CLOSE
Monday, January 18, 2016
Tags Posts tagged with "audit"

audit

    0 326
    Effective Internal Audits

    Internal audits are one of the most important aspects within any management system. It is through audits that gaps, potential problems and possible solutions will be identified in order to maintain and improve the effectiveness of the management system.

    However, not all audits add value to the system and in order for them to be truly effective it is essential that they are:

    1. Planned and programmed.

      The organization needs to carefully determine which processes will be audited (not all have to be audited at once or with the same frequency). In order to do this, they will need to take into consideration the results of previous audits, the complexity and risk of its processes and the maturity of each process.

      Auditors should consider the natural rhythm of the process being audited, including the synchronization of processes and time and the availability of trained and experienced auditors.

      Specific timetables should be elaborated and these must be informed in advance within the organization, detailing which processes are to be audited and when.

    2. Carried out by competent auditors.

      Auditors must be competent, objective and impartial. They must demonstrate comprehensive knowledge of the processes and the standard which they are auditing against.

    3. Findings and results are communicated effectively.

      The findings and their details (nonconformities, positive areas and areas for improvement) should be communicated during the audit’s closing meeting to everyone involved. These findings should also be discussed with the auditee during the audit and before recording it.

      This information must be communicated in an objective and friendly manner and any suggestions should be informed in a constructive manner.

    4. Results are recorded and monitored.

      The results and the corrective actions encountered during the audit must be recorded and monitored in order to ensure that non-conformities are taken care of and improvements made.

      It is also important to establish who will be responsible for monitoring the actions necessary for closing a non-conformity or implementing an improvement.

    For internal audits to be effective, it is essential for this process to be carried out together with auditors and auditees. The planning and programming of internal audits must be done taking into consideration information given by all the people involved. Also, everyone must understand that the purpose of internal audits is to identify possible weaknesses and areas for improvement in order to ultimately increase the effectiveness of the organization’s processes and its management system in general.

      0 263
      Process Approach
      Process Approach

      In the past, most auditors used a formal clause approach when auditing a management system; today, many auditors are leaving behind the checklist that served as a useful guide to identify the conformance with applicable requirements, and are now using a process approach to perform their audits.

      Some aspects that give importance to this approach are the following:

      1. Process Approach focuses on results, not on procedures.

        Management systems are not just a set of documented procedures; they are an active system of processes that address business risks and its applicable requirements. By reviewing the process and not just the procedures, it becomes easier to evaluate the results of the process and how effective these really are.

      2. Process Approach determines the effectiveness of the management system.

        Audits conducted using a process approach provide information on whether performance targets are being met, they identify opportunities to improve performance through better process control and determines how processes can be more effective and efficient in meeting the system’s applicable requirements.

      3. Process Approach evaluates links between departments and processes.

        Interactions between the processes of an organization can often be complex, resulting in a network of interdependent processes where the output of a process can be the input of another. By following the flow and continued work throughout the organization, it’s possible to review and evaluate the sequence and interactions of processes, their inputs and outputs and the effectiveness of these interactions.

      4. Process Approach determines whether the operations are under control and whether the controls are effective.

        The process approach not only focuses on whether controls are in place but also on how efficient these really are in maintaining and improving the effectiveness of the process and the system.

      5. Process Approach helps determine the depth of the problems through the organization.

        When a problem is found, it is easier to determine the severity of its impact on the system by reviewing the entire process and it’s interactions with other processes.

      6. Process Approach focuses on the benefits of correcting non-conformities related to improving organizational effectiveness.

        Process based audits help organizations in evaluating the effectiveness of their processes. It serves as a tool to identify weaknesses and opportunities to improve the existing connections between policy, requirements, performance, objectives and goals, which will ultimately contribute to the overall success of an organization.

      Management systems are a complex set of interactions between different activities carried out in different areas of an organization. When these activities are viewed as being part of a process, it is easier to understand these interactions and how they go beyond the boundaries of a specific functional unit. Also, by auditing an entire process, the people involved in it will have a greater understanding of how their activities influence the overall effectiveness of the organization’s management system.

