Essential Elements Of Quality Management System INTERNAL AUDITING

Essential Elements Of Quality Management System INTERNAL AUDITING

What is Internal Auditing? Internal auditing is an internal process for facilitating organizations to meet their objectives. It is concerned with checking and improving the effectiveness of different management systems in an organization. What is auditing? Auditing is defined in international standard ISO 19011: 2011—Guidelines for auditing management systems as a “systematic, independent and documented process for obtaining audit evidence [records, statements of fact or other information which are relevant and verifiable] and evaluating it objectively to determine the extent to which the audit criteria [set of policies, procedures or requirements] are fulfilled. ”

The Concept Behind Internal Auditing An audit can be termed as a type of inspection and testing, except that in this case the product being inspected is the management system itself. Similar to a product or process inspection, an audit compares “how things really are” to “how they are supposed to be”. Audits attempt to reveal areas that should be given attention and areas that are veiled during routine activities; audits look at the whole process with fresh eyes, which can detect such shortcomings. Although it is such a constructive tool in the management system, audits often evoke a level of stress that is equivalent to the stress of completing an exam. A positive external audit carries a lot of weight, so it is natural that there is some concern and worry from the auditee. However, a robust internal audit cycle can minimize the stress, as an audit might reveal the problems within department and perhaps even solve them before an external audit ever begins.

Comparing the Old and New ISO 9001 Standard All types of management standards need audits to observe and present findings on the efficiency of the management system. A comparison of the internal audit between the old ISO 9001: 2008 and the new ISO 9001: 2015 is shared next.

ISO 9001: 2008 This internal audit process is required in one of the documented procedures mandated by ISO 9001: 2008, which explicates that companies will implement a documented procedure with defined tasks owners. The procedure should also state how internal audits will be planned, conducted and results reported. The records should also be kept.

ISO 9001: 2015 does not mandate a procedure for Internal Audit which is supposed to be documented. However organizations should keep an audit program and keep documented information of the audits held, their findings and closure records.

Phases of an Audit There are four phases of an audit program: Audit Preparation Audit Proceedings Audit Reporting Audit Follow-Up and Closure

Audit Preparation Audit preparation contains all steps that are made in advance by concerned parties ( such as the lead auditor, the auditee, and the audit program manager) to make sure that the audit acts in accordance with the client’s objective. The preparation part of an audit starts with the decision to perform the audit. Preparation finishes when the audit starts.

Audit Proceedings This is the actual implementation phase of an audit and it is frequently known as the evidence collection. This phase comprises of the time period when the auditor appears at the audit location to the last closing meeting. It comprises of audit proceedings which comprises of on-site audit organization, discussion with the auditee, comprehending the procedures and system controls and confirming that these controls are effective, collaborating with team members, and interacting with the auditee till closing meeting.

Audit Reporting The objective of the audit report is to discuss the findings of the audit proceedings. The report should contain evidence of findings that will be operative in solving imperative organizational matters. The audit activities are completed when the report is presented by the lead auditor or when follow-up actions are done.

Audit Follow-Up and Closure The final phase of an Audit is verification of follow-up actions. Once the follow-up actions are verified, the audit is considered closed.

First, Second and Third Party Audits A first party audit is also known as internal auditing. It is conducted within an organization to gauge strengths and flaws for an organizations own procedures, work instruction, or external standards like ISO 9001, which are voluntarily adopted or mandated by a regulatory body. A first party audit is performed by auditors who are part of the organization being reviewed but who have no interest in the falsification of audit results. A second party audit is an external audit that is conducted on a supplier by a client or by a third-party organization in lieu of a customer. Second party audits usually focus on the rules of contract law. Second-party audits tend to be more official than first party audits as the audit results could affect the customer’s buying conditions. A third-party audit is conducted by an audit organization free from the purchaser-provider association and is free from any conflict of interest. Impartiality of the audit organization is an important element of a third-party audit. Third party audits may end in recognition, award, registration, certification, license endorsement, a reference, or a penalty given by the third party organization. ISO 9001: 2015 certification is also awarded based upon a third party audit, but this audit verifies a system of first party audit i. e. internal audit for certification.

