ASQ CQA – 4. Audit Program Management and Business Applications Part 3

  1. 4A5 Internal Audit Program Management

The next topic is internal audit program management. So when you want to manage the audit program for internal audits, what are the things to be considered? And the next topic will be external audit program management. Many things are common between internal and external audit program management. Let’s talk more of these things in internal audit program. And then we will be talking about a few important things in regards to external audit program in the next video.

So let’s come back to the topic of this video which is internal audit program management. So here we are looking at the internal audit. What are the things to be considered here? In this I will be talking about these five points. The first one is defining objective of the audit program because that’s important, what is the objective of the internal audit program and then developing policies and procedures for conducting audit. So you need to have set of rules, set of procedures, set of forms for having internal audit program. And then I will be talking about audit program schedule and training and selecting auditors specifically focusing on internal audits.

And then I will be talking about reviewing audit results and management review. At the end I will be looking at ISO 9001:2015 requirements related to internal audits. Let’s start with the first point here, which is defining objective of the audit program. This we have talked earlier also when we were talking about audit program evaluation that you need to have objective for the audit program. Now, objective could be to maintain ISO 9001 certification or any other management system certification.

So this could be one objective for having internal audits. Or else the objective of internal audit program could be to check compliance, compliance with internal work processes. Because using audits you want to check whether the internal work processes are being implemented or not. Or you might want to check the statutory and regulatory requirements, whether these are being met or not, checking compliance with these.

Or you might want to check compliance with the customer requirements. So you have set up customer requirements whether your organization is meeting those requirements or not. So these could be some of the objectives for internal audit program. Now, once we know the objective, the next thing is set up policies and procedures. Now, internal audit will be done by number of auditors.

So you will have a team of auditors. So if each person works in their own way, that’s not going to help the organization. So what you want to do is you want to set up some rules, some procedures, some forms which every auditor needs to use. So when I’m talking about policies and procedures, I’m talking about policies and procedures for planning the audit, doing or conducting the audit, reporting, follow-up, summarizing the results and lessons learned, and record retention.

So you need to look at all these aspects and need to have established the procedures for these so that everyone does the audit in a consistent way. And in addition to policies and procedures, you need to have standardized forms and report formats for audit plan, how the audit plan will be prepared, how the agenda will be prepared, how the audit report will be prepared, how do we record NCR and corrective actions. So you need to have forms for these. Some organizations will have paper form for many of these. Some will have automated systems or computerized systems for these. Some will be using Excel, let’s say, for managing nonconformities and corrective actions. Some might be using some sophisticated software. Whatever your organization is doing, you need to set the policies and procedures in regards to the audit program.

Coming to the third point, which is audit program schedule. And here I am not talking about a single audit here, I am talking about all the audits which need to be done, let’s say in next year, or let’s say in next quarter or let’s say in next half year. Whatever frequency you want to have in your organization, you need to have the audit program schedule. Many organizations make the audit program for a year. Some organizations which are project based, they make the audit schedule for the project duration.

So if the project duration is for two years, then your audit program schedule will be for those two years or three years. So you need to set up your audit schedule which will tell what discipline, what function will be audited, and when. And when you are making the audit schedule, you need to consider the horizontal and vertical audits. We have talked about that earlier as well. So how you want to split audits, you need to decide when you are setting up the audit program schedule. Coming to the frequency of audits, how frequent do these audits need to be?

Some organizations have one audit done every one year for each function. Some functions might have more audits than one because those functions are critical. So instead of having one audit, they might have two audits or three audits in a year. But this all will depend on these three things, which are the importance of the process concerned, how important is the process, how critical is the process, how risky is the process? And then changes affecting the organization.

There has been some restructuring in the department, there has been a new manager, there has been some new processes established. So if there are changes, then you need to adjust your audit frequency, audit schedule based on those changes, and you set up your audit schedule based on the result of previous audits as well.

So if your previous audits did not result in a number of nonconformities, everything was fine. So in that case, the frequency of audits could be reduced. But if you have a function where you find a lot of issues, a lot of problems there, you might want to have more frequent audits. So these are some of the things which you need to consider when deciding on the frequency or when you want to set up your audit program schedule. And this audit program schedule needs to be shared with auditees. So auditees are those functions which are getting audited.

