Friday, August 15, 2008

High Impact Auditing


Internal auditing, the process by which an organization examines its ability to meet internal and external requirements, can be one of the most effective tools for triggering continual improvement. It can also be an expensive waste of time and a source of endless frustration and conflict. Which it becomes for you depends on how your organization plans and manages its audit system.

Auditing is not only a balancing act--identifying positive and negative aspects of a company’s performance--but also a planned activity, with auditors and auditees agreeing on the audit’s time, place and scope. Surprise audits are neither necessary nor desired. Internal audits generally use an organization’s existing personnel for the task, although outsiders are occasionally called in.

Internal audits offer huge benefits, both to the organization’s top management and the auditors. Top managers can:
* Discover what’s really going on within the organization, which allows for more objective decision making
* Learn of potential problems before they explode into issues that pose significant risk to the organization
* Ascertain where failures occur, enabling the containment of these problems and initiation of corrective action
* Identify where resources should be directed
* Determine how effective their training efforts are
* Learn which processes and personnel are particularly effective, which can trigger recognition

For their part, internal auditors:
* Gain exposure to other parts of the organization, which broadens their experience
* Are exposed to best practices they can implement in their own departments
* Learn how they contribute to the organization’s success, which increases motivation and employee retention
* Expand the organization’s competency and knowledge base through their experience

An effective internal audit system must work in concert with other systems, especially corrective and preventive action. An internal audit takes a snapshot of the organization, identifying nonconformities, opportunities for improvement and positive practices. Auditors don’t propose specific actions, fixes, solutions or recommendations. They simply identify where failures and successes occur. By their nature, audits typically identify more failures than successes, and these failures are called audit nonconformities.

Requirements vs. opinions

To identify a nonconformity, a requirement is needed. You might have a concern, remark or opportunity, but it’s not a nonconformity unless it’s clearly tied to a requirement, a fact that’s often overlooked.

Any activity, process or outcome that doesn’t meet requirements is a nonconformity. A number of sources, such as ISO 9001, inspection checklists, purchase orders and product specifications, could introduce specific requirements the organization must implement. The auditor’s opinions, notions, philosophies and personal experiences, however, don’t constitute requirements. When people audit with an eye toward driving continual improvement, requirements are sometimes “invented,” albeit usually with good intentions. One of the best techniques for ensuring audit nonconformities are written correctly is insisting that they’re structured in two parts:

Requirement--Exactly what the organization has committed itself to do

Finding--Exactly what the organization has or hasn’t done that contradicts the requirement

Objective evidence

Objective evidence is a factual recounting of what was seen, heard or experienced during the audit. Gathering this evidence takes the most time and effort.
It is recorded in the “finding” portion of the requirement and describes exactly how the organization failed to fulfill the requirement.
Objective evidence meets a number of criteria. Among other things, it’s:
* Not subject to bias or prejudice. Auditors can’t allow their personal feelings to influence their interpretation of the evidence.
* Traceable. As many identifiers as possible should be recorded (e.g., date, time, function, department, machine, customer, order number and product code).
* Expressed as simply as possible. Sometimes auditors will provide a paragraph or more of detail, thinking that more data will provide more convincing evidence. However, the objective evidence is best streamlined and to the point.

Objective evidence is stated in such a way that the first half of the nonconformity directly contradicts the requirement. Enough detail is provided to facilitate traceability--but not so much that it overwhelms. Auditees expect concise and clearly written findings.

Consider the following correct audit write-up:

* Requirement: The general manager stated that all employees are expected to understand the facility’s key measures and how to contribute to them. (Note that the requirement comes from the general manager’s statements, which function as requirements when he’s talking about something under his control.)
* Finding: Three out of five employees sampled randomly in the shipping department didn’t understand the facility’s key measures or how to contribute to them. (Note that the finding’s language mirrors that of the requirement, stating exactly how the organization failed to meet its commitment. The sample size is defined, and the location is also identified. Employee names, however, are appropriately omitted.)

