SAI Global Webinar: Tips for Effective Internal Auditing

Live Webinar
Tips & Techniques for
Managing an Effective Internal
Auditor Programme
July 28th, 2017
2pm BST
1

Presenter
• 25-year veteran with SAI Global
• Master’s degree in polymer chemistry from Long Island University and a
bachelor’s in biochemistry from Manhattan College
• Areas of specialty include ISO 9001, ISO 14001, ISO/TS 16949, IATF 16949
and OHSAS 18001, as well as process improvement techniques
• Exemplar Global certified Lead Auditor for Quality and Environmental
Management Systems, Automotive Industry Leader. Expertise in developing
and implementing integrated management systems
• Coaches clients in all aspects of developing, implementing and integrating
management systems, and provides services that range from training and
consulting support to leading internal assessment teams
Carmine Liuzzi
Industry Leader
Learning & Improvement Solutions
2

Webinar Objectives
• Why Do We Audit?
• Discuss the enhanced requirements for the Internal Audit process and
Auditors in the revisions to ISO 9001:2015, ISO 14001:2015 and IATF
16949:2016
• Audit program management considerations
• The Importance of Leadership Support for Audits
• Value-Added Nonconformity Statements
3

Why We Audit #1
We audit to confirm conformance of the organisation’s management
system to applicable standards.
We do not audit to find and report nonconformities as our primary
objective.

Why We Audit #2
Nonconformities are not bad
• Individuals should not be penalised if nonconformities are found in
their area during an audit
• Nonconformities are the method our processes use to focus
attention on a potential weaknesses in the process

6
The Cornerstones of a Management System
Management Review
Corrective Action Internal Audit
Management
System

1st Party – We audit ourselves
2nd Party – We audit our suppliers
3rd Party – Customer’s subcontractor or certified
body audits us (e.g., SAI Global, DNV, TUV)
Why We Audit - Management Systems 7

Reasons for Internal Audit (1st Party)
• Satisfy management system requirements
• Detect and correct problems prior to external audits
• Ensure effective quality system implementation
• Identify improvement opportunities
8

Reasons for Supplier Audit (2nd Party)
• Quality system requirements imply the need
• Provides input to selection, grading, and approving suppliers
• Helps to improve supplier’s management system
• Increases mutual understanding of requirements (quality,
environmental, health and safety, regulatory)
• Leads to “supply chain tuning” towards JIT, TQM, etc.
• Communication of goals, objectives and critical business
issues (Risk Identification and Mitigation)
9

Reasons for Certification Audit (3rd Party)
• Reduce the need for 2nd party audits
• Establish minimum standards met by companies
• Gain recognition of conformance with internationally
recognised standards
• Reduce avoidable costs to purchasers and suppliers
• Increase company’s market competitiveness
• Contractual requirement
10

Auditing Management Systems
We audit to:
– Confirm MS arrangements comply with organisational requirements,
both internal and external (intent)
– Assess that the stated requirements are being used (implementation)
– Evaluate that processes and procedures represent the most effective
method of control (effectiveness)
Provide a service to the auditee
11

Section 9: Performance Evaluation
9.2 Internal Audit (ISO 9001 & ISO 14001)
– Program in place to ensure internal audits are conducted at planned
intervals
– Internal audits conducted by competent personnel
– Define criteria and scope for each audit
– Internal audits must be conducted at planned intervals to provide
information on whether the management system conforms to:
• the organisation’s own requirements for its management system
• the requirements of the Standard
• the MS is effectively implemented and maintained
– Take appropriate correction and corrective actions without undue delay
– Audit program outcomes used as input to management review

9.2 Internal Audit (IATF 16949:2016)
– Documented internal audit process that covers the entire QMS including
QMS, Manufacturing Process and Product audits
– Audit program based on risk, process criticality and internal and external
performance trends
– Software development capability assessments included where
applicable
– Audit frequency will be reviewed and adjusted based on changes,
nonconformities, customer complaints, etc.
– Effectiveness of program reviewed at management review

9.2 Internal Audit (IATF 16949:2016 continued)
– All QMS processes are audited over each three-year calendar period
according to an annual program
– Process approach used during audits
– All manufacturing processes are audited over each three-year calendar
period. All shifts audited. Verify process documents (i.e. PFMEA, control
plans, etc.)
– Products audited using customer-specified approaches at appropriate
stages of production and delivery
Has the organisation implemented an internal audit program that
meets the needs and scope of the organisation’s operations?

