Get More Value From Your Internal Audits! Use ‘Enhanced Internal Auditing’!
Below is a full transcript of our recent Enhanced webinar that offers an overview of ISO ISO 19011:2018 and current auditing best practices.
Webinar Topics
- Updates to ISO 19011:2018
- Remote Auditing
- Layered Process Audits (LPA)
- Next Generation Auditing (IRCA Whitepaper)
- Supply Chain Audits
- The SimplifyISO advanced checklist – includes ‘results’ and ‘risk’ evaluations
Full Webinar Transcript
Rick:
Hello everyone. My name is Rick [Herm 00:00:11]. I’m co-hosting this with Jim Moran, our guest, our speaker. Today, our topic is Enhanced Internal Auditing, getting more paybacks from your audits.
Rick:
Just a little bit of housekeeping here. Everyone is muted and the video is off, meaning we can’t see your video. However, the chat box is live. So, feel free to ask questions during the presentation, and we’ll try to relay those to Jim, and he’ll answer them for you.
Rick:
We will be conducting polls and sharing the results in real time, so we hope you’ll participate in those. It’ll give us a sense of what the group thinks and some immediate feedback.
Rick:
In addition to the in-process or ongoing questions, we will do a Q&A at the end, again using the chat box. Then, even though this is a 45-minute presentation, if you would like, Jim will stay after the webinar if you have any very specific questions about your own situation.
Rick:
Then, if you’d like to review the webinar again, we will provide you a link to the recording and hopefully that arrives shortly after the webinar. Next slide.
Rick:
Okay. So, today our presenter is Jim Moran. Many of you know, but if you do not, Jim is a president of SimplifyISO, which is a sponsor of today’s webinar and also the Learning Alliance. Jim has been teaching business professionals since 1977, holds a master’s degree in education and has used that in the ISO world to help implement ISO standards since 1992. He’s done that with a variety of Fortune 500 companies as well as small to medium-sized businesses and even governmental entities, such as the governments of Canada and Africa.
Rick:
With that, I’d like to turn it over to Jim to start to the presentation.
Jim:
Thank you very much, Rick. It’s good to see so many familiar faces today, lots of visitors, even from around the world, actually. We have Qasim joining us from the Middle East and a couple other locations in Europe and South America. It’s just great to get everybody together today, and I hope you’re all surviving the current situation as well as possible, maintaining your mental stability. What better way to maintain mental stability, I’ve always said, than talking about ISO topics.
Jim:
So, we’re going to be talking today about updates to ISO 19011:2018, how they might help you or impact you. Just did a remote on it last week Monday, Tuesday, Wednesday with a client near Toronto, talked about layered process auditing, generation auditing, supply chain audits if any of you are involved with any kind of supply chain. We’ve seen a phenomenal impact on the supply chain over the last couple of months.
Jim:
Then, just to finish up with, I’m just going to give you a quick look at the checklist that we’ve developed over the last five or six years to help with our audit.
Jim:
So, let’s get going. We’d like to have a poll. I think you’ve got a poll ready to start there, Rick, if I’m not mistaken, then yes. There we go.
Rick:
We’re [00:04:20] 29 out of 35. I’ll give another few seconds just to vote in the polling. Here are the results.
Jim:
Thank you. I notice we’ve got some more participants, Rick. Is it possible they need to be let in from the waiting room?
Rick:
Sure.
Jim:
And actually, you could probably turn on the waiting room [00:04:48] here. Yeah. Great. Thanks. So, I see a few of you are doing them weekly and some monthly. Looks like the majority. It’s annual for the majority and that’s great. Typical. That’s what we likely see. What was in the chat box for the others, Rick?
Rick:
Let’s see. “The poll’s not visible.” The polls should be visible now. Try clicking on the polls at the bottom when you move your cursor.
Jim:
Okay.
Rick:
So, send me a note. Can everybody see the poll? I guess that’s the question. If you can’t, send me a quick chat.
Jim:
Good and …
Rick:
Nope. Tom says he cannot see the poll. I’ll relaunch it, if you want or …
Jim:
Well, let’s see what we need to do for the next one, Tom, if you can hang on for us or maybe you could type in how often you do internal audits. Then we can head out from there. Thanks.
Jim:
So, we’ll check that next time. Maybe, Rick, you can do one last check to see if anybody …
Rick:
By the way, Elizabeth’s saying, “Every three years auditing to cover all the process.” Tom says he’s on the web interface, not the app, which may affect things. So, maybe the web interface is causing his not seeing the polls. Okay. We’ll stop the polls here.
Jim:
Okay. Thanks. Well, thanks for that feedback, folks. Looks like some majority’s annual. That’s what I’ve seen in last 30 years of this, when people tend to do them manually. There’s a good case to be made for doing them a little more often, keeping your thumb on the pulse, as it were, of your system, just to maybe pick a few things, or actually, we’ll talk about that a little bit, when we get to the layered process auditing section. Thanks for your input, too.
Jim:
There’s some new definitions in ISO 19011, which some of you maybe haven’t come across yet. I probably should have put the title in there, now that I think about it. It’s the guidelines for auditing management systems. It started out as ISO 10011 parts one, two, and three back in 1987. Then, in ’96 14000 was released. When that happened, they created another document called Guidance for Auditing Quality and Environmental Management Systems. That was the title up until 2011, when they called it Guidance for Auditing Management Systems. Then, they just updated it two years ago with the high-level structure. With the implementation, there was the inclusion in 2015 standards of risk and customer focus context and those kind of things.
Jim:
So, some of the new definitions are ‘combined audit,’ which is an audit carried out at a single auditee on two or more management systems, like seeing this integrated system concept grow over the last four or five years quite quickly. I think the advent of the high-level system is certainly going to increase the number of you who actually develop, implement, and manage integrated systems, multiple standards.
Jim:
The three I see the most often are 9001, 14001, and 45001, but there are a whole bunch more. We’re going to talk about a few others as well. 55001 is Asset Management Risk, 31000, it’s not certifiable, but you certainly wouldn’t maybe want to include some of those elements in there.
