by Larry Whittington
Have you considered using an audit checklist? Were you told they are no longer recommended and may even cause audits to be ineffective? Maybe you discontinued use of audit checklists. You might want to reconsider that decision. Your checklist may simply have been the wrong type to be an effective tool.
Before deciding that audit checklists are really dead, learn about a different type of audit checklist—one without canned questions limited to the requirements of a standard; instead, use an audit checklist that includes an answer key of expected evidence. This article will explain how audit checklists can use the information from a process diagram and the plan-do-check-act methodology to identify the key requirements from all applicable sources.
What is a checklist?
A checklist is a list of items to be checked or remembered. If you go to the grocery store without your shopping checklist, for example, you’ll probably return with items you didn’t need and forget to buy the food you need for dinner. In business, we also use checklists. They are memory aids to remind us of the items to perform, verify, or check. They can help ensure consistency and completeness in performing an activity.
When organizations adopt ISO 9001, they often use an audit checklist to ensure all of its requirements have been adequately addressed in their new quality management system (QMS). Although this implementation checklist can be a valuable tool to verify that no requirements were overlooked, it’s usually structured along the clauses of the standard and doesn’t include any customer, legal, industry, or organizational requirements.
An ISO 9001-based checklist can help set up your ISO 9001-based quality management system (QMS). However, it may not be appropriate for an internal audit of your business processes because it doesn’t follow the natural flow of the business. Some even say audit checklists shouldn’t be used at all, so that the assessment isn’t restricted to a canned set of questions.
Are audit checklists required?
Clause 8.2.2 of ISO 9001:2008 doesn’t say anything about audit checklists. It does say your audit methods must be defined and the documented audit procedure must cover the responsibilities and requirements for planning and conducting the audits. If audit checklists are used, they must be addressed in the internal audit procedure.
Clause 6.3.4 of ISO 19011:2011, which addresses auditing guidelines, says work documents should be prepared for use during the audit and that these work documents may include audit checklists. It goes on to say that these audit checklists should not restrict the extent of the audit activities, which can change as a result of the information being collected.
So, audit checklists are optional, but are they dead in actual practice? In some forms, they may be. The use of clause-based audit checklists is being limited. Process-based audit checklists are alive, but may be a healthier tool if used in a different format.
We use checklists to remind us of the audit criteria against which we are to compare the audit evidence. In other words, we should compare evidence (statements, observations, documents, and records) to the applicable requirements (customer, organization, standard, and legal).
Use of audit checklists
The typical questions on an audit checklist may cause auditors to restrict themselves to only those questions and not develop their own questions based on the evidence being gathered. Auditors may feel obligated to ask all the checklist questions and ignore important process questions.
Traditional audit checklist questions are usually limited to the requirements expressed in the applicable standard, procedures, and work instructions. Questions about requirements that are undocumented but still relevant will be missing. In addition, audit checklists may fail to consider the process linkages with other processes, e.g., the links with internal suppliers and internal customers. The proposed audit checklist doesn’t include any canned questions. Instead, it identifies key requirements to be sampled and encourages auditors to develop their own questions.
When an auditor hears reasonable answers to the canned questions, he or she may accept the responses and not recognize nonconforming situations. A typical checklist gives auditors the questions to ask, but doesn’t provide the expected answers.
If you are an instructor, you’d want access to the answer key for grading the exam responses. Likewise, an audit checklist should provide expected answers to judge conformity. Rather than listing only questions, we should use audit checklists that contain no questions, only the key requirements and expected evidence. Auditors, even new auditors, can develop questions to ask during the interview that are based on the applicable requirements. By not providing the questions, each audit is unique and does a better job of sampling the area under audit.
Identifying the expected evidence on the audit checklist helps the auditor decide if the statements made, operations observed, documents reviewed, and records examined are conforming.
Traditional audit checklist
A traditional audit checklist for the document control process might contain a question like:
“Are the documents approved before they are issued?” The response might be, “Yes, I receive an e-mail note from the document owner approving the document before I make it available.” That might sound like a reasonable response, especially if the auditee shows you records matching that practice.
