
By Denise Robitaille
Business is good and people are busy. There’s a lot to be done. Along with all the regular stuff that goes into running an enterprise is the need to ensure that quality management system requirements such as internal auditing don’t get ignored.
Increasingly, organizations are outsourcing their internal audit process. There’s nothing wrong with having a contracted third party do your audits. However, the downside is that some of the benefits implicit in having co-workers and internal associates conducting the audits are lost. There’s less ownership and lost opportunities for learning.
However, the simple reality is that it isn’t always practical or workable. You look at the risk versus benefits and make a decision. There are several risks to continuing to keep the process in house. The audits may be done hurriedly and without due diligence, netting lackluster results and no opportunities for improvement. Or, the whole program could crash and burn with some audits missed, findings ignored, and resentful managers begrudging the wasted time.
So, if the organization wants to have productive audits, but has to deal with the reality of stressed workers with limited time, then the other viable option is to outsource the process.
Having made the decision to hire a contractor to do the audits, there are several things to consider. Make no mistake. You are outsourcing the process. But you are not abdicating responsibility for its effective implementation. Regardless of who is conducting the audits, you still own the process.
I’ve conducted certification audits where the internal audit program was outsourced and found some glaring problems. I’ve also seen some very diligent, thorough audit reports with excellent follow-up by the organization.
But, let’s get back to the problematic cases. I’ve seen audits that were done in scant time—one day for a facility with more than 100 employees and three shifts. And, I mean one day for the entire year! I recently wrote up a nonconformance during a surveillance audit for an internal audit program that had a one-day outsourced audit. The report was a listing of five findings attached to eight pages of illegible chicken scrawl that was the only evidence of what had been audited.
The client was taken aback by the nonconformance until I explained the ISO 9001 requirements. To his credit, the manager listened and contacted the auditor to explain what was required. I was appalled. The credentials this auditor had provided showed him to be a certified lead assessor. There was no excuse for his shoddy work.
What then should organizations consider when they decide to outsource their internal audit program?
First and foremost, never forget that you own this process. You need results. You are the customer and the contractor must deliver the requisite results. That is the organization’s right and the contractor’s responsibility. What are the intended results?
The contractor should conduct the audit utilizing established fundamental auditing practices. These include process approach, appropriate sampling of evidence and productive interviews. The organization should be provided an audit report that is complete, providing evidence of the processes audited and the results of the assessment—good and bad. There should be findings of nonconformance and opportunities for improvement. I say there should be findings. Some of you will balk and respond by asking: “Suppose there aren’t any nonconformances?” It’s not impossible but it’s unlikely. Things change and we aren’t always vigilant. Errors occur. People come and go. Nonconformances are apt to arise; they should be viewed as good things—as chances to catch problems before the customer or a regulator does. This leads me to a small sidebar. If you’ve intimated to the auditor that you don’t want any nonconformances or that you just want to have a piece of paper to wave under the registrar auditor’s nose, you will probably get your wish. That also means that your organization will probably perpetuate problems and bad practices. And, you’ll get a certification auditor like me who will notice that your audits don’t conform to requirements.
How should you ensure that your outsourced auditing process is working for you? Follow the guidance in ISO 9001. Make sure that the audits are planned taking into consideration importance, changes that affect your system, and results of previous audits.
Select an auditor with good credentials. Lead assessors, ASQ certified quality auditors and auditors with regulatory experience and credentials are good qualifying criteria. If you have the ability, try to get someone with experience in your industry. The audits will be proportionately more efficient since the auditors don’t have to go through the learning curve of understanding your products and processes.
Have the auditor participate in the planning of the annual schedule. Don’t scrimp. Allocate the time needed to do it right. If you have more than one shift, ensure that the other shifts get audited at some reasonable frequency.
Arrive at an agreement with the auditor as to the format of the audit report. Ensure that the format facilitates responding to findings so that there can be appropriate follow-up.
Review the reports when you get them. If they aren’t detailed enough or don’t provide the information you need, contact the auditor. Remember you are the customer. The integrity of that report is no less important than the verification that the components you ordered meet the drawing specifications.
Communicate with your auditor about revisions to the schedule or major changes to your organization. If the auditor has presented credentials that have an expiration date, make sure to get updated certificates as they become available. If the standard changes, such as what’s recently occurred with ISO 9001, ask for evidence that they’ve had training on the new requirements.
Expect to get good results from your audits and use them to improve your business. And always remember that you have ultimate ownership of the audit results.
About the author
Denise Robitaille is the author of numerous books on various quality topics. She is an internationally recognized speaker who brings years of experience in business and industry to her work in the quality profession. Denise is an active member of U.S. TAG to ISO/TC 176, the committee responsible for updating the ISO 9000 family of standards. She is also an Exemplar Global-certified lead assessor, an ASQ Certified Quality Auditor, and a fellow of the ASQ.
Denise’s latest book The (Almost) Painless ISO 9001:2015 Transition was published by Paton Professional in late December.