I am often asked how companies are training their internal auditors to be more effective. Since I am a full-time registrar auditor and not a consultant, I have to remind my clients that I (like any registrar auditor) can NOT tell them what to do or how to go about making the changes that they are looking for. What I am allowed to do is to share what I consider best-in-class ideas/practices of what I have seen being done in industry today.
A common scenario that I see with many clients is a process where personnel are trained to be internal auditors and then they spend one to a couple of days per year performing internal audits for their organizations. There is limited to no updated training or discussions around what might work better or what tools the person might learn to utilize in conducting more effective audits. In one case, as I was reviewing an audit report for one company that was conducted by one of their quality engineers, it was obvious to me that the person was not putting much effort into the audit process. When questioned, the quality engineer admitted in front of the quality manager that they did not think that anyone would ever read the report! Yes, that was a nonconformance finding that I wrote for lack of effective audit.
Many organizations simply send the internal auditors to the process operations to review a department or area using a predetermined checklist. The checklists are usually specific to the area that is to be reviewed, but rarely are they updated! And many times, when I see these reports, the internal auditor simply answers yes or no as to whether that question is being done in the process.
So how does a company encourage employees to perform and to seek to learn more about effective auditing? One answer would be that the management team needs to review the reports (at least during the Management Review Process clause 9.3) that they get and coach individuals if they feel things are lacking or missing. If management is not reading the reports, why bother doing audits – OK, the standard says the management team shall review inputs to the Management Review (9001 clause 9.3.2 C6, 14001 clause D4, and 45001 clause D4)!
Some companies do allow and encourage the internal auditors to add questions to the checklist based on various criteria or audit trails. A better approach that I see sometimes is when the checklists are accompanied by some form of process graphic (picture of the process: flow chart, swim lane diagram, turtle diagram, etc.) and the auditors will either review the graphic with the process owner or question personnel in the process about what they are doing in comparison to the graphic. Another common technique by internal auditors is to use the process work instructions to question or observe personnel doing the work.
One of the larger challenges here is to get the internal auditors outside of the habit of not being able to see the “forest for the trees.” I will even hear occasionally someone say: “That’s the way that we have always done it.” Training and encouraging the internal auditors to be more inquisitive around why things are being done the way they are can go a long way in having more effective audits. This usually takes practice and encouragement and the management team themselves should probably be going out with the internal auditors to help encourage questions on the production/service processes.
One question that I typically ask the top manager at a site is if they have any employees working there that they think might make good managers someday. The answer is always yes and then I ask if these personnel are internal auditors – I usually get no to that question. I point out that the best-in-class organizations use this idea as a form of success planning training for up-and-coming personnel to give them an opportunity to view various parts of the organization and to seek improvement ideas across the organization. This management coaching process is also used for other internal auditors to help them see a bigger picture of the company and develop them even though they may not be considered “high potential” personnel.
When reviewing the training of internal auditors, my common question is what were the training materials based on? While some companies use outside resources (and there are a lot of options), others train new auditors using in-house materials or trainers. In either case, the answer should be the same: ISO 19011:2015. However, I get blank stares many times from clients as to what that is. So, I have to point it out in ISO 9001 in clause 9.2 after the letter “f” or in ISO 14001 or ISO 45001 in the bibliography. The ISO 19011:2015 Guidelines for auditing management systems is the primary guidance document from ISO relating to any of the 50+ management system standard (MSS) auditing processes. This guidance document should be the basis of all auditor training – first party, second party and what I do as a third-party auditor.
The main text of the guidance document covers: 4 Principles of auditing, 5 Managing an audit program, 6 Conducting an audit, and 7 Competence and evaluation of auditors.
Auditing is based on seven basic principles (verbatim from ISO 19011 – clause 4):
- Integrity: the foundation of professionalism
- Fair presentation: the obligation to report truthfully and accurately
- Due professional care: the application of diligence and judgement in auditing
- Confidentiality: security of information
- Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions
- Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process.
- Risk-based approach: an audit approach that considers risks and opportunities
Managing an audit program covers several considerations that the auditor or auditing team leader should be considering. Some of these areas include (verbatim from ISO 19011):
- objectives for the audit program;
- risks and opportunities associated with the audit program (see 5.3) and the actions to address them;
- scope (extent, boundaries, locations) of each audit within the audit program;
- schedule (number/duration/frequency) of the audits;
- audit types, such as internal or external;
- audit criteria;
- audit methods to be employed;
- criteria for selecting audit team members;
- relevant documented information.
Note that this list fits in well with the developing literature around “Risk Based Internal Auditing,” which is becoming more prevalent today. This is where a company looks at their various processes and labels them as high, medium or low risk areas and then changes the frequency of conducting audits in those areas based on the risks to the bottom line of the organization, i.e., high risk is audited twice a year, medium risk once a year and low risk every other year.
