Tuesday 3 May 2016

Internal Audits INTERNAL AUDIT OF QUALITY MANAGEMENT SYSTEM



 INTERNAL AUDIT OF QUALITY MANAGEMENT SYSTEM
K. R. Singhal

Conducting internal audit is a vital tool to assess organization’s quality management system. The organization gets information in a planned way by conducting internal audit from a variety of sources. The purpose of conducting internal audit is to find out the answers to following questions:
- Is quality management system of the organization conformed to the planning of product realization carried out in the organization?
- Is the quality management system of the organization conformed to the requirements of ISO 9001:2008 QMS Standard?
- Is the quality management system of the organization conformed to the quality management system requirements established by the organization?
- Is the quality management system of the organization effectively implemented and maintained?

An internal audit is a tool to monitor and determine the health of the quality management system of the organization. For an organization, a properly conducted audit is beneficial and we need to conduct value added internal audit that is useful to the organization, auditee department, management representative and top management.

Clause 8.2.2 of ISO 9001:2008 QMS Standard deals with internal audit requirements. As per requirements of ISO 9001:2008 QMS Standard, an organization needs to conduct internal audit at planned intervals. An audit process should include the following aspects:
- Planning of internal audit – such as planning of audit schedule, assignment of auditors, auditee area, and scope of audit, status and importance of processes, results of previous audits.
- Examining and reviewing the quality management system documentation of the organization,
- Examining and reviewing other relevant information of the organization, such as production reports, failure trends, customer complaints, customer survey reports etc.
- Examining and reviewing the quality management system procedures and processes by visiting the audit area spot, interviewing relevant personnel and looking to relevant processes.
- Reporting the internal audit results (including corrective action requests from auditors).
- Verifying corrective actions taken.

An organization should have a documented procedure for conducting internal audit that define and narrate the following aspects:
- Audit criteria
- Scope of the audit
- Frequency of audit
- Audit methods
- Responsibilities and requirements for planning and conducting internal audit
- Relevant audit records (including results of audit) to be established and maintained
- Reporting results of the audit.

Chandrakant Agrawal, Manager (Risk and Compliance team), points out the following to add the value of internal audit:
(i) One more item that would be added is usage of checklist as a tool to make sure all aspects are covered. Also focus on documentation and continuous improvement should be there.
(ii) The Corrective action log would be the most valuable source to support the focus on Quality from the team's perspective.
(iii) The team awareness on policies and procedures and the feel of Quality should also be part of the audit process.
(iv) Sharing of Best practices should also be output of audit so that all involved are benefited.
Internal Audits
http://www.qualitysystems.com/image/51b7ee3a4c8dbd1f72000003/Qwordle-hooked.png/300
An audit is simply another form of inspection and testing – except that in this case the product being inspected is the management system itself.
Like a product inspection, an audit simply compares how things actually are, to how we think they are and how they ought to be.
Audits help uncover areas that are in need of attention and they can be an opportunity to draw back from the day-to-day details and to take look at the whole process with fresh eyes. Despite being such a (potentially) positive tool in the management system toolkit, audits often induce the same kind of stress as end of year exams!
Obviously a great deal rides on a successful external audit so some anxiety is expected. However, a good Internal Audit process can reduce the stress, since you can uncover the problems yourself and resolve them before the external auditor begins.
We suggest you enrol in a professional development course before jumping into the role of Auditor. An alternative is to use an external consultant to perform your internal audits for you.
Quality, safety and environmental management standards all require audits to monitor and report on the effectiveness of the management system. This process is also one of the six documented procedures required by ISO 9001:2008.
A documented procedure shall be established to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results.
You are also required to keep records.
What does an internal audit process look like?
http://www.qualitysystems.com/image/51b6ba3d4c8dbd459d000689/Internal%20Audit.png/300
Each company will have their own particular method, but it will generally follow the same process.
Plan your Audit Programme
Internal Audits need to be scheduled at planned intervals to check that the quality system conforms to requirements and that the system is effective. ‘Requirements’ include the standard itself, as well as the company’s own requirements (i.e., it’s own procedures and policies).
You don’t need to audit every process all at one time. The External Audit may be like this, but internal audits can be spread out with different processes audited at different times – a series of ‘mini-audits’.
The standard does not set out a required audit frequency. Instead, it recommends that you consider how important the processes are, their risks, their prior history of problems, and also your quality objectives. With a series of ‘mini-audits’ you can set different audit frequencies for different processes.
If you are implementing a new management system, we recommend that you should have audited all the processes identified in your management system at least once prior to the initial Certification Audit.
Work out who will audit.
An auditor should be objective and impartial. You cannot audit processes that you manage / control yourself. This means you will need to have at least two internal auditors trained and available. However, due to lack of resources, or sometimes with the crossover of responsibilities that is common in small businesses, having two impartial auditors may not be possible. In this case, you may need to consider using an external resource.
Large organisations may use a team of auditors.
Define the requirements for each audit.
The plan already identifies the area you will audit, now you need to define what criteria you will audit against. Sometimes this takes the form of a formal checklist with a pre-determined list of questions. You can also use a copy of the procedure being audited and mark this up with questions and points to verify. You’ll need to identify what records should be checked to verify the process.

