What are some of the best practices for conducting a quality audit?

Begin by clarifying the purpose of the audit. Is it a routine quality audit, a compliance audit, or a specific process audit? Determine the driving factors behind the audit, such as regulatory requirements, management requests, or identified risks. This understanding will help shape the audit scope and objectives.

Defining audit objectives and scope is NOT the first step. The first step is to review previous audit findings. Only when you know where the swamps are can you design an effective audit using the right people with the relevant expertise. If someone wants you to go in blind, that's a signal to be cautious.

Maybe I’m too far in the weeds with my comment but… the purpose of standards is so that you don’t have to banter on “best practices”. This article is based on the principles and guidelines of ISO 19011. Want to know my thoughts on best practices… follow ISO19011. Which has step 1 as “Establish audit programme and objectives”. It “feels” like the Quality profession is drifting away from “standards” and moving more towards “best practices”. Let’s follow the standard and if we are not getting the desired results, change the standard. Remember this thing called P-D-C-A? It’s not BP-D-C-A (BP=best practices).

Plan the Audit Define Clear Objectives Gather Relevant Information Select Competent Auditors Use Standardized Checklists or Criteria Communicate Expectations Opening meeting evidence collection Follow Impartiality Allow free communication Immediate documentation of evidences provide Honest feedback Follow up on report Keep confidentiality on report and auditee. Plans for continuous improvement

I disagree with Charlie "Doc" Martin above (and welcome rebuttal). Audit scope must come before anything else in order to know what we're looking at. If I'm auditing the Management Review process, there's no point reviewing the registrar's audit findings against Sections 7 & 8. The auditor's purpose is not to "clean the swamp" but to objectively assess the compliance and effectiveness of whatever is in scope. Looking for the swamp sounds more like fault finding than value-added auditing.

Audit Team Selection: 1. Identify individuals with relevant expertise and knowledge in the area being audited 2. Consider including members from different departments or functions to gain diverse perspectives 3. Ensure the team has a good understanding of audit principles, standards, and methodologies 4. Assign team members based on their skills, experience, and ability to work collaboratively Audit Criteria Selection: 1. Determine the specific criteria or standards. 2. Tailor the criteria to the objectives and scope of the audit 3. Use a combination of quantitative and qualitative criteria for a comprehensive assessment 4. Align the criteria with the organization's goals and objectives.

Start by defining the skills and expertise needed and then identify potential team members within your organisation or external resources who possess the required skills and expertise. Make sure your audit team encompasses a mix of skills, experiences, and perspectives. Consider including both senior and junior team members to facilitate knowledge transfer and mentorship opportunities. Aim for a team that can work cohesively and complement each other's strengths.

Audit team selection requires many considerations. Sector specific knowledge QMS related knowledge Organizational knowledge Auditing skills Attributes of the person Qualification and training Based on these auditor selection criteria can be set. One very important consideration is that one cannot audit one's own work. So while planning this has to be considered

- Thoroughly review the governance documentation like policies, SOP, etc. to understand the sampling requirement, exception extrapolation process, etc. - Compare with relevant ISO to understand the discrepancies. - Request for past trends in quality issues and details of root cause analytics (RCA) and Corrective Action and Preventive Action (CAPA) details. - Review Compliance to policies and processes for samples.

There is a big difference between giving the actual list of specific questions and allowing clients/ auditors to preselecte the objective evidence to be reviewed during an audit Vs giving them an honest & accurate schedule covering all the topics to be reviewed. It is up to the auditor to make sure the sample data is selected either at random or as needed to follow audit trails from previous questions. We shouldn't be in the business of writing NCRs as much we should be focused on ensuring we deliver a fair assessment & evaluation of the current QMS/EHS/Etc. health status.

I personally use checklists extensively and I complete one at the preparation stage of an audit. This is where I capture my observations from the review of the documents and items I would like to check and/or discuss further with the people I am interviewing during the audit when applicable. I keep updating the checklist during the audit and I look through it before the close-out meeting/end of the audit to make sure I have addressed all points under consideration.

