Internal Auditing in SMEs - Q&A
Q1: Is the max periodicity of internal auditing the same 3 year surveillance periodicity to allow you to make full use of this based thinking to add value to audit schedule?
A: In the example mentioned in the webinar a 3-year internal audit programme was adopted to match the certification body’s 3-year certification cycle, and included less focus on areas which had demonstrated stability and conformity in past audits.
The ISO Standards do not set out any maximum interval between internal audits, typically saying only that the planning of the programme (including audit frequencies) should consider “the importance of the processes concerned, [changes to the organisation] and the results of previous audits.” So in theory you could adopt any frequency you felt comfortable in justifying as still representing an effective level of control of the Management System. (However see also Question 2 below.)
The ISO 9001 Auditing Practices Group has also issued a Guidance document on auditing Internal Audits in which it specifically highlights risk-based thinking to prioritise critical or higher-risk processes in planning the audit programme, and points auditors towards evaluating the effectiveness of the internal audit process in leading to any tangible improvements to the QMS.
Q2: Would you visit the lower risk departments at some point to ensure full coverage?
A: Yes – at least once within a 3-year recertification cycle if you are certified by a third party audit body. (They in turn will need to see some evidence that the internal audit programme is an effective control over the entire Management System, even lower-risk processes).
Q3: Can you identify any pitfalls when internal auditing integrated systems (e.g. ISO 9001, ISO 14001)? Some clauses are common to both standards.
A: Auditing integrated systems should in principle be more efficient and co-ordinated than auditing separately to the individual Standards (this is the rationale for having integrated systems in the first place). However one does need to watch out for “integrated” aspects where the requirements of certain Standards are different from – and often more specific than – the common elements.
For example – an integrated Quality and Environmental System Management Review may make perfect sense: however subtle differences in the wording of ISO 9001 and 14001 require certain different specifics to be considered (customer satisfaction, performance of external providers under ISO 9001: compliance obligations and their fulfilment under ISO 14001). The auditor would need to verify that an integrated Management Review covered both sets of requirements.
In the same way – “Competence” requirements under Clause 7.2 are broadly similar under ISO 9001 and ISO 14001: however if the system is integrated with an Occupational Health and Safety Management System the wording of ISO 45001 includes the extra element of competence specifically to identify hazards – which may imply further evidence for certain roles.
Q4: What would you think the best advice to new internal auditors would be based on your experience?
A: Beyond some of the points covered in the webinar, I would say be prepared, be thorough and be honest:
Audit preparation is absolutely key. You need to be flexible to new evidence and audit trails as they arise, and open to the unexpected – but going in unprepared and expecting to just talk to an auditee (as one delegate on an internal auditor training course had expected!) will not maximise the opportunities of the audit, and will lose respect for the audit process in general.
You can be thorough without being pushy or obsessive. Among the “desired professional behaviours” of auditors listed in ISO 19011 are being “tenacious, i.e. persistent and focused on achieving objectives” and “able to act with fortitude.” Keep following an audit trail until you are satisfied with the evidence you have found (or satisfied you can justify a finding based on lack of evidence!), and don’t leave “loose ends” without appropriate follow-up.
Be honest with yourself and with others. You are not suddenly Superman (or woman) just because you are carrying the auditor’s clipboard. If you don’t know something about a process or area it’s OK to say you don’t know – and ask the auditee to take you through it (evaluating it against your audit criteria). If you are unsure of the wording of a Clause or requirement – check it out, don’t wing it and turn out to be wrong. ISO 19011 again talks about auditors being “open to improvement i.e. willing to learn from situations.” Every audit is an opportunity as much for personal development for ourselves as it is a coaching opportunity for auditees – it’s not just a one-way process.
Q5: I have recently started at a small/micro business and am new to the external annual audit review, how would you recommend I prepare for this?
A: NQA expert Tim Pinnel has recently hosted a on 'How to Prepare for your Audit' – so would recommend watching the recording for further views and tips.
