 |
 |
|
 |
The Internal Audit - make the most of it!
By David Powley - DNV Certification
The internal (or first party) audit should be one of the
most important opportunities for an organisation to check the effectiveness
and the delivery capability of its management system. Unfortunately this
opportunity is generally not appreciated according to David Powley, of
DNV Certification, who offers an opinion on how to get better value from
it.
The internal audit is a well established feature of all management system
standards and protocols for quality, environment and safety & health
(QESH). Certification bodies (or Registrars) take the internal audit seriously
- they are required to. It is an obligatory feature for consideration
at every certification or maintenance audit that they carry out on their
certificated companies. Certification body auditors would prefer to ‘ride
on the back’ of the internal audit and assess how capably the organisation
can discover its own non-conformities and improvement opportunities. This
is the ideal situation but too many organisations unnecessarily restrict
themselves and do not fully appreciate the freedom and imagination they
can exercise.
For example, internal audit programmes too often appear to be framed on
clauses of the standards. This is too abstract and diffuse – organisations
and their constituent processes are not (and should not be) based on clauses
of standards even though they may be meeting the requirements written
within them. Also, clause-based auditing tends to leave auditors without
adequate focus and direction. Furthermore, there appears to be a restrictive
folklore that prevents internal auditors from determining whether true
customer requirements (e.g. contracts) are being fulfilled. The same type
of folklore gives certain departments, within companies, a ‘no go
area’ status or creates barriers to discovering whether the company
is showing true compliance with regulatory stipulations such as ‘licence’
conditions for environment and quality or adherence to safety & health
legally-based best practice. There must be a better view. More about this
later but firstly, why is the internal audit (IA) so important?
The importance of being earnestly audited
The management system standards ISO 9001 (quality) and ISO 14001 (environment)
as well as the quasi-standard OHSAS 18001 (safety & health) have a
common wording for the purpose of an IA – it should determine whether
the management system ‘conforms to planned arrangements’ and
is effectively ‘implemented and maintained’.
Leaving aside the standard-speak, common sense presents the IA as the
primary device for checking the effectiveness of delivery of performance
regarding risks to QESH management. Basic risk management principles have
it that significant risks (or undesired conditions) should be:
1. identified
2. effectively managed and that
3. the effectiveness of the management should be monitored.
It is within the third principle – monitoring the effectiveness
of management - where the IA comes into its own. It is the main opportunity
to determine whether adopted or obligatory procedures and planned arrangements
are adequate and are being complied with. These being the procedures and
planned arrangements used to manage and minimise the risks and undesired
conditions (ref. principle number 2). The importance of the IA is self-evident
but much depends on how well it is planned, administered and performed.
All things relevant and auditable
As mentioned above, there is a mysterious folkloric tendency to be ‘clausal’
and avoid getting better value when deciding on individual audit scopes.
There is a need to get more from the IA and in order to do this we need
to look at what matters.
In quality management, the main issue of concern is the relationship with
the customers and clients together with all that is directly and indirectly
related to it – this would include quality-related legal aspects.
A bigger picture presents the concept of maintaining and enhancing the
prosperity of the organisation.
For environmental management, the pre-occupation should be to minimise
the impact on the environment together with maintenance of environmental
regulatory compliance. A big picture slogan here would be ‘to manage
the environmental impact of the organisation’.
Finally for safety & health, the focus of management is maintaining
the safety and well-being of employees and others affected by the organisation’s
activities as well as compliance with safety & health law– the
maxim here is ‘to protect people’.
With these needs in mind the individual IA scopes could take on the following.
| • |
The contract. Why not audit against the stipulations
within contracts with customers? After all these are the true agreements
between the organisation and the people with whom it is doing business
and they do happen to fall within the term ‘planned arrangements’
as given in the ISO 9001 standard. The more significantly-sized contracts
can be quite auditable in that there are usually clear unequivocal
requirements written into them such as content specifications, delivery
times and terms, packaging requirements and so much more. For contracts
within the service sector such as consultancies and expertise providers
there may be requirements such as qualification and experience standards
of personnel, the make-up of consultancy teams and requirements for
regular and obligatory project meetings. There can be nothing more
powerful or revealing than auditing against contracts when it comes
to discovering whether or not the aim of meeting customer requirements
has been achieved. |
| • |
Regulatory-based specifications. The product or output of several
industry sectors is substantially regulated through specifications
or protocols e.g. food, pharmaceuticals, potable water, consumer products
etc. The customers and regulators expect a provider to meet these
so why not periodically check that this is the case by way of the
internal audit? |
| • |
‘Sacred Cow’ departments. It is curious that certain
corporate or service functions can be absent form IA programmes. Examples
that immediately come to mind are Human Resources, Finance and Marketing/Advertising
but there may be others. Is it not the case that poor practices or
failure to follow acceptable practices in these functions can impair
relationships with customers? Poorly handled recruitment and people
development can run the risk of poor product / service or at least
create unnecessary internal trauma when trying to apply correction.
Failure to carry out timely or adequate invoicing will almost certainly
not be to the liking of customers. Misleading and inaccurate claims
in company literature could lead to spending unwanted effort and energy
in trying to get relationship with clients and customers back on track.