Any previous findings or issues related to the audit area should also be checked.
Even with pre-defined questions, an auditor will still need to ‘follow their nose’ if something is not quite right.

You can define the criteria for the audit prior to each audit rather than having to set this up at the planning stage.

These requirements (checklists, documents, records, etc) should be communicated to the auditee some time prior to the actual audit taking place. (Specify the time in your audit procedure – a week is reasonable)
Conduct the audit
An audit usually starts with an opening meeting where the auditor meets the auditee(s), sets the expected timetable and out how the audit will be conducted.
During the audit, the auditor will work systematically through the checklist or procedure, examining evidence that the process meets the criteria. It’s common to markup the checklist with notes and a quick finding result, e.g.,
C = compliant,
NI – needs improvement,
NC – non-conformance,

http://www.qualitysystems.com/image/51b7efb84c8dbd1f720003ca/Audit.png
When recording the audit, it is important to write down exactly what evidence was examined to establish the finding – regardless of the finding. e.g. auditing employee training records the auditor writes:
http://www.qualitysystems.com/image/51b7f5a64c8dbd22e6000113/audit%20notes.png
(Note that the date is an important part of the evidence).
Usually the auditor will discuss the finding with the auditee before recording it. This is to ensure the finding is understood and to confirm there is actually a problem, e.g. the auditee above may reveal that Joe Bloggs’ personnel folder includes a separate safety briefing record with the required signature. This can sometimes negate the finding, or just change it – i.e. the signature is there, but it is not following the procedure. In this example, the consequences of not following the procedure are minor and the audit finding should reflect that.
The audit will finish with a closing meeting where the lead auditor gives an overall summary of the audit and discusses each audit finding to ensure they are understood.
Document the Audit findings
An external certification auditor will submit a formal written report on the audit to management several days later and it’s common for an internal auditor to do the same. However, there’s no requirement in the standard for a formal audit report. You simply need to ensure the findings are recorded and communicated to management. You could just record the findings and their details in your non-conformance form & register (or as an ‘Issue’ in QSToolbox).
You will need to retain records of the audit which will typically include:
  • Completed Audit Checklists and/or marked up procedures
  • Notes on objective evidence examined, and personnel interviewed
  • Audit Findings (cross referenced to your Nonconformance Register)
  • Audit Report
Take Action on those findings!
Findings raised at both Internal and External Audits need to be addressed with corrective actions. If the audit reveals that we don’t do as we say, then we either change what we do, or change what we say…

At the next audit, the auditor will verify that the corrective actions taken were effective in bringing the management system into compliance.

