First, what did you answer when the auditor asked you why you hadn't audited sub-processes? I thought your rationale included here was acceptable--there are so many it would be unreasonable to review them all. Perhaps though, a sampling from one of the five main processes would be appropriate. The choice of process for which a lower-level sampling would be reviewed might change periodically, or every x audits, or based on some other indicator of priority. In support of the auditor's perspective, if you never get to the lower-level processes how do you know they are conforming? It is often the case, especially in older, more established operations, that gaps exist between what is written and what is actually being done. Thus, even when the output is conforming--suggesting that the process itself must be conforming--there might still be hidden efforts being made to make it so. Also, and in the spirit of continuous improvement, if you don't dive into the details how will you know what needs to improve? I appreciate your position. Keep the faith.
1. Sit down with the process owner of each of the five major processes and ask them which would have the most impact on performance (customers, product, cost, etc.) if they failed.
2. Look at performance data (e.g., customer feedback, complaints, nonconforming material, delivery performance, equipment downtime, ...) to identify which processes may be having most difficulties. Review corrective actions to see what processes were involved in the nonconformity.
Also, consider that you can also not just audit for compliance, but also to look for opportunities to improve. You could have process owners/subowners participate in these audits as observers and discuss what you see. Can use a lean perspective, quality defect perspective, ...
oh, and next year I hope to not include any managers in my internal audits so I can hear from the people in the trenches. (Except when I audit leadership / mgmt review.)
and note, Some auditors just like to be painful.
Does your company have an SOP with a little more clarity on how you determine your audit plan for the year. Maybe that would help in your external audit, as you can show him you're meeting the standard and your procedures.
Matthew, your pose a good question. I dislike the feedback from your auditor a lot. For several reasons. If we go to the basics, you have several types of processes (management, core, support, etc.) Plus your mention of 5 main (core) processes and the subprocesses. In the “old days” people tried to audit by clause each year and got at least as frustrated as you message sounds.
I agree that your logic for selecting what should be audited and how often the “topics” should be audited needs to have logic behind the approach. Several different approaches are valid. It is more than what I can explain here. If you want to chat and discuss different approaches, book a free call here:
Well articulated! Yes Risk based approach is the best way forward. We should not be doing internal audits for audit sake.
You can’t audit your own work. You will have to train a second auditor for that.
Hi Matthew, it looks like you are getting some traction on your post (I'm thinking in December members were doing holiday things when this was originally posted) :)
A Process Approach to auditing is wonderful, you consider the Man/Machine/Methods/Metrics of the process and get a holistic view of the process. I am sorry to hear your training experience felt rushed. I would encourage you to continue to take on learning programs on your own. ASQ offers many free webinars that can further enhance or reinforce your learning. The QMD and Audit Divisions in particular have monthly webinars and most you can view online later if you miss the scheduled time. Check them out. Make sure you are receiving emails from ASQ and that your settings allow for eblasts, etc. If you need help finding the webinars, I am on the Boards of both divisions and have a list of several of them, just reach out.