The Internal Auditing Pocket Guide
Also available from ASQ Quality Press:
The Process Auditing Techniques Guide, J.P. Russell
Continual Improvement Assessment Guide: Promoting and Sustaining Business Results, J.P. Russell
ISO 9004 Assessment Criteria Checklist for Performance Improvement, J.P. Russell
ISO Lesson Guide 2000: Pocket Guide to Q9001:2000, Second Edition, Dennis R. Arter and J.P. Russell
The ASQ Auditing Handbook, Third Edition, J.P. Russell, editing director
Quality Audits for Improved Performance, Third Edition, Dennis R. Arter
ANSI/ISO/ASQ QE19011S-2004: Guidelines for quality and/or environmental management systems auditing, U.S. Version with supplemental guidance added, ANSI/ISO/ASQ
The Process Approach Audit Checklist for Manufacturing, Karen Welch
ASQ Foundations in Quality Self-Directed Learning Series: Certified Quality Auditor (CD), ASQ and Holmes Corporation
Process Driven Comprehensive Auditing: A New Way to Conduct ISO 9001:2000 Internal Audits, Paul C. Palmes
The Certified Manager of Quality/Organizational Excellence Handbook, Third Edition, Russell T. Westcott, editor
To request a complimentary catalog of ASQ Quality Press publications, call 800-248-1946, or visit our Web site at http://qualitypress.asq.org.
The Internal Auditing Pocket Guide
Preparing, Performing, Reporting, and Follow-Up
Second Edition
J.P. Russell
ASQ Quality Press, Milwaukee, Wisconsin
American Society for Quality, Quality Press, Milwaukee 53203
© 2007 by J.P. Russell. All rights reserved. Published 2007.
Printed in the United States of America.
Library of Congress Cataloging-in-Publication Data
Russell, J. P. (James P.), 1945–
The internal auditing pocket guide : preparing, performing, reporting, and follow-up / J.P. Russell. 2nd ed.
p. cm. Includes bibliographical references and index.
ISBN 978-0-87389-710-5 (soft cover : alk. paper)
1. Auditing, Internal. I. Title.
HF5668.25.R877 2007 657'.458—dc22 2007004699
ISBN: 978-0-87389-710-5
No part of this book may be reproduced in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.
Publisher: William A. Tony
Acquisitions Editor: Matt T. Meinholz
Project Editor: Paul O’Mara
Production Administrator: Randall Benson
ASQ Mission: The American Society for Quality advances individual, organizational, and community excellence worldwide through learning, quality improvement, and knowledge exchange.
Attention Bookstores, Wholesalers, Schools, and Corporations: ASQ Quality Press books, videotapes, audiotapes, and software are available at quantity discounts with bulk purchases for business, educational, or instructional use. For information, please contact ASQ Quality Press at 800-248-1946, or write to ASQ Quality Press, P.O. Box 3005, Milwaukee, WI 53201-3005.
To place orders or to request a free copy of the ASQ Quality Press Publications Catalog, including ASQ membership information, call 800-248-1946. Visit our Web site at www.asq.org or http://qualitypress.asq.org.
Printed on acid-free paper
Table of Contents
Chapter 1 Welcome to Auditing, p. 1
Chapter 2 Getting the Assignment, p. 13
Chapter 3 Audit Process Inputs (Purpose and Scope), p. 21
Chapter 4 Preparing for the Audit, p. 29
Chapter 5 Identifying Requirements and Planning, p. 37
Chapter 6 Desk Audit and Audit Strategies, p. 53
Chapter 7 Beginning the Audit, p. 65
Chapter 8 Data Collection, p. 77
Chapter 9 Techniques to Improve Effectiveness and Address Vague Requirements, p. 93
Chapter 10 Analyzing the Results, p. 109
Chapter 11 Reporting, p. 123
Chapter 12 Audit Follow-Up, Corrective Action, and Closure, p. 135
Appendix A Example Audit Plan, p. 145
Appendix B Example Work Order, p. 149
Appendix C Example Meeting Agenda and Record, p. 151
Appendix D Example Interview Schedule, p. 155
Appendix E Example Checklist Page, p. 159
Appendix F Audit Time Considerations, p. 161
Appendix G Example Notification Letter, p. 163
Appendix H Popular Performance Standards, p. 165
Appendix I Example Audit Nonconformities, p. 167
Appendix J Auditor Code of Conduct, p. 171
Appendix K Example Corrective/Preventive Action Request, p. 173
Appendix L Corrective Action Checklist, p. 177
Appendix M 20 Basic Audit Principles, p. 181
Glossary, p. 185
References, p. 205
Chapter 1
Welcome to Auditing
The Internal Auditing Pocket Guide prepares those new to auditing to conduct internal audits against quality, environmental, safety, and other specified criteria. You may be learning the basic auditing conventions to qualify as an internal auditor or for self-improvement. In either case, both you and your organization will benefit from your new skills. Your organization will benefit because you will be a more effective auditor, and you will benefit because you will gain knowledge and learn new skills. Not only will you be learning new skills in auditing, you can also use these skills in other job responsibilities, be able to link requirements to your job, and improve your everyday communication skills by practicing interviewing techniques. After you learn the basics of internal auditing, you may seek more advanced study to qualify as an ASQ Certified Quality Auditor (CQA). The scope of work for an internal auditor assignment can vary from simple verification of compliance to identification of performance-improvement opportunities. Your organization has objectives that the internal audit program can help achieve.