Jim:
‘Joint audit,’ on the other hand, is an audit carried out at a single auditee by two or more auditing organizations. Some of you may be in a situation where you’re governed by some regulatory body. You could certainly do a joint audit with them. You might do a joint audit with maybe a head office body of yours plus the registrar. Those require a little bit of finagling, getting people engaged and figuring out who’s going to do what process audit. That’s a definite process or a process has been defined in ISO 19011, a set of interrelated or interacting activities that use inputs to deliver an intended result. Sometimes the result, you don’t get the result you intended, but nevertheless it’s the …
Jim:
Oh! The older definition was a series of interrelated or interrupting steps that turns inputs into outputs. Any definition will work as long as everybody’s using the same definition ‘performance’ as a measurable result. Finally, ‘effectiveness’ is the extent to which planned activities are realized.
Jim:
So, those are things to keep in mind when you’re auditing. If you do still have a documented audit procedure, you might want to include some of these in it. There used to Annex A and Annex B in ISO 19011. Now, it’s all combined into one. Believe it or not, no surprise, there’s more information on human interaction and no human interaction. There was a little bit of information there before, but the governing bodies for the registrars weren’t encouraging mode audits by any means, and because of that, there wasn’t as much information in ISO 19011 on it.
Jim:
Part of the new world we’re going to see would be a registrar’s audit, auditor working with one of you at your locations and you using maybe a pad, an iPad, any kind of tablet, your phone even, or a laptop and actually having you as the guide go around to spots in your organization to see activities. You could check things like guard heights on machines. You could see somebody doing an inspection, watch them inspecting input in. You might see them inspecting during the process, taking samples out. You might see an inspection at the end.
Jim:
In a service organization, the auditee could be showing the auditor how a person is doing an interview with a new client. So there’s all kinds of possibilities.
Jim:
There’s some more guidance to supplement the new terms. In the HLS versions, all the high-level standards, excuse me, have referenced a process approach. So there’s in a section there to help you clarify how to audit the process approach.
Jim:
Auditing context was new for everybody. That didn’t exist in any of the standards before. So, there’s some information there about how to do that. Leadership, we have a form on our platform, when you supervise a platform where we’ve actually created a form for leaders to fill in on those 10 requirements, A to J and 5.1.1. In ISO 9001, it’s A to I. In 14001, you probably remember that they just need to do nine things, but they do need to do 13 in 45001.
Jim:
So, as auditors, in order to enhance your internal auditing activity, you want to make sure that your leaders have met those requirements and go through each one individually with them.
Jim:
Risks and opportunities, brand new for ISO 9001. In section A10 of the standard, you’ll get an idea of how to approach that, in terms of seeing if people are aware of risks, see if they’re following the flow chart to determine risks and, of course, every yin has a yang and every risk really creates an opportunity for you to improve your effectiveness, your management system.
Jim:
You’ve got some auditing and supply chain. We’re going to be talking a little bit more about that later and, of course, the big challenge with auditing a supply chain is trying to find enough resources to do it.
Jim:
Virtual activity, so there’s a whole section, section 15 and 16 in this standard talks about virtual activities and locations. I have to say, the technology today is getting so good, this is becoming less and less of an issue. This week we used Microsoft Teams and we use Cisco WebEx. Some of you may already have those in your organizations, so make sure you take advantage of what’s available there.
Jim:
[00:13:50] So, we like to know, Rick’s got another poll ready to go there. Do you use ISO 19011 as guidance for doing your internal audits? We’ll just get that guy up there, see how we’re doing. There we go. And let us know if you can’t see it. For those of you who can’t see it, the three possible answers are I’ve never heard of it, we used it to design our internal audit process, and nobody yet has said we follow it to the letter.
Jim:
Maybe while people are answering, for those of you who haven’t seen it, this first section, section five is on planning the audit program, section six is carrying out an audit, and section seven is qualifying auditors to do internal audits. Good. I’m kind of happy to see nobody’s following it to the letter. It’s a pretty massive document. It looks like there might be some chance coming in. Are there? No.
Jim:
Oh! Sorry. Let me go back here, get back one … There we go. What do you think, Rick? We’ve got the poll closed. So, it looks like 65% used it to design, excellent, and 35% haven’t heard of it.
Jim:
So, now you’ve heard of it. It’s available anyplace you buy your standards online. You can definitely check it out. Again, it’s not a set of requirements. It’s a guidance. There’s a difference if it’s requirements you can get certified to it. If it’s guidance, it’s only guidance in the sense that here are some ideas, here’s something to think about. It uses the word should all the way through and all the other standards you’re familiar with use the word shall. Then, you can get certified to them if you … This is actually something to look about another way to enhance your audits, start looking for the word should in your procedures, and if you find the word should, you’ll discover quite quickly that it is [inaudible 00:16:18] auditable. It’s like there’s still some more people coming. Thanks. If you could let them in, Rick, that’d be great. Thanks.
Jim:
Remote auditing. As I said, we just did one this week, Monday, Tuesday, Wednesday was a three-day audit. I did find it quite interesting because, well, first off, it saved the client some money on expenses and not only expenses, it saved time. I’ve got less harm to the environment. I mean, I only had to drive a couple hours to get there, but when we think of how many millions of miles are logged with auditors jetting off to remote places to do audits, there’s lots of advantage to keeping people home. I mean, the current situation is also an excellent example of how much we can protect things, how much we can not only protect the environment, but protect people. We also noticed that with this way, auditors can spend more time with their families. It’s something that we all strive for, this work-life balance.
Jim:
So, by doing remote audits, it definitely helps us keep things in line and helps us just stay better centered, better balanced, gives us more time to appreciate the things in life that we’re maybe some of us are noticing right now that we don’t have quite as much as access to …
Jim:
Remote locations are more reachable, more easily reachable to a point. Some of you may be living in an area in the world. Southern India, for example, has pretty good internet activity. Every country I’ve been to over there and had talked to people over there, we found that, for the most part, things are coming along quite nicely. It’s definitely infrastructure. It’s definitely something all the organization that I’ve been working with have been developing and are continuing to develop.