So let’s say you have a design department, procurement department, packing department. So you need to tell them that, okay, this is the schedule for the audit. In internal audit program management, the next thing which I want to discuss here is auditor training and selection. So when it comes to internal auditors, what most organizations do is they have very few full-time internal auditors. These internal auditors could be part of the Quality department or some other department.

So these are full time internal auditors. And then in addition to that, they use number of part time auditors. These part time auditors are people who are working in different disciplines, different departments, different functions. Those people are trained to act as internal auditor. So let’s say you have one auditor which is trained which is working in Production department. So this person is actually working in production department. But once in a while, this person will be used for doing internal audits. Same thing could be in Design Department and some other department.

So these internal auditors need to know about the fundamentals related to auditing. They need to know the auditing processes, how to write a report, how to write a nonconformity, et cetera. So these people need to be trained. This training could be internal training or external training. Some organizations which have a lot of internal auditors who are working part time might have their own internal training program. On the other hand, some other organizations might be using external training for training their internal auditors.

So they send their internal auditors for one day or two days of internal audit training. So you could choose any of these options depending on the budget, depending on the size of your organization. So, in addition to these trainings, some of the auditors might have some auditor certifications. And these certifications include the CQA (Certified Quality Auditor) certification offered by the American Society for Quality. And this is the course based on the CQA body of knowledge. So some of your auditors could be certified as CQA. So they would have taken the exam and got themselves certified as CQA.

Some would have IRCA. IRCA is the International Register of Certificated Auditors. This is a UK-based organization. So some of your auditors might have IRCA certification, some might have got Exemplar Global. This was previously called RABQSA. So if a person has one of these certifications, that means this person might not need to go for a training because they already have certifications. So you need to look at these things and then you need to select auditors and conduct audits to ensure objectivity and impartiality of audit process.

And when I say objectivity and the impartiality of the audit process, I will talk about this line when we go to the end of this video, where we will be talking about ISO 9001 requirements. There we will talk about this particular line, which is to ensure the objectivity and impartiality of the audit process. And the next point here is review audit results. So here you want to review the audit results annually. And we have talked about this as well earlier when we were talking about evaluating audit program. So you look at the trends and these things become part of management review input. So ISO 9001 requires management review to be done and one of the inputs in management review is audit results. Now let’s quickly look at ISO 9001:2015 requirements. So this is clause 9.2.2, which is related to internal audits. What does this clause require? Let’s look at that.

So, point number A here is plan, establish, implement and maintain an audit program including the frequency, method, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization and results of previous audits. So this is something which we have talked earlier as well when we were talking about the audit program schedule. That schedule is based on these three things: importance of the processes, changes affecting the organization and the results of previous audits. Point number B here is define the audit criteria and scope for each audit. We have talked earlier about this when we were talking about individual audits. And then point number C here is select auditors and conduct audits to ensure objectivity and impartiality of audit process. So here ISO requires that when you select an auditor, make sure that the audit is objective and impartial.

Here, let’s not assume that audit needs to be done by a person who is not working in that function. ISO doesn’t say that. ISO only says that whatever auditor you select, make sure that the objectivity and impartiality is maintained. Some organizations might have just one or two persons in the organization. So if they want to go for ISO 9001 certification, they might not be able to get a person who is outside the function being audited. So many times people get confused and assume that ISO requires that the auditor should be from outside the function. This is a good idea because that way it will ensure that objectivity and impartiality is met. But many times this might not be possible. Coming to point number D, it says that ensure that the results of audits are reported to relevant management because these are the people who need to take action.

So make sure that the results of audit are properly reported. And then the last point is take appropriate correction and corrective action without undue delay. Previously, also I was talking about the timing of closing the nonconformities and corrective actions. The only requirement here is that there should not be any undue delay. People should not be just sitting on those corrective actions and doing nothing. Some of the corrective actions might take a lot of time. That is understood. So don’t assume that corrective actions need to be closed in 30 days, 60 days or some other time period. The only requirement ISO poses is that there should not be any undue delay. Another thing which I want to highlight here is correction and corrective action.

