Excerpt for Quality Auditor Guide - Theory and Application Made Easy by Warren Alford, available in its entirety at Smashwords










Quality Auditor Guide


Theory and Application

Made Easy



















© 2011 Warren Alford


www.warrenalford.com



Published by

Speckbohne Publishing

All rights reserved



No part of this book may be reproduced by any means without prior written permission of the publisher.


First Edition













Table of Contents


Chapter 1

Chapter 2

Chapter 3

Chapter 4

Chapter 5

Chapter 6

Chapter 7

Chapter 8


Glossary of Terms


List of Figures and Tables


About The Author






Dedicated to

Silvia, Rosemary and Lola

I Love You…




“This is for all those who tirelessly seek the truth in the face of adversity and who are willing to pay the high price of social isolation for having done so.”


Scott Grant




"Quality is never an accident; it is always the result of intelligent effort."

John Ruskin






Chapter I Key Terms:


Audit: The on-site verification activity, such as inspection or examination, of a process or quality system, to ensure compliance to requirements. An audit can apply to an entire organization or might be specific to a function, process or production step. (see Quality Audit)


Auditee: The person / organization being audited.


Conformance: An affirmative indication or judgment that a product or service has met the requirements of a relevant specification, contract or regulation.


Continuous Improvement (CI): The ongoing improvement of products, services or processes through incremental and breakthrough improvements. Also called continual improvement.


Corrective Action: A solution meant to reduce or eliminate an identified problem.


Cost of Poor Quality (COPQ): The costs associated with providing poor quality products or services. There are four categories: internal failure costs (costs associated with defects found before the customer receives the product or service), external failure costs (costs associated with defects found after the customer receives the product or service), appraisal costs (costs incurred to determine the degree of conformance to quality requirements) and prevention costs (costs incurred to keep failure and appraisal costs to a minimum).


Effectiveness: The state of having produced a decided on or desired effect.


Feedback: Communication from customers about how delivered products or services compare with customer expectations.


Finding: A significant difference between the requirement and the actual state. Also called a discrepancy or noncompliance. Usually stated as major or minor.

ISO: A voluntary, non-treaty federation of standards-setting bodies of some 130 countries. ISO covers standardization in all fields including computers and data communications, but excluding electrical and electronic engineering (governed by the International Electrotechnical Commission or IEC) and telecommunications (governed by International Telecommunications Union's Telecommunications Standards Sector or ITU-TSS). (International Organization for Standardization).


Nonconformity: The non-fulfillment of a specified requirement. Also see “blemish,” “defect” and “imperfection.”


Preventive Action: Action taken to remove or improve a process to prevent potential future occurrences of a nonconformance.


Quality: A subjective term for which each person or sector has its own definition. In technical usage, quality can have two meanings: 1. The characteristics of a product or service that bear on its ability to satisfy stated or implied needs; 2. A product or service free of deficiencies.


Quality Audit: A systematic, independent examination and review to determine whether quality activities and related results comply with plans and whether these plans are implemented effectively and are suitable to achieve the objectives.


Quality Management System (QMS): A formalized system that documents the structure, responsibilities and procedures required to achieve effective quality management.


Quality Manual: Describes in a concise format, the scope and extent of the quality system. Often contains the quality processes to be used by QMS personnel.


Risk management: Using managerial resources to integrate risk identification, risk assessment, risk prioritization, development of risk handling strategies and mitigation of risk to acceptable levels.


Value added: A term used to describe activities that transform input into a customer (internal or external) usable output.




“Good order is the foundation of all good things.”

Edmund Burke


Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of the risk management, control, and governance processes. Professionals called Internal Auditors are employed by organizations to perform the internal auditing activity.

Internal auditing professional standards require the function to monitor and evaluate the effectiveness of the organization's Risk Management processes. Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to those risks that could potentially affect its ability to realize its objectives.

The scope of internal auditing within an organization is broad and may involve topics such as the efficiency of operations, the reliability of financial reporting, deterring and investigating fraud, safeguarding assets, and compliance with processes, laws and regulations.

