Sunday, June 25, 2017
Tags Posts tagged with "audits"

audits

    0 1644
    Auditor Training

    Internal Auditors require theoretical and practical auditor training. Usually, when organizations train a group of internal auditors, the theoretical training is done by an outside organization.

    This formal auditor training will have to consist of the following:

    • Audit principles
    • Objectives of an audit.
    • Types of audits.
    • Benefits of implementing internal audits.
    • Different auditing approaches.
    • Competences of an auditor.
    • Responsibilities of an auditor.
    • How to prepare for the audit: Establishing the audit program, defining the elements of the management system to be audited, preparation of checklists, selecting the audit team.
    • How to conduct an audit: How to contact the auditee, developing the audit plan, carrying out the opening meeting, how to gather evidences, defining findings, conducting the closing meeting.
    • Reports and Follow-up: Categorization of findings, preparing the report, approval and distribution of the report, monitoring.
    • Competence and evaluation of auditors: General, personal attributes, knowledge and skills, training and work experience, maintenance and enhancement of skills, auditor evaluation.

    In addition to this basic auditor training regarding the skills, knowledge and competences of auditors and how to prepare, conduct and monitor audits, it is essential for internal auditors to fully know and understand the standard that they will be auditing against. Here an additional training session will be required. The most frequent standards that organizations use that require the execution of internal audits are ISO 9001, ISO 14001 and OHSAS 18001; however, the standards use will depend on the needs and objectives of each organization.

    After an auditor has received this theoretical auditor training, they can now begin their practical training by participating in an internal audit. This practical auditor training usually is done following these steps:

    1. Participate in at least 2 audits as an observer or auditor in training. Here they usually participate in the planning stage of the audit but when the audit is being conducted they only observe; they do not take any actions in any of the activities during the audit.
    2. Participate in at least 2 internal audits with supervision of a lead auditor. Here they take a more active role in the preparation and in the conducting of the audit.
    3. After having successfully carried out a number of internal audits and having sufficient skills, knowledge and experience as an internal auditor, he or she may start to conduct audits as an internal auditor leader. This leader takes full action in all of the stages of the audit.

    The above explanation is how internal auditors are usually trained; however, each organization may decide which way to train their auditors is best for them. What is important is for auditors to receive a constant and progressive auditor training that allows them to acquired the necessary skills and knowledge to conduct objective and impartial audits that meet the objectives for which they audits are carried out for.

    Looking for auditor training? Check our listing to see what’s available near you.

      1 1408
      Effective Internal Audits

      An Internal audit is one of the most important aspects within any management system. It is through audits that gaps, potential problems and possible solutions will be identified in order to maintain and improve the effectiveness of the management system.

      However, not all audits add value to the system and in order for them to be truly effective it is essential that they are:

      1. Planned and programmed.

        The organization needs to carefully determine which processes will be audited (not all have to be audited at once or with the same frequency). In order to do this, they will need to take into consideration the results of previous audits, the complexity and risk of its processes and the maturity of each process.

        Auditors should consider the natural rhythm of the process being audited, including the synchronization of processes and time and the availability of trained and experienced auditors.

        Specific timetables should be elaborated and these must be informed in advance within the organization, detailing which processes are to be audited and when.

      2. Carried out by competent auditors.

        Auditors must be competent, objective and impartial. They must demonstrate comprehensive knowledge of the processes and the standard which they are auditing against.

      3. Findings and results are communicated effectively.

        The findings and their details (nonconformities, positive areas and areas for improvement) should be communicated during the audit’s closing meeting to everyone involved. These findings should also be discussed with the auditee during the audit and before recording it.

        This information must be communicated in an objective and friendly manner and any suggestions should be informed in a constructive manner.

      4. Results are recorded and monitored.

        The results and the corrective actions encountered during the audit must be recorded and monitored in order to ensure that non-conformities are taken care of and improvements made.

        It is also important to establish who will be responsible for monitoring the actions necessary for closing a non-conformity or implementing an improvement.

      For an internal audit to be effective, it is essential for this process to be carried out together with auditors and auditees. The planning and programming of internal audits must be done taking into consideration information given by all the people involved. Also, everyone must understand that the purpose of an internal audit is to identify possible weaknesses and areas for improvement in order to ultimately increase the effectiveness of the organization’s processes and its management system in general.

        0 1013
        Process Approach
        Process Approach

        In the past, most auditors used a formal clause approach when auditing a management system; today, many auditors are leaving behind the checklist that served as a useful guide to identify the conformance with applicable requirements, and are now using a process approach to perform their audits.

        Some aspects that give importance to this approach are the following:

        1. Process Approach focuses on results, not on procedures.

          Management systems are not just a set of documented procedures; they are an active system of processes that address business risks and its applicable requirements. By reviewing the process and not just the procedures, it becomes easier to evaluate the results of the process and how effective these really are.