Jim:
Of course, our current situation has forced people like Zoom, the one we’re using today, to up their game a little bit. There were a few issues with people bombing Zoom meetings. They’ve increased their security. So, it’s continually getting better. Of course, it always will.
Jim:
The audit team, turns out, can be more efficient if there are fewer distractions. There are pluses and minuses. Most of us who have been doing this for years really love the interaction with you. You can see more things around the periphery when you’re actually on-site, but it certainly isn’t impossible if you have a good working relationship with the person who you’re auditing. You can work with them and have them show you, say, the storage room, have a look at the place where you’re keeping hazardous goods, maybe have them pick a few products up and show you some expiry dates if things have a shelf life, show how things are being stored maybe in some warehouse areas, even, again, for a service organization, as I said, if it were a consulting firm, you can review consulting contracts online. Of course, you just share the screen and open up some files.
Jim:
Then, for interviewing somebody, let’s say you’re a personnel agency and you’re trying to hire some new people or get some new people on board. You could actually have someone showing you the interview that the person’s either doing live. You have to get permission, of course. We still, regardless of the fact that it’s an audit or not, we still have to follow all of the privacy laws and those kind of rules, but the audit team can work together, as well, and, as an audit team, you’ll be able to decide ahead of time how you’re going to share the auditing. It’d be less likely to have overlaps as well.
Rick:
Jim, do you have a second?
Jim:
Yes.
Rick:
[00:20:49] A question from Salim. He says, “In a remote audit, does the audit team have to be located at the same location?”
Jim:
The audit team? No. In fact, the audit I did last week, there were three people involved in the audit. The president, the president’s vice president, and then the person who pretty much manages the audit system. They were even in three different locations. They weren’t even going into their own place.
Jim:
Now, when we get back to normal, the audit team would be in the same location or at their branches, but the audit team … No, thanks for that question, Salim. The audit team doesn’t have to be in the same location. That’d be a good thing to organize at the front end as well, get the audit team to decide who wants to host the meeting.
Jim:
In this particular case, Rick and I are both hosts. We’re co-hosts here. If your organization, if you’re thinking of doing this, especially if you’re going to be doing audits and you’re going to be using different people, make sure that your software that you use has that capability.
Jim:
The other thing, there was something else popped into my head there. Oh, yes. If you have the client, if you’re the auditor and you have the client send you a map ahead of time, floor plan, the two of you can say, “Okay. Now, I’m going over here and now, I’m going over there.”
Jim:
So, there’s lots of things you can do. I mean, I even do that with regular audits with them. I’m going to be visiting the site just so I can plan out where I’m going to go, so I’m not going to the northwest corner of their property, then the southeast corner, and then the north.
Jim:
So, it’ll help you get organized as well. That can kind of make the thing come to life a little bit more for you as well. Thanks.
Rick:
Jim, you have a second?
Jim:
Yeah. Any other questions?
Rick:
Jim, there’s one question from the [E.R. 00:22:50]. He says, “These days, the high-quality digital matter port camera’s being used to obtain 3D measurable results in real estate.
Jim:
Oh, wow!
Rick:
For example, can we make use of this in our remote audits? I know BSI is using virtual headsets essentially to give sort of an in-process or spacial kind of a view.
Jim:
Thanks. That’ll definitely be, as that technology become explodes. Of course, the current situation is going to push that kind of development along probably exponentially. Thanks.
Jim:
Any other questions on the auditing there, Rick?
Rick:
Well, I have one just to follow up. “I assume most of these are going to be recorded, so the the output from the video would be recorded as well?”
Jim:
Good point. So, you’d have that as part of the audit record if you did that. We didn’t do any recording this week, but we certainly could have. We recorded what we say. I used my checklist, my ISO SimplifyISO checklist, you’re going to see later. I had it to the desk here, to the right, and I was filling in notes, just as if I were there. Then, I scanned them all at the end and submitted them with the audit report and the attendance report as evidence for the registrar that the audit happened. This was an internal audit that I was doing. Thanks. All right. Thanks very much.
Jim:
Technology is getting better. One of the things we did have an issue with was they were using a VPN. You’ll find, again, working from home using a VPN it’s that extra little chunk in there. It tended to drop, probably dropped in, we worked to three hours in the morning, 9:00 till 12:00. Then, we worked one 12:45 through 4:15, so we worked three hours in the morning, three-and-a-half hours in the afternoon. It might have dropped half a dozen times, maybe once an hour sort of thing, but without a VPN, with a simpler connection, that wouldn’t be an issue. However, if they had been at the location and we wouldn’t have been going through a VPN. So, that’s one thing to keep in mind. Thanks.
Jim:
And the process owners might not be as involved when you’re doing your remote audit, but, with auditor skills, you can certainly develop your ability to get them involved, but that is something to be aware of.
Jim:
Then, if you want to see X to processes underway, then we can either do the virtual you were talking about. That would be pretty exciting. It will take a little while, but to have someone hold the phone, point the phone at the activity, you could have them use, point a laptop at the activity or a tablet of some kind.
Jim:
Storage areas, I mentioned those already, especially things like hazardous goods and, then again, having people show you some samples of expiry dates if there are any.
Jim:
All right. The other thing auditors need to think about is focusing on conformance and not non-conformances. This is part of what we’re going to be talking about next-generation auditing as well. The shift away from just simply saying, “Are you following the procedure,” to, “Are we getting the results?”
Jim:
Auditors, it’s one of the complaints or one of the fears, if you will, of people, just talking about remote auditing, discussing remote auditing, one of the fears is that they won’t be able to see problems. Well, remember that the audit isn’t about seeing problems. The audit is about finding conformance.
