By Mickey Christensen
While I am a staunch supporter of good internal audits, I also place a lot of value on the limited resources available in small businesses. Since the introduction of the 1987 versions of the ISO 9000 series of standards, I have worked with both large international organizations and small businesses of less than 30 employees. One client is a supplier to the oil and gas industry who has seven employees and is struggling to keep the doors open. With the price of oil and gas low, the whole industry is working hard to stay afloat.
When I received the new ISO 19011:2018, I read the standard with a focus on small businesses and what they need to do to comply. Here are my thoughts where the writers of the standard could consider making changes in the next update.
While there are sections of the standard that address the whole audit process, the amount of sections dealing with managing the audit process is overkill for small businesses. Sections that are part of the “managing” process include: managing the program, establishing audit program objectives, determining and evaluating audit program risks and opportunities, and establishing the audit program. The standard goes on to reference a further 31 sections relating to managing the audit process. A lot of this is system work and should be administered by the person managing the system—not the auditor.
While some audit activity should be undertaken relating to these sections, the detail required can overburden a small company. When one person goes out to audit the company and talks to four or five people out of the seven employees, how much “audit system management” is necessary? When many people in the small company are asked to do several jobs and know the work processes, they need to focus on “is the work being done according to customer requirements following the documented procedures and are the records kept properly?”. In some small businesses it is hard to ensure auditor independence since most employees do many of the various jobs.
The actual auditing sections of ISO 19011:2018 include: principles of auditing, conducting an audit, initiating audit, establishing contact with the auditee, determining feasibility of audit, and preparing audit activities. The standard goes on to mention a further 17 sections relating to managing the audit process. Some of this could be a duplicate of what the system manager does.
In many small businesses an opening and closing meeting are not value added. Discussions during the audit let people know the status and when the auditors meet with management to inform them of the findings, it may be several days later. The report is presented to management for management review and/or actions necessary due to findings. Correction of findings may already be under way by the time management hears about the findings. Top management in some small businesses are out of the office making sales calls when an audit may be undertaken. They need to be informed as soon as practical.
The person managing the audit system should have some documented information about qualifying the auditors, what should be audited, a schedule of when they will be audited, how the results are to be reported, what corrective action process for findings, and they should monitor the performance of auditors. The KISS process (keep it simple, but sufficient) should be followed so people do not get intimidated with too much paperwork.
In my opinion, the standard should include some guidance on doing a proper audit using techniques or methods that have been shown to work in other facilities. I am not proposing that auditors audit by a checklist. Too many times I have seen auditors more intent on answering the questions rather than following the audit trail presented. The use of a hand-written checklist to aid in covering aspects that may be in question is good and should be used as an aid.
Internal auditors should be briefly trained in the ISO 19011 requirements and should spend more time on audit techniques. Then the person who manages the system should be trained and follow the ISO 19011 standard. Role playing can be a training tool, however it can be difficult without the system documents and people to interview. If there are only a few people in the company, the auditor may have to audit their own work.
Internal auditors should be free to follow the audit trail provided and not be held to following a prescribed checklist or published list of questions. Depending on the response to questions asked of the workers, the audit trail may be totally different than what is planned. Usually these trails lead to more opportunities for improvement than by bypassing them to follow the “plan.”
This is just food for thought when dealing with small organizations. The percent of people’s time spent on auditing should be adequate, but too much system work may be a deterrent.
About the author
M.M. “Mickey” Christensen, MSME, P.E. retired, is president of TQM Systems in Baton Rouge.
TQM Systems consults, trains, and audits for clients pursuing quality/environmental management system implementation and system maintenance. Mickey is a registered QMS Lead Auditor with Exemplar Global. He has work experience in several manufacturing processes.
He chaired the committee that developed the Louisiana State Quality Award and served as charter president of the Louisiana Quality Foundation, which administers the State award. He is a Fellow member of American Society for Quality (ASQ) and is the past chair for the ASQ Healthcare Division. He was a co-developer of the first ISO International Workshop Agreement (IWA) document. The IWA-1 was a guidance document based on ISO 9004 for use in implementing ISO 9001 in healthcare. He worked with the ASQ/AIAG group, the Standards Council of Canada, Canadian Standards Association, and ISO to review/revise the IWA-1 to make it a more useable document. He co-authored the Automotive Industry Action Group (AIAG) Business Operating Systems (BOS) for healthcare organizations document based on the Malcolm Baldrige National Quality Award Healthcare Criteria with ISO 9001 and IWA-1 text inserted.
He has assisted an international registrar develop the Integrated Health Care System (IHCS) criteria for a system that also combines CMS Conditions for Participation with ISO 9001.
Mickey,
Thank you for confirming what I have always thought regarding small businesses, which all of my clientele are. I always have to explain, and calm down, these clients and it’s good to know I am not the only one addressing such “over kill” or requirements.
Thank you Mr. Christensen for a sensible article. I often think that the standards writers do not provide for small businesses, which in many cases may be a part of a much larger, maybe multinational, organisation. Death by auditing is becoming far too common because the “rules”, such as ISO 19011, are required to be followed precisely, no matter what the size of the business unit is. The problem is that these audits do not provide value but are conducted to satisfy the parent company’s certification requirements. An addendum, qualification or separate section in ISO 19011 relating to small business would appear to be warranted.
Thank you Mr. Christensen for the article. For some reason the industry still thinks of business size in terms of the number of its employees , where in reality in a digital automation age – the business should be classed based on revenue. Another point is that the audit is aimed to check company processes to meet policies and objectives and risk controls . Process failure can cause catastrophic impact regardless if the business is small or large. With this in mind , I am not sure if creating separate sections in ISO 19011 specifically related to small business would not cause at the end a diminishing effect on the audit
As a fellow auditor from Baton Rouge, I truly enjoyed your article, given my greatest professional challenges is to conduct audits that provide value to all involved without being a participant in “Death By Audit”.
Couldn’t agree more Mickey. I also find there is a LOT around managing the audit programme which can become confusing for small business. In some instances, as you mention this is part of the system OR it could be part of the process that the auditor also manages. It does seem overly complicated.
A very interesting opinion piece – thank you. In my opinion, ISO ISO 19011 is not designed to be a standard or requirement, rather it provides guidance for businesses of all sizes as they undertake their audit activities. As stated on page vi, “this guidance should be adapted as appropriate to the scope, complexity, and scale of the audit programme” – there’s no need to approach anything like “death by audit”. The business needs to audit as much as it needs to and not because it has to. So I view ISO 19011 as a framework for organisations to adopt a sensible and pragmatic approach to first and second party audits and the activities described within the guidance. I would add that there is no need for any auditor to audit his or her own work. I am currently setting up my own one-person business and I will be employing an experience management systems auditor to undertake the handful of audits I think my business will need – I will not be auditing my own work. There is lots of good stuff in this guidance – perhaps it just needs better interpretation in the audit arena?
Hi Mickey, An eloquently written article with full of valuable information and guidance on internal audits. Use of automation for audit programs may minimize the burden on SME’s and increase efficiency and effectiveness of audit programs. With the advent of industry 4.0 there are many tools available to do so. One tool that comes to mind is the use of augmented reality (AR) for training as well as documenting the audit process and reporting results. Other tools may include use of apps, artificial intelligence and data analytics. Of course audit program managers need to consider the ROI in use of automation tools to get leadership buy-in.