        2. Process Approach determines the effectiveness of the management system.

          Audits conducted using a process approach provide information on whether performance targets are being met, they identify opportunities to improve performance through better process control and determines how processes can be more effective and efficient in meeting the system’s applicable requirements.

        3. Process Approach evaluates links between departments and processes.

          Interactions between the processes of an organization can often be complex, resulting in a network of interdependent processes where the output of a process can be the input of another. By following the flow and continued work throughout the organization, it’s possible to review and evaluate the sequence and interactions of processes, their inputs and outputs and the effectiveness of these interactions.

        4. Process Approach determines whether the operations are under control and whether the controls are effective.

          The process approach not only focuses on whether controls are in place but also on how efficient these really are in maintaining and improving the effectiveness of the process and the system.

        5. Process Approach helps determine the depth of the problems through the organization.

          When a problem is found, it is easier to determine the severity of its impact on the system by reviewing the entire process and it’s interactions with other processes.

        6. Process Approach focuses on the benefits of correcting non-conformities related to improving organizational effectiveness.

          Process based audits help organizations in evaluating the effectiveness of their processes. It serves as a tool to identify weaknesses and opportunities to improve the existing connections between policy, requirements, performance, objectives and goals, which will ultimately contribute to the overall success of an organization.

        Management systems are a complex set of interactions between different activities carried out in different areas of an organization. When these activities are viewed as being part of a process, it is easier to understand these interactions and how they go beyond the boundaries of a specific functional unit. Also, by auditing an entire process, the people involved in it will have a greater understanding of how their activities influence the overall effectiveness of the organization’s management system.

          0 1540
          Exploring the Pre-Assessment Audit

          A pre-assessment audit is one that is performed before a certification/registration audit takes place. This pre-assessment audit determines the degree of conformance of an organization’s management system(s) with the requirements of a standard (e.g. ISO 9001, ISO 14001, ISO 27001, etc.)

          After putting the time and effort to implement a management system and before diving into a certification audit, many organizations choose to contracting the services another organization or person to perform a pre-assessment audit. This is a full audit of a management system against the requirements of a specific standard that allows organizations to identify any nonconformities and implemented corrective actions before the certification audit.

          A pre-assessment audit is performed with the same independence and objectivity as a certification audit. The auditor(s) will conduct activities such as documentation review, process review, interview of process owners, etc, in order to gather the necessary information that evidence compliance.

          A pre-assessment audit is performed on-site and are a complete assessment of the management system against the requirements of the relevant standard. As any other audit, all nonconformities and observations found will be presented in an audit report that will be delivered at the end of the process; this report will serve as a baseline for the organization to improve its processes and implement the necessary corrective actions.

          Any organization that has implemented a management system and wishes to determine its readiness to undergo a certification audit can seek a pre-assessment audit. Some of the benefits of performing this audit are:

          • Helps organizations identify any non conformities and implement corrective actions.
          • Contributes in the optimal preparation for the certification audit.
          • An organization can focus its resources on weaknesses that might lead to nonconformities.
          • Depending on the outcome, organizations can decide to postpone a certification audit that has already been scheduled or, on the contrary, face the certification audit with a renewed confidence.
          • Helps organizations avoid unnecessary additional costs.

          This type of audit can be conducted by qualified consultants, registrars, or competent individuals with experience and knowledge regarding the relevant industry sector and standard. It is important to remember that, just as an organization carefully chooses  a certification body or any other service, it should also take the time to choose the correct organization or person to perform its pre-assessment audits.

            0 1070
            External Audits

            An audit is a process performed to gather evidence that support an organization’s compliance to specific requirements. Audits can be Internal (first party audits) or External (second and third party audits). The differences between the two types of external audits generates some confusions that we will clarify in this article.

            The main differences rely on the interests between the organization performing the audit and the one being audited, and in the purpose of the audit.

            • Second party audits are external audits that occur when one organization audits another with which it either has, or is going to have, a contract or agreement for the supply of goods or services. They can also be done by regulators or any other external party that has a formal interest in an organization. These are usually done to verify operating conditions of a supplier to ensure it meets applicable requirements.
            • Third party audits are also external audits that are done independent of the organization being audited. They are performed by independent organizations such as registrars (certification bodies) or regulators, usually for certification, registration or verification purposes.

            The reasons why these are performed also serves to set them apart.

            Second party audits are carried out to:

            • ™Help customers ensure that suppliers have proper capabilities and controls in place.
            • ™Improve communication between both organizations.
            • Promote a clear understanding of the customer’s expectations.
            • ™Provide a path for the transfer of knowledge and good practices between both organizations.
            • Build customer confidence that the supplier will comply with legal and other applicable requirements.
            • Create good and mutually beneficial working relationships.

