by J.P. Russell.
Managing audit programs is covered in ISO 19011’s clause 5—Managing the audit program/department, which provides very important guidance for management and valuable knowledge for auditors when they audit other audit programs. The clause provides guidance for establishing (plan), implementing (do), monitoring (check), and improving (act) the audit program.
Note: This column is devoted to a review of ISO 19011 topics. In each post, I’ll discuss a different topic and follow that with a quiz so readers may evaluate their understanding of the information. Readers are encouraged to share this column during short informal meetings with other auditors or interested parties, which I believe will result in more effective audits. Text from ISO 19011 is in italic.
Managing audit programs: ISO 19011 clause 5.1
When there is a need to establish an audit program, either because it is required by a standard or regulation or because it is part of a business strategy, it should be designed as an audit program that contributes to the determination of the effectiveness of the auditee’s management system. Performing audits is a service and it must be designed like any other service or product. Good planning will result in an efficient start-up and smooth ongoing operations. Poor planning will result in false starts and trial-and-error solutions until all unintended consequences are resolved.
Auditing management systems
The management system auditing standard provides guidance for system audits, but the guidance could also be used for product/service audits as well as process audit programs. The audit program can include audits considering one or more management system standards, conducted either separately or in combination. The number of management system standards (MSS) continues to increase. They include quality, safety, environmental, food safety, business continuity, and so on. The audit program can include both internal and external audits, such as supplier audits.
Sidebar Discussion: Why audit?
Why do we need to conduct audits? Why can’t people do it right the first time? Why do we need someone checking up on us? Isn’t it true that people don’t like someone looking over their shoulder (so to speak)? Those are tough questions to answer. However, we can say auditing is part of the plan-do-check-act[i] cycle. It’s a prevention tool to identify problems and undesirable situations before they become significant problems. I have stated in the past, “Results come from checking, not expecting.[ii]” The success of an audit program may depend on its demeanor. Is it policing and enforcing or identifying and sharing?
Top management should ensure that the audit program objectives are established and reflect the needs of the organization. Top management should assign one or more competent persons to manage the audit program. Management should decide whether the program will be run by one person or whether its responsibilities will be divided among several people. The competencies for the audit program manager(s) may be in a job/position description. We won’t discuss the detailed competency needs of the audit program manager here. The overall expectations would be someone with management knowledge and skills such as budgeting, managing people, and a record of successes. Plus, auditing knowledge and skills would be very desirable.
Scope
The magnitude of the audit program will vary depending on the organization’s needs and the context of the organization[iii]. The extent of an audit program should be based on the size and nature of the organization being audited. Considerations of size may include the number of employees, number of facilities and locations, number of operations, and annual budget or revenue. The nature of the organization may be whether it sells office supplies or artificial limbs. Is it a job shop with a dozen different machines or does the organization assemble airplanes? I think of an organization as having its own personality. The extent should also be based on the nature, functionality, complexity, and level of maturity of the management system to be audited. These same factors will be important when deciding the size of the audit team or number of audit days for individual audits. The nature, functionality, and complexity of the quality management system (QMS) may align with the context of the organization. The maturity of the QMS would be a short-term consideration.
Significance
Priority should be given to allocating the audit program resources to audit those matters of significance within the management system. This is a key strategy for many management decisions. We all know to work on the important stuff but many times we find we don’t. We work on the easy things that take less effort or we work off a routine list so that we don’t need to think about what we should work on next. Perhaps the most important job for management and top management is the allocation of resources. Resources should go to the things that are the most beneficial to the organization in terms of improvement or avoiding negative consequences.
Significance may relate to the key characteristics of product quality or hazards related to health and safety, or significant environmental aspects and their control. Significance may also relate to key processes or suppliers. There is risk in everything we do. It’s management’s job to decide which risks are acceptable or unacceptable (effect of uncertainty). If a risk is unacceptable to the organization, it must be eliminated, treated, or avoided.
Risk-based thinking
There is a note in ISO 19011 that this concept is commonly known as risk-based thinking. Risk-based auditing is linked to risk-based thinking. Top management and audit program managers should integrate the concept of risk-based thinking into the audit program. Audits should focus on the areas, processes, and activities where risks are higher.
Risk-based thinking is a management prevention tool similar to auditing. The organization must understand its context (who are we) and determine risks as a basis for planning.
The concept of risk-based thinking has been around for a long time. If you are planning an activity or strive for a goal (objective), you might brainstorm what could go wrong or even if it were possible to far exceed expectations. For example, perhaps you decide to design and produce wooden-handled can openers.
