The Internal Auditing Pocket Guide


Page 1: ASQ IAG



Also available from ASQ Quality Press:

The Process Auditing Techniques Guide, by J.P. Russell

Continual Improvement Assessment Guide: Promoting and Sustaining Business Results, by J.P. Russell

ISO 9004 Assessment Criteria Checklist for Performance Improvement, by J.P. Russell

ISO Lesson Guide 2000: Pocket Guide to Q9001:2000, Second Edition, by Dennis R. Arter and J.P. Russell

The ASQ Auditing Handbook, Third Edition, J.P. Russell, editing director

Quality Audits for Improved Performance, Third Edition, by Dennis R. Arter

ANSI/ISO/ASQ QE19011S-2004: Guidelines for quality and/or environmental management systems auditing—U.S. Version with supplemental guidance added, by ANSI/ISO/ASQ

The Process Approach Audit Checklist for Manufacturing, by Karen Welch

ASQ Foundations in Quality Self-Directed Learning Series: Certified Quality Auditor (CD), by ASQ and Holmes Corporation

Process Driven Comprehensive Auditing: A New Way to Conduct ISO 9001:2000 Internal Audits, by Paul C. Palmes

The Certified Manager of Quality/Organizational Excellence Handbook, Third Edition, Russell T. Westcott, editor

To request a complimentary catalog of ASQ Quality Press publications, call 800-248-1946, or visit our Web site at http://qualitypress.asq.org.


The Internal Auditing Pocket Guide

Preparing, Performing, Reporting, and Follow-Up

Second Edition

J.P. Russell

ASQ Quality Press, Milwaukee, Wisconsin


American Society for Quality, Quality Press, Milwaukee 53203
© 2007 by J.P. Russell
All rights reserved. Published 2007
Printed in the United States of America
13 12 11 10 09 08 07 5 4 3 2 1

Library of Congress Cataloging-in-Publication Data

Russell, J. P. (James P.), 1945– The internal auditing pocket guide : preparing, performing, reporting, and follow-up / J.P. Russell.—2nd ed. p. cm. Includes bibliographical references and index. ISBN 978-0-87389-710-5 (soft cover : alk. paper) 1. Auditing, Internal. I. Title.

HF5668.25.R877 2007 657'.458—dc22 2007004699

ISBN: 978-0-87389-710-5

No part of this book may be reproduced in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.

Publisher: William A. Tony
Acquisitions Editor: Matt T. Meinholz
Project Editor: Paul O’Mara
Production Administrator: Randall Benson

ASQ Mission: The American Society for Quality advances individual, organizational, and community excellence worldwide through learning, quality improvement, and knowledge exchange.

Attention Bookstores, Wholesalers, Schools, and Corporations: ASQ Quality Press books, videotapes, audiotapes, and software are available at quantity discounts with bulk purchases for business, educational, or instructional use. For information, please contact ASQ Quality Press at 800-248-1946, or write to ASQ Quality Press, P.O. Box 3005, Milwaukee, WI 53201-3005.

To place orders or to request a free copy of the ASQ Quality Press Publications Catalog, including ASQ membership information, call 800-248-1946. Visit our Web site at www.asq.org or http://qualitypress.asq.org.


Printed on acid-free paper


Table of Contents

Chapter 1 Welcome to Auditing. . . . . . . . . . . . . . 1

Chapter 2 Getting the Assignment . . . . . . . . . . . 13

Chapter 3 Audit Process Inputs (Purpose and Scope) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Chapter 4 Preparing for the Audit . . . . . . . . . . . . 29

Chapter 5 Identifying Requirements and Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Chapter 6 Desk Audit and Audit Strategies. . . . . 53

Chapter 7 Beginning the Audit. . . . . . . . . . . . . . . 65

Chapter 8 Data Collection. . . . . . . . . . . . . . . . . . . 77

Chapter 9 Techniques to Improve Effectiveness and Address Vague Requirements. . . . . . . . . . . 93

Chapter 10 Analyzing the Results. . . . . . . . . . . . . 109

Chapter 11 Reporting . . . . . . . . . . . . . . . . . . . . . . 123

Chapter 12 Audit Follow-Up, Corrective Action, and Closure. . . . . . . . . . . . . . . . . . . . . . . 135

Page 6: ASQ IAG

Appendix A Example Audit Plan . . . . . . . . . . . . . 145

Appendix B Example Work Order . . . . . . . . . . . . 149

Appendix C Example Meeting Agenda and Record. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Appendix D Example Interview Schedule . . . . . . 155

