Counterintuitive Internal Audit Improvements

Want to improve your internal audit program? Read these audit improvement ideas from Kristin Case that may be counter to what you would think … yet greatly benefit your organization.

1. Limit the number of corrective actions from an internal audit. This is especially important when the quality management system is young or in its early stages of development. I’m not suggesting that you blindfold your auditors as they set out to audit. But, an internal audit program besieged with corrective actions can choke the progress toward a more mature system. Overwhelming a system causes resource shortages and no organization can fix everything at once.

If you limit the number of corrective actions, you must limit the number of nonconformities found during the audit. Here’s the catch: the audit scope must be revised once the maximum number of nonconformities has been reached. As an oversimplified example: Suppose the original audit scope was “NDT: fluorescent penetrant process” (see flowchart below) and the maximum number of findings was one (1). Now suppose the auditor noticed that the NDT inspector was rinsing the part incorrectly: with the water nozzle 6 inches from and perpendicular to the part. The specification calls for a minimum distance between the nozzle and part of 12 inches and a 45° angle to the part. At this point the audit would end, the finding would be documented, and the scope of the audit report reduced to: “NDT: fluorescent penetrant process from cleaning to rinsing”.

Revised audit scope: cleaning through rinsing.

Figure 1. NDT: fluorescent penetrant process (original audit scope).

The person who schedules internal audits can then reschedule an audit for the remaining scope “NDT: fluorescent penetrant from drying through recording results”.

2. Require volunteerism. Mandatory volunteerism may seem contradictory, but in internal auditing, it is essential. Preparing an employee to be an internal auditor requires a significant investment of resources. Typical training for ISO 9001:2000 internal auditing involves 16 to 24 hours. Add to that some practice time; a mentor (experienced) auditor; preparation, performance, and documentation time; and the “real” work that is falling behind and suddenly it is easy to see the magnitude of the organization’s investment.

Training internal auditors to assess the quality management system is a significant investment. When making a serious investment, you expect a serious return. But, auditing isn’t for everyone. Auditing takes a specific skill set and resilient personality. After investing in training is a lousy time to find out the employee does not want to volunteer as an auditor. Before investing in training is a good time to discuss required auditor attributes (open-minded, diplomatic, decisive, and self-reliant [1]) and expectations. If you are going to make this type of investment in an employee, demand a certain return on your investment in terms of internal audits performed. Make a fair trade.

3. Do not have fixed due dates for corrective actions. Many companies allow 30 days for performing corrective actions. Some allow 14 days; others 90 days. Having a fixed period for performing corrective actions assumes that all corrective actions (and therefore all nonconformities) are the same size.

I’ve seen corrective action performed (yes, with a complete root cause analysis) the same day. [The nonconformity involved expired shelf-life items and the team’s solution effectively prevented the recurrence.] On the other end of the spectrum, I’ve seen a corrective action that took 18 months to complete. [That nonconformity was obsolete documents and the corrective action involved major capital investment to triple the size of the library, update the technology (more than once), subscribe to revision control services, and double the library staff to control every copy of approximately 500,000 pieces of technical data.]

Allow a timeline that is adequate to effectively perform root cause analysis and implement corrective action. Not all problems are equal; not all timelines should be. Have the auditor and assignee agree to a due date. The benefit is twofold: (a) the timeline is customized to fit the nonconformity and (b) the assignee is more likely to complete the corrective action on time if he was involved in setting the due date.

4. Do not issue corrective actions. Lots of organizations call them corrective action “requests”, but are they ever requested? Corrective actions are issued, signed, assigned, published, ascribed, handed out, released, logged, initiated, and delivered, but rarely requested. Too many organizations accidentally use corrective actions as a “big stick o’ punishment”. They are frequently issued to a supervisor in the area where the nonconformity occurred. Let’s assume most people do not come to work daily and attempt to cause nonconformities. Why would we then expect the department involved in creating the nonconformity to be responsible for preventing its recurrence? Chances are, this work area is lacking in some resource (training, equipment, calibrated instruments) or the nonconformity would not have occurred in the first place.

The “assignee” of a corrective action should be the person who can answer in the positive:

(1) Do you agree that this situation is a nonconformity?

(2) Do you have the organizational authority (power) to fix it?

If you “issue” a corrective action request to someone who doesn’t believe that it is a nonconformity, or doesn’t have the power to fix it, you cannot expect results.

5. Do not address corrective actions in an “Internal Audit” procedure. Many companies document far more than is required by ISO 9001:2000 in their “Internal Audit” procedure. The standard [2] actually requires a documented procedure to address “the responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records.” Most companies add a little more content to their audit procedure(s), but some wander outside the scope of audits and into the scope of corrective action. The standard [3] also requires a procedure to address corrective action. If corrective action is discussed in two procedures, the best case is redundancy; the more likely case (over time) is contradiction.

The internal audit procedure should contain a statement similar to the following: “In the event that nonconformities are found, refer to Procedure 14, Corrective Action.” That allows corrective actions from a multitude of sources, including internal audits, to be addressed in the same procedure.

Conclusion. Continual improvement of an organization’s processes, such as auditing, is a requirement [ISO 9001:2000, paragraph 4.1(f)]. A solid internal audit program is one of the most effective ways to continually improve a quality management system [paragraphs 8.1(c) and 8.5.1] and help an organization meet its quality objectives [paragraph 5.4.1]. If you found a useful improvement idea in this article, don’t forget to make sure your organization takes credit for preventive action [paragraph 8.5.3]!

[1] See ISO 19011, “Guidelines for quality and/or environmental management systems auditing” for a complete list of recommended auditor attributes.
[2] See ISO 9001:2000, “Quality management systems – Requirements”, paragraph 8.2.2.
[3] See ISO 9001:2000, “Quality management systems – Requirements”, paragraph 8.5.2.

Note: This article was written by Kristin L. Case, P.E.

Kristin has managed various quality management systems for ten years and teaches ISO 9001 courses at Tulsa Technology Center. She is a lead and aerospace auditor, registered with RABQSA. She is on the Board of Directors of ASQ and holds the CQE, CQA, CQManager, and Six Sigma Black Belt certifications. She holds degrees in industrial engineering, mathematics, and an MBA in finance.

