Criteria of Integrated Management Systems Audit

I don’t know about you, but when I have to manage an internal audit system I always have the same concerns:

1. How do I stop losing auditors?
2. How do I convince the departments that I need their time?
3. How do I get the corrective actions closed without threatening the actionee?
4. Why do some auditors hardly ever raise non-conformance reports (NCRs) and others will raise NCRs for a spelling mistake?
5. …And most of all, how do I ensure the audits are completed to schedule and I am not running around trying to get them done before the external auditor arrives?

I have worked in quality management for 20 years in seven businesses across six industries and always see the same concerns. In my experience, there was always extra concern about waste and duplication. For example, whilst my quality department were carrying out our internal audit, the HSE (health, safety and environment) department were also carrying out audits. It was only seven years ago that I started to look at the possibility of implementing Integrated Management System Internal Audits, but we didn’t have an Integrated Management System (IMS) so this couldn’t be done, right? Wrong – there is no reason why you can’t integrate the audits. You also don’t need to have certifications for ISO 9001, 14001 and 45001 – some companies are certified only to one or two of these standards, but it doesn’t mean they can’t internally audit to all three standards if they wish to do so. They will still get the benefits.

What I developed over a period of time was an easy-to-follow, six-step process, which not only manages the requirements of the standards but actually adds some value and takes less time overall for the auditor (including administration) than independent audit systems. As a bonus, the external auditors love it.

Step 1: Train up some employees to be auditors

The training has to be made fun, there is nothing more boring than going through each standard, clause by clause, so mix this up. In some industries there is a requirement for formal training, but often if you can do it yourself you can tailor it to meet your own needs. Initially, I worked with a consultant and we developed a two-day training presentation covering lots of examples of QHSE (quality, health, safety, environment) tools, videos and games that interweaved the clauses. The most important element is to train the IMS audit processes and procedures and then physically audit an area together as a team. Ideally, make sure you are on the list to audit, too!

Step 2: Utilise the audit team to create an audit schedule

The internal audit team are not just auditors, they actually determine the audit schedule. Bring the auditors together at the beginning of the year to discuss all of the departments, functions or processes and determine the risk of potential failure to the business. In the example below (see Figure 1), the audit team agree on the risk to the business based on historical or potential quality and HSE failures/incidents in the area (1 = high risk), which are added together and multiplied by urgency. There are no rules to how you determine priority, you just need to justify it! Again, the team can determine when the audit should be carried out, in which area and by whom (see Figure 2). Straight away you are getting buy in from the team and only one audit a year for each auditor too (depending on the size of your audit team of course). Note – there are no audits planned in January as this month is usually spent planning, and none in December as this is when the Management Review happens.

Figure 1: Audit planning

---

Figure 2: Internal audit schedule

---

Step 3: Audit planning

The planning process is relatively simple and it is not all about reading every procedure that is owned by the area.

The audit checklist needs to be user-friendly and flexible, allowing the auditor to think for themselves. The checklist has two planning pages (see Figure 3) with helpful notes included to ensure correct information is collected. The agenda is pretty standard with timings for opening and closing meetings, and for the audit itself. The auditor will also identify two actions closed from a previous audit in the area to ensure that they are still installed, and will address any other corrective actions that have been raised from non-audit activities.

On the second page, there is a ‘Reminder Sheet’ which allows the auditor to choose three clauses from each of the three standards. This information is taken from a ‘Quality Matrix’ (the matrix is also required for Environment and Health and Safety) identifying the main clauses which are applicable to the particular area that you are auditing (see Figure 4). The point of the matrix is that within the audit schedule, you will need to address all clauses of the standard. The auditor having access to the matrix will be able to see which clauses are mandatory, which are applicable and also which clauses have already been reviewed and to try to choose clauses that have not been reviewed. The idea of the ‘Reminder Sheet’ is that at a very minimum, nine clauses of the standard will be reviewed within the area.

