By Andrew Milner
The need for an organization to implement an internal audit program is a fundamental requirement of both AS9100 series standards and the ISO 9001:2015 standard. Here are four ways you can take an internal audit program beyond compliance—and really add value to your organization.
No. 1: Create a positive perception of internal audits
Let’s start with the culture around auditing. Comments such as, “Look out, here come the quality police!” or similar are often commonplace when setting out to perform an internal audit in some organizations. Although comments like this are clearly made in jest, they can be indicative of longstanding negative attitudes towards internal audits. This is perhaps a legacy issue from days gone by, when previous iterations of the standards focused more on the principles of quality control rather than quality assurance.
Increasing understanding that an internal audit is a two-way, open forum for reviewing current businesses processes will help greatly in changing this mindset. Auditees should be encouraged to be open and honest as part of the process and view it as an opportunity drive positive change in their department. It will help significantly to bring in comments such as: “Don’t like that old procedure you’re working to? Now’s the time to raise the issue and change it!” or “Can’t find a record? Let’s figure out why and put a control in place to make sure they’re always available when you need them in the future.”
The advantage of being an internal auditor over an external, third-party auditor (like myself) is that you have a lot more leeway to make recommendations on how to fix the problem and offer practical solutions. Internal auditing can be an ideal icebreaker to start discussions if you feel that change needs to happen in a particular process.
No 2: Assemble a diverse audit team
It’s a myth that only quality professionals can become internal auditors. Some of the greatest internal audit teams I’ve come across consist of personnel from a variety of backgrounds and functional areas. Everyone brings something different to the table—and with the right training on audit techniques and AS/ISO standards, anyone has the potential to become a really good internal auditor. Having different personalities on the team is also helpful. Those of a highly personable nature might be more effective at opening up conversation with more nervous auditees and be able to address some of the longstanding cultural issues referred to earlier.
Carrying out internal audits can also be a great career development tool for more junior members of staff. Early in my career in quality assurance, I was tasked with conducting internal audits to a number of different airworthiness regulations and international standards. Creating my own checklists was a brilliant way to learn about the intent of each one—and through carrying out the audit, I was able to network with lots of different departments.
No. 3: Check against intent, not just procedural content
Understanding why a requirement exists and what drives the current process is key here. There is often a temptation for an organization to just audit against local procedures and not properly understand what really sits behind them.
Taking the time to ask why a procedure is written a certain way or why certain records need to be kept will really add value to an internal audit. You may begin to find there are better ways to demonstrate compliance—and the process can be simplified.
Another area to consider looking at during the internal audit is process performance against defined key performance indicators. If a process is not achieving its planned results, e.g., an order management function is failing its target of orders processed right first time, this may be a strong indicator that something is wrong with the intent of the process—especially if it seems local procedures are being followed to the letter. Ask yourself: “Are sufficient checks and balances being undertaken before the order is released?” and “Is enough information gathered from the customer up front before order processing starts?” These are good points to think about in this hypothetical situation and may indicate that the current processes/procedures being followed are not robust enough.
Don’t be afraid to ask more general questions like this and go beyond what is written in the local procedure.
No. 4: Treat any findings with a sense of urgency
So, you’ve completed a deep dive internal audit and thoroughly tested the quality system, with several nonconformities and opportunities for improvement raised… then nothing happens for several months. Don’t let that added value go to waste!
All too often I see audit great improvement actions sitting on the back burner, and as a third-party certification auditor this is probably the No. 1 reason a nonconformity is raised within the 9.2 section set of requirements for internal audits, specifically the need to take actions without undue delay.
However, at the same time you really need to avoid completing any actions on behalf of other people, and ideally make sure the department fixes the problem by their own accord. Getting this done in a timely manner can be difficult sometimes, and how you do it will very much depend on the status quo of your organization, but here are a few suggestions:
- Schedule a formal closing meeting with the head of the department being audited to ensure any findings are properly explained.
- If you operate a digital nonconformity and corrective management system, it would be beneficial to raise any internal audit findings on this system so that it is subject to the same level of rigor as a product-related issue or external complaint.
- Keep time free in the diary to go back and verify effectiveness of actions to address findings raised. Knowing that you’ll be back in 30, 60, or 90 days to see how things are going could be a good motivator to get actions completed on time.
The above identifies four possible ways you could maximize the added value from your internal audit program. This article is by no means a guide on how to comply with the standard, but more my views on how you can achieve a better state of maturity. I really hope this gives you some ideas on how things can be done differently in your organization—and helps change the perception that an internal audit is nothing more than just a tick-box activity.
About the author
Andrew Milner is the quality assurance and aerospace specialist for Lloyd’s Register, Australasia.