Clause 5 - Leadership Requirements
5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to
the management system by:
– Taking accountability of the effectiveness of the management system
– Ensuring that the policy and objectives are established for the
management system and are compatible with the strategic direction and
the context of the organisation
– Ensuring that the policy is communicated, understood and applied within
the organisation
15

• Ensuring the integration of the management system requirements into the
organisation’s business processes
• Ensuring that the resources needed for the management system are
available
• Communicating the importance of effective quality and environmental
management and of conforming to the management system requirements
• Promoting awareness of the process approach and risk based thinking
(ISO 9001)
16

• Ensuring that the management system achieves its intended results
• Engaging, directing and supporting persons to contribute to the
effectiveness of the management system;
• Promoting continual improvement
• Supporting other relevant management roles to demonstrate their
leadership as it applies to their areas of responsibility.
17

Much Broader Reach - Management of Change
Management of change is addressed in various requirements of the
Standards including:
• Maintaining the management system (see 4.4)
• Environmental aspects (see 6.1.2)
• Contingency Planning (6.1.2.3)
• Planning of changes (see 6.3)
• Internal communication (see 7.4.2)
• Operational planning &control (see 8.1)
• Control of changes (see 8.5.6, 8.5.6.1, 8.5.6.1.1)
• Internal audit program (see 9.2.2)
• Management review (see 9.3)
• Nonconformity & corrective action (see 10.2)
18

Audit Program Management
Involves a number of tasks including:
– Develop Schedule of Audits
– Define Objective, Scope & Criteria for each Audit
– Assign Audit Team
– Define Audit Method

Audit Program Considerations
Audits may be scheduled based on a number of factors
– Cost
– Regulatory requirements
– Customer feedback
– Risk
The audit program should be tailored to meet the specific
needs, resources and culture of the organisation
A program or schedule has a number of benefits:
– Enables audits to be planned
– It identifies resources required
– It allows areas of risk to reviewed and managed

21
Additional Considerations
• Trends in current performance
• Internal failures or other cost data
• Number, importance and complexity, similarity of the activities or
processes to be audited
• Results of previous audits and/or postmortem on earlier programs
• Language, cultural and social issues
• Significant changes to the organisation or its operations
• Areas with excellent performance - what can we learn?

Explanation:
– Documented process to verify auditor competency. Maintenance &
improvement of auditor competency must be demonstrated (minimum
number of audits, etc)
– Core competencies include: risk-based thinking, process approach,
customer-specific requirements, core tool requirements, plan, conduct, and
prepare reports and close out audit findings, knowledge of standards
Section 7 - Support
• 7.2.3 Internal auditor competency
• 7.2.4 Second-party auditor
competency

Auditor Personal Behaviours
Auditors should be
Ethical Decisive
Open - Minded Self - Reliant
Diplomatic Act with Fortitude
Observant Open to Improvement
Perceptive Culturally Sensitive
Versatile Collaborative
Tenacious

24
What are the Objectives of the Audit Program?
• Management priorities (think business objectives!)
• Marketplace objectives
• Management system requirements
• Statutory, regulatory and legal requirements
• Customer requirements
• Needs of other interested parties
• Evaluation of risks facing the organisation and established control
effectiveness

Audit Frequency
• Areas which are critical to the long-term success of the business are
audited first and the most frequently
• Consider:
– Maturity
– Effective performance
– Consequences to the business

