How to Process Audit Effectively
Maximizing the effectiveness of your internal audits will enable you to continually improve efficiency and effectiveness and manage risk.
6 tips for better Process based audits
The following tips are simple yet powerful techniques to deliver an effective internal audit; you can use all of them or be selective – each one has a place in the internal auditors tool box.
Tip 1: Plan your audit with the v-cycle
To conduct a process based internal audit correctly, you will first need to identify the sequence of all organizational processes from the process for creating the organizations strategy, policy and objectives through to the process for delivering continuous improvement. This isn’t as daunting as it might sound once the processes are listed in a logical sequence.
A useful tool for developing your audit plan is ‘THE V CYCLE’. Designed to start with management processes, it guides you down through processes that interact with the customer and then through the support processes that enable product or service development and delivery.
Top Management Oriented Processes
To apply the above model for a process based auditing approach, you will first need to start at the top left of the V with the requirement to address top management oriented processes includes:
- The mission statement
- The organizational business plan
- Strategic objectives
- Management reviews
- Internal and external audit results
An understanding of the context of the organization will need to pervade all of the above management processes.
The organizations purpose should be clear within its mission statement, the internal and external influences on your business should have been considered in the formulation of objectives, KPIs and business plans.
Management Reviews and subsequent results should demonstrate reactive and proactive approaches to stakeholder concerns or potential risks.
Customer Oriented Processes
Working down through the lower-left and central section of the V moves you in to the assessment of Customer Oriented Processes, including:
- Contract reviews
All of the above processes should be influenced by customer specifications and compliance obligations.
Support Oriented Processes
By this point you should have a more in depth understanding of the organizations overall plans for delivery and be able to see how closely these plans are met, dependencies on support processes, in order for the organization to meet objectives.
It is at this point, you should continue from the base of the V to the top right section to assess Support Oriented Processes. These include:
- Problem Management
- Corrective and Preventive Actions
Each of these processes should connect top management plans with product or service delivery; assessment of these processes in the sequence adopted by The V Cycle mirrors the Plan, Do, Check, Act (PDCA) cycle.
Tip 2: Question top management to link strategy to process
Following on from the V-Cycle, interviewing top management should be a key element of your audit. It should focus on establishing a connection between Context, Strategy, Objectives, Processes, Resources and Outputs.
This is especially useful in preparing for a third-party of certification audit, as the assessor will want to establish top management commitment and an active input to the continual improvement to the management system.
Top Management should be able to demonstrate:
- Awareness of the macro environment and industry sector factors that determine the external context
- Evidence that strategic decisions have been established using rational approaches
- The application of ‘Risk Based Thinking’ in the formulation of objectives
- Your position in the market place relative to competitors
- Consideration of the internal context including systems, skills, shared values (culture), knowledge
Interviewing top management regarding the above should not require deep analysis – you are looking for indicators that the above considerations have been factored into decision making. Evidence of this may be demonstrated in tools like PESTLE, 7S and SWOT analyses.
At this point you should highlight that individuals selected at any level of the organizational structure should be able to reflect top management claims to a reasonable degree – i.e. that policy and objectives have been communicated and cascaded effectively.
Tip 3: Probe the management review
Management review should occur at planned intervals and documented evidence of the content and occurrence should be available. Significant business justifications would have to be given for absence of management review.
Evidence of monitoring and measuring performance should feature within the evidence of management review, together with actions and improvements to processes, products and services.
Where customer complaints occur there should be evidence of these complaints being followed up with root cause analysis, actions for isolating and eliminating them, and a risk based thinking approach for continual improvement.
A good starting point is to evaluate that the management team understand the output requirements of management review.
The following steps will help to evidence reviews in line with ISO management system standards requirements:
- Record judgments as to whether the inputs have been deemed as robust or otherwise
- Assign responsibilities and timelines
- Monitor the progress of assigned tasks to raise any requirements for additional support to meet desired deadlines
REMEMBER: All audit outcomes must feed back into action for improvement within the PDCA model.
Tip 4: Identify process owners
Identifying the most suitable process owner does not always mean going directly to the manager of a particular process. It could mean approaching an operative who spends the most time within a process, who may have important tacit knowledge of the process and its interactions within the management system.
Ensuring that any process critical knowledge that you discover is documented will enhance the operational integrity of the process.
Tip 5: Use the CAPDo technique
Everything an organization does is an activity that takes an input and converts it into an output, which should be measurable in terms of effectiveness and efficiency.
A method you can use to complement the PDCA cycle when auditing a process is by adopting a CAPDo approach, whereby you start half way through the PDCA cycle.
REMEMBER: Before asking your questions, you should identify the ‘process owners’ (see Tip 4), then apply the following type of questions:
- Who is the customer of the process and what are their expectations?
- What are the KPI’s / objectives / targets?
- Are these appropriate to the risks?
- What risks have been identified?
- How do they know the process is working well or not?
- How are inputs to various process categories recorded?
- Is information correct and up to date?
- Are processes effective and efficient?
REMEMBER: Asking the right questions will probe the process, but how well you record the answers can determine how much value you get from the audit.
Tip 6: Use the turtle-tool to structure your audit
There are two questions you need to keep in mind when you are interviewing process owners:
- How could we record inputs to various process aspects?
- How could we audit risk in the process?
Failure to consider the above could have a seriously negative impact on your audit results.
Using the Turtle-tool will help you to capture and structure the comprehensive range of information required to ensure that process risk is identified, assessed and eliminated/mitigated.
The Turtle-tool, demonstrates the points of interaction within process by detailing things like:
- What equipment is used in the production process
- What resources are required to operate it
- Who is involved in managing and operating the process
- How required actions are carried out
- How work instructions and procedures are communicated
- The availability of documented references
- What results are achieved e.g. process capability
- What support processes support the main process
Collating and verifying this information properly will help to pre-empt and avoid process failures; it is important to record the identity of:
- Equipment, to enable checking of maintenance records, including gauges to check calibration records
- People, to check their competency
- Drawings, control plans, work instructions, records etc. to check document control and risk mitigation
- Process performance measures, to check against KPIs, objectives and targets
summary: Start again
In the spirit of continual improvement and the PDCA cycle, once your audit is complete, it should naturally lead to improvement focused action. Once implemented, you should repeat the process based audit – not only will this lead to improvement of the management system, but improvement of the audit itself.