Jim:
[00:26:34] So, let’s see. Auditors will need training not only just on the technology but getting used to the idea of not being there and trying to develop techniques for interview questions. I’m hoping there isn’t a complete shift to pre-recorded or pre-planned checklists. I mean, it could happen using a blank checklist and following the flow is definitely a much better way to audit and, in fact, we’re familiar with the concept and you’ll see some information about it if you get a copy of ISO 19011 as well, but definitely, just like any other skill, auditors will need training.
Jim:
So, we have another poll, Rick, if you’ve got a minute there to pop that guy up. I know you’re out there. I can hear you breathing.
Rick:
Hang on a second. Hang on a second. Hang on. It says, “Relaunch.” Hang on a second.
Jim:
Remote auditing! Great.
Rick:
You see it? Okay.
Jim:
Yup. You think you use … Yes, good, good, good. There’s a hundred. There’s we’ll insist. Yes, we will insist.
Jim:
I put this in to remind everybody that you’re the customer and whatever your registrar’s issues are with it, remind them that this is a new world. There used to be a maximum international auditing forum, had a maximum of 30%, if you look up a document called MD for mandatory days, MD5. It’s a free document online. It’s the document that registrars who plan an auditing time for all kinds of audits. It needs to be updated for 45001, but you’ll see a graph in there for 9001 and 14001 and, as I said, they used to have a maximum that they could do, minimum time that they had to spend. The idea was that they didn’t want drive-by audits. Good.
Rick:
Hey, Jim? Hang on a second. I got a few questions for you.
Jim:
Yeah. Shoot.
Rick:
So, Chris asks, “Does the auditor need to document the objective evidence for ‘conformance,’ quote unquote of each element of the QMS?”
Jim:
Is the question about each element? Yes. Yes. It depends on how you define each element of the QMS. Definitely, since day one, you’ve had to audit your entire management signal, but yes you need to document it. That’s what I mentioned. I can sure use our mission. I just took these sheets and I made handwritten notes on them during the audit. You always have to have objective evidence or another word is verifiable evidence when you’re making a statement of conformance. As the auditor, you still need verifiable evidence to say that this requirement has been met.
Jim:
Any other questions on …
Rick:
Yeah. A couple of things. Just maybe comments and questions. Some comments from obviously Tom’s saying these travel restrictions are going to force a lot of remote auditing, so that’s almost a non-issue.
Rick:
Also, Steve says they’re using it currently for surveillance audits, or they’re going to be using it for surveillance audits, which is an interesting idea.
Rick:
Then, there’s a comment here. “Registrar is still raising mandatory on-site time.” So, even with the remote audits, is that something that’s allowed?
Jim:
[00:30:32] Well, registrars can do whatever they want, but as a customer, you can choose whichever registrar you want, as well. So, I can see the pandemic is going to force some changes to some organizations and the organizations that won’t change will just start to lose customers. They’ll probably have to get what’s called a sanctioned interpretation from the governing body, from ISO in Geneva. They’ll likely have to change their document that the registrar’s get accredited to, ISO 17021. They’ll have to probably redo it this year, in fact, or write an addendum to it to allow registrar’s to, in fact, do 100% remote auditing.
Rick:
Okay. One other question from Steve. “What tips do you have for people to prepare for remote external audits from third parties? I’ve always done them on-site. Is there any major differences that I would need to focus on?” I guess this is that supply chain issue, as well, huh?
Jim:
Yeah. If that’s coming from an auditor who is about to do remote audits, definitely get as much information as you can from the auditee, but, as I said, even just getting a floor plan would be good.
Jim:
George [Walislowski 00:31:53] was talking about trying to audit a packaging place that made cardboard packaging. He mentioned how noisy the assembly line was. Good news is you can turn the microphone off. Yeah. Go over as many of the procedures as you can that you’d be auditing and prepare them as well. Let them know how you typically would do an audit plan, or if you’re the auditee, you’ll get an audit plan. Just have things ready in order, have them accessible. Make sure that you’ve got all your ducks in a row, if you will. That’ll make it go much more quickly. You still have time to find everything you need, too.
Rick:
Hang on a second, Jim. I got a question from Marcos. He said, “I see a focus on the external auditing. Are we going to tackle internal auditing more?”
Jim:
Yes.
Rick:
And then one … Go ahead.
Jim:
For internal auditing, typically you wouldn’t do it remotely because it’s your own organization, but for internal audits, you could remotely audit your branches from an internal audit perspective. Yeah. Thanks. I hope that worked out.
Rick:
Again, back from Chris, “Is the auditor doing the process audit need to be qualified as SME in the process being audited?”
Jim:
Well, auditors, they always have to be qualified in their area that they’re auditing. They have to be qualified in that specific category of the NACE code. I can’t remember what the other code is, but you always had to be qualified, yes. The more you know about the process, the better audit you can do, that is for sure.
Rick:
Well, just to clarify for me, is there a definition of a subject matter expert? Is there a threshold they have to reach to be qualified?
Jim:
Not that I know of. I’ve never, never come across it, but it’s an excellent question, probably worth pursuing. That is something you could definitely check out with your registrar. You could maybe ask them how they determine qualification. That’s in section seven, by the way, of ISO 19011. There’s a little bit of a hint in there. Thanks. Great question.
Rick:
I’m sorry. Comment from Salim. “In recent webinars, G.S. said that, ‘In some cases, SGS will issue a provisional certification for certification audits up to six months and then do a site audit to assure a proper certificate.'” That’s interesting.
Jim:
Thank you for that, Salim. We’re going to have to change going ahead for sure. Yeah.
Rick:
Okay. One more comment here for rider. “Actually, as more and more of us work from home now, remote internal audits is very much a sign of the future, even from within.” So agreement there. Mm-hmm (affirmative).
Jim:
All right. Thank you very much.
Jim:
All right. Layered process audits. Some of you, again, back to the question about the internal auditing. Yes, this is something, this is designed for you to improve the effectiveness of your audits internally. This is what it looks like. You’ll see down here at the bottom, these are the processes and grouped leaders would be looking at the standard workflow, look at materials flow, look at quality.