AUDIT PROGRAM
SCOPE SCHEDULED MONTH
PROCESS/
PROJECT
J F M A M J J A S O N D
ORDER FULFILLEMT C
ABC PROJECT C F
PROCUREMENT
EQUIPMENT
MAINTENANCE C
HUMAN RESOURCES
DESIGN /
DEVELOPMENT
RECEIVNG
SCHEDULED F = FOLLOW UP C = CONDUCTED
REVISED MARCH
Audit Program

Internal Audit Process
Six Stages for planning and conducting an internal audit:
1. Initiating the audit
2. Prepare for the audit
3. Conduct the audit
4. Prepare & distribute the audit report
5. Complete the audit
6. Conduct audit follow-up

Audit Planning & Preparation
Each audit on the schedule must have the following information
defined:
• Objective - defines the goals for the audit
• Scope - defines the extent and boundaries of an audit
• Criteria - stated requirements i.e. what you are auditing against

Audit Strategy
Human
Resources
Management Quality
Assurance
Maintenance Purchasing Scheduling
& Planning
Research &
Development
Production Order
Fulfilment
New Product
Development S S S PO S
Supplier
Qualification S PO S
Customer
Satisfaction S S S PO
Material
Review
Board
PO S S S
Strategic
Planning S PO S S S S S S S
Employee
Communicati
ons
PO S S S S S S S S
Calibration
PO S S S
Training Plan
Development PO S S S S S S S S

30
Using a Process Approach
• Once identified, an organisation can ensure its processes are effective
(the right process is followed the first time), and efficient (continually
improved to ensure processes use the least amount of resources)
• Using this approach will aid understanding of how the organisation is
structured at a strategic level
• Helps to identify areas of duplication e.g. configuration management (who
decides), customer interface (who is responsible)
Knowing how an organisation works is key to making it work better.

A desired result is achieved more efficiently when activities and related resources
are managed as a process
PROCESS
“set of interrelated or
interacting activities
which transforms
inputs into outputs
Input Output
CONTROLS
Product
Process effectiveness
Extent to which planned activities
are realised and planned results
achieved
Process efficiency
Relationship between the
result achieved and the
resources used
Process Approach
People/Equipment
/Material
31
RESOURCES

Audit Strategy
VERTICAL
HORIZONTAL
UPSTREAM
DOWNSTREAM
32

Audit Strategy - A Model
DOWNSTREAM
Sales
Design
Purchasing
Operations
Quality
Shipping
Customer
enquiry
“Are they working?”
UPSTREAM
“Do we have procedures in
place?”
33

Process Requirements
Inputs
(Receive what?)
With What?
(Materials / Equipment
How Many?
(Measurement / Controls?)
How?
(Methods/Procedures?)
WHO?
(Special Skills? / competence?)
Outputs
(Results?)
Process
Linkages
Objectives
and Targets
Business Process
34

Work
Document -
Process
Checklist
Controls
How is the process defined?
Who is responsible for the process, & how is their
responsibility & authority defined?
What statutory & regulatory requirements apply?
What are the customer requirements, & how are these
defined?
What are the product/service specifications & how are
these defined?
What objectives & targets are relevant to this process?
What controls/checkpoints are there?
What acceptance criteria exist?
Effectiveness Checks
Is the process meeting its defined purpose?
Where will the impact of the effectiveness of the
process by felt?
Where might failures of this process be
identified?
How does it impact upon:
The customer?
Downstream processes & activities?
Is there evidence that quality objectives &
targets affected by this process are being
achieved?
Mechanisms
Equipment:
What equipment & resources are required to
complete the process?
Is equipment suitable & maintained?
People:
What are the competence requirements for
the activities?
Is there evidence that people are suitably
trained?
Inputs
What triggers the process?
What inputs are required?
Information
Materials
Where do the inputs come
from?
Are they received in a timely
manner?
Are they fit for purpose?
Process
What are the process steps?
What happens at each process step?
What documents &/or records are generated?
Is the process implemented as described in procedures,
instructions or plans?
Are controls applied as described?
Have the activities been carried out by the responsible
people?
Outputs
What is the product or service
produced by this process?
Are product measures in place to
ensure that product meets
requirements?
How are processes measured?
Are product & process measures
achieved?
What feedback is received from
internal or external customers of
the process?