@ Don Bowes: I support sharing the audit checklist with auditees, but we may be applying different definitions. If the checklist includes all of the specific questions that the auditor will ask, I prefer not to go that far. But I do provide detailed scope, objectives and criteria so that appropriate auditees are available. I summarize the audit checklist by with 5 basic questions: 1) How does this process work? 2) How do you know that the inputs to this process meet requirements? 3) How do you know that the output of this process meets requirements? 4) How do you know that the customer of this process is satisfied? 5) Is there anything that can be improved in this process? That summarizes a process-based audit.

An audit checklist can help keep the audit focus within the identified scope. However, process audits can have some areas of overlapping with other processes, such as employee competency. Some flexibility needs to be given to the audit checklist and audit trials should be followed while not going too far "into the weeds". When developing the audit checklist, process interactions should be taken into consideration and try to schedule the audit when there will be the best opportunities to observe the process in action. Not on processes operate on a consistent or routine basis. Make sure to take note of areas of exceptional compliance to include it in the audit report and not focus only on the areas of nonconformance.

My top three recommendations are: - Stay focused and gather evidence thoroughly. Follow a systematic approach to collecting evidence through document reviews, interviews, observations, and data analysis. Ensure that the evidence is reliable, verifiable, and representative of the audit purpose. - Be professional and flexible. Demonstrate integrity, respect, and professionalism when interacting with auditees and stakeholders. Be prepared to adjust the audit approach and priorities when things don't turn out as planned. - Interviews: Create a comfortable and non-confrontational environment to encourage open and honest communication. Use techniques like active listening, asking open-ended questions, and seeking clarification when needed.

Be objective as possible - Make sure that the audit team who conducts the audits are non-biased. For the best QA, it’s important to think outside of the box about the problem and task at hand and to be as unbiased as possible.

I disagree that the audit leader should have the responsibility to follow up and verify implementation and effectiveness. This steps far outside the purview of an auditor. It is and should remain firmly the responsibility of the process owner to implement corrective action and verify its effectiveness. An auditor should audit, not babysit.

All modern “management systems” are built on the P-D-C-A approach. The auditing approach should follow: 1) Plan: What are the requirements of the system, process or products? How is it supposed to work or function? What are the expectations? 2) Do: Review objective evidence that the system, process or product is achieving it requirements, specification or expectations. 3) Check: All processes should have measures / metrics to evaluate efficiency or effectiveness. How are they performing and are they meeting their objectives? 4) Act: Are we correcting when we are not achieving targets or objectives, are we reacting to nonconforming outputs or are we using the data of measures and metrics and driving improvement?

Audit reporting and follow up on results is one of the critical part of a successful audit. It depends upon the auditor capability and willingness of the supplier to address and resolve issues without the need for escalation.

This is an area internal audits fail on the most. Corrective actions often aren't done at all or the team fails to do a proper RCA to ensure the root causes are addressed. If actions aren't properly resolved, the audit was a waste of time. If you are starting in a site with high levels of non conformity, it can help to work first on the most serious issues, using recognised RCA techniques and agreeing as a team when the issues are closed. I'd also build in action review into the drumbeat of your site, not a separate meeting so resolution stays high on the agenda.

In terms of conducting the audit itself, the audited needs to work to give you the information you need. I always tell my auditees ‘Tell me the story of how you get to B from A, the more talking you do, the faster I will learn your system’ I’d also add that opening and closing meetings are vital to lay the ground of the audit and finalise results.

You also need to define your questions with examples in a quality standards definition document that is readily available for all to read. This document must be kept up to date as well.

Compliance audits have their place and time however in an established management system they aren't as valuable as process performance audits. Audits need to not only evaluate the process in terms of compliance to requirements but in terms of actual performance. Focusing on process performance (efficiency & effectiveness) and identifying the compliance gaps that are causing the poor performance is more valuable to a business than a simple compliance audit.

The basics of all QMS audits(unless stated elsewhere like IT, Energy, Food...) lies in the heart of ISO 19011. While best practising we should not forget originating

Audit practices are essential for ensuring the accuracy, integrity, and effectiveness of organizational processes. One key aspect is establishing clear objectives before initiating any audit. Defining the purpose and scope of the review helps align audit efforts with organizational goals and ensures meaningful outcomes. Thorough planning is vital for success, requiring a detailed audit plan with specific timelines, resource allocation, and methodologies, considering relevant regulations and standards. Understanding and prioritizing risks enable audit teams to focus efficiently, identifying vulnerabilities or compliance issues needing attention.