There are no sacred cows where there is a detectable risk of quality
(and therefore prosperity) being compromised or if experience has
shown that this has actually occurred (see later). |
| • |
‘Issue’ audits. Issues regarding the environment
are many and depend on the circumstances of the organisation. They
can include discharges to the aquatic environment, waste, atmospheric
emissions, resource usage, nuisance, effects on habitats etc. For
safety & health the term ‘issue’ can loosely translate
to hazard and these can include categories such as physical (e.g.
slips. trips etc.), mechanical, chemical, radiological, biological,
energy and others. An issue audit would take one or more of these
issues as a theme across all of the relevant units or departments
of the organisation, as appropriate. Alternatively, geographical or
other limitations may promote the idea of covering several issues
at one unit or department at a time. The choice is to be made. |
| • |
‘Licence-based’ audits. Many organisations are confronted
by significant SHE risks and as such are carefully regulated by the
use of documented ‘licence’ arrangements. For environmental
control in the UK these licences include discharge consents issued
by water companies and permits and authorisations issued by appropriate
regulators according to appropriate legislation. Safety and health
legislation in the UK is often underpinned by documented ‘licence’
arrangements (e.g. radio-active substances) and these too are worthy
of internal audit. Other safety and health legislation (e.g. for controlling
hazardous substances, noise at work etc.) is supported by Approved
Codes of Practice. All of these documents are very auditable by virtue
of their clear stipulations. Furthermore they are worth occasional
internal auditing for compliance given that any SHE management system
worthy of the term should be capable of ‘delivering regulatory
compliance’. |
What with existing procedures, instructions, contracts, ‘licences’,
‘issues’ and the rest, there would appear to be a mountain
to audit. Not so. It is fully appreciated that internal audit resource
(i.e. available audit man-hours) is precious and limited and that some
things are more important than others. So priorities must be set.
Risk and Performance – nothing else really matters!
There is a piece of folklore that says that all of the management system
should be internally audited. Really? What is the basis of this? Certainly
the QESH standards do not say this. ISO 9001 says ‘An audit programme
shall be planned, taking into consideration the status and importance
of the areas to be audited, as well as the results of previous audits’.
ISO 14001 states that ‘The organisation’s audit programme,
including any schedule, shall be based on the environmental importance
of the activity concerned and the results of previous audits’. The
quasi-standard OHSAS 18001 similarly says that ‘The audit programme,
including any schedule, shall be based on the results of risk assessments
of the organisation’s activities, and the results of previous audits’.
Thankfully and sensibly, it would seem that internal audit priorities
and therefore programmes should be based on what is important. So how
is importance determined? There are two factors that matter – (1)
the inherent risk and (2) the actual performance of activities, processes,
business units, departments etc.
The determination of Inherent risk is an integral part of all
three standards covering QESH management. ISO 14001 demands that significant
environmental aspects be identified and OHSAS 18001 requires something
similar for hazards and associated safety & health risks. Although
the term ‘risk’ is not actually used in ISO 9001 there can
be no doubt that at the ‘preventive action’ clause requiring
action to ‘eliminate potential non-conformities’ the standard
does require an organisation to effectively make a value judgement on
inherent risk.
Performance is assessed through actual experience such as results
of previous internal audits, non-conformities arising outside of internal
audit, customer complaints, breaches of ‘licence’ conditions,
neighbourhood complaints, accidents, incidents, near misses and other
indications. The graphic in Fig 1 simplistically presents the various
combinations of the risk and performance relationships. For example Zone
1 has low risk/good performance situations while Zone 2 contains those
of high risk/poor performance and so on to Zone 4. This model, or a more
sophisticated refinement of it, could be used to prioritise in determining
audit programmes.
Fig 1. Risk and Performance - developing priority-based audit programmes.
 |
Each organisation has its own agenda to consider but based on this simplistic
approach that is offered, it would be reasonable to accept that at least
50% of available audit resource would be spent in Zone 2 and 40% variably
split between Zones 1 and 3 with 10% or less being spent in Zone 4. Obviously
if it is felt that there is not enough to be covered within Zone 2 then
the remaining available resource can be devoted to Zones 1 and 3. How
much effort should be split between Zones 1 and 3 respectively depends
on circumstances. Even though activities, processes and departments in
Zone 1 may exhibit good performance the mere fact that they may have high
risk may be enough to justify primary effort. On the other hand Zone 3
activities and departments may present low risk but the poor performance
may result in more serious propagated or ‘knock on’ effects.
There may be political reasons for wanting to devote 10% and more resource
in Zone 4 – the areas, processes and activities concerned may not
be in the QESH front-line but it may be felt that personnel in these areas
ought to know that a management system exists. However this should be
limited so as not to draw precious resource away from the important aspects.
This is a simple depiction but it should serve to make the point that
internal auditing should be directed to that which is important.
The foregoing can only be a limited attempt at putting the case that internal
auditing should be taken seriously and that to underestimate its power
and usefulness would be a self-disservice. For many management systems
the internal audit has been the major contributor to improvement but for
others better usage could be made of it. It is important for primary custodians
of management systems to feel freer about what should be included and
of course what is not necessary for coverage by the internal audit, based
on importance. It is only in this way that an organisation can fully meet
any aims regarding its management system in protecting its people, prosperity
and reputation.
| David Powley is a well recognised and highly experienced
integrated management systems Auditor and Trainer with DNV Certification.
He is the author of numerous articles on management systems for
quality, environment and health and safety. DNV Certification is
one of the world’s leading certification bodies/registrars
offering the latest in management systems certification services.
With more than 49,000 certificates issued worldwide, our name evokes
a strong commitment to safety, quality, and concern for the environment.
DNV recently launched Risk Based Certification™, a fresh approach
to auditing. For further information on Risk Based Certification
or any other service DNV offer please visit www.dnv.co.uk/certification
or call 020 7716 6543.
|
top of page |
|
