MANAGEMENT SYSTEM AUDITING
What is an audit?
An audit is a systematic and independent examination to determine whether activities, and related results comply with planned arrangements. It also determines whether these arrangements are implemented effectively, and are suitable to achieve objectives.
Who performs audits?
Audits may be classified as follows:
(Extrinsic audits, can also be performed on supplier’s management systems, by customers. Large organisations sometimes introduce their own form of certification of their suppliers’ systems.)
Audits provide an independent and objective assessment of compliance with defined system requirements.
At the same time, effective subcontractor audit can remove the need for many internal costs, such as inward inspection (control) of the product or service, supplied by them.
What are the audit objectives?
The aim of a management system audit is to discover and evaluate the need for improvement or corrective action. An audit should not be confused with ‘surveillance’ or ‘inspection’ activities performed for the sole purpose of process control, or product or service acceptance.
Audits should be designed to:
Audits are generally initiated for these reasons:
Management system audits should not transfer the responsibility to achieve quality (safety, environmental control, security), from operating staff to the auditor.
What are the requirements for auditors?
Requirements for auditors include an appropriate level of training (Standards Australia offer Internal Auditor training, and Lead Auditor training on a regular basis). Auditors should also be independent, (auditors must not audit their subordinate staff, or their own supervisor).
Auditors should not audit operating procedures, which have been written (developed) by themselves.
What documents are audited?
Auditors audit against the following management system documentation:
Audits are normally routine and conducted in accordance with a prearranged schedule. They may however, be prompted by a significant change in the organisation’s own management system or product or service problems.
An internal audit may be initiated to follow-up corrective action to ensure that preventive action has been implemented, to maintain the management system.
When developing an audit schedule, each audit may be scheduled against:
How is an audit arranged?
It is essential and courteous to contact the auditee or the relevant department and make arrangements well ahead of time.
This may be adequately achieved by phone, letter, memo or fax. As the time approaches, contact the auditee again by phone, or directly, and clearly establish a commencing time and date of the audit.
Advise the auditee that they will be receiving an audit plan prior to the audit.
It is essential that the auditee understands, that there will be three main components of the audit. They will consist of an opening meeting, the audit itself, and a closing meeting with the auditee.
Prior to the audit the auditor should visit the auditee to collect relevant information, including:
When the cost of travel to the auditee’s department or site is prohibitive, this information should be collected by phone or fax.
The opportunity must exist for collecting this pertinent information prior to the audit. During the audit, time is often the auditor’s greatest enemy. Having all the relevant facts available for the audit plan will permit the auditor to use the available time to best possible advantage.
How is an audit planned?
Planning is essential to satisfactory audit performance.
The audit plan should be designed to be flexible, to meet changes in emphasis based on information developed during the audit, and to permit effective use of limited resources.
The audit plan should include:
The plan should identify reference documents that may be applicable, such as the management policy manual(s), and those management system procedures that will be operable in the area subjected to audit.
Also the history of (previous) internal audits and possible future audits by second and third parties should be provided, especially where nonconformances have been previously noted.
The internal auditor has special responsibilities in the early stage, especially in the planning, to ensure that the following have been achieved:
What is an ‘adequacy audit – desk top review’?
As a basis for planning the audit, the auditor should review for adequacy the auditee’s recorded description for meeting the management system requirements such as:
Management system procedures should reflect the policy statements in the management policy manual. Policy statements should be consistent with the organisation’s mission and vision statement.
How is the audit checklist developed?
The role of the checklist is as follows:
The checklist should be structured in accordance with criteria applicable to the audit, including Management System Standard(s), management policy manual, procedures, and in the case of second party audits, contract requirements.
Checklist questions should be designed to produce objective evidence that the management system is working. Closed questions do not produce objective evidence!
DEVELOPING CHECKLIST QUESTIONS
Trigger words which appear in management system documentation, prompt the development of checklist questions, to provide objective evidence of compliance with agreed policies and procedures. Checklist questions may be ‘closed’ or open.
Are there records kept of all changes?…….. Yes!
Are you records indexed?……..Yes!
How do you identify the records?
How long do you keep the records?
What records are kept?
How do you index your records?
OPEN QUESTIONS ARE USED TO OBTAIN OBJECTIVE EVIDENCE.
How is an audit conducted?
It is essential that any audit creates the right impression. Failure create the right impression on the auditee will imperil the audit. Therefore conduct the opening meeting in a business-like manner and ensure that at least the following points are dealt with:
This is the opportunity for auditors to meet for 5-10 minutes to discuss the audit plan.
Information may have surfaced during the opening meeting that requires a redeployment of auditors or a change in audit plan.
It is also worthwhile at this point to discuss any last minute concerns, and to provide encouragement to novice auditors.
The audit activity is a very sensitive task and should be undertaken with minimum disruption to the people involved.
Assurance should be given that this is not a police-type investigation or some form of inquisition. It is a test of the effectiveness of the system, not of the people involved, and at no time during the audit should it become personal.
The audit should concentrate on the management system and associated procedures: have they been effectively implemented? Are they working? What deficiencies exist at the moment?
Essentially we are trying to determine what shortcomings the people are experiencing, and present the opportunity of taking action to overcome these problems. The audit will serve as an excellent opportunity for overcoming difficulties, obstructions and frustrations that many times cause people to fail in the accomplishment of their tasks; it is intended to improve the management system.
This stage of the audit consists of:
Evidence should be collected through:
Clues suggesting nonconformities should be noted if they seem significant, even though not covered by checklists and should be investigated.
Information gained through interviews should be tested ,by acquiring the same information from other independent sources, such as physical observation, measurements and records.
All audit observations should be documented in a clear, concise manner and should be supported by evidence.
Nonconformances should be identified in terms of the specific requirements of the standard(s) or other related documents, against which the audit has been conducted.
Occasions may arise when the auditor may need to abort the audit and reschedule for another time. For example:
When the audit examination has been completed the auditors meet to write up NCR/CARs for each nonconformance.
This is an important opportunity to discuss or clarify problems or concerns, and test findings.
The NCR/CAR should include:
The main purpose of this meeting is to present audit observations to the auditees in such a manner to ensure they clearly understand the results of the audit. It is important to bring to the auditee’s attention any problems in the form of nonconformances and observations, first hand from the auditor.
The following activities should occur at the closing meeting:
Handle auditee justification of a nonconformance with patience and understanding.
Auditee refusal to take corrective action on a nonconformance should be noted on the relevant NCR/CARs and the audit report, and the matter referred to the Management Representative.
The purpose of the audit report is to summarise and record details of the audit and closing meeting.
It is normally prepared by the lead auditor immediately after the audit has been completed.
Prior to distribution, the audit report should be reviewed by the entire audit team to ensure that the information is fair and representative of the audit findings.
It is strongly recommended that a formal audit report format be established, to ensure consistency of approach, with the following components:
The report should be brief, accurate, factual. It should not interpret or add post audit information.
The audit report should be issued as soon as possible after the audit.
Corrective action and follow-up should be completed within an agreed time period.
In follow-up activities the auditee is responsible for determining and implementing corrective action.
The auditor is only responsible for:
If the follow-up audit indicates that corrective action is successful, the NCR/CAR is ‘closed out’. This ‘closeout’ status should be noted on the nonconformance report.
In the case where corrective action has not been successful a new NCR/CAR should be raised, with further follow-up.
Acotrel Risk Management Pty Ltd