AS9100 for Smart People - Internal Audit Planning

Introduction

In 18 years of auditing, I don’t think I have yet to see an internal audit plan that works for an organisation. I’m not saying they aren’t compliant with the requirements, but I question the effectiveness of the audit planning process itself. Is the way an organisation is planning their audits giving benefit to the clients' management system?

I would lay good money on saying 90% of the internal audit plans/schedules/programmes seen by external auditors identify a full system internal audit a month or so before the external assessment. Yes, this is probably good at catching some of the things which have not been done as required but is it just paying lip service to the requirement of the standard? Is the internal audit process adding benefit to the management system and organisation?

Audit Programme Vs Audit Plan

Firstly, technically it’s an audit programme not an audit plan. There is actually a difference; an audit programme sets out the cycle, processes, frequency etc, an audit plan is more focused on the specific audit being performed, what exactly is the audit going to cover? If you think of it from a Certification Body perspective then we follow the same type of requirement. We set out a 3-year programme of what we are going to cover and on what visit, we then issue an audit plan for each visit giving the detail of what will be covered and at what times of the day(s), etc. Client organisations should consider the same practice.

Now, when it comes down to the frequency of audits, I feel this is the main weakness. Everyone does a full system internal audit just before the external Certification Body assessment, which is possibly not beneficial to most organisations. Although this next part is a little bit contentious, there is nothing that states you need to cover every part of the system every single year. There is an argument in the certification industry about how you know your system is effectively implemented (9.2.1b) if you are not checking it yourself through internal audits. However, there are possibly other measures which can demonstrate some elements of the management system. Have you received client complaints against specific processes? Do you have internal issues against specific processes? Are you hitting your KPIs against specific processes? All of these factors could potentially be used to demonstrate the system effectiveness, but you would need to justify this based on factual evidence and thinking.

I am not saying that you can use that to justify no internal audits at all but you need to put a programme in place which reflects the business and system needs based on factors including risk.

What is the Standard Asking?

On performing internal audits, the standard states:

9.2 Internal Audit

9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system;

a. conforms to:

1. the organization’s own requirements for its quality management system;

NOTE: The organization’s own requirements should include customer and applicable statutory and regulatory quality management system requirements.

2. the requirements of this International Standard;

b. is effectively implemented and maintained.

NOTE: When conducting internal audits, performance indicators can be evaluated to determine whether the quality management system is effectively implemented and maintained.

9.2.2 The organization shall:

a. plan, establish, implement, and maintain an audit program(s) including the frequency, methods, responsibilities, planning requirements, and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;

b. define the audit criteria and scope for each audit;

c. select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d. ensure that the results of the audits are reported to relevant management;

e. take appropriate correction and corrective actions without undue delay;

f. retain documented information as evidence of the implementation of the audit program and the audit results.

What does it mean?

I am not going to go into every clause of this requirement as they are self-explanatory; however, there are some key elements you should think about when setting out your audit programme. The first is 9.2.1a1, which states you need to perform your audits in line with customer or regulatory requirements. If your customer states you need to perform specific internal audits then you shall do them as required. They may put into their contract with you that you need to perform internal audits of the full system at least once a year or every quarter, or do product-based audits against their own products. Read the terms and contracts and do as the customer (or regulators) require; they are the god in all of this. This clause is often overlooked when setting out the audit programme.

The next part to consider is 9.2.2a, which is the main element of the audit planning process that organisations jump to. The wording “which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits” is the specific element that I feel is not implemented effectively by just doing a full system audit before the external assessment.

  • Importance of the processes concerned
  • Changes affecting the organisation
  • Results of previous audits

Importance of the processes concerned

This is asking you to think about all of your processes and think about how important they are on the overall management system. For example, you could have a process called training within your management system and only 5 employees who have been doing the work for 15 years and the overall processes being performed by those employees are quick to learn. You could possibly determine that this is a low-risk process on the overall effectiveness of the management system. Maybe this is something you do not need to audit as frequently?