Now look at this incorrect write-up:
* Requirement: All employees should understand key measures. (Note that it isn’t clear whether this is an opinion or a requirement. Where did this “should” come from?)
* Finding: Employees were ignorant of the organization’s objectives and strategic direction, and they were obviously unprepared to assist in continual improvement. (Note that here, the finding’s tone is subjective and accusatory. Sample size and other identifiers are omitted, which provides insufficient traceability.)
It generally takes a number of audits before an inexperienced auditor can confidently draw conclusions from objective evidence and write nonconformities clearly and concisely. Practicing the audit process with an experienced auditor is time well spent.

The system, not the people

One of the best ways to understand the system and its effectiveness is through people: how they receive and interpret information, carry out instructions, produce goods and deliver services according to requirements, and satisfy customers. Nevertheless, an audit must always focus on the system itself.

Some auditees might suspect that an audit constitutes a personal attack on their jobs, and auditors must be prepared for that reaction. They should calmly explain that the audit process is all about the system, put the auditees at ease and depersonalize the process as much as possible. If people are uneasy about the audit process, they won’t provide objective evidence, and the audit, in turn, won’t trigger continual improvement.

Does this mean people never screw up? Of course not. But when failures are identified during an audit, they’re system failures. Very few nonconformities occur due to willful employee misconduct. If someone makes a mistake or fails to carry out a job step, it’s usually because the system is flawed and error-prone. Fix the system, and people will have less opportunity to screw up.

Auditing strategic processes

Not all organizational processes have the same strategic significance. An internal audit system that’s oriented toward continual improvement will focus on strategic issues. Most management system standards such as ISO 9001 require that organizations schedule audits based on status, importance and prior audit results. This means organizational processes with more strategic importance will be audited more often.
The following audit questions reflect on processes that typically have high strategic importance:
* Customer satisfaction. What methods does the organization use to capture customer perceptions? How are data on customer perceptions reported and analyzed? Has overall customer satisfaction improved?
* Corrective and preventive action. Is there proof that root causes or potential root causes are being identified? Are actions taken to eliminate root causes or potential root causes? Are data on corrective and preventive actions reported and analyzed?
* Leadership. Has the organization determined its mission and strategy? Are organizational performance and direction communicated throughout the organization? Has top management led the review and action on key measures and other important information that indicates organizational success?
* Internal auditing. Do auditing schedules clearly reflect the strategic importance of processes and the results of previous audits? Does the organization’s management take corrective action on nonconformities raised by audits? Are the corrective actions effective, based on the evidence?
* Design and development. Are design inputs and outputs recorded and approved? Is progress against the design plan periodically reviewed? Is the design process’s output validated under conditions of application or use?
* Transformation. How is work planned and scheduled? What information guides work performance in general? How do employees receive feedback on their work? Do employees understand how their efforts affect key measures?
These audit questions are examples and might not be applicable to all organizations. Other processes could have strategic significance, depending on the organization’s nature and competitive environment.

Training auditors

Many audits produce poor results because auditors haven’t received proper instruction or been given opportunities to practice what they’ve learned. The organization must invest the necessary time and effort in making its auditors competent and confident before they’re assigned an audit.

Auditors must be familiar with:
* Practical interpretations of the standard adopted by the organization
* The audit’s purpose and how it drives continual improvement (i.e., by providing a balanced picture of the organization and triggering corrective and/or preventive actions)
* Phases of the audit and various activities within each phase
* Sources of audit requirements (e.g., the standard, procedures or sales orders)
* Methods of gathering objective evidence and drawing valid conclusions
* Diplomacy skills and effective interpersonal communication
* Audit role-playing under controlled conditions
* Writing nonconformities in the prescribed format
* Actual auditing with an experienced auditor

Auditor training doesn’t necessarily need to be formal or even classroom-based. The style and format of training will differ significantly from one organization to the next. However, auditors must have a conceptual understanding of the process and a practical grasp of techniques, both backed up by sufficient practice. When auditors truly understand their roles and responsibilities, the process should result in strategic continual improvement.

A successful audit almost always results when an individual takes personal ownership of the process. He or she must be able to carry out the following five complex and linked activities, which create strategic continual improvement.

Audit scheduling

An audit schedule defines the auditing that will take place during an extended period of time, usually six months or a year. The purpose of the schedule is to communicate when and where the audit team’s services will be needed, when the organization can expect to be audited, and what requirements will be included in the audit.