Quality conveys different thoughts to each person. Certainly, our individual definitions are as varied as opinions of style, fashion and taste. It is a small but important word, which bears more importance than most people realize.

The Quality Management System (QMS) must be effective. That effectiveness must be evaluated periodically to ensure the system remains strong and healthy. As the saying goes, “Actions speak louder than words.” This truly applies when it comes to quality and the QMS.

Quality, as a profession and process associated with the quality function, was introduced during the second half of the 20th century, and has been evolving ever since. Over this period, few other disciplines have seen as many changes as the quality profession.

The idea of manufacturing huge numbers of products, sorting out the good ones and destroying the bad ones, was an expensive undertaking. The factories of the early 1900s began to see that money could be saved and more could be earned by lowering the number of defectives, and the way to do that was simple yet complicated at the same time.

Quality would need to be incorporated into the entire manufacturing process, from receiving the raw materials to loading the product into a truck or train for final transport. All steps in between would require quality controls.

There would need to be a monitoring system, which could objectively verify the processes were working and the output from each process was consistent. The idea was if all processes are in control and outputs are consistent, the product or service at the end of the assembly line would be of consistent quality because there would be no opportunity for a defect to occur.

Audits are an important part of the overall QMS. The audit will not only verify compliance, but it will also identify areas of improvement and ways to streamline the business. The audit represents the best way for management to know how the audited department is truly functioning.

In the past, audits have been viewed by the Auditee as a punitive measure that uncovers mistakes and could perhaps result in disciplinary actions. The auditor was someone to be feared, loathed and, if at all possible, avoided.

The view in the modern business world contradicts the negative impressions and misconceptions of days past. Managers today realize the advantages of audits and use the audit as a management tool for everything from process improvement to verifying that additional resources perceived as necessary are, in fact, needed.

As Quality has evolved, the audit has taken on a different appearance in its performance. The “police-like” audit interviews of the past have made room for more guided discussions and conversations, where the information is exchanged and verified by the auditor. The audit now focuses on conformance as opposed to non-conformance.

The verification of audited material remains, for the auditor, the primary obligation of his / her due diligence; however, the auditor should also focus on identifying opportunities for improvement and ways to bring savings to the business.

Another popular and cost / time effective method is the use of inspections. The inspection is a limited scope audit that examines only a couple of areas of a process or procedure to verify the final product or service meets the specification of the internal and external customer. Inspections frequently consist of record examinations. The inspection takes less time and allows the auditor to verify compliance to the standard while allowing the exploration of ideas to reduce waste and increase the speed of the process without compromising the quality of the process output.

The importance of feedback to management from audits cannot be overstated. The data gathered and delivered to management is invaluable in setting goals and objectives. To ignore the information is to abandon management through facts and data to rely solely on luck, which runs out sooner or later for everyone.

Corrective and / or Preventative Actions result from audit performance. These tools are designed to improve the process or system using Root Cause evaluation, implementation of a “fix” and prevention of future defects of a similar nature.

Corrective action plans are developed by the Auditee or responsible manager. They should clearly identify the necessary activities that should be implemented.

A documented quality process should exist for dealing with findings that result from an audit. The process should include assignment of responsibilities for short term, immediate action to contain a product, process or service nonconformity.

Some corporations have committees (Corrective Actions Boards) that coordinate the corrective / preventative action activities. The quality department should always be involved in reviewing the actions through follow-up to ensure the measures are effective. Quality must remain objective during the evaluation.

Corrective actions usually fall into one of the following categories:

• Immediate Actions: Actions taken to stop the problem immediately. “Would you want defects to continue to be sent to your customers?”

• Temporary Actions: Actions taken to stop the problem in the near term. “Do we shut down the assembly line and inspect 100% of the product until the run is complete?”

• Permanent Actions: Actions taken to stop the problem forever. “Shut down the line, overhaul the machinery and start the line again. We will inspect 100% of the product until we meet Six Sigma (99.99%) standards.”

When a finding is discovered through auditing, the most critical immediate action should be to evaluate the risk resulting from the output of the process. You would not want to discover a widget is out of specification while one hundred widgets are loaded on a truck and sent to your customers. A quick risk analysis must be completed to see what extent of damage (defects) may be present.

