14th June 2009
The 8th IRCA International Forum
Developing
An Effective Internal Audit System
～
Activities of
ＩＳＯ users
～
Hirokazu Hata
Director, H4
１
Definitions of an effectiveness audit and an effective audit
２
Movement from conformity audit to effectiveness audit
３
Relationship between effectiveness audit and
integrated management system
４
Development of an effective internal auditor
５
Each company’s approach to effectiveness internal audit
６
Summary
Ｈ４
I have made the following presentations before.
・at the 4th Forum in 2005
“Value-added internal audit” (integrated system
internal audit)
・at the 6th Forum in 2007
“Proposals from users regarding perfect audit ”
(partnership between auditor and auditee)
At this Forum, I will make the following presentation;
・ “Developing an effective internal audit system”
(actions at user side)
All are viewed from ISO users.
Original topics for this Forum
Effective internal audit
in the slow economy
As an user of ISO standards, “continual
improvement in internal audit” is the permanent
theme.
I would like to talk about evolution of audit with
case examples from past to present audits aiming
at “effective internal audit”, regardless of the
current slow economy.
Explanation of evolution of internal audit systems
where I have been involved
From 1999 to March 2006
When I was developing a management system within a
company and acted as the responsible person for
internal audit in the company
Phase of
struggling
From April 2006 to 2009 (to date)
Time of independent contractor, advisor for companies
Phase of
meddling
１
Definitions of an effectiveness audit and an effective audit
２
Movement from conformity audit to effectiveness audit
３
Relationship between effectiveness audit and
integrated management system
４
Development of an effective internal auditor
５
Each company’s approach to effectiveness internal audit
６
Summary
Ｈ４
Definition
Definition and
and concept
concept of
of an
an effectiveness
effectiveness internal
internal audit
audit
(my
(my opinion)
opinion)
Conformity
Effectiveness
internal audit
Internal audit
Evolution
Checking conformity to
the ISO standard and the
internal system
Checking internal operations using
the management system standard
as a tool
Checking effectiveness of the
essential operations
assumption
Primitive internal audit system
Effective internal audit system
Definition
Definition and
and concept
concept of
of an
an effectiveness
effectiveness internal
internal audit
audit
(my
(my opinion)
opinion)
・Conformity internal audit
Audit to check conformity to the standard,
internal rules, laws and customer
requirements, etc.
・Effectiveness internal audit
Audit to check whether the system is effective
or not
・Effective internal audit
Audit that brings about the planned and highlyeffective results
Definition
Definition and
and concept
concept of
of an
an effectiveness
effectiveness internal
internal audit
audit
(my
(my opinion)
opinion)
Effectiveness
internal audit
Conformity internal audit
Checked thru
有効な内部
an effective
監査で確認
internal audit
For
For effective
effective internal
internal audit
audit
Effective internal
audit
Effective internal audit
development system
Effective
internal audit
system
Area where both systems
supplement each other
For
For effective
effective internal
internal audit
audit
For an internal audit to be effective…what are effective?
Audit process is effective
Auditor is effective
Valid
qualification
Internal
qualification
Evaluation
method
Valid
competence
Development
training
Brush-up
Audit is effective
Effective auditing
method
Valid audit plan
Check sheet
Promotion plan
Auditing method at
work
Basic plan
Departmental
plan
１
Definitions of an effectiveness audit and an effective audit
２
Movement from conformity audit to effectiveness audit
３
Relationship between effectiveness audit and
integrated management system
４
Development of an effective internal auditor
５
Each company’s approach to effectiveness internal audit
６
Summary
Ｈ４
Changes
Changesin
inmaturity
maturityof
ofan
anorganization
organization(presented
(presentedatatthe
theForum
Foruminin2007)
2007)
Evolved according to the system maturity
Preparation
for
introduction
1st year 2nd year
Introduction stage
3rd year
Settlement stage
Viewpoint of maturity
Phase where
auditor provides
precise advices
Audit with
YES/NO
against the
standard
Audit with YES/NO
against the system
4th year
6th year
Growth stage
7th year ～
Development stage
Audit to assess
effectiveness of the
management
system
Audit to
assess
effectiveness
of the system
Focus
Focuson
oneffectiveness
effectivenessofof
IN/OUT
IN/OUT
Checking
Checkingofofimpact
impactofof
management/administration
management/administration
factors
factors
Focus
Focuson
onconnections
connectionsamong
among
processes
processes
Focus
Focuson
onperformance
performance
Conformity
Conformityassessment
assessmentalong
along
the
established
system
the established system
Conformity
Conformityassessment
assessment
against
the
against thestandard
standard
5th year
Phase where
auditor encourages
as inspiring person
Table
Tableof
ofstages
stagesin
inISO
ISOsystem
system
Auditor’s
support required
ISO system introduction/settlement stages (conformity confirmation stage)
Stage
Description
System status
Internal audit
status
Implied issues
ISO
introduction
Assessment of
conformity to
standard
Creation of
documents
conforming to
standard is main task
YES/NO check
against the clauses of
standard
Gap between system and
actual operation is likely to
occur
Settlement
Assessment of
conformity to
established system
Settlement of
operation
improvement cycle
Assessment of
consistency between
management system
and actual operation
Audit becomes formalized
Barrier
ISO system growth/development stages (effectiveness confirmation stage)
Stage
Growth
Development
System status
Internal audit
status
Assessment of
processes and
performances
Consistency between
management system
and actual operation
In/out audit to check
effectiveness with
performance focused
Guaranty of auditor’s
identity /finding out of
possible problems ⇒
response action
Assessment of
IN/OUT and impact
Evolution to
integrated/combined
system
Audit to check impact
factors
Audit becomes longer,
difficulty in developing
competent auditor for
integrated/combined audit
Description
Implied issues
Evolution
Evolutionof
ofmanagement
managementsystem
systemand
andinternal
internalaudit
audit
Evolution of internal audit is traced as
follows …
１．Linkage with Visual Management (VM)
From 2001 to 2002
Checking of performance ⇒ identification of
problems
２．Introduction of vertical and lateral audits
From 2002 to 2003
Focus on connections of processes ⇒ sharing of
problems
３．Introduction of turtle model
Focus on impact to processes ⇒
From 2005 to 2004
Cooperation for problem-solving
Elimination of dependence on individual skills
From 2000 to 2002
1. Linkage with visual management (VM)
Grasping of status through
Visual Management
Priority issue is:
Identification of problems (Q・E・C・D・S) at workplace
Definition of VM (Visual Management)
・For entire work place, for types of tasks at work, for
each worker,
VM control activities
・details and amount of task,
・progress Ａstatus of Ｐtask schedule,
・action
status, etc.
