by Roderick A. Munro, Ph.D.
Internal auditing for ISO 9001 (as defined in Wikipedia) “is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal auditing is a catalyst for improving an organization’s governance, risk management, and management controls by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.” However, far too many internal audits are still conducted only as simple compliance checks: what does the work instruction (procedure or process) say, and is that being done?
How can management improve the internal audit process? There is no one answer for this, and the individual auditor’s background and/or training in auditing makes a big difference as to how to proceed. Also, the upcoming revision to the ISO 9001 standard may change some of the requirements for internal auditing.
There are many methods for training internal auditors, including on-the-job auditing and formal internal or external classes that sometimes incorporate practice audits. In some cases management sends people straight into an approved five-day lead assessor training class with little to no auditing experience. Sending someone to a lead assessor class is the least desirable method because it’s way beyond what someone needs to conduct internal audits. An even worse scenario is when a manager sends someone to a lead assessor course and then expects that individual to come back and set up a quality management system from scratch—a definite mismatch of skills!
The primary question to ask of the manager who wants to continually improve his or her organization’s internal audit process is how much auditing experience/skill does the team have and do they have a coach (internal, corporate, or external) who really understands the concepts of the process approach as outlined in ISO 9001 and ISO 14001 and further defined in ISO 19011? There are far too many internal auditors who are still using crude check sheets that barely conform to compliance audits. They either never learned about the process approach or they don’t have a manager or coach who understands this process. At a bare minimum, the manager could assign the internal auditors to be the guides when the third-party auditors arrive to allow their personnel a chance to observe and take notes. (We usually get the quality manager or senior quality engineer as our guides.)
Given the large potential knowledge/skills gap, the challenge is to find some common ground to work from. There are many approved internal audit courses available and a quick internet search can easily give you lists of what is needed from those classes.
Typically, approved ISO 9001 internal auditing courses include the following content and structure based on ISO 19011:
- An introduction to internal auditing
- A complete review of ISO 19011:2011
- Auditing for improvement
- Purposes for internal audits
- Benefits of internal audits
- The audit cycle
- Keywords and definitions
- A complete review of ISO 9001:2008 (perhaps something on the ISO 9001:2015 CD)
- Audit planning and preparation (scope, purpose, depth, duration, etc.)
- Audit meetings
- Audit documents (based on internal forms)
- Auditor responsibilities
- Auditor attributes and skills
- Communication dos and don’ts
- Interviewing skills and the type of questions to ask and not to ask
- Documenting the audit findings
- Reporting the audit results
- Corrective action and follow-up (effective closure of issues)
A great internal auditor resource is the American Society for Quality’s Certified Quality Auditor (CQA) Body of Knowledge (BOK). This isn’t necessarily designed to be used as an internal auditor exam; however, it’s a good tool for managers to use to help improve their people’s auditing skills and a very good goal post to measure progress against as they strive to improve their skills. The current CQA BOK can be found at: http://asq.org/cert/quality-auditor/bok.
Here’s an outline of the CQA BOK:
- AUDITING FUNDAMENTALS
  - Basic terms and concepts
  - Purpose of audits
  - Types of quality audits
  - Audit criteria
  - Roles and responsibilities of audit participants
  - Ethical, legal, and professional issues
- AUDIT PROCESS
  - Audit preparation and planning
  - Audit performance
  - Audit reporting
  - Audit follow-up and closure
- AUDITOR COMPETENCIES
  - Auditor characteristics
  - Resource management
  - Conflict resolution
  - Communication techniques
  - Interviewing techniques
  - Team membership, leadership, and facilitation
  - Presentation techniques
  - Verification and validation
- AUDIT PROGRAM AND BUSINESS APPLICATIONS
  - Audit program management
  - Business applications
- QUALITY TOOLS AND TECHNIQUES
  - Fundamental quality control tools
  - Quality improvement tools
  - Descriptive statistics
  - Sampling methods
  - Process capability
  - Qualitative and quantitative analysis
  - Cost of quality
It’s often helpful to create a matrix out of the ASQ CQA BOK, or even both lists in this article, and to do a gap analysis against each of the internal auditors in your organization. This helps identify patterns or trends in potential knowledge gaps around certain topics that can then be addressed. Just as important is analyzing the internal auditors’ past audit reports (beyond following the checklist) against these criteria, or against what is considered a leading audit report, to see if any patterns or trends are visible from that analysis. This is very useful when trying to ascertain which internal auditors need additional coaching or training.
The internal audit process should be used as a management tool and not just a compliance act to meet ISO 9001 requirements. Internal audit results are usually mentioned in the management review minutes, but there are almost never any comments about how the management team might be directing or using the internal audit process to help in the efforts to continually improve the business. Thus, for many organizations, the true benefits of having an internal audit process are being missed. How useful is your internal audit program?
About the author
Roderick Munro, Ph.D., has more than thirty-five years of process improvement experience in the service and manufacturing industries, working from the shop/store floor up into the managerial ranks. He is an ASQ Fellow and a Fellow of The Chartered Quality Institute (CQI) of England. He has extensive experience with lean, Six Sigma, and quality engineering, and has worked with the automotive core tools, ISO 9000, QS-9000, ISO/TS 16949, ISO 14000, BS 18001, and Healthcare Systems Engineering. Additionally, he has been active with the Michigan Quality Leadership Award (MQLA), which is the Michigan-level Baldrige process, and is an Accreditation Board for Engineering and Technology (ABET) trainer and program evaluator. He is the co-author of The ISO/TS 16949 Handbook, published by Paton Professional.