Effective Internal Audit Planning:

(1)

Effective Internal Audit Planning:

ISO 9000 Users Group - ASQ Section 509,

Wednesday, January 20, 2010

By David Collingham, CQA/CQE

(2)

Outline

• Definitions of Key Audit Terms

• Types of Audits

• Nonconformance Types

• ISO 9001:2008 Internal Audit Requirement

• Common

NCR’

s

i

s

ued

by

Regi

s

t

r

ar

s

r

el

at

ed

t

o

Audi

t

s

• Miss-Conceptions About Auditing

• What does the Industry and Product/Process have to do with Planning an Audit?

• How much do I invest in Auditing?

• Why do we Audit?

• First Party Audit Process Steps

• Planning Audits

• Typical Audit Schedules and Forms

(3)

Definitions of Key Audit Terms

• Effective

- producing or capable of producing an intended

result

or

having a

striking effect

• Planning

- the act or

process

of

drawing

up plans or layouts for some

project

or

enterprise

• Audit

- a methodical

examination

or

review

of a

condition

or

situation

(4)

•First Party

When a Company uses an internal person to perform an Audit on itself.

•Second Party

When a Company uses an internal person to perform an Audit

on its Supplier or an other organization.

•Third Party

When a Company is Audited by a third party independent of the

Compa

ny’

s

Cus

t

ome

r

.

Audit Types

(5)

Nonconformance Types

•Major

When the Quality System exhibits a void where an element of the

system has not been documented, implemented or is not effective.

In addition, the nonconformance does risk the shipment or delivery

of nonconforming material to the Customer

•Minor

When the Quality System is documented, implemented and effective, but

has exhibited a random nonconformance. The nonconformance does not

risk the shipment or delivery of nonconforming material to the Customer

•Comment

When an Auditor identifies an improvement opportunity that is not

a major or minor

(6)

ISO 9001:2008 Key Elements

Key

Value-adding activities Information flow

Continual Improvement of

the Quality Management System

Customers Customers Requirements Satisfaction Management Responsibility Resource Management Measurement, Analysis and Improvement Product

Realization Product Output Input

4.0

5.0

6.0

7.0

8.0

(7)

ISO 9001:2008 Internal Audit Requirement

Measurement,

Analysis and

Improvement

8.2.2 - Internal Audit

The organization shall conduct internal audits at planned intervals to determine whether the quality management system:

a) conforms to the planned arrangements, to the requirements of this ISO Standard and to the quality management system requirements established by the organization, and

b) is effectively implemented and maintained.

The audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and

methods shall be defined. The selection of the auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

8.0

(8)

Common

NCR’

s

i

s

ue

d

by

Re

gi

s

t

r

ar

s

r

e

l

at

e

d

t

o

Audi

t

s

• Audit Plan/Schedule does not address all elements (major paragraphs)

of the ISO 9001:2008 standard

• Audit Plan/Schedule does not address multiple facility locations, work

shifts (shift 1, 2 & 3) or scope of business/registration

• Audit plan/schedule is not approved

• Audits are not completed as scheduled

• Audits are performed by personnel who audited their own work

• Audit results do not have written signature or electronic signature by

Auditor with date

• Audits were not conducted in an effective manner

• Auditor(s) received no internal auditor training

(9)

Miss-Conceptions About Auditing

• There needs to be 35 Internal Audits performed for ISO 9001:2008

(i.e.4.1-4.2.2, 4.23, 4.24, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.4.3, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.6, 8.1, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.3, 8.4, 8.5.1, 8.5.2, 8.5.3)

• I can not conduct 1 audit of the ISO 9001:2008 QMS each year

• We must use an outside contractor to perform our audits

• All the ISO 9001:2008 elements need to be audited every year

• I

f

you

don’

t

s

pend

2-5 hours on each audit, then you are not doing your job

• The Auditor must prepare a checklist list using his or her own questions in

order to perform an effective audit

• I can use typed audit checklists with typed in results with typed in names and

dates (no written or electronic signature)

• If the Audit Report does not weight 3 pounds, then it must not have been

performed correctly

• We

can’

t

us

e

t

he

r

ecept

i

oni

s

t

or

f

i

nance

per

s

on

t

o

conduct

audi

t

s

,

becaus

e

she/he does not know what we do

(10)

What does the Industry and Product/Process have to do with

planning an Audit?

• Critical, High Risk and High Exposure Industries/Products/Processes:

(11)

•High Risk

•High Complexity •Critical to End Mission •High Maintenance •High Failure/Reject Rate

Appraisal/ Prevention Investment; Audits High $

Risk Level

1

2

3

4

5

6

7

8 9 10

High

How much do I invest in Auditing?

Effective Internal Auditor Planning

(*) Graph not to scale Point 2 Point 1

Industry/Product/Process

•Low Risk •Low Complexity

•Not Critical to End Mission •Low Maintenance

(12)

Why do we Audit?

• Provides Senior Management an independent examination of business

processes

• To identify improvement opportunities in processes/products/services

• Proactive approach to prevent/reduce the risk of producing defective

product/services

• To identify needs for training, tools/fixtures, methods, etc.

• Enhances communication and training

• Provides a means for operator feedback

(13)

• Audit Process Steps:

A - Prepare Audit Schedule and Obtain Management Approval

B - Schedule the Audit(s)

C - Obtain Audit Requirements

D - Examine prior Audit Results and Corrective Actions

E - Prepare Audit Check List(s) and Any Other Support Questions

F - Conduct Audit Investigation

G - Record Audit Finds and Obtain Auditee Acknowledgment

H - Prepare Audit Report

I - Obtain Corrective Action(s)

J - Follow-Up On Corrective Action(s)

First Party Audit Process Steps

(14)

Effective Internal Auditor Planning

Planning Audits

• What is the budget for conducting audits? Hours? Dollars?

• How many audits do we need to do?

• How

I

’

m

I

goi

ng

t

o

be

val

ue-added?

• What does Senior Management feel is critical to the business success?

• Gain a clear understanding of what is expected from conducting the audits?

• If we spend money from the Overhead Budget for conducting audits, what is

expected for the investment?

• What are the critical processes/products that need to be examined?

• What does our past internal audit results tell us to focus on?

• Do we have any new areas/processes/staffing/equipment/vendors that requires

more focus than other areas?

• What facility locations, functions, processes/products and work shifts need to