You brainstorm issues with acquiring a sales team, wood, metal, equipment to fabricate the can opener, and so on. On the other side of things, what if sales are double what you forecast because you make the only organic can opener? Can you get the financing you need to expand? Will you be able to address irate customers because of shortages? I think of risk-based thinking as a prevention-style management strategy.
Organizations need to understand their context and determine risks as a basis for planning. This represents the application of risk-based thinking to planning and implementing quality management system processes and will assist in determining the extent of documented information.[iv]
Simple tools such as brainstorming and creating a matrix that rates the risk levels are available. An organization might, however, choose to use more formal tools such as failure mode effects analysis (FMEA) or might create a company-wide risk management program. Audit program managers should identify the areas, processes, or activities with high risk. Areas could be rated by the audit program manager, the audit team or a cross-functional team looking at all aspects of a process.
For conformity assessment, every requirement is important and must be verified. The new MSS standards are more results- and performance-based, with fewer prescriptive requirements. In the future, management system auditors will need new competencies to properly audit the new style of MSS.
Study and improve
As part of the plan, the audit program should be monitored and measured to ensure its objectives have been achieved. The audit program objectives should support and complement the overall organization objectives. Objectives may relate to efficiencies or effectiveness of operations or relate to organization values. Finally, to close the loop, the audit program should be reviewed in order to identify possible improvements.
Managing audit programs: conclusion
Once the need for a management system audit program has been established, top management must provide guidance for creating and managing audit programs. The audit program should include information and resources necessary to organize and conduct its audits effectively and efficiently within the specified time frame. A lot of thought should go into the planning of an audit program. If done right, it will result in smooth operations. When auditors are auditing other audit programs, they will want to know the basis for forming the audit program and how it contributes to organization objectives.
Quiz for clause 5.1 Managing audit programs
Please choose the best answer considering the guidance provided by ISO 19011.
1. An audit program should contribute to the determination of the ________________ of the auditee’s management system. (Fill in the blank.)
a. advancement
b. effectiveness
c. efficiency
d. both b and c
2. If an organization has implemented more than one MSS, how should they be audited?
a. an audit team may audit different MSS separately or in combination; it is whatever they decide
b. it is best if audit teams are formed to audit each MSS separately
c. an organization may combine MSS audits but it is recommended that there be two audit team leaders, one for each standard
d. none of the above
3. What should the extent of the audit program be based on?
a. size and nature of the organization being audited
b. nature, functionality, complexity of the management system
c. maturity of the management system
d. all of the above
4. On what basis should audit program resources be allocated?
a. using risk-based thinking
b. nonconformities within the QMS
c. matters of significance within the QMS
d. legal consequences
Quiz answers are below the About the Author section.
About the author
J.P. Russell is the founder and managing director of QualityWBT Center for Education. He is also an ASQ fellow, ASQ-certified quality auditor, voting member of the American National Standards Institute/ASQ Z1 committee, member of the ASQ Z1 Auditing Committee, and member of the U.S. technical advisory group for International Organization for Standardization technical committee 176. Russell is a recipient of the Paul Gauthier Award from the ASQ Audit Division and author of several ASQ Quality Press books about auditing, standards and quality improvement.
Quiz answers
1. b. There has been a line in the sand that management systems should improve effectiveness but not efficiency. Efficiency is linked to monetary gains. Financial issues are very important but management systems are focused on increasing the confidence that organizations will provide quality and safe products and services while adhering to environmental rules.
2. a. The audit program can include audits considering one or more management system standards, conducted either separately or in combination.
3. d. The extent of an audit program should be based on the size and nature of the organization being audited. It should also be based on the nature, functionality, complexity, and level of maturity of the management system to be audited.
4. c. Priority should be given to allocating the audit program resources to audit those matters of significance within the management system. This is a key strategy for many management decisions.
Notes
[i] PDCA, published by Walter Shewhart in the 1930s and then popularized by W. Edwards Deming in the 1970s and 80s. Known as the Deming cycle. Also known as plan-do-study-act.
[ii] Russell, J.P. Continual Improvement Assessment Guide: Promoting and Sustaining Business Results, Milwaukee, ASQ Quality Press, 2004, page 2.
[iii] Context of the organization is a combination of internal and external issues that can have an effect on an organization’s approach to developing and achieving its objectives. ISO 9000:2015, clause 3.2.2
[iv] ISO 9001:2015, Annex A.4.