BACK TO BASICS
Best Practices in Auditing
by Anil Gupta
Organizations conduct audits to examine a business process and evaluate the process’s compliance with internal and external requirements. They also use audits to implement continuous improvements. Internal and supplier audits allow management to:
- Learn about potential problems before they become burning issues.
- Identify failure points within a process so relevant stakeholders can implement corrective actions in a timely manner.
- Determine the effectiveness of controls within a process.
Supplier audits: Organizations audit their suppliers to ensure the suppliers’ internal processes adhere to a defined quality standard. Key suppliers are typically audited yearly. Those that have poor quality metrics, however, are audited more frequently. Organizations use the audit results to identify process, training or documentation issues that affect their suppliers’ quality metrics. They then ask their suppliers to address the issues in a specific timeframe.
Internal audits: These are integrated into organizations’ corrective and preventive action processes. They take a snapshot of the current environment, map it to defined specifications and identify nonconformities. The nonconformities then are fed into a corrective action process that recommends specific actions and solutions. This process also verifies whether the corrective actions have been implemented and the root causes of the original nonconformities have been eliminated.
Process owners in organizations that conduct internal audits can clearly answer these questions:
- Are the processes and metrics clearly defined so the internal audit process can uncover unambiguous nonconformities?
- How does the process incorporate the results of prior audits to track progress against previously discovered nonconformities?
- What process is used to identify potential root causes of nonconformities in a timely way? Are corrective actions always taken to eliminate such root causes?
- How are the data on corrective and preventive actions reported and analyzed?
- How do employees receive feedback on their respective nonconformities?
An internal or supplier audit is most successful when an auditor is able to complete these five activities:
- Schedule: This list of events includes the audit dates, the name of the person who will lead the effort, the high level processes included in the audit and the types of resources and documents needed from the process owner.
- Plan: The plan details an audit’s scope, objectives and agenda. It provides a chronology of the audit from start to finish and notes which specific processes and subprocesses will be audited, when they will be audited and who will perform the audit.
- Manage: The lead auditor
manages the overall process. He or she manages and communicates
any changes to the audit plan, communicates progress to
all stakeholders, ensures the schedule stays on track, reviews all nonconformities to ensure they’re logical, valid and clear, resolves conflicts constructively and ensures the audit is conducted professionally and positively.
- Report: Stakeholders receive a copy of the written audit observations and a list of nonconformities. These reports form the basis of the discussion about the audit results.
- Verify: The process manager responds to audit nonconformities by an agreed on date. His or her response includes a probe into the root cause, a proposed corrective action and a completion date. The lead auditor then reviews the response to determine whether the probe and proposed corrective actions are adequate. If the lead auditor thinks otherwise, he or she can reject it and request a redo. The second stage of verification occurs when the process manager notifies the lead auditor the corrective action has been implemented. Then, the auditor verifies the implementation and that the root cause of the original nonconformity has been eliminated.
The most successful auditing programs automate these five steps so they’re easily repeatable. Quality management systems also can help with implementing the steps and ensuring audit management is executed as a closed loop cycle—an end-to-end process that extends from audit management through corrective actions to change control.1
Organizations that apply these auditing best practices will be well on their way to attaining impressive business results.
1. ANSI/ISO/ASQ QE19011S-2004 is a good source for additional guidelines on internal and supplier auditing processes and steps. For more information, visit http://qualitypress.asq.org/perl/catalog.cgi?item=T19011S (case sensitive).
ANIL GUPTA is vice president of marketing at MetricStream in Redwood Shores, CA. He is also a research advisor on IT performance management at Ventana Research in San Mateo, CA. Gupta received an MBA in operations from the University of Santa Clara, CA, and is a member of ASQ.