My general view, as discussed at the end of the webinar, is, “Don’t prepare. Treat the audit day(s) just as ‘Business as Usual’ and don’t spend time running round arranging the shop window specially for the auditor.” If your organisation is genuine in its commitment to the Management System, and in using it as a tool for maintaining standards and continually improving, then the greatest benefit of the third party audit is gained through a fair and objective assessment of how the system is running over all 365 days of the year – not just the one or two when the auditor is there.
Having said that – of course you’d be unusual if you didn’t want to check up on a few things before subjecting them to external assessment. Make sure there is appropriate (and well evidenced) follow-up to any concerns raised at the last third party audit (and ideally internal audits too). Check that the usual records are up to date – especially with recent changes, where applicable (personnel and induction records for new starters, validation tests for new processes or plant, appropriate risk assessments or documentation of environmental aspects and impacts if things have changed in your factory or your operations).
More generally, things which will help the audit to run smoothly will include:
Making sure any logistical arrangements for the auditor are in place – e.g. somewhere for auditor to sit, any required car-parking, induction or permit requirements applicable at the site, any refreshments or catering arrangements you may be making (no, it generally isn’t a requirement that you provide the auditor with lunch – unless your agreement with your certification body expressly says so!).
Making sure relevant people are teed up and clued up for the visit. That is, if the audit plan includes (for example) HR or training records and they live with the HR Manager – make sure the HR Manager is on site, and is aware of the nature and purpose of the audit and what they may be asked to discuss or produce. (Also at least one member of the top management team – particularly if the audit scope includes, as it usually will, assessment against Clause 5 of the Standards, Leadership.)
Similarly, making sure relevant supporting evidence is readily accessible and available. Much of what an auditor is going to ask for in terms of evidence (records, supporting files, Legal Registers etc) is reasonably foreseeable with a modicum of forethought. There really is little excuse for having to tell an auditor, for example, that a critical equipment Register sits with a particular Engineer but because that person is on annual leave the week of the audit no-one else can show the auditor what it looks like.
Q6: During the internal audit process, have you got any tips, tricks, advise on how to identify a concern, as no process is perfect?
A: Often, as we discussed in the webinar, audit interviewees will themselves highlight areas of concern, or lead you to them – if you haven’t already picked them up yourself.
Examples of the sort of things which might trigger curiosity to investigate further would include:
An apparent deviation from a specified requirement (a process step not being followed, method not being observed, supporting documents not available or completed etc).
A process or activity not delivering its expected results (not just product failures or customer complaints – but also e.g. repeated raw materials failures despite suppliers “passing” the supplier approval process, or problems assigned to “human error” despite personnel being supposedly trained and competent).
Partial or missing information – e.g. missing reports or files in a numerical sequence – where are they? Why are they missing?
Incomplete filling-out of forms or records may indicate a process which is regularly not observed or enforced (e.g. customer sign-off at the end of a job). This, in turn, might generate a discussion as to the value of the requirement in the first place, and whether it is the practice or the requirements which needs to be changed.
Evasive or vague answers to audit questions, and
Anything the auditee doesn’t want to show you! (“You don’t need to look at that stack of boxes over there, that’s a special case,” or, “These are all the orders for the past 6 months but that specific project is different and did not follow the usual rules.” These cases may or may not yield cause for concern – but if nothing else they may establish how flexible and robust a Management System is in dealing with “special cases” or exceptions.
Q7: Our Accounts department has never been included on our audit schedule or been audited. I feel the department has many risks but it's always left out. Am I correct?
A: The Accounts department is often seen as not relevant to the objectives of the Management System and omitted from both internal and external third party audit programmes.
The key is establishing why it may be relevant to the Management System processes, or what impact it may have upon its objectives. I have, for example, been asked to audit “adherence to internal procedures” in an Accounts Department which also dealt with customers over billing issues and any queries, so any problems related directly to customer delivery and customer satisfaction.