Jim:
In this model and you can see over here to the right, this comes from a website called ALeanJourney.com. You’ll see that picture there. These are done daily. These are done weekly and this is monthly or quarterly. You can probably do some of these monthly or quarterly, the weekly, just decide, again, depends on the intensity and how critical this process we’re looking at is to getting the right outcome from your work. These would be done sort of on the front line here. The supervisors at this level would be looking at area flow, how well it’s flowing through the area. What’s going on in the interfaces.
Jim:
Remember that if you think of the 80/20 rule, Parato’s Law of the Vital Few, in most organizations, 80% of the non-conformance has happened at the hand off. That’s another beauty of looking at the workflow as opposed to just looking at the procedure to see if people are following it. Standard work process, look at it maybe quarterly, semi-annually, that kind of thing.
Jim:
Again, you’ll see some more details here and you’ll develop a program for yourself. The idea here is to find some things that you want to audit very regularly and each one of your employees can become an auditor. You wouldn’t file. You wouldn’t do the audit and file an audit report every time, but you could do things daily like a checklist. I got a number of clients that do a daily toolbox meeting or a tailgate meeting. Not the party with the beer and the barbecue, but get together and talk about what’s going to happen during the day, does anybody have any issues with any of their requirements?
Jim:
They talk it, when you get here, you’ll see there’s three or four things that happen here. What’s the process? What kind of goal are you trying to reach with the process, and if you’re hitting it, great. If you’re not hitting it, are there any issues that we can help you with today to get it going?
Jim:
[00:37:20] So, think of the layer being every day, every week, or every month, and then monthly or quarterly or semi-annually. That’s kind of the whole idea. Very simple and there’s lots of good information here, too. Again, you type in layered process audits, you’ll see lots and lots and lots of references. They review the same key operational controls to ensure sustainability. This is the whole idea.
Jim:
I’ve often, in internal audit classes that I’ve taught, asked people would they get in their car and close their eyes and on the way home say, “I’m going to open my eyes every five minutes”? No, you wouldn’t. You’re constantly assessing your driving. You want to stay within the lines. You want to do corrections before you’re off in the ditch or before you’re in the headlights of an oncoming Mack truck.
Jim:
So, with what your process audits, you’re looking at things more often. You have your thumb on the pulse better. We’re going to talk about some of the challenges, but nevertheless, the more you have focused, the more you’re focused on, let’s say, key operational controls. Some of you might use the term KPIs, key performance indicators. You can check to see which ones of these activities have a KPI. If there isn’t one here, is the one here? Is there one here? See again, ask the question what’s the KPI and are you hitting it?
Jim:
So, the more time you can spend doing this, the more proactive you’ll become as well. You’re also managing risk better. When you’re looking at something more often, it’s giving you a better picture of what’s going on. Carry out simple checks. Is the process yielding the right result?
Jim:
When we talk about checks, again, think of a daily toolbox meeting, a tailgate meeting, just a group, join for five minutes, 10 minutes, just to make sure everybody’s on the same page. You’d be very nervous about getting on a plane where the pilot was not doing a pre-flight check.
Jim:
So, even though it’s routine and it’s mundane and it might look like a pencil-whipping exercise at some point, it’s still worthwhile in terms of getting people all on the same page. Of course, if you put some conversation in it and let people help each other, let people learn from each other, it can add some value to it as well.
Jim:
So, don’t hesitate to head back here to this site, ALeanJourney.com. We know that lean, it has many, many benefits and even doing these daily, weekly, monthly checks can help you find more ways to take some of the waste out of your management system as well.
Jim:
So, even though it might look at this moment like a lot of extra work, the value is there, especially if you can avoid non-conformances. Be proactive and make a small tweak ahead of time. You know that age, age, age-old saying a stitch in time saves nine. An improvement in time saves non-conformances.
Jim:
So, by spending a little bit of time talking to each other, interacting, communicating and it definitely will improve internal communications. No question about it.
Jim:
So, let’s see. They got the simple checks. Everyone needs to know the metrics relating to their job. Deming said it. “Nobody wakes up in the morning and says, ‘I wonder how badly I can do my job today.'” The last thing you want is so much oversight that people don’t know if they’ve done a good job or you haven’t trained them to think of whether or not they’re doing it well.
Jim:
So, the better information we can give people about what the result is supposed to look like, the better you’re going to be taking care of things. So, layered process audits will help you find ways to make and sustain improvements. Let’s see if you might try it.
Jim:
We’ve got another poll here. Rick, if you’d like to pop that up on the screen for everybody. That’s the remote auditing poll and one more. That’s still the remote auditing. Where’s the layered process auditing? Rick, can you change that to the process?
Rick:
Yeah. I’m trying. Hang on a second. It’s not working here.
Jim:
I’m going to add that poll.
Rick:
Hang on a second. Okay. It’s next generation supplier audit. Next generation, right?
Jim:
Layered, layered process audit.
Rick:
My apologies.
Jim:
[00:42:26] There we are! LPA. Do you think you’re trying layered process audits? It’s a quick overview of what it was I’m sure we have lots of questions about it. We do have four half-day course where we go into this in quite a bit more …
Jim:
Oh! Looks interesting. “I’ll try it in key areas.” “No. We don’t have the resources.” “Might try it. It looks interesting.” “May try it in incremental.” “We already do.”
Jim:
If anybody who’s already doing layered process audits has anything they’d like to add, Rick can let me know if there’s something coming in in the in-basket.
Jim:
Oh, good. Somebody seems to benefit. Somebody just joined. Maybe they were off by an hour in the … Okay. Are we okay there? Good. Thank you very much. Good stuff. So, yes. I said if those of you who are already doing them had any information for us that you’d like to add, that would be great. Is there anything coming in there, Rick, in the chat box?
Rick:
Yeah. A couple comments. So, Don says, “We use a program called EASE, E-A-S-E, where we use an app to perform the audits on our phones. That may or may not be layered process audits.” I have looked at that EASE software. It looks pretty good.
Jim:
Oh, great.