            Third party audits are performed to:

            • Verify compliance to a specific standard or regulation.
            • Demonstrate compliance with all the requirements of a standard such as ISO 9001, ISO 14001, OHSAS 18001 to customers and other stakeholders.
            • Give confidence to customers that the best business practices are being implemented regarding quality, environmental or other management systems.

            As mentioned before a second party audit is usually done by a customer and a supplier that wish to establish a business relationship and, in some cases, the audit is one of the requirements necessary to seal the deal.

            On the other hand, third party audits can be mandatory (depending on the standard/regulation and the industry sector) or they can be voluntary. In both cases, the organization wishing to be audited will have to contract the services of a qualified organization to perform an independent and objective audit.

            Both types of audits are done prior to executing a contract (Second party) or obtaining a certification/registration (Third party) and they both require periodic surveillance audits for verification purposes.

              0 2873

              There are different approaches to auditing; these can be performed by clause, department, tasks, etc. The most commonly used by auditors is the clause approach,  where the auditor goes by each clause, usually with a checklist, searching for evidence of requirement conformance and writing nonconformities (minors or majors) if any are found.

              These approaches tend to focus mainly on procedures and not on the performance, outcomes and results of the organization’s processes. Hence, audits result in the correction of minor problems and not in the improvement of the system and its processes.

              The process approach to auditing focuses on reviewing the sequence and interaction of processes and their inputs and outputs. It analyzes the management system not just as if it were a set of documented procedures, but rather as an active system of processes that addresses business risk and its applicable requirements. The main elements that a process-approach audit reviews are:

              • Process Owners
              • Inputs and Outputs of the process
              • Resources
              • Methods/ Procedures/ Instructions
              • Controls/ Measurements/ Metrics
              • Documents/Records
              • Efficiencies/ Effectiveness

              In order to take this approach, it is required to plan and perform the audits so they are based on the processes that achieve organization’s objectives. The audit needs to be conducted through business processes and across department boundaries; some of the processes that need to be audited are:

              • Business management
              • Marketing and sales
              • Resource management
              • Purchasing
              • Product / service production processes

              Audits conducted with a process approach provide information on whether performance targets are being met, they identify opportunities for improving performance through a better control of processes and determine how processes can be more effective and efficient in meeting the applicable requirements. Some of the aspects that make this approach a valuable one are:

              • It focuses on results, not on procedures.
              • Determines the management system’s effectiveness.
              • Evaluates the outcomes and results of the system.
              • Evaluates linkages between departments and processes.
              • Follows flow of work throughout organization.
              • Determines if operations are under control and if controls are effective.
              • Allows judgment on significance of findings.
              • Helps determine depth of problems across organization.
              • Focuses on benefits of correcting nonconformities related to improving organizational effectiveness.

              Organizations that wish to comply with a standard have to meet the requirements established in it, but in some cases, just meeting these requirements does not necessarily add value to the organization. In order for an organization to be competitive and successful, its operational processes must work together in achieving its goals and objectives. A process based audit assists organizations in assessing the effectiveness of these processes; it serves as a tool to identify weaknesses and opportunities to improve the connections between policy, requirements, performance, objectives and targets, which will ultimately contribute to an organization’s overall success.

                0 7581

                A Certification Audit is the first step for those organizations that have decided to undergo an assessment process with a Certification Body (CB) or Registrar to determine if their management system complies with the requirements of a given standard (ISO 9001ISO 14001OHSAS 18001, etc). This Certification Audit is divided into two stages: Stage 1 Audit and Stage 2 Audit.

                These audits differ in many ways: their purpose, duration, information reviewed and sometimes even in the location where it will take place.

                The objective of a Stage 1 Audit is to determine an organization’s readiness for their Stage 2 Certification Audit. Here the Registrar will review the management system documented information, evaluate the client’s site specific conditions and have discussions with employees.  The auditor will look to see that objectives and key performance indicators or significant aspects are in place and understood.  They will review the scope of the management system and obtain information on the organization’s processes and operations, the equipment being used, the levels of control that have been established as well as any applicable statutory or regulatory requirements.  Internal audits and management reviews will be evaluated to ensure they are being planned and performed and the overall level of implementation of the management system to determine if they are ready to move forward with the Stage 2 Certification Audit.

                The Registrar will use the Stage 1 Audit to complete Stage 2 Audit planning, including the review the allocation of resources and details for the next phase of the audit.  Documented conclusions will be given to the organization that will outline the readiness as well as identifying any areas of concerns that could be classified as a nonconformance during the Stage 2 Audit.

                Stage 1 Audit usually will be carried out in one or two days.  This audit typically occurs onsite.  For organization’s with more than one location the audit would usually be carried out at their head office location.