        0 540
        Exploring the Pre-Assessment Audit

        A pre-assessment audit is one that is performed before a certification/registration audit takes place. This pre-assessment audit determines the degree of conformance of an organization’s management system(s) with the requirements of a standard (e.g. ISO 9001, ISO 14001, ISO 27001, etc.)

        After putting the time and effort to implement a management system and before diving into a certification audit, many organizations choose to contracting the services another organization or person to perform a pre-assessment audit. This is a full audit of a management system against the requirements of a specific standard that allows organizations to identify any nonconformities and implemented corrective actions before the certification audit.

        A pre-assessment audit is performed with the same independence and objectivity as a certification audit. The auditor(s) will conduct activities such as documentation review, process review, interview of process owners, etc, in order to gather the necessary information that evidence compliance.

        A pre-assessment audit is performed on-site and are a complete assessment of the management system against the requirements of the relevant standard. As any other audit, all nonconformities and observations found will be presented in an audit report that will be delivered at the end of the process; this report will serve as a baseline for the organization to improve its processes and implement the necessary corrective actions.

        Any organization that has implemented a management system and wishes to determine its readiness to undergo a certification audit can seek a pre-assessment audit. Some of the benefits of performing this audit are:

        • Helps organizations identify any non conformities and implement corrective actions.
        • Contributes in the optimal preparation for the certification audit.
        • An organization can focus its resources on weaknesses that might lead to nonconformities.
        • Depending on the outcome, organizations can decide to postpone a certification audit that has already been scheduled or, on the contrary, face the certification audit with a renewed confidence.
        • Helps organizations avoid unnecessary additional costs.

        This type of audit can be conducted by qualified consultants, registrars, or competent individuals with experience and knowledge regarding the relevant industry sector and standard. It is important to remember that, just as an organization carefully chooses  a certification body or any other service, it should also take the time to choose the correct organization or person to perform its pre-assessment audits.

          2 641

          A Certification Audit is the first step for those organizations that have decided to undergo an assessment process with a Certification Body (CB) or Registrar to determine if their management system complies with the requirements of a given standard (ISO 9001, ISO 14001, OHSAS 18001, etc). This Certification Audit is divided into two stages: Stage 1 Audit and Stage 2 Audit.

          These audits differ in many ways: their purpose, duration, information reviewed and sometimes even in the location where it will take place.

          Purpose
          The Stage 1 Audit purpose is to determine if an organization is ready or not for a certification audit. Here the Registrar will confirm that the standard’s key requirements are met, it will confirm legal compliance, implementation status and the scope of certification. The output of this audit will be a report identifying any non-conformances or potential non-conformances that the organization will have to correct before Stage 2 audit.  If Stage 1 audit is successful, the next audit will be scheduled.

          The Stage 2 Audit evaluates the implementation and effectiveness of the organization’s management system(s). During this audit, the Registrar will determine the degree of compliance with the standard’s requirements, and report any non-conformances or potential non-conformances that the organization will have to correct before the compliance certificate can be issued. If Stage 2 audit is successful, the organization’s management system(s) will be certified.

          Information assessed
          In the Stage 1 Audit the Registrar will normally review the following information:

          • Policies and procedures.
          • Legal and technical requirements.

          During Stage 2 Audit the information assessed will be:

          • All relevant documentation (records, procedures and policies) that evidences the management system’s compliance with all the standard’s requirements.
          • Evaluation of internal audits, management review and objectives.
          • Audits of all relevant processes.

          Duration
          Stage 1 Audit usually will be carried out in one day. During this audit, the Registrar can do an on-site visit to the organization’s premises and interview the ISO management representative, all of which will be done in one day.

          Stage 2 Audit can be performed in approximately three or four days. This will depend on the complexity and size of the organization being audited.

          Location
          Both audits take place in the premises of the organization being audited. Only in some cases, Stage 1 Audit can be performed off-site; this will be done if the Registrar doesn’t consider necessary an on-site visit (usually for small and simple organizations). Stage 2 Audit is always performed on-site.

          These are the main differences between Stage 1 and Stage 2 Audit. Nonetheless, every organization undergoing a certification process should maintain an open and clear communication with their Registrar in order to clarify any doubts that may arise before the audits take place.

