Increasing the Value of Your Internal Auditing Program

Introduction: ISO 9001:2015 mandates the determination of methods necessary for Quality Management System (QMS) processes to achieve their desired results and implement changes to ensure their effectiveness. This requirement extends beyond operational processes to include QMS support processes like Internal Audit. Unfortunately, Internal Audits often fall short of expectations, seen as minor or inconsequential tasks. This article explores how to transform the auditing process into a valuable management tool using the Plan-Do-Check-Act (PDCA) methodology.

ISO 9001:2015 requires that we determine the methods necessary for Quality Management System (QMS) processes to achieve their desired results and implement the changes needed to ensure the process is effective.  We usually think of these requirements in the context of operational processes like production, purchasing, design, etc.  However, they apply equally to QMS support processes like Internal Audit.  Too often, 

  • Companies experience internal audit results as minor, inconsequential, not adding any value, and not moving the company toward really impactful improvement activities 
  • Management views internal audit findings as lacking a perspective on “the big picture” and thus deems them unimportant
  • Internal audits are viewed as a “necessary evil” rather than a valuable management tool

This article explores how to transform the auditing process into a valuable management tool using the Plan-Do-Check-Act (PDCA) methodology.

The Power of PDCA:

PDCA is a versatile tool within your QMS toolkit, offering a structured framework for various initiatives, including process improvement. It not only guides planning and implementation but also gauges success, making it a valuable asset in your quest to maximize the value of internal audits.

PLAN:

In the PDCA cycle, planning is paramount, yet it is often overlooked. To increase the value of the internal audit process, we must begin with a clear goal. In this case, the goal is to enhance the value of internal audits. To set the stage effectively, we need to answer critical questions:

  1. What is the purpose of the internal audit? ISO 9001 tells us the purpose is, at minimum, to provide information as to whether the QMS is both conforming to requirements and is effective in achieving the results the organization desires from the system. Do you have secondary objectives (benchmarking, identifying best practices, etc.)?
  2. Who are the intended users (or customers/stakeholders) of the information gleaned in the internal audit program? Identify the intended users of audit information, which typically includes senior leaders and operational managers. Think of the internal audit process as an information service aimed at these “internal customer groups”.
  3. What does a successful internal audit program look like?  The “customers” of the internal audit process will actually consider and use the results/information as meaningful input into decisions and actions to be taken to improve the system, allocate resources and resolve systemic problems.
  4. What are the internal audit customer/stakeholder expectations of the internal audit process, what do they deem as useful and meaningful information, and how do we find that out?   There are a number of ways to do this depending on the make-up and culture of the organization, e.g., surveys of or interviews with internal audit information customers (both senior and operational) to find out:
    •  what they think is the purpose/objective of the internal audit process;
    •  what they consider valuable audit results/what they are looking for;
    •  their satisfaction with audit information provided currently;
    •  their thoughts on what can be improved, where to concentrate/prioritize audit efforts, etc. 
  5. What should be the objective(s) of the internal audit process to demonstrate that we are meeting the needs/expectation of the audit process customers/stakeholders, i.e., that the audit program is successful?  This objective(s) must, of course, be consistent with the expectations of the internal audit customers.  Priority should be given to allocating audit program resources to those matters/processes of significance for the audit customers and within the QMS, i.e., processes of key importance to management, to product quality and with significant impact on organization customers.  In addition, the audit program objective(s) should:
    • Define the required results of the program
    • Direct the planning and conduct of audits
    • Ensure effective implementation of the program in addressing internal customer needs/expectations
    • Examples of audit program could include: 
      • senior leader and manager satisfaction with the information produced by the internal audit.
      • evaluation of the capability of the QMS to produce conforming product at the lowest possible cost, and points out priority areas for system improvement
      • the alignment of the QMS with/contribution to overall business goals
      • the ability to fulfill external certification requirements
  6. What information (measurements/key performance indicators (KPIs) do we need to know if we are achieving the objective(s)? Measurements need to be tangible and provide information to evaluate the extent of achievement of audit program objectives, including providing information in contributing areas.  One avenue is to take a “balanced scorecard” approach to factors that could contribute to audit program objective achievement, e.g., 
    • Customer/stakeholder value (akin to customer satisfaction)
    • Audit quality
    • Audit timeliness
    • Auditor competency
    • Nonconformity resolution effectiveness and timeliness
  7. What are the sources of this information?  What is necessary to collect it?  How often is it collected, analyzed?  Who will do this? How often and to whom is it reported? How will the measurement information be used to improve the audit program?  The answers to these questions will, of course, depend on the extent of your IT systems and whether or not such information is electronic or must be collected manually.  If you are collecting the information manually, you will need to include in your implementation plan a very detailed definition of the information and a method to ensure the information can be verified for accuracy and consistency.
  8. What are the actions, steps, tasks that need to be completed to achieve the objective (s) of the audit program?  This is the implementation plan/map; what road do we take to get from here to there?  This roadmap should include not only the required tasks/actions, but also (for each task) the owner and planned due dates.  Examples of such tasks could include, but would not be limited to: 
    • determination of stakeholder requirements
    • establishment of aligned program objective(s)
    • establishment and data collection of measurement(s) to achieve objectives
    • determination of audit program  measurement data analysis and evaluation applications
    • determination of audit program resource requirements to achieve objectives (auditor pool requirements or outsourcing, travel and logistics, remote audit capabilities, if needed, audit schedules, etc.)
    • establishment of auditor training, competency evaluation and improvement actions
    • determination of, effective audit follow-up and corrective action programs
    • determination of audit program risks (to objective achievement) and mitigations, as needed
    • determination of audit program effectiveness evaluation methods and timelines
  1. How do we check our progress along the way? What are the milestones?  Are there any dependencies among the tasks?  Can tasks be performed in parallel? Do I need a formal project management approach or can I do this simply with a word table?  How often do I need to check progress and task status, etc.? In defining the implementation plan, there should also be determination of what are the risks to achieving the plan; what could go wrong; and how to mitigate such issues.
  2. What should be included in a program for evaluating and improving auditor competency? This step is of the highest importance in ensuring that internal audits result in information valuable to leaders and operational managers.  Quality of the audit program can be directly correlated with the competency of the program auditors.  Auditor competency evaluation should include:
    • Determination of the auditor competency needs (including personal behaviors, knowledge of the QMS standard and, if applicable regulations; auditing skills, and business/technical knowledge)
    • Establishment of auditor evaluation criteria, including:
      1. Qualitative (e.g., demonstration of personal behaviors, performance of audit skills, knowledge of business operations, etc.) 
      2. Quantitative (e.g., number of audits conducted, hours in audit training, timeliness of audit reports, etc.)
    • Establishment of auditor competency evaluation methods (e.g., witness audits, stakeholder surveys, review of audit results, etc.) 
    • Evaluation and measurement of both individual auditor competency and aggregate auditor pool competency
    • The outcome should provide for:
      • Ongoing auditor performance evaluation
      • Determination of both individual and aggregate competency improvement options (e.g., training, coaching, assignment rotation, etc.)

