Adding Value to Internal Audit Programs
On the other hand, if you’re still doing annual audits and have a checklist that follows all the elements of the standard, then you’re probably not getting the benefit of a good internal audit process. So let’s explore what can be do to put the wow into your internal audit process.
The main goal of your internal audit process should be to provide confidence and informative feedback about your company’s processes on an ongoing basis to help your organization improve its processes, and not just to meet goals and objectives, but to exceed them. This article will outline areas to focus on throughout the phases of the auditing process. Further information is also available in ISO 19011, Guidelines for Quality and/or Environmental Management Systems Auditing.
Determining What to Audit and the Audit’s Objective(s)
In all organizations, there are objectives to meet that involve different levels of importance and risk to the organization. Thinking back to things that have gone wrong in organizations, it’s usually because something has changed. It’s also important to recognize that internal audits can consist of auditing specific processes or events based on status and importance that your organization determines.
Examples include planning based on status and importance, as well as the management team looking at new or changed processes, equipment, personnel, customers, suppliers, materials, performance, improvements, etc. Importance can mean many things as well, for example if there are key gates regulatory requirements, poor performance or high risk activities in your system that need to be monitored or a new product introduction or new customer, these may be important things your organization wants to focus on. It is key to determine status and importance of processes, but this is not always an easy task. We can determine status and importance in a number of ways but the best method is communication and analysis within your organization.
Using the status and importance methodology, a good place to find out what to include in your audit schedule is to either plan a meeting with a cross functional group in your organization or use existing management meetings to communicate within your company. If your organization has meetings to monitor operations, production, health and safety, engineering, customers, suppliers or others, then these can be good platforms for working with your organization to determine what is important and changes in status.
The next task after determining what is going to be audited will be to determine the objective of the audit. This is an important activity, and if not done properly can eat up resources. You could have very simple objectives, for example if new software programs or equipment were going to be put into service, the organization may want to know if the output has changed, or there may be multiple objectives requiring specific questions relating to performance or looking for constraints. What’s important to recognize when using this methodology is that you can plan to audit single or multiple process events with single or multiple objectives. This turns your audit to a very focussed activity.
Assigning resources and responsibilities
The person assigned should also have defined authority and responsibility for performing tasks so the audit process is completed effectively and supported by management.
Scheduling Internal Audits
Another problem is that you may want to schedule several audits, but only have resources for a few audits. This is where status and importance comes into the process, as well as communicating to management so the needs of the organization are met.
Audits schedules should be dynamic because status is always changing and what your organization deems as important may change. Because of this your audit schedule will always be subject to change, based on the organization’s needs.
Implementation of the Audit
Checklist or No Checklist
Keep in mind that there are many checklist formats that can be used. It is a good idea to experiment with variations to see what works best for the organization. For example you could use a summary page to record findings attached to a process map that defines required inputs and outputs and use this as a guide. Or you could use a checklist that defines specific questions that relate to the audit objectives.
When reviewing findings requiring corrective action, the impact needs to be evaluated by those involved in disposition in order to confirm timing of actions. If a finding indicates a serious problem, then corrective action may need to be addressed immediately; or if it’s less serious, then actions may be taken over a period of time, taking into account the risk to the organization and its customers. Conclusions should be well summarized and supported with information that explains the findings clearly, and information should be verifiable. Also, if the audit findings indicate requirements have been met, its also an opportunity to advise your organization if there were any constraints found in the process that could be targeted for improvement. Action these according to where your management sees them relative to importance.
Any actions required as a result of findings should be documented with assigned timing and responsibilities according to the risk and impact to the organization and customers.
Reviewing and Improving Your Company’s Internal Audit Process
Review can be a planned event, or done when your management team meets for its regular operations, planning or management review meetings. Feedback should come from your management representatives, auditees or even regulatory organizations or customers where applicable to see if needs are being met and to get ideas for improvement and streamlining the audit process.
The review should first look at if your current methods of auditing are meeting requirements and adding value to the organization, or if alternative audit practices need to be implemented. If there are continuing poor performance trends or unplanned events occurring, and your internal audits are not showing any findings in these areas, then you should look at your audit methods and see if change can be implemented.