Appendix E Example Checklist Page . . . . . . . . . . 159

Appendix F Audit Time Considerations . . . . . . . . 161

Appendix G Example Notification Letter . . . . . . 163

Appendix H Popular Performance Standards . . . 165

Appendix I Example Audit Nonconformities. . . . 167

Appendix J Auditor Code of Conduct . . . . . . . . . 171

Appendix K Example Corrective/Preventive Action Request . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Appendix L Corrective Action Checklist. . . . . . . . 177

Appendix M 20 Basic Audit Principles . . . . . . . . . 181

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205


Chapter 1

Welcome to Auditing

The Internal Auditing Pocket Guide prepares those new to auditing to conduct internal audits against quality, environmental, safety, and other specified criteria. You may be learning the basic auditing conventions to qualify as an internal auditor or for self-improvement. In either case, both you and your organization will benefit from your new skills. Your organization will benefit because you will be a more effective auditor and you will benefit because you will gain knowledge and learn new skills. Not only will you be learning new skills in auditing, you can also use these skills in other job responsibilities, be able to link requirements to your job, and improve your everyday communication skills by practicing interviewing techniques. After you learn the basics of internal auditing, you may seek more advanced study to qualify as an ASQ Certified Quality Auditor (CQA). The scope of work for an internal auditor assignment can vary from simple verification of compliance to identification of performance-improvement opportunities. Your organization has objectives that the internal audit program can help achieve.

An audit is some type of formal independent examination of products, services, work processes, departments, or organizations. Conducting an audit is a process, work practice, or service. Some organizations prefer the word evaluation, survey, review, or assessment instead of the word audit. I will use the word audit when I reference the process because it is universally accepted and, to experts, it means a certain type of investigation or examination as described in this guidebook.

The audit process steps (Figure 1.1) are to:

• Identify plans (what people are supposed to do)

• Make observations (what people are actually doing)

• Evaluate the facts collected (sort the evidence)

• Report the results (conformance or noncompliance)

• Follow up (ensure that problems are corrected)

No matter what name is used for the audit process, auditors are entrusted with confidential information. Auditors must be ethical in their dealings with the organizations they audit as well as with the general public. People have various feelings about auditors that may include fear as well as respect, but there is also a sense that auditors hold a public trust of honesty and conduct their affairs in an ethical manner. When this public trust is broken (for example, in the Arthur Andersen–Enron case) the public is outraged. At the time of the Enron incident, Arthur Andersen was one of the top five accounting firms in the United States and now, because of the misconduct of a few auditors, they are out of business.

Figure 1.1 The audit process: Identify plans, Make observations, Evaluate, Report results, Follow up. © 2006 J.P. Russell.

From time to time throughout this guide I will highlight one of the 20 Basic Audit Principles to emphasize its importance. All 20 audit principles are listed in Appendix M. The first audit principle concerns the public trust.

Audit Principle

Use knowledge and skills for the advancement of public welfare.

TERMINOLOGY

This chapter is about the terminology of auditing to help you communicate effectively. Your organization may have its own names for things that are different from standard audit terms or even different from the dictionary. If the terminology in the text starts to get confusing, consider starting your own cross-reference showing the word you are familiar with compared to the more generic terminology. You can start with the examples shown in Table 1.1.

Table 1.1 Example terminology cross-reference table.

No.  Universal terminology      Your organization’s term
1    Audit                      Assessment, evaluation
2    Survey                     Review
3    Audit program department   Regulatory compliance department
4    Employee                   Associate
5    Customer                   Client, patient, member, passengers, students
6    Client                     Program manager, quality/safety/environmental manager
7    Audit program manager      Compliance director

CONTROLS TO EXAMINE

An audit is a process of investigating and examining evidence to determine whether agreed-upon requirements are being met. An effective audit depends on how information is gathered, analyzed, and reported. The results may verify conformance or indicate noncompliance with rules, standards, or regulations. A quality audit is linked to quality requirements, environmental audits to environmental requirements, financial audits to financial statements, and safety audits to safety rules and regulations. One of the things that makes an audit different from an inspection is that individuals performing an audit must be able to do so impartially and objectively. This means that the person performing the audit must be independent of or have no vested interest in the area being audited. The level of independence necessary to ensure impartiality and objectivity will vary by industry, type of organization, risks involved, and organizational culture.

