MANAGEMENT SYSTEM AUDITING

Site hosted by Angelfire.com: Build your free website today!

MANAGEMENT SYSTEM AUDITING

What is an audit?

An audit is a systematic and independent examination to determine whether activities, and related results comply with planned arrangements. It also determines whether these arrangements are implemented effectively, and are suitable to achieve objectives.

Who performs audits?

Audits may be classified as follows:

First party audits – audits conducted by an organisation’s own personnel (internal audits). This type of audit is mainly directed at improving the management system, and checking compliance of the organisation’s employee’s work practices, with procedures. A properly conducted program of internal audits is well recognised as an effective management tool.

Second party audits – audits conducted of a supplier’s or contractor’s management system by a customer (external audit). This type of audit is often used to acertain, how the customer’s contract is being handled by an organisation.

Third party audits – audits conducted for certification purposes, usually by certification bodies such as Quality Assurance Services, Lloyds Register etc. (extrinsic audit). These certification bodies are usually accredited by JAS-ANZ (Joint Accreditation Scheme Australia and New Zealand), which has treaties with international certification bodies. Certificates issued by accredited certification bodies, are recognised by international trading groups such as the European Community. This means that certified organisation’s have better access to international markets.

(Extrinsic audits, can also be performed on supplier’s management systems, by customers. Large organisations sometimes introduce their own form of certification of their suppliers’ systems.)

Audits provide an independent and objective assessment of compliance with defined system requirements.

At the same time, effective subcontractor audit can remove the need for many internal costs, such as inward inspection (control) of the product or service, supplied by them.

What are the audit objectives?

The aim of a management system audit is to discover and evaluate the need for improvement or corrective action. An audit should not be confused with ‘surveillance’ or ‘inspection’ activities performed for the sole purpose of process control, or product or service acceptance.

Audits should be designed to:

Determine the conformity or nonconformity of the management system with specified requirements set out in relevant Management System Standards such as AS/NZS ISO9000, AS/NZS ISO 14000, AS 4804, and the organisation’s management system documentation.

Determine the effectiveness of the implemented management system in meeting specified risk management objectives.

Provide the auditee with an opportunity to improve the management system.

Meet regulatory requirements.

Permit the listing of the audited organisation’s quality (safety, environment, security) system in a register.

Audits are generally initiated for these reasons:

To evaluate an organisations own management system against a Management System Standard.

To verify that an organisations own management system continues to meet specified requirements.

Management system audits should not transfer the responsibility to achieve quality (safety, environmental control, security), from operating staff to the auditor.

What are the requirements for auditors?

Requirements for auditors include an appropriate level of training (Standards Australia offer Internal Auditor training, and Lead Auditor training on a regular basis). Auditors should also be independent, (auditors must not audit their subordinate staff, or their own supervisor).

Auditors should not audit operating procedures, which have been written (developed) by themselves.

What documents are audited?

Auditors audit against the following management system documentation:

The organisation’s mission and vision statement.

The relevant Management System Standards (AS 4581, AS/NZS ISO 9001, AS/NZS ISO 14001, AS 4801).

The management policy manual.

Procedures/Work Instructions.

Quality Plans

Audit Reports.

Audits are normally routine and conducted in accordance with a prearranged schedule. They may however, be prompted by a significant change in the organisation’s own management system or product or service problems.

An internal audit may be initiated to follow-up corrective action to ensure that preventive action has been implemented, to maintain the management system.

When developing an audit schedule, each audit may be scheduled against:

a section/part of the above documents, or

one of the above documents, or

a combination of the above documents.

How is an audit arranged?

It is essential and courteous to contact the auditee or the relevant department and make arrangements well ahead of time.

This may be adequately achieved by phone, letter, memo or fax. As the time approaches, contact the auditee again by phone, or directly, and clearly establish a commencing time and date of the audit.

Advise the auditee that they will be receiving an audit plan prior to the audit.

It is essential that the auditee understands, that there will be three main components of the audit. They will consist of an opening meeting, the audit itself, and a closing meeting with the auditee.

Prior to the audit the auditor should visit the auditee to collect relevant information, including:

names of people.

