Internal audit: what for?
Remember your student years. Have you ever graduated without passing an exam? No. To get a degree, in general, you must pass an exam. And the best way to succeed is to assess yourself. Remember your High School Diploma. Raise your hand if you have never prepared with previous sessions tests, . In Quality, it's the exact same situation.
To prepare for an external audit, one must start with a successful internal audit that serves as a mock exam.
The goal is thus to check compliance with normative or private references or even customer specifications. Internal audit is also a tool to monitor progress in Quality Management System. Moreover, and I often mention this in the course of articles or guides, if one takes a look at the Deming Wheel, one of the 4 faces that make it up expresses the necessity of CONTROLLING.
Besides the detection of failure vis-à-vis a reference framework, the audit also highlights what works well in your company. And this is done in order to use what is working well to solve what is not working so well.
Moreover, some large groups have created services whose only task (and which is no easy thing) is to carry out internal audits and monitor actions for all of the group's sites. They thus ensure better success in certification audits.
So, how to carry out an internal audit?
To frame internal audit (s), it may be useful to use the WWWWWH. But you should not limit yourself to this one if you want to go further. For reasons of logic, the WWWWWH will become for this article the WWWWHH (Why, What, Where, When, How many, How)
Why?
It has been answered previously, but when creating an audit plan, it is important to answer the "why?" question. Your company’s purpose when it comes to internal audits.
What?
First, define what the audit will be about. If you rely on ISO 9001, all activities can be audited except accounting. If the goal is to be certified about another normative reference, it is necessary to target the activities concerned (ISO 22000 audit on Food safety/quality process, OHSAS 18001 audit on security process, ISO 14001 environmental audit ...)
Where?
In a multisite context, it is of course necessary to identify the sites concerned by the audited activity. For example, if you are in a grain company, the silos involved in organic certification.
Who?
Auditor (s) must be chosen according to their competence in the activity or activities audited. In addition, beyond these skills in the defined activity, they must be trained to carry out an audit.
As far as possible, it is also preferable that the auditor be impartial. Indeed, if as a quality manager, you perform the audit of your service, it might be hard to demonstrate impartiality. And unfortunately that situation happens very frequently in small companies where the quality manager is sometimes the only one who is able to carry out internal audits. To find a way around it, you can call on an outside consultant, but this subcontracting will of course be invoiced to you.
This is the reason why internal audit services in large companies are so effective. They are audit experts, they are impartial, they received a training on the company’s processes and most importantly, they are very cost-effective if you have a lot of certification and a lot of sites.
When?
Of course, internal audit should be carried out before external audit and in such a way as to allow time to implement corrective actions if necessary.
Therefore, for organizational reasons, it is best to schedule it at least 2 months before, to ensure the attendance of auditors and auditees.
How many?
You can perform internal audit several times a day or once a day for several days. In any case, it is preferable to spend at least 2 hours per activity and to audit at least one activity per audit. In fact, do not rush any activity audit, and do not partition too much an activity audit in order not to lose the thread or omit elements..
How?
Before the audit, auditor (s) need to prepare for their audit. The goal here is to create the audit guide or questionnaire. Themes or specific questions must be anticipated. For this reason, it is imperative to know:
- The referred normative or private reference
- The internal documents related to the activity (Procedures, Action Plan, deviation sheet, etc.)
Depending on what has been identified, the auditor must provide the auditee with their schedule. Overall a plan that describes time spent for each requirement.
During the audit,
Before starting the audit, a kick-off meeting needs to be arranged. Go through the audit schedule again, the main points that will be discussed, the progress of the audit ... and of course introducing one another if people do not know each other.
During the audit it is important to maintain a stability of information exchange that is sometimes difficult to establish: the auditee needs to be the one that speaks the most, but be careful, the auditor should be the one leading the discussion!
The attitude of the listener is therefore essential! Open-ended questions should be asked (how do you do this?); they aim to establish a discussion and allow to politely interrupt the auditee if they get off topic. I like the idea of a red thread which runs through, for an audit, you should not get off topic, but sometimes, it is helpful to get a little away from it so as to identify a problem.
It is also helpful to rely on evidence and to identify where the problems are. Take "distant" recordings into account, those made at a critical stage (Change of machine, staff, etc.). For example, it is very likely that the last recordings will be flawless and the external auditor will surely ask for the old ones which might be in critical conditions. You should then adopt the same strategy.
If you identify deviations, it is important to be objective, scientific. Identified deviations are not assumptions, they are facts. A non-conformity cannot come from a “in view of this situation, I think that ...
It is also important to assess the danger of a nonconformity by taking into account its frequency of occurrence and its severity. A serious and one-time non-compliance that has been taken into account is always more instructive than a recurrent and moderately dangerous non-compliance. The stakes are different.
However, be careful with some standards that do not allow any serious failure at the risk of not achieving certification.
After the audit,
Conduct an audit closing meeting that presents the results of the audit. When starting the meeting, the auditor should aim to end the meeting on a positive note. It is then better to start with the big failures then the minor deviations and finally finish with the company’s strengths. Remember what’s written in the beginning of the article, the purpose of the audit is to evaluate, and most specially to strive for a continuous improvement approach, when it comes to internal audit. If we expose the problems followed by the positive points we give the auditee all the cards to improve!
It may be useful for the auditor to prepare their closing meeting before, when possible.
Once all these steps have been completed, next step is to write audit report. Do not wait 2 weeks, observations should be fresh. If there is a delta between what is written in the report and the audit closing meeting, you will not have the desired effect on the auditee.
When writing the report, there are several methods. Personally, I prefer a report that looks like an action plan. It makes it possible to obtain the information quickly and above all to follow up the corrective actions after the audit. Because yes, the internal auditor will then do a follow up of the implementation of corrective actions.
Overall, the success of an internal audit lies in the methodology of the audit, the attitude of the auditor and the involvement of the auditee.
Go further:
Emmanuel Nizon
1 Comment