The First Rule of Internal Auditing

November 1, 2010

This is an open letter to all the wearers of many hats out there.

If your organization happens to be ISO, SGP, FSC or SFI certified, or even if you’re not formally certified to anything but still subscribe to some type of formalized quality management system framework, you may think this article’s not for you. Hear me out before you decide.

If your organization doesn’t formally subscribe to a quality management system of some type, this article’s definitely for you as the benefits are infinite. It ultimately saves the organization time, money, effort, money, energy, money, resources, money and money.

Quite frankly, like so many other things, the 80/20 rule applies here. In this case, eighty percent of the organizations I visit do not implement internal audit (IA) protocols for their processes, and of the twenty that do, eighty percent of them have no clue how to do it correctly.

Regardless of whether there is an external certifying body that requires it or not, the only way to truly validate conformance to any process is to impartially audit it. Like a financial audit, process auditing is a skill using a rules-based approach. The key is to ask the right questions in a consistent, controlled and meaningful manner in order to discover any underlying nonconformities which may either consciously or unconsciously exist.

The first step is to be able to measure any process from a procedural perspective. No standard? No measurement. No procedures? No control. Anything can be evaluated, verified, validated and/or measured. A procedure can range from how to answer a phone, to how to produce a job by breaking down each component part, to how to measure customer satisfaction. It can be statistical, empirical or documentary.

Also, let’s not confuse process or product development, realization, verification and validation with internal auditing. Management and staff directly involved or affected by or from any process activity should always be involved with the procedurally-related activities pertaining to that process. That’s not what we’re talking about here.

Internal auditing is an intermittent activity that should be planned at least annually to evaluate every process in the enterprise. Some processes which are more critical than others should be internally audited more frequently, sometimes quarterly, and of course immediately when recurring issues are identified, such as multiple product non-conformities or customer complaints.

Management needs to ensure that objective guidelines are established based on procedural requirements. Any procedure can be turned into a question for these purposes. A procedure stating that “All Author Alterations shall be reviewed by the CSR in charge” can be turned into the question “Have all AA’s been reviewed by the CSR in charge?” In this way a manageable set of questions applicable to the process can be asked in an objectively interpretable manner.

Audit sampling is also an important aspect of meaningful IA’s. Samples should be random, yet should represent the breadth of the products involved. In cases where a repeatable process is in play, a smaller sample which is representative of the overall volume is sufficient. Where more variables exist, the audit sample should be larger. It could be as much as 20%. Some auditing standards also use the rule of 8/10 of the square root of the sum total. As an example, if you have 1000 unique orders, you would internally audit 25 of them.

Now let’s talk about internal auditors. They should first and foremost be “detail oriented”, articulate and diligent. There’s another term for this kind of person in general use, but this is a family-oriented column. Second, and equally important, the internal auditor should have no responsibility within the process or system being audited. Case in point: the CFO of an organization is a prime candidate to perform purchasing department IA’s (unless of course one of the hats the CFO wears is that of purchasing manager). The last point is one of objectivity. With a well-crafted internal audit checklist in hand, internal auditors should be able to validate any process in the organization impartially and with total objectivity. “Just the facts, ma’am”.

Once the IA has been completed, any non-conformances should be expressed in the form of a corrective action request (CAR). CAR’s should reference the specific procedure along with a description of the non-conformant issue(s). From there, management should investigate the causes by performing a root cause analysis (RCA). RCA’s in their simplest form ask why, five times, just like when a child asks why the sky is blue.

And finally, once the IA’s, CAR’s and RCA’s have been completed, it’s time to put together an action plan along with a resolution timeline which is followed up on by management. For issues needing immediate attention due to systematic failure, the timeline should be rather short. For procedural non-conformities which do not directly affect the outcome, a longer period of time is acceptable, but no longer than the next scheduled IA, where it becomes part of the review process. In all cases the CAR should be re-evaluated and either formally closed or elevated.

These are the tops of the waves. IA implementation is just one tool in a total quality management/continuous process improvement program. Implemented effectively, the end result is always an improvement over the status quo.