In other cases I have followed audit trails through into Accounts departments to follow up things like materials supplies (where hard copy Purchase Orders ended up stapled to the Delivery Note and Supplier Invoice for reconciliation): customer complaints (resulting in Credit Notes – controlled by Finance); or even Engineering projects for CapEx sign-off documentation. Some of these people had never seen an internal (or third-party) Management Systems auditor before!
As Management Systems auditors we may not be interested in a financial “audit:” but I would not automatically rule the Accounts Department out of the audit schedule on the basis that “It’s Accounts, we don’t need to go there.”
Q8: I was advised by our then QA manager not to include Observations or Suggestions for Improvement to the BMS within our Internal Audits which has been difficult. He has now left the company and I feel it beneficial to go back to using them, should I? Also, when during an audit you realise a suggestion for improvement can I as the auditor make the suggestion or do I have to wait or see if the person being audited makes the suggestion?
A: In general, as I emphasised in the webinar, I would strongly advocate the use of Observations or Suggestions for Improvement as widely as possible in Internal Audits. For me these are the most powerful, flexible and useful tools in the Internal Auditor’s toolbox, and doing an audit without the ability to raise them would be like trying to talk without using my hands (which I also do a lot)!
As to whether you can raise the suggestion yourself or wait until the person being audited makes the suggestion – we are not, as internal auditors, bound by the constraint of ISO 17021 against offering “consultancy” so – absolutely, if an audit discussion appears to offer a suggestion for improvement, let us take the opportunity to raise it and add value through the audit process, every time.
Q9: Not auditing everything makes sense but the new standards say we need to audit every clause - how do we do that?
A: I am not aware of any Standards stating explicitly that every Clause has to be audited. This may be an “interpretation” or perhaps an implied understanding of the Clause 9.2 requirements.
I would refer back to the discussion during the webinar and under Question 1 above, and apply the same risk-based approach to Clauses of the Standard as I would to areas of a business or organisation. Where there is less risk – carry out fewer (or, for a defined period, perhaps no) audits.
Perhaps the idea of stretching the audit programme over a longer period might help (e.g. planning audits over a three year programme, such that some evidence relating to each clause will be demonstrated and evaluated at least once in every three year cycle). Provided this is done on a managed and justified basis (and in the absence of any explicit requirement for an annual audit) I don’t see a problem.
Q10: Could the aforementioned Management review reflect the same thing as auditing a Business Plan?
A: The requirements in the ISO Standards for top management to review the Management System at planned intervals include a number of specified “inputs,” several of which might be covered if the organisation has (and maintains) a Business Plan – or indeed other formats such as a SWOT Analysis or Risk Register.
Here, as elsewhere throughout the Standards, there is no requirement to adopt the structure or terminology of the Standards themselves – so if it means more to the management of the organisation to review a “native” document, and if that review covers off some of the required elements of the Standard(s) – so much the better. I have a number of clients whose “agenda” for their “Management Review” doesn’t follow the exact formulation in the Standards, but by reviewing their own Business Plans or similar documents they address all the requirements in a presentation which is “Made here” rather than an imposed agenda “Made somewhere else” just to tick off points on a checklist.
Q11: What advice do you have when employees try to get out of a situation or work method in an audit, against a clause... they say “it is down to interpretation”. How can I encourage them to be more involved?
A: Part of the auditor’s job is often “interpreting” the Clauses of Standards and bringing them into the context of an auditee’s working environment. Where there is a “difference of interpretation,” a mutually acceptable understanding may be reached through a collaborative, rather than an authoritative approach. So, I would rather engage with someone at the level of, “Let’s look at the requirement and work out what it is trying to achieve – then see how that fits into what you are doing” (how can we achieve that objective in a way that helps and supports you and your organisation) – than tell someone, “This doesn’t mean what you think – I’m telling you that your interpretation won’t hold water” (even if that is sometimes what we want to say!).