      Documented Quality System Audit

–Onsite audit of QMS

•Certification Audit

–Sample of business processes

•Process Audit

–Optional
1.       
     Final Certification Audit

–Determines system’s effective implementation

•Continual Certification Audits

–After certification

–Ensure continued implementation
1.      Documented Quality System Audit – an on-site audit of the QMS compared to the set ISO standards.

1.      Certification Audit – during the course of all of the audits, everything included in the ISO 9000:2008 standard will be evaluated multiple times to become certified. Then in three year cycles, all of processes in the organization will be audited so as to keep the certification current.

1.      Process Audit – this audit is generally optional. It is an audit focused on a set of processes within the organization chosen by the organization to make sure procedures and specifications are adhered to during production or service activities. (This is in addition to the processes audited in the certification audit.) Because this audit is optional, it may be a good way for the organization to see the registrar’s style of auditing.
 
2.      Final Certification Audit – the process of audits will lead to continued improvement in the organization and a refinement of the QMS until it meets the ISO 9000:2008 standards. Once the documented QMS has met these standards, the registrar conducts a final audit to determine the system’s effective implementation.

1.      Continual certification audits – Once the organization has completed all of the audits and is ISO 9000:2008 certified, it does not mean that everything is complete. The organization will continued to be audited on a set schedule (usually every six or twelve months) to make sure that the QMS continues to be in compliance with the ISO standards.
Managing Your Registrar's Audit
Tips for Success
by scott dawson
The purpose of the registrar's audit is to assess the effectiveness of your Quality Management System (QMS) by evaluating evidence of its performance. Their goal is to determine conformance of your QMS to ISO 9001:2008 and your own internal requirements.
Some examples of evidence during an audit include:
·         Documentation - what you say you do
·         Records - what you say you did
·         Interviews - how you explain what you do
·         Observations - how you show what you do
The auditors will record all evidence of conformances and nonconformances found. During the audit, they are not looking for nonconformances per se but they will review evidence of nonconformance when it is found during the audit. If they find evidence of a nonconformance they will note the details and likely look more closely at the issue in question to ensure there is an actual nonconformance. If confirmed, this will result in a finding.
Audit findings can results in one of three levels of nonconformance, each requiring a different response:
1.      Major Nonconformance - a neglect to implement a significant requirement in the ISO standard (e.g. no working internal audit program). ISO certification cannot be granted until after the discrepancy is resolved and possibly re-audited.
2.      Minor Nonconformance - a single incident of nonconformance to ISO or internal requirements that does not indicate a complete breakdown of the system, but only an isolated occurrence (e.g. an incomplete management review). This will normally require submission of a corrective action plan to eliminate the nonconformance.
3.      Observation - an incidental discrepancy or an opportunity for improvement noted during the audit (e.g. a document numbering scheme that is confusing or overly complicated). This does not require a formal response to the audit but you may choose to implement the recommendation at your discretion.
Following the audit, you will be given a period of time to respond to nonconformances (typically 30 days). This usually requires completion of a Corrective Action form from the registrar and may require including an example of a corrected document or other appropriate evidence.
Preparing for the Registrar's Audit
·         Any employee may be audited so every employee must be prepared.
·         Notify all staff of the dates of the upcoming audit.
·         All employees should be prepared to:
o    Discuss the quality policy and quality objectives (not quoted verbatim but generally understood)
o    Show procedures, work instructions and records that pertain to their job.
o    Answer the auditors' questions if asked.
·         Be sure that your internal audit and management review has been completed and that corrective actions have been issued for all nonconformances.
The Opening Meeting
·         Invite several key staff to the opening meeting. This should include department heads and other key individuals. You may want to invite the same group to the closing meeting.
·         The auditors will have a prepared introduction to the audit to review the audit scope and objectives.
·         The top manager of your organization should offer a "welcome" and introduction stressing the organization's commitment to ISO and reminders to all staff to fully participate in the audit if called upon and that this is an opportunity to learn.
·         Review the audit schedule and request changes to accommodate staff availability and other potential conflicts. Notify all departments of the audit schedule, keeping in mind that the schedule may change as the audit progresses.
