Energize your Internal Audit Program

Planning for the Internal Audit

The key to an effective, thorough and value added internal audit is in the preparation.  If internal auditors are spending one to two hours preparing for an internal audit, it is not enough time.  To properly prepare for an audit, it should take twice to three times that.  If the actual audit time will take an hour, there should be at between two and three hours spent in preparation.  A good rule of thumb to spend about two and half times as much time in preparation as the audit will take.  Often times, auditors plan for a two hour internal audit and spend 1 hour preparing which leads to them running out of questions about 30 minutes into the audit.  I can’t stress this enough if you want to be a successful internal auditor or manage a successful internal audit program then make certain you spend adequate time in preparation for the audit.

This sounds easy, but it is actually very difficult.  The major obstacles to allocating enough time for preparation are time restrictions placed on the internal auditors.  Chances are they have other responsibilities aside from internal auditing that compete for their precious time.  One method to help remove that obstacle is to have as many trained internal auditors as possible to spread the work load.

Effective planning for an internal audit requires following a few simple steps that are listed below.

1. Learn the process (turtle diagram)
2. Identify the interfaces with the standard
3. Document review (compliance to standard)
4. Identify process interfaces
5. Identify potential process failure modes (pFMEA)
6. Value stream map process to breakdown activities
7. Review old audits
8. Develop audit questions
9. Develop audit plan.

1. Learn the processBefore you can audit a process you must become familiar with it.  You need to learn how it is supposed to work, what it supposed to do, what are the inputs, outputs, activities, resources and controls.  The first step would be to create a turtle diagram of the process (This may have already been done by the organization as part of their documentation, or in previous audits).
A turtle diagram looks at the suppliers, inputs, activities, controls, resources, outputs, and customers.   A turtle diagram is laid out such that the process activity is a box in the middle, the inputs come in from the left and outputs exit from the right of the box.  The supplier is listed in the upper left hand corner and the customer is listed in the upper right hand corner.  The controls are above the process activity and the resources are below the process activity.  The feedback loop is an arrow from the output to the input.

Let’s do an example of a turtle diagram for a process.  For this example, the process will be one that applies to about every business in some way and that’s purchasing. 

Inputs:
This is what the process needs for the activity.  It can be in the form of information or a product.  For this example the inputs are: Demand (what is driving the purchase), Quantity, Type, Specifications and Requirements, Due date and Budget (how much can be spent).

Supplier:
This is who is supplying the inputs to the process.  The supplier can supply information or a material product.  For our example the supplier would be whoever is specifying what to purchase, when to purchase and how many to purchase.

Process Activity:
This is the process.  There are a number of associated tasks contributing to the process.  For our example the process activity is purchasing

Outputs:
This is the result of the process.  It can be information, energy or material.  In our example the output of the purchasing process is the desired product or service delivered when needed.  For our example it could be a product like a computer or piece of test equipment.  It could be information such as a failure analysis, training materials, book or manual.  It could also be a service such as mowing the grass, doing the laundry or processing payroll.

Controls:
These are the items that regulate the rate at which inputs are converted to outputs.  Without controls, the process would operate continuously generating the output.  The controls for our example could be the material requirements planning software, the purchase requisition approval process and inventory analysis.

Resources:
These are the items used or consumed in the process activity.  It could be people’s time, machine time or money.  For our example, the resources would be the buyer or purchasing agent, money, the representative for the company supplying the product or service and possibly other support functions who have input for the purchase.    Additional resources are in the form of computers, material planning software, phones, fax, office space, etc. 

Customer:
The customer is the group that takes the output and uses it.  It is most likely used as an input to another process or as a resource. 

Feedback Loop:
This is the mechanism used to monitor the process.  What metric is used to tell the process owner how the process is performing and when action needs to be taken to correct it.  For a purchasing process it could be supplier performance, dollars spent, on-time delivery or receiving inspection information.
2. Identify the Interfaces to the Standard

The interfaces are the points where the process intersects the standard.  In simple terms it is where the requirements of the ISO 9001:2000 standard are applicable to the process being audited.  The easiest way to accomplish this is to use a matrix with the elements of the standard on one axis and the process name on the other. 
 
To better discern the interfaces of the process to the standard you could break the elements down into the sub elements.  For example, 7.2 Customer Related Processes is comprised of 7.2.1 Determination of requirements related to the product, 7.2.2 Review of requirements related to the product and 7.2.3 Customer communication.   The left side of the matrix would become larger, but you would have a more definitive intersection of the process and standard.  This activity provides you with the understanding of what areas of the standard apply to the process.  You will be developing questions to ensure compliance to the standard and this tells you what areas of the standard to focus on.

