Chapter 13

D. Quality Audits

Part II.D.1

quality system audit, as defined by ANSI/ASQC A3-1987, is a systematic and independent evaluation of the quality system and its execution, looking at both design and performance of the system. It is a fact-finding process that compares actual results with specified standards and plans. It provides feedback for improvement. It differs from inspection, which emphasizes acceptance or rejection, and surveillance, which is ongoing continuous monitoring.

1. TYPES OF AUDITS

Describe and distinguish between various types of quality audits such as product, process, management (system), registration (certification), compliance (regulatory), first, second, and third party, and so on. (Apply) Body of Knowledge II.D.1

Quality audits may be classified according to the party conducting them, their scope, and the audit method used. In general, three parties are involved in an audit: (1) the organization requesting the audit, or client, (2) the party conducting the audit, or the auditor, and (3) the organization to be audited, or the auditee. When the auditor is an employee of the organization being audited (auditee), the audit is classified as an internal quality audit. For the purposes of maintaining objectivity and minimizing bias, internal auditors must be independent from the activity being audited. On the other hand, when the auditors are employees of the client or an independent organization or third party hired for the purpose, the audit is termed an external quality audit. In this case, the auditors are clearly independent of the auditee and are in a position to provide the client with an unbiased, objective assessment. This is the type of audit required to permit listing in a register or to meet mandatory quality requirements. However, the time required and costs involved in an external audit are much higher as compared to internal audits. 100

Chapter 13: D. Quality Audits 101

Another way to classify quality audits is by scope and extent. An audit may be as comprehensive as needed or requested by the client. The most comprehensive type of audit is the quality system audit, which examines suitability and effectiveness of the system as a whole. This involves both the documentation and implementation aspects of the quality system. Reasons for initiating a system audit may range from evaluating a potential supplier to verifying an organizations own system. Audits of specific elements of a system, processes, products, or services, are also possible. These are limited in scope and are typically referred to using a modifier preceding the term quality audit. Examples include process quality audits and product quality audits. The method by which the quality audit is conducted provides yet another way to classify. Audits may be conducted by location or function. A location-oriented audit provides an in-depth examination of all the quality-related activities within a given location. In a function-oriented audit, an activity is examined in all the locations where the activity is carried out. It is important to note that these classifications are not mutually exclusive and, in practice, cross-classifications of a quality audit are possible. The following four purposes of quality audits are listed in ANSI/ISO/ASQ QE19011S-2008: 1. To meet requirements for certification to a management system standard 2. To verify conformance with contractual requirements 3. To obtain and maintain confidence in the capability of a supplier 4. To contribute to the improvement of the management system

Part II.D.2

2. ROLES AND RESPONSIBILITIES IN AUDITS

Identify and define roles and responsibilities for audit participants such as audit team (leader and members), client, auditee, and so on. (Understand) Body of Knowledge II.D.2

Each of the three parties involved in an auditthe client, the auditor, and the auditeeplays a role that contributes to its success. The client, the party that initiates the audit, selects the auditor and determines the reference standard to be used. The client, typically the end user of the audit results, determines the type of audit needed (system, process, product, and so on) as well as its time and duration. The selected auditor, whether an individual or a group, needs to adhere to the role of a third party. That is, the auditor must maintain objectivity and avoid bias in conducting the audit. The auditor must comply with any confidentiality requirements mandated by the auditee. An experienced individual is appointed

102 Part II: The Quality System

as lead auditor to communicate audit requirements, manage the auditing activities, and report the results. For rules, qualifications, and evaluation criteria for an auditor, see ANSI/ISO/ASQ QE19011S-2008. Finally, the auditee has the responsibility of accommodating the audit, which entails providing the auditors access to the facilities involved and copies of all relevant documentation. The auditee is also expected to provide the resources needed and select staff members to accompany the auditors.