INTERNAL AND EXTERNAL AUDITS

All audits are either internal audits or external audits. Figure 1.2 shows how audits are classified as first (internal), second (external), and third (external) party.

Think of your organization as the circle in the figure. Internal or first-party audits are conducted inside the circle. You must go outside the circle to conduct external or second-party audits (audit your suppliers).

On the right-hand side of the figure is an area designated for third-party audits. Third-party audits are independent of the customer–supplier relationship. Third-party audits may result in certification, license, or approval of a product, process, or system by an independent organization. Your organization may have their quality system or environmental system registered by a third-party registrar or licensed by a government oversight agency. One of the reasons internal audits are conducted is to help prepare organizations for audits conducted by external audit organizations (for example, customers, registrars, government agencies).

Figure 1.2 Audit classifications. Internal: first-party (audit your own organization). External: second-party (customer audits your organization; you audit your supplier) and third-party (independent audit organization).


AUDIT TYPES

Audits are also classified by area (process, system) or object (product, service) of the audit. You may be assigned to conduct a system, process, or product audit. Different audits may require different methods, personnel, or equipment.

The product audit (or service audit), the smallest circle in Figure 1.3, determines if tangible characteristics and attributes of a thing are being met. Typically, an auditor checks the object or service to ensure that it has the proper markings, weight, size, viscosity, smoothness, amount, hardness, color, texture, placement, arrangement, count, and so on. The auditor checks the object or service against a predetermined set of characteristics or attributes. A product audit is just like an inspection except there must be some level of independence and the results of the audit are not used to approve release of a product or delivery of a service.

Figure 1.3 Different types of audits: system audit, process audit, product audit (nested circles, with the product audit the smallest).

A process audit determines whether process requirements are being met. During a process audit, the auditor will examine an activity or sequence of activities to verify that inputs, actions, and outputs are in accordance with an established procedure, plan, or method. Outputs can be compared to objectives to determine effectiveness and efficiency. A process audit may examine a particular task such as stamping, welding, serving, sterilizing, filing, cleaning, transacting, mixing, or sets of processes within processes such as manufacturing, delivering, purchasing, or designing. The activity examined during a process audit normally is described with a verb, indicating that an action is taking place. A process audit normally follows a process from beginning to end or end to beginning.

A system audit determines whether system requirements (manual, policy, standards, regulations) are being met. When processes are interrelated and interacting, you have a system. A system is made up of processes organized to achieve an objective such as quality, safety, or income. During a system audit you may examine the operation of a department, company, division, or program. Auditors may conduct a product or process audit as part of a system audit. Typically, an auditor will audit an organization against clauses of a quality, safety, or environmental management system standard.

It may help you to think of this type of audit classification as zooming in or out of a picture. For example, in the picture of the racers below:

• A product audit would be checking the helmet or helmets for such attributes as size, color, hardness, markings, identification, webbing, chin strap adjustment, and so on, against requirements (specifications). You may decide to check the team helmets, check all the helmets at the skating rink, or visit the manufacturer and sample a number of helmets. You can do the same thing for a service such as inspecting for the proper arrangement of a cleaned room, cleanliness of a rental car, proper storage of gear before a flight, and so on.

• A process audit may be evaluating the methods used for skating during a race or methods for skating in a sharp turn. You may ask about training, techniques to be employed, type of equipment required, measures for determining a successful turn, adjustments for ice conditions, and equipment prep and maintenance.

• A system audit may be evaluating the management of the skating team or management of the skating arena. You may be interested in how events are scheduled, communication with team members, how changes are implemented, preventive maintenance programs, operating the box office, maintaining and operating the zamboni, how customer needs are determined, and so on.

Most internal audits are either process or system audits. Many organizations divide up their system into little pieces or elements and assign each of their internal auditors to one. Other organizations may divide up the system into big chunks and assign teams of auditors to evaluate them.


KEEN OBSERVATIONS

Regardless of the type of audit, an auditor must be good at observing and reporting factual information.

The person conducting the audit is the auditor. Other equivalent descriptive words are evaluator, assessor, examiner, reviewer, and so on. The organization being audited is called the auditee. Any type of organization can be an auditee (your department, a corporation, government agency, nonprofit organization, retail sales store, manufacturer, and so on). The person or organization who requested the audit is the client. Audits are only conducted when someone or some group requests one. You might think of the client as the person who has authority to assign you to do an audit. This person is one of the customers of the audit service, to whom you are accountable. This person (the client) normally is your boss, the audit program manager, or the quality/environmental/safety manager.

