The management of the QMS’s internal audit program

June 4, 2022 Chiara Alcantara No Comments 128 Views

In last month’s article I discussed what an ‘e-QMS’ is and its relationship to an organization’s Enterprise Resource Planning (ERP) activities and its continuous improvement journey thereof. For example, e-QMS automations often first appear in an organization’s compliance, auditing, and non-conformance incident management activities. However, since a ‘good’ QMS encompasses the control and assurance mechanisms used for all processes and their results, e-QMS automations will also interface with or expand the capabilities of many other of the organization’s ERP activities. 

In this article I discuss purposes of and best practices for the planning and management of a QMS internal audit program. 

What is the purpose of the QMS’s internal audit program?

The purpose of the QMS’s internal audit program is to provide independent, objective, and timely evidence that the organization is ‘healthy.’ 

More practically speaking, the purpose of the QMS’s internal audit program is to assess the overall effectiveness and efficiency of the organization’s actual operation and results as well as its on-going decision making. For example, a ‘good’ QMS internal audit program does not just document/trace its findings (e.g., non-conformances, opportunities for improvement) between the process and the requirement ID#(s) of the QMS standard implicated. It must also assure management that is objectives remain suitable to its current goals and priorities. 

Or putting it another way, the purpose of the QMS’s internal audit program is not just about examining the organization’s processes and their results so that records that exist for organization’s QMS registrar. The purpose of the QMS’s internal audit program is to help the organization have successful relationships with its customers, employees, suppliers, and the implicated regulatory and statutory agencies.

What constitutes a ‘good’ QMS’s internal audit program?

A ‘good’ QMS internal audit program examines the organization’s processes to highlight potential as well as real failure points and to identify candidate improvements including more effective process controls or increases in product capability, performance, and reliability. 

  • The examination of process is done with risk at the center of the audit plan’s purpose and reporting. Specifically, risks can exist for any of the (customer, employee, supplier statutory and regulatory) obligations held by an organization and the mechanisms used by the organization to prevent and manage them. Further to this point, the audit plan and report of a good QMS internal audit program will be focused on foresight (and not hindsight). 

A ‘good’ QMS internal audit program also looks at the significance of its findings with respect to the relevant strategic, tactical, and operational objectives of the organization. 

  • Management review is one of the best mechanisms for ensuring the significance of a finding and the urgency of any actions taken to contain, correct, and further prevent it aligns with the organization’s goals/objectives and priorities.

What are some best practices for a ‘good’ QMS internal audit program?

The marketspace, product/services, as well as the statutory and regulatory obligations for an organization will certainly help determine what best practices a ‘good’ QMS internal audit program will create, promote, and follow. However, the champions, managers, and practitioners of the QMS internal audit program should also consider the following best practices for gaining and sustaining a ‘good’ QMS internal audit program:

  • The QMS internal auditing must focus on issues that are relevant to the current processes, tools, intended results and business plans of the organization. No one wants QMS internal audit reports filled with ‘old news’ (of already known defects and already documented improvement recommendations. The later is especially so if no newer root cause(s) and/or solution(s) for addressing them is stated).

 

  • The auditing activities of the QMS’s internal audit program itself must be as rigorous as the activities for planning, execution, and management of an audit upon any other process. A ‘good’ culture of quality is not about having evidence that the policing of the police is also an integral part of the organization’s governance but if the internal audit program itself is not championed, managed, and audited to the same level of planning and record verification as any other process of the organization the culture of quality will likely not reach that which is intended/desired. Transparency and integrity must be universally practiced within the organization.

 

  • The backbone of a ‘good’ audit program is having a competent root cause/failure analysis knowledge and practice within the organization. A quick, cursory and/or non-cross functional team identification and treatment of root-cause analysis will rarely deliver success. Rather, those organization’s that invest in both their employees and their tools for improved critical thinking/analysis capabilities and that ensure that a multi-disciplined effort for determining root causes (and their solutions) is conducted will be the organization’s that deliver timely value-added results. This is not to say a specific auditing finding will never repeat itself but if the effort to determine the true root cause is not well done neither will be the actions taken to address that non-conformance.

