The need for an organization to implement an internal audit program is a fundamental requirement of both AS9100 series standards and ISO 9001:2015 standards.
Here are four ways you can take an internal audit program beyond compliance – and really add value to your organization.
1. Create a positive perception of internal audits
Let’s start with the culture around auditing. Comments such as ‘Look out, here come the quality police!’ or similar are often commonplace when setting out to perform an internal audit in some organizations. while comments like this are clearly made in jest, it can be indicative of a long-standing negative attitude towards internal audits. Perhaps a legacy issue from days gone by, when previous iterations of the standards focussed more on the principles of quality control rather than quality assurance.
Increasing understanding that internal audits are in fact, a two-way, open forum for reviewing current businesses processes will help greatly in changing this mindset. Auditees should be encouraged to be open and honest as part of the process and view it as an opportunity drive positive change in their department. Bringing in comments such as: ‘Don't like that old procedure you're working to? Now's the time to raise the issue and change it!’ or ‘Can't find a record? Let's figure out why and put a control in place to make sure they're always available when you need them in future,’ will help significantly.
The advantage of being an internal auditor over an external, third-party auditor like myself, is that you have a lot more leeway to make recommendations on how to fix the problem and offer practical solutions. Internal auditing can be an ideal ice-breaker to start discussions if you feel that change needs to happen in a particular process.
2. Assemble a diverse audit team.
It's a myth that only quality professionals can become internal auditors. Some of the greatest internal audit teams I've come across consist of personnel from a variety of backgrounds and functional areas. Everyone brings something different to the table – and with the right training on audit techniques and AS/ISO standards, they have the potential to become a really good internal auditor. Having different personalities on the team is also helpful... those of a highly personable nature might be more effective at opening up conversation with more nervous auditees and be able to address some of the long-standing cultural issues referred to earlier.
Carrying out internal audits can also be a great career development tool for more junior members of staff. Early in my career in quality assurance, I was tasked with conducting internal audits to a number of different airworthiness regulations and international standards. Creating my own checklists was a brilliant way to learn about the intent of each one – and through carrying out the audit, I was able to network with lots of different departments
3. Check against ‘intent’ not just procedural content.
Understanding why a requirement exists and what drives the current process is key here. There is often a temptation for an organization to just audit against local procedures and not properly understand what really sits behind them.
Taking the time to ask why a procedure is written a certain way, or why certain records need to be kept will really add value to an internal audit. You may begin to find there are better ways to demonstrate compliance – and the process can be simplified.
Another area to consider looking at during internal audit is process performance against defined key performance indicators. If a process is not achieving its planned results e.g. an order management function failing its target of orders processed right first time, this may be a strong indicator that something is wrong with the ‘intent’ of the process. Especially if it seems they are following local procedures to the letter. Ask yourself ‘are sufficient checks and balances being undertaken before the order is released?’ and ‘is enough information gathered from the customer upfront before order processing starts?’ Would be good points to think about in this hypothetical situation and may indicate that the current processes / procedures being followed are not robust enough.
Don't be afraid to ask more general questions like this and go beyond what's written in the local procedure
4. Treat any findings with a sense of urgency.
So you've completed a deep dive internal audit and thoroughly tested the Quality Management System (QMS), with several non conformities and opportunities for improvement raised... then nothing happens for several months. Don't let that added value go to waste!
All too often I see audit great improvement actions sitting on the back burner, and as a third-party certification auditor this is probably the number one reason a non conformity is raised within the 9.2 section set of requirements for Internal Audits, specifically the need to take actions without undue delay.
However, at the same time you really need to avoid completing any actions on behalf of other people, and ideally make sure the department fixes the problem by their own accord. Getting this done in a timely manner can be difficult sometimes, and how you do it will very much depend on the status quo of your organization but here are a few suggestions:
- Schedule a formal closing meeting with the head of the department being audited to ensure any findings are properly explained to them.
- If you operate a digital Non Conformity & Corrective Management System, it would be beneficial to raise any internal audit findings on this system so that is subject to the same level of rigour as a product related issue or external complaint.
- Keep time free in the diary to go back and verify effectiveness of actions to address findings raised. Knowing that you'll be back in 30, 60 or 90 days to see how things are going could be a good motivator for them to get actions completed on time.
Summary
The above identifies four possible ways you could maximize the added-value from your internal audit program. This article is by no means a guide on how to comply with the standard but more so my views on how you can achieve a better state of maturity. I really hope this gives you some ideas on how things can be done differently in your organization – and helps change the perception that they can be so much more than just a tick-box activity.