ASQ CQA – 4. Audit Program Management and Business Applications Part 5

  1. 4A9 Management Review Input

In the topic of audit program management, the next topic is management review input. Now, here I have a requirement from ISO 9001:2015, and this is clause number 9.3.1. This says that the top management shall review the organization’s quality management system at planned intervals to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization. So what this requires is basically that top management shall review whether the quality management system is being implemented properly in the organization or not.

So they do this review at a specified period. In many companies this is every year. In some companies this will be every six months. So every six months or every year there is a management review done. Then there are some inputs to the management review and there are few outputs to the management review. Here in this video we will be focusing on management review input.

So, when the management is reviewing the quality management system, what are the inputs to that? So, here I have ISO 9001, clause 9.3.2, which is management review inputs. And this says that the management review shall be planned and carried out, taking into consideration the following things. So, the first thing is that the management review should be planned. It’s not an unplanned activity.

So this happens every six months or every year in most of the organizations which have implemented ISO 9001 standard. So, the first input is the status of actions from the previous management review. So, whatever happened in the previous management review, if there were some actions identified in that, what is the status of that? The second input to the management review is changes in the organization, changes in the internal or external issues that are relevant to the quality management system.

What all has changed? We have launched a new product, we have expanded and made a new factory. Or something external: demand has changed, people are shifting to newer products. So, whatever the internal and external issues are, those are the inputs to the management review.

The next item, which is item number C in management review inputs, is information on the performance and effectiveness of the quality management system, including trends. So here we are looking at various trends: trends related to customer satisfaction, whether the customer satisfaction is going up or down, and the extent to which quality objectives have been met.

So, the organization would have set a number of objectives, and whether those objectives have been met or not is another input. The next input is process performance and conformity of products and services. So, how our processes are performing: let’s say if we are doing welding, what is the weld rejection rate? If we are making valves, what is the leakage rate of that? So this is process performance and whether the product is conforming or not. So this is another input to the management review.

The next input is nonconformities and corrective actions. So these nonconformities and corrective actions would have come from previous audits. And then monitoring and measurement results. So if the organization has agreed on some measurements and monitoring, how are those performing? Many organizations have KPIs, which are key performance indicators, or QPIs, quality performance indicators. They have established those. So those KPIs or QPIs could be the input to the management review. The management review also includes audit results. So whatever audits have happened earlier, what are the results of that? And the performance of external providers. And when I say external providers, that means suppliers: how our suppliers are performing. Point number D is adequacy of resources, whether we have sufficient resources. Point number E is effectiveness of action taken to address risks and opportunities. So during the period some risks and opportunities would have been identified, and some actions would have been identified. What is the effectiveness of those actions? Some companies might have a risk register set up where they will list down all the risks, what actions are proposed for them, and whether those actions have been taken or not. That risk register, or the highlights from the risk register, also forms part of the management review inputs. And then there are any opportunities for improvement that have been identified. So these are basically the items which go as an input to the management review.

So if your management review finds out that the defect rate is going up in one particular process, then that might require some additional audits somewhere. If things are going fine, then you might need to reduce the level of auditing. So the audit program management basically depends on this management review. So based on this review, the management might allocate the required resources for the audit program. So this completes our discussion on management review inputs. The last item in audit program management is electronic records and computerized system considerations. Let’s talk about that in the next video.

  1. 4A10 Electronic Records and Computerized System Considerations

In this topic of audit program management, we have talked about a number of things. Things such as getting senior management support, things such as staffing, resourcing and training of auditors, evaluating the audit program, internal and external audit program management. We talked about how we deal with best practices in the organization, and we also talked about organizational risk management, and this was a partial coverage of risk management. There will be further coverage of risk management later in this course. And we also talked about management review inputs. Now, coming to the last topic in audit program management, which is electronic records and computerized system considerations. More and more organizations are now moving towards electronic records or electronic systems. Companies are moving towards artificial intelligence, machine learning, et cetera.

So how does this trend of moving towards electronic systems and data affect the audit program? That’s what we will be talking about in this topic. When we are looking at the considerations related to electronic data or electronic systems, let’s look at what the opportunities are and what the problems or challenges are. Let’s look at the opportunities first. As organizations are moving towards electronic records or computerized systems, the opportunity for the audit program is that the scope of the audit program could be increased, because now the data is easily accessible to auditors. So an auditor could do more coverage in the limited time. Another important thing is that auditors can have direct access to the data which they require for internal audit. Now, auditors can perform trend analysis. So rather than just looking at individual data points, looking at individual things, now auditors can look at the trend itself because they have comprehensive data access. So if you are doing the audit of a welding process, rather than looking at the welding record of, let’s say, one or two days, the auditor can do the analysis of the weld repair rate for the whole year.

In an audit, generally you look at a sample in the case of hard copy or non-electronic data. Generally you will check five pieces or ten pieces, or five or ten documents. But when it comes to electronic records, you can look at a much bigger sample rather than the small sample, because those samples were physical samples. Here, if you are looking at electronic data, you can look at a much larger number of sample points. In addition to doing the audit and looking at data during the audit, if companies want, they can set up a system where the data is automatically audited every week, every month, or even online continuously. That data could be monitored.

So these are some of the opportunities which are related to electronic records and computerized systems. But then there are some challenges as well which auditors need to be aware of. So here are some of the challenges, and one of the important challenges is that auditors need to enhance their skills in how to handle electronic records and how to use analytical tools. So that knowledge they need to enhance. And in addition to that, auditors need to be aware of data integrity issues, cybersecurity issues, and frauds, because these are happening more when it comes to electronic data as compared to the hard copy data which we had earlier.

Now, let’s quickly look at the data integrity and cybersecurity issues on the next two slides. So, what is data integrity? Data integrity refers to the reliability and trustworthiness of data throughout its life cycle. So how much can you rely on this data? This is data integrity. So when you have electronic records, when you have electronic systems, then you need to make sure that the data which you are collecting is reliable, that the data integrity is maintained. And now, how do you maintain data integrity? So, there are techniques related to that. The first one is input validation. As you would have seen, when you fill in a form and it asks you for, let’s say, your date of birth.

And in date of birth, you put 32 November. Then this will not be accepted because there is no 32 November. The data is validated as you input the data. So this is one way to ensure the integrity of the data. Another one is removing duplicates. So many times you will have duplicate records. So make sure that there is a system to check if there is any duplication of records so those duplicates are removed. Access control is another approach to ensure data integrity. If everyone has access to the database, they can enter anything in the database. So you need to have access control. Different levels of people will have different access levels. Some people will have write access, some people will have read access, and so on. So, access control needs to be maintained to maintain the integrity of the data. The fourth one here is to maintain an audit trail. So, an audit trail basically tells you who did what.

So if I log in to a certain database and I delete a record, then the history is kept that Sandit Kumar entered into this database on this particular date and deleted that record. So those audit trails can help you in identifying any problem if something happens later. And then you need to make sure that the data is backed up regularly. So these are some of the approaches to ensure data integrity. As an auditor, you need to make sure that, for the data which the organization or the auditee is maintaining, they are maintaining the integrity of that. So you can check these points: when you input data, how that data is validated, how they make sure that there are no duplicate records, how access is controlled, how the audit trails are maintained, and whether they are maintaining data backup or not. So these are some of the questions you can ask as an auditor to make sure that the data integrity is maintained. Coming to the next challenge in the case of electronic data, which is cybersecurity issues and frauds.
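The auditor's questions above, turned into checks that could be run over an exported record set. This is an added example, not part of the lecture; the record layout, user names and audit-trail fields are constructed assumptions, and backup verification is not covered.

```python
from datetime import datetime

# Constructed sample data: inspection records, an access list, and the audit trail.
RECORDS = [
    {"record_id": "1", "weld_id": "W-100", "inspected_on": "2023-11-02", "result": "accept"},
    {"record_id": "2", "weld_id": "W-101", "inspected_on": "2023-11-32", "result": "repair"},
    {"record_id": "3", "weld_id": "W-100", "inspected_on": "2023-11-02", "result": "accept"},
    {"record_id": "4", "weld_id": "W-102", "inspected_on": "2023-11-05", "result": "accept"},
]
ACCESS = {"akumar": "write", "jlee": "read"}
AUDIT_TRAIL = [
    {"user": "akumar", "action": "insert", "record_id": "1"},
    {"user": "akumar", "action": "insert", "record_id": "2"},
    {"user": "akumar", "action": "insert", "record_id": "3"},
    {"user": "jlee", "action": "delete", "record_id": "5"},
]

def invalid_dates(rows):
    """Input validation: IDs of records whose date is not a real calendar date."""
    bad = []
    for row in rows:
        try:
            datetime.strptime(row["inspected_on"], "%Y-%m-%d")
        except ValueError:  # e.g. the 32nd of November
            bad.append(row["record_id"])
    return bad

def duplicates(rows):
    """Duplicate check: IDs of records that repeat an earlier record's content."""
    seen, dupes = set(), []
    for row in rows:
        key = (row["weld_id"], row["inspected_on"], row["result"])
        if key in seen:
            dupes.append(row["record_id"])
        seen.add(key)
    return dupes

def unauthorized_changes(trail, access):
    """Access control: trail entries made by users who lack write access."""
    return [e for e in trail if access.get(e["user"]) != "write"]

def untracked_records(rows, trail):
    """Audit trail: IDs of records with no 'insert' entry saying who created them."""
    inserted = {e["record_id"] for e in trail if e["action"] == "insert"}
    return [r["record_id"] for r in rows if r["record_id"] not in inserted]

def run_checks(rows=RECORDS, trail=AUDIT_TRAIL, access=ACCESS):
    return {"invalid_dates": invalid_dates(rows), "duplicates": duplicates(rows),
            "unauthorized": unauthorized_changes(trail, access),
            "untracked": untracked_records(rows, trail)}
```

Each non-empty list is a finding to raise with the auditee: a record that bypassed validation, a duplicate, a change by a read-only user, or a record nobody can be shown to have created.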

So with the use of electronic data, the cybersecurity issues and frauds also have gone up. You would have heard a number of news stories related to a database getting hacked. This particular store, the data got hacked, all the consumer records were stolen. So this is something which is happening, and organizations need to be aware of that and take necessary action to avoid hacking. And if something happens, then the consumer needs to be informed immediately. The next one is ransomware. Ransomware is a sort of a virus which goes into your system and locks your system. So let’s say if I get ransomware in my laptop, then my laptop will be locked and I will not be able to access any data in my laptop until I provide a certain amount of money to those people who have hacked the system. Denial-of-service attack: here a lot of people log into your website and then the website goes down because there are so many people logged into it. So this is a denial-of-service attack. The next one is phishing. This is another important thing which you need to be aware of.

In phishing you get a sort of an email which looks like an email from your bank or from your financial manager or someone, and in that they ask you to change your login password or something. So once you click on those links in the email, then you get a virus in your system or they might steal your password or login information. This is phishing. The next one is social engineering. In social engineering, basically people look at your information and act on your behalf. There was a recent news story where an email was sent or a phone call was made to a person, and this person was acting as the CEO of the company and asking to transfer a certain amount of funds because this fellow is dealing with some negotiations, and, without knowing, the branch manager sent that money to that particular account.
