Characteristics of a Robust Internal Audit Program


Most companies that perform electronics manufacturing services, like ACDi, are certified to one or more quality management system (QMS) standards such as ISO 9001 (generic), AS9100 (aviation, space, and defense), IATF 16949 (automotive), ISO 13485 (medical devices), and others. Maintaining the proper functioning of a QMS requires continual effort and vigilance to combat inevitable entropy. As noted physicist Stephen Hawking once said, “It is a matter of common experience that disorder will tend to increase if things are left to themselves; one has only to leave a house without repairs to see that.” As with houses, a QMS will tend toward disorder without maintenance effort.

One of the best ways to help ensure a QMS continues to function as intended is to have a robust internal audit program. Virtually all QMS standards require internal audits, but as with most things, you can do “just enough to get by”, or you can try to optimize your internal audit program. In my experience, doing the latter will result in a substantial net benefit to the organization.

A lot of work goes into planning and executing a successful internal audit program. Each standard has its own specific requirements, and each company has its own needs and goals, but there are a few considerations that are mostly universal.

Most electronics manufacturing companies don’t have people whose primary job is that of internal auditor, but instead have folks who perform audits as secondary responsibilities. This is a good thing in my view, as it gives everyone involved exposure to people and processes that they otherwise might not get to see. Such cross-functional commingling can result in unexpected benefits as information and experiences are shared and people are better able to understand the challenges faced by others in the organization.

There are no hard and fast rules about how many internal auditors you should have, but I have found that for most small to mid-size organizations, somewhere between 3 and 10 is about right. You want to avoid people auditing their own work and auditor burnout, as well as ensure that the auditors have the right skills and experience to do a thorough job.

Not everyone has what it takes to be a good auditor. Look for people who are outgoing, observant, fair, curious, and detail-oriented, and who are good listeners. If you don’t have a good internal auditing trainer on staff, lots of reputable organizations can provide the necessary training to either train-the-trainer or train the entire audit staff.

How often to audit various processes is often a hotly debated subject. It’s sort of like asking “how often should I perform maintenance on my car”. The answer is…it depends.

ISO 9001 tells us we must “take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits.” That is extremely good advice no matter what QMS standard you’re using. Your resources are finite, so employ risk-based thinking to use them to the best benefit of your organization. It’s not wise to just say “every process will be audited once every 12 months” or any other fixed time and leave it at that indefinitely without regard for the factors mentioned.

If I have a process where there are several new people, or which has had nonconformities noted in previous audits, I will usually shorten the internal audit interval. Conversely, if I have a process with a stable, experienced team running it and there have been no problems observed in years, I usually lengthen the interval somewhat. But all processes should be audited within some appropriate time frame because, as mentioned earlier, entropy rules.

In a practical sense, audit scheduling must also take into consideration things like availability and schedule syncing for both the auditor and auditee, possible Covid-19 restrictions and where the audit is to take place.

The leader of the internal audit program must ensure that they and all their auditors always act fairly and professionally. To be effective, the audit program must be seen as an effort to help the company succeed so that it can continue to provide jobs by identifying and correcting problems in the system, not to punish, demean or embarrass anyone. Only when internal audits can be conducted in an environment without fear will they be of optimal benefit to the company.

If you have an effective internal audit program, you will eventually discover nonconformities. I would suggest that if you go several years with no identified nonconformities anywhere in the company, your internal audit program is either not working as well as it should, or else you are in the top one percent of companies. You need to make that determination honestly.

When a nonconformity is identified during the audit, the auditee should be notified before the auditor leaves the area. If the auditor is unsure, they should let the auditee know of the concern and that they will advise them of the final determination as soon as possible. A good auditor will always keep the auditee informed; there should be no surprises.

For there to be a nonconformity, there must first be a clear requirement, which is typically preceded by auxiliary verbs like “shall”, “must”, and “will”. If a practice does not violate a requirement, it is not a nonconformity, though it may be an opportunity for improvement worthy of note.

A nonconformity must be documented clearly and unambiguously, followed by objective evidence. Copies of relevant documents and/or pictures can be very helpful. The nonconformity should feed into your corrective action process to ensure appropriate correction and corrective action take place. You do have a good corrective action process, right?

Steve Bell
Quality Manager