Audits scheduled far in advance always produce better results. Note, too, that the processes considered more strategically important to the organization are scheduled for audits more often. Processes and functions that have performed poorly in previous audits are also scheduled for frequent audits. Regardless of other considerations, all processes, functions and departments within the scope of the management system must be audited at least once a year.

The schedule can be keyed to organizational processes, departments, functions, facilities, an ISO standard element or something else. However, it must clearly communicate which audits are coming up and when. Audit schedules should provide enough detail to guide the overall process and help with the next step, audit planning.

Audit planning

An audit plan is focused, detailing a single audit’s scope, objectives and agenda. The plan provides a chronology of the audit from start to finish: which processes will be audited, exactly when they’ll be audited, who will do it and which requirements will be audited in each segment. Even details such as meetings, breaks and lunches are shown on the plan in order to clear up any timing conflicts between auditees and auditors and keep the audit on track.

Typically, the audit plan is distributed several days prior to the audit. Auditees often request alterations to the plan based on logical concerns and existing commitments. By all means, modify the plan to accommodate them. The one variable that usually never changes, however, is the audit’s scope.

Audit supervision

The audit’s on-site phase consists primarily of gathering evidence. The lead auditor takes part in this and also manages the overall process. These duties typically include:
* Leading the opening meeting
* Managing and communicating changes to the audit plan
* Ensuring that the audit stays on track
* Insisting that auditors remain objective, consistently evaluating all evidence
* Encouraging auditors to write up their findings during the audit to avoid a time crunch directly before the closing meeting
* Reviewing all nonconformities to ensure that they’re logical, valid and clear
* Providing performance feedback to audit team members so individuals can target areas for their personal improvement
* Resolving all conflicts constructively
* Apprising the auditee of the audit’s progress
* Leading the closing meeting
* Ensuring that the entire audit is conducted professionally and positively

If these duties sound difficult, it’s because they are. Many organizations have ineffective audit processes because the so-called lead auditor doesn’t understand his or her responsibilities. An accredited lead auditor course is a very good investment for individuals who function as lead auditors for their organizations.

Audit reporting

The first formal reporting that takes place during an audit is the closing meeting. The lead auditor presents a verbal summary of the audit, including positives and negatives. Depending on the audit’s size and duration, the closing meeting might last from 15 minutes to more than an hour. The meeting allows for back-and-forth dialogue between auditors and auditees. During the closing meeting, auditee management is presented with the written audit observations and/or corrective action requests, and these form the basis for discussion of the audit results.

Subsequent to the closing meeting (and occasionally during the closing meeting), an audit report is presented to the auditee management. This summarizes the audit’s overall themes and trends. Usually it’s written by the lead auditor, based on evidence gathered by the entire audit team. The report doesn’t belabor every audit observation because these should have already been addressed during the closing meeting. Audit reports should be as concise and streamlined as possible. Graphics such as matrices and Pareto diagrams are helpful.

Verification and closure

The auditee management is usually asked to respond to audit nonconformities by an agreed date. The response should include investigation into the root cause, proposed corrective action and a date when the action should be completed.

The lead auditor reviews the responses to determine whether the investigation and proposed corrective actions are adequate. This is the first stage of verification.
One of the most important jobs the lead auditor and auditing team can perform is a careful scrutiny of auditee responses. Accepting weak investigations and/or corrective actions does nobody any favors and certainly doesn’t trigger continual improvement. If a response doesn’t identify a plausible root cause or propose a corrective action related to it, the lead auditor must diplomatically reject the response and explain to the auditee why it’s adequate. The auditee is the audit process’s customer and should be treated with the same respect that any other customer would receive.

The second stage of verification occurs when the auditee notifies the lead auditor that corrective action has been implemented. At this stage, the lead auditor or a team member will verify that the corrective action has been fully implemented and the root cause of the original nonconformity has been eliminated.
Verification is sometimes performed by reviewing records or documents submitted by the auditee; alternatively, an on-site visit is made to review evidence in person. The nonconformity’s nature and significance will determine whether on-site verification is necessary.

Once all audit nonconformities have been addressed with effective corrective action, the audit is considered closed. However, this doesn’t mean it’s forgotten. A high-level discussion of audit results is an important input to the business review process, and audit trends influence resource allocation and strategic decision making.