The internal audit is where we take each procedure and check for compliance with our management system – wrong! OK, you can do that but all it will yield are nonconformances that have to be closed out, often by updating the system paperwork. The result is updated paperwork that few people other than the auditor reads. Granted, some operational deviations will be picked up but, in my experience, this approach rarely leads to a permanent fix. Overall, it will waste time and discourage auditing.
One major weakness in auditing by procedure is that it doesn’t tell you whether people are following the procedure or the procedure is following them. Many companies introduce a new system, write procedures to describe what they’re doing and then audit against them to check compliance. If the work writing the procedures was done in association with the workers, you should already know the answer. You ask somebody how they do a particular job, you write it down and you then check you’ve got it right. Auditing against the procedure is unlikely to tell you anything about the work processes – at best it will tell you how well (or badly) the system was written up. I’ll grant you that there may be some sense doing that on a mature system that has had few recent changes, to check it’s still valid, but the real problem here is probably that the system is not being maintained – I find very few systems that don’t benefit from ongoing updates.
Better to take a process approach – audit a process and see if it is giving the desired outputs and outcomes. And remember that both auditor and auditee are colleagues working to a common goal to improve company performance. The following approach was first suggested to me by David Hoyle (thanks David) – I’ve changed it slightly to fit in with my own approach. Five questions to ask (not so much as five direct questions but five elements to assess):
- What are you trying to achieve? Does the auditee know the objective of the process being audited or, at least, his or her part of it?
- How do you do it? An opportunity to walk through the process and see what is done, and how. This might be done verbally by the auditee describing what he or she does, or by observing the actual work being done. If the auditor is properly prepared, the key points will be on the checklist.
- How do you know you’re doing it right? Is the auditee aware of the required outputs, and is he or she monitoring them. Often a chance to look at some paperwork.
- Why are you doing it this way? Providing the auditor hasn’t been lazy and decided to use a copy of the procedure(s) in lieu of preparing a proper checklist, an opportunity to find out if the auditee knows and actually uses the system documentation.
- How could we make the process better? The auditee should know the work better than anyone else (or, at least, his or her part in it) – who better to suggest ways to improve.
And this last question highlights the real purpose of internal auditing – improvement. Verifying strict compliance with management system procedures should become secondary.