by Shannon MacFarlane
It was January when our registrar informed us that our lead auditor needed to move our scheduled June ISO 14001:2004 certification audit to March. As with any large project, we had carefully planned the timeline for implementing the standard’s requirements before the audit and losing three months seemed insurmountable. We’d planned for a full internal audit in April and management review in May, and the revised timeline required that they both needed to happen by the first week of March—at the latest—to be ready for the certification audit the following week. We needed to plan and conduct a full internal audit quickly. Out of sheer desperation, I created an internal audit module planning matrix.
My organization’s audits are modular, with a full set that covers all aspects of our management systems. We used Chad Kymal’s How to Audit ISO 9001 (Paton Professional, 2011) for inspiration on the module concept and adapted his modules to suit our organization. Because our auditors have full-time jobs outside of internal auditing, conducting audit activities in modules on an annual cycle is easier for our auditor’s schedules. We have also found that auditing different aspects of the system throughout the year is an excellent way to help prevent our employees from gaining what we call “audit flab”—that cushion of comfort which sometimes separates even the best employees from their management system responsibilities if they sense accountability is waning. Employees who receive more than one annual visit from a friendly internal auditor are more likely to be mindful of the quality, environmental, and health and safety concepts we expect them to remember and practice. We currently have two modules: business planning and management responsibility; and support services and service planning and provision.
Even with these audit modules in place our audit team began each audit plan from scratch. We sat around the conference room table and discussed who we needed to visit within each functional area to audit which processes. The auditors developed a list of clauses they needed to support in addition to the list of items we needed to verify from previous audits or corrective actions. Although this was an excellent exercise to keep our clause muscles sharp, we needed to compress our schedule wherever possible. In just six weeks we needed to plan, conduct, and report on a full system audit. Considering we were accustomed to twice that amount of time for a modular audit, well, let’s just say I was in a moderate state of panic.
The internal audit module planning matrix was intended to be a failproof method of organizing and assigning priority levels to our audit activity to accomplish the most auditing in the least amount of time possible. Our senior managers were looking forward to touting a new certification to current and potential customers, so it was vital that we not overlook barriers to certification during our internal audit.
To give our internal auditors a boost through the planning stage of our audit, I wanted to create and provide a reference that would reduce the amount of time they previously spent identifying which clauses they must cover and with whom. If I could help the audit team quickly recognize the areas of the standard that needed to be addressed, they could use that recovered time for developing checklist questions or researching past performance. We typically spent as much time, if not more, planning the audit as conducting interviews and observations. Consequently, shortening our planning stage without compromising the quality of work had the potential to shave weeks from our total audit timeline.
Because audit questions are often focused on an individual’s direct responsibilities within a process or system, I reasoned that a truncated version of our job descriptions would be a useful tool. Rather than catalog the responsibilities of each employee, I created entries for individuals with unique positions and then grouped other employees by management level or function. For example, our environmental manager, information technology infrastructure manager, and president perform work that isn’t shared by other employees and therefore have their own line items within the matrix. Management-level groups are the executive team (vice presidents), senior management team (directors), managers, and supervisors. Functional groups include customer service, sales, and accounting. The related clauses for each title or functional area were based on information in job descriptions, as well as management system policies, manuals, and procedures.
The matrix is divided into our defined audit modules. Each module of the matrix organizes audit information by employee title or functional area, location, primary clauses, secondary clauses, and customer clauses. Figure 1 is an example from our business planning, management responsibility, and support services module. We use colors to coordinate clauses from each of our three certified management systems: blue represents ISO 9001:2008, green represents ISO 14001:2004, and red represents OHSAS 18001:2007. The first version of the matrix focused on ISO 14001:2004; later revisions included ISO 9001:2008, and OHSAS 18001:2007. We’ll walk through this example to discuss the differences between primary, secondary, and customer clauses.
