A successful internal audit program is essential to the success of any management system. A successful internal audit program also requires successful auditors. Auditing isn’t taught in school and doesn’t always come easily to those just starting out. Fortunately, bestselling author Craig Cochran has distilled down the essential elements of a successful internal audit program into plain English that anyone can understand.

Just as he did with his bestselling ISO 9001:2015 in Plain English book, Cochran has written a comprehensive yet easily understandable guide to internal auditing. Internal Auditing in Plain English was written so that anyone at any level of the organization can understand the basics of a successful internal auditing process. Plus, the book goes beyond the basics with comprehensive detail about establishing an internal audit program, selecting and training auditors, auditing requirements, interview techniques, planning audits, reporting, audit follow ups, and much more.

This straightforward book is ideal for people who are new to internal auditing, experienced auditors who want to get more out of their audits, and for employees who just need a basic understanding of what internal auditing is and how it applies to them.

Cochran uses real-world examples and frequently asked questions to help build a comprehensive understanding of a successful internal audit program and to build the skills of successful internal auditors. Click here for your copy of Internal Auditing in Plain English. 

The Most Important Audit Questions for ISO 9001:2015

By Craig Cochran

If you’re preparing to start auditing against ISO 9001:2015, you’ve probably already asked yourself the timeless question: What the heck am I going to ask these people? There’s no worse feeling in the world than being in the middle of an audit and realizing that you don’t have anything to say in the way of questions. Preparation and planning can remedy this, of course, but the fact remains that ISO 9001:2015 includes a lot of new requirements that have never been part of most audits. In order to expedite your thinking, these are what I believe to be the most important audit questions for ISO 9001:2015:

1. What can you tell me about the context of your organization? This question is the starting point of ISO 9001:2015, appearing in section 4.1. The standard uses the clunky term "context," but this could easily be substituted by asking about the organization’s internal and external success factors. Questions about context are usually directed at top management or the person leading the QMS (formerly known as the management representative). As an auditor, you’re looking for a clear examination of forces at work within and around the organization. Does this sound broad and a little vague? It is. Thankfully the standard provides some guidance, saying that context must include internal and external issues that are relevant to your organizations’ purpose, strategy, and goals of the QMS. Many organizations will probably use SWOT analysis (strengths, weaknesses, opportunities, and threats) to help get their arms around context, but it’s not a requirement. What the organization learns with this will be a key input to risk analysis. (NOTE: Not everybody will understand the term ‘context.’ Be prepared to discuss the concept and describe what ISO 9001:2015 is asking for.)

2. Who are your interested parties and what are their requirements? The natural follow-up to context is interested parties, found in section 4.2. The term "interested parties" has a bizarre, stalker-like ring to it, so smart auditors might want to replace it with "stakeholders." Remember, effective auditors try to translate the arcane language of ISO 9001:2015 into understandable terms that auditees can grasp. Typical interested parties are employees, customers, supplier, business owners, debt holders, neighbors, and regulators. As an auditor you’re making sure that a reasonable range of interested parties has been identified, along with their corresponding requirements. The best way to audit this is as an exploratory discussion. Ask questions about the interested parties, and probe what they’re interested in. If you’ve done some preparation in advance of the audit, then you’ll know whether their examination of interested parties is adequate. That brings up an important planning issue: You will have to do a bit more preparation before an ISO 9001:2015 audit. Why? So you’ll have a grasp of context and interested parties. How can you evaluate their responses if you don’t know what the responses should be?

3. What risks and opportunities have been identified, and what are you doing about them? Risks and opportunities could accurately be called the foundation of ISO 9001:2015. No fewer than 13 other clauses refer directly to risks and opportunities, making them the most “connected” section of the standard. If an organization does a poor job of identifying risks and opportunities, then the QMS cannot be effective, period. Auditors should verify that risks and opportunities include issues that focus on desired outcomes, prevent problems, and drive improvement. Once risks and opportunities are identified, actions must be planned to address them. ISO 9001:2015 does not specifically mention prioritizing risks and opportunities, though it would be wise for organizations to do this. Risks and opportunities are limitless, but resources are not.

4. What plans have been put in place to achieve quality objectives? Measurable quality objectives have long been a part of ISO 9001. What is new is the requirement to plan actions to make them happen. The plans are intended to be specific and actionable, addressing actions, resources, responsibilities, timeframes, and evaluation of results. Auditors should closely examine how the plans have been implemented throughout the organization, and who has knowledge of them. Just as employees should be aware of how they contribute to objectives, they should be familiar with the action plans.

