Help Has Arrived
by J.P. Russell
Change or pay a price for remaining the same. This saying applies to life in general and the auditing profession in particular.
The third edition of The ASQ Auditing Handbook¹ is now available. The U.S. version of the ISO 19011 system auditing guideline standard² was issued in 2004.
The new edition of the handbook and system auditing standard are not ho-hum updates. They reflect the changes in the auditing profession and audit program management demanded by customers of system and process audits. Functional managers, audit program managers and auditors must heed the changes and be ready to change their own processes.
Many recent audit handbook changes are a result of the need for the auditing process to be an effective management tool to verify systems and processes are compliant or conformant, effective and continually improved.
The expanding scope of auditing brings about increases in competency requirements for existing and new auditors. Auditors need the knowledge and skills to meet customer expectations. Considerations such as ethical conduct are with us all the time, but changes in society can result in new challenges.
Help From the Handbook
The chairs of ASQ’s Quality Audit Division or Certification Committee can’t learn what changes are taking place in the auditing profession from personal observations or sitting in meetings in Milwaukee.
Therefore, every five years or so, a survey is sent to industry experts and thousands of audit practitioners to find out what is important for auditors to know. The survey reveals what needs to be deleted and what needs to be added to or changed in the ASQ certified quality auditor (CQA) body of knowledge (BoK).
General New Topics
The newly modified BoK then becomes part of the specification for a new handbook edition.
General new topics and practices in the 2004 CQA BoK include:
- Common audit elements. Many auditing techniques are common to most process and system audits. The audit purpose, standards to audit against and some data collection techniques may vary, but the basic auditing steps and activities are the same.
There can be process or system environmental, quality and safety audits. Hence the new audit handbook provides guidance for all types of audits and refers to quality only when discussing a quality process or system audit. It does the same for environmental, safety, health, aerospace and medical audits.
Audit Beyond the Standard
Start thinking of audits as process and system audits, with the standard being audited against being only part of the audit criteria.
- Process method. The redesign of the ISO 9001 standard using the plan-do-check-act cycle and the process approach for establishing a management system have popularized the use of process auditing techniques for both process and system audits. Auditors should use the process method instead of the element method when auditing to improve overall audit process effectiveness and add value.
- New terms and concepts. New terms auditors must be familiar with and able to explain to others include: performance audit, process methods, continual improvement, effectiveness, efficiency, value, audit criteria, objectives, risks, flowcharts, process flow diagrams, process maps, audit evidence and noncompliance compared to nonconformity.
- Corrective action and closure. The corrective action process and audit follow-up steps are included in the 2004 BoK as part of the audit process. This emphasizes the need to ensure organizations benefit from the audit process and improves auditor accountability for finding important systemic issues that need to be addressed. Auditors should actively promote corrective action that prevents recurrence of findings and discourage superficial and remedial actions except as temporary containment actions.
Specific New Topics
Specific new topics included in the 2004 CQA BoK include:
- Managing audit teams. There has been little guidance for qualification of lead auditors and how to manage teams. Auditors are assigned to lead audit teams, but I cannot think of any auditing course that I have presented or taken that has a lecture on audit team management.
I have observed lead auditors who did not communicate enough with the team, failed to discuss assignments, did not review strategies for achieving the audit object and had people skills that needed a lot of improvement. If you know good practices for leading teams, facilitation techniques, team member roles and the classic team development stages of forming, storming, norming, performing, you have a good start on this topic.
Lead auditors and audit team leaders need to know how to lead. Lead auditors need auditor-to-auditor and auditor-to-auditee management people skills.
- Verification or validation of audit criteria. Auditors need to be familiar with available data collection techniques and have a level of confidence for ensuring audit criteria are being met. Auditors may verify or validate requirements (audit criteria) are being met.
In general, verification is checking or testing, and validation is actual performance of its intended use. Validation of requirements is a higher level of assurance than verification but may not be necessary or desirable due to risk-benefit considerations. Given audit process constraints, auditors must determine the appropriate level of investigation and evaluation considering risk and cost.
- Change control (as in management/business change controls). This is not to be confused with document and records control. Organizational changes must be controlled so unnecessary risks are avoided.
Configuration management is an oversight activity for monitoring and controlling changes to configured products, services and systems. It ensures existing product, service or system configuration is documented, traceable and current (accurate) during its life cycle. A configuration management program may include a plan, procedures and identification conventions, change, records and self-audit processes.
At minimum, auditors should be familiar with configuration management system processes and the need for them.
- Risk management. The kind and degree of risk must be managed. There may be safety (worker or customer injury), environmental (pollution, fines), financial (loss of revenue, excessive cost) and customer goodwill (loss of future sales) risks.
Management needs to be informed of risks to the organization as input into the decision making process. Risk management is about identifying project, process and product risks and providing the resources to reduce or mitigate risks.