On the other hand, you could have lots of new employees coming into the organisation and lots of training taking place over the next 2 years. Maybe we need to audit the process once every 6 months for the next 2 years to ensure the process is working effectively. You may also consider the key processes as important to the overall effectiveness of the management system; you may consider auditing these more often as they have the greatest impact on the quality and service.

Think Risk-based thinking!

Changes affecting the organisation

This is actually one of my favourite topics of the new standard (read clause 6.3). The question to ask yourself here is: have you got any processes within the organisation where there are currently a lot of changes taking place? Maybe you have added a new process, maybe there are a lot of new employees coming into the business, maybe you are entering a new market?

You may have a process which has not changed for 10 years and the same employees have been doing that process for all of that time?

The changes do not necessarily need to be internal changes, there could be changes relating to the context of the organisation (clause 4.1) or the interested parties (clause 4.2). Maybe your customer has recently been acquired by another organisation, are there new requirements being flowed to you as a result of the new management team or structure? Maybe new legislation is being introduced in the industry sector which your organisation needs to implement?

Think Risk-based thinking!

Results of Previous Audits

This one is almost self-explanatory, but don’t just think about internal audit results; consider 3rd party audits such as those received from your Certification Body and even customer audits. Have you got some areas where you had major non-conformances previously? You could consider auditing these processes more often, at least for the next year or so until you are comfortable the process is now stable and compliant.

In the aerospace scheme standard (AS9100, AS9120, AS9110), if an organisation receives repeat non-conformances then your auditor will raise two non-conformances. You not only receive a non-conformance against that specific process failure, but you also receive another non-conformance for ineffective corrective actions. The auditor should not have raised the same issue twice so your corrective action process is not robust. One of the considerations for your audit programme and also the effectiveness of corrective actions is how are you determining that they are effective actions? Maybe you should be auditing those areas more often to ensure that what you said you were going to do to correct the issue you have done? Is your auditor raising the same non-conformance that you have previously raised in your own internal audits?

Think Risk-based thinking!

Conclusion

Hopefully, the above information has highlighted some elements of the standard which have possibly been overlooked or not fully appreciated. The interesting part, which is always at the forefront of my mind when auditing, is risk-based thinking. If you have demonstrated that you made a decision to do something a certain way and it was based on your identified risks then I would struggle to argue against your audit programme. Don’t just pay lip service to the internal audit process; internal audits are important to any business with any standard, and effective implementation can give great benefits.

Risk based thinking is perhaps the most misunderstood concept in quality management. The term itself is meaningless without context. The term "risk" has many definitions and even more potential impacts on businesses. As a quality professional who is also an expert witness in products liability and organizational negligence, I can state categorically that most will not understand risk until you have seen photos of dead family members who purchased an electrical device that was certified safe for use. In my experience, the only path to risk based thinking is to change our paradigms from acceptable risk to risk avoidance, a concept alien to those who believe Lean Six Sigma is the ultimate solution.

Duke Okes

Retired. Reading, musing, writing and resting.

5 years

Good point on the fact that the audit requirements have built-in risk-based thinking, but I doubt if many organizations understand and utilize it effectively. Another way to more effectively use audit resources is to apply analytics to determine which processes are more likely to be of interest.

Linda Walker BSc PCQI CMgr MCMI

Quality, Health & Safety Manager at Springco NI Limited & Technical Metals Limited

5 years

Great read Mike

Kalin Stoyanov

Scientist, Research Scientist ...

5 years

The internal audit is one of the most powerful and badly underestimated tools for effective, I would say, everyday management. Unfortunately the rule internal-audit-1-month-before-the-audit and the same by the way with management review are still in force. The auditor can easily put NC on the clause 9.2.2a (the importance clause) at each audit. The management review is the other part of this tool. If the authors of the standard put the word "process" in 9.3.1 or 9001:2015 it will be a great help to everyone. Because the Management review is a process not an act.