Proactive
management
can be
cycle visible, and
Ｃ
Ｄ
・before problem or poor result occurs,
・grasp the fact precisely as soon as possible, and
・when a problem is likely to occur, seek the cause,
and
plan and implement the measures in a timely manner.
Actions are taken
Abnormality, waste,
as soon as possible
and problem are
before occurrence
kept visible
of trouble or poor
result
In 2001
Thorough visual management
Well-organized waste bins for separation
VM board common for entire company
Display of process control board
Display of production control board
■Integration of MS and VM activities
Management information is excluded
Process
management
in dept.
ＶＭ board (common for the entire
organization)
Companywide
policy
philosophy
Middleterm plan
Departmental
objective
management
Ｄｏ
Ｐｌａｎ
Quality
policy
Environmental
policy
Objectives
for current
term
Departmenta
l process
approach
chart
Group
Group
Individual
Individual
Objective
management
Objective
management
Comment by manager
Ｃｈｅｃｋ・Ａｃｔｉｏｎ
Allocation of
required
competence
Training
plan
Status of
use of
recourses
Skill map
■Linkage
■Linkageamong
amongprocesses・performance
processes・performancefocus
focus
Check if
linkage with
previous
process is
correct
Input
Check if
support is
appropriate
Process where top
management is
involved
Process to realize
operations in its
own department
Support process
Check if
correct
information is
input
Output
(Is it effective?)
Check if
linkage with
next process
is correct
D epartm ental process approach chart (exam ple)
D ate
Approved
C hecked
D epartm ent:P roduction ○ secition in P roduction D ept.
P rocess w here top m anagem ent is involved
P roduction
controlprocess
Input process
1.P rocess design
process
2.C ustom er-supplied
product process
3.M aterialm anagem ent
process
O bjective
m anagem ent
process
C ustom er
satisfaction
process
Its ow n departm ent realization process
1.P rocess controlprocess
2.Specialprocess controlprocess
3.N onconform ing product controlprocess
4.P roduct m onitoring and m easurem ent
process
Training process
M easuring
instrum ent
controlprocess
C ustom er
property supply
process
Support process
O utput process
1.Test control
process
C reated
■Benefits of Visual Management (1)
Individual・team objective
management can be understood
Linkage between own work and policy
can be understood and what to do is
clear
Ｐ・Ｄ・Ｃ・Ａ in operations
is immediately understood
Trend management can lead
to preventive actions
・Elimination of preparation of reference
materials for meeting ⇒ everything is clear
in here・best use of time for improvement of
efficiency!
Think upside down
Conventional way of thinking
Department
Report
Management
New structure
Management
Can visit work
place at any time
Check with ＶＭ board
The latest information is posted so every detail of the
situations can be grasped!
There is no need for reporting and preparing
documents!
■Benefits of Visual Management (2)
Linkage among company-wide
policy, departmental objectives
and targets can be understood
Training plan and individual
competence (skill map) are clear
Details and progress of corrective
and preventive actions are clearly
shown
・Prioritized work is clear
・Communication is
ensured
Internal audits can be done
completely in front of VM board
From 2003 to 2004
2. Introduction of vertical and lateral audits
Focus on process linkage ⇒ Sharing of
problems
Purpose is:
Sharing of problems between
both of auditors and auditees
Background is:
Frequent organization change and cooperative
work between parent and subsidiary companies
Improvement
Improvementof
ofduplication
duplicationof
ofmanagement
managementsystems
systems
Im provem ent of relationship betw een parent and subsidiary com panies' m anagem ent system s
P resident
P arent com pany's
QMS
Subsidiary
com pany's Q M S
T op
M anagem ent
P resident
S ystem
M anager
QMS
M anagem ent
R epresentative
EM S/Q M S
M anagem ent R epresentative
QA
D epartm ent
M anager
Q uality
Engineering
D esign R oom
R eliability C enter
P art of D esign dept.