In the next several chapters we will take you from getting the audit assignment and reporting findings to ending the audit by completing follow-up actions.

Index

A

accessibility limitations, 67–68
activities, observing, 87–88
agenda
  exit meeting, 125–28
  opening meeting, 67–72
assignment, 13–15
  accepting, 15–19
Arthur Andersen corporation, 3
audit
  definition of, 2
  follow-up, 140–41
  versus inspection, 5–6
  types, 8–11
audit classifications, 6–7
audit conclusion, 118–22
audit criteria, 77
audit escort, 71
audit evidence, 77, 78, 90–91, 112–13
audit follow-up, 135–43
audit methods and techniques, 68–69
audit plan, 34–35
  example, 145–47 (Appendix A)
audit planning, 37–51
  auditing objectives, 37–40
  checklists, 44–48
  collection plans, 48–49
  sampling plans, 49–50
  working papers, 51
audit preparation, 29–36
  audit team, 29–31
  contacting auditee, 31–32
  issuing audit plan, 34–35
  make a list, 36
audit principles, 20 basic, 181–83 (Appendix M)
audit process steps, 2, 3, 14
  inputs, 21–27
audit purpose, 25–27
audit report, 69
  example, 167–69 (Appendix I)
audit scope, 22–23
audit team, 29–31
audit team meeting, agenda, 73
audit time considerations, 30, 161–62 (Appendix F)
auditee, 12
  contacting, 31–32
  responsibilities, 128, 135, 136
auditee meeting, agenda, 74
auditing, 1
  auditor observations, 12
  controls to examine, 4–6
  internal and external, 6–7
  against requirements, 40–44
  strategies, 59–63
  techniques, process, 102–6
  terminology, 4, 12
  types of, 8–11
auditor, 12
  code of conduct, 19, 171–72 (Appendix J)
  number needed, 30
  responsibilities, 24, 128
auxiliary verbs, 40–41
availability, for audit, 15

B

best practice, 113
best practices, observed, 116

C

can, 42
canned checklists, 48
checklists, 44–48
  in desk audits, 54
  example, 47, 159–60 (Appendix E)
  rules, 45–46
client, 12, 13
  responsibilities, 135
closed-ended requirements, 94
closing meeting, 123
code of conduct, auditor, 19, 171–72 (Appendix J)
collection plan, 48–49, 78
communication flow, between auditor and auditee, 33
competence, of auditor, 18–19
concern, 113
conclusion, audit, 118–22
conflicts of interest, 15–18
conformance, 25, 37–38
  verifying, 88–89
conformity, 113
controls verification, 80
correction, 138
corrective action, 138
  effective, 141–42
  timely implementation, 143
corrective action and preventive action (CAPA) process
  closure, 142–43
  effectiveness, 141–42
  elements, 136–39
  follow-up audit, 140–41
  verification, 139–40
corrective action checklist, 177–79 (Appendix L)
corrective action plan, 136–37, 138
corrective/preventive action request
  closeout, 142–43
  example, 173–75 (Appendix K)
corroboration, of information, 81–82
criteria, audit, 77

D

data collection, 77–91
  collection plan, 48–49, 78
  examination of documents and records, 79–80
  interviewing people, 81–86
  observation of activities, 87–88
  physical examination, 86
data sorting, 111–12
datum, as evidence, 110
defect, 112
definitions, in standards, 97
department method, 60
desk audit, 53–57
directed sampling. See judgmental sampling
document evaluations, 53–57
document levels, 23–25
  and requirements, 43
documents
  examination during audit, 78, 79–80
  versus records, 43

E

element method (technique), 39, 60
ENCR4 formula, 114
Enron Corporation, 3
escorts, for auditor, 71
ethics, in auditing, 2–3
evaluation, of document, 53–57
evidence, 77, 78, 109–10
  physical, 86
exit meeting, 70, 123–28
external audits, 6–7
external requirements, 38

F

finding, 112, 116–17
  closeout, 142–43
first-party audits, 6
flowcharting, 57–59
  benefits, 59
  symbols, 58
follow-up actions, 123, 127
  exit meeting, 123–28
  recommending solutions, 133–34
  the report, 129
  report format, 130–31
  responsibilities, 128
  what to avoid, 132
follow-up audit, 139

