Tags Posts tagged with "audit"

audit

0 2990
ISO Implementation Process

Preparing for an ISO implementation process of any ISO standard can be overwhelming and frightening for many. How an organization prepares for implementation will depend on factors such as size and complexity of its processes, the current knowledge and culture related to the standard (quality, environmental, safety, etc), the maturity of any other existing systems related to the standard wishing to implement, and many others. Despite the differences there may be between organizations, there are a few tips that will facilitate the implementation process of any management system, these are:

Know the standard.

It is essential that some personnel knows the management system’s requirements. Everyone does not need to be an expert on the requirements of the specific standard that will be implemented, but key workers need to fully know and understand all of the requirements of the standard.

Inform everyone what is going on.

The implementation process is not a task of just a few chosen ones. Everyone needs to be involved in this process. Every worker needs to know what is being implemented, why is it being implemented, which are the benefits for the organization and for themselves, and how they will be involved in the process. When people are informed, they will be more open and willing to collaborate in the implementation.

Analyze the organization’s current situation.

Before starting to implement any ISO management system, an organization needs to know its level of compliance with the standard. This will allow the organization to understand beforehand its strengths and weaknesses regarding the ISO management system wishing to implement and estimate the time needed for implementation.

Map your processes.

Establish and record current processes in order to know the relationships between departments and how the processes flow within the organization. This will allow organizations to plan their implementation by processes and not just by areas and departments.

Review existing procedures and work instructions.

Many processes need written and documented information that will guarantee that activities are carried out in the correct manner. Organizations need to review which processes are documented and how many work instructions there are. It is not the same to develop a few documents and just review work instructions than to develop them from scratch. Organizations need to have an idea of how much time they will have to invest in developing and reviewing documents.

Review current training programs.

Evaluate existing training and awareness programs. Training and awareness are an important part in the implementation process and if an organization has not considered training its workers, it would be best to redefine these programs to make sure that a large percentage of workers are trained and informed about policies, procedures, regulations, etc that will be a part of their daily activities.

These are some recommendations that will help organizations prepare for the implementation process of any ISO management system. The most important aspect to keep in mind is to make sure that the whole organization is working for the same objectives and pulling in the same direction.

 

0 2448

No matter how many audits someone has gone through, knowing that someone will come and check your work always generates some tension and anxiety. Here are some recommendations to get rid of the fear and prepare for a successful ISO 9001 audit.

Prepare employees.

  • Refresh the quality policy and make sure everyone understands it. There is no need for workers to memorize it, but they should have a clear understanding of what the organization has committed to in terms of quality.
  • Refresh quality objectives. Workers should know what the organization’s quality objectives are and how they contribute in achieving them. They should know and be able to explain how their day to day activities can influence these objectives.
  • Ensure that everyone has been properly trained to perform their tasks.
  • Make sure everyone knows where to find procedures, work instructions and forms relevant to perform and record correctly a specific activity or process.
  • Let everyone know the scope of the audit, what will auditors be checking in their areas and when they will be audited.
  • Workers should have the confidence to answer what they know, and have the same confidence to say ‘’I don’t know” when they are not sure what they are going to answer.

Check all documented information.

  • Make sure document and record list has been updated.
  • Check that all documents have been reviewed, approved, communicated and followed by everyone involved in the process or activity.
  • Make sure no one is using obsolete documents.
  • Verify that all records are being used and that they are being filled out correctly.

Ensure all processes are being performed correctly.

  • Make sure that all the procedures (whether they are documented or not) are being followed.
  • Ensure that critical processes are being performed in the same way (correct way) by everyone.

Review the corrective and preventive action process.

  • Review the findings from previous audits and make sure they have been attended.
  • All nonconformities must be properly recorded, investigated and actions need to be in place or concluded by the time of the audit.
  • Corrective actions that have been executed and closed need to have a proper verification of its effectiveness.

Organize the workplace.

  • It is very hard for quality control and assurance to happen in a messy, dirty and unorganized workplace, and auditors know that. So, take time to organize the workplace (offices, desks, warehouses, workshop floor, etc.).
  • Make sure records, forms, procedures and any relevant documents are at hand and easy to find.

Prepare to have a nice and professional audit.

  • Make a good first impression. Treat auditors professionally and with respect from day 1.
  • Do not be predisposed. Auditors are not enemies, they will come to help the organization uncover their defects and weaknesses in order to take the necessary actions to improve.

Do not wait for the last minute to prepare for the audit.

  • Preparing for an audit takes time and effort. The sooner the organizations begins to prepare for their audit, the more successful it will be. So start soon!

 

1 3166
Effective Internal Audits

An Internal audit is one of the most important aspects within any management system. It is through audits that gaps, potential problems and possible solutions will be identified in order to maintain and improve the effectiveness of the management system.