Types of Audit Product Audit: This type of audit is carried out on a particular product or service to observe whether or not these products and services conform to specifications and customer requirements. Process Audit: This type of audit is carried out on a process to check whether process parameters are maintained within defined limits. This audit assesses an operation or technique in comparison to guidelines or criterion. This audit may comprise of following: • Verify conformance to prescribed requirements such as instance pressure, time, temperature, composition, voltage, and blend. • Observe the resources (i. e. machinery, materials, human resource) allocated to convert the inputs into outputs, the surroundings, the standard procedures, and instructions followed, and the methods identified to control process performance. • Verify the capability and efficiency of the process controls formed by procedures, flowcharts, work instructions, awareness sessions, and process specifications. System Audit: A system audit is performed on a management system. This type of audit is an evidence finding activity that is conducted to confirm, assess and verify that the appropriate elements of the system are present and effective. Furthermore, this audit ensures that elements have been aligned, recorded, and applied with stated requirements. ISO 9001: 2015 is a quality management system. Internal audits and third-party external audits are also system audits against the requirements of ISO 9001: 2015.

Internal Audit Planning Internal audit planning is one of the most important activity of internal audit process: Internal Audits should be planned at scheduled intervals to verify that the management system fulfills requirements and that the effectiveness of the system is maintained. 'Requirements' comprise of the standard itself, along with the organizational requirements (such as the organization’s procedures and policies). One does not need to audit an entire organization at any given time. The external audit (third party audit) can cover the complete scope of organization, but internal audits can be done by flexible means with different departments audited at different point of times. The standard does not mandate a mandatory audit frequency. Instead, it endorses making your plan on the basis of importance of the processes, their associated risks, their former past issues, and the associated quality objectives. One can set different audit frequencies for different processes. If an organization is applying a new management system (such as ISO 9001: 2015), then all processes and departments covered under the management system scope should be internally audited at least one time before third party external audit.

Who Will Perform Internal Audit? There a number of things that should be considered before selecting an internal auditor. There are different approaches to perform internal audit. Some things that should be considered before selecting internal auditors for a process include: An auditor should be unbiased and independent. One cannot audit processes that he/she organize or has any stakes involved in it. Auditors should be competent with the auditing process itself. Internal auditors should be aware of the requirements of ISO 9001: 2015 and organizational procedures.

Approaches to internal auditing used by organizations include: Organizations can use consultants to carry out internal audits to implement a management system. Some organizations employ full-time, permanent, internal auditors. Big organizations may utilize a team of internal auditors. Cross-function internal audits are also popular. These internal auditors are trained by various departments and are allocated to audit other departments as per designated plan.

Requirements for Each Audit requirements should be well studied by internal auditors before going into the audit process. Some methodologies include: The internal audit plan should have previously recognized the region that one will audit. Now the auditor needs to recognize what criteria he/she will audit. At times this will be done with a formal checklist that has a list of relevant questions. One can also consider the procedure and identify check points. Internal auditors will check those records to verify. Findings from previous internal audits, or external audits can also help internal auditors to identify weak areas and thus can re-audit those point to check whether follow-up actions were effective or not. The criteria for internal audits should be communicated to the auditee before audit. It is a good practice to communicate to the auditee to arrange required documents before the audit to save time. Last but not the least, the use of observation and listening skills during the questioning of the audit helps to identify gaps within the systems.

Perform the Internal Audit Step 1 Performing an internal audit should follow a series of steps that are based on international protocols. These steps should be followed while conducting an internal audit: Step 1: An audit normally begins with an opening meeting where the auditor interacts the auditee(s), states the projected schedule, and informs the auditee about how the audit will be performed.

Perform the Internal Audit Step 2: Throughout the audit, the internal auditor will work logically from the checklist or procedure, observing evidence that the process fulfills the required criteria. It is usual for internal auditor to write a finding summary and a finding result, which can be defined below: ◦ C = compliant or fulfillment of a requirement ◦ NI = needs improvement or an area of potential gap ◦ NC = non-conformance or non-fulfillment of a procedural or standard requirement

Perform the Internal Audit Step 3 When reporting the audit, it is vital to note what evidence was observed to institute the finding - irrespective of the finding. For example, while auditing the management review process, the auditor writes, "management review conducted on 21 st June 2017, an important agenda item was missed during the review i. e. analyzing context of organization. "

Perform the Internal Audit Step 4 Commonly, the internal auditor will inform the auditee of the finding result before reporting the results. This is to make sure that the auditee comprehends the results and to ensure that there truly is a problem.

