By Mickey Christensen
While I am a staunch supporter of good internal audits, I also place a lot of value on the limited resources available in small businesses. Since the introduction of the 1987 versions of the ISO 9000 series of standards, I have worked with both large international organizations and small businesses of fewer than 30 employees. One client is a supplier to the oil and gas industry who has seven employees and is struggling to keep the doors open. With the price of oil and gas low, the whole industry is working hard to stay afloat.
When I received the new ISO 19011:2018, I read the standard with a focus on small businesses and what they need to do to comply. Here are my thoughts on where the writers of the standard could consider making changes in the next update.
While there are sections of the standard that address the whole audit process, the number of sections dealing with managing the audit process is overkill for small businesses. Sections that are part of the “managing” process include: managing the program, establishing audit program objectives, determining and evaluating audit program risks and opportunities, and establishing the audit program. The standard goes on to reference a further 31 sections relating to managing the audit process. A lot of this is system work and should be administered by the person managing the system—not the auditor.
While some audit activity should be undertaken relating to these sections, the detail required can overburden a small company. When one person goes out to audit the company and talks to four or five people out of the seven employees, how much “audit system management” is necessary? When many people in the small company are asked to do several jobs and know the work processes, they need to focus on “is the work being done according to customer requirements following the documented procedures and are the records kept properly?” In some small businesses it is hard to ensure auditor independence since most employees do many of the various jobs.
The actual auditing sections of ISO 19011:2018 include: principles of auditing, conducting an audit, initiating audit, establishing contact with the auditee, determining feasibility of audit, and preparing audit activities. The standard goes on to mention a further 17 sections relating to managing the audit process. Some of this could be a duplicate of what the system manager does.
In many small businesses an opening and closing meeting are not value added. Discussions during the audit let people know the status, and when the auditors meet with management to inform them of the findings, it may be several days later. The report is presented to management for management review and/or actions necessary due to findings. Correction of findings may already be under way by the time management hears about the findings. Top management in some small businesses are out of the office making sales calls when an audit may be undertaken. They need to be informed as soon as practical.
The person managing the audit system should have some documented information about qualifying the auditors, what should be audited, a schedule of when they will be audited, how the results are to be reported, and what the corrective action process for findings is, and they should monitor the performance of auditors. The KISS process (keep it simple, but sufficient) should be followed so people do not get intimidated with too much paperwork.
In my opinion, the standard should include some guidance on doing a proper audit using techniques or methods that have been shown to work in other facilities. I am not proposing that auditors audit by a checklist. Too many times I have seen auditors more intent on answering the questions rather than following the audit trail presented. The use of a hand-written checklist to aid in covering aspects that may be in question is good and should be used as an aid.
Internal auditors should be briefly trained in the ISO 19011 requirements and should spend more time on audit techniques. Then the person who manages the system should be trained and follow the ISO 19011 standard. Role playing can be a training tool; however, it can be difficult without the system documents and people to interview. If there are only a few people in the company, the auditor may have to audit their own work.
Internal auditors should be free to follow the audit trail provided and not be held to following a prescribed checklist or published list of questions. Depending on the response to questions asked of the workers, the audit trail may be totally different than what is planned. Usually following these trails leads to more opportunities for improvement than bypassing them to follow the “plan.”
This is just food for thought when dealing with small organizations. The percentage of people’s time spent on auditing should be adequate, but too much system work may be a deterrent.
About the author
M.M. “Mickey” Christensen, MSME, P.E. retired, is president of TQM Systems in Baton Rouge.
TQM Systems consults, trains, and audits for clients pursuing quality/environmental management system implementation and system maintenance. Mickey is a registered QMS Lead Auditor with Exemplar Global. He has work experience in several manufacturing processes.
He chaired the committee that developed the Louisiana State Quality Award and served as charter president of the Louisiana Quality Foundation, which administers the State award. He is a Fellow member of American Society for Quality (ASQ) and is the past chair for the ASQ Healthcare Division. He was a co-developer of the first ISO International Workshop Agreement (IWA) document. The IWA-1 was a guidance document based on ISO 9004 for use in implementing ISO 9001 in healthcare. He worked with the ASQ/AIAG group, the Standards Council of Canada, Canadian Standards Association, and ISO to review/revise the IWA-1 to make it a more useable document. He co-authored the Automotive Industry Action Group (AIAG) Business Operating Systems (BOS) for healthcare organizations document based on the Malcolm Baldrige National Quality Award Healthcare Criteria with ISO 9001 and IWA-1 text inserted.
He has assisted an international registrar in developing the Integrated Health Care System (IHCS) criteria for a system that also combines CMS Conditions for Participation with ISO 9001.