Figure 1: Internal audit planning matrix–President
|Title||Location||Standard||Primary Clauses||Secondary Clauses||Customer Clauses|
|President||Corporate||ISO 9001:2008||4.1, 5.1, 5.2, 5.3, 5.4.1, 5.4.2, 6.1, 5.6||8.1, 8.4, 8.5||8.1, 8.2.1, 8.2.2, 8.2.3, 8.3, 8.4, 8.5|
|ISO 14001:2004||4.1, 4.2, 4.3.3, 4.4.1, 4.6||4.5.3||4.4.3, 4.5.1, 4.5.2, 4.5.3, 4.5.5|
|OHSAS 18001:2007||4.1, 4.2, 4.3.3, 4.4.1, 4.6||4.5.3||4.4.3, 4.5.1, 4.5.2, 4.5.3, 4.5.5|
Each title or functional area in the matrix has related primary, secondary, and customer clauses for each of the three management systems (quality, environmental, and health and safety). Primary clauses are assigned to employees who are directly responsible, or share direct responsibility, for them. If an audit finding is issued, it will be assigned to a person who has primary clause responsibility. Secondary clauses are assigned to employees who have indirect responsibility and are expected to contribute to their achievement. Employees with customer clauses assigned rely on another employee, usually with direct responsibility, to provide a product or service related to these clauses. They are customers of someone with direct responsibility. In the example shown in figure 1, the president’s direct responsibilities (defined in the job description, policy, manual, and procedures) include establishing policies for the quality, environmental, and health and safety management systems (ISO 9001:2008 section 5.3, ISO 14001:2004 section 4.2, and OHSAS 18001:2007 section 4.2). Although the president isn’t directly responsible, he is expected to contribute to continual improvement through participation in corrective actions, preventive actions, and incident investigations as needed (ISO 9011:2008 section 8.3, ISO 14001:2004 section 4.5.3, and OHSAS 18001:2007 section 4.5.3). The president relies on other positions to provide information and data for his decision making (ISO 9001:2008 section 8.4, ISO 14001:2004 section 4.5.1, and OHSAS 18001:2007 section 4.5.1).
The matrix summarizes what an auditor can expect to see regarding inputs (customer clauses) and outputs (primary and secondary clauses) for a particular position or process. Because the information in the matrix is based on the flow and relationship of clauses as identified in our audit module map, auditors can use the module map to anticipate the sequence of applied clauses for a particular position or process.
In the example of our company president, we see that although he doesn’t have direct responsibility for the improvement clauses (primary clauses), he’s expected to contribute to improvement (secondary clauses), and also receives information from employees (customer clauses). He occasionally analyzes data (ISO 9001:2008 section 8.4) that he receives from others for decision making and presentations to our parent company. He also participates in corrective and preventive actions (ISO 9001:2008 section 8.5, ISO 14001:2004 4.5.3, OHSAS 18001:2007 4.5.3) as needed. He receives information and data from employees regarding customer satisfaction (ISO 9001:2008 section 8.2.1), internal audit results (ISO 9001:2008 section 8.2.2, ISO 14001:2004 section 4.5.5, and OHSAS 18001:2007 section 4.5.5), and process performance (ISO 9001:2008 section 8.2.3, ISO 14001:2004 section 4.5.1, and OHSAS 18001:2007 section 4.5.1). Of course, he needs to receive the information before he can do anything with it.
For our internal auditors, combining the audit matrix and the map reduces preparation time and allows more time for researching current issues and past performance when planning audit questions. Although each auditor has a different preference in method, all rely on the matrix to help focus on the audit’s scope.
Results and improvement
Although the matrix was designed to help cope with an isolated incident, our internal audit team now uses it for every audit. I review the content for the relevant module prior to audit planning and make necessary revisions so the auditors have current and accurate guidance to help them plan their observations and interviews. Our experienced auditors appreciate the convenience of having the basics documented and organized for quick reference, and our new auditors like having the International Organization for Standardization (ISO) and occupational health and safety (OHSAS) clauses applied in relation to one another.
Although we don’t have empirical evidence of this, as the audit manager I have noticed that the matrix reduces stress during the planning stage of the audit. Our auditors are less concerned about overlooking a clause because they have confidence in the matrix. This became especially important as we collected certifications—we now have three standards to audit against and because the matrix addresses each standard it’s easy for internal auditors to see how the clauses across standards are related.
It seems a small detail, but color-coding our standards has also been helpful to not only our auditors, but also the audience for the audit report. Our auditors now immediately associate blue with quality, green with environmental, and red with health and safety; readers of the audit report are beginning to catch on as well.
Initially I was concerned with the long-term use of such a tool. I didn’t want our auditors to rely so heavily on the matrix that they disengaged from the planning process and resorted to cookie-cutter checklists or other interview and observation aids. Fortunately, just the opposite has happened. The matrix liberates our auditors from the consistent and repetitive tasks of audit planning; as a result I have seen more meaningful, thoughtful, and well-connected audit questions and conclusions come from the team.
The next planned improvement is to identify the supplier functions for each function or process (to whom the information goes next) and restructure the matrix to a supplier-input-process-output-customer (SIPOC) format. This information is currently in the matrix but is buried with the other primary clause responsibilities. We will maintain the primary and secondary designations for responsibilities and continue to review the matrix for accuracy prior to each audit.
About the author
Shannon MacFarlane is a quality specialist for Totem Ocean Trailer Express Inc.
Tags: audit planning, audit matrix.