Internal Auditing Pitfalls
- and Some Preventive Actions Common / Frequent Stumbling Blocks
Some Preventive Actions
and Some Helpful Auditing Tools
Presented to ASQ Louisville Section, October 11, 2012
by Robert A. Abbott, CQE, Fellow, ASQ
Former ANAB Accreditation Assessor
Former RAB-QSA QMS Lead Auditor
1
Internal Auditing Pitfalls Rev. 1, 9/17/12
Four Phases to Internal Audits
Planning and Preparing for the Audit
 Conducting the Audit
 Reporting Results and Writing NCRs
 Performing Root Cause Analyses and
Implementing and Verifying Corrective
Actions
All four phases must be addressed for
internal audits to be effective !

2
Planning and Preparing

“We always scramble to get our audits
done – sometimes we don’t finish them”
– P.A. Suggestion: Schedule defined
processes within your QMS to be done
each month – don’t overload auditors
– Alternate: Schedule an annual “blitz” of
whole system (Ref.:The Auditor, Nov-Dec
2007 issue, “Ready, Set, Blitz”)
3
Planning and Preparing

“Some of our processes always seem to
have more problems or take longer to
audit because they are more complex”
– P.A. Suggestion: Schedule additional
audits of certain processes based on
“status” or “importance”. This is a
requirement of ISO 9001:2008, 8.2.2
Internal Audits
4
Planning and Preparing

“Our auditors say they are not sure what
to look for when they audit”
– P.A. Suggestion: Auditors should study
applicable sections of the standard, quality
manual and procedures, customer and
legal requirements. Make a “Turtle”
diagram and a flow diagram (Process Map)
of the process, make a checklist. Have a
professional auditor coach your auditors
– Alternate: Outsource: Hire professional
“external” auditors (Ref. The Auditor, Nov5
Dec 2007 issue, “Outside Looking In”)
The Turtle Diagram
With What?
(Materials & Equipment)
Inputs
How?
(Support Processes,
Procedures & Methods)
With Whom?
(Competence, Skills, Training)
Process
Outputs
What Results?
(Performance Indicators)
6
Source: AIAG 2003
Planning and Preparing

“Can we use trained employees as
auditors (aside from regular job)?”
– Pro: Absolutely. What a great way for
employees to get to know the company
and to conduct a “Learning Audit” by
explaining the “WHY” of requirements.
Training is key!!
– Con: Internal auditors can develop “blind
spots” to actual nonconformities. They can
lose their keen inquisitiveness if their
regular job requirements are nagging or
their boss resents their absence to audit. 7
Conducting the Audit

“Our auditors rarely report any problems.
What they do report is inconsequential”
– P.A. Suggestion: Audit for effectiveness
by asking four challenging questions:
– “How are you (or your job) doing?”
– “How do you know that?”
– “Are you improving?”
– “How do you know that?”

How connected are employees with the
company’s Quality Objectives?
8
Conducting the Audit

“Our registrar’s auditor often finds that
our procedures don’t match the work”
– P.A. Suggestion: Audit for three contrasts:
– Policy – Is it clearly stated in our manual?
– Procedure – Is it up to date, support the
policy? Do our people understand it?
– Practice – Do we do what we say? Are
innovative ways of doing things better
being considered, evaluated, approved?

When did you last review procedures ?
9
Conducting the Audit

“Our auditors don’t know how to follow
audit trails or ask the probing questions”
– P.A. Suggestion: Conduct a “Learning Audit”.
Evaluate auditors regularly using a more
experienced auditor. Use “Turtle Diagrams”
and process maps as sources of questions.
Ask “Why?” five times when something
doesn’t jive with the QAM or procedures. Get
copies of evidence for better reporting.