Rick:
And then Barbara says, “We use the checklist option followed by a weekly tool box meeting,” so there’s somebody who does do it. And Don says, “LPAs.” That’s about all the comment.
Rick:
I guess I had a couple of questions myself. What would be the connection between an LPA and ISO certification audits?
Jim:
Oh! In order to be certified ISO, you have to demonstrate that you’ve done internal audits. So, you would just use all the results from your layering process audits as evidence to the registrar that you have done your internal audits. Yeah.
Rick:
And another says, “There’s another software app called iAuditor.” You might want to do a little program just on the apps available. That’d be a good thing to do, hmm?
Jim:
Yeah. We do that. Probably spend one of these days. I apologize for running a bit late. We’re at 12:45 now. So, if some of you have a hard stop at 1:00, we’ll get through the material for sure by then. Just might not have as much time, but again, I’ll wait.
Rick:
Yeah. Jim, I’m sorry. One more. Chris is mentioning, “I don’t find the layered process audit in ISO 19011. Are we missing something?” It’s not a fair part of an ISO, is it?
Jim:
[00:45:29] It’s not described in ISO 19011, no, but I can tell you, Chris, there are thousands of articles online. Just type in layered process auditing. You’ll be overwhelmed.
Rick:
Well, I just want to … Jimmy and I were talking about this. I mean, some of the stuff we put into this webinar is not on ISO, but quite frankly, would try to bridge the gap between people who just sort of want the certificate hanging on the wall and people who can actually use ISO principles and related principles in improving daily quality.
Jim:
Absolutely and anything you can do to enhance your management system will give you more payback on your investment. It costs you a lot of money to have a system, cost money to be certified, for the register, and all that stuff. It’s important that … You have to make a decision. It has to be a strategic decision by top management. Yes, we’re willing to invest the money because we know we’re going to get a multiple times payback out of it. Thanks.
Jim:
So, this is a paper we use in the training course, Next Generation Auditing. It’s easily available. Just type in next generation auditing IRCA, International Register of Certificated Auditors, next generation auditing IRCA. What it’s done is it’s tried to give auditors a picture of how a world of auditing changed when the 2015 standards came out. Some of you might have known that ISO 27001 Information Security actually came out in 2014, ahead of 9001, but in it, it focuses on is this process working as opposed to are you following the procedure?
Jim:
Nothing wrong with following a procedure, as long as the procedure is well-written and has taken into account the circumstances that a person’s typically working under. The bad news is when people get into trouble for not following your procedure because they’ve actually found a better way to do it.
Jim:
So, the focus on following the procedure actually inhibits innovation, inhibits people experimenting and trying to find ways to improve the system.
Jim:
So, by shifting the focus to the outputs and are we getting the results we want, we’re actually improving the effectiveness of the system as well all the time. Is this working is the key thing here. You’ll see in the article when you read the paper, we need to get the boardroom involved with internal audits. In fact, I often recommend to people who take the auditor training to get it either through BSI or other registrars.
Jim:
Ask top management what they want out of the next internal audit. It starts to make them aware that they are part of the organization. You’ll also notice in clause 5.1 of all the standards that top management is responsible for the effectiveness of the management system and getting them involved, getting them through this next generation auditing approach definitely helps them meet those requirements.
Jim:
We do an exercise in the training. Excuse me. And we have people read their document. Then, they create this little presentation in the training.
Jim:
You’ll notice that this particular group noticed when I asked them to pick out the three things in the document that pops out at them. Senior management, it shows up here, the role of the auditor is changing from … You’re actually getting past auditing and starting to assess things.
Jim:
It also talks about don’t just audit the procedure, the documented part of it. Check the process. This has a little discussion of process versus procedure. I have a video on that as well on the YouTube channel, which they can see that senior management wants to get accountability going, ownership of the system, different things like that. This was another group here, same exercise. Up here, you can see difference between management and the auditor. You can’t read that very well. Process versus procedure showed up again. Risk-based thinking, so even though it was a different exercise, similar groups.
Jim:
In this one, you’ll see senior management employing QMS and embracing culture-changing role of the auditor, future of auditing.
Jim:
So, it’s a pretty valuable little document. It could be very helpful. In your organization, you’d have to create this culture and employees need to be made aware that you’re auditing differently, that it isn’t the same old checklist. We’re not looking at the same things. We’re actually going to ask you as the auditee whether you think we could improve this process. Is this process working for you personally?
Jim:
[00:50:54] So, that’s where the next generation is going, the next generation of auditing. Again, not so much done remotely but definitely looking for ways to get more value out of the internal audit. I like people to audit, looking for ways to improve the effectiveness of the system rather than just looking for people not following procedures.
Jim:
If you look for ways to improve the effectiveness of the system, you’ll end up with a whole bunch of OFIs at the end. I had 20 last week for a three-day audit. If they make the system better, it’ll cost them less to operate the system and it’ll actually push money to the bottom line.
Jim:
So, while you didn’t hear a whole bunch about it, but based on what you think the direction is, we’re getting away from just auditing to see if people are following procedures were focused on process effectiveness, process results. Do you think you might give this a try?
Jim:
We’ve got another poll there, Rick. Next-generation auditing. I’ll just keep talking a little bit about it while we’re getting the poll up. That’s the layered process auditing one, the next one. That’s still layered process audits. Get to the … There we go! Next-generation auditing.
Jim:
Getting into the boardroom is important, too. Letting people who are making critical decisions in your organization, letting them know that you have a management system in place that can help them meet the objectives. So, we need to make top management aware that this management system can make money for them.
Jim:
Got a couple like to learn more about it. “Can see the benefits of focusing on results. This is good news.” I’m hoping those few that are still using checklists that audit for following procedures and maybe had a little light bulb go on today, seeing if perhaps there could be some advantage to looking a bit further. All right. We can close that one off. Thank you very much.