Auditor follow-up has been one of the weakest links in the audit process of the past. The auditor must evaluate the implemented changes and objectively consider if the actions are effective. If the actions have a “reasonable opportunity for success”, the auditor should accept the actions and evaluate the effectiveness of the control during future audits and inspections.

After follow-up and verification, the finding may be closed. The Quality Manual or other quality documentation should address the procedure and documentation required for closure.

It is also important to remember auditors cannot “fix” their findings. If involved in the correction, they should not conduct the follow-up to close the finding.

NOTE: Auditors cannot audit their own work. It is for this reason the auditor must remain independent and in doing so, the auditor remains objective.

The Cost of Quality or the Cost of Poor Quality is an important part of the quality system approach. Quality has been viewed in the past as only an expense for organizations. This belief has changed somewhat in the modern business world. A majority of business managers today view quality as value added in contributing to saving money by preventing failures and / or defects that customers might experience. This is the basis of the Cost of Poor Quality.

The ISO (International Organization for Standardization) standards such as the ISO 9000 series were developed to help companies effectively document the quality system elements to be implemented in order to maintain an efficient QMS. There are many different QMS models in the business world. Each company must decide which QMS model fits its particular quality needs.

We will examine these issues in more depth, along with the role of the Quality Auditor, exploring the theory and application of the elements required to ensure success.

In the following pages, you will find a roadmap to assist in leading you to success as an auditor. Many auditors claim to understand the quality elements but in reality, you must be open-minded in your desire to learn. It is this human element that will prove to be the greatest challenge in the quality system.











Quick Note: This book should be read at least three times to fully understand and retain the presented material.











Chapter II Key Terms:


Assessment: A systematic evaluation process of collecting and analyzing data to determine the current, historical or projected compliance of an organization to a standard.


Audit Client: The person / organization that has the authority to request an audit be conducted. The auditor team delivers the completed audit report to the audit client.


Audit Scope: Determination of the range of the activities and the period (months or years) of records that are to be subjected to an audit examination.


Auditee: The person / organization being audited.


Compliance: The state of an organization that meets prescribed specifications, contract terms, regulations or standards.


Conformance: An affirmative indication or judgment that a product or service has met the requirements of a relevant specification, contract or regulation.


Desk Audit: Limited scope examination of documents and records, away from the place of action.


External customer: A person or organization that receives a product, service or information but is not part of the organization supplying it. Also see “Internal Customer.”


Gap analysis: The comparison of a current condition to the desired state, such as a Compliance Matrix. A service usually provided by the Quality Department.


Internal customer: The recipient (person or department) within an organization of another person’s or department’s output (product, service or information).


Matrix Organization: Multifunctional team structure that facilitates horizontal flow of authority, in addition to its normal (vertical) flow, by abandoning 'one person, one boss' rule of conventional organizations. Used mainly in management of large projects or product development processes, it draws employees from different functional disciplines (accounting, engineering, marketing, etc.) for assignment to a team without removing them from their respective positions.


Process: A set of interrelated work activities characterized by a set of specific inputs and value added tasks that make up a procedure for a set of specific outputs.


Quality Audit: A systematic, independent examination and review to determine whether quality activities and related results comply with plans and whether these plans are implemented effectively and are suitable to achieve the objectives.


Quality Plan: A document or set of documents that describe the standards, quality practices, resources and processes pertinent to a specific product, service or project.


Supplier: A source of materials, service or information input provided to a process.


Supplier Quality Assurance: Confidence a supplier’s product or service will fulfill its customers’ needs. This confidence is achieved by creating a relationship between the customer and supplier that ensures the product will be fit for use with minimal corrective action and inspection.


System: A group of interdependent processes and people that together perform a common mission.

















“An investment in knowledge always pays the best interest.”

Benjamin Franklin


The purpose of auditing is to examine the effectiveness of the quality controls. Quality Assurance is based on prevention of defects instead of detection of problems at the end of the process. Quality Inspectors are still used in manufacturing operations to separate the bad product from the good but this results in rework and added costs. Quality problems often result in customer dissatisfaction and loss of employee morale.