If the relevant requirement is part of the organisation’s own Management System then there may be internal arbiters to refer to for an authoritative “ruling.” With ISO Standards there are many guidance Standards (ISO/TS 9002, ISO 14004, ISO/IEC 27002 etc) as well as other publications and information sources on ISO or certification body web pages. And of course you could ultimately ask your certification body for their interpretation (or refer to a consultant if the problem is not, “What does this mean?” but rather, “How do we implement this here?”).
Q12: How do you evidence/document how you assess the risk and frequency of each audit?
A: In a small organisation (the context of this webinar) systems and processes are generally less formal and require less extensive documentation. So I would certainly not expect a detailed 'risk assessment' against each and every audit scope, or Clause of the Standard(s).
Where I am planning the audit programme for my clients I will generally provide a brief outline of areas I am focusing on (or not), and why. Typically this could be in a covering e-mail, or at most a one-pager highlighting any key considerations behind the thinking. In my experience this is more than sufficient (a) for me to develop and explain my own thinking, and (b) for the client to understand the rationale for any changes.
Even where there is only one major Management System Internal Audit every year, as discussed in the webinar - an Audit Plan might include changes of emphasis or approach, perhaps with explanations in a covering e-mail. Also in the Audit Report itself, a simple note, as suggested during the webinar (“No changes since last year in personnel, training requirements or competency levels”) can indicate that a particular area has been considered, assessed to present a low risk in terms of the Management System, and has accordingly been less extensively audited than other areas.
Q13: When auditing a process would you use the 5 Why's method?
A: I have not used this explicitly as an auditing tool, though in principle there is no reason why you could not.
I have seen – and audited – very good instances of '5 Whys' being used within SMEs as an investigative method into the root causes of problems, and determination of correction and corrective actions. However for straightforward issues it can seem a bit like the Spanish Inquisition, so if using it in an audit environment one might want to pick one’s occasions selectively!
Q14: How would I go about conducting an internal audit on clause 4.4.1?
A: It is possible to adopt a point-by-point approach to Clause 4.4.1 of ISO 9001 and look for specific examples of each of the listed bullet points being put into effect. A Quality Manual may set out what is often a “copy and paste” of the general commitments in the Clause. QMS documentation may well state “inputs and outputs” for key processes. It may include a flowchart, diagram or other representation of the “sequence and interaction of these processes.” And so on. One could, at face value, take these statements as “evidence” of the requirements of the Clause being implemented.
Personally I prefer to take this Clause as a case for applying the guidance from ISO 19011 as referred to in the webinar – i.e. that “Some ISO management system standard clauses do not readily lend themselves to audit in terms of comparison between a set of criteria and the content of a procedure or work instruction.” There is no explicit requirement to have any directly equivalent documented version of Clause 4.4.1: many of my clients’ Quality Management Systems address the requirements in other ways (e.g. by relevant procedures etc at the process level, where applicable – or simply by unwritten demonstration of the requirements being present in practice). In other words, the proof of the pudding is in the eating; one needs to audit the processes – then relate back to Clause 4.4.1 if appropriate, to see whether the general requirements set out therein are satisfied.
If the Management System is working well and delivering its intended outcomes – there should be little need to revert to Clause 4.4.1 itself. In satisfying all the other requirements of the Standard, this Clause should be evidenced across the entire organisation – not just on paper in the Manual.
Author - Stephen Singer, Infralogics
NQA does not provide consultancy in order to remain impartial from management systems implementation.
NQA shall not imply that certification would be simpler, easier, faster or less expensive if a consultancy listed on the APP is used.
APP Consultants shall not imply that NQA certification would be simpler, easier, faster or less expensive if their services are used.
NQA remains impartial from our partners on our Associate Partner Programme and does not endorse one partner over another.
‘Our consultants’ do not work for NQA, they work as independent bodies in partnership with us through our Associate Partner Programme. In accordance with the accreditation standard ISO 17021-1:2015 NQA does not provide consultancy in order to remain impartial from management systems implementation.