A Guide to Effective Internal Management System Audits
eBook - ePub

A Guide to Effective Internal Management System Audits

Implementing internal audits as a risk management tool

  1. 122 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

A Guide to Effective Internal Management System Audits

Implementing internal audits as a risk management tool

About this book

Are your internal audits adding value?
Organizations hoping to comply with any of the International Standards for management systems (e.g. ISO9001, ISO27001) must carry out internal audits. However, the requirements set down by accreditation bodies for auditor courses make little distinction between internal and external audit programs. As a result, many organizations instruct their internal auditors using resources designed for external auditors. Such internal audit programs often fail to develop beyond simple compliance monitoring, and risk becoming 'box-ticking' exercises, adding little value to the organization.

Transform your internal audits and improve your systems
A Guide to Effective Internal Management System Audits provides a model for the management and implementation of internal audits that moves beyond simple compliance to ISO requirements and turns the internal audit into a transformational tool that the organization can use to assist with the management of risk, and implement improvements to management systems.

This book shows you how you can transform your internal auditing process to become a tool for development and continual improvement in your management systems.

Start adding value to your internal auditing program.

Frequently asked questions

Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription.
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
Perlego offers two plans: Essential and Complete
  • Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
  • Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.4M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
Both plans are available with monthly, semester, or annual billing cycles.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Yes! You can use the Perlego app on both iOS or Android devices to read anytime, anywhere — even offline. Perfect for commutes or when you’re on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app.
Yes, you can access A Guide to Effective Internal Management System Audits by Andy Nichols in PDF and/or ePUB format, as well as other popular books in Business & Operations. We have over one million books available in our catalogue for you to explore.

Information

Publisher
IT Governance Publishing
Year
2014
eBook ISBN
9781849285612
Topic
Business
Subtopic
Operations
Index
Business

CHAPTER 1: MANAGEMENT SYSTEMS AUDITS – A BACKGROUND

Auditing of organizations has been a regular occurrence in various industries for many years. Before the advent of the most commonly known international standards for management systems, major procurement organizations and regulatory agencies were auditing throughout the supply chain as a means to evaluate those suppliers involved.
For the purposes of this guide, it is worth beginning by defining what an audit is, in the context of a management system requirement such as ISO9001, ISO14001 and so on. In some industries, the term audit and inspection (Quality control activities) are used interchangeably.
In the context of a management system internal audit, the following definition is applicable:
“Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled”.
ISO19011:2011, 3.1
Note:
Other common types of audit may be associated within the context of a management system and should not be confused with the subject of this guide:
  • Control Plan (Process) Audits
  • Product Audits
  • Layered Process Audits
Control plan (process) audits are common in, for example, the automotive manufacturing supply chain and are usually an audit of the manufacturing line, evaluated against the “process control plan.” In the food industry the audit is carried out against an H.A.C.C.P (hazard analysis and critical control points) plan.
Product audits are also common in a variety of industries: automotive, food processing, and pharmaceuticals. These audits are carried out usually on finished, packed product against the relevant product-related specifications.
Layered Process Audits is an audit method mainly required by top-tier customers of their lower-level suppliers in the automotive supply chain, to determine if their suppliers’ process controls are in place on the product manufacturing line and that they are working effectively. Typically, the “layers” relate to the various levels (or layers) of management involved in performing the audits.
Using a predetermined checklist, an audit of the process controls and other requirements, such as training, maintenance/calibration and so on, is performed by the line/area supervisor, on each shift running. Any issues are noted in an audit log and brought to the attention of the relevant department for action. The next layer of management/supervision then performs a similar audit, usually at a lesser frequency (weekly) and includes a review of the status of any actionable items from the first layer of audits. As each successive layer of management undertakes their audit (once again, at a reduced frequency), the focus becomes more on the actions to ensure they are, effectively, escalated to the level of management that can direct resources/budget and so on.
Apart from some very basic instructions, no training of auditors is required and, for other reasons, these layered process audits should not be considered as a replacement for the management systems audits required by the applicable ISO Standard, or “Technical Specification” (such as ISO/TS 16949).
The requirement for internal management systems audits has been present in ISO9001 and its predecessor BS5750 since their publication in 1987. The arrival of third-party certification of organizations to the ISO Standard wasn’t until 1989–1990, so we can safely conclude that the reason for including internal audits in the ISO9001 Standard wasn’t much to do with preparing for certification.
So why then, would the ISO9000 technical committee, TC176, responsible for authoring the Standard, have included this requirement?
Just as with other types of audits they are mainly used (by or on behalf of stakeholders) as an independent verification of the conditions prevailing (sometimes historic) at the time they are performed. They should be an evaluation of facts of whatever the objective(s) of the management system is, be it financial, regulatory, supply chain, or something else.
ISO9001, 8.2.2 states:
The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and
b) is effectively implemented.
 