Jim:
[60 00:53:22], “I can see the benefits of focusing on results. This is great news.” I mentioned we have a four half-day course and we go into this in quite a bit of detail. We actually do that exercise that you saw the results of and put you in groups in Zoom. We can make up rooms, can see the benefits. Good, good. So, we had a little light go on there.
Jim:
Supply chain audits, big deal these days. If you can see this title here, BSI-White Paper-Risk-Based-Supply Chain Auditing. You’ll have it in the recording, too if you review it. We did a BSI webinar and we gave this white paper away. It’s available free at that location. Just type in, “BSI white paper risk-based supply chain auditing.”
Jim:
We can clearly see the advantages today in our current situation where, if you go beyond just looking for the cheapest price and look for stability of supply and so on, it can change perhaps the person you chose, but there’s some more BSI when you type in that, just get back to that address again. BSI white paper risk-based supply chain auditing. You can see risk versus resilience case studies, 360s, pharmaceutical supply, and so on.
Jim:
So, most of the organizations I work with don’t do supply chain auditing. They typically don’t have the resources to do it, but now, with the current push we are getting to more virtual, many activities more virtually, you might see some opportunities here to audit some of your suppliers virtually. This is the main thing over here on the left. Use your contract as the audit criteria. Look at human resources requirements if they do design for you. Obviously number one with most people is on-time delivery or, two, sometimes price is number one, but delivery and price combination.
Jim:
Who are they purchasing from and what’s their supply chain look like? How do they do inspecting of incoming products? What’s their production process? Do they look after their people and the environment, health, and safety? Are they doing quality audits? Do they have any key performance indicators? How do they monitor them? What do they do and what have they got in place? I guess quality audits is important. I always have my clients ask about risk management. What do they do for me as their customer? What do they do for me if something goes wrong? Do they have a way to formally address a non-conformance? They don’t have to be ISO certified, but if they aren’t, do they have a non-conformance process in place?
Jim:
We’ve got another poll there, Rick. Supplier audits. Would you consider doing supplier audits now? That’s the next generation audit.
Jim:
[00:56:53] Next one, we can close that one. That’s closed. Let’s get you to put up the supplier audits. Fabulous! There we go. Thanks. “Will you consider doing supplier audits? I’d be quite fascinated to see how many of you are doing them now.” Oh, that says, “Poll closed,” Rick. So, I’ll relaunch poll. There we go.
Jim:
“Would you consider doing supplier audits, if you could just check on those.” Fabulous. We will consider auditing our bigger suppliers. Actually, it’s the first line of attack. “Is the larger suppliers benefit from expanding our efforts?” No, we don’t need to.
Jim:
Well, so far no … Oh! We have one … No. “We don’t have the resources.” Maybe for the person who feels they don’t have the resources, maybe this advent of more virtual activities would help you a little bit and bigger suppliers could benefit from expanding efforts. No, we don’t need to. Good. A lot of service companies don’t need to. No. They don’t have the need for … Good. Yeah, thanks. How’s that looking? Yes, we can.
Jim:
Whenever you’re ready, Rick, you can close that one. Where are the results? Could we have a look at the results? Sharing the results, we can see what people are doing. There we go. Thanks.
Jim:
So, 44% knew them now. For those of you who are sort of sitting on the fence, you can see almost half the people today are doing them, so there’s some value out there. Then, 22% consider auditing the biggest suppliers, can benefit from expanding goods.
Jim:
So, I think that was helpful. Maybe we’ll open up those of you who don’t have the resources. As I said, maybe you can start thinking in terms of virtual audits could get you there. Thanks.
Jim:
We’re just about ready to wrap it up. I showed you maybe you can see what I held up a little bit earlier. This is what I used this week when I did the virtual audits. We put the organizations in this box here, wherever the requirement is met or is stored in their system, we put that in this guy here. This is the ISO clause, so that, at the end, you can check all the ISO clauses to see what you covered to make sure you covered everything. The activity box, here’s a flowchart. So, we have this receive call here, so the words receive call would go into this box here. This process name is direct service.
Jim:
So, the process name up here would be direct service. You can put the auditees name in, if you want. You put the date in, who the auditor was. Then the registrar can check to make sure the auditor had the training. You’ll see over here the assess whether the requirements of the clauses have been met. This is all of section seven, support class people, 712 infrastructure, 713 work environment.
Jim:
So, everywhere you go you can either … I originally just ticked them off, but then I started putting numbers one to five in here. Then, if it was a one or a two, I knew it was a non-conformance. I’d also put non-conformance number one here, non-conformance number two, non-conformance number three, four, and so on.
Jim:
[01:00:55] People, if it has an OFI, same thing. OFI number one, OFI number two, OFI number three. Then, you’d have a second page, where you’re keeping track of those and then putting them in the audit report. Five is okay.
Jim:
So, you’d put a one to five in here. Is it getting the right results, one or two being a non-conformance, three and four and OFI, five being okay. And then, are there risks associated with this being [many 01:01:24] 12?
Jim:
So, what you’re doing with this, you’re going through all of the steps of the process, making sure that you’ve covered off all the requirements. You’re also checking the hand off from here … Whoops. Sorry. From here to here. That’s where, as I mentioned earlier, 80% of non-conformance is happening here, in here, in here, in here. People know what they’re doing. They know how to manage themselves. They’re good at what they do. Thanks.
Jim:
So, if you’d like to learn more, we’ve got a full course. It’s four half-days. Guidance on the exercises helps you deepen understanding of what you learned about today. We keep it limited to 12 participants. Then, you’ll have access to me after with Zoom, email and so on. You get a recording of the four half-days. You get a certificate. It’s also credit towards becoming a certified management system professional at IMSIpro.org. Let me know if you want to hear any more about that.
Jim:
So, the online course runs June the 1st to 4th, four half-days from 12:00 noon to 3:00 pm each day, but if you sign up by May 3rd, you save $300 by using this code, ENHANCE, all caps. That gets you $300 off. If you don’t hear from your supervisor by then, you can still get $200 till May 10th, $200 off, and fine me $100 from May 11th to the 17th.