            2 586

            ISO 9001:2008 quality management system (QMS) standard requires for top management to appoint a Management Representative (MR). As stated in the standard, this Management Representative is someone who, regardless of other duties, is responsible and has the authority for:

            • ensuring that processes needed for the quality management system are established, implemented and maintained,
            • reporting to top management on the performance of the quality management system and any need for improvement, and
            • ensuring the promotion of awareness of customer requirements throughout the organization.

            NOTE: The responsibility of a management representative can include liaison with external parties on matters relating to the quality management system.

            Let’s take a closer look at these responsibilities:

            Ensure that processes needed for the QMS are established, implemented and maintained

            The Management Representative is responsible for assisting everyone (the process owners) in meeting the requirements of ISO 9001 and developing their processes according to what the organization’s QMS has established. The MR should provide guidance and training in order to motivate and ensure that everyone is carrying out their responsibilities within the QMS in an effective and efficient way.

            Here it’s important to highlight that the establishment and maintenance of the QMS is the organization’s responsibility; the success or failure of a QMS should never fall upon one person.

            Report to top management on the performance of the QMS and any need for improvement

            The Management Representative is required to inform to top management if the QMS is working well or not by providing details of the areas that are in need of attention and the ones that can be improved. He/she should also establish trends to determine the direction of the QMS’s performance.

            All the relevant information regarding the QMS doesn’t have to be collected and analyzed by the MR. Every process owner should handle and keep record of their process’s information and the Management Representative should only process this information to determine an overall view of the QMS in order for management to take the necessary actions.

            Ensure the promotion of awareness of customer requirements throughout the organization.

            One of the main objectives of ISO 9001 is to assist organizations in meeting customer requirements, thus, the Management Representative should ensure that everyone understands that their job can directly or indirectly influence this objective.

            The Management Representative doesn’t necessarily have to carry out all of these activities; he/she just has to make sure that they are all taking place.

            As it is obvious, the Management Representative should be a member of the organization’s top management. The Management Representative should be a competent person with a high level of knowledge and understanding of ISO 9001 since he/she will be the main coordinator of the establishment and maintenance of the organization’s QMS.

              0 512
              Accreditation bodies allow organizations seeking accreditation can demonstrate to their customers that they have been successful at meeting the requirements of international accreditation standards.

              Third-party auditors are those who perform an external and independent audit of an organization’s management system to evaluate if it meets the requirements of a specific standard; if successful, this third-party audit will provide the organization with certification or registration of conformity with the given standard.

              A third party audit is carried out by a Registrar/Certification Body (CB) hired by the organization; therefore, in order for someone to be a third-party auditor, he/she needs to be employed by a CB. All CB, before hiring an auditor, need to ensure that the auditor possesses the knowledge and skills necessary to achieve the intended results of the audits they are expected to perform. Some of these are described below.

              • Personal attributes that will enable them to act in accordance with the principles of auditing, which include ethical conduct, fair presentation, due professional care, independence, and free use of an evidence-based approach.
              • Knowledge on the contents of ISO 19011: 2011, Guidelines for auditing management systems.
              • Knowledge and skills on audit principles, procedures and methods, which will enable them to conducted audits in a consistent and systematic manner.
              • They should be able to exhibit professional behavior during the performance of audit activities, including being ethical, open-minded, diplomatic, observant, perceptive, versatile, tenacious, decisive, self-reliant, open to improvement, culturally sensitive, and collaborative.
              • Knowledge and skills on management system and reference documents that will enable them to comprehend the audit scope and apply audit criteria.
              • Sector specific knowledge which will enable them to comprehend the organization’s structure, business, management practices and the legal and contractual requirements applicable to the organization being audited.

              As indicated in ISO 19011, someone pursuing to become a third-party auditor can acquired all these knowledge and skills by using a combination of the following:

              • Formal education/training and experience that contribute to the development of knowledge and skills in the management system discipline and sector the auditor intends to audit.
              • Training programs that cover generic auditor knowledge and skills.
              • Experience in a relevant technical, managerial or professional position involving the exercise of judgment, decision making, problem solving and communication with managers, professionals, peers, customers and other interested parties.
              • Audit experience acquired under the supervision of an auditor in the same discipline.