designs S ubsidiary
com pany's products
Empowerment in
management
R eliability test for part of
S ubsidiary com pany's
products is carried out
Management
Managementsystem
systemin
invertical
verticaldirection
direction
Developed form of level-base audit
Beyond
boundaries of
parent/subsidiary/
group companies
(Overlapped areas)
Management
system audit
for
organizations
Management system
audit for departments
Process evaluation・
process evaluation
Check the main pillar in organization
Check the main pillar in organization
It is important to
check interface
among levels
carefully
Internal audit to assess conformity and
effectiveness of company-wide management
system
Validation of companywide objectives, etc.
Auditee: management team, EMR
Audited by: Leader internal auditor, in some
cases, outsourced to related company
General internal audit
Auditee: all departments
Audited by: internal auditor
Internal audit for actual
operations
Auditee: Production dept., dept
in charge of outsourced
manufacturing
Audited by: self-check or
auditor from similar operation
dept.
Management
Managementsystem
systemin
inhorizontal
horizontaldirection
direction
Top management
checks the system
including supply
chain laterally
Developed form of system approach
Top management
Manager
Customer
Organization
Organization
Organization
Organization
Organization
Suppliers, subcontractor
companies
z
Levelbase
audit
Person
in
charge
Check if there is not any thing in gaps among them
Internal
Internal audit
audit plan
plan in
in about
about 2003
2003
Twice internal audits a year
Apr.
May.
Jun.
Jul.
Aug. Sept.
Oct.
Nov.
Dec.
Jan.
Feb.
Mar.
Vertical audit
Validity of
objective
management
Sharing of objectives and
targets
Communication among
organizations
Lateral audit
Connections of
processes
Right flow of products and
services
Accurate communication
Response to requirements for control of
chemical substances
From 2004 to 2006
3. Introduction of turtle model
Focus on impact on processes ⇒
Cooperation for problem-solving
Elimination of dependence on individual skills
Purpose
is:
Improvement of ability to solve problems
■
■Check
Checkof
ofinfluential
influentialfactors
factorsby
bythe
theturtle
turtlemodel
model
Does information flow bring about additional value? Effective?
Does goods and service flow bring about additional value? Effective?
Means – by what?
Is infrastructure
appropriate?
(Equipment/facilities,
materials, testing machines,
and other resources used in
processes)
As a result, is
PDCA run
appropriately?
Is he/she competent?
Does he/she develop people?
(Training, awareness, competence)
Input
Process
What is the purpose?
(“Work” performed in auditee
dept.)
¾Environmental/Quality
policy, company-wide
objective
¾Objective of new product
¾Major control items
¾Laws and regulations, etc.
By who?
Policy, objective
development/daily
management/supporting
work
Output
Does the result serve
the purpose?
(Effectiveness)
¾Products and services
¾Objective achievement
level
¾What is next action?
How?
To what extent?
Is it just enough way?
Any waste, irregularity,
strain?
Is the measure appropriate?
(Method/procedure/technique)
(Responsibility and authority)
(Response to emergency
situation)
Any constrained conditions?
Is design and development valid?
(measurement/evaluation), (best available
technology) (laws and regulations)
Audit
Auditprocedure
procedureadopted
adoptedin
in2004
2004
Confirmation of segregation of duties/job descriptions
(presence of dependence of individual skills)
Interview based on checklist (checking for differences)
Discussion for solution of identified problems
(conclusion of audit)
Implementation of audit
Interview based on turtle diagram (re-filling)
Improvement of communication
Creating audit work instruction and checklist
Preparation for
audit
Drafting (filling in) turtle diagram
Evolution
Evolutionof
ofmanagement
managementsystem
systemand
andinternal
internalaudit
audit
マネジメントシステムと内部監査を構築
Elimination of discontent in auditee
してきた足跡を振り返ってみると・・・
“Audit is to just raise findings!”
From 2001
to 2002
1. Linkage with visual management (VM)
Identify
problems at workplace from the viewpoint of “third-party”
パフォーマンスの確認⇒問題点の抽出
2. Introduction of vertical and lateral audits
From 2002
to 2003
Share problems across organizations and departments
3. Introduction of the turtle model
From 2004
to 2005
Find solutions to problems with general ability
プロセスへの影響重視⇒問題点解決の協
力 to relate to projects （ISMS, OHSAS, REACH, etc.）
Develop
属人性
１
Definitions of an effectiveness audit and an effective audit
２
Movement from conformity audit to effectiveness audit
３
Relationship between effectiveness audit and
integrated management system
４
Development of an effective internal auditor
５
Each company’s approach to effectiveness internal audit
６
Summary
Ｈ４
Transition
Transitionto
toorganization
organizationwhich
whichcan
cangrow
growand
anddevelop
develop
The factor for upgrading conformity internal audit
to effectiveness internal audit is …
Transition to integrated
system, as the driving
force to overcome the
barrier
Flow
Flow of
of the
the established
established system
system
OHSAS18001
ＩＳＯ９００１/１４００１
In April 2004
＋α integrated system
ＩＳＯ１４００１
ＩＳＯ９００１＋１４００１
Certified in April 1999
ISO27001
In June 2005
ＩＳＯ９００１
Certified in April 1992
As a result, the system came to cover 4
factories and 4 affiliated companies
(1800 employees included).