5. How has the QMS been integrated into the organization’s business processes? In other words, how are you using ISO 9001:2015 to help you run the company? This is asked directly of top management (see section 5.1.1c) and is a very revealing question. The point is that ISO 9001 is moving away from being a quality management system standard and becoming a strategic management system. It’s not just about making sure products or services meet requirements anymore. The standard is about managing every aspect of the business. Remember sections 4.1 and 4.2 of ISO 9001:2015? There we examined the key topics of context and interested parties. These concepts touch every corner of the organization, and this is exactly how ISO 9001:2015 is intended to be used. Top management should be able to describe how the QMS is used to run the company, not just pass an audit.

6. How do you manage change? This topic comes up multiple times in ISO 9001:2015. The first and biggest clause on the topic comes up in section 6.3. Here we identify changes that we know are coming, and develop plan for their implementation. What kind of changes? Nearly anything, but the following changes come to mind as candidates: new or modified products, processes, equipment, tools, employees, regulations. The list is endless. An auditor should review changes that took place, and seek evidence that the change was identified and planned proactively. Change that happens in a less planned manner is addressed in section 8.5.6. Here the auditor will seek records that the changes met requirements, the results of reviewing changes, who authorized them, and subsequent actions that were necessary.

7. How do you capture and use knowledge? ISO 9001:2015 wants organizations to learn from their experiences, both good and bad. This could be handled by a variety of means: project debriefs, job close-outs, staff meetings, customer reviews, examination of data, customer feedback. How the organization captures knowledge is up to them, but the process should be clear and functional. The knowledge should also be maintained and accessible. This almost sounds like it will be “documented” in some way, doesn’t it? That’s exactly right. One way to audit this would be to inquire about recent failures or successes. How did the organization learn from these events in a way that will help make them more successful? It’s the conversion of raw information to true knowledge, and it just happens to be one of the most difficult things an organization can achieve.

These are by no means the only questions you’ll want to ask. They’re just the starting point. We didn’t even mention management review, corrective action, or improvement—all of which are crucial to an effective QMS.  The seven topics discussed here are the biggest new requirements that auditors will need to probe.

About the Author

Craig Cochran has assisted over 5,000 companies since 1999 in QMS implementation, problem solving, auditing, and performance improvement. His most recent book is ISO 9001:2015 in Plain English, available from Paton Professional: http://www.patonprofessional.com/iso-9001-2015-in-plain-english/

Also on Amazon:

http://www.amazon.com/ISO-9001-2015-Plain-English/dp/1932828729/

Thanks to Quality Digest for the interview they did with me on Friday (Dec 10, 2015) during their Quality Digest Live show. What a professional and fun organization to work with. 

My friends at Quality Digest were kind enough to publish this great article about the new book, "ISO 9001:2015 in Plain English." A big thanks to Mike Richman (QD Publisher) and Dirk Dusharme (QD Editor in Chief). ISO 9001:2015—An Introduction | Quality Digest

Records, Retained Documented Information, and ISO 9001:2015

ISO 9001:2015 does a lot of things right, but using clear language is not one of them. One of the most glaring examples is the transformation of the word “records” into “retained documented information.” That’s right, they took one word and turned it into three. And the three words are not nearly as intuitive as the one word they replaced. Regardless of what you call them, records are the proof of something happening. They are historical, referring to past events. As such, they are not revised. Records might be “corrected” in some cases, but they are never revised. Only documents are revised. (We’ll address documents and their status in ISO 9001:2015 in a future article.) The primary control of records is that of housekeeping: knowing where they are stored, who is responsible, how long they’re kept, etc.

Here is a summary of records requirements in ISO 9001:2015:  

·         24 records are required in ISO 9001:2015. This is compared to 21 records required in ISO 9001:2008. Some of the 24 records required by ISO 9001:2015 are actually repeat requirements.

·         20% of all the record requirements come from section 8.3, Design and development of products and services. That amounts to 5 records, which is the same number required by ISO 9001:2008.

·         A completely new record that is required in 9001:2015 is retained information on changes: review of changes, persons authorizing the change, and necessary actions arising from change (section 8.5.6)

·         ISO 9001 continues its redundant ways. ISO 9001:2015 requires records of evidence of processes being carried out effectively TWICE, once in section 4.4.2 and again in section 8.1.e.1.

·         More redundancy: ISO 9001:2015 requires records that demonstrate conformity of products & services processes TWICE, once in section 8.1.e.2 and again in section 8.6.

·         5 of the records in ISO 9001:2015 have qualifiers. They are “to the extent necessary” and “as applicable.”

