Years of experience and lessons learned generated this month’s article on auditing tips and secrets. The goal of each of the approaches described here is to provide value in auditing a quality management system (QMS), and to make the experience more rewarding for yourself and the auditee.
The first rung of the ladder to a successful audit is to know and understand the client’s concerns. Most organizations develop a set of objectives that are easily measurable to pass an audit, but they may not contribute to their success. More often than not, the objectives are little more than a call to accomplish the obvious. Likely candidates include the old standbys of “on-time delivery” and “reduced scrap and rework.” Most auditors approach the subject through a direct question to the management team: “What have you identified as your quality objectives?” We prefer a different approach. Instead of inquiring about objectives, we ask, “What keeps you up at night?”
With few exceptions, top managers rarely cite the company’s objectives. What keeps management up at night is profitability, staffing issues, new-product development, competitiveness, and other related business concerns. Smile gently and record each concern. When the list is complete, ask permission to write them on the right side of the conference room whiteboard. With the discussion concluded, address the company’s objectives directly by asking the management team to examine its documented objectives.
The next step is pure value. Imagine the managers’ reactions when they see their documented objectives written on the whiteboard next to their top concerns. Sometimes, one or more of their objectives directly relate to items in the concerns list, but it’s more common that at least one of the concerns will never be fully addressed through the organization’s documented objectives.
Moreover, if the management team discounts its sleep-destroying concerns as “newly determined” issues, follow this line of reasoning into management’s responsibility for planning and the requirement to maintain the integrity of the QMS when changes occur. If these concerns are valid risks or threats, they are worthy of focus in management review and possibly preventive action if they’re not fully developed into updated or clarified objectives. In this deteriorating economy, many companies have vigorously hit their “reset” buttons, which should therefore be managed through objectives reflected by their new challenges.
Your skills and experience will be tested in the discussion that follows, but management’s recognition of the potential you’ve exposed will more than compensate for its trouble. In organizations where this approach has generated significant results, we’ve been gratified by management’s realization that the QMS can and should lead the way to business success.
ISO 9001 lists six processes that must be documented. Three are controls; three are engines for improvement. One of the latter three is the organization’s internal audit program. We’ve already outlined the damage that weak standardization compliance programs can do to organizations (The Auditor, January–February 2010). However, most managers have never been asked to assess their internal audit program’s ability to provide meaningful improvement. Even so, we typically do assess this through one or more “tricks.”
The first approach is to use ISO 9001’s subclause 5.6.2, Management review, element a), results of audits. Underperforming companies typically list audits conducted and resultant findings under the assumption that quantity is somehow more important than quality; that the ability of the program to stay on schedule is its greatest contribution. Of course, management review is where management should address this attitude, but when faced with this unfortunate scenario, ask “So what?” If there’s an extended silence, follow up with, “How has the internal audit program affirmed or offered direction to meeting your concerns or objectives?” Or, “Given the time and expense of the internal audit program, is it providing an acceptable return on investment?” These questions directly relate to value and effectiveness. The discussion that follows can be groundbreaking and emphasize that quality is the best ally of business.
A second approach is best managed during examination of the internal audit process with the QMS manager. There are several questions that we recommend to expand his or her appreciation of possible improvements to the program. First, ask if audit reports equally address both elements a) and b) of ISO 9001’s section 8.2.2. Most programs do not. In fact, most programs can only be assessed as “inferring” that 8.2.2 b), Effective implementation, is addressed.
Next, ask how audits are scheduled. Probe the value of the input. If the only reason to audit is to meet a schedule, the value of the output is already less than optimal. If this is the case, ask what comes to mind to improve the input: “Are there other possibilities for improving the input source?” And, “Can you imagine any regular meetings at which problems are discussed that might lead to a valuable follow-up audit?”
At this point, be prepared for the concern that there must be an audit schedule. Point out that ISO 9001 has no such requirement. All the standard requires is that the audit program be “planned.” A plan to audit based on input from analysis of data, management review, or any other activity within the QMS is clearly a plan. If the organization requires a schedule, all that’s necessary is the following statement in the footer: “Subject to change, based on need and importance.” Otherwise—and as long as it’s documented in the internal audit process—monthly audits citing the above input source(s) will more than satisfy ISO 9001’s requirements.
Leading the discussion along these lines can generate powerful realizations. Using questions to move through each of these understandings leads to the obvious value of “rethinking the input.” For those who object on the grounds that auditors cannot flirt with directing change, feel free to copy this article and leave it with the quality manager for a later discussion. We won’t mind.
Root cause analysis
A seasoned auditor will have seen countless examples of inappropriate or incomplete root cause analysis, often confusing a further explanation of the situation with what really caused the problem to occur. Here’s a “secret” question we’ve used countless times in this scenario: “How is the corrective action the inverse of the root cause?” Its power lies in the obvious connection between “check” and “act” in the plan-do-check-act (PDCA) cycle. Root cause analysis is an inquiry to discover why and how. Consider following this audit trail to determine if the root cause path and resulting actions considered the following: “How did the process go wrong?” “How did we fail to detect the condition of the faulty product or process?” “What other processes contributed to the situation?”
Corrective action is little more than not continuing to do what was identified in the root cause analysis. Asking the above questions forces the auditee to defend the logic of the corrective action and the validity of the root cause. Once the auditee understands this concept, enjoy the remainder of your examination of his or her recorded corrective actions.
The secret to finding value in preventive action programs is the realization that it is nothing more than risk management. Most organizations do a poor job of connecting the dots between what they do on a regular basis to prevent risk and recording significant risk mitigation projects as preventive actions. We often see preventive maintenance and safety program activities providing input to preventive actions, but just as often these obvious candidates are managed separately.
Here are a few questions that can unlock related value-added discussions: “Do you use failure mode and effects analysis (FMEAs) and/or advanced product quality planning (APQP) in developing new manufacturing processes?” Each process is an exercise in preventive action and worthy of recording as such. Another approach begins by asking, “Can you think of any projects that were implemented to ensure that some new activity would be successful?”
The power of a recorded preventive action is in managing the project according to ISO 9001’s various elements. Placing important preventive actions in the database enables accountability through management oversight. To emphasize this, we ask the auditee, “What would be the typical affect of taking action on a major project without having regular accountability reports sent to management?” Finally, remember what the managers said when you asked them what keeps them up at night. Those concerns and their associated consequences are likely candidates for preventive actions and worthy of further review.
Here’s the last of our auditing tips: Spend as little time as possible in comfortable conference room chairs. Get up, get out, and get going!
About the authors
Janine Johnson is a regional manager for QMI-SAI Global, an international provider of compliance, certification, and training services. She can be reached at firstname.lastname@example.org.
A senior member of the American Society for Quality (ASQ), Paul Palmes is president of Business Standards Architects Inc. in Fargo, North Dakota. He serves as vice chair and membership chair of the U.S. TAG to ISO/TC 176 and was the U.S. lead delegate and working group secretary during the development of ISO 10014. Contact him at email@example.com.
TAG: Auditing tips and secrets.