Internal audit programme: From 'Genesis' to 'Revelation'

In March 1969, the progressive rock band Genesis released its first album. Entitled ‘From Genesis to Revelation’, it completely failed to garner the attention it deserved because record shops frequently placed it in the religious section of their record displays.

Similar can be said of an organisation’s internal audit programme. They don’t attract the attention of the people they should – ie, management – because they are doomed to failure by being filed under 'ISO certification'. In fact, people frequently report that "management don’t take my internal audits seriously".

To fully understand the root of this lament and to identify a fix, we must reflect on the how and why internal audit programmes are started and their impact during the two 'phases' of auditing:

Phase 1 – The 'genesis' of the audit programme

This is the phase of the internal auditing programme where "all eyes are on the prize" – the attainment of the coveted ISO Certificate. An organisation may be motivated to achieve third-party certification for two reasons: being required by potential and actual purchasers, or as a perceived competitive advantage. Either way, some of the company’s leadership is vested in seeing it through. To support this initiative, activities are undertaken, including:

• having someone take Lead Auditor or Internal Auditor training; 
• engaging the services of an ISO consultant;
• obtaining a ‘QMS-in-a-box’ documentation package (or eQMS software solution);
• engaging a conformity assessment body (CAB) to perform a pre-assessment.

All these 'solutions' have one thing in common. They all focus on what it takes to prepare to pass the third-party audit as the objective, and ignore what should happen to sustain the organisation’s quality management system (QMS). In respect of obtaining an ISO Certificate, they can be seen to be (somewhat) effective.

In particular, the internal audit programme becomes modelled to prepare the organisation for certification. Lead auditor training courses frequently use the model of a CAB audit as the foundation of their course materials – everyone wants to know what the CAB auditor will do. Internal audits are frequently conducted in preparation for the certification Stage 1 audit, to ensure a finding is avoided and the certification stage 2 audit is delayed until internal audits are conducted.

"What is it about the internal audit programme before certification that is failing to be taken seriously by the organisation’s management, after that goal is achieved?"

Andy Nichols CQP FCQI, Quality Program Manager at Michigan Manufacturing Technology Center in the US

Advice may be obtained by those responsible for the organisation’s internal audit programme, which suggest that it’s appropriate to conduct a full cycle of internal audits or ensure all elements, either of the QMS or the ISO standard, are covered before the CAB auditor’s visit.

Indeed, once a calendar of internal audits is created, showing how the full cycle of all elements (whatever that means) is addressed, this may satisfy the CAB auditor and not prevent a recommendation for certification. After all, internal audits are one of the items that will be considered at the very first annual surveillance audit – most likely by the same CAB auditor – and at that point, if the internal audit programme has faltered, it can be reported as nonconforming.

All the necessary support, training and advice may be considered as being effective, since the goal of obtaining certification is rarely not awarded. The internal audit programme may not even be the subject of an ‘opportunity for improvement’ (OFI).

Success is recognised and may be rewarded. However, little thought about sustaining the internal audit programme was necessary or even considered at this point.

Phase 2 – moving to 'revelation'

Once third-party certification is awarded, what then? Rinse and repeat, but this time in preparation for the CAB’s annual surveillance audit? Depending on who you listen to, there’s a variety of ways an internal audit programme should operate after certification is awarded, including the popular:

• all ISO requirements once a year;
• all ISO requirements over three years;
• half the QMS each half-year;
• a QMS process a month;
• or some variation on these themes.

Experience shows that rarely does a CAB auditor raise an eyebrow, since they often undertook the same lead auditor training, and so on. After all, imitation is the sincerest form of flattery.

In Phase 2 of the internal audit programme, the goals and objectives have changed. Management may consider the job to be done. Indeed, as long as the organisation maintains its certification by avoiding major nonconformities, they believe the audit programme’s job is done.

What’s needed is a realisation that, as Einstein once put it, "doing the same things and expecting a different result is insanity". But what things? What is it about the internal audit programme before certification which is failing to be taken seriously by the organisation’s management, after that goal is achieved?

Simple! It’s the planning of the audit programme. What to audit and when to audit it. Before certification, the only consideration given to planning was a) the creation of a calendar of audits, and b) getting some audits done by the Stage 1 and Stage 2 certification audits. Beyond that, audit programmes need to consider the value they can bring to the organisation’s management, and what they call 'serious'.

There is a clue in ISO 9001, clause 9.2.2, which talks about planning an audit programme and taking into consideration the "importance of the process(es)…".

What makes a process ‘important’? Not all processes can be equally important, so ask:

a) Does it affect the customer and their satisfaction?

b) Does it perform below (or above) the planned performance levels?

c) Does it keep management awake at night?

Rarely, if ever, do internal audits solicit the input of management and include the things they (should) take seriously, namely process performance, which includes (to name a few):

1. Scrap.
2. Rework.
3. Reprocessing.
4. Equipment downtime.
5. Warranty claims.
6. Customer complaints.
7. Expedited shipments.

Further clues can be found in the same requirement for the audit programme planning to consider "changes affecting the organization". These may include:

• reorganisation, including new hires, re-assignments, etc;
• process changes;
• technology introductions;
• new customers and/or customer requirements;
• revised regulations;
• product revisions;
• improvements made throughout the organisation.

Rarely, if ever, do these events coincide with a calendared approach to scheduling internal audits, with the result that issues associated with changes are seldom flagged in a timely manner. 

Summary

If, when planning an internal audit, we engaged top management and asked them the questions above, and then used audit planning to evaluate what was going on with the process performance or changes, there’s certain to be a greater willingness to support the necessary corrections and corrective actions. After all, it’s most likely someone in management is being measured on such things.

When internal audits can help diagnose for the organisation’s management, what role the quality management processes had in causing issues affecting performance, this will therefore, lead to supporting swift and effective actions. When that happens, we will have caused a revelation.