Quality audits are important for an organization to gather information concerning the operations, compliance, conformance and performance of processes, policies and laws. An audit reveals the critical gaps in the process that allow for potential failures or defects in the final product or service. The audit also identifies areas for continuous improvement and the elimination of waste, which does not add value to the organization.

The Audit Client has the authority to request an audit and the responsibility to assist in facilitation of the audit. The audit report is the product of the audit and it is delivered to the Audit Client, who acknowledges the report and any findings by signing the report. Corrective / Preventative actions are usually assigned by the Audit Client to the managers who are accountable for the audited areas where the findings were discovered.

The audit scope is usually decided by the Audit Client and Quality Manager to determine and agree on the processes and procedures to be audited. The scope defines exactly what will be audited; it represents the “ground rules” for all parties. The scope is usually defined in the audit notification that is sent by the quality department to the Audit Client. Remaining within the scope is very important and prevents a “boiling the ocean” mentality from becoming the proverbial “fishing expedition”. The objective of an audit is defined by the audit scope.

There are generally three types of audits: 1) Product audit - concentrates on one or more products; 2) Process audit - concentrates on the achieved results of the processing effort; 3) System audit - focuses on the overall quality system which is the result of management directed activities and programs to produce a product or service.

An audit may also be classified as internal (first party audit) or external (second or third party audit). A first party audit is usually performed by the company (quality department within the company).

Unlike the first party audit, a second party audit is an audit of another organization’s quality program not under the direct control or within the organizational structure of the auditing organization.

Compared to first and second party audits, the third party audit is an assessment of an organization’s quality system conducted by an independent, outside auditor or team of auditors. When referring to a third party audit as it applies to an international quality standard such as ISO 9000, the term "third party" is synonymous with a quality system registrar whose primary responsibility is to assess an organization’s quality system.

Scope creep occurs when the audit scope is not closely monitored. This deviation from the original scope will result in items outside the scope of the audit being examined and as a result, the items within the agreed upon scope are omitted and not audited as necessary. The result is frustration for the auditors who did not prepare for processes or procedures outside the audit scope, wasted time and resources in the audited department due to unnecessary interviews and the creation of distrust from Auditees who are subjected to scrutiny of items that were not agreed upon up front. The mutual agreement of the Audit Client, Quality Manager and auditors as to what is to be audited or inspected is of utmost importance.

The audit schedule is part of the overall quality plan. The schedule identifies the audits to be completed throughout the defined time period (usually a year). It also contains information such as the Auditees, processes to audit, documents to be examined and the assigned auditors' names. The audit schedule is produced by the Quality Manager and approved by the Accountable Manager of the business area or division. The Quality Manager usually reports directly to the Accountable Manager, although there are many different types of organizational hierarchical structures in the business world.

Some other reasons for auditing include determining:

• Products are fit for use

• Adequate written procedures exist and are utilized

• There is an adherence to regulatory requirements

• Deficiencies in the product

• Conformance to a specification

• Remedial actions taken remain effective

• Risk exposure

• Standard practices are used

• To seek improvement areas

Every organization, to be effective, must have an organizational structure. The organizational structure determines the hierarchy and the reporting structure in the organization. It is also called an organizational chart. There are different types of organization structures that companies follow depending on a variety of things; it may be based on geographical regions, products or other hierarchy. To put it simply, an organizational structure is a plan that shows the organization of work and the systematic arrangement of work. The matrix organization is a combination of function and product structures and is the most complex organizational structure.

The structure of the department being audited is important for the auditor to know. Audits of processes and systems often cross departmental boundaries. For this reason, the auditor must be able to identify the responsible person(s) of each step of the process in order to interview the right person, identify the items that fall within the department’s span of control and to whom the users of each process report.

All organizations have customers with whom they conduct business. There are two types of customer: Internal and External. A department of an organization may supply support services to internal employees, such as the Finance or IT department, which may or may not have external customers who actually conduct business with the organization.

For those departments that have only internal customers, it is just as important that their departmental processes function effectively and efficiently. In doing so, the internal customers will be able to serve and meet the needs of the external customer.

