Audits are all too often seen as a necessary evil – the means to achieving that all-important certification. But well-constructed programs of internal and vendor audits can add real value, providing insights into operations, improving business operations and strengthening your partnership with vendors. They also make you so much better prepared for those all-important external certification audits. We take a look at what makes an excellent audit program.
What is an Audit?
Clearly identifying what forms an Auditing activity is the first step to implementing a best-in-class program. ISO defines an Audit as a “systematic, independent and documented process for obtaining Audit evidence and evaluating it objectively to determine the extent to which the Audit criteria are fulfilled.”
Let’s break down this definition into simple concepts and review their true meaning:
- Systematic – the process shall be planned, formal and shall follow a cycle
- Independent – the process shall require impartiality from the activity being Audited
- Documented – it is conducted as per a set of procedures and triggers records generation
- Evidence – activities Audited must be fact-based and verifiable
- Objective evaluation – an evaluation that is not governed by self-opinion
- Audit criteria – the Audit is conducted against a pre-defined reference against which evidence is compared
Types of Audits
Your organization may be subject to several types of Audits. Within each type of Audit, the depth, number and frequency will depend on a number of factors such as the type of products you manufacture, the size of your organization, the complexity of your supply chain and the role you carry out within the supply chain (e.g. manufacturer, designer, after sale), your regulatory and customer requirements etc.
For simplicity, we have grouped these types of Audits as follows:
- External Audits – these mainly relate to unsolicited Audits conducted by third party organizations such as Regulatory Agencies (e.g. TGA, FDA), Notified Bodies (e.g. CE Mark, MDSAP) or customers to verify the extent of compliance of your systems against standards, regulations or contract terms
- Internal Audits – these relate to Audits initiated by your organization, whether the Audit is conducted by your own team or whether you subcontract this activity to a third party. Such Audits can be combined as a single Audit that covers the full scope of your system or can be conducted as multiple Audits over the course of a defined period (e.g. per standard element, per department, project-specific)
- Supplier Audits – Supplier Audits can be viewed as a type of external audit where your organization or one of your subcontractors conducts an Audit of a critical supplier for evaluation/selection or on-going monitoring. Supplier Audits are an effective “Supplier monitoring” technique as they can strengthen relationships with your suppliers, help you understand their internal systems and methods and identify how they interact with your internal processes.
Benefits of a robust Internal Audit program
Ensuring that your Internal Audit program operates effectively should be an on-going focus of your organization. An effective internal Audit provides many benefits, such as:
- Preparing your team for external Audits by gaining exposure to the process in a low stress environment
- Helping your team understand the standard requirements and the way processes have been implemented within your company, by either asking challenging questions or by answering Audit questions
- Providing an opportunity for staff to better understand your organization and activities within other departments/disciplines
- Allowing your organization to identify areas of good practices and improvement opportunities ahead of an external party. Showing that you can detect the state of your systems on your own is a sign of organizational effectiveness
- Identifying potential sources of deviation (e.g. business risks) and actively driving continuous improvement activities
Audit process framework
Organizations seeking to implement a Quality Management System should develop an audit program that is commensurate to the company risk profile, size and complexity of operations. A person within the organization should be appointed to ensure the program is implemented.
The program should include a planning activity whereby the objective and extent of the audit are determined on the basis of factors such as Management priorities, Regulatory/statutory requirements, Organizational risks and upcoming changes. The planning phase should also account for the establishment of procedures and provision of adequate resources (e.g. personnel and training) to conduct audits within the program.
Implementation of the program is achieved by communicating the program to the relevant parties, coordinating and scheduling the audits, selecting the audit teams and ensuring adequate conduct of the audits as per the approved plans.