3. Document Review

The document review section requires reading and understanding the associated documentation for the process you are auditing.  Start with the level 1 document, the quality manual.  The quality manual should provide an overview of the process and should describe how the process fits into the overall quality system.  The quality manual will explain what processes feed the process you are auditing and what processes are supported by it.  It will describe the interaction and interrelationship of processes within the quality system. 

The main output from the review of the quality manual will be an understanding of all the processes that make up the quality system and how they interact.  The quality manual should provide a good description of how the processes work.

Next, review the level 2 documentation or procedures.  Procedures should describe the process in more detail than the quality manual.  There could be many procedures outlining the quality system, or there could be the minimum required by the ISO 9001:2000 standard, six.  The six required procedures are:

  Control of documents
  Control of records
  Internal Audits
  Control of nonconforming product
  Corrective action
  Preventive action

Since the ISO 9001:2000 standard requires less documentation than previous versions of ISO 9000, there may not be as many procedures to evaluate.  In this case the document review portion will be reduced.   During the document review of the manual and procedures your are trying to understand the process and the system and ensure the requirements of the standard are met.    
4. Identify Process Interfaces

Process interfaces are the “hand off” points from one process to another.  This is where the previous process in providing an input to the audited process and the audited process is providing input to another process.  How are process interfaces different from inputs and outputs?  An input is the deliverable the process uses and the process interface describes how and when the deliverable is achieved.  For example, an input into the purchasing process is the requirements of the purchased item.  Looking at the process interface we want to understand how are the requirements delivered to the purchasing process, when are they delivered and by whom?   In essence we are not looking at do the requirements exist, but are they clearly defined and understood by the process using them.  We want to investigate are the requirements delivered on time and are they accurate?

On the output side, we will look at those things the purchasing process provides to other processes.  Clearly one output is the purchased item on time, to specification and in the correct quantity.  Another consideration is how is it moved from purchasing to receiving and inventory.  There are other outputs of the purchasing process used by other processes.  One could be supplier selection for the item purchased.  Engineering or Quality may need to interface with the supplier and if the selection process is delayed, it could affect the design, or ability to qualify the product.

Understanding the process interfaces can lead to some audit questions concerning how smooth the hand off is between processes.
5. Identify Potential Process Failure Modes

Another tool we want to utilize is the pFMEA, which stands for “process failure modes and effects analysis.  You may have some background in FMEA’s and you may not.  Either way is alright because we are not going in depth in the FMEA process.  An pFMEA is a method to identify potential problems with a process before the process is implemented.  It is a preventive measure that aims to resolve problems before they occur.  For our purposes we will be concerned with the process function, the failure mode and the cause of the failure mode.  Below is an example of an pFMEA for the purchasing process:

Process Function      Failure Mode      Potential Cause               
get good product       bad  product       requirements not understood
                                                                  supplier is not capable
                                                                  not inspected enough
       

product on time        product is late    lack of capacity
                                                                 ordered late
                                                                 supplier out of product

low total cost             too costly            excessive rework
                                                                 excessive freight
                                                                 excessive testing

       
pFMEA’s are an exhaustive approach that generates a large quantity of potential audit directions.  By evaluating the prospective problems associated with a process, you can develop audit questions and an audit approach to ensure the potential problems are addressed.  This can lead to some findings that can have positive impact on the quality management system.      

6. Value Stream Map the Process
If you really want to energize the efficiency factor of your internal audits, then conduct a value stream map.  Value stream mapping is a lean manufacturing tool that aids in finding the activities in the process that are non value added.  Similar to the pFMEA example we will approach this tool in an overview so it can be used but we won’t go into great detail and explicit flowcharting that a lean project might require.  Lean initiatives would include takt time, inventory, etc, we will not include those for this use of the tool.  For this purpose you will flowchart the process activities and look for steps that could be eliminated or reduced.

7. Review Old Audits

A key source of information to develop your audit strategy is to review old audits.  Review both internal and external audits if available.  Look for areas of weakness or where findings were noted and see if action has been taken and if it’s still effective.  In reviewing an old audit of purchasing you find that there was a nonconformity written for the buyer not conveying to the supplier all of the requirements of the product.  Based on this you may want to gear some of the audit to see how effective the process is now at conveying the requirements to the supplier.
8. Develop Audit Questions
What we want to do now in the planning process is develop some questions based on the excercises listed above.

1. Turtle Diagram generated questions
How are the requirements for the purchased item documented and communicated?
Who specifies a budget and who monitors it to ensure it is not exceeded?
What training has the purchasing agent received and what is scheduled?
How is inventory monitored to ensure correct purchases at the right time?
What is the measure of the process?  Who monitors it?  What are the planned results and what happens when they are not achieved?