Practice, evaluate, practice, evaluate !
10
Reporting the Audit

“Our supervisors resent internal audits
as useless fault finding”
– P.A. Suggestion: Start audit reports by
summarizing the good areas, especially
“best practices”. Include ideas/suggestions
for resolving nonconformities (Yes, internal
auditors CAN consult!!). Constantly preach
that nonconformities are not the end of the
world or cause for personnel punishment,
but Opportunities for Improvement !
11
Reporting the audit

“Is it appropriate for internal auditors to
provide consulting on their own findings?”
– Pro: Absolutely yes! How better to get open
discussions on problems and potential
solutions. Auditees and auditors often have
ideas that they can jointly explore.
– Con: Not if incompetent!! They must know:
•
•
•
•
•
Customer and stat/reg requirements
The audit criteria (e.g.; Mgt. system standard)
Process details, technology, and interactions
Business goals, objectives, status
Organization culture and resistance barriers
12
Reporting the Audit

“Our nonconformity write-ups are often
difficult to understand (What do I do?)”
– P.A. Suggestion: ALWAYS state three items
in Corrective Action Requests (CARs):
– The requirement violated (doc/para/text)
Take time to explain the “what” & “why”
– The nonconformity (text related to req’t)
– The objective evidence (what, where, when)

If you can’t cite the requirement, you
shouldn’t write a CAR ! (An OFI ???) 13
Closing the Audit

“Our corrective actions don’t work. The
problems keep coming back”
– P.A. Suggestion: Conduct formal Root
Cause Analysis and Effective Corrective
Action training for all managers/supervisors
– CAR responders must fully comprehend
the difference between containment,
correction, and corrective action and
understand that there is a system cause to
the nonconformity, not just “operator error”
14
Containment ( aka Quarantine )
In some cases, swift action needs to be
taken to contain the problem and
prevent any consequences of the
problem (“escapes”) from affecting
customers
 This containment action must lead to the
immediate fixing of the problem at hand,
which is referenced in ISO 9000 as
correction; it should not be confused
with containment or corrective action

15
Correction vs. Corrective Action
ISO 9000:2005 defines these as:
 Correction: Action to eliminate a
detected nonconformity (3.6.6)
 Corrective action: Action to eliminate
the cause of a detected nonconformity
or other undesirable situation(3.6.5)

– Note 1 There can be more than one
cause for a nonconformity
– Note 2 Corrective action is taken to
prevent recurrence
Bold = Abbott emphasis
16
Some More Advice ( from Ford )

Recognize that there are at least two
causes for each quality problem:
– A technical cause (and there may be more
than one !!!) such as a bearing failure or an
operator error
and
– A system cause such as an ineffective
preventive maintenance program or
incomplete employee training program or
incorrect procedure or work instruction
You Must Fix Both (ALL)
17
Even More Advice ( from Abbott )

Utilize all appropriate quality tools to get
at the root cause, such as:
– Ishikawa fishbone cause/effect diagram
with the seven M’s as the branches, Man,
Machine, Method, Materials, Measurements, Mother Nature, Management
– “Five Why’s” fault tree analysis diagram,
looking for common “grandfathers” as high
priority items to fix
– Kepner-Tregoe Cause Analysis
18
Assuring Effectiveness

Don’t forget to prevent recurrence by
changing the system as appropriate:
– Revise procedures, policies, QA Manual
– Train/retrain employees, adjust training
needs matrix
– Inform all who “touch” the process

Look at other processes/products. Can or
should the fix(es) be used on them?
19
Closing the Audit

“Our CARs seem to hang open forever”
– P.A. Suggestion: Set agreed completion
dates. Monitor CAR action timing, remind
owners, only accept corrective action plans
that address true root causes. Escalate
non-responses!
– Audit the process to verify that ALL actions
have been effectively implemented, other
processes have been considered, there
has been NO RECURRENCE since the
corrective action has been implemented
20
Only then can you close the CAR
Some Helpful References
The Auditor, a bi-monthly newsletter from
Paton Professional, $99/year, has
informative articles from auditing gurus,
available at www.theauditoronline.com
 Booklets by Denise Robitaille from Paton
Professional on Root Cause Analysis,
Corrective Action, others, typically ~$25,
available from
www.patonprofessional.com
 Root Cause Analysis, book by Duke Okes
21
ASQ H1363, $ 28 (member price)