·         Discuss the time and arrangements for lunch. You would normally be expected to provide lunch and should plan to join the auditors for lunch. This is a good time to get to know your auditors and build the relationship.
·         Ask questions on anything you don't understand.
During the Audit
·         Accompany the auditors at all times. It is often best if this is the Management Representative or Internal Auditors.
·         Take notes of all actual and potential nonconformances. Use these notes when the auditors are reviewing their findings at the end of the audit.
·         Help the auditors determine who to speak to during the audit.
·         Offer clarification for the auditors and auditees during the audit, as appropriate.
·         Do not let the auditors look for documents or records on their own. The auditee should locate and present what is requested.
·         If the audit spans more than one day, ask for a short debrief meeting at the end of each audit day to discuss what was seen that day. This will give you a chance to understand any concerns the auditors has with what was found and possibly give you a chance to explain further to avoid a nonconformance.
·         If something is found that can be fixed quickly before the audit is complete, you can sometimes present the fix to the auditors and avoid a nonconformance.
·         The auditors should not offer their own opinion about how you run your organization. Their findings and discussions should be limited to the documented requirements in ISO and your internal documentation. If you believe something is being suggested that is outside of the audit scope, you can ask, "Where does it say in the standard that your suggestion is required?"
·         If you have not closed a corrective action from an internal audit finding before the registrar's audit and the same issue is found, you should produce the issued corrective action from your audit for review by the registrar. This might avoid a nonconformance finding by the registrar because you are showing that your internal process is working.
·         It is normal for auditors to find nonconformances during an audit and rare that none are found. This is often because of the higher level of skill and experience they have in auditing and the "fresh set of eyes" they bring to the process.
The Closing Meeting
·         The auditors will need an hour or two of private time to prepare for the closing meeting. You should provide a work area or room for them to work.
·         The auditors will have a prepared summary of their findings to review during the closing meeting that will include positive things found as well as nonconformances.
·         All nonconformances will be formally documented on a Corrective Action form.
·         Follow your notes taken during the audit as the registrar's report is given. If there are details they overlooked or misunderstood, you can offer clarification during the meeting.
·         If it is not clear what exactly is discrepant in your system vs. the ISO standard, ask for clarification.
If You Disagree with a Finding
·         During the closing meeting, you should discuss any nonconformances reported by the auditors that you do not believe are accurate. This might include something that the auditors misunderstood during the audit or did not see all of the available evidence. Keep in mind that this is not your last chance to address a finding you do not agree with.
·         You may discuss findings you do not agree with or understand, but avoid arguing with the auditors.
·         Occasionally, auditors may include a "suggestion" as a nonconformance rather than an observation. A suggestion is something that might improve a process or simplify something, but is not out of compliance with a documented requirement, whether an ISO requirement or an internal requirement. In this case, you may be able to convince the auditors to change the nonconformance to an observation.
Following the Audit
·         It is suggested that you communicate with all auditees and perhaps all employees the results of the audit, thanking everyone for their participation and reassuring them that nonconformances (if any) will be responded to appropriately.
·         Keep in mind that a nonconformance, even if major, is not the end of the world. You will always be given a chance to correct anything that is found.
Responding to Corrective Action Requests
·         Once the auditors leave you should review each Corrective Action request and determine the proper response. Evaluate each one based on its value and relevance to your organization.
·         Keep in mind that the corrective action you take is up to you. You might decide to change a documented requirement (if it doesn't conflict with an ISO requirement) and avoid the discrepancy altogether. You might decide to retrain staff. You might need to rearrange a work area. But avoid actions that seem to only satisfy the audit but add no value to your organization.
·         Call the registrar if questions arise while you are developing your response.
·         Respond to the Corrective Action requests within the required deadline.
·         Every registrar has an "appeal" process you can use if you simply do not agree with a finding and find it inappropriate.

No comments:

Post a Comment