Internal Auditing Pitfalls - and Some Preventive Actions Common / Frequent Stumbling Blocks Some Preventive Actions and Some Helpful Auditing Tools Presented to ASQ Louisville Section, October 11, 2012 by Robert A. Abbott, CQE, Fellow, ASQ Former ANAB Accreditation Assessor Former RAB-QSA QMS Lead Auditor 1 Internal Auditing Pitfalls Rev. 1, 9/17/12 Four Phases to Internal Audits Planning and Preparing for the Audit Conducting the Audit Reporting Results and Writing NCRs Performing Root Cause Analyses and Implementing and Verifying Corrective Actions All four phases must be addressed for internal audits to be effective ! 2 Planning and Preparing “We always scramble to get our audits done – sometimes we don’t finish them” – P.A. Suggestion: Schedule defined processes within your QMS to be done each month – don’t overload auditors – Alternate: Schedule an annual “blitz” of whole system (Ref.:The Auditor, Nov-Dec 2007 issue, “Ready, Set, Blitz”) 3 Planning and Preparing “Some of our processes always seem to have more problems or take longer to audit because they are more complex” – P.A. Suggestion: Schedule additional audits of certain processes based on “status” or “importance”. This is a requirement of ISO 9001:2008, 8.2.2 Internal Audits 4 Planning and Preparing “Our auditors say they are not sure what to look for when they audit” – P.A. Suggestion: Auditors should study applicable sections of the standard, quality manual and procedures, customer and legal requirements. Make a “Turtle” diagram and a flow diagram (Process Map) of the process, make a checklist. Have a professional auditor coach your auditors – Alternate: Outsource: Hire professional “external” auditors (Ref. The Auditor, Nov5 Dec 2007 issue, “Outside Looking In”) The Turtle Diagram With What? (Materials & Equipment) Inputs How? (Support Processes, Procedures & Methods) With Whom? (Competence, Skills, Training) Process Outputs What Results? (Performance Indicators) 6 Source: AIAG 2003 Planning and Preparing “Can we use trained employees as auditors (aside from regular job)?” – Pro: Absolutely. What a great way for employees to get to know the company and to conduct a “Learning Audit” by explaining the “WHY” of requirements. Training is key!! – Con: Internal auditors can develop “blind spots” to actual nonconformities. They can lose their keen inquisitiveness if their regular job requirements are nagging or their boss resents their absence to audit. 7 Conducting the Audit “Our auditors rarely report any problems. What they do report is inconsequential” – P.A. Suggestion: Audit for effectiveness by asking four challenging questions: – “How are you (or your job) doing?” – “How do you know that?” – “Are you improving?” – “How do you know that?” How connected are employees with the company’s Quality Objectives? 8 Conducting the Audit “Our registrar’s auditor often finds that our procedures don’t match the work” – P.A. Suggestion: Audit for three contrasts: – Policy – Is it clearly stated in our manual? – Procedure – Is it up to date, support the policy? Do our people understand it? – Practice – Do we do what we say? Are innovative ways of doing things better being considered, evaluated, approved? When did you last review procedures ? 9 Conducting the Audit “Our auditors don’t know how to follow audit trails or ask the probing questions” – P.A. Suggestion: Conduct a “Learning Audit”. Evaluate auditors regularly using a more experienced auditor. Use “Turtle Diagrams” and process maps as sources of questions. Ask “Why?” five times when something doesn’t jive with the QAM or procedures. Get copies of evidence for better reporting. Practice, evaluate, practice, evaluate ! 10 Reporting the Audit “Our supervisors resent internal audits as useless fault finding” – P.A. Suggestion: Start audit reports by summarizing the good areas, especially “best practices”. Include ideas/suggestions for resolving nonconformities (Yes, internal auditors CAN consult!!). Constantly preach that nonconformities are not the end of the world or cause for personnel punishment, but Opportunities for Improvement ! 11 Reporting the audit “Is it appropriate for internal auditors to provide consulting on their own findings?” – Pro: Absolutely yes! How better to get open discussions on problems and potential solutions. Auditees and auditors often have ideas that they can jointly explore. – Con: Not if incompetent!! They must know: • • • • • Customer and stat/reg requirements The audit criteria (e.g.; Mgt. system standard) Process details, technology, and interactions Business goals, objectives, status Organization culture and resistance barriers 12 Reporting the Audit “Our nonconformity write-ups are often difficult to understand (What do I do?)” – P.A. Suggestion: ALWAYS state three items in Corrective Action Requests (CARs): – The requirement violated (doc/para/text) Take time to explain the “what” & “why” – The nonconformity (text related to req’t) – The objective evidence (what, where, when) If you can’t cite the requirement, you shouldn’t write a CAR ! (An OFI ???) 13 Closing the Audit “Our corrective actions don’t work. The problems keep coming back” – P.A. Suggestion: Conduct formal Root Cause Analysis and Effective Corrective Action training for all managers/supervisors – CAR responders must fully comprehend the difference between containment, correction, and corrective action and understand that there is a system cause to the nonconformity, not just “operator error” 14 Containment ( aka Quarantine ) In some cases, swift action needs to be taken to contain the problem and prevent any consequences of the problem (“escapes”) from affecting customers This containment action must lead to the immediate fixing of the problem at hand, which is referenced in ISO 9000 as correction; it should not be confused with containment or corrective action 15 Correction vs. Corrective Action ISO 9000:2005 defines these as: Correction: Action to eliminate a detected nonconformity (3.6.6) Corrective action: Action to eliminate the cause of a detected nonconformity or other undesirable situation(3.6.5) – Note 1 There can be more than one cause for a nonconformity – Note 2 Corrective action is taken to prevent recurrence Bold = Abbott emphasis 16 Some More Advice ( from Ford ) Recognize that there are at least two causes for each quality problem: – A technical cause (and there may be more than one !!!) such as a bearing failure or an operator error and – A system cause such as an ineffective preventive maintenance program or incomplete employee training program or incorrect procedure or work instruction You Must Fix Both (ALL) 17 Even More Advice ( from Abbott ) Utilize all appropriate quality tools to get at the root cause, such as: – Ishikawa fishbone cause/effect diagram with the seven M’s as the branches, Man, Machine, Method, Materials, Measurements, Mother Nature, Management – “Five Why’s” fault tree analysis diagram, looking for common “grandfathers” as high priority items to fix – Kepner-Tregoe Cause Analysis 18 Assuring Effectiveness Don’t forget to prevent recurrence by changing the system as appropriate: – Revise procedures, policies, QA Manual – Train/retrain employees, adjust training needs matrix – Inform all who “touch” the process Look at other processes/products. Can or should the fix(es) be used on them? 19 Closing the Audit “Our CARs seem to hang open forever” – P.A. Suggestion: Set agreed completion dates. Monitor CAR action timing, remind owners, only accept corrective action plans that address true root causes. Escalate non-responses! – Audit the process to verify that ALL actions have been effectively implemented, other processes have been considered, there has been NO RECURRENCE since the corrective action has been implemented 20 Only then can you close the CAR Some Helpful References The Auditor, a bi-monthly newsletter from Paton Professional, $99/year, has informative articles from auditing gurus, available at www.theauditoronline.com Booklets by Denise Robitaille from Paton Professional on Root Cause Analysis, Corrective Action, others, typically ~$25, available from www.patonprofessional.com Root Cause Analysis, book by Duke Okes 21 ASQ H1363, $ 28 (member price)