In starting this series for Quality, a couple of quick common concepts:
Management System Standard (MSS) – a series of management standards published by the ISO, as the 9001, 14001, 45001 and about 50 others that are considered as auditable standards versus guidance documents as the 9000, 9004 and many more. Auditable standards typically end with the number one: 22301, 50001, etc.
Auditing levels as discussed in the ISO 19011:2018 – Guidelines for Auditing Management Systems and itself being a guidance document. First party audits are those conducted by personnel at your site, second party audits are conducted at suppliers’ locations or when you hire consultants to conduct your internal audits (IA), and third party audits are conducted by independent organizations usually called Registrars who are themselves being audited by government agencies to conduct audits.
Integrated Management System (IMS) – with the number of ISO MSS available today, many organizations are utilizing the registration process to multiple MSS for a marketing focus for their organization. The most common combination today are the 9001 Quality, 14001 Environment (sometime for showing that the organization is going "Green") and the 45001 Safety. A note here is that any organization in North America should find this combination relatively easy as the yhave the EPA & OSHA in the United States and the Environment Canada & OH&S in Canada.
The Integrated Use of Management System Standards (IUMSS) is an ISO Handbook that was published in November 2018 and will be the focus of a future article. IUMSS links the process approach with the PDCA cycle.
CPR for internal auditors is an acronym designed to help internal auditors remember concepts for conducting better audits. The acronym represents conformance/compliance; process approach; and risk-based thinking.
Many internal auditors who conduct first party audits do so with limited auditing experience and/or training. Others have been assisting their companies for many years; however, have limited auditing time or exposure to the ISO 19011:2018. Many of the reports that I review are simple check sheets that are repeatedly used with limited thought around what is being audited. In one case, there was more detail; however, the quality engineer who performed the audit did not explain what was being reviewed and what he observed. When questioned about this in front of the quality manager, he said, "I didn’t think that anyone would actually read this report." Yes, I wrote a minor finding on the effectiveness of their audit program.
As a full time third party auditor for more than ten years - and having conducted over 800 audits - a common question I ask my clients is "How can the internal first party auditors demonstrate to the third party auditor that they are utilizing the process approach in their auditing tasks?"
The first statement here is that the Management System Standards (MSS) as the ISO 9001:2018 does not actually require internal auditors to utilize the process approach or risk-based thinking. With that said, ISO 9001 clause 5.1.1 d) does ask how management is: "promoting the use of the process approach and risk-based thinking." With this statement, a logical approach would be for the management team to utilize the IA process to address these two key factors as the external third party auditor will definitely utilize these approaches in conducting all MSS audits.
So, although not required in the MSS, the use of the process approach and risk-based thinking would be a win-win-win approach for all management teams to utilize in directing how auditing should be conducted at their sites. The next question for management is how are the auditors trained, cross trained and what, if anything, will be done around the integration of the standards and the need for regulatory compliance to agencies such as the EPA and OSHA. Here again, the win-win-win approach is to train all internal auditors in aspects of the ISO 9001, ISO 14001 and ISO 45001, even if your site is not registered to all three standards. This just makes good sense and better utilizes resources.
There are thus two concepts here to consider if your organization has not already started moving in this direction. One, how do we train our internal auditors for using the process approach and risk-based thinking in auditing? And how do we ensure that our auditors are cross trained in at least the three basic platforms of quality, environment and safety?
The first concept of the CPR for internal auditors is to ensure that the internal auditing team is performing the most effective audits for your organization to support the management team as mentioned in clause 5.1 of the MSS that you are working with. The "C" is for what we are doing in most organization today with the checksheet-based audit of verifying the conformance or compliance of the process to any standards or regulatory issues. The "P" represents the process approach thinking that we need to train auditors to utilize. The "R" is to think around risk-based thinking that also includes identifying opportunities.
In thinking about the process approach, there is an interesting idea of one company that has figured out how to take an order from a customer and deliver that order in five minutes or so in virtually every city and town across North America and many places around the world. And they can do it consistently using high school students. If you have ever had a high schooler in your home, you know how hard it is to get them to do anything, never mind consistently! However, this organization has figured it out. Okay – the company is: McDonald’s. So as you are training internal auditors, have them go to the local McDonald’s and sit for an hour or so somewhere where they can watch what is happening behind the front counter. And have them create some sort of a graphical chart of what they are observing: flow chart, swim lane diagram, Turtle diagram, process map, value stream map or any other graphical tool that your organization prefers to use. This should be a very good first step in helping the new internal auditor understand process thinking.
If your organization already uses some form of process maps in your documented information system for the MSS, then have the internal auditor conduct their audits using those forms and to make comments on the paper to demonstrate to management and the external auditor that they are following the process. If your organization is not using some form of process map within your work instructions, then ask the internal auditors to start creating them when talking to process owners for management review. This will give you a leg up if you start transitioning your documents into flowcharts.
The last step of the CPR for internal auditors is for the team to ask each person they interview (including top managers) what are the risks and opportunities in doing the work being reviewed. The method was meant to be an ice breaker and with the 2015 release of the 9001 & 14001 has become my mainstay for getting at risk. I ask the interviewee if they have ever heard of Harry Potter – almost everyone has. Then I ask, If I could give you one of those Harry Potter magic wands for a day, what would be the first thing that you would want to change to make some sort of process improvement? I do not limit the question to the person’s job, but most people tend to go there first. The information gained is then recorded in the audit report for client review. And sometimes, management even finds a way to make the suggested improvement before the audit is completed.
The second concept of the CPR for internal auditors is to ensure that the internal auditing team has the skills needed to perform process approach and risk-based auditing. In my travels, I find many internal auditors who work with either the quality or the safety & environmental departments. The thinking going forward should be around integration within the management system.
When I talk with top management, I point out that they should have one management system, versus silo departments. Anything more than that, and they are wasting money, time and resources. So one process improvement, if not already in your system, is to fully integrate your internal audit system even if you are not registered to all three main standards of the ISO 9001, ISO 14001 and ISO 45001. And if you are registered to any one or more of these MSS and you cannot demonstrate that you are saving the organization money, then you are doing something wrong!
So in cross training your current internal auditor teams, the question of how do we teach skills for integrating the audit process will often come up. As the internal auditors become more skilled at using the process approach, they will find that going into different areas should not be that much of a challenge as processes should be similar. Even W. Edwards Deming was well known for stating that "the more things that you see, the more things will look similar." So practicing using the process approach is the first step in training integrated internal audits.
When specific skills are needed in each of the three main areas, target these. In the quality camp, something like the Certified Quality Improvement Associate could be a good start. In safety, taking a 10-hour General OSHA Industry training would be good as all supervisors should already have this training. For the environmental lessons, something like a Certified Environmental Special could be utilized.
The goal for the CPR for internal auditors is to develop a process to continually improve the auditing skills of your people – both auditors and auditees. In my own auditing, I am constantly trying to learn new skills and techniques. Some of these will be the topic of a future article.
In thinking about future topics for this series, I’ve generated a large list of ideas for the Quality editors and we would love to hear from you about what you might be interested in learning more about in the ISO auditable standard process. I can be reached at [email protected].