              After acquiring all the necessary knowledge and skills and successfully being employed by a CB, third-party auditors must pledged to advocate a particular code of ethical conduct in the performance of an audit and they must abide the internal policies and rules of the CB that hires them. All these requirements must be followed in order to protect everyone involved in the audit process.

                0 966
                Exploring ISO 9001 vs 9004
                Exploring ISO 9001 vs 9004

                Management systems such as ISO 9001, ISO 14001 and OHSAS 18001, require that internal audits are scheduled at planned intervals; they do not established a specific frequency nor do they establish that all processes need to have a yearly internal audit.

                Organizations need to establish a frequency that is right for them. They decide if the audits will be performed monthly, quarterly, twice a year or once a year. However, there are some criteria that should be considered before defining a frequency that adjusts to an organization’s context and needs. These are:

                Complexity of the processes.

                • Crucial or high risk processes should be audited on a more frequent basis, perhaps quarterly or twice a year.
                • Low risk processes can be audited just once a year or every other year.

                Maturity of the processes.

                • Well established processes that run efficiently can be audited once a year or every other year.
                • New developed processes should be audited quarterly until they are stable.

                Past experience.

                • Processes that have a history of frequent deficiencies or non-conformities, can be audited quarterly or twice a year.
                • Processes with troubles achieving targets and objectives can also be audited quarterly or twice a year.

                There are other factors that can influence the frequency of auditing, such as:

                • An organization’s budget for the execution of internal audits.
                • Regulatory or customers’ requirements.

                Another important fact is that there is no need to audit every process all at once, from past experiences, it is more suitable to spread out the internal audits throughout the year auditing different processes at different times; auditing many processes all at once can be exhausting and process deficiencies or areas for improvements may be overseen.

                As mentioned above, most standards do not require that all process be audited every year; nonetheless, that is a common practice in many organizations. There are even some organizations, with mature and well-establish management systems, which schedule their audits over a three year time plan. Every organization needs to take a close look at each of their processes, their management systems and other applicable requirements in order to establish a rational schedule that fits their needs and that is right for them.

                  3 800
                  ISO 9001

                  All management systems require organizations to conduct internal audits in order to obtain information that will evidence the degree to which requirements are being met. In other words, internal audits check practice against policies, processes and procedures and thoroughly document any differences.

                  Although internal audits are an important tool for organizations to evaluate their management systems and to uncover areas that are in need of attention, for many, this process induces an enormous amount of stress. For audits to serve as a means to identify gaps and effective solutions, it is essential that these are formal, planned and organized. Other key characteristics internal audits should have are:

                  They are scheduled. Surprise audits are not welcomed by anyone. A schedule should be set and communicated to everyone, preferably at the beginning of the year. There’s no need to audit all processes at once; different processes can be audited at different times throughout the year, organizations just need to make sure that at the end of the year all processes have been audited.

                  Auditors are competent. Auditors need to demonstrate in-depth knowledge of the standard which they are auditing against and they should have an understanding of the processes being audited. They should be objective and impartial; this means that they can’t audit a process which they manage or control. Large organizations usually have a team of trained auditors, but that is not necessary; an alternative is to hire the services of an external consultant to perform the internal audits.

                  They are planned. The audit needs to be confirmed with the process owner. At this stage the auditor should review procedures and previous findings or issues related to the audited process. A checklist with a pre-determined list of questions can be sought to be used during the audit; this checklist should be provided to the auditee so they have time to organize any information.

                  It’s conducted in an objective and friendly manner. An audit should start with an opening meeting with the auditor and the auditee(s). It’s recommended that the auditor works systematically through the checklist or procedure, while reviewing records, observing the process, analyzing process data and talking to employees. During the audit, the auditor must discuss the findings with the auditee before recording it.

                  Audit findings are recorded. A closing meeting with the auditee is fundamental so information is not delayed. Here the auditor should point out possible weaknesses and areas for improvement. Findings and their details (these include non-conformities, positive areas and improvement areas) need to be recorded and communicated to the auditee(s) and management.

                  Findings are monitored. The auditor is responsible for ensuring that corrective actions have been taken to fix any problems found during the audit.

                  If everyone takes advantage of the positive results internal audits can bring, and if these aid organizations to improve their processes and management system- whether is a quality, environmental or any other system- an internal audit can be considered a success.

                  © ISOUpdate.com