Audit Methods: On-site vs. Remote
Extent of Involvement
Between the Auditor and
the Auditee
LOCATION OF THE AUDITOR
On-site Remote
Human Interaction  Conducting interviews
 Completing checklists and
questionnaires with auditee
participation
 Conducting document review with
auditee participation
 Sampling
Via interactive communication means:
 Conducting interviews
 Completing checklists and
questionnaires
 Conducting document review with
auditee participation
No Human
Interaction
 Conducting document review (e.g.
records, data analysis)
 Observation of work performed
 Conducting on-site visit
 Completing checklists
 Sampling (e.g. products)
• Conducting document review (e.g.
records, data analysis)
• Observing work performed via
surveillance means, considering
social and legal requirements
• Analysis of data.

Audit Findings
Conformity = fulfillment of a requirement
- identification of the requirements or audit criteria
against which conformity is shown
- audit evidence to support conformity
- declaration of conformity, if applicable
Nonconformity = non-fulfilment of a requirement
- description of or reference to audit criteria
- nonconformity declaration
- audit evidence
- related audit findings, if applicable

Other Relevant Categories of Audit Findings
Observation - Situation which exists and attention should be given to
reduce the potential of failure or improve the process.
Opportunity for Improvement - Is a situation where the evidence
presented indicates a requirement has been effectively implemented but
based on auditor experience and knowledge, additional effectiveness or
robustness might be possible with a modified approach.

There is a nonconformity when
The system does not conform with the
intended requirement, e.g. system
manual, procedures, etc. do not exist or
are inadequate
Implementation of the system is not
effective to achieve intended results
Implementation does not correspond
to the intended requirement or
management system
Intent
Effectiveness
Implementation

Customer contract or agreement
Organisation’s system or procedure
Management System criteria
Other relevant criteria
Nonconformity vs. Noncompliance
A failure to meet a
specified requirement
Nonconformity
Noncompliance
Failure to meet a
regulatory requirement

Basic Elements Of A Nonconformity Statement
1. Source of requirement (e.g. procedure ref. quality manual ref. clause
of standard, position of person responsible who has made an oral
statement of requirements etc.)
2. The requirement (e.g. relevant excerpt of procedure, quality manual,
clause of standard, content of oral statement etc.)
3. Source of the evidence that conflicts with the requirement (e.g. identity
of record(s), process identity, position of person responsible providing
an oral statement of nonconformities etc.)
4. The actual evidence which conflicts with the requirements (e.g.
relevant excerpt of record(s), examples of process, content of oral
statement etc.)

Value-Added Nonconformity Statement
• On January 23 at 6:45 AM, line 3 was manufacturing product 123 for
Big Corporation. Line was set up using product 123 specification
revision C.
• A check of the specification revision level for product 123 indicated
that revision D is the current level.
• ISO 9001:2015 . Clause 7.5.2
Consequence to the Operation
– Due to Line 3 manufacturing to the incorrect revision,
the following additional costs were incurred:
• $10,000 – nonconforming material
• $3,000 – equipment cleanup / downtime
• $1,000 – raw materials
• $400 – expedited shipments (raw materials, customer)
• $200 – overtime
• Total cost of nonconformity - $14,600

Preparing the Audit Report
The audit report should provide a complete, accurate, concise
and clear record of the audit, and should include or refer to the
following:
• The audit objectives
• The audit scope
• Identification of the audit client
• Identification of audit team leader and members
• The dates and places
• The audit criteria
• The audit findings
• The audit conclusions