DO:

With a well-crafted plan in place, it’s time to execute. Monitor progress closely, address unforeseen challenges, and adjust the plan as needed to maintain momentum.

CHECK: 

After implementation, it’s essential to assess whether the audit program is achieving its objectives:

  1. Objective Achievement: Determine if the audit program has met its objectives.
  2. KPI Analysis: Analyze KPIs to gain insights into program effectiveness.
  3. Current Situation: Assess whether the current situation aligns with envisioned success.
  4. Identifying Risks/Opportunities: Identify any additional risks or opportunities for improvement in the audit program.

ACT: 

Based on the results of the Check phase, the organization should take appropriate actions to further enhance the audit program’s effectiveness or continue monitoring progress toward objectives.

Summary:

Identifying clear objectives for your QMS audit program is crucial to evaluating its effectiveness.

Utilizing a balanced scorecard approach for measuring audit program effectiveness ensures both value and quality are considered. Auditor competency plays a pivotal role in audit program success and should be formally evaluated and improved. By implementing the PDCA methodology and addressing these critical aspects, organizations can transform their internal audit process into a valuable tool that drives meaningful improvements and aligns with strategic objectives.

Contact Quality Auditing today if you are interested in taking your internal audit program to the next level. 

Other Articles

ISO 9001 Documentation Requirements vs Myths

Introduction: The ISO 9001:2015 standard brought a significant shift in how the terminology around documentation. Unfortunately, misunderstandings and misconceptions have clouded the true requirements. This article aims to clarify ISO

Read More »

Related Standards

10 CFR 50

What is NQA-1? How Did it Start?   The NQA-1 quality assurance standard relates to the design, construction and operation of nuclear facilities in the US. The American Society for

Read More »

ISO 9001

What Is ISO 9001? How Did It Start? ISO 9001 is a standard related to quality management systems and is designed to help organizations ensure that they meet the needs

Read More »

ISO 45001

AS9100 – How Did It Start? Prior to AS9100 aerospace-specific standard being established, companies used ISO 9001, Boeing’s D1-9000, or the automotive QS9000 standards to govern their quality management system.

Read More »