With the proposed audit checklist, there would be no questions. Instead, under the requirement column would be: “Approve documents before they are issued.” Under the evidence column might be something like: “Document owner and quality manager must both sign the approval form, DC-01.1.” Based upon the listed requirement, the auditor might ask, “How are documents approved?” If the same earlier response was received, the auditor would see from the expected evidence that approval from the quality manager was missing and that the required form was not being used.
Audit checklist format
This style of audit checklist would contain:
- Reference (source): Document, section, and revision level
- Requirement (to look at): Legal, organization, customer, or standard
- Evidence (to look for): document, observation, record, or statement
- Notes (comments): evidence found, actual results, any concerns
Auditors will develop their questions based on the requirements of the audit checklist and then compare the responses to the expected evidence.
A process diagram, sometimes referred to as a turtle diagram, helps illustrate the process elements to be audited. A process audit is an objective evaluation of a process to determine the extent to which the process is meeting its requirements. Because a process is a set of interrelated or interacting activities that transform inputs into outputs, a process audit includes an examination of the process inputs, activities, and outputs. A process is part of a large set of processes that make up an overall QMS. Therefore, a process audit must also consider the linkage and interaction of the process with these other processes.
- Inputs: What received, when, and from whom
- Outputs: What delivered, when, and to whom
- What: Resources (Equipment, skills, and experience)
- Who: Resources (People, skills, and experience)
- Methods: Procedures, instructions, and controls
- Measures: Performance results and objectives
In addition to the requirements for process inputs, resources, methods, measures, and outputs, the checklist can also include requirements on internal supplier processes for the content and delivery of its inputs. Similarly, the checklist can be used to verify that the process output meets the input requirements of its internal customer processes.
As an example of the turtle diagram, let’s look at a breakfast process:
- Inputs: Order, food
- Outputs: Meals, checks
- What: Resources (Utensils, appliances)
- Who: Resources (Cooks, waiters)
- Methods: Recipes, cookbooks, and inspections
- Measures: On-time delivery, complaints, and returns
Plan-do-check-act
In addition to the process diagram, the plan-do-check-act (PDCA) methodology can be applied to any process and be helpful in creating audit checklists.
- Plan: Establish the objectives and processes necessary to deliver results in accordance with the customer requirements and your organizational policies.
- Do: Implement the activities of the process.
- Check: Monitor and measure the process and its deliverables against the policies, objectives, and requirements for the process outputs and report the results.
- Act: Take action to continually improve the process performance.
Remembering this cycle can help you develop process-oriented audit questions, such as:
- Plan: How do you know what to do?
- Do: How do you do it?
- Check: How do you know it is right?
- Act: What do you do if it is not right?
Likewise, PDCA can help you identify evidence. For example:
- Plan: Procedures, instructions, and flowcharts
- Do: Observations, explanations, and records
- Check: Standards, specifications, and targets
- Act: Accept, reject, adjust, rework, and repair
As another example, here is the turtle diagram for the audit process itself:
- Inputs: Audit schedule, audit plan, requirements, prior reports, and evidence
- Outputs: Audit notice, audit plan, oral report, written report, and audit records
- What: Resources (notebook, laptop, and audit software)
- Who: Resources (audit program manager, qualified auditors, auditee)
- Methods: Audit procedure, checklist, forms, guidance
- Measures: On-time audits, repeat nonconformities, on-time reports, and overdue actions
The primary aim of a checklist is to help an auditor ensure the consistency and completeness of an audit. The planning involved in creating an audit checklist saves time during the audit and helps the auditor come to a more informed judgment. An audit checklist serves as a sampling plan and helps auditors better manage their time. An audit checklist is also a repository for auditor notes and becomes a record of the investigated areas.
Checklists aren’t dead. However, for an audit checklist to be a healthy audit aid, you should drop the canned questions, focus on the process requirements, and identify the expected evidence for conformity. Using the proposed audit checklist will help ensure your audit objectives are met.
About the Author
Larry Whittington is president of Whittington & Associates, a training, consulting, and auditing company founded in 1993 and located in Canton, Georgia. He is an RABQSA and IRCA-certified Lead QMS Auditor, as well as an ASQ Certified Quality Auditor and Software Quality Engineer. Larry has developed requirements, implementation, documentation, and auditing courses used by multiple training firms, and has taught hundreds of classes to thousands of students. You can contact him at email@example.com.