Identify and collect documents.

Logistics.

Technology.

Size of the department or site.

Travel and accomodation details.

Safety requirements.

Maps.

Working hours.

When the cost of travel to the auditee’s department or site is prohibitive, this information should be collected by phone or fax.

The opportunity must exist for collecting this pertinent information prior to the audit. During the audit, time is often the auditor’s greatest enemy. Having all the relevant facts available for the audit plan will permit the auditor to use the available time to best possible advantage.

How is an audit planned?

Planning is essential to satisfactory audit performance.

The audit plan should be designed to be flexible, to meet changes in emphasis based on information developed during the audit, and to permit effective use of limited resources.

The audit plan should include:

The audit objectives.

Identification of the area to be subjected to audit.

Those responsible for the conduct of the management system in the areas of interest.

The plan should identify reference documents that may be applicable, such as the management policy manual(s), and those management system procedures that will be operable in the area subjected to audit.

Also the history of (previous) internal audits and possible future audits by second and third parties should be provided, especially where nonconformances have been previously noted.

The internal auditor has special responsibilities in the early stage, especially in the planning, to ensure that the following have been achieved:

Relevant employees have been informed that the internal audit has been scheduled and may understand its objectives and scope.

Responsible members of staff should also be advised that the internal audit has been scheduled.

Access to the facilities and material that can support the results that need to be determined during the internal audit.

What is an ‘adequacy audit – desk top review’?

As a basis for planning the audit, the auditor should review for adequacy the auditee’s recorded description for meeting the management system requirements such as:

The organisation’s mission and vision statement.

The management policy manual.

Management system procedures.

Management system procedures should reflect the policy statements in the management policy manual. Policy statements should be consistent with the organisation’s mission and vision statement.

How is the audit checklist developed?

The role of the checklist is as follows:

Provides a useful reminder.

Guides the conduct of the audit (and helps the auditee prepare for the audit.

The completed checklist provides objective evidence of questions set out in the audit.

Provides balance.

Maintains depth.

Maintains scope.

The checklist should be structured in accordance with criteria applicable to the audit, including Management System Standard(s), management policy manual, procedures, and in the case of second party audits, contract requirements.

Checklist questions should be designed to produce objective evidence that the management system is working. Closed questions do not produce objective evidence!

DEVELOPING CHECKLIST QUESTIONS

TRIGGER WORDS (Active Verbs)	CLOSED QUESTIONS (Yes/No Answers)	OPEN QUESTIONS (Objective Evidence)
Shall	Is there….?	When does….?
Must	Have they….?	How does….?
Will	Does it….?	Who does….?
Record	Do they….?	Where is….?
Forward	Are there….?	What do….?
Maintain	Can they….?	Why are….?

Trigger words which appear in management system documentation, prompt the development of checklist questions, to provide objective evidence of compliance with agreed policies and procedures. Checklist questions may be ‘closed’ or open.

Example:

Closed question.

Are there records kept of all changes?…….. Yes!

Are you records indexed?……..Yes!

Open question.

How do you identify the records?

How long do you keep the records?

What records are kept?

How do you index your records?

OPEN QUESTIONS ARE USED TO OBTAIN OBJECTIVE EVIDENCE.

How is an audit conducted?

Opening Meeting.

It is essential that any audit creates the right impression. Failure create the right impression on the auditee will imperil the audit. Therefore conduct the opening meeting in a business-like manner and ensure that at least the following points are dealt with:

Introduce the members of the audit team to the auditee(s).

Explain the purpose of the audit.

Review the scope and objectives of the audit.

Provide a short summary of the methods and procedures to be used during the audit.

Establish the official communication links between the audit team and the auditee(s).

Confirm the time and date for the closing meeting.

Clarify any unclear details of the audit plan.

Define the classification of nonconformances, if this method is used.

Set up and take minutes of the entry meeting, i.e. records.

Establish an attendance list.

Confirm that all concerned are aware that an audit is to be conducted.

Any special points the auditor should be aware of, e.g. safety, restricted areas.

Auditors’ meeting.

This is the opportunity for auditors to meet for 5-10 minutes to discuss the audit plan.

