all, or it addresses the bare minimums.

One Business Growth Training Inc. client has been examining the overall effectiveness of their Quality and Environmental Management Systems and has identified some gaps in their internal audit programme. He explains: “To have better internal audits, I examined how we were doing things and what may be roadblocks (root cause) to good efficient audits. Two items stood out immediately: 1. If an internal auditor only conducts 1 audit per year, they need to

re-train themselves each year for the audit. This produced a lack of confidence, wasted our preparation time and resulted in poor review of processes. 2. A two- day course and even a week long certification course, will not train a person sufficiently to conduct one audit a year.”

As a result, they requested development and presentation of some ongoing workshops to address specific auditor needs: Collecting Objective Evidence, Effective Questioning Techniques and Effective Note-Taking, just to name a few.  In my experience, these are the ‘top 3’ skills with which new auditors struggle, and are beneficial areas for any organization to bridge the gap between their existing audits and audits that will provide real results and true value. We will be expanding on the development and delivery of these three workshops over the next three newsletters.

Part I - Collecting Objective Evidence

Auditors are often so focused on ‘getting the audit over with’ that they conduct a ‘checklist-style’ audit – only examining enough evidence to confirm a ‘Yes’ or ‘No’ on their checklist.  Part of this stems from inadequate preparation prior to conducting the audit.  Auditors need to review the process they have been assigned to audit and review any associated documentation.

Now, we can’t blame it all on the auditors.  They also need management support to provide them with sufficient time to effectively prepare for the audit as well as conduct it.  Some of this stems from how organizations plan their audit programme (schedule).  In order to follow the true intent of ISO 9001, clause 8.2.2: “An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits”, organizations should be auditing their critical processes and problem areas more frequently throughout the year, rather than a ‘standard’ once-a-year full QMS audit.

Our client recognized this through their own investigation: “Multi tasking is in today’s business environment. Therefore, doing one audit a year leads to inexperienced internal auditors. My plan was to make ISO a common theme in the auditor’s life over the year. By setting up smaller more focussed process audits with more frequency and then supplementing with training in the between times, an auditor is exposed to the world of ISO up to six times a year instead of only once. The expected result I am looking for is a more confident auditor that can prepare their audit more efficiently and recognize issues that would normally go unnoticed.”

As well, the adoption of the ‘process approach’ means that the auditor’s review considers specific process factors to focus the audit (see diagram below).  Every process consists of factors that control or influence the ability of the process to achieve the desired results:

During this workshop, we began with a review of the ‘Principles of Auditing’ and how these principles lead to effective, consistent audit findings and reproducible audit conclusions. We then reviewed some ‘standards for audit evidence’ to ensure that auditors understand the characteristics of adequate audit evidence and how to corroborate information that is given during interviews to determine the validity of the evidence in identifying any audit findings.

The next step was to identify key words both from the relevant ISO 9001:2000 requirements as well as the organization’s own QMS/EMS documentation to assist in the development of the checklist.  This, in turn, helped to focus the auditors on ‘what to look for’ and ‘what to look at’ when conducting their audit and to evaluate evidence that was presented against specific requirements included in their checklist.

Lastly, we developed ‘checklists from scratch’ that used the organization’s ‘template format’, but included input from the activity of identifying ‘key words’ for use by the auditors in developing their interview questions.  This was reinforced by the conduct of a short interview by the attendees & a discussion of how this improved their overall approach to the audit.

The overall benefits of using these techniques is that it reinforces the analogy that internal audits should be ‘a mile deep and a foot wide’ versus the third-party auditor’s approach of ‘a mile wide and a foot deep’. Internal Auditors are better prepared and, the more they audit, the ‘tougher the questions get’, which reinforces the audit programme as a tool for continual improvement of individual processes as well as the effectiveness of the overall management system.  It is equally applicable in Quality, Environmental and Health & Safety management systems and can be applied to integrated systems as well.  It improves the auditors’ confidence in conducting interviews and reviewing evidence presented through a more focused approach in conducting the audit.  The more useful the internal audit results become, the more management support the auditors will gain and, gradually, we will change those perceptions regarding the usefulness (or lack thereof) of the internal audit programme.

So, what’s the plan going forward for our client?  “Each auditor has been scheduled for 3 eight hour audits over the year, and training is planned to take place three times over the year. The training plan is also to have the specific skill classes repeated a number of times in order to continue to reinforce the key skills that take an auditor from being good to excellent.”

In the next issue, we will take a closer look at the Effective Questioning Techniques Workshop as Part II of this three part series.