assault
entrenched management
internal audit
ISO Auditing
lack of alarm systems
Uncategorized
Four ISO9001 Internal Audit Fails
I’ve been in or part of over 300 ISO9001 audits for several different registrars. Invariably the companies that do the best job at ISO9001 are the ones with the strongest internal audit program. The underlying rationale is that the internal audit is a moment of self-evaluation and introspection. The better you are at this, the more likely you are to make corrections in your system.
As a further public service, this article will highlight some of the more common instances of problems with an Internal Audit program. These things may lead to a finding of non-conformance, but it is much more likely to lead to you and your company not getting the full benefit of adopting the ISO standard. This is not about a piece of paper. It is a business improvement methodology.
So here, in no particular order, are some examples of internal audit failures that are obvious to the auditor and doing you no good.
Failure to Do One
We all know (don’t we?) that clause 9.2 of the standard does require you to do internal auditing of the requirements of the international standard. It also requires you to internally audit “your own” requirements deemed necessary by you.
The standard even allows you to set up your own rules as to frequency and method.
So given all of this flexibility, why would you not do one? The most frequent cause of this is that the company’s quality manager leaves. It takes a long time to hire a new one, and no one is around to lead the process. Quite often, a new one is hired, just before the audit and gets the news a few days before the registrar’s audit.
Nothing Happens in Isolation
But, nothing happens in isolation. In a case like this, the real underlying cause is a lack of understanding of the requirement by management. I believe that this is a good feature of the ISO9001:2015 standard. The new current version of the standard requires management commitment and integration of the ISO standard into the normal business processes.
Quality managers have a lot of reasons for leaving. One of them quite often is frustration. But this is another sign of management disengagement. Since nothing happens in isolation, it is also quite common for the quality manager not to be backed up by management in general.
So invariably, when I as an ISO auditor go into a place and find out that the internal audit has not been done, it is usually just the tip of the iceberg.
Excessive Use of the Checklist
This happens a lot: Someone buys a canned system off of the internet and is in “conformance” to the standard. A lot of these things have “internal audit checklists”.
They will say something like “does the employee have access to the correct work instruction” and have a box yes/no.
Or they will say “is the employee doing their job properly?” and have a box to check “sure”.
So it is pretty easy for someone to go through, check all the boxes, you have “objective evidence” that an internal audit took place, and everybody is happy. Supposedly.
We can have a conversation later about the companies that buy a canned system off the internet and think they are ISO conformant.
Do Checklists Work?
Does this actually work? In a way it satisfies the requirement of the standard. The company is doing “internal audits.” I as an auditor cannot say that it is either effective or not, because it is not my job to do that. It is the client company’s job to make that determination. But this happens a lot. I go into a place, see multiple years of beautifully filled out checklists. There are no findings. Then, I go out onto the floor and find a dozen non-conformances before noon on the first day.
So I guess there is no clause of the standard that keeps you from doing “bad” internal audits. However it is generally not considered a good quality systems practice, and most decent auditors can see right through it.
As a further clue, I will quite often find out that the date on the internal audit is just a few days before the actual audit. The auditor knows when you tried to “cram.”
In the place where I do internal audits, I usually just find the procedure that is applicable to a given process. I then go through it line by line and look for the word “shall”. If I find one, I ask the simple question “are you still doing it that way?” and if that is the case they are good. If that is not the case, they need to use one of the two blanket responses for any non-conformance. Fix it, or change the procedure.
Failure to Respect the Process
This happens a lot and as an auditor it makes me crazy. Your internal auditor goes out and finds things that need to be fixed. You then don’t fix them.
I have been to a lot of places that, in their internal audit procedure, actually have a required response time for internal audit findings. They will say something like: “internal audit findings must be put into the corrective action system.” Or “non conformities must be addressed within 10 days” and these things don’t happen.
Side issue: this is called “painting yourself into a corner” in procedure writing. We will have a talk about that later on.
In a lot of these same places you have recurrent internal audit non conformities. In fact, I would say the incidence of this is about 95%
What all of this points to is that the internal audit program is pretty good, but there is lack of management commitment. Your knowledgeable internal auditor has found some process issues and you aren’t doing anything to fix them.
Negative Projection onto the Auditor
This is actually reasonably common as well, maybe I have seen this less often than at the start of my career.
Here is a scenario: Someone is not doing his or her job, as defined by the procedure. Some authority figure comes along and calls them out on it. Management (sometimes reluctantly) sides with the auditor. The “someone” then blames the auditor, and holds it against them.
I once worked with a guy whose job was to turn people in who were not doing their jobs. He was a bright guy (and if you are reading this, Tom, give me an email and let me know how you are doing). He was also very good at it. But he had this way of ticking off a lot of the workers he was calling out. At one point, the situation got so hostile that a mixer operator very nearly dropped a 1200 pound batch of material onto him.
I believe that in this era, this would be called “assault” and the operator would be arrested, and correctly so. But at that particular place, and at that time, the reflex action was to back up production, irrespective of quality.
An auditor can sometimes be a little officious.
It is true that sometimes, an auditor can be a bit officious, and a bit annoying. The best ones are bright people. But, if the auditor sticks to the facts, which they should, the issue of conformity should be indisputable.
In a situation like this, where the production people negatively project onto the actual auditor, it is a function of supervisor and management commitment. If it is tolerated in a place to ignore established work instructions, you have to go back to the fundamental issue of ownership.
IF the owners of the company ask you to do X, and then you don’t do X, why would you not do that?
The above example, extreme enough, is an example of a toxic work environment, and also lack of alignment. There is a series of videos on those issues as well.
The Common Thread
The common thread in all of this is management. The companies that do the best job at internal auditing also do the best job at running their business. Their procedures reflect reality. There are clearly defined methods of job performance. When there are deviations, they are investigated, and if a better way is found they’re adopted, and if not, there is a correction.
The places where the internal audit program is the strongest are the places where the management is committed to continual improvement, and meeting requirements. These are the two fundamental principles of the ISO methodology.
Nothing happens in isolation. I as an auditor, see this all the time.
Feel free to share your stories. I may use one in an upcoming post.