When risk assessment is part of the audit purpose, auditors should assess over- or underachievement, performance strengths and weaknesses, process responsiveness and the degree of optimization needed.
- Interrelationships between business processes. An organization may have a management system that includes sales, marketing, purchasing, production, operations, research and engineering. Customers provide inputs to and receive outputs from a business management system. The input starts with customer requirements.
The organization plans, secures resources and provides the product or service to meet the need. The system outputs can be information, products or services that satisfy customer needs.
Some of the more significant system breakdowns that impede system effectiveness and efficiency are the coordination and flow of information from area to area or process to process. Process auditing techniques should verify and validate the process flow of work from customer order (inquiry) to providing the product or service.
Auditors should be able to explain a process and know how to follow process steps to test linkages and interactions for system weaknesses.
- Changing roles of auditors. An auditor may audit, consult or advise either auditees or management. This topic is about how auditors may take on different roles but still maintain the integrity of the audit process and avoid conflicts of interest. As a resource, auditors’ knowledge and skills need to be shared to their fullest extent. Think of ways to be a management team member and how auditing is an important management tool for oversight and leadership.
- Cost of quality. This is a new topic but not new to many process and system improvement professionals. What is new is linking auditing to organization wealth. When allowed, auditors should link audit results to organizational objectives and economics. Know how to link audit results to cost reduction, and understand cost of quality program tools.
For More Information
For complete information on the new topics, overall tenor of the changes and refinement of existing BoK topics not covered in this column, I suggest using The ASQ Audit Handbook for self-study or taking one of ASQ’s e-learning classes that cover the additions to the 2004 CQA BoK.
Some have complained to me that perhaps the CQA BoK has gone too far and auditors don’t need to know about continual improvement tools such as Six Sigma, lean, the cost of quality or statistical sampling techniques.
But we do know auditors should not isolate themselves; they need to gain more knowledge about various aspects of an organization. To ensure auditing is an effective management oversight tool and meets customer needs, auditors need to continuously improve.
Help From ISO 19011
There are many good things about ISO 19011—Guidelines for Quality and/or Environment Management Systems Auditing.
It contains much information that adds value to auditing, is professional and is organized in a logical manner. I am pleased the idea of auditing as a process has caught on.
Unfortunately, the ISO 19011 standard still has a third-party audit orientation, but it nevertheless has much to offer all audit programs.
I particularly like the lists of activities to consider during the audit process, and the clause on auditor competencies is a good resource for determining auditor competency needs.
I would also like to bring your attention to a seemingly unimportant item that has the potential to loom large. As a reviewer for the development of the ISO 19011 standard, one comment I (and likely others) submitted was about expanding ethical code responsibilities beyond the auditor’s actions. We don’t want an Enron or Global Crossing to recur.
One suggested corrective action element required a more holistic process approach to professional ethics. In addition to auditors being required to adhere to a code of ethics, audit program managers should be responsible for promoting and monitoring ethical behavior.
The ANSI/ISO/ASQ QE19011S-2004 Guidelines for Quality and/or Environment Management Systems Auditing, U.S. version with supplemental guidance added, includes the following clauses:
- Clause 5.3.1, audit program responsibilities. The audit program is also responsible for addressing the adherence of auditors and audit program managers to proper ethical conduct.
- Clause 5.6, audit program monitoring and reviewing. Audit program review should also consider the audit program performance (schedule completion, auditor performance, effectiveness of audit follow-up and ethical conduct of auditors and audit program managers).
Higher levels of ethical conduct can only be achieved when it is actively promoted by management and when auditors are supported instead of being left on their own.
The ASQ Audit Handbook represents input from audit practitioners and is a hands-on, self-help type manual. The ISO 19011 system auditing standard provides international consensus on what quality and environmental auditing practices should be. Together, they advance the quality audit profession and its practitioners.
References
1. J.P. Russell, editor, The ASQ Auditing Handbook, third edition (formerly called The Quality Audit Handbook), ASQ Quality Press, 2005.
2. ANSI/ISO/ASQ QE19011S-2004, Guidelines for Quality and/or Environment Management Systems Auditing, U.S. version with supplemental guidance added, ASQ Quality Press, 2004.
J.P. RUSSELL is president of J.P. Russell & Associates, Gulf Breeze, FL, and operations director for Quality WBT Center for Education at www.QualityWBT.com. He is a Fellow of ASQ, secretary of the American National Standards Institute/ASQ Z1 committee, member of the U.S. technical advisory group for International Organization for Standardization, known as ISO, technical committee 176 and secretary of ISO technical group 9001/4. Russell is an ASQ certified quality auditor and author of several Quality Press books, including Process Auditing Techniques, Internal Auditing Basics and ISO Lesson Guide 2000.