An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.
A documented procedure shall be established to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results.
Records of audits and their results shall be maintained (see 4.2.4).
The management responsible for the area being audited shall ensure that any corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes.
Follow-up activities shall include verification of the actions taken and the reporting of verification results (see 8.5.2).
By further analyzing how internal audits were intended to be applied to the management system, we can better understand their role and the service that should be provided to management – as a risk-management tool.
Audits are frequently performed upon an organization by representatives of customers, government agencies, and other external bodies – now including the third-party certifiers or registrars. The predominant model of how audits are performed is, therefore, based on the activities and behaviors of those from outside the organization. They are, almost universally, external audits.

Supplier Audits

Much of the background to management systems auditing has come from the practices of major procurement organizations in those industries where supplier audits are common. These include, for example:
  • medical device
  • defense
  • automotive
  • aerospace
Often, these audits were subsequently flowed down through the supply chain to lower-tier organizations.
There are basically two fundamental reasons for performing supplier management system audits:
  • supplier selection
  • supplier monitoring
Each has a somewhat different focus and may be performed by a variety of personnel from the procuring organization.

Supplier Selection Audits

When an organization seeks a new supplier it is often important to gather information about that supplier and its capabilities. While it is common to send detailed questionnaires to a supplier, these cannot represent its capabilities as effectively as actually visiting its facilities and seeing, first hand, its operations. Frequently, an evaluation of the supplier’s financial status is also undertaken, through a “Dunn and Bradstreet” report, or similar. The purpose of such an audit is to determine the risks associated with doing business with a supplier.
For example, the audit might focus on the potential supplier and what controls it has over its suppliers (perhaps raw materials), knows how to ensure incoming product is correct, and, therefore, protects the customer from non-conforming product. If the audit reveals the nature and effectiveness of the supplier’s supplier controls, the risks to the customer can be identified and a business decision made to work with the supplier – or abandon it.
The basis of supplier “Quality Assurance” was (originally) the purpose behind the use of ISO9001 and its predecessors, BS5750, NATO AQAP 1, and so on. These standards may be applied to the whole supplier organization, but often as not, the purchasing organization’s primary interest is in those aspects of the supplier’s arrangements for controlling the product to be purchased and, hence, understanding the risk in using that supplier.
Where a supplier organization is found to be adequate it is common to use contractually binding QA arrangements, such as Quality Plans or Control Plans that define the agreed upon activities to ensure a quality product is the result.
In regulated industries, such as those producing medical devices, to allow those products into the marketplace, the regulatory authorities make it a requirement to define the controls needed to assure the development and production to the approved specification(s). In the US this is (in part) known as the Federal Drug Administration’s “510(K).” Since the effects of making non-conforming products – drugs, pharmaceuticals and so on, or those involved in food production – can have serious and widespread consequences, the organizations throughout the supply chains involved are regularly audited to ensure conformity to the various regulations, with the intention of minimizing risk.

Supplier Monitoring Audits

Having established that a supplier organization is capable of meeting the procurement organization’s needs, periodic audits may be carried out to ensure the controls put into place are still followed. These may be performed to a schedule – perhaps annually, or timed to coincide with key events in production, such as start-up, changes in facilities, specifications, facilities, and so on. Once again, the main theme of these audits will be the product-specific quality assurance arrangements.
Furthermore, should a supplier deliver suspect or non-conforming product an audit may be initiated at the supplier’s site, focusing on the corrective actions taken to control and remediate the issue from reaching the customer.

Third-party Certification Audits

Originally being intended to reduce the need for multiple purchasing organization audits of suppliers, independent “third-party” certification is used to provide evidence of basic quality assurance being in place at the organization. When an organization is certified as complying with one or more international management systems standards by an accredited certification body, a purchasing organization may accept that supplier development will be minimal. Purchasing organizations may elect to augment this “ISO” certification with their own audits, as described previously, to fully understand the degree to which the supplying organization may suit their needs.
Third-party certification is described in chapter 4.

CHAPTER 2: THE ROLE OF ISO19011

In 1991, three years after ISO9001 was published, a guidance document was released by the International Standards Organization on the subject of quality management systems auditing, ISO10011. This was subsequently withdrawn and replaced, in 2002, by ISO19011, “Guidelines for quality and/or environmental management systems auditing.”
The current version of ISO19011 has been tailored to be more suitable for internal a...

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. Foreword
  5. Preface
  6. About the Author
  7. Acknowledgements
  8. Contents
  9. Introduction
  10. Chapter 1: Management Systems Audits – a Background
  11. Chapter 2: The Role of ISO19011
  12. Chapter 3: The Internal Audit Process
  13. Chapter 4: Third-Party Certification of Management Systems
  14. Chapter 5: Internal Auditor Competencies
  15. Chapter 6: Using the Results of Internal Audits
  16. Chapter 7: Risk Based Internal Audit Case Studies
  17. Case Study #1
  18. Case Study #2
  19. Annex 1: Comparison of Requirements for Internal Audits
  20. Appendix 1: The Football© Planning Tool
  21. ITG Resources