The typical auditing activities follow a defined workflow as follows:
- Initiate the audit by identifying the audit team, defining the individual objective and scope of the audit and making initial contact with the auditee
- Conduct a preliminary documentation review (e.g. previous findings, organization chart in the department being audited, latest projects or main changes and applicable procedures to audit)
- Prepare and submit an audit plan to the auditee ahead of the audit. The plan will typically comprise the audit objective, time, audit team, area to be audited, list of questions or topics of interest and the logistics on the day
- Conduct the on-site audit. The on-site audit should start with a brief opening meeting to introduce the teams, explain the audit process to the auditees and confirm the audit plan and logistics throughout the day.
Following the opening meeting, the audit team should follow the audit plan and ensure appropriate coverage as per the pre-defined audit scope. The audit process will consist of conducting staff interviews, reviewing records, observing processes and taking notes to provide specific references to the elements audited. The process should be conducted in such a way as to determine the extent of compliance with the audit criteria (i.e. as opposed to finding non-compliance), and areas of concern should be brought to the attention of the auditee immediately to ensure a correct interpretation of the observation is made during this data collection process.
Upon completion of the audit, the audit team should gather to review the audit findings and agree on conclusions prior to sharing with the auditee.
The lead auditor should conduct a closing meeting to confirm adherence of the audit with the audit plan and obtain agreement on the findings with the auditees. Any diverging opinion should be captured in the minutes for final reporting.
- Prepare the audit report. The audit report should provide a complete and accurate picture of the audit. A reference to the audit plan and whether all planned areas have been covered shall be recorded. The audit report should detail the organizational elements of the audit (e.g. audit team, dates and time), the audit evidence reviewed, findings and conclusions on overall compliance with the audit criteria.
Independence of auditors
Independence of the audit team from the area being audited must be demonstrated. This is to ensure that there is no conflict of interest arising from the process and that audit findings are a true representation of the state of compliance. In smaller organizations, the independence criteria can be challenging and the following methods may be used:
- Evaluate and document the impact (e.g. by way of risk assessment) of the lack of independence of a certain process being audited. Determine what control measures can be implemented to mitigate this risk. E.g. consider if the same process can be audited by focusing on another project that did not involve the auditor. Provide justification for independence in the audit records
- Consider training other staff in the audit process to provide more flexibility in the execution of your program
- Sub-contract part or all of the program to a third-party provider who is not involved in your company operations
Particularly in the case of auditing, confidence in and reliance on the process depend heavily on the competence of those conducting the audit. Competence of individuals managing the audit program and conducting the audits should be based on two main aspects:
- Personal attributes: in order to ensure objectivity of the results and accurate representation, auditors must possess excellent communication and presentation skills. They must show diplomacy during interviews, be open-minded to understand how an organization or team has decided to implement the requirements, and show transparency in their conduct during the audit (e.g. explain why they are taking notes or why an audit question is being asked). Auditors must be result-oriented to ensure audit objectives are reached within the agreed timeframe, and highly ethical.
- Qualification and experience: qualification may be acquired by external training, participation in audits led by a qualified auditor, and a combination of industry experience. The key aspects of this qualification should be based on whether the auditor has appropriate knowledge in:
  - The techniques of auditing and the audit process
  - Management skills to ensure adequate planning, exchange of information, time management, focus on key areas, resolve any conflict arising during the audit etc
  - The audit criteria or standard against which the audit will be conducted
  - Quality Assurance principles and applications of Management Systems (e.g. exposure to various types of systems can be valuable)
  - Organizational situations such as an appreciation of business size, processes, cultures
  - Applicable regulations and laws
Need some help? We can support all aspects of quality systems compliance including implementation, technical support and Auditing. We have assisted Medical Device Manufacturers, Distributors, Sponsors and other economic operators in meeting a wide range of organizational requirements such as ISO 9001, ISO 13485, ISO 17025 or the US QSR.
Whether you require support through training, internal Auditing of your systems, on-site support during external Audits, or assistance with supplier evaluation or establishment of your QMS, we are here to help! Contact us by email firstname.lastname@example.org or call +61 0 9906 2984. We would be pleased to discuss how we can help support your projects.