We have talked about this previously as well, but I still feel that we can talk about this once more. Correction is the action which you take to correct the situation. So if something is leaking, you do something to stop leaking. That is correction. And then corrective action is making sure that this problem is not repeated. So make sure that that leakage does not happen again. That’s corrective action.

  1. 4A6 External Audit Program Management

Most of the things which we talked about previously in internal audit program management, those things apply to external audit program management as well. So I will not be repeating those things here. I’ll be just focusing on a few important things in regards to the supplier audit or the external audit program management. So these are the topics which I will be discussing here. In external audit program management, one is defining the objective of the audit program. We talked about this in internal audits as well. But in external audits there is a slight difference in the objective of the audit program. So we will look at those objectives in regards to external audits. Then I will talk about audit program schedule in regards to external audits and then I will be looking at ISO 9001:2015 requirements related to supplier audits. So let’s start with the objective of external audits. And when I say external audits, let’s focus on supplier audits. External is anything outside the organization and suppliers play an important role in the quality of the organization.

So if you get bad quality, your own reputation as an organization will be damaged. So the objective of external audits could be supplier selection, supplier monitoring or surveillance, or supplier development and improvement, or a combination of these. So your audit program could be focused on one or more of these components. So these are the objectives of supplier audits. Coming to the scheduling of the audit program. Now here we are looking at the supplier audits. Let’s understand here that the procurement department, the department who deals with suppliers, is generally the client for supplier audits. So they are the ones who will be requesting this audit. The procurement department is the client here. So when you are preparing the audit program schedule, you need to work with the procurement department and make sure that the schedule aligns with their requirement. The audit frequency depends on two important aspects.

One is the past performance of those suppliers and the second one is the level of risk. Let’s look at these two things, the risk level and the past performance. Items which are of high value or items which have high risk will require more frequent audits. So let’s say if you are doing a project where you are buying nuts and bolts and where you are buying compressors, which is worth let’s say $10, $20 or $50 million, so your focus will be on those items where there is a higher risk or where the value is high. So when you are making the audit program schedule, make sure that the suppliers of the high-value or the high-risk items are audited more frequently as compared to the low-value or the low-risk goods and services. The second aspect for deciding the audit program schedule is the past performance.

And when you are talking about the past performance of suppliers, you will be looking at the cost: whether the supplier has previously provided things under budget or has provided some cost saving, whether the quality was good or bad, whether the rejections were more, whether you received a lot of damaged material, whether things came on time or whether there was a shortage or not, how willing the supplier is to accept the changes. So these are the things which will decide the past performance of suppliers. Your procurement department will be monitoring the past performance. So they will be keeping a record of these that will basically form the basis based on which you can decide the frequency of audits. If the past performance was good, you will have less number of audits or probably no audit. But if the past performance was bad, then you will have more frequent audits. So this was about the audit program schedule for external audits. So let’s look at two requirements related to the supplier audits. But even before we look at those two requirements, let’s understand that in ISO 9001:2015, suppliers are called external providers. So external providers are those who are outside the organization. So a supplier is also an external party. So they are also called the external provider. So this is the term which is used in ISO 9001 when we talk of suppliers.

Now, let’s look at this first requirement, which is clause number 8.4.2. It says that the organization shall ensure that the externally provided processes, products and services (and when I say externally provided processes, products and services, that means things provided by suppliers) do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers. So, the organization needs to ensure that suppliers do not adversely affect that ability. So, what an organization needs to do is make sure that those external parties, those external providers or suppliers, do not affect your own ability to provide good product to your customer.

So if your suppliers provide bad things to you, you might end up providing those bad things or not so good things to your customer. So the organization needs to make sure. And then how do they make sure? They make sure through a number of things. And one of those things is auditing. The second requirement in regards to supplier audit in ISO 9001:2015 is that the organization shall determine and apply criteria for the evaluation, selection, monitoring of performance and reevaluation of external providers based on their ability to provide processes or products and services in accordance with the requirement.

Let’s understand this in plain language. So when you are looking at suppliers, you need to have some rules, some criteria for evaluating those suppliers, selecting those suppliers, monitoring the performance, how these suppliers are performing, and reevaluating from time to time. So you need to have some mechanism for these, so that these suppliers provide acceptable quality of product or service to you. And one of the mechanisms for ensuring this is having an audit program, an external audit program.