An audit is some type of formal independent examination of products, services, work processes, departments, or organizations. Conducting an audit is a process, work practice, or service. Some organizations prefer the word evaluation, survey, review, or assessment instead of the word audit. I will use the word audit when I reference the process because it is universally accepted and, to experts, it means a certain type of investigation or examination as described in this guidebook.
The audit process steps (Figure 1.1) are to:
• Identify plans (what people are supposed to do)
• Make observations (what people are actually doing)
• Evaluate the facts collected (sort the evidence)
• Report the results (conformance or noncompliance)
• Follow up (ensure that problems are corrected)
No matter what name is used for the audit process, auditors are entrusted with confidential information. Auditors must be ethical in their dealings with the organizations they audit as well as with the general public. People have various feelings about auditors that may include fear as well as respect, but there is also a sense that auditors hold a public trust of honesty and conduct their affairs in an ethical manner. When this public trust is broken (for example, in the Arthur Andersen–Enron case) the public is outraged. At the time of the Enron incident, Arthur Andersen was one of the top five accounting firms in the United States and now, because of the misconduct of a few auditors, they are out of business.
Figure 1.1 The audit process (steps: Identify plans, Make observations, Evaluate, Report results, Follow up). © 2006 J.P. Russell.
From time to time throughout this guide I will highlight one of the 20 Basic Audit Principles to emphasize its importance. All 20 audit principles are listed in Appendix M. The first audit principle concerns the public trust.
Audit Principle
Use knowledge and skills for the advancement of public welfare.
TERMINOLOGY
This chapter is about the terminology of auditing to help you communicate effectively. Your organization may have its own names for things that are different from standard audit terms or even different from the dictionary. If the terminology in the text starts to get confusing, consider starting your own cross-reference showing the word you are familiar with compared to the more generic terminology. You can start with the examples shown in Table 1.1.
CONTROLS TO EXAMINE
An audit is a process of investigating and examining evidence to determine whether agreed-upon requirements are being met. An effective audit depends on how information is gathered, analyzed, and reported. The results may verify conformance or indicate noncompliance with rules, standards, or regulations. A quality audit is linked to quality requirements, environmental audits to environmental requirements, financial audits to financial statements, and safety audits to safety rules and regulations. One of the things that makes an audit different from an inspection is that individuals performing an audit must be able to do so impartially and objectively. This means that the person performing the audit must be independent of or have no vested interest in the area being audited. The level of independence necessary to ensure impartiality and objectivity will vary by industry, type of organization, risks involved, and organizational culture.
Table 1.1 Example terminology cross-reference table.
No. | Universal terminology | Your organization’s term
1 | Audit | Assessment, evaluation
2 | Survey | Review
3 | Audit program department | Regulatory compliance department
4 | Employee | Associate
5 | Customer | Client, patient, member, passengers, students
6 | Client | Program manager, quality/safety/environmental manager
7 | Audit program manager | Compliance director
INTERNAL AND EXTERNAL AUDITS
All audits are either internal audits or external audits. Figure 1.2 shows how audits are classified as first (internal), second (external), and third (external) party.
Think of your organization as the circle in the figure. Internal or first-party audits are conducted inside the circle. You must go outside the circle to conduct external or second-party audits (audit your suppliers).