However, not all audits add value to the system and in order for them to be truly effective it is essential that they are:

  1. Planned and programmed.

    The organization needs to carefully determine which processes will be audited (not all have to be audited at once or with the same frequency). In order to do this, they will need to take into consideration the results of previous audits, the complexity and risk of its processes and the maturity of each process.

    Auditors should consider the natural rhythm of the process being audited, including the synchronization of processes and time and the availability of trained and experienced auditors.

    Specific timetables should be elaborated and these must be informed in advance within the organization, detailing which processes are to be audited and when.

  2. Carried out by competent auditors.

    Auditors must be competent, objective and impartial. They must demonstrate comprehensive knowledge of the processes and the standard which they are auditing against.

  3. Findings and results are communicated effectively.

    The findings and their details (nonconformities, positive areas and areas for improvement) should be communicated during the audit’s closing meeting to everyone involved. These findings should also be discussed with the auditee during the audit and before recording it.

    This information must be communicated in an objective and friendly manner and any suggestions should be informed in a constructive manner.

  4. Results are recorded and monitored.

    The results and the corrective actions encountered during the audit must be recorded and monitored in order to ensure that non-conformities are taken care of and improvements made.

    It is also important to establish who will be responsible for monitoring the actions necessary for closing a non-conformity or implementing an improvement.

For an internal audit to be effective, it is essential for this process to be carried out together with auditors and auditees. The planning and programming of internal audits must be done taking into consideration information given by all the people involved. Also, everyone must understand that the purpose of an internal audit is to identify possible weaknesses and areas for improvement in order to ultimately increase the effectiveness of the organization’s processes and its management system in general.

0 1284
Process Approach
Process Approach

In the past, most auditors used a formal clause approach when auditing a management system; today, many auditors are leaving behind the checklist that served as a useful guide to identify the conformance with applicable requirements, and are now using a process approach to perform their audits.

Some aspects that give importance to this approach are the following:

  1. Process Approach focuses on results, not on procedures.

    Management systems are not just a set of documented procedures; they are an active system of processes that address business risks and its applicable requirements. By reviewing the process and not just the procedures, it becomes easier to evaluate the results of the process and how effective these really are.

  2. Process Approach determines the effectiveness of the management system.

    Audits conducted using a process approach provide information on whether performance targets are being met, they identify opportunities to improve performance through better process control and determines how processes can be more effective and efficient in meeting the system’s applicable requirements.

  3. Process Approach evaluates links between departments and processes.

    Interactions between the processes of an organization can often be complex, resulting in a network of interdependent processes where the output of a process can be the input of another. By following the flow and continued work throughout the organization, it’s possible to review and evaluate the sequence and interactions of processes, their inputs and outputs and the effectiveness of these interactions.

  4. Process Approach determines whether the operations are under control and whether the controls are effective.

    The process approach not only focuses on whether controls are in place but also on how efficient these really are in maintaining and improving the effectiveness of the process and the system.

  5. Process Approach helps determine the depth of the problems through the organization.

    When a problem is found, it is easier to determine the severity of its impact on the system by reviewing the entire process and it’s interactions with other processes.

  6. Process Approach focuses on the benefits of correcting non-conformities related to improving organizational effectiveness.

    Process based audits help organizations in evaluating the effectiveness of their processes. It serves as a tool to identify weaknesses and opportunities to improve the existing connections between policy, requirements, performance, objectives and goals, which will ultimately contribute to the overall success of an organization.

Management systems are a complex set of interactions between different activities carried out in different areas of an organization. When these activities are viewed as being part of a process, it is easier to understand these interactions and how they go beyond the boundaries of a specific functional unit. Also, by auditing an entire process, the people involved in it will have a greater understanding of how their activities influence the overall effectiveness of the organization’s management system.

0 1948
Exploring the Pre-Assessment Audit

A pre-assessment audit is one that is performed before a certification/registration audit takes place. This pre-assessment audit determines the degree of conformance of an organization’s management system(s) with the requirements of a standard (e.g. ISO 9001, ISO 14001, ISO 27001, etc.)

After putting the time and effort to implement a management system and before diving into a certification audit, many organizations choose to contracting the services another organization or person to perform a pre-assessment audit. This is a full audit of a management system against the requirements of a specific standard that allows organizations to identify any nonconformities and implemented corrective actions before the certification audit.

A pre-assessment audit is performed with the same independence and objectivity as a certification audit. The auditor(s) will conduct activities such as documentation review, process review, interview of process owners, etc, in order to gather the necessary information that evidence compliance.

A pre-assessment audit is performed on-site and are a complete assessment of the management system against the requirements of the relevant standard. As any other audit, all nonconformities and observations found will be presented in an audit report that will be delivered at the end of the process; this report will serve as a baseline for the organization to improve its processes and implement the necessary corrective actions.