The guidance document 19011 has a number of other considerations for managing an audit program and includes a process flow in figure 1 of the document.
Conducting an audit (clause 6)
Here most companies are following the basic guidelines found in the ISO 19011 guidance document. The ISO does not recommend risk-based auditing and that is where the best-in-class companies are heading next.
Competence and evaluation of auditors (clause 7)
Again, the guidance document has some ideas here, but this is a generic Management System Standard (MSS) auditing guideline and gives few details in how to train auditors for a specific scheme of auditing. Many companies still rely on local internal experts in a given area to be the auditors or at least the guides for those area audits.
The challenge being faced is how do we get beyond just the check sheets when conducting internal audits and integrate the auditors at the same time. Here is where the training in process approach to auditing comes in. And this centers around training the auditors to use some form of a graphical tool in their auditing process. These can include tools such as: flow charts, turtle diagrams, SIPOC diagrams, swim lane diagrams, cause & effect diagrams and others. An interesting idea for helping to teach a new auditor how to use one or more of these tools is to send the person to the local McDonald’s to sit somewhere where they can see what happens behind the front counter and to use one or more of the diagrams to map out what they are observing. Then come back to your organization and do the same thing by watching the process and talking to the process owners.
If your organization already incorporates flow charts into some or most of your procedures or work instructions, then have the internal auditor verify and mark up the existing graphics with what they are observing.
Internal Auditor Qualifications
As for training your internal auditors to be aware of the various MSS that you may be utilizing or at least the common big three of 9001, 14001 and 45001, there are a few things that could be useful in your internal training program.
Quality – look up in the ASQ Certification program the Body of Knowledge for the Certified Quality Improvement Associate (CQIA). This is in essence the Yellow Belt of quality and could be the basis of training for any auditor looking to conduct 9001 audits.
Environmental – look up on the web: Certified Environmental Specialist. These online courses are typically 24 hours and cover the basics of EPA regulations and an overview of the environmental area.
Health and Safety – look up on the web: 10-hour General Industry OSHA training. There are a number of these courses available, and they actually should be taken by all the supervisors in the organization besides the internal auditors. There is also a 30-hour course for those who need more advanced knowledge in the OHSAS field.
Another option for industry specific training – go to a local large public or school library and look in the reference section for the Encyclopedia of Associations. This reference, which is NOT available online, is a full listing of all IRS 503C organizations and you should be able to find an organization dealing with any technical information that you might be looking for.
Another common training tool that I have witnessed being used is for an organization to conduct a periodic lunch and learn session with their internal auditors to bring them all together (quarterly, bi-annually or annually) to discuss internal audit issues and/or to watch pre-screened training materials from sources such as YouTube or ASQ TV.
One final tool that internal auditors should learn is the run chart! By utilizing the process approach and looking at a six month to one year run chart for a key metric in the area to be audited, the internal auditor should be able to ask any number of audit trail questions about how things have been running and to verify if the area has seen any improvements over the recorded timeframe. This could be as simple as looking at the total production for an area versus the scrap that has been produced in the same timeframe, looking for any patterns that may have developed when production is running well versus not so well, and asking about what was done to improve production.
The random audit versus more robust auditing. Here the key is to know that the Registrar is conducting what they call a random audit, which is a sampling of the standard(s) to be reviewed by the registrar. So, what this means in simple terms is that we all know that the word “shall” is a mandatory requirement in the MSS process. If we look at the ISO 9001:2008, there were 136 times that the word shall was used. In ISO 9001:2015, the word shall appears 131 times. Does that mean that the 2008 was harder than the 2015 – NO. In reality, and I call the ISO ingenuous on this, many of the shall’s have letters of specific items related to that requirement.
So, in ISO 9001:2008, the shall’s had 36 of these groupings (I call these shall statements) with only one of those having six items (a-e). However, in the ISO 9001:2015, there are 52 groupings with 11 of them going over six items being listed. If you count all of these shall statements up, instead of the 131 shall’s, you get 365 shall statements. The external auditor cannot possibly look at all of these, so will randomly select some to review during the external audit.
The internal auditors need to do a much more robust audit over the course of the three-year audit cycle to ensure full compliance by the company that they are meeting the intent of the scheme. Since your internal auditors do not know which specific items will be reviewed by the external person, a more robust internal audit should be performed which goes well beyond the use of simple check sheets.
Some of the common standards with their shall’s and shall statements include:
In Summary
In today’s world, even if your organization is only registered to one ISO scheme, it makes a lot of sense to train your internal auditors to be fully integrated in how they conduct their audits for at least the ISO 9001, ISO 14001, and ISO 45001. This only makes good business sense, and I am seeing more and more companies gravitating to this approach to help the organization save bottom line results in their organizations. If you have not already done this, are you willing to start?