3. AUDIT PLANNING AND IMPLEMENTATION Part II.D.3

Proper planning is a key factor in achieving an efficient quality audit. Planning should be conducted with consideration of the client expectations. This includes the scope, depth, and time frame. The lead auditor has the responsibility of planning and conducting the audit and should be authorized to perform these activities. Planning an audit, just like any other activity, should address the questions of what, when, how, and who. That is, what elements of the quality system are to be audited? Against what document or reference standard? The answers to both questions are determined by the client and should be communicated clearly to the auditee. When to start and when to conclude the audit? A schedule of the audit activities needs to be prepared and communicated to both the client and the auditee. It is the lead auditors responsibility to inform the client of any delays, report their reasons, and update the completion date of the audit. The method of conducting the audit also should be addressed. Working documents need to be prepared, including checklists of the elements to examine, questions to ask, and activities to monitor. A number of references provide generic checklists that can be used as templates. However, it is best to design a checklist to suit the audit at hand and its specific scope and objectives. Forms for collecting auditors observations and the supporting evidence also should be included in the working document. Working documents typically are reviewed by an experienced auditor and approved by the lead auditor before implementation. It is recommended that the auditor explain the methods planned to the auditee. This should help the organization better prepare for the audit and ease the fear usually attached to the process. The question of who will examine specific elements, processes, or products addresses the qualifications and experiences of the individual auditors (assessors) needed. With the client expectations in mind, the lead auditor should assign the various tasks among his or her team.

Chapter 13: D. Quality Audits 103

An audit is usually conducted in three steps. (1) A pre-examination or opening meeting with the auditee marks the beginning of the process. During this meeting, the lead auditor introduces team members to the senior management of the auditee and explains the objectives of the audit and the methods used. The auditee is represented by selected members of the organization who facilitate and assist in the process and submit a documented description of the quality system or element to be examined. Issues regarding proprietary information typically are addressed and resolved before starting the audit. The next step (2) involves a suitability audit of the documented procedures against the selected reference standard. Observed nonconformities at this stage of the audit should be reported to both the client and the auditee for immediate action. The auditing process should pause to allow for corrective measures. For the third step (3), the auditor examines in depth the implementation of the quality system. The auditor maintains records of all nonconformities observed and the supporting data. Provisions should be made in the audit plan to allow additional investigation of clues suggesting nonconformities revealed by the data collected. The auditee management should be made aware of, and acknowledge, all the nonconformities observed during the audit. This step concludes with a closing meeting with the auditees management for a presentation of findings. In some cases, the auditor may be required to recommend corrective measures for improving the system. However, it is up to the auditee to plan and implement these measures in a way that best suits the organization.

Part II.D.4

4. AUDIT REPORTING AND FOLLOW-UP

Identify, describe, and apply the steps of audit reporting and follow up, including the need to verify corrective action. (Apply) Body of Knowledge II.D.4

A final report is submitted to the client indicating the facts of the audit and conclusions regarding the ability of the subject system, element, process, or product to achieve quality objectives. Proper planning and execution of the audit facilitates the preparation of this report and provides data to support its conclusions. The lead auditor is responsible for the accuracy of the report and the validity of its conclusions. The report should be submitted to the client, who in turn is responsible for providing a copy to the auditee. The audit final report should include, at a minimum, the following: 1. Type of audit conducted 2. Objectives of audit 3. Identification of involved parties: auditor, auditee, and third party

104 Part II: The Quality System

4. Audit team members 5. Critical nonconformities and other observations 6. Audit standards and reference documents used 7. Determination of proper corrective action(s) 8. Duration of audit 9. Audit report distribution and date 10. Audit results and recommendations

Part II.D.4

11. Audit-related records Should the auditee initiate improvement efforts to correct nonconformities, the three parties should agree on a follow-up audit to verify the results. The plan, audit, report, and improve cycle may be repeated whenever systems and/or requirements change. The results attained provide a measure of the effectiveness of the audit. Improvement efforts also should be directed to identifying and eliminating the root causes of reported nonconformities and identifying the corrective action(s) to be taken. Root causes represent the main reason behind the occurrence of a nonconformance or an undesirable condition or status. These corrective actions may then be validated by performing tests, inspections, or even more audits.