Figure 3: Checklist planning

---

Figure 4: Quality matrix

---

Step 4: Audit

The audit itself is based completely on the common sense of the auditor, which will allow them to observe fully. I have known quality audits being carried out in an area when (for example) document control was the focus, issues would be raised based on document control and the auditor would ignore the fact that there was an oil leak on floor, measuring equipment out of calibration and the operator wasn’t wearing personal protective equipment. What I want from an audit is to ensure that a process is safe and as environmentally friendly as possible. This ensures that the customer is not getting a defective product and we identify opportunities to make it better, for example, raising an issue because we have a spelling mistake in a procedure does not add value to the audit.

The checklist leads the audit process so after the ‘Opening Meeting’ the auditor will have a whistle stop ‘Process Tour’ of the process with the host to flowchart the process. This should take minutes and should quickly identify three or four process steps that would be useful to explore in more detail. Ideally, the process steps should be a good sample of the areas that are critical to the performance of the area.

After choosing the process steps, the auditor will spend time gathering information ensuring that ‘Items Checked’ are documented. This includes the ‘Evidence’ to identify whether the process is OK and utilise the opportunity to ask why a lot. Who is the person that you should audit (the auditee)? It should be the person who is carrying out the process on a daily basis, try not to have the supervisor/manager over your shoulder otherwise the answer will be what they want to hear and not reality. You need the auditee to be comfortable with you and always gather the evidence for any issues or improvements identified. Remember, there are nine clauses to review from the ‘Reminder Sheet’ as well as the corrective actions identified from previous audits etc. The auditor may identify a concern but may not be sure whether it is a non-conformance or just an observation, but this is not important at this stage. This can always be identified after the audit has been completed and to which clause in the standard it pertains to. Obviously, these concerns will have been identified during the audit and finalised to the owner of the area at the ‘Closing Meeting’. I don’t want to go through the detail of how to audit as there are plenty of books on the subject but I do want to stress that the audit has to be based on common sense, not to be just pigeon-holed into quality, or environment, or health and safety.

Step 5: Audit report

Once the audit is completed you may want to type up the checklist, but my advice is don’t do it! This duplicates work and the external auditor likes to see evidence that this is an actual audit and not something that has been made up last minute to satisfy the completion of the audit schedule! Just scan the document and keep it as part of the record (see Figure 5).

Figure 5: Checklist implementation – process flow and audit

---

The audit report can often be lengthy and a regurgitation of the checklist, but that really doesn’t need to be the case. The report should be a short, concise document providing the key facts (NCRs, observations, improvements) as well as capturing the main evidence of what was looked at during the audit. It should include a summary that is an honest reflection of the area audited.

Send a copy of the audit report along with individual corrective action reports for the NCRs, observations and suggested improvements to the owner of the area, and copy in the manager of the owner. It’s important that you get ‘buy-in’ from the beginning and keep copying in the manager to ensure fairness when following up on completion of Corrective Actions, as escalation may be necessary.

Figure 6: Audit report

---

Last step: Audit review

Remember Step 2 where we created an audit schedule as a team in the January review meeting? We will continue the meetings for the rest of the year (until November) and with good facilitation skills, each one should take about 30 minutes. This is a great opportunity to learn from each other.

Aims of the review:

• Feedback on any external audits that may have happened since the last meeting.
• Chat through the audit carried out in the previous month (provided by the auditor) with feedback provided by the rest of the audit team (opportunity for improvement).
• Review schedule and ensure availability of the planned auditor, offer of help (even to co-audit) for the more inexperienced auditors.
• Review gaps in the quality, environment and health and safety matrices.
• Review status of corrective actions.

Final note

This is a process that has worked very well with the businesses that I have worked for, but I don’t pretend that this will work for all businesses or industries. I will only implement this process if there is a need and if the current process is not working. It’s easy to follow and just requires common sense.

Attribute to original publisher/ publishing organization: Alan Grogan, CQP MCQI, is Head of Quality at Nuvia. https://www.quality.org/knowledge/common-sense-approach-internal-ims-audits