Things
Things done
done for
for effective
effective internal
internal audit
audit
Implementation of integrated internal audit in 1999 to around Autumn
of 2002
At the beginning, QMS and common areas and then EMS
area were audited, under what is called the combined audit.
QMS
Purchasing,
monitoring and
measuring of
processes,
design and
development
Audit of
common areas
Management review, internal audit,
objectives and targets, corrective
action, preventive action, training,
responsibility and authority,
measurement and analysis, control of
documents, control of records
EMS
Environmental
aspects, legal
requirements,
emergency
preparedness
Completely-integrated internal audit for QMS and EMS was
implemented around April in 2003
Checklist also integrated
Target at issue of
ISO14001：2004
Who is responsible for management system?
President
Engineering
Development
Dept.
Quality
Control
Dept.
Production
Dept.
General
Affairs
Dept.
Sales
Dept.
ISMS
？
QMS
？
EMS
？
OH&S
？
Audit Office
Corporate
Planning
Engineerin
g Sec.
System
Development
Sec.
Inspection
Sec.
Quality
Control Sec.
Production
Control Se.
Production
Engineering
Sec.
Production
Sec.
Equipment
Sec.
Accountin
g Sec.
General
Affairs
Sec.
Sales Sec.
Who is responsible for the management system
in a true sense?
How can we take a top-down approach
when responsible functions differ in the
management system?
Who is responsible for the management system?
Audit Office
Corporate
Planning
Engineering
Development
Dept.
Quality
Control
Dept.
Production
Dept.
General
Affairs
Dept.
Sales
Dept.
ISMS
？
QMS
？
EMS
？
OH&S
？
Each dept.
implements
practical
business
affairs
President
Isn’t this
responsibl
e in a real
sense?
Engineerin
g Sec.
System
Development
Sec.
Inspection
Sec.
Quality
Control Sec.
Production
Control Se.
Production
Engineering
Sec.
Production
Sec.
Equipment
Sec.
Accountin
g Sec.
General
Affairs
Sec.
Sales Sec.
Top
Topmanagement-led
management-ledrisk
riskmanagement
managementwithin
withinthe
theorganization
organization
Ideally
Top management
Ｐ
ＲＭ(Risk Management)
Medical device
ISO13850
Ｃ
Quality
ISO9001
Health and safety
OHSMS
18001
Information risk
ISO27001
Ｃ Ｄ
Environment
ISO14001
Ａ Ｐ
Ａ
Ｄ
Automobile
TS16949
IT management
ISO20000
Food product
ISO22000
Runs respective management systems within the integrated
system
１
Definitions of an effectiveness audit and an effective audit
２
Movement from conformity audit to effectiveness audit
３
Relationship between effectiveness audit and
integrated management system
４
Development of an effective internal auditor
５
Each company’s approach to effectiveness internal audit
６
Summary
Ｈ４
Approach to develop an internal auditor
Things done to improve competence of auditors
1. Establishment of acceptance criteria for judging
competence of internal auditor
2. Establishment of system to develop integrated
system auditors
3. Establishment of system to develop supplier auditors
4. Improvement of level of internal auditor training
In 2000
In spring of 2003
In Autumn of 2003
From 2005
Internal
Internal auditor
auditor development
development in
in initial
initial stage
stage
1992 to about 1999
Person in charge participated in external auditor training course
Based on the training course, internal auditor training was arranged to
meet company’s situation
Auditor was qualified with experience of 3 to 5 internal audits
Management Representative qualified leader auditor
Number of audits is only
concerned without evaluation
of auditor!?
Judgment
Judgmentof
ofcompetence
competenceof
ofinternal
internalauditor
auditor(from
(from2000)
2000)
Step 1
Selection of personnel
Step 2
Assembly training
Recommendation or
designation by
departments
Curriculum of training
for 7 to 14hrs
NG
Comprehension test
Step 3
Written test
OK
Step 4
Practice work of auditor
Participation in
about 4 audits
Competence check sheet
Check by judge
NG
Step 5
OK
Step 6
Practice work of lead auditor
NG
Step 7
Competence check sheet
OK
Step 8
Qualification work of leader auditor
About 2 times of
practice work for
leader
Check by judge
Things
Things done
done to
to improve
improve competence
competence of
of auditor
auditor 22
Judgment of competence of internal auditor
Quality Management System
Auditor training (7hrs)
Comprehension test
OK
Environmental Management System
Auditor training (7hrs)
Retest
Comprehension test
NG Only once NG
OK
Education on chemical substances ＆ auditor practice work (10 hrs for
QMS, 10 hrs for EMS)
Competence evaluation sheet
NG
OK
Qualification of integrated system auditor
Trigger
Trigger to
to integrated
integrated internal
internal audit
audit
Complete Q/E integrated internal audit started in April
2003 because…
RoHS Directive
came into force!
