Familiarity breeds contempt!
Somebody once told us that auditing is 80 per cent preparation and 20 per cent actual auditing, which sounds like a bit of an old wives’ tale until you actually carry out an audit in a way that delivers business effectiveness fndings and then you realize just how true it is!
Preparation starts right back with a basic understanding of the principles of ISO 9001:2008 and the PDCA cycle and goes right through to familiarizing yourself with the organization’s management system, specifc processes and their outputs.
Having been witness to numerous audits by both certifcation organizations and internal auditors over many years, I have rarely seen an auditor who has prepared adequately for an audit. Whether it is failing to arrange meetings in advance, losing sight of the audit objectives or not understanding the links of effective process management, auditors are normally simply not spending enough time preparing for their audits.
People who regularly carry out audits do become blasé as they become increasingly relaxed about the style they have adopted and their knowledge of ISO 9001:2008. In doing so they show a certain contempt by rarely using checklists or feeling the need to effectively plan ahead.
Even though we have carried out hundreds of audits over many years I still prepare and use an audit plan and checklist every time I am asked to conduct an audit, and so should you.
32
Process Management Auditing for ISO 9001:2008
It’s all in the planning…
An audit plan needs to consist of more than the audit date, start and fnish times and the department name being audited, to avoid being promptly put in a fle and forgotten about. A good plan will be developed well in advance of the audit, by the auditor, and certainly not in isolation. They will confer with the appropriate members of the organization to ensure they agree to the timings.
A good audit plan is likely to cover the following:
• objective of the audit;
• what standard(s) are being used as the audit criteria, e.g. ISO 9001;
• date the audit is to be carried out;
• who the auditor(s) will be;
• any special requirements the auditor may have, e.g. working lunch, desk, power supply for laptop computer;
• what processes/activities are going to be audited;
• what methods of auditing are to be used;
• the names of individuals to be seen during the audit with specifc meeting times; and
• date by when the report will be issued and who it will be distributed to.
Please refer to Table 5.1 for an example of an audit plan. By far and away the most important parts of any audit plan are the details concerning the people who will be seen and the specifc meeting times that have been agreed. Auditors cannot expect to turn up and have people sat around all day or over many days, waiting for the auditor to audit them. As an auditor you should assume that no one is going to see you unless you have prearranged the meeting. Apart from anything else, it is just bad manners, and it will lead to a poor relationship with the auditees, so it is critical if the audit is to be successful.
We have lost count of the times auditors turn up at an organization and commence the audit expecting people to automatically be available. They then wonder what they are going to do for the remainder of the day when they discover all the people they need to speak to are either on a course, on holiday or have other meetings! It’s all in the planning.
In preparing your audit plan you will need to take into consideration the overall time available to you to carry out the audit and then work backwards ensuring that you allocate the most appropriate amount of time to each of the people you need to interview.
Planning and preparing a process audit
33
Table 5.1 Example of an audit plan
PROCESS AUDIT PLAN
Objective of the audit To assess the maturity of the process in order to identify any gaps in current performance against the audit criteria detailed below
Date(s) audit to be carried out 25 and 26 June 2009
Criteria/standard to be used ISO 9001 :2008 and the organization’s stated business objectives Process(es) to be audited ‘Managing our capital assets’
‘Purchasing plant and equipment’
Auditor(s) Carl Ford
Date audit report to be issued 7 July 2009 to the fnance director and managing director Any special requirements:
Meeting room for the two days with power, telephone and videoconference facilities.
No need to organize lunch, the staff canteen will be fne.
People to be seen, when and how:
25 June 2009
9.00 am Finance director (process owner) Face to face London 1 0.00 am Finance assistants × 4 Face to face as a group London 1 1 .00 am Finance assistant Videoconference Paris 1 2.00 noon Finance assistant Videoconference Frankfurt
1 .00 pm Lunch Canteen
2.00 pm Finance assistant Videoconference New York
3.00 pm Financial controller Telephone Nairobi
4.00 pm Managing director Face to face London
4.30 pm Consolidate information Meeting room, London
26 June 2009
9.00 am Production director Face to face London
1 0.30 am Production staff members × 8 Face to face as a group London 1 2.00 noon Production manager Videoconference Paris
1 .00 pm Lunch Canteen
2.00 pm Production manager Telephone Nairobi
3.00 pm Finance director Face to face London
4.00 pm Gather information and close audit
34
Process Management Auditing for ISO 9001:2008
One of the major issues facing you is the time available, as this impacts on your ability to test the responses you get with the greatest range of people possible, thus assuring yourself that the evidence you are fnding is a true refection of what is happening. This is not something new and auditing has never pretended to be anything else other than a sample, but you must be satisfed that the sample size is large enough.
