Internal Auditing

This course will introduce the fundamentals of internal auditing. 

Fundamentals of Auditing

Why do we audit?

To identify opportunities for improvement

To determine intent 

To check implementation 

To evaluate effectiveness 

To meet the requirements of Coca-Cola, ISO, and other agencies

3 steps to auditing

First

Understand audit criteria. 

This includes procedures, policies, contracts, standard requirements, etc. that the organization has committed to

Then

Gather evidence.

Perform interviews, take note of observations, and records, etc.

Finally

Drawing conclusions.

Deciding if the evidence indicates the organization has met its commitments

Characteristics of an effective audit

Planned – Schedule audit/interview with area manager and associates (Don’t surprise) 

Balanced – Look for positive practices, not just negative

Objective – Approach every audit with a fresh set of eyes 

Focused – The focus is on improving processes, not finding fault with individuals 

Strategic – Understand how the process impacts the organization’s success

Leave the fix to the auditee

Auditors should not propose corrective actions; if they do, they take responsibility for improvement.

Besides, by determining their own solutions, auditees develop ownership and buy-in

Organizations need as much practice as they can get with problem solving

Process owners are the experts at their process, their solutions will be more effective than those coming from auditors

The exception to the rule:

Auditors can propose a specific course of action when:

The law has dictated a particular method or process or when the company policy has dictated a particular method or process.

Why do we audit? (select all that apply)

  • To check implementation
  • To evaluate effectiveness
  • To meet company, ISO, and other agency requirements
  • To annoy the auditee
  • To identify opportunities for improvement

Place the 3 auditing steps in order:

  • Understand the Audit Criteria
  • Gather Evidence
  • Draw Conclusions

Characteristics of an effective audit:

  • Planned
    Audits should not be a surprise - People know well in advance when the audit will take place and what the criteria is.
  • Balanced
    Auditors who are attuned to seeking out positives (as well as opportunities) are more effective and produce better results. (hint: think scale)
  • Objective
    To avoid bias - Auditors should avoid auditing their own departments or processes.
  • Focused
    During the auditing process, highlight the processes not people.
  • Strategic
    Processes that have a strong bearing on the company’s success may require more frequent audits.

True or False

  • The only time an auditor should suggest a specific corrective action is when the law or company dictates a particular method or process.

Audit Requirements

A requirement is:

Something the organization has committed itself to

Sanctioned by those with authority

Potentially generated by a wide range of sources within the management system scope

Some examples of requirements include:

Requirements in standards 

Procedures

Policies 

Contracts 

Sales Orders 

Regulations 

Verbal statements (in certain situations)

These do not constitute requirements:

Opinions 

Best practices 

Neat ideas 

World-class methods 

“What we used to do at my old company”

Nonconformities

What is a nonconformity?

A nonconformity is the failure to meet a requirement. This means that unless you can find a clear requirement, there is no nonconformity. Nonconformities are written in a two-part fashion, and you always start with the requirement. When auditors get in trouble and have disagreements with auditees, it is often because they try to write a nonconformity against something other than a true requirement.

The correct way to write an audit nonconformity:

Requirement: Exactly what the organization has committed itself to doing.

Finding: Exactly what the organization has done that contradicts the commitment in the requirement.

Standard reference: State the IMS standard

Evaluate the requirements:

  • Current contract stipulating the inspection frequency of a product.
  • The auditor's opinion on the correct way to track corrective actions.
  • Verbal statement by the General Manager that all sales personnel must make customer follow-up calls within 5 days of sale
  • Unapproved procedure stamped "draft" that was found on a supervisor's desk.
  • Corrective action #117 stating that a procedure will be revised.
  • A line in the Quality Policy says that the organization is committed to developing long term partnerships with their suppliers.
  • Verbal statement by the shipping supervisor saying that lab personnel are required to take samples twice an hour.
  • External specification provided by the customer (and addressed in the order) for verifying service quality
  • ASTM test method referenced in the Analytical Lab Procedure
  • ISO 9004:2000 document that the auditor downloaded off the internet
  • Management review record from one month ago stating that the organization will initiate a packaging process improvement
  • Photograph, marked with a document control label, used to describe acceptable product defects
  • Industry trade journal describing best practices for service excellence
  • Purchase order stipulating that all shipments will be accompanied by a certificate of analysis (COA)
  • Line on CEO’s business card that says, “We’re faster, better, and friendlier.”
  • A supplier brochure that recommends their product be used at 2000 RPMs or faster
  • Generally Accepted Accounting Principles regarding the appropriateness of taking one-time charges on a recurring basis.

Evaluate the descriptions below and determine if each is a requirement you could use during an audit. Keep in mind that some could be findings, but not requirements. Focus only on the question of whether each would make a good requirement - true for yes/false for no. Keep in mind that a requirement is:

  • Something the organization has committed itself to

  • Sanctioned by those with authority (even verbally)

  • Covered by document control, if the requirement is a document

  • Potentially generated by a wide range of sources within the management system scope.