Under the combined audit, it is difficult to audit
management of chemical substances!
Fundamentals
Fundamentalsof
ofchemicals
chemicalsmanagement
management
Management with QMS
Management of entire supply chain
・
・
Material/
Purchase
Dept.
Process control
Prevention of mixture, leak,
contamination
・Purchase
specifications
Selection
of
・Placematerials
an order
・History of product
⇒parts⇒materials
・History of
delivery
destination
・Production
specifications
Design and
development
Selection of
subcontractors
・Audit
・ID control
Shipment
inspection
・Verification of equipment and
・Procedure to control contamination and
mixture
・Prevention of
mixture
・Development of alternative
substance
・Response to LCA, WEEE, Eup,
RoHS, REACH and others
・Observance of
laws and regulations
・Observance of
customer
requirements
Customer
(Receiving
inspection)
Measurement data
Certificate of disuse
Communication
Suppliers, subcontractors
・
Material suppliers
Deliv
ery of
good
s
Storage
control
Continual activity to reduce chemicals with EMS is complement each other
Satisfy requests
from stakeholders
・Management review
･Review of plan
Action
・Audit to suppliers
･Checking of progress of
chemicals reduction plan
・Drafting of chemicals reduction plan
Plan
Do
Check
･Checking of laws and regulations
・Drafting of chemicals management
training
・Management /disclosure of chemicals
management information
･Implementation of chemicals reduction
plan
Byproduct
Byproduct of
of integrated
integrated internal
internal audit
audit
The system where only auditors
who understood QMS, EMS and
chemicals management can act as
second-party audit for external
organizations (suppliers) has been
established!
Things
Things done
done to
to improve
improve competence
competence of
of auditors
auditors 11
In about Autumn of 2003 In order to perform second-party audit
Internally
Externally
QMS internal auditor
ＱＭＳ内部監査員
1. Understanding of ISO9001 standard
2. Understanding of Quality Manual and
basic procedures
3. Outline of internal quality audit
4. Case-study
5. Comprehension test
6. Practice audit
EMS internal auditor
1. Outline of environmental issues
2. Understanding of ISO14001 standard
3. Understanding of Environmental
Management Manual and basic
procedures
4. Environmental impact assessment
5. Introduction to internal quality audit
6. Case-study
7. Comprehension test
8. Practice audit
Integrated
system internal
audit
1. Interpretation of QMS/EMS
checklist
(Development of management
of environmental burden
substances)
2. Understanding of
ISO19011
Supplier auditor
1. Training of process audit
2. Understanding of secondparty audit
3. Outline of information risk
management system
4. Outline of health and safety
Chemicals auditor
1. Procedure to control
environmental burden
substances
2. Procedure to audit chemicals
management
RoHS
Directive
Things
Things done
done to
to improve
improve competence
competence of
of auditors
auditors 33
In about April of 2004
Auditor evaluation sheet
Q M S auditor
S upplier auditor
Establishment of
internal auditor
evaluation system
completed
E M S auditor
IIM S auditor
T rainee auditor:
Audit items
C om m entator:
Date of practice work: ／　～　／　" What/ Where"
" When"
" How/ it is desirable to ～"
Temporary completion of
issues since 2001
Evaluation points: 3-stage evaluation
Advisor
auditor fills in
competence
evaluation
sheet
Evaluation point
3
K now ledge of standard
2
3
S erious attitude
U nderstanding of audit criteria
1
2
3
C hangeable depending levelof
P recise questions
2
1
auditee
1
0
3
P
l
ai
nness
i
n
w
ords
U nderstanding of checklist
2
1
3
Fairness
A ccurate audit report
Total points
21
Friendliness
Rank A
Competence avaluation
* Rank C: 1～10pt …Not acceptable
* Ranka A: 21～30pt … Excelle* Rank B: 11～20pt …Good
G eneral
Planned time
Knowledge of standard
Understanding of audit crite
Precise questions
Understanding of checklist
Accurate audit report
Friendliness
Fairness
Plainness in words
Changeable depending leve
Serious attitude
com m ent
s
Actual time spent
Is furtuer practice work need
Yes ・ No
Findings
Findings from
from previous
previous internal
internal auditor
auditor evaluation
evaluation
Previous internal auditor evaluation
Comments with only “findings” about
what hasn’t been achieved
This created dissatisfaction of internal auditor
Though I don’t like
auditing, I carry
out audit. Despite
this, I get
complaints…
It is too much trouble
and hard work to
conduct internal
audit while we have
to do our own jobs!
I have not been
trained properly…
Visualization
Visualization of
of competence
competence with
with Cobweb
Cobweb chart
chart
Knowledge of
standard
Understanding of
audit criteria
Precise questions
Understanding of
checklist
Accurate audit
report
Correct judgment
Fairness
Plainness in words
Changeable depending on
level of auditee
Serious attitude
Total points
Overall evaluation
2
1
2
1
2
2
2
2
１
3
18
B
•Rank A: 21 to 30p…Excellent,
General comments：
Rank B: 11 to 20p…Good
,Rank C: 1 to 10p…Not acceptable
Planed time: 2hrs
Actual time spent: 2.1hrs
Comments
Comments by
by advisory
advisory auditor
auditor
Auditor evaluation sheet
IMS auditor
Supplier audit
QMS auditor
EMS auditor
Name of auditor:
Audit items
4.4.6
Operational
control
Commentator:
Audited area:
Leader
How, it is desired to ～
When you
recommended that
meeting with designer
can be expressed as
“progress”
Good communication was
achieved by obtaining
understanding of auditee
dept., which was good.