G

good practice, 113

I

improvement point, 112
improvement potential, indicators of, 105
information analysis, 109–22
  classification of observations, 110–14
  nonconformity statements, 114–17
  overall audit conclusion, 118–22
inputs, for audit, 21–26
  purpose of audit, 25–27
  scope of audit, 22–23
  standards to audit against, 23–25
  when and where, 22
inspection, versus audit, 5–6
internal audits, 6–7
  and conflicts of interest, 15–18
interview questions, process interview, 101
interview schedule, 69
  example, 155–57 (Appendix D)
interviewing, 81–86
  guidelines, 85
  six-step method for, 84
issue, 113

J

judgmental sampling, 50

L

lead auditor, 29, 31
  and opening meeting, 65–66, 72
  responsibilities, 29–30, 31, 125
logistics, 70

M

malicious compliance, 133
management systems, process approach for, 106–7
mandatory requirements, 41–42
may, 42
meeting agenda and record, example, 151–53 (Appendix C)
meetings, during audit, 73–74
must, 42

N

nonconformance, in desk audit, 55
nonconformity, 112
nonconformity (noncompliance) statements, 114–17
  examples, 168–9 (Appendix I)
nonrandom sampling, 50
noteworthy achievement, 113
notification letter, 35
  example, 163–64 (Appendix G)

O

objectives, of audit, 37–40
observation, 113
  of activities, 87–88
  classification, 110–14
open-ended questions, 46
open-ended requirements, 94–95, 97–98, 99
  types of, 95–96
opening meeting, 65–66
  agenda, 67–72
opportunities for improvement, 116
optional requirements, 42–44

P

PDCA technique, 39–40, 99–101
  questions, 100–101
performance auditing, 105
performance standards, popular, 165–66 (Appendix H)
physical evidence, 86
physical examination, 86
planning. See audit planning
positive practice, 113
post-audit meeting, 123
prescriptive requirements, 94
preventive/corrective action request, example, 173–75 (Appendix K)
process approach, for management systems, 106–7
process audit, 6, 11, 39–40
  complex, 104
process auditing techniques, 102–6
process model, 103
process technique, 39, 99–101
  questions, 100–101
process techniques/process auditing, 94, 102–6
  closed-ended requirements, 94
  open-ended requirements, 94–95
  process technique, 99–101
product audit, 8–9, 10–11
purpose, of audits, 25–27

Q

qualitative data, 112
quantitative data, 112

R

recommendations, 133–34
records
  versus documents, 43
  examination during audit, 79–80
remark, 113
remedial action, 137–38
report, audit, 69, 129
  example, 167–69 (Appendix I)
report format, 130–31
report summary (abstract), 118
reporting, 123–34
  what to avoid, 132
reporting process, 69
requirements, 40–44
  closed-ended, 94
  in desk audit, 54–57
  identifying, 37–51
  mandatory, 41–42
  open-ended, 94–95, 97–98, 99
  optional, 42–44
  prescriptive, 94
  Type I, 95, 97–98
  Type II, 96, 98–99, 100
  Type III, 96, 97–98
  Type IV, 96, 99, 100
requirements method, 38–39
results. See information analysis

S

sampling plan, 49–50
scope of audit, 22–23
  problems outside of, 62–63
scoring, 121
second-party audits, 6
  follow-up, 140–41
shall, 41
should, 42
six-step method, for interviewing, 84
solutions, recommending, 133–34
standards
  audited against, 23–25
  performance, 165–66 (Appendix H)
strategies, auditing, 59–63
strong areas, 119–20
surprise audits, 32, 33
system approach, for management systems, 106–7
system audit, 9–10, 11, 104

T

team, audit, 29–31
terminology, 4, 12
  unclear, 97
third-party audits, 6–7
  follow-up, 140–41
traceability, 94
tracing (audit strategy), 60–61
20 basic audit principles, 181–83 (Appendix M)
Type I requirements, 95, 97–98
Type II requirements, 96, 98–99, 100
Type III requirements, 96, 97–98
Type IV requirements, 96, 99, 100

V

vague requirements, 39–40, 97
validation
  of system/process, 89–90
  versus verification, 88
value-added processes, managing, 106
verification
  of conformance, 88–89
  of controls, 80
  of corrective actions, 139–40
  of information, 81–82
  in process audit, 104
  versus validation, 88

W

weak areas, 119–20
work order, example, 149–50 (Appendix B)
working papers, 51, 74–75

Y

yes/no questions, 45–46, 85–86