 

  • Everyone understands that auditors should not audit their own work but the temptation to do so often exists (especially in smaller sized organizations). To overcome this temptation the role of internal auditor must always be promoted and valued by management (… not just at the time immediately prior to an audit or during its closing meeting). In small organizations outsourcing the internal audit program can be one of the ways of ensuring independence of the work being audited is achieved; otherwise ensure employees are encouraged and rewarded/appreciated when they gain auditor training, auditing assignments and then ultimately auditing subject-matter expertise.

 

  • Auditors are just like ‘peer reviewers’ in that they need to keep their skills honed and well practiced. So, a ‘good’ QMS internal audit program ensures auditing assignments are requested of its auditors regularly. More specifically, a QMS internal auditor should be auditing two or more processes at least twice a (business) year. They should also be given opportunity to acquire lead-auditor skills (and credentials by those assignments as well as 3rd party certifications).

 

  • Auditors must also understand the processes they are auditing and the intended results of it otherwise they will overlook, erroneously describe or even categorize/disposition audit findings. In other words, ‘good’ QMS internal auditors are persons who have held and completed several roles in various parts of the organization successfully (because they are better able to understand and verify the interactions of processes – the areas in which value is correctly transferred (or lost) within the organization or to (or from) its clients and suppliers).

Summary and Conclusion

In summary:

  • sometimes organizations want a QMS internal audit program that is only meant to create records that demonstrate compliance of the organization’s quality control and assurance mechanisms with the implicated QMS (e.g., ISO 9001, AS9100, TL9000) standard an organization wishes to be certified in. That is, however, not a ‘good’ QMS internal audit program’s purpose. The purpose of a ‘good internal QMS audit program’ is to help know if the QMS itself is ‘good.’  In a previous blog (from April-2022) I spoke to the characteristics of a ‘good’ QMS. So, a ‘good’ QMS internal audit program is planned and managed with awareness to all (strategic, tactical, and operational) objectives of an organization in mind.
  • Often is the case that the best persons suited to identify solutions for improving a process are the very employees who are asked to be responsible for the creation of the outputs of the process. When employees are encouraged to improve the results of the work assigned to them, they become more engaged in the success of the organization. And more specifically, unless an audit finding is against the QMS internal auditing program itself, a ‘good’ QMS internal audit program does not assign the auditors to be the owners of a finding’s root cause analysis; rather, the implicated process owners/practitioners of the non-conformance are the owners of its root cause.

To conclude:

  • QMS internal audit programs are purposed to provide accurate and pro-active governance on product and process compliance with all the requirements accepted by an organization (not just the ones of the QMS standard(s) of interest/relevance).
  • the scheduling of QMS internal audits and the processes to be audited needs to be based on the intended context and objectives of the organization, its actual work locations and performance, and the findings made in past auditing events that still pose risk to where the organization is today and where it wants to go tomorrow.

And now, a sneak peak into my next article

In my next article I will discuss specific job experiences integral to being a ‘good’ QMS internal auditor as well as career development paths for gaining those experiences (timely). For example, a ‘good’ QMS internal auditor is a person who has that completed various (customer and supplier facing) positions successfully – they are typically not just a person who has obtained a large number of auditing hours of a process or an objective of the organization.

Related Posts

A summertime “muse” … a comparison of the P-D-C-A and L-A-OModus Operandi
QMS – Awareness And Effectivity Survey
My Conclusions to “Things Quality Management Systems (QMS)”
Pros and Cons of an ISO 9001 Compliant Quality Management System (QMS)
A Learning Roadmap for QMS internal auditors
QMS automations and an organization’s ERP activities
Chiara Alcantara