Give lots of praises as to good points
Make comments carefully. Be careful
not to point out errors/mistakes in a
negative manner
Even if you have
not been taught…
Audit date:
When
What/Where
In the area of
management for
product realization
Member
Raising
someone’s
weakness is easy!
It is better to make further
recommendations as to
undefined matters in the
auditee dept.
Do not use such
expression as “You
failure to ○○,
although you must
○○”
Principle
Principle of
of auditor
auditor training
training
The reason why internal auditor
training can not be remembered by
the trainee…
We have not taught!
Case example of
level-up training for
internal auditor
Case example of internal auditor brush-up
training implemented in 2005 to 2008
Retailing company with 1400
employees, about 60 locations
About 45 internal auditors (all are
managers)
Point
Point of
of past
past training
training 11
Authority for audit program (5.1)
Establishment of audit program (5.2,5.3)
－Objectives and scope
－Responsibility
－Resources
Training
－Procedure
in 2008
Act
Implementation of audit program (5.4,5.5)
Improve－Creation of audit schedule
ment of
－Evaluation of auditor
audit
program －Selection of audit team
－Instruction of audit activity
(5.6)
－Maintenance of records
Training
in 2005
Monitoring and review of audit program (5.6)
－Monitoring and review
－Identification of needs for corrective and
preventive actions
－Identification of opportunity for
improvement
Plan
Competence
and evaluation
of auditor (7.)
Do
Audit activity
(6.)
Training
in 2006
Check
Training
２００７
年研修
in
2007
From “Process flow for management of audit program” of ISO 19011
Preparation
Preparation for
for audit
audit activity
activity in
in 2005
2005
Establishment of effective internal audit program + creation of effective checklist
Record of competence with QR code
Ａ： Leader, Ｂ： skilled worker, Ｃ： person in charge, Ｄ：
novice
Material Purchase
Design Development
Taro Aso
Ichiro Ozawa
Selection of team members by leader auditor
Members who are competent necessary for audit
are selected based on skill map.
PE
Collection
Collection and
and verification
verification of
of information
information in
in 2006
2006
Collection and verification of effective information
Information
from preliminary
investigation
Information
from
interview
Preliminary
check of job
descriptions
Information
from site visit
Investigation of
documents and
records at work
Sampling of several cases and checking of reliability of
documents and records
Corrective
Corrective actions
actions and
and improvement
improvement activity
activity in
in internal
internal
auditor
auditor training
training in
in 2007
2007
Preparation of an audit report + effective corrective and preventive actions
Procedure
Identify insufficient corrective action case sample from
among the previous internal audits
Prepare a report on “If we were you, what corrective
actions would we take?”
Verify the difference between the actual corrective
action and that we proposed
Seek the real cause and effective corrective actions
Case
Caseexample
exampleof
ofinterest
interestin
ininternal
internalauditor
auditortraining
trainingin
in2007
2007
4.5.2
Evaluation of compliance
○○ Center, etc.
Item raised:
General waste from business activities and industrial waste (waste plastic) were
specified in the same manifest slip.
Audit criteria:
ISO14001 standard 4.5.2 “Consistent with its commitment to compliance, the
organization shall establish, implement and maintain a procedure (s) for
periodically evaluating compliance with applicable legal requirements”. Manifest
Control Procedure (E-Nagano-Procedure-6)
Specific fact:
Hearing was conducted from the Head of Center and Manager at internal audit.
Simple manifest slip was not issued.
Evidence verified:
Check of descriptions of the manifest. Check of storage status of waste in the tent
witnessed with the Head of Center and Manager.
An
Aninteresting
interestingcase
caseexample
exampleof
ofdraft
draftcorrective
correctiveactions
actionsininan
aninternal
internalaudit
audittraining
traininginin2007
2007
Consideration of simulated audit team
Cause of nonconformity:
Consideration of
root cause by
trainee
Corrective action plan:
Deadline in
consideration of
weight of corrective
action
Detailed corrective action:
Is it possible to
truly prevent
reoccurrence?
An
Aninteresting
interestingcase
caseexample
examplein
ininternal
internalaudit
auditin
in2007
2007
4.5.2
Evaluation of compliance
This is not a problem
of
○○センター
training!
Cause of nonconformity:
Training and its checking provided for the person in charge for “○○ Company Waste
Management Procedure” and “Manifest Control Procedure” were not sufficient.
Compare the result of discussion in
the training with the actual
Corrective action plan:
corrective action
Opportunity for training is provided so that the descriptions of the procedures are shared
among the related personnel. Segregation of general waste and industrial waste is
clarified in the waste material storage area. Meeting for issue of simple manifest is held
with subcontractors.
Corrective action taken:
(1) Industrial and genera waste materials were clearly segregated in the waste material
storage area with displays which were easily understandable. (on 11 September)
(2) Training was provided for Manager and personnel in charge (on 11 September).
