Welcome to the Whittington & Associates
e-Newsletter!
Our newsletters provide guidance on ISO 9001,
AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO
14001, ISO 27001, ISO 20000, ISO 22000, and
related ISO standards, as well as Six Sigma.
If you have any questions about the articles
appearing in this issue, or you want to suggest
topics for future issues, please let us
know.
Safer at Work or Home?
The idea of on-the-job safety has been
incorporated into business policies and
culture for decades, and injuries at work
have been reduced substantially. However,
companies are now recognizing a more
serious threat: off-the-job injuries.
According to the National Safety Council, for
every person killed at work, 11 are killed
away from work. And, for every person
suffering a disabling injury on the job, two
people are similarly injured off the job.
Off-the-job injuries cause people to miss
more than 3 times as many days from work as
those suffered on-the-job. The cost of these
off-the-job injuries exceeds those at work by
$80 billion each year.
As a result of these statistics,
organizations are now talking "Safety 24/7".
They recognize that safety awareness
shouldn't be turned off when an employee
leaves for home.
To read more about off-the-job safety
programs, see "Staying Clocked In", an
article written by Kyle Morrison, an
associate editor with Safety + Health. For
more information on the National Safety
Council, which publishes Safety + Health, go
to their web site: http://www.nsc.org.
To get a free subscription to Safety +
Health, go to the magazine's own web site.
Note: if you order the magazine from the NSC
web site, you will pay for the subscription.
Document Control Software Features
Are people in your organization spending too
much time filing and retrieving documents and
forms? Are document control issues causing
process problems and audit findings? Maybe it
is time to implement a document management
system.
The most important consideration when
evaluating document management software is
how easy it is to create, approve, release,
secure, access, revise, and archive
documents.
Basic and advanced features of a document
management system are listed below:
Document Creation
Support different document types
Store in original document formats
Provide customizable layout options
Offer manual or automated numbering
Provide use of prefix and suffix
Import existing documents and forms
Offer scanning of hard copy records
Allow linking of related documents
Approval Routing
Include automated routing and approval
Provide unique approvals per document
Monitor document approval status
Route documents serially or in parallel
Support routing for team collaboration
Send reminder notes for document reviews
Issue management escalation notices
Document Release
Distribute document files electronically
Record and display electronic signatures
Convert documents to PDF format
Track hardcopy document distribution
Document Retrieval
Define user access per document
Provide search and view queries
Filter and sort to locate and print
Link related documents together
Offer full text database searches
Allow controlled remote access
Revision Control
Provide automated periodic reviews
Keep records of completed reviews
Include a change request process
Offer customized approval process
Produce master list reports
Archive old document revisions
Restore an archived document
Link to process training requirements
Send notices of review requests
Maintain document history
Track revision times and trends
Document Security
Provide password protection
Include multi-layered user access
Allow use of electronic signatures
Permit document encryption
Prevent unauthorized viewing
Keep audit trails of user access
Offer proof files are unaltered
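The revision-control and document-security features listed above are easier to evaluate with a concrete reference in mind. The following is an added example written for this article, not code from any document management product: a minimal Python store that archives superseded revisions and can restore them, serves only the current revision and only to users on the document's reader list, keeps an HMAC-chained audit trail of user access, and checks a stored SHA-256 digest to prove a file is unaltered. The document id, user names and the audit key are constructed placeholders.

```python
"""Minimal document-control store: revision history with archive and
restore, per-document read access, a tamper-evident audit trail, and an
integrity check on stored files. Constructed example; not product code."""
import hashlib
import hmac
import json
from dataclasses import dataclass

AUDIT_KEY = b"constructed-demo-audit-key"   # demo only; keep a real key in a KMS/HSM


@dataclass
class Revision:
    number: int
    content: bytes
    approved_by: str
    sha256: str            # stored digest: proof the file is unaltered
    archived: bool = False


class DocumentStore:
    def __init__(self):
        self.docs = {}      # doc_id -> list[Revision], oldest first
        self.readers = {}   # doc_id -> set of users allowed to view it
        self.audit = []     # chained, HMAC-tagged audit trail of user access
        self._prev_tag = ""

    @staticmethod
    def _tag(entry):
        body = {k: v for k, v in entry.items() if k != "tag"}
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(AUDIT_KEY, msg, "sha256").hexdigest()

    def _log(self, user, action, doc_id, detail=""):
        # each tag covers the previous tag, so an edited or deleted entry breaks the chain
        entry = {"seq": len(self.audit), "user": user, "action": action,
                 "doc": doc_id, "detail": detail, "prev": self._prev_tag}
        entry["tag"] = self._tag(entry)
        self.audit.append(entry)
        self._prev_tag = entry["tag"]

    def verify_audit_trail(self):
        prev = ""
        for e in self.audit:
            if e["prev"] != prev or not hmac.compare_digest(self._tag(e), e["tag"]):
                return False
            prev = e["tag"]
        return True

    def release(self, user, doc_id, content, approved_by, readers=None):
        # a new revision archives the old ones (kept for restore, never deleted)
        revs = self.docs.setdefault(doc_id, [])
        if readers is not None:
            self.readers[doc_id] = set(readers)
        for r in revs:
            r.archived = True
        rev = Revision(len(revs) + 1, content, approved_by,
                       hashlib.sha256(content).hexdigest())
        revs.append(rev)
        self._log(user, "release", doc_id, f"rev {rev.number} approved by {approved_by}")
        return rev.number

    def current(self, doc_id):
        live = [r for r in self.docs.get(doc_id, []) if not r.archived]
        return live[-1] if live else None

    def read(self, user, doc_id):
        # only the current revision is served, and only to listed readers
        if user not in self.readers.get(doc_id, set()):
            self._log(user, "read-denied", doc_id)
            raise PermissionError(f"{user} may not view {doc_id}")
        rev = self.current(doc_id)
        self._log(user, "read", doc_id, f"rev {rev.number}")
        return rev.content

    def verify(self, doc_id):
        # recompute the digest of the current revision against the stored one
        rev = self.current(doc_id)
        return hashlib.sha256(rev.content).hexdigest() == rev.sha256

    def restore(self, user, doc_id, number):
        # make an archived revision current again (e.g. to back out a bad release)
        for r in self.docs[doc_id]:
            r.archived = r.number != number
        self._log(user, "restore", doc_id, f"rev {number} made current")

    def history(self, doc_id):
        return [(r.number, r.approved_by, r.archived) for r in self.docs[doc_id]]


def demo():
    store = DocumentStore()
    store.release("alice", "QP-007", b"Rev A text", "qa-manager", readers={"alice", "bob"})
    store.release("alice", "QP-007", b"Rev B text", "qa-manager")
    store.read("bob", "QP-007")
    ok_before = store.verify("QP-007")
    store.current("QP-007").content = b"edited outside the system"   # simulated tampering
    ok_after = store.verify("QP-007")
    store.audit[0]["detail"] = "rewritten"                            # simulated log tampering
    return ok_before, ok_after, store.verify_audit_trail()
```

Running demo() releases two revisions, simulates a file edited outside the system and a rewritten audit entry, and returns (True, False, False): the integrity check passes before tampering and fails after it, and the audit-trail verification fails once an entry is altered. When comparing products, ask how each of these checks is actually performed and whether the audit trail is protected from the administrators whose actions it records.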
Software Selection
Look at software buyer guides
Try a trial CD or online demo
Focus on software ease-of-use
Count the clicks and screens
Evaluate multi-user license
Identify available support
Consider product upgrades
Determine price and fees
Consider modular feature design
Examine scalability for growth
Look at user references
Evaluate industry sector solutions
See if there is built-in ISO, TS, AS, TL support
Evaluate training and installation help
Decide if client-server or application service provider (ASP)
Consider monthly usage fee, if ASP
Determine fee to export your data if you quit the ASP
Check integration with other applications
Consider SOX compliance (Finance)
Consider HIPAA privacy (Health)
Consider 21 CFR requirements (Medical)
Installation Steps
Install software product
Learn software operation
Customize for your system
Establish naming convention
Define access and security
Create new documents
Run some simple tests
Pilot a single application
Train users on its operation
Scan hardcopy files (as needed)
Import electronic documents
Respond to usage issues
Benefits
Quicker to create documents
Faster to approve documents
Awareness of document changes
Secure documents and records
Quicker access to documents
Only most recent version available
Access while employees travel
Access by suppliers and customers
Fewer obsolete documents
Opportunity for more collaboration
Automation of tedious tasks
Less costly document control
Reduced business process times
Frees up time for core business
Reduced number of audit findings
You may want to know which software product I
recommend. I don't. Although I've seen a lot
of software solutions, the best choice will
depend on your document management needs,
your industry requirements, whether you or an
ASP will host the system, the need to
integrate with other applications, and what
you are willing to pay.
Code of Conduct for Internal Auditors
Ethics are the principles of conduct
governing an individual or a group. Ethical
behavior is the foundation of
professionalism.
Auditors certified by the RABQSA are required
to sign a Code of Conduct. Most internal
auditors are not certified auditors, yet it
would be appropriate for them to also sign a
code of conduct.
Years ago, I created a Code of Conduct for
internal auditors based on the IIA Code of
Ethics, the RABQSA Code of Conduct, and the
IRCA Code of Conduct. I recently reviewed the
current codes from these organizations, along
with the ISO 19011 audit principles and the
Auditor Ethics paper from the ISO 9001
Auditing Practices Group, to update my
Internal Auditor Code of Conduct.
Audit program managers could ask their
internal auditors to sign this code of
conduct each year to emphasize the importance
of adhering to the principles and ethics of
the organization.
Purpose
To communicate the integrity, objectivity,
confidentiality, and competence expected of
internal auditors, and to provide a means for
them to pledge their commitment to these
principles.
Integrity
The integrity of internal auditors
establishes trust and provides the basis for
relying on their judgment. As an internal
auditor, I pledge to:
1. Perform my audit assignments with honesty,
accuracy, fairness, and discretion.
2. Not engage in activities that might
discredit the audit program or our
organization.
3. Report audit results truthfully and
disclose any unresolved diverging opinions.
4. Act in a professional and courteous
manner, even under adverse audit
conditions.
Objectivity
Internal auditors must be objective in
gathering, evaluating, and communicating
information about the activities being
examined. They must make a balanced and
impartial assessment of all the relevant
facts and not be unduly influenced by their
interests, or those of others, in making
judgments. As an internal auditor, I pledge
to:
5. Disclose any activity or relationship that
may affect my unbiased assessment.
6. Not accept anything that may impair, or
appear to impair, my judgment.
7. Include all the material facts to avoid
any distortion of my audit report.
Confidentiality
Internal auditors must respect the value and
ownership of the information they receive and
not disclose it without the appropriate
authority, unless obligated for legal or
professional reasons. As an internal auditor,
I pledge to:
8. Be prudent in the use and protection of
the information acquired during my audit
duties.
9. Not use the information for personal gain
or in any way detrimental to the
organization.
Competence
Internal auditors must apply their knowledge,
skills, and experience in the performance of
their assessment duties. As an internal
auditor, I pledge to:
10. Accept assignments only if I possess the
necessary knowledge, skills, and experience.
11. Perform audits in accordance with the
procedures and practices of the
organization.
12. Continually improve my proficiency and
the quality and value of my audit services.
13. Assist other auditors under my
supervision to develop their audit management
skills.
14. Use my auditing knowledge to help improve
the quality of our products and services.
15. Prepare well for my audit assignments and
report findings using verifiable
evidence.
I agree to act in accordance with this code
of conduct to uphold the integrity of our
audit program and the ethical standards of
our organization.
Signed by: __________________________
Printed Name: _______________________
Date: ______________________________
If you have any comments or suggestions for
the proposed Internal Auditor Code of
Conduct, please send them to
Larry@WhittingtonAssociates.com.
Lean Software Development
Software development can greatly improve its
business performance by discovering and
embracing its kinship to classic
(non-software) industries. Perhaps the most
important thing software has to gain is
guidance on how to implement Lean
production.
Lean production has, on average, doubled
productivity and tripled quality for the
classic industries. According to James M.
Sutton with Lockheed Martin Aeronautics,
early applications of Lean to software have
exceeded those results.
Software development is an ideal subject for
Lean because its product is pure information
that lacks the physical limitations of
durable goods, as well as most of the soft
issues of service activities. In software
development, Lean can remain focused on the
primary issues of value and waste. This
allows the Lean tools to work with unusual
effectiveness.
One of the biggest challenges for software
development approaches has been to keep up
with the growth in size and rigor of customer
systems. Lean scales up easily for large
systems. It works well in plan-ahead life
cycles such as the Department of Defense
acquisition system. Lean also provides the
evidence and assurance needed for
safety-critical and high-security
applications. These capabilities make it
well-suited for the defense and aerospace
domains, and for most other domains as
well.
Mr. Sutton says it is time for software to
take its place as a classic industry and
leverage the strengths of Lean production.
Lean enables faster code production, smoother
integration with other products, fewer
surprises to budget and schedule, better
quality, and happier customers. Lean converts
software from management's biggest worry into
one of its best means for assuring business
success. Embracing Lean ushers software into
the fold of classic industry as a welcome and
synergistic partner.
The ISO 20000 standard for IT Service
Management includes requirements for incident
and problem management.
Incident and problem management are separate
resolution processes, but they are closely
linked. Incident management deals with
restoring services to users. Problem
management is concerned with identifying and
removing the causes of incidents.
Incident Management
An incident is defined as any event which is
not part of the standard operation of a
service and which causes or may cause an
interruption to, or a reduction in, the
quality of that service.
The ISO 20000-1 Specification standard
requires the following steps be taken for
incident management:
Record all incidents
Adopt procedures to manage the impact of incidents
Define in procedures the recording, prioritization, business impact, classification, updating, escalation, resolution, and formal closure of all incidents
Keep the customer informed of the progress of their reported incident or service request, and alert them in advance if their service levels cannot be met and an action agreed
Give all staff involved in incident management access to relevant information such as known errors, problem resolutions, and the configuration management database
Classify and manage major incidents according to a process
The ISO 20000-2 Code of Practice reminds us
that incidents may be reported by telephone
calls, voice mails, visits, faxes, letters,
or emails. They can also be recorded directly
by users who have access to your incident
recording system, or by automatic monitoring
software.
The incident management process should
include priority assignment and first line
resolution or referral. In addition, the
process should address security issues,
incident tracking, incident verification and
closure, and escalation paths.
The incident management staff should have
access to an up-to-date database containing
information on technical specialists,
previous incidents, known errors,
workarounds, and checklists that will help
them restore service to the business.
Final closure of an incident should only take
place when the initiating user has been given
the opportunity to confirm the incident has
been resolved and service restored.
Problem Management
A problem is defined as an unknown underlying
cause of one or more incidents.
The objective of problem management is to
minimize disruption to the business by
proactive identification and analysis of the
cause of incidents and by managing problems
to closure.
The ISO 20000-1 Specification standard
requires the following steps be taken for
problem management:
Record all identified problems
Adopt procedures to identify, minimize, or avoid the impact of incidents and problems
Define in procedures the recording, classification, updating, escalation, resolution, and closure of all problems
Take preventive actions to reduce potential problems, e.g., following trend analysis of incident volumes and types
Pass to the change management process any changes required to correct the underlying cause of problems
Monitor, review, and report on the effectiveness of problem resolution
Ensure problem management is responsible for making up-to-date information on known errors and corrected problems available to incident management
Record actions for improvement identified during this process and input them into a plan for improving the service
The ISO 20000-2 Code of Practice says that
incidents should be classified to help
determine the causes of problems. When the
root cause has been identified, along with a
method of resolving the incident, the problem
should be classified as a known error.
Known errors should be recorded in the
knowledge database together with any
workarounds. Information on workarounds,
permanent fixes, and problem status should be
communicated to those affected and those that
support the affected services.
The problem management process should cover
identifying any incidents that breach service
level targets, as well as defining
escalation points and recording resources
used and any actions taken.
Problem reviews should be held to investigate
unresolved, unusual, or high impact problems.
These reviews look for process improvements
to prevent recurrence of the incidents, and
to examine incident levels against service
targets.
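To make the incident and problem management requirements above concrete, here is an added example that is not part of the standard or of this newsletter: a small Python model of the two resolution processes. Incidents are recorded with a priority, resolved, and formally closed only when the initiating user confirms; problems group incidents with an unknown cause, become known errors once a root cause and workaround are recorded, share that workaround with incident management, and hand the permanent fix to change management; incident volumes per service and symptom are counted as input for preventive action. The priority matrix, service names and symptoms are constructed for the example.

```python
"""Incident and problem management records in the shape ISO 20000
describes: incidents are recorded, prioritised, resolved and formally
closed only after the user confirms; problems link incidents to an
unknown cause, become known errors once cause and workaround are found,
and pass permanent fixes to change management. Constructed example; not
from the standard or any ITSM product."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed priority matrix: (impact, urgency) -> priority, 1 = highest.
PRIORITY = {("high", "high"): 1, ("high", "low"): 2, ("low", "high"): 2, ("low", "low"): 3}


@dataclass
class Incident:
    id: int
    service: str
    symptom: str
    priority: int
    status: str = "recorded"             # recorded -> resolved -> closed
    problem_id: Optional[int] = None
    workaround: Optional[str] = None


@dataclass
class Problem:
    id: int
    service: str
    symptom: str
    incident_ids: list
    root_cause: Optional[str] = None     # unknown until analysed
    workaround: Optional[str] = None
    status: str = "open"                 # open -> known-error


class ResolutionProcesses:
    def __init__(self):
        self.incidents, self.problems, self.changes = {}, {}, []

    # ---- incident management: restore service to the user ----
    def record_incident(self, service, symptom, impact, urgency):
        inc = Incident(len(self.incidents) + 1, service, symptom, PRIORITY[(impact, urgency)])
        # incident staff consult the known-error database and reuse its workaround
        for p in self.problems.values():
            if p.status == "known-error" and (p.service, p.symptom) == (service, symptom):
                inc.problem_id, inc.workaround = p.id, p.workaround
                p.incident_ids.append(inc.id)
        self.incidents[inc.id] = inc
        return inc

    def resolve(self, inc_id, note):
        self.incidents[inc_id].status = "resolved"

    def close(self, inc_id, user_confirmed):
        # formal closure only after resolution and the initiating user's confirmation
        inc = self.incidents[inc_id]
        if inc.status != "resolved" or not user_confirmed:
            return False
        inc.status = "closed"
        return True

    # ---- problem management: identify and remove the cause ----
    def open_problem(self, inc_ids):
        first = self.incidents[inc_ids[0]]
        prob = Problem(len(self.problems) + 1, first.service, first.symptom, list(inc_ids))
        for i in inc_ids:
            self.incidents[i].problem_id = prob.id
        self.problems[prob.id] = prob
        return prob

    def classify_known_error(self, prob_id, root_cause, workaround):
        prob = self.problems[prob_id]
        prob.root_cause, prob.workaround, prob.status = root_cause, workaround, "known-error"
        for i in prob.incident_ids:   # communicate the workaround to those affected
            self.incidents[i].workaround = workaround
        return prob

    def raise_change(self, prob_id, permanent_fix):
        # the permanent fix is handed to change management, not applied directly
        change = {"problem_id": prob_id, "description": permanent_fix, "status": "requested"}
        self.changes.append(change)
        return change

    def incident_trend(self):
        # incident volume per (service, symptom): input for preventive action
        return Counter((i.service, i.symptom) for i in self.incidents.values())


def demo():
    rp = ResolutionProcesses()
    a = rp.record_incident("email", "mailbox timeout", "high", "high")
    b = rp.record_incident("email", "mailbox timeout", "high", "low")
    rp.resolve(a.id, "restarted mail store")
    refused = rp.close(a.id, user_confirmed=False)
    closed = rp.close(a.id, user_confirmed=True)
    prob = rp.open_problem([a.id, b.id])
    rp.classify_known_error(prob.id, "index corruption in mail store", "restart mail store")
    c = rp.record_incident("email", "mailbox timeout", "low", "low")
    rp.raise_change(prob.id, "rebuild index and patch mail store")
    return refused, closed, c.workaround, rp.incident_trend()[("email", "mailbox timeout")]
```

demo() returns (False, True, 'restart mail store', 3): closure is refused until the user confirms, a third incident with the same symptom is automatically given the known error's workaround because incident management can see the known-error database, and the trend count shows three incidents for that service and symptom, which is the kind of figure the preventive-action requirement asks you to analyse.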
We offer ISO 20000 courses that explain the
following topics:
Service Delivery
capacity management
service continuity
availability management
service level management
service reporting
information security management
budgeting and accounting for IT services
Control Processes
configuration management
change management
Release Processes
release management
Resolution Processes
incident management
problem management
Relationship Processes
business relationship management
supplier management
Whittington & Associates provides training, consulting, and auditing services for
management systems based on
ISO 9001, ISO/TS 16949, ISO/TS 29001, TL 9000, AS9100, AS9110, AS9120, ISO 13485,
ISO 27001, ISO 20000, and ISO 14001.