Any organization that has implemented a management system and wishes to determine its readiness to undergo a certification audit can seek a pre-assessment audit. Some of the benefits of performing this audit are:

  • Helps organizations identify any non conformities and implement corrective actions.
  • Contributes in the optimal preparation for the certification audit.
  • An organization can focus its resources on weaknesses that might lead to nonconformities.
  • Depending on the outcome, organizations can decide to postpone a certification audit that has already been scheduled or, on the contrary, face the certification audit with a renewed confidence.
  • Helps organizations avoid unnecessary additional costs.

This type of audit can be conducted by qualified consultants, registrars, or competent individuals with experience and knowledge regarding the relevant industry sector and standard. It is important to remember that, just as an organization carefully chooses  a certification body or any other service, it should also take the time to choose the correct organization or person to perform its pre-assessment audits.

0 9292

A Certification Audit is the first step for those organizations that have decided to undergo an assessment process with a Certification Body (CB) or Registrar to determine if their management system complies with the requirements of a given standard (ISO 9001ISO 14001OHSAS 18001, etc). This Certification Audit is divided into two stages: Stage 1 Audit and Stage 2 Audit.

These audits differ in many ways: their purpose, duration, information reviewed and sometimes even in the location where it will take place.

The objective of a Stage 1 Audit is to determine an organization’s readiness for their Stage 2 Certification Audit. Here the Registrar will review the management system documented information, evaluate the client’s site specific conditions and have discussions with employees.  The auditor will look to see that objectives and key performance indicators or significant aspects are in place and understood.  They will review the scope of the management system and obtain information on the organization’s processes and operations, the equipment being used, the levels of control that have been established as well as any applicable statutory or regulatory requirements.  Internal audits and management reviews will be evaluated to ensure they are being planned and performed and the overall level of implementation of the management system to determine if they are ready to move forward with the Stage 2 Certification Audit.



The Registrar will use the Stage 1 Audit to complete Stage 2 Audit planning, including the review the allocation of resources and details for the next phase of the audit.  Documented conclusions will be given to the organization that will outline the readiness as well as identifying any areas of concerns that could be classified as a nonconformance during the Stage 2 Audit.

Stage 1 Audit usually will be carried out in one or two days.  This audit typically occurs onsite.  For organization’s with more than one location the audit would usually be carried out at their head office location.

The Stage 2 Audit evaluates the implementation and effectiveness of the organization’s management system(s). During this audit, the Registrar will determine the degree of compliance with the standard’s requirements, and report any non-conformances or potential non-conformances that the organization will have to correct before the compliance certificate can be issued. If Stage 2 audit is successful, the organization’s management system(s) will be certified..

The Stage 2 Audit will include:

  • All relevant documented information that evidences the management system’s conformity with all the standard’s requirements.
  • Key performance objective and targets, looking at performance monitoring, measuring and reporting
  • Evaluation of internal audits, management review and management responsibility for the organization’s policies
  • All relevant processes, looking at operational control and the ability to carry them out as planned

The duration of the Stage 2 Audit is determined in accordance with IAF MD5.  Depending on the size and complexity of the organization this audit can range anywhere from 1 to many days.

These are the main differences between Stage 1 and Stage 2 Audit. Nonetheless, every organization undergoing a certification process should maintain an open and clear communication with their Registrar in order to clarify any doubts that may arise before the audits take place.

0 2985
Accreditation bodies allow organizations seeking accreditation can demonstrate to their customers that they have been successful at meeting the requirements of international accreditation standards.

Third-party auditors are those who perform an external and independent audit of an organization’s management system to evaluate if it meets the requirements of a specific standard; if successful, this third-party audit will provide the organization with certification or registration of conformity with the given standard.

A third party audit is carried out by a Registrar/Certification Body (CB) hired by the organization; therefore, in order for someone to be a third-party auditor, he/she needs to be employed by a CB. All CB, before hiring an auditor, need to ensure that the auditor possesses the knowledge and skills necessary to achieve the intended results of the audits they are expected to perform. Some of these are described below.

  • Personal attributes that will enable them to act in accordance with the principles of auditing, which include ethical conduct, fair presentation, due professional care, independence, and free use of an evidence-based approach.
  • Knowledge on the contents of ISO 19011: 2011, Guidelines for auditing management systems.
  • Knowledge and skills on audit principles, procedures and methods, which will enable them to conducted audits in a consistent and systematic manner.
  • They should be able to exhibit professional behavior during the performance of audit activities, including being ethical, open-minded, diplomatic, observant, perceptive, versatile, tenacious, decisive, self-reliant, open to improvement, culturally sensitive, and collaborative.
  • Knowledge and skills on management system and reference documents that will enable them to comprehend the audit scope and apply audit criteria.
  • Sector specific knowledge which will enable them to comprehend the organization’s structure, business, management practices and the legal and contractual requirements applicable to the organization being audited.

