The very nature of the word ‘audit’ conjures up images of an inspector, policeman or even judge. No matter how much positive spin is placed on the audit process, the perception from the auditees’ perspective is often that the auditor is focussed only on finding faults.
However, whilst remaining cognisant of the need to verify and ensure legislative compliance using the audit process, a well-managed audit can achieve so much more than simply a verification of activities.
The success of an audit program can often be traced back to the audit schedule itself. Most organisations with documented management systems have some form of audit schedule detailing which areas are to be audited and when audits are to take place. Audit schedules vary depending on the management system scope. A common misconception, however, is that audits only take place on an annual basis, and many organisations take a simplistic approach by requiring that all elements of the management system be audited once a year. This often results in a single whole-of-system audit repeated annually, in which all aspects of the system receive the same level of attention, and typically a ‘tick and flick’ approach develops which provides little true value to the organisation. Such a compliance-check approach results in each audit becoming simply an extension of the previous one, and rarely identifies the true effectiveness of the management system being audited, or indeed the opportunities for continual improvement.
With the implementation and standardisation of Annex SL in the recent revisions of ISO 9001:2015 Quality Management Systems and ISO 14001:2015 Environmental Management Systems (and in all probability, the upcoming ISO 45001 Occupational Health and Safety Management Systems) there is a degree of consistency regarding audit requirements.
Both ISO 9001:2015 and ISO 14001:2015 in clause 9.2.2 require that organisations establish, implement and maintain an internal audit programme, including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits; together with consideration of the importance of the processes concerned, changes affecting the organisation, and results of previous audits.
This implies that it is not sufficient to simply state that audits will take place on an annual basis, but rather that consideration needs to be given to the areas to be audited, as well as the status of the organisation as a whole, together with results of previous audits. Consideration of the importance of processes should include risk to the organisation in its broadest context relating to health and safety, environment and quality, dependent on the scope of the system. (The addition of risk to ISO 9001 means that organisations need to address risks to the quality of their products or services and also include this within the audit process.)
This approach should result in areas of higher risk being audited more frequently, whilst lower-risk areas are audited less frequently. In health and safety systems this may result in high-risk activities such as working at height being audited every six months, whilst consultation and communication may only be audited every two years. Within the ISO 9001 space, higher-risk ‘quality’ activities to be audited more frequently could include procurement, customer-facing processes or non-conformity of product or services. With these higher-risk activities being audited on a more frequent basis, there is opportunity for the audit to become a real learning process.
Utilising a specialist independent auditor with a full understanding of the relevant subject areas will also add value to the audit process by bringing objectivity, rather than simply focussing on what was raised 12 months prior to each audit and treating it largely as a compliance checking exercise.
Please contact QRMC for more information.