Perform the Internal Audit Step 5 The internal audit will end with a closing meeting where the lead internal auditor will provide a complete summary of the internal audit and information about each audit finding to make sure that they are agreed upon and understood.

Audit Findings Kept as Documented Information Audit findings should be maintained as documented information. An external third-party auditor will give an official written report on the external audit to management a few days after the audit and some companies do the same internal audits. However, there is no obligation in the ISO 9001: 2015 standard for an official internal audit report. Internal auditors should make sure that the findings are documented and communicated to top management. Auditor can just record the findings and their particulars in an organization’s non-conformance form and the associated register. Auditors should keep records of the audit which will normally be available in following forms: Filled-in internal audit checklists Observations against procedures Minutes on objective evidence observed, and employees cross-examined Audit findings which can be referenced to your non-conformance report and register A formal audit report Non-conformance report on a software managed through the cloud or the organization's local server

Process Improvement Through Internal Audits Internal audits can serve as a vital tool to maintain the effectiveness of the system and can act as the “Check” part of the PDCA cycle. Through internal audits, organizations highlight the failures within management system that develops over time of the implementation and thus can address such gaps. Through internal audits process owners can also see underlying gaps in their processes which are camouflaged as part of the process. This provides them the opportunity to fill those gaps which they are not able to perceive due to routine work cycles.

Process Improvement Through Internal Audits Steps Organizations can make a culture of process improvement by internal audits by carrying out the following steps: Step 1: Awareness by process owners that internal audits help them to improve their processes and that audits add value to the process. They should value the cycle of internal audits. Step 2: Maintaining compliance of standard is not a big deal for organizations. However, making use of internal audits to ensure that the processes are effective and to add value in process streams, this is the real challenge that organizations face. Through internal audits non-value streams in a process can be removed, saving unnecessary cost of over processing through those non-value streams. Internal audit processes can also identify a vital process that can increase customer satisfaction which can yield more business which means more profitability. Step 3: Internal audits can help organizations to identify barriers to some processes that would help them to meet their quality objectives. Through this process top management can be made aware of such barriers, which can then be removed to improve the processes.

Internal Audits for Risk Management System ISO 9001: 2015 focuses on risk management of organizational processes. The organization is required to identify risks and opportunities for its business processes as well as for internal processes. An internal auditor will have to check following: Has the process owner identified its associated risks and opportunities? Has the process owner has identified the acceptable risks and opportunities which require no further action? Have they identified significant risks and opportunities for which a plan must be made to mitigate the negative impact of the risk and maximize the positive impact of the opportunity? Are the plans for risk mitigation or opportunity optimized to ensure they are achieved? Are the plans implemented and residual risk is acceptable? Does the process owner reassess the process risk if there is a change in workforce, machinery, material, or the process after a shutdown activity begins? Has the internal auditor verified that the process of risk management is being implemented?

Internal Audit for the Context of an Organization ISO 9001: 2015 requires organizations to identify its context. The organization should highlight internal and external issues. The organizations should identify a list of interested parties. The organizations should also identify needs and expectations of the interested parties. When an internal auditor audits management representatives or top management for clauses related to top management responsibilities, all requirements can be audited there. However when auditing a process owner, following the requirements of context of organization can be addressed: Process owner should understand how his/her process is linked with the organization’s goals and the context in which it operates. What are the external issues that influence that process (such as the material supply of that process)? What are the internal issues that influence the process (such as the work force, support activities from other departments, machinery, internal software applications, etc. ) How are the issues related to the processes managed? How the need and expectations of interested parties are fulfilled. For example, the employee running the process is an internal party and they expect to be rewarded for their hard work. Annual appraisal programs in their organization provides incentives for their hard work.

Internal Audits for Organization Knowledge ISO 9001: 2015 also requires organization to manage knowledge. Each process owner has an adequate amount of knowledge regarding their processes. During an internal audit, the auditor can examine whether the knowledge possessed within that process are documented in checklists, work instructions, or some documents related knowledge management. Internal audit can provide a continual way for organizations to document knowledge within those processes which are not yet documented. Thus, the reliance of organizations on old employees possessing the knowledge about processes is reduced to a level manageable by the organization. Therefore, internal audits can serve as a tool for improving the organizational knowledge by documenting it and reduces the dependency of an organization on just a few individuals. Therefore, the risk of organizational knowledge being lost when the old employees leave the company is taken care of. Internal audit will act as the "check phase" of the whole knowledge management cycle.