Conclusions
• Used properly, internal audits are a critical component of the organisation’s
performance evaluation methodology
• Provides an objective evaluation of the current state of the management
system to Leadership
• Recognises good practices as well as identifying opportunities for
improvement
• Opportunity for best practice sharing and education
• Internal audit can be an effective communication tool to raise the visibility of
the consequences of the nonconformities to the organisation
44

SAI Global
• SAI Global was founded in 1922
• Largest registrar in North America, 14,000+ sites / 60,000+ globally
• Draws on deep global experience and footprint, with 2,000 employees in 29
countries and 51 locations across Europe, North America and Asia
• Both local and global resources: 500 Auditors within North America and 1,600
Globally
• Delivers audits by global accreditation bodies such as JASANZ and ANAB
• Accredited to deliver audits and certify organisations against a wide range of
international standards
• Conducts supplier audits against a wide range of custom standards as well as
supply-chain management solutions
• Provides training via public courses, online, in-house as well as customised
training when requested

Assurance Services – Auditing & Certification
Quality Management
System
• ISO 9001
• IATF 16949
• AS 9100, 9110, 9120
• ISO/IEC 17025
Environmental
Management System
• ISO 14001
• Responsible Care® -- RC
14001® & RCMS®
• ISO 50001
• BAN e Stewards®
• Responsible Recycling®
(R2)
• Recycling Industry
Operating Standard®
(RIOS)
Health & Safety
Management System
• OHSAS 18001
• ISO/DIS 45001:2016
Medical Devices
• ISO 13485
• MDSAP
Food Safety
• BRC
• ISF
• FSSC 22000
• HACCP
• GlobalG.A.P.
• ISO 22000
• Gluten Free
• Animal Welfare
• SQF
Seafood
• Global GAP Standards
• Global Aquaculture
Alliance BAP Standards
• ASC Standards
• ASC Chain of Custody
• MSC Chain of Custody
Packaging
• BRC Packaging
• IFS PACSecure
• FSSC 22000
• SQF
Forestry
• FSC
• SFI
• PEFC
• CoC
• CAN/CSA Z809
• CERTIFOR

• Public training (classroom)
• On-site training / In-house training
• eLearning courses
• Free Webinars & Other educational resources

Public Training Courses for ISO 9001:2015:
• Preparing for the Transition to ISO 9001:2015
• ISO 9001:2015 Lead Auditor
• ISO 9001:2015 Internal Auditor (2 day and 3 day)
• ISO 9001:2015 Foundation
• Implementing a Quality Management System ISO 9001:2015
• Auditing a Quality Management System ISO 9001:2015

Public Training Courses for ISO 14001:2015:
• Preparing for the Transition to ISO 14001:2015
• ISO 14001:2015 Lead Auditor
• ISO 14001:2015 Internal Auditor (2 day and 3 day)
• Implementing a Quality Management System ISO 14001:2015
• Auditing a Quality Management System ISO 14001:2015

Public Training Courses for IATF 16949:2016:
• Transitioning to IATF 16949:2016
• IATF 16949:2016 Certified Internal Auditor
• IATF 16949:2016 Certified Lead Auditor
• Quality Core Tools Training
• Measurement Systems Analysis
• Advanced Product Quality Planning & Control Plan
• Failure Mode Effect Analysis
• Production Product Approval Process
• Statistical Process Control

eLearning course topics:
• Root Cause Analysis
• Lead Auditor Training
• Internal Auditor Training
• Auditing a Quality Management System
Benefits of online learning:
 Convenient
 Cost effective
 Flexible

Q&A & more information
Submit via the Question and Answer box located in
the top right of your screen
Let us know your area of interest in the post-webinar
Questionnaire.
information@saiglobal.com

SAI Global Webinar: Tips for Effective Internal Auditing

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to SAI Global Webinar: Tips for Effective Internal Auditing

Similar to SAI Global Webinar: Tips for Effective Internal Auditing (20)

More from Switzerland09

More from Switzerland09 (10)

Recently uploaded

Recently uploaded (20)

SAI Global Webinar: Tips for Effective Internal Auditing