Whatever you decide you should always start and end with the process owner. Start off with them:
• to gather information, which you can go on and test throughout the process;
• to understand if they have any particular areas they themselves may want you to assess or review and provide feedback on.
Finally, conclude the audit with them so that you can confrm your fndings and provide overall feedback on what you found.
Preparing your audit checklist
As an auditor you should never underestimate the usefulness of an audit checklist and just how important it will be to you. The purpose of the checklist is to:
• ensure you cover all the questions/areas required to meet the audit objectives;
• act as a focal point for the audit, as it is easy to become distracted as you follow the audit trail;
• allow you to record notes against specifc questions as you go, so you can easily reference them when talking to different people;
• ensure you can easily compile the audit report from the notes you have made without relying on just your memory.
But how do you decide what you should include in your checklist? Well, how detailed you make your checklist is a very personal thing and is likely to depend upon several factors not least how experienced you are and your ability to read the detail described on the checklist without disturbing the fow and focus of the audit itself.
Before you can begin to prepare your audit checklist you frst have to design it or, should you fnd it useful, copy the example shown in Table 5.2.
Your design will no doubt evolve over time to refect your own personal style and needs.
Having decided on what your checklist will look like you now have to populate it with all the questions you are going to need to ask in order to complete your audit. These are the questions that will test:
Planning and preparing a process audit
35
• the eight principles of ISO 9001:2008;
• the effective implementation of the Plan, Do, Check, Act methodology;
• auditor tool 1;
• auditor tool 2; and
• actual process activities.
This means all of the things we covered when looking at the auditor tools and objective evidence in the previous chapter.
In addition, your checklist should include questions or areas to look at that are specifc to the process or processes you are auditing. In order for you to do this you will have to undertake some research and make requests for information from relevant people. This is a relatively straightforward task if the audit is going to be carried out internally as you will know the organization and will be able to acquire the appropriate information. However, this can prove to be more of a challenge when you have no prior knowledge of the company.
Typically your research should focus on trying to obtain information on:
• what the organization does and who its customers are;
• its mission, vision, policies and business objectives;
• organization structure and process ownership;
• the management system structure and links between processes;
• copies of process maps; and
• company and process performance data.
You should allow yourself plenty of time in advance of the audit to gather the information and compile your checklist. Remember the audit starts from the moment you start compiling information and preparing your checklist, not from the moment you ask your frst question of the process owner; it is much too late by then to get it right if you have not planned thoroughly.
If you are not able to carry out the background research or obtain the information you would like in order to prepare thoroughly for the audit, then you must allow yourself more time to carry out the audit itself and to collect this as you proceed. This is certainly not the most effcient way to carry out an audit, but sometimes you will have no choice. Without this information your audit will be fawed, so you must obtain it early on if you are to be effective.
As I said right at the outset of this chapter preparation is 80 per cent of the audit and you have to ensure you have prepared adequately to avoid being led by people rather than you leading the audit. Remember that you are there to control the audit, not them.
36
Process Management Auditing for ISO 9001:2008
Table 5.2 Example audit checklist
PROCESS MANAGEMENT AUDIT CHECKLIST
Subject: Auditor: Date: Audit No.:
Checklist
Ref. No. Item Comments Report Ref.
Planning and preparing a process audit
37
To summarize the preparation required:
• make sure you fully understand the eight principles and the PDCA cycle;
• be clear on the objective of the audit;
• plan the audit carefully making sure you allocate the appropriate time to each element and sample enough people;
• book meetings with people well in advance, don’t expect them to just be waiting for you!
• understand the management system and process connections;
• know the business objectives and customer requirements and make the connections to process outputs; and
• always use a checklist!
38