On the right-hand side of the figure is an area designated for third-party audits. Third-party audits are independent of the customer–supplier relationship. Third-party audits may result in certification, license, or approval of a product, process, or system by an independent organization. Your organization may have its quality system or environmental system registered by a third-party registrar or licensed by a government oversight agency. One of the reasons internal audits are conducted is to help prepare organizations for audits conducted by external audit organizations (for example, customers, registrars, government agencies).
Figure 1.2 Audit classifications. Figure labels: Customer; Supplier; External; Internal; Second-party (customer audits your organization); Second-party (you audit your supplier); First-party (audit your own organization); Third-party (independent audit organization).
8 Chapter One
AUDIT TYPES
Audits are also classified by area (process, system) or object (product, service) of the audit. You may be assigned to conduct a system, process, or product audit. Different audits may require different methods, personnel, or equipment.
The product audit (or service audit), the smallest circle in Figure 1.3, determines if tangible characteristics and attributes of a thing are being met. Typically, an auditor checks the object or service to ensure that it has the proper markings, weight, size, viscosity, smoothness, amount, hardness, color, texture, placement, arrangement, count, and so on. The auditor checks the object or service against a predetermined set of characteristics or attributes. A product audit is just like an inspection except there must be some level of independence and the results of the audit are not used to approve release of a product or delivery of a service.
Figure 1.3 Different types of audits (nested circles, largest to smallest: System audit, Process audit, Product audit).
A process audit determines whether process requirements are being met. During a process audit, the auditor will examine an activity or sequence of activities to verify that inputs, actions, and outputs are in accordance with an established procedure, plan, or method. Outputs can be compared to objectives to determine effectiveness and efficiency. A process audit may examine a particular task such as stamping, welding, serving, sterilizing, filing, cleaning, transacting, mixing, or sets of processes within processes such as manufacturing, delivering, purchasing, or designing. The activity examined during a process audit normally is described with a verb, indicating that an action is taking place. A process audit normally follows a process from beginning to end or end to beginning.
A system audit determines whether system requirements (manual, policy, standards, regulations) are being met. When processes are interrelated and interacting, you have a system. A system is made up of processes organized to achieve an objective such as quality, safety, or income. During a system audit you may examine the operation of a department, company, division, or program. Auditors may conduct a product or process audit as part of a system audit. Typically, an auditor will audit an organization against clauses of a quality, safety, or environmental management system standard.
It may help you to think of this type of audit classification as zooming in or out of a picture. For example, in the picture of the racers below:
• A product audit would be checking the helmet or helmets for such attributes as size, color, hardness, markings, identification, webbing, chin strap adjustment, and so on, against requirements (specifications). You may decide to check the team helmets, check all the helmets at the skating rink, or visit the manufacturer and sample a number of helmets. You can do the same thing for a service such as inspecting for the proper arrangement of a cleaned room, cleanliness of a rental car, proper storage of gear before a flight, and so on.
• A process audit may be evaluating the methods used for skating during a race or methods for skating in a sharp turn. You may ask about training, techniques to be employed, type of equipment required, measures for determining a successful turn, adjustments for ice conditions, and equipment prep and maintenance.
• A system audit may be evaluating the management of the skating team or management of the skating arena. You may be interested in how events are scheduled, communication with team members, how changes are implemented, preventive maintenance programs, operating the box office, maintaining and operating the zamboni, how customer needs are determined, and so on.
Most internal audits are either process or system audits. Many organizations divide up their system into little pieces or elements and assign each of their internal auditors to one. Other organizations may divide up the system into big chunks and assign teams of auditors to evaluate them.
KEEN OBSERVATIONS
Regardless of the type of audit, an auditor must be good at observing and reporting factual information.
The person conducting the audit is the auditor. Other equivalent descriptive words are evaluator, assessor, examiner, reviewer, and so on. The organization being audited is called the auditee. Any type of organization can be an auditee (your department, a corporation, government agency, nonprofit organization, retail sales store, manufacturer, and so on). The person or organization who requested the audit is the client. Audits are only conducted when someone or some group requests one. You might think of the client as the person who has authority to assign you to do an audit. This person is one of the customers of the audit service, to whom you are accountable. This person (the client) normally is your boss, the audit program manager, or the quality/environmental/safety manager.
In the next several chapters we will take you from getting the audit assignment and reporting findings to ending the audit by completing follow-up actions.