                The Stage 2 Audit evaluates the implementation and effectiveness of the organization’s management system(s). During this audit, the Registrar will determine the degree of compliance with the standard’s requirements, and report any non-conformances or potential non-conformances that the organization will have to correct before the compliance certificate can be issued. If Stage 2 audit is successful, the organization’s management system(s) will be certified..

                The Stage 2 Audit will include:

                • All relevant documented information that evidences the management system’s conformity with all the standard’s requirements.
                • Key performance objective and targets, looking at performance monitoring, measuring and reporting
                • Evaluation of internal audits, management review and management responsibility for the organization’s policies
                • All relevant processes, looking at operational control and the ability to carry them out as planned

                The duration of the Stage 2 Audit is determined in accordance with IAF MD5.  Depending on the size and complexity of the organization this audit can range anywhere from 1 to many days.

                These are the main differences between Stage 1 and Stage 2 Audit. Nonetheless, every organization undergoing a certification process should maintain an open and clear communication with their Registrar in order to clarify any doubts that may arise before the audits take place.

                  0 1292

                  The internal audit process is essential for any organization that aims to maintain and improve their management system(s).  However, achieving an effective internal audit process can be a challenge, especially for small and medium-size organizations.

                  Audits need to be performed by trained and qualified auditors with the sufficient knowledge of the standard being used in order to ensure independence and objectivity. Some organizations do not have the time or budget to train existing workers to become their internal auditors or to employ someone with the required skills to perform these audits. For those organizations, contracting out their internal audits is a feasible option. Some of the benefits organizations can obtain by doing so are:

                  • Assure independence. Independence is likely to increase when the auditor does not belong to the organization. In some cases when a close relationship exists between auditors and auditees, independence and objectivity may be jeopardized.
                  • Assure knowledge and skills. Most auditors from external organizations have years of training and experience. These auditors not only have the technical skills, but they also follow strict ethical guidelines.
                  • Reduce costs. Employing an expert to perform the organization’s internal audits can be expensive. Contracting out will reduce the overall cost of internal audits.
                  • Assure an up-to-date knowledge. As any other market, the internal audit market is competitive. This drives audit organizations to become more efficient and constantly improve the services they offer, which benefits the organization being audited.
                  • Efficient use of time. Internal audits are time consuming. When they are outsourced, management has more time to focus on the core activities of their business.
                  • Decrease the risk of disrupting internal audit. If an organization relies on one person to perform internal audits, a reliance on that person is created, which increases the vulnerability of process. This risk is reduced when the process is outsourced.

                  Outsourcing internal audits is an option that should be considered by small and medium-size organizations. However, each organization has its particular needs and circumstances and they should assess if it would suit them better to outsource internal audits or to create their own auditing team.

                  There are many organizations that offer audit services, and choosing one is a decision that should not be taken lightly. The time spent choosing the right one will assure an independent and objective audit which will contribute to the improvement of the organization’s management system(s).

                   

                    3 7664
                    Exploring ISO 9001 vs 9004
                    Exploring ISO 9001 vs 9004

                    Management systems such as ISO 9001, ISO 14001 and OHSAS 18001, require that internal audits are scheduled at planned intervals; they do not established a specific frequency nor do they establish that all processes need to have a yearly internal audit.

                    Organizations need to establish a frequency that is right for them. They decide if the audits will be performed monthly, quarterly, twice a year or once a year. However, there are some criteria that should be considered before defining a frequency that adjusts to an organization’s context and needs. These are:

                    Complexity of the processes.

                    • Crucial or high risk processes should be audited on a more frequent basis, perhaps quarterly or twice a year.
                    • Low risk processes can be audited just once a year or every other year.

                    Maturity of the processes.

                    • Well established processes that run efficiently can be audited once a year or every other year.
                    • New developed processes should be audited quarterly until they are stable.

                    Past experience.

                    • Processes that have a history of frequent deficiencies or non-conformities, can be audited quarterly or twice a year.
                    • Processes with troubles achieving targets and objectives can also be audited quarterly or twice a year.

                    There are other factors that can influence the frequency of auditing, such as:

                    • An organization’s budget for the execution of internal audits.
                    • Regulatory or customers’ requirements.

                    Another important fact is that there is no need to audit every process all at once, from past experiences, it is more suitable to spread out the internal audits throughout the year auditing different processes at different times; auditing many processes all at once can be exhausting and process deficiencies or areas for improvements may be overseen.

                    As mentioned above, most standards do not require that all process be audited every year; nonetheless, that is a common practice in many organizations. There are even some organizations, with mature and well-establish management systems, which schedule their audits over a three year time plan. Every organization needs to take a close look at each of their processes, their management systems and other applicable requirements in order to establish a rational schedule that fits their needs and that is right for them.