Jim:
Thank you so much. We’ve got some more of these coming up. Customer Satisfaction on May 25th, Sustained Success, 29th. All ISO Standards Asset Management, Risk Management, Innovation Management, Business Continuity Management. If there are any topics near and dear to your heart, we’d love you to text them in to us. You can reach me at Jim @SimplifyISO.com, if you have any more questions from today that you want clarified.
Rick:
Jim, there’s a couple more questions real quick if you don’t mind.
Jim:
Sure. [crosstalk 01:03:35].
Rick:
Couple of industry-specific questions from [Dode 01:03:38]. “Does Jim have any focus on methods in AS9100 aerospace.”
Jim:
Done three training sessions on internal auditing for AS9100. Nothing that I could say is different from auditing anything else except that, of course, learning which parts of the standard-required documented information is the hugest part for me, as one’s you know the name of the company being Simplify ISO, the biggest part for us is making sure that people understand what has to be documented.
Jim:
Then, of course, anybody can file a record. Is it retrievable? So, the two keys there for AS9100 would be really thoroughly understanding what’s required for documentation and then having it managed so well that you can always retrieve it.
Jim:
A big move in AS9100 to live dashboards. That’s definitely some area that, if you haven’t looked into that yet, that’s definitely something that could really make your life better. Live dashboards.
Rick:
Jim, a couple questions real quick here. So, for ISO 1345 and MDSAP, Salim says, “We use MDSAP part of the model and component document to design our checklist, to address the requirements of the seven MDSAP processes.” So, it sounds like that’s another area that sort of jumps across different audit or standards models in a sense.
Jim:
Yes and definitely for those standards, the 13485 standard, a lot of GMP requirements get built into those and that standard checklist would be somewhat helpful, well, very helpful, actually, especially ticking off. The challenge is to make sure that the auditee understands what they’re responsible for. That’s, again, where you can shift the focus to yes, we’ve got all the detail in here, but are you getting the results you want? Thanks.
Rick:
Couple of comments here. Just want to get them in back to the audits, [Darwood 01:06:01] again says, “We use a new app called Audits IQ which connects the equipment to automatically trigger an unscheduled audit to begin. It’s very convenient. Please include in the app discussion. I think that would be very good.”
Rick:
And then a discussion point from Steve back to the subject matter expertise idea. He says, “In my experience, I don’t always use SMEs for process audits. First, the SME is usually in charge of the department for the audit. So, they can’t really audit their own area, which makes it … Secondly, approach it with much more effectively because they stay at the procedural level. This also helps because they do not have the bad habits that apply to the audit, sort of like an outside point of view.” I get that too. “Therefore, we catch a lot of non-conformance, because we do not know the process. Lastly, third-party auditors are usually not SMEs and every business they audit, that’s another reason I follow that mindset.”
Rick:
Makes a good point, I think.
Jim:
Yeah and, of course, as far as auditors being SMEs, not every auditor can be a subject matter expert on absolutely everything in the world, of course. But you could work with the SME in an audit. An SME could actually help you maybe understand some of the more difficult areas or more complex areas of any given process, but I really agree completely, too, and I’ve seen it happen myself where the fresh eyes on something help SMEs sometimes fall into the trap of thinking that the way they know how it’s done is the best way or the only way. So, absolutely, yeah.
Jim:
So, I bet, with a little practice, a little soft gloving. What’s the word? Kid gloving? You could probably make a really nice hybrid of using SMEs for the really difficult parts, but also tempering what they’re talking about with what your own reality is, too. Thanks.
Jim:
Wow! We still have 40 people with us, so if you want to hang on, I’m willing to stay as long as you like.
Jim:
Any other comments coming in here?
Rick:
No. Just general thank you for having it and so forth. I guess … Oh, wait. Here’s one. “Maintaining independence in internal audit is an issue. What’s your suggestion on this?” I guess that plays into just a little bit of discussion we just had.
Jim:
Yeah. It does, but it’s a really critical point. Of course, it’s a requirement of the standard not just the guidance document 19011 but ISO 9001, well all the standards that have 9.2 in their clauses, which is all the major standards. They all talking about organizing the audits, so it can be done in an objective way.
Jim:
While that is just the more objective the audit is, the more value you’ll get as an organization out of the audit. The more opinionated it is, if you’re just saying things like, “Great,” or, “Terrific,” or the more objective, again, I use the term verifiable evidence.
Jim:
So, if you use objective evidence, verifiable evidence, tangible evidence, if you will, that might be another word to use. That would definitely give you more value out of the audit. The more objective the audit is, the more value. The more value you get, the more it’s going to push money to the bottom line for sure, or, if you’re a public service, it’ll help you work with the better the audit is, the more objective it is. It’ll help you stay within your budget.
Jim:
Thanks. Anything else?
Rick:
No. Nothing else. [ 01:09:31].
Jim:
Well, thank you all for joining us. We’ll send you a copy of the recording. We’ll send you some information on the class. I think there’ll be a link there, Rick, to sign up for it. Just when you check out, enter the enhance code and it’ll drop the price $300 till next week from Sunday night. Yes.
Jim:
And any last comments you want to make, Rick, before we go?
Rick:
I just want to thank everybody. We will have more information about the upcoming webinars coming out to you. We’ll have some reminders on the class going out to you as well. Then, just a quick note on this IMSI thing we mentioned briefly. Before we didn’t go into a lot of detail, but this is a new effort in the industry in a sense, to make ISO auditing a little more relevant on the strategic level, not just for the individual practice areas, the environmental or quality or safety auditing, but to make that sort of subject matter expert in that area more valuable and more authoritative within the organization.
Rick:
So, it’s going to be a career help for all you guys and it’s also going to a business help as we enter into this sort of new age, this post-COVID time of corporate responsibility. There’s a role we feel that all of our existing auditors can play. It’ll be good for everyone, so stay tuned for a little more information on that.
Jim:
Wonderful. Thank you all so much. Great to see everybody joining us today and maybe you we’ll see some of you at the next one.