As indicated in ISO 19011, someone pursuing to become a third-party auditor can acquired all these knowledge and skills by using a combination of the following:

  • Formal education/training and experience that contribute to the development of knowledge and skills in the management system discipline and sector the auditor intends to audit.
  • Training programs that cover generic auditor knowledge and skills.
  • Experience in a relevant technical, managerial or professional position involving the exercise of judgment, decision making, problem solving and communication with managers, professionals, peers, customers and other interested parties.
  • Audit experience acquired under the supervision of an auditor in the same discipline.

After acquiring all the necessary knowledge and skills and successfully being employed by a CB, third-party auditors must pledged to advocate a particular code of ethical conduct in the performance of an audit and they must abide the internal policies and rules of the CB that hires them. All these requirements must be followed in order to protect everyone involved in the audit process.

3 9465
Exploring ISO 9001 vs 9004

Management systems such as ISO 9001, ISO 14001 and OHSAS 18001, require that internal audits are scheduled at planned intervals; they do not established a specific frequency nor do they establish that all processes need to have a yearly internal audit.

Organizations need to establish a frequency that is right for them. They decide if the audits will be performed monthly, quarterly, twice a year or once a year. However, there are some criteria that should be considered before defining a frequency that adjusts to an organization’s context and needs. These are:



Complexity of the processes.

  • Crucial or high risk processes should be audited on a more frequent basis, perhaps quarterly or twice a year.
  • Low risk processes can be audited just once a year or every other year.

Maturity of the processes.

  • Well established processes that run efficiently can be audited once a year or every other year.
  • New developed processes should be audited quarterly until they are stable.

Past experience.

  • Processes that have a history of frequent deficiencies or non-conformities, can be audited quarterly or twice a year.
  • Processes with troubles achieving targets and objectives can also be audited quarterly or twice a year.

There are other factors that can influence the frequency of auditing, such as:

  • An organization’s budget for the execution of internal audits.
  • Regulatory or customers’ requirements.

Another important fact is that there is no need to audit every process all at once, from past experiences, it is more suitable to spread out the internal audits throughout the year auditing different processes at different times; auditing many processes all at once can be exhausting and process deficiencies or areas for improvements may be overseen.

As mentioned above, most standards do not require that all process be audited every year; nonetheless, that is a common practice in many organizations. There are even some organizations, with mature and well-establish management systems, which schedule their audits over a three year time plan. Every organization needs to take a close look at each of their processes, their management systems and other applicable requirements in order to establish a rational schedule that fits their needs and that is right for them.



1 2883
ISO 9001

All management systems require organizations to conduct internal audits in order to obtain information that will evidence the degree to which requirements are being met. In other words, internal audits check practice against policies, processes and procedures and thoroughly document any differences.

Although internal audits are an important tool for organizations to evaluate their management systems and to uncover areas that are in need of attention, for many, this process induces an enormous amount of stress. For audits to serve as a means to identify gaps and effective solutions, it is essential that these are formal, planned and organized. Other key characteristics internal audits should have are:

They are scheduled. Surprise audits are not welcomed by anyone. A schedule should be set and communicated to everyone, preferably at the beginning of the year. There’s no need to audit all processes at once; different processes can be audited at different times throughout the year, organizations just need to make sure that at the end of the year all processes have been audited.

Auditors are competent. Auditors need to demonstrate in-depth knowledge of the standard which they are auditing against and they should have an understanding of the processes being audited. They should be objective and impartial; this means that they can’t audit a process which they manage or control. Large organizations usually have a team of trained auditors, but that is not necessary; an alternative is to hire the services of an external consultant to perform the internal audits.

They are planned. The audit needs to be confirmed with the process owner. At this stage the auditor should review procedures and previous findings or issues related to the audited process. A checklist with a pre-determined list of questions can be sought to be used during the audit; this checklist should be provided to the auditee so they have time to organize any information.

It’s conducted in an objective and friendly manner. An audit should start with an opening meeting with the auditor and the auditee(s). It’s recommended that the auditor works systematically through the checklist or procedure, while reviewing records, observing the process, analyzing process data and talking to employees. During the audit, the auditor must discuss the findings with the auditee before recording it.

Audit findings are recorded. A closing meeting with the auditee is fundamental so information is not delayed. Here the auditor should point out possible weaknesses and areas for improvement. Findings and their details (these include non-conformities, positive areas and improvement areas) need to be recorded and communicated to the auditee(s) and management.

Findings are monitored. The auditor is responsible for ensuring that corrective actions have been taken to fix any problems found during the audit.

If everyone takes advantage of the positive results internal audits can bring, and if these aid organizations to improve their processes and management system- whether is a quality, environmental or any other system- an internal audit can be considered a success.