2. Interface with the Standard generated questions
Is there a procedure or work instructions describing the process?
Is the purchasing process covered in the quality manual?
Does the current process reflect what is documented?
How does the purchasing agent know what their responsibilities and authorities are?
Do they know and understand the quality policy and quality objectives?  What does it mean to them?
How are suppliers selected and rated?  Is it effective?
How are purchased items evaluated when received?
What happens when a purchased item is received and does not meet requirements?
Who reviews the data from the purchasing process?  Does the data get delivered to management?
How has the purchasing process been improved?  Has it shown improvement and what is currently being done to improve it.

9. Develop Audit Plan
Up to now you have developed an understanding of the business process you will audit, you have also used various tools to identify some audit questions or paths.  Now we will take this one step further and develop the audit plan.  The audit plan is your playbook for the audit.  If you fail to plan, then you plan to fail.  This statement couldn’t be any more true than in the auditing functions.  You develop the audit plan based on the questions and who you will audit.

Based on our previous work, we will develop our audit plan as follows:

Auditee:  Purchasing agent

1. Explain to me how the purchasing process works?
Verify that it is consistent with whatever is documented.
Document what is said, does it match what you had perceived?  If not make adjustments in your audit plan.  
2. How are the requirements for the purchased item documented and communicated to you?
Pick a critical purchased part and look for evidence of requirements being specified.  Are they clear and do they communicate the quantity, time frame and budget?       
3. How are the requirements communicated to the supplier?
Look for records that the supplier has acknowledged the requirements or was sent them.  You can also later review the incoming inspection or records relating to problems with this part, quality, delivery, quantity or price, this can be a reflection of how well they understand the requirements.  
4. How are the suppliers selected?
Look for evidence they followed their process and verify the effectiveness based on complaints or issues with the product. 
5. How is it verified the suppliers are capable?
Look for evidence that someone evaluated them for ability to meet the requirements.  Can they produce to the specifications?  Was capability studies done?  Do they have the capacity?

You can continue this process to develop a larger audit plan.  You can even develop questions and expected responses for other people such as engineering, quality, manufacturing, material control, etc.  It depends upon the scope of the purchasing process and who is involved. 
 

Transition from Quality Management System to Business Management System

Many organizations develop and maintain a quality management system.  The system was created out of an internal desire, customer requirements or simple need.  The quality management system is an excellent building block for a company to grow from.  The problem with quality managment systems is that they do not evolve and morph into anything different, they remain a quality management system.

The ISO 9000 series of quality management standards is an excellent choice when starting from the ground up implementing a quality management system.  The eight principles of ISO 9000 provide the foundation upon which a solid quality managment system can be developed, deployed and mantained.  When you achieve that where do you go?  Many are left with an empty feeling that ISO 9000 is a bit simplistic for their needs and they require more demanding criteria, such as TQM or Baldrige criteria. 

Both TQM and Baldrige criteria are good directions to choose for advancing management of your business model but your first step should be to move you quality management system to a business management system.   If you are managing a quality system separate from the rest of your business and you are looking at lean, six sigma, kaizan or any of a number of improvement strategies, STOP.  I am not suggesting these other improvement activities can’t help, they most certainly can, but before you embark on them I would suggest you create a business management system. 

A business management system applies all the requirements of your ISO 9000 quality management system to the rest of your business.  I know it is not a requirement of ISO 9001 but are you looking at improving or meeting the minimum requirements?  Incorporate the strategic planning process into your business management system.  The strategic planning process would include strategy development and deployment.  You should have a process for this and a metric that indicates how the process is performing.

The next section of your business to get incorporated within the business management system is the accounting processes.  There are multiple processes occuring within accounting that go uncontrolled, monitored or improved.  If you doubt this, at the next staff meeting try to determine the true costs of some of the products or services you provide.  Then try to assign costs to the transactional activities occurring within your business.  In order to understand the accounting processes you must measure them, be able to predict the output and continually improve them.

The next portion to be included within the business management system is sales and marketing.  You won’t find them mentioned in ISO 9000.  But chances are, you have those processes and activities occuring within your business model.  Again, there must be metrics combined with actions to continually improve the performance.  

Once you align the business activities and processes along with measurements for them you will be able to discern improvement plans.  It will be very clear what areas require activites for improvement and for corrective action. 

Implementing ISO 9000

You may be in a position where your customers are demanding you implement an ISO 9000 quality system or you would like to do it for the benefits it can provide your organization.  You don’t have the resources to hire a consultant to help you.  Can you achieve this task on your own, without the help of a consultant?  Yes.  You can do it with the resources you have.