(3) Meeting for simple manifest was held with subcontractors (on 5 October).
(4) Measurement started on 18 October.
It is necessary to establish the handover
manual and review the procedure for
evaluation of compliance with the law
Flow of corrective and preventive actions in an internal audit
Temporary
action
(Prevention
of spill)
Internal
audit
Pointing
out of
nonconformity
Seek of
root
cause
Temporary
action
(Mitigation
action)
Pr
e
Opportunity for
improvement
(Observation)
Preven
tion
ve
nt
io
Corrective
action
(Prevention of
reoccurrence)
l
ra ent
e
t
La lopm
ve
e
d
n
Preventive
action
Review of
action
taken
(whether revision of
documents is
needed or not)
Implemented and recorded in accordance with the documented procedure
Examination
Examinationof
ofconclusion
conclusionof
ofaudit
auditinininternal
internalauditor
auditortraining
traininginin2008
2008
Examination of case example of audits in 2008 ⇒Seek root cause
・Divided into auditor team and auditee team, based on the items
raised in the previous internal audit, best suitable corrective
actions are considered through communication with each other.
(1) Auditor team asks questions about linkage with the rule and
procedure based on the details of item raised, audit criteria,
specific fact and evidence verified. At the time, the content of turtle
diagram is considered.
(2) Auditee team indicates differences with the rule and procedure
or insufficiency against the question made by auditor team.
(Person who actually experienced the case example is part of
auditee team.)
(3) Both teams consider improvement point and corrective action.
(4) Auditee team complies the way of improvement and corrective
action.
(5) Difference with the actual corrective action is checked.
Case
Case study
study in
in aa mock
mock audit
audit
Case study of items raised in the previous audit with change of auditorauditee teams
Auditor in
previous
audit
Auditee
Auditor
Sub
M
Main
TL
Sub
M
Auditee in
previous
audit
Trainee auditors
Aim: improvement of communication between auditee and auditor
Secondary effect: verification of corrective action and verification of its effectiveness
Purpose of brush-up training
・To bring about improvement of main
operations
・To make all employees to work out
issues
・To realize continuous improvement of
internal audit ability
As a result, this will bring about
improvement of management skills
１
Definitions of an effectiveness audit and an effective audit
２
Movement from conformity audit to effectiveness audit
３
Relationship between effectiveness audit and
integrated management system
４
Development of an effective internal auditor
５
Each company’s approach to effectiveness internal audit
６
Summary
Ｈ４
Ingenuity by companies
1. Company A (automobile parts manufacturer)
2. Company B (precision machine
manufacturer)
3. Company C (CO-OP, food product seller)
4. Company D (Printing machine manufacturer)
Management
Management system
system companies
companies social
social event
event
・In June 2002
Held for the first time as companies social event by Hata (myself) and
friend Mr.B
Study and exchanger of opinions were made for establishment of
integrated system
・In April 2004
Joined by precision equipment manufacturer, Company F, and developed to 3companies social event
Improvement of internal audit, dissemination of ISO across domestic and
overseas
locations, etc. were addressed
・In October 2006 Joined by printer manufacture, Company DG
Chemicals management, integrated internal audit, etc. were addressed
・In March 2007
Joined by electronics manufacturer, Company D
REACH, integrate system establishment, CSR, etc. were addressed
・In May 2008
Joined by automobile parts manufacturers, Company A and Company T, and
ceramic manufacturer, Company N
Application to cell production, integrated internal audit, corrective action, etc.
were
addressed
・In November 2008 Joined by actively working auditors from Company S and Company B,
certification bodies
Case
Case example
example of
of internal
internal audit
audit system
system –– Company
Company AA
Improvement
and solution
(Effect)
Definition of effectiveness audit
(Relationship between conformity and effectiveness)
◎
②
Highly
effective
Low
effective
Nonconformity
Effectiveness
audit
① Conformity audit
Conformity
Definition by Company A
(Rule)
Case
Case example
example of
of internal
internal audit
audit system
system –– Company
Company BB
Internal control and risk management (COSO model) can be integrated, too
Top management is now required to ensure governance to harmonize
the whole organization, which is the internal governance (COSO model).
Can be commonly used with QMS model (in red) and integrated
when terminologies changed
Case
Case example
example of
of internal
internal audit
audit system
system –– Company
Company C
C
Pickup-team audit
Background: this particular kind of retailing company of co-op did
neither have experience of second-party audit nor concept of
“internal audit” until ISO was introduced.
For more effective internal audit with more “reasonable tension”,
members from other co-op were invited as internal auditors
8 people in 2003
11 people in 2004
Furthermore, from 2005, total 14 people including 6 people of
Quality Secretariat Divisions from other companies, consultant,
etc. were invited (ongoing activity)
Effect: multilateral internal audit was implemented from various
viewpoints of different kinds of business, ISO expert
Strong effect of training was brought to auditors of own company
Case
Case example
example of
of internal
internal audit
audit system
system –– Company
Company C
C
3 integrated management system audits in a year
Apr.
Integrated MS
Audit for
May.
Jun.
Jul.
Aug.
Sep.
Oct.
Nov.
Dec.
