Using of Risk Based Thinking When Creating Your Internal Audit Schedule

Posted by Craig Thornton

Compliance at it's Best

Last week found me on a small plane flying over New Zealand’s picturesque South Island.

I sat right behind the pilots and could see how they used their quality system to fly the plane. Checks and double checks were performed by the Captain and the First Officer. They communicated regularly. They were fully aware of who had responsibility for every task.

I thought – “that’s compliance at its best”.

Then I remembered a company I visited just last week which had caused me to slap my forehead and think, “oh boy, that was compliance at its worst”.

I spent a day providing internal auditor training for this company. They have been ISO 9001 certified for over 20 years. They’ve been through hundreds of audits, both internal and external. They have their ISO certificate hanging behind their reception desk.    


They Had Serious Quality Issues

As my training progressed it became apparent that the company had been experiencing quality issues with one particular customer.

Serious issues.

Issues that had driven the customer to complain many times over a period of years. Issues that were hurting the customer so badly that they were planning to make a special audit of the company to try and finally sort things out.

The stakes? Contracts worth millions of dollars.

The problems the customer was experiencing pointed to underlying issues with both the customer complaint processes and the corrective and preventive action processes.

Keen to delve deeper, I looked back over the last few internal audit reports.

First I noted that an external consultant had conducted the audits, at which point alarm bells started ringing for me. Then I was amazed to find that incredibly – and frighteningly - the internal audit reports contained no mention of these serious quality issues.

Not one.

I did see a lot of box ticking, though, enough to ensure that they continued to meet the clauses of the ISO 9001 standard.

What does bad compliance look like?

Bad compliance comes in many forms. This kind is perhaps the most dangerous.

Often there is a level of complacency which can come with having ISO certification.

We tick all the boxes, therefore we’re okay!

When this occurs it is obvious to me that the managers involved don’t have a clue what a quality system is actually for. All they know is they have to have ISO certification.

They don’t realise that they potentially have an immensely powerful tool that can take their company to an outstanding level of performance. Instead, they use this immensely powerful tool to … decorate their reception.

Here’s the thing: if there aren’t any boxes on your audit quiz that directly address your problem – in this case, an important customer frothing at the mouth with frustration - you may as well be taking one of those “which celebrity do you most resemble?” quizzes on Facebook.

To get helpful answers, you need to be asking the right questions (hint: helpful answers don’t usually fit into a checkbox).

You need to ask questions based around risk rather than questions which use the check-list mindset (the check-list mindset likes to focus on how documents look.

In one internal audit, the auditor proudly picked up that the quarantine stickers were spelled incorrectly (that there was over $20,000 worth of goods in quarantine that no-one had done anything about wasn’t addressed. Yep, that really happened).

Here’s what we did:

  1. First I told them to just let the certification body audit to ISO 9001. I explained that they had bigger, more important things to focus on.
  2. Then I outlined that they needed to harness their system by using risk-based thinking to solve knotty problems.
  3. To make this happen we created a new audit schedule by focusing on clause 8.2.2 of the ISO 9001 standard. We looked at the status and importance of their processes. We talked about risk and what that looked like. This really opened their eyes because they could see that they could create an audit schedule based on the status and importance of their processes. They could take risk into account.
  4. They could use risk-based thinking to determine what was important for them and their clients.
  5. Instead of just auditing section 4 or 5 or 6 or 7 or 8 of ISO 9001, they could focus on what was really important.

Immediately we observed two significant benefits - the audit schedule had become easy to do and – most importantly - it was starting to add real value to the organisation.

The takeaway

Here’s how to create your own powerful audit schedule:

  1. Throw out your old, tired audit schedule that deems all processes as having the same importance. It’s worse than useless.
  2. Review all your processes for status and importance to you and your clients.
  3. Review the risks that your company is exposed to.
  4. Create an internal audit schedule that focusses on your processes that are of high status and importance to your clients.

Remember - what you think the external auditor wants isn’t actually that important. An external auditor once asked a client – and I’m not making this up either - “Have you ever considered changing the font type to Times New Roman in your procedure?”



Tags: Internal Audit, Risk Management, risk-based thinking