·         One item listed as “retained documented information” (i.e., record) is actually a document. That is design outputs. Design outputs are living information such as specifications, engineering drawings, recipes, formulas, and bills of material. Since they are living, they are subject to revision, meaning they are documents.

·         A handful of requirements would be virtually impossible to have evidence of without records, and yet records are not required by ISO 9001:2015. These include context of the organization (4.1), interested parties (4.2), planning of changes (6.3), and customer feedback (9.1.2).

·         One of the strangest record issues of all is the omission of calibration records in ISO 9001:2015. This has been replaced by the requirement to ‘retain information on fitness of purpose for measuring instruments,’ which would include calibration. I expect many people implementing ISO 9001:2015 will get a bit confused by this. 

Do not let anyone tell you that the “correct” terminology is retained documented information. If you like that term, then by all means use it. If you prefer the term ‘records,’ you can use that in its place. Always remember that documents are records are two different things. That one fact alone will make any QMS easier to use and understand. 

Nobody believes in communication more than Darryl Keeler. As President of Tech Systems Inc., communication is possibly the single biggest part of his job. After all, Tech Systems Inc. (www.techsystemsinc.com/) is security systems integrator with employees in over 32 states, Canada, and Puerto Rico. Being a medium-sized company with business across such a wide geographic has its challenges. Darryl Keeler long ago decided that robust and continuous communication needed to be a guiding principle. “Communication is the key factor in maintaining a high level of employee satisfaction,” Darryl assured me. “And satisfied well-informed employees ensure that we have highly satisfied clients.” Darryl personally writes the Friday Finale, a company newsletter summary that ends each week and which goes out to every employee. It maintains a warm touch, covering birthdays, work anniversaries, and anything personal of importance that is happening with teammates. It also addresses business updates from the previous week. TSI Family Emails (TSI stands for Tech Systems Inc) is their way of communicating items that are of high importance to the entire company, sort of “red alert” emails. These include process changes, policy changes, and major customer developments. The TSI Family Emails are one step beyond the Friday Finale’s in terms of business importance. The Tour De Focus is one of the company’s most impressive communication processes. This is where Darryl Keeler travels around the country and meets with every company employee. He simply sits down and asks for comments or opportunities for the company to improve based on individual opinions.  These are all captured and recorded, and the leadership team works through all of them and gets back with the folks who suggested the improvements.  This entire list is posted on SharePoint for everyone to review, and the ideas always number in the hundreds. The employee portal is the live repository of information that team members use for their jobs. Only the most current versions of documents are available, and it also includes phone lists, updates, tutorials, and training materials. Finally, the leadership team of Tech Systems meets every Monday to go over financials, hot company topics, and opportunities for improvement. The Monday meeting also serves as the primary feeder of information into their monthly management review. Communication is clearly the oil that flows through the engine of Tech Systems Inc. And the president of the company, Darryl Keeler, is head mechanic and communicator. 

Control of production at I. Technical Services

Managing operations can be as simple as ringing a bell. That’s the philosophy that I. Technical Services has taken in Alpharetta, Georgia. I. Technical Services (www.itechserv.com) performs electronic manufacturing services, including PCB assembly, system assembly, test engineering, repair, and logistics. They compete against low-cost companies in Asia and elsewhere, so they have to be as efficient and lean as possible. One of their most efficient processes for managing production is their “bell meeting.” At 9 AM every morning, their production supervisor rings a ship’s bell mounted on the wall. All the managers and supervisors assemble under the bell for a stand-up meeting that lasts about 15 minutes. They discuss what is running that day, what needs to be shipped, and any obstacles or concerns. Important notes are recorded on a white dry-erase board right below the bell. “Everybody leaves that meeting knowing exactly what needs to happen,” Quality Manager, Hector Rivera, stated. “It’s the best investment of 15 minutes you can imagine.” Throughout the day, employees refer to the production notes on the white board, keeping themselves focused on what was agreed to. They ring the bell again at 3 PM every day, and the key players once more gather around the bell. The focus of this later meeting is to get everybody caught up on the current status of production. Where are we right now? What is left to be done? Will we meet all of our commitments today? Resources are re-arranged, as needed, and last minute roadblocks are removed. The General Manager, Lauren Thompson, summarized the process by saying, “When we come together under the bell, we’re not managers of different departments. We’re a single team working to wow the customer. It reminds us why we’re there in the first place.” I. Technical Services has conducted their bell meeting twice a day for years. It’s a very simple, yet powerful process for controlling production.