Jan.
Feb.
Mar.
Environmental Management System (ISO14001)
Quality Management System (ISO9001)
Occupational Health and Safety Management System (OHSAS18001)
Privacy Mark
Ｐｌａｎ
Is the plan valid? Is it
consistent?
Audit for
Ｄｏ
Is the plan
implemented
properly?
Audit for
Ｃｈｅck/Ａｃｔ
Is the implemented plan
effective? What should we
do next?
Audit result is presented to management team at monthly
management review
Case
Caseexample
exampleof
ofinternal
internalaudit
auditsystem
system––Company
CompanyDD(IMS)
(IMS)
Designated by
Secretariat Division
Annual schedule
Designation of
internal auditor
Planning
Training &
qualification
of internal
auditor
External audit
Internal audit
Previous case
example
April
17 depts. including IMS MR and
responsible dept. for IMS internal audit
Aug.
Sept.
Review of
internal &
external audits
Focus on communication
Oct.
Nov.
Dec.
Case study
Jan.
Mar.
Change of internal audit method after integration
①
Secretariat Div. designates internal auditors
※ Appropriate personnel was designated by the dept. ⇒ MR designates people who appear to be
suitable
②
Objective of internal audit is defined (work instruction is created in accordance to the objective)
※“Management of change-point along IMS introduction”, “Performance for quality of work”, etc.
③
Internal auditor training, work instruction for implementation
※ Detailed instructions was provided with consciousness of ISO standard ⇒ less conscious of
ISO standard, only framework instructed
④
At internal audit
※ Nothing was mentioned other than ISO standard and manuals ⇒ focus changed to
communication
⑤
Area subject to internal audit
※Quality/Environment Management Sec. ⇒ IMS Management Representative, IMS internal audit
responsible dept. are audited respectively
Case
Caseexample
exampleof
ofinternal
internalaudit
auditsystem
system––Company
CompanyDD(IMS)
(IMS)
Audit Report
Items raised/request for
improvement
Requirements of
the standard
(reference)
ＩＭＳ Manual/procedures
(Item raised) Information System
Dept. now considers installation of
a new server that does not affect
environment, etc., however, it has
not been addressed with operation
identification sheet.
4.3.2.2. in IMS manual
Not consistent with
“Procedure to establish departmental
environmental objectives” defined in the focused
environmental items.
4.3.1 Environmental
aspects
(Opportunity for improvement)
Approved parts suppliers are
evaluated regularly, however,
reconsideration is required to
ensure constant regular evaluation
in consideration of volume,
transaction amount, status of
chemicals management, etc.
4.4.6.2. in IMS manual
Material dept. should
request the items related to environmental aspects
necessary to achieve the company’s environmental
objectives and targets (significant environmental
aspects identified under the responsibility and
authority of each dept.) to their suppliers and
subcontractors and manage them regularly as
purchasing data.
4.4.6 Operational
control Communicate
applicable procedures
and requirements to
suppliers. 7.4.1
Purchasing process
Criteria for selection,
evaluation and reevaluation are
established.
Prescription of the
manual is the criteria
for judgment in
auditing
Identify environmental
aspects the
organization can
influence.
The standard is
only a
reference
１
Definitions of an effectiveness audit and an effective audit
２
Movement from conformity audit to effectiveness audit
３
Relationship between effectiveness audit and
integrated management system
４
Development of an effective internal auditor
５
Each company’s approach to effectiveness internal audit
６
Summary
Ｈ４
Concept
Concept of
of CSR
CSR and
and positioning
positioning
Corporate Ｓocial Ｒ
esponsibilities for
Responsibility
Sustainability
implementation and
Compliance
accountability are taken as
Corporate governance
corporate social
responsibility
Risk Management
In-advance measures
for frequency of risk x
significance of risk
Self-check
Accountability
AA1000
SA8000
Crisis Management
Management, recovery,
substitution responding to
crisis from the point where
it becomes obvious
Request
Requestfor
forsustainability
sustainabilityis
isalso
alsoincorporated
incorporatedin
inrisk
riskmanagement
management
Measure for natural disaster, accident,
political/economic/social risks are required
International conflict
Massive earthquake
Flu pandemic
Information
system breakdown
Financial crisis
Ｐ
Ｄ
Responsibility for implementation and accountability for stakeholders
Neighborin
(CSR)
Employees
Investors
Subcontractors
Consumers g residents
Ａ
Quality
ISO9001
Health and safety
OHSMS
18001
Information risk
ISO27001
Environmental
ISO14001
Ａ Ｐ
Ｃ Ｄ
Ｃ
RM (Risk Management)
Each management system should be fully
utilized
Concept
Concept of
of management
management system
system audit
audit
Audit
techniques to
fill in gaps
among factors
J-SOX
Financing
BCM
Financial
control
ISO
Business
management
CS
Engineering
development
Company’s business activities
Company’s management system
Response
to market
Important!
・Form of audit differs depending on the
companies.
・To enhance effectiveness, the following
systems are essential for any companies.
(1) Effective internal audit system
(2) Effective internal auditor development
system
Furthermore,
Future internal audit is likely to evolve to the
one to monitor company’s whole business
activities.
Thank you for your kind attention