Will a consultant provide you a better quality system than you can implement yourself?  No.  I say that not as a disrespect to consultants but because quality systems are ever evolving and developing.  It’s not where you start that is important it’s where you’re going and where you end up in a year or two down the road.  A consultant can expedite the process and save you a great deal of time.  What takes you a day to do and figure out, a consultant can do in an hour or two.  Based on this, why would anybody hire a consultant?  The same reason some people hire someone to mow their yard and do their landscaping, they don’t have the time or they want it done quickly.

You’re in a position to implement ISO 9000 but you can’t afford the cost of a consultant, what do you do?  The first thing is to gain information.  You need to become educated in the ISO 9000 standards and what they mean and their intent.  Whether you hire a consultant or are choosing to implement a quality system on your own you need to purchase the following list of standards:        

ISO 9000:2005      Fundamentals and vocabulary
ISO 9001:2000      Requirements
ISO 9004:2000      Guidelines for performance improvements
ISO 19011:2002    Guidelines for systems auditing
ISO 10014:2006    Guidelines for realizing financial benefits

You can obtain these standards from the International Organization of Standardization (ISO), American Society of Quality (ASQ) and the American National Standards Institute (ANSI).Here’s the most important piece of advice I can give you, once you have purchased these standards, READ THEM.  Find yourself a quiet place and read them.  Read them several times.  The reading is dull and the wording is somewhat confusing, it’s alright, read them.  These are international standards, not a John Grisham novel.  You’re not going to be riveted to the reading and hardly waiting to get back to it. You may find yourself more confused after reading them, that is fine, keep reading.

 After a several readings, it will begin to make sense to you.  You will gain a new understanding of what the standards are saying and begin to realize what needs to be done and how to do it.  Now you’re to the point where you understand the standard and what needs to be done.  If you ever question anything or are not quite sure, refer to the standard.  Go back and read it again.  The first thing you need to do is provide an overview for your top management.  If you can’t afford to buy some training, (it’s fairly inexpensive), then provide the training yourself.  Chances are, your top management knows significantly less about ISO 9000 than you do.  That makes you an expert and should you travel greater than 50 miles you’ll be referred to as a consultant.

Your training to top management should answer the following questions, what is ISO?, what is it going to do for us? why are we implementing it? how much is this going to cost us and how long will it take? how are we going to do it?  what role does top management have?  Here’s a starting point for your answers.

What is ISO?  ISO 9000 is an internationally recognized quality management systems standard.  It’s premise is based on knowing customer requirements and continually enhancing customer satisfaction.  This is achieved by developing key business processes, monitoring them with metrics against objectives to ensure effectiveness and putting forth effort to continually improve those processes. What is it going to do for us?  The adoption of an ISO 9000 quality system allows us to consistently provides products and services to our customers that meet there expectations and continually enhance their satisfaction.  Why are we implementing ISO 9000?  Chances are it’s one of two reasons, one is your customers are requesting it or two you are interested in achieving the results in can provide. 

How much will it cost and how long will it take?  If you complete it internally you can plan on it taking about a year (depending on your size and available resources) and it won’t cost you anything other than what you are currently paying people.  You should plan on spending about $1,100 – $1,300 dollars for one person to go to internal auditor training.  That person can then train the rest of your designated internal auditors.  The registration audit will be $5,000 – $6,000 and the surveillance audits run $3,000 per year.  Roughly, you’re looking at a one time cost of $9,000 and annual cost of $3,000.

How are we going to do it?  We will perform a gap analysis to determine our deficiencies and develop an implementation team from that.  We will track the progress of implementation.  What role does top management have in ISO 9000?  Top management has the biggest role.  That group is responsible for the planning, development, maintenance and improvement of the system.  Top management is expected to be actively involved in reviewing the designated process metric data and making decisions based on that data. After you train top management, you must assess where you are now.  There are most likely processes in place that are being done even without documentation.  Write down all of your key business processes, accounting, purchasing, human resources, customer service, etc.   After you get them written down, now you need to flowchart them out to document how they work.  A simple downward flowing flowchart in one column with responsibility in another column and the last column has records. Once you get them documented, now go through the standard and write down any process, clause or section of  the standard that your current process does not address.  These are the gaps in your system.  They are the areas the standard states needs to be addressed that you are not.  Once you have this, put it into a document where you can track the action against who is responsible and time line agreed to.  Similar to this:

           Action                               Responsible                   Date      
Develop internal audit process          Joe  F.                      11-14-06

Train internal auditors                      Tom C                       12-18-06

After you have transferred the actions needed into the above format, you have developed your implementation plan.  Ensure this plan is reviewed and monitored by top management frequently.  They must be kept in the loop.  At some point of the implementation you will want to train the entire workforce on ISO 9000.  Work out a schedule that is flexible.  It does not have to be extremely detailed, but gives them a good understanding of what it is, why you’re doing it, how it impacts them.  Good luck, you can do it.