Information may have surfaced during the opening meeting that requires a redeployment of auditors or a change in audit plan.

It is also worthwhile at this point to discuss any last minute concerns, and to provide encouragement to novice auditors.

Conducting the audit examination.

The audit activity is a very sensitive task and should be undertaken with minimum disruption to the people involved.

Assurance should be given that this is not a police-type investigation or some form of inquisition. It is a test of the effectiveness of the system, not of the people involved, and at no time during the audit should it become personal.

The audit should concentrate on the management system and associated procedures: have they been effectively implemented? Are they working? What deficiencies exist at the moment?

Essentially we are trying to determine what shortcomings the people are experiencing, and present the opportunity of taking action to overcome these problems. The audit will serve as an excellent opportunity for overcoming difficulties, obstructions and frustrations that many times cause people to fail in the accomplishment of their tasks; it is intended to improve the management system.

This stage of the audit consists of:

Asking questions based on the checklist requirements;

The detection and observation of objective evidence; and

The notation or recording (on checklist) of evidence details.

Evidence should be collected through:

Interviews

Examination of documents

Observation of activities and conditions in the areas of concern.

Clues suggesting nonconformities should be noted if they seem significant, even though not covered by checklists and should be investigated.

Information gained through interviews should be tested ,by acquiring the same information from other independent sources, such as physical observation, measurements and records.

Audit observations.

All audit observations should be documented in a clear, concise manner and should be supported by evidence.

Nonconformances should be identified in terms of the specific requirements of the standard(s) or other related documents, against which the audit has been conducted.

Audit reschedule

Occasions may arise when the auditor may need to abort the audit and reschedule for another time. For example:

When requested by the auditee.

Management system (procedures, records) not yet implemented.

When, for personal reasons, the auditor or auditee is unable to carry on.

Personal conflict may jeopardise auditor objectivity.

Major disruption (industrial dispute, accident).

Nonconformance Report/ Corrective Action Report Meeting

When the audit examination has been completed the auditors meet to write up NCR/CARs for each nonconformance.

This is an important opportunity to discuss or clarify problems or concerns, and test findings.

The NCR/CAR should include:

A brief statement defining the nonconformance>

The objective evidence to substantiate the nonconformance.

Reference to document or relevant standard.

Closing Meeting

The main purpose of this meeting is to present audit observations to the auditees in such a manner to ensure they clearly understand the results of the audit. It is important to bring to the auditee’s attention any problems in the form of nonconformances and observations, first hand from the auditor.

The following activities should occur at the closing meeting:

Set up and take the minutes.

Establish the attendance list.

If necessary, explain the purpose of the audit.

Present audit observations and nonconformances.

Quote the evidence.

Present conclusions regarding the management system’s effectiveness.

Handle auditee justification of a nonconformance with patience and understanding.

Auditee refusal to take corrective action on a nonconformance should be noted on the relevant NCR/CARs and the audit report, and the matter referred to the Management Representative.

Audit Report

The purpose of the audit report is to summarise and record details of the audit and closing meeting.

It is normally prepared by the lead auditor immediately after the audit has been completed.

Prior to distribution, the audit report should be reviewed by the entire audit team to ensure that the information is fair and representative of the audit findings.

It is strongly recommended that a formal audit report format be established, to ensure consistency of approach, with the following components:

‘Audit plan’ details.

Audit findings including nonconformances and observations.

Corrective Action Requests

The report should be brief, accurate, factual. It should not interpret or add post audit information.

The audit report should be issued as soon as possible after the audit.

Corrective action and follow-up

Corrective action and follow-up should be completed within an agreed time period.

In follow-up activities the auditee is responsible for determining and implementing corrective action.

The auditor is only responsible for:

Identifying the nonconformance at audit.

Verifying the corrective action to be taken and that the corrective action is correct.

If the follow-up audit indicates that corrective action is successful, the NCR/CAR is ‘closed out’. This ‘closeout’ status should be noted on the nonconformance report.

In the case where corrective action has not been successful a new NCR/CAR should be raised, with further follow-up.

Alan Cotterell

Acotrel Risk Management Pty Ltd

19/9/99