Auditor Profile: Six Decades of Auditing

At 80, Dr. Andrew Perry has recently renewed his auditor certifications to ISO 9001:2015, ISO 13485:2016, and AS9100D. He’s been conducting audits for almost 60 years. Although now semi-retired, he still conducts 10–15 audits per year and plans to continue working from his Southern California home as long as he can.

Perry started performing audits in 1960 for the Inspector of Naval Material at Westinghouse Baltimore-Washington Friendship Airport Division, which later became part of Defense Contract Administration Services.

In the mid-1960s, he joined the Hughes Aircraft Co. in El Segundo, California, as a project quality assurance engineer on the Surveyor project, the first spaceship that went to the moon and gathered soil samples for analysis.

From there, he moved to the Apollo program where he helped audit all phases of design and production of the Apollo instruments. These audits consisted mainly of basic assessments without checklists to discover problems in design and manufacturing and create corrective actions.

After working with the Apollo program in Minneapolis, Perry moved to Los Angeles, where he worked on various space projects for Hughes Aircraft. He later moved to Hughes’ Santa Barbara Research Center, where he audited suppliers to the former aerospace standard checklist NPC 200 1, 2, and 3.

In 1976, Perry began his career in the nuclear field working on reactor electric penetration assemblies for Bunker Ramo Amphenol. Here, Perry reflects on his long career in the auditing profession.

 

What was the profession like when you performed your first audits? When I performed my first audits, companies worldwide were trying to implement various concepts of the Fathers of Quality: W. Edwards Deming’s 14 Points of TQM, Joseph M. Juran’s Quality Control Handbook, Armand V. Feigenbaum’s Total Quality Control book, Philip B. Crosby’s book Quality Is Free and his zero defects program (which we tried to implement on the Surveyor Project), and Professor Kaoru Ishikawa’s handbook, What Is Total Quality Control? defining quality circles.

What were you looking for? Audits were mainly product audits and inspection/test system audits, looking for production controls, product conformance through inspections, and tests.

How did you present the audit report? Audit reports were usually issued to affected managers and professional personnel in the form of memos, detailing findings observed in quality control and each of the production departments visited. Sometimes I added photos to the report.

How have you seen auditing change over the years? I’ve seen notable changes, from the simple self-made audits described above, to audits performed by superbly trained auditors in accordance with applicable standards and ISO 19011:2011.

How often are you performing audits now? Now, being semi-retired, I can afford to pick and choose what audits I perform, based on my interest in the company and product line, as well as how I relate to their management.

Do you plan to retire at any point? I plan to continue as long as I can, sharing with as many as possible the practical applications I have learned in my 60 years of industrial experience.

What advice would you give new auditors? Start out with training to your applicable ISO/AS/TS standard and ISO 19011:2011, conducted by a registrar, certification body, or other internationally recognized entity. Keep current with applicable courses and ASQ meetings, qualify as an Exemplar Global Lead Auditor, and try to become a coach in your company.

Is there a standard you believe could be improved? All the current standards are excellent and are constantly being reviewed by experts worldwide.

The post Auditor Profile: Six Decades of Auditing appeared first on The Auditor.

ANSI Seeks Comments on Integrating a Business Excellence Framework with Management System Standards

The International Organization for Standardization (ISO) has circulated a proposal to study how to integrate a business excellence framework with management system standards. Those interested in commenting on the proposal have until March 4 to submit their comments to the American National Standards Institute (ANSI).

The Standards Council of Canada (SCC) submitted the proposal to ISO, which states that organizations simultaneously implementing management systems with business excellence frameworks are often challenged by lack of alignment. This is due to multiple factors, including organizational design and structure, responsibilities matrix, contextual understanding of the linkages and interdependencies, silo mentality, and turf protection.

The proposal reads: “‘Guidelines on Integrating a Business Excellence Framework with ISO Management System Standards’ will provide the roadmap on integrating the national/international business excellence frameworks with management system standards, for enhancing organizational efficiency, facilitating effective decision-making, and promoting transparency, innovation, and continuous improvement.”

The field of work will exclude the development of an ISO business excellence standard and/or development of ISO management system standards. Instead, it will focus on the integration aspects, available best practices, and provision of useful practical tips for better organizational management.

Relevant stakeholders would include industry and commerce in large industry, SMEs, government, standards application businesses, and nongovernmental organizations, among others.

All interested stakeholders are invited to review the proposal, which includes the full listings of relevant documents at the international, regional, and national levels, as well as affected stakeholder categories that may benefit from or be impacted by the proposed standard.

Please submit comments to Steven Cornish, ANSI senior director of international policy (scornish@ansi.org), by close of business on Friday, March 3, 2017. Based on the input received, the ANSI ISO Council will then be asked to approve an ANSI position and comments to be submitted to ISO before its April 12, 2017, deadline for voting on this proposal.

The post ANSI Seeks Comments on Integrating a Business Excellence Framework with Management System Standards appeared first on The Auditor.

Taking Auditing to New Level with International Standard Under Revision

ISO’s popular standard for auditing management systems is under revision and has just reached the first voting stage, a crucial step in its development.

Organizations are increasingly turning to management systems in a quest to be more effective and save time and money. Many companies have several different management systems, each focusing on different areas, such as IT, information security, quality, and environmental management. ISO 19011, Guidelines for auditing management systems, will help with the effective audit of those management systems to ensure continuous improvement, allowing harmonization across systems and a uniform approach of the auditing process where there are multiple systems in place.

The standard is currently being revised to reflect the growing number of management system standards (MSS) and the recent revisions of some of the most widely used, such as ISO 9001 for quality and ISO 14001 for the environment. It has just reached Committee Draft (CD) stage, meaning those countries involved in its revision have an opportunity to make comments on the draft.

Denise Robitaille, chair of ISO/PC 302, the ISO project committee responsible for the revision, said that when the standard was last published in 2011, there were 11 management system standards, but that number has since grown significantly to 39, with 12 others in development.

“As organizations see the benefit and need for management systems, there has been an increase in the number of sector-specific standards to respond to the mandate.

“There are now MSSs that cover areas such as health and medical, environment, services, information technology and more. In addition, the two most popular MSSs – ISO 9001 and ISO 14001 – have recently been updated, so the auditing of these systems needs to reflect the variety and number of standards being developed.”

ISO 19011 is applicable to all organizations that need to conduct internal or external audits of management systems or manage an audit programme. It is intended to apply to a broad range of potential users, including auditors, organizations implementing management systems and organizations needing to conduct audits of management systems for contractual or regulatory reasons.

ISO 19011 also provides guidance on external audits, including certification and supplier, which support the implementation of the MSS.

The revised version of ISO 19011 is due to be published mid-2018.

This article has been republished in full with permission from ISO.

The post Taking Auditing to New Level with International Standard Under Revision appeared first on The Auditor.

A Little Data’ll Do Ya

An introduction to basic statistics and data analysis for auditors

So what is a process approach anyway? Wait a minute. Hold up! This article is about data analysis for auditors, isn’t it? Well, yes, but before we can talk about how auditors can analyze data, we need to understand the processes from which this data comes.

A process can be thought of as an activity that transforms inputs into outputs. In manufacturing, the 6Ms—man, machine, material, measure, method, and mother nature—are often identified as process inputs, with the understanding that problems with process outputs typically come from problems with process inputs. This is shown in figure 1.

In other words, the root causes of nonconforming outputs tie directly back to the process inputs. You don’t always need to use the 6Ms though. It’s only important to identify inputs that make sense for your organizational processes. Data from most process outputs align themselves in a normal distribution, or bell-shaped curve. The bell-shaped curve is a graphical representation of process variation, of which there are two kinds. Common cause variation is that which is normal to any process. Special cause variation is that which falls outside of the +/- three sigma control limits and is caused by an external factor. Special cause variation should be investigated to determine root cause and apply corrective action.

Having a normal distribution is important because bell curves allow for a more profound understanding of process behavior through the use of statistical tools and methods. For example, they help determine whether a given process is producing normal variation or whether some special cause is adversely affecting it. They can also show whether there’s a statistically significant difference between two events. Additionally, we can make certain predictions about a population based on the bell curve, such as how likely something is to be true or whether it will fall within a certain range.

These benefits are so important that when process data doesn’t fall into a normal distribution pattern, the data is often transformed. Transformation is a kind of “statistical hocus-pocus” that seeks to answer the question: What would this data look like if it was normally distributed and which statistical tools can we apply based on this theoretical model? Data transformation is thankfully outside of the scope of this article.

The process width of six standard deviations (+/- 3 standard deviations from the process center) is considered the voice of the process. This is the portion underneath the bell-shaped curve where 99.7 percent of the data falls, as shown in figure 2.

Someone way smarter than me years ago decided that 99.7 percent was a high enough percentage of the population to draw conclusions about the entire population. It’s this plus or minus three standard deviations from the process center where control chart control limits are set. Note that uncontrolled doesn’t necessarily mean out of specification. You want control limits to be within specification limits so that if a control limit is passed, you have time to either troubleshoot the process or make adjustments before parts begin to consistently go out of specification. The two most important things to understand about a process are: Is it stable and in control? Is it capable?

Process capability is simply the ability of a process to consistently make parts to specification. Process capability indices compare the process width to the difference between the upper specification limit and lower specification limit. The most commonly used capability indices are Cp, Cpk, Pp, and Ppk. When voice of the process equals voice of the customer then the capability index is one. Less than one and the process is not capable. An industry rule of thumb when a capability requirement is called out in a specification is Cp/Cpk of greater than or equal to 1.33 and Pp/Ppk greater than or equal to 1.67.

Cp/Cpk shows short-term variation. Pp/Ppk shows long-term variation, which captures more special cause variation. It is for this reason that Pp/Ppk will always be lower than Cp/Cpk. Cpk and Ppk are the preferred methods for evaluating process capability, as they both account for process location and width.

Though statistical software often shows capability indices as a part of the control chart graphic, it’s important to understand that capability indices are not an element of control charts. Control charts (graphical) and capability indices (analytical), although complementary to one another, are two separate and distinct tools.
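The control limits and the short-term and long-term capability indices described above, worked through in Python as an added example that is not part of the original article. The measurements and specification limits are constructed, and estimating short-term sigma from the average moving range (d2 = 1.128) and the simple run check are assumptions about method, since the article gives no formulas.

```python
"""Added example: control limits and capability indices for individual readings."""
from statistics import mean, stdev

D2_N2 = 1.128  # standard control-chart constant d2 for moving ranges of size 2

# Constructed sample data: twelve consecutive measurements with a slow upward drift.
BASELINE = [9.8, 9.9, 9.8, 9.9, 10.0, 10.0, 10.1, 10.0, 10.1, 10.2, 10.1, 10.2]
NEW_POINTS = [10.1, 10.3, 10.0]   # constructed later readings checked against limits
LSL, USL = 9.5, 10.5              # constructed specification limits


def sigma_within(values):
    """Short-term sigma: average moving range between neighbours, divided by d2."""
    moving_ranges = [abs(b - a) for a, b in zip(values, values[1:])]
    return mean(moving_ranges) / D2_N2


def control_limits(values):
    """Return (LCL, center, UCL): the process center +/- 3 short-term sigma."""
    center = mean(values)
    spread = 3 * sigma_within(values)
    return center - spread, center, center + spread


def capability(values, lsl, usl):
    """Cp/Cpk use short-term sigma; Pp/Ppk use the overall sample deviation."""
    center = mean(values)
    result = {}
    for width, located, sigma in (("Cp", "Cpk", sigma_within(values)),
                                  ("Pp", "Ppk", stdev(values))):
        # Width index: specification width over the six-sigma process width.
        result[width] = (usl - lsl) / (6 * sigma)
        # Location-aware index: distance to the nearer spec limit over 3 sigma.
        result[located] = min(usl - center, center - lsl) / (3 * sigma)
    return result


def meets_minimums(indices, short_term_min=1.33, long_term_min=1.67):
    """Compare each index with the rule-of-thumb minimums quoted in the article."""
    return {name: value >= (short_term_min if name.startswith("C") else long_term_min)
            for name, value in indices.items()}


def out_of_control(values, lcl, ucl):
    """Indices of points outside the control limits (possible special cause)."""
    return [i for i, v in enumerate(values) if v < lcl or v > ucl]


def longest_run_one_side(values, center):
    """Longest streak of consecutive points on one side of the center line."""
    longest = run = prev_side = 0
    for v in values:
        side = (v > center) - (v < center)   # +1 above, -1 below, 0 on the line
        if side == 0:
            run = 0
        elif side == prev_side:
            run += 1
        else:
            run = 1
        prev_side = side
        longest = max(longest, run)
    return longest


if __name__ == "__main__":
    lcl, center, ucl = control_limits(BASELINE)
    indices = capability(BASELINE, LSL, USL)
    print(f"LCL={lcl:.3f} center={center:.3f} UCL={ucl:.3f}")
    print({name: round(value, 2) for name, value in indices.items()})
    print("meets minimums:", meets_minimums(indices))
    print("new points outside limits:", out_of_control(NEW_POINTS, lcl, ucl))
    print("longest run on one side:", longest_run_one_side(BASELINE, center))
```

On this constructed data every baseline point sits inside the control limits and Cpk (about 2.03) clears 1.33, yet Ppk (about 1.19) falls short of 1.67 because the slow drift inflates the long-term spread. That gap between the short-term and long-term indices is the kind of result that should prompt the trend questions listed later in the article.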

Now that we have covered the basics, let’s talk about data review. As you review an organization’s data analysis program, ask what information is reviewed, by whom, and what the data is used for. When looking at data, don’t just check whether it’s within specification or even in control; also look for trends in the data. Understanding how to respond to uncontrolled conditions or negative trends is an often-overlooked portion of the less mature QMS.

“Decisions based on the analysis and evaluation of data and information are more likely to produce desired results” –ISO 9000:2015 2.3.6.1

What does this mean to us as auditors? As auditors we should be looking to confirm the maxim below.

  • Don’t collect data if you aren’t going to plot it.
  • Don’t plot data if you aren’t going to analyze it.
  • Don’t analyze data if you aren’t going to do anything with the results.

Ideally, you would want to see process data evenly distributed around the process average, as shown in figure 5.

Some examples of commonly seen trends that would warrant further investigation are shown in the following figures. You will note that some of these changes can be subtle, so you will need to be on the lookout for them.

There’s a set of rules developed by Westinghouse in the 1980s called the “Westinghouse Rules” that gives additional examples of plotted data that might require investigation. However, you don’t need to be a statistical expert and remember every guideline for when to launch an investigation based on data. You should, however, be able to recognize when there is the possibility of special cause variation indicated by plotted data and know what questions to ask.

Some of the questions that an auditor might ask when reviewing the process monitoring program are:

  • What do you do when an adverse trend is encountered?
  • What do you do when an out of control condition is encountered?
  • How do you know what to do when an out of control condition or adverse trend is encountered?
  • If Cp/Cpk or Pp/Ppk data is captured, ask if there is a minimum requirement?
  • How do yields or other process data compare across shifts or between similar lines?
  • Is there a structured program in place for review of and response to adverse trends/conditions in data?
  • How do you identify positive trends that may point to an opportunity to transfer a best practice from one process or work center to another?
  • What training is provided in SPC and data analysis?
  • Are the daily metrics captured aligned with organizational goals and objectives?
  • How were the control or specification limits selected? Don’t assume that a statistical or even logical method was used.

In our data-driven society, more data is available than ever before. It’s important to not just understand the data that we are looking at but to also know which data to review.

When looking at data analysis in an organization, it’s important to understand how flow down of strategic goals and objectives, as called out in ISO 9001:2015, is accomplished. It should be clear how operational targets support tactical objectives, which in turn support strategic goals. Each goal and objective should have an associated metric that will indicate when the goal or objective has been met. When there is not a clear link between goals, objectives, and metrics, it may sometimes be the case that unnecessary metrics are being tracked. Let’s look at the following example of proper flow down of corporate vision.

Vision: Become marketplace leader within the next five years.

Strategic goal: Increased market share

  • Metric: Industry ranking

 

Tactical objective: Improved quality

  • Metrics: Reduced customer return rate and increased customer satisfaction survey scores

 

Operational targets: Reduce process variation.

  • Metric: Lower scrap rate

 

We seek to derive insights from the review of data. Through those insights, data is transformed into information upon which decisions can be based.

Reviewing data doesn’t just occur by reviewing charts on the manufacturing floor. Often as part of an audit we are called upon to review validation reports. This may appear to be a daunting task. However, you don’t have to have a degree in statistics to provide a thorough review. Here are some basic tips:

  • Is the data that was specified in the protocol in the report?
  • Have all of the required signatories signed off?
  • Have all the success criteria been met?
  • If all of the success criteria have not been met, were appropriate procedures followed?
  • Any red lines crossed on the graphs?

 

Auditors play an important role in their assessment of an organization’s data analysis program. Understanding basic statistical tools and techniques will allow an experienced auditor to provide a thorough review, regardless of their background. I will close with this quote by W. Edwards Deming: “In God we trust. All others please bring data.”

 

About the author

Lance B. Coleman has more than 20 years of leadership experience in the areas of quality engineering, Lean implementation, quality, and risk management in the medical device, aerospace, and other regulated industries. He has a degree in electrical engineering technology from the Southern Polytechnical University in Marietta, Georgia, and is an American Society for Quality Senior Member, Certified Quality Engineer, Six Sigma Green Belt, Certified Quality Auditor, and Biomedical Auditor. He is also an Exemplar Global Principal QMS Auditor. Coleman is chair of U.S. TAG 302 and a voting member of U.S. TAG 176.

He is the author of Advanced Quality Auditing: An Auditor’s Review of Risk Management, Lean Improvement and Data Analysis (Quality Press, 2015) which has been nominated for an ASQ Crosby Award. Additionally, Coleman is an instructor for the ASQ Certified Quality Auditor Exam Preparatory and FMEA courses. As principal consultant of Full Moon Consulting, he has presented, trained, and consulted throughout the United States and abroad.

The post A Little Data’ll Do Ya appeared first on The Auditor.

New iNARTE Customer Portal

The new customer portal is up and fully functional. We will continue to make improvements to make the portal more user friendly. If you haven’t done so already, please log in to the iNARTE self-service portal at http://inarte.org/login/ using the username and password you were sent via email. If you did not receive the email, please contact our Milwaukee office.

Using the portal, you can change your personal details such as addresses and phone numbers to ensure that your hard-earned certificates reach you. You also have the ability to view and pay invoices, and stay up to date on all the upcoming iNARTE and industry-related events and news.

The post New iNARTE Customer Portal appeared first on iNARTE.

IEEE Product Symposium: Taiwan

In December, Elya Joffe represented iNARTE at the IEEE Product Safety Symposium in Taipei, Taiwan.

The symposium had a strong attendance with over 80 attendees—all practicing compliance and product safety engineers, and a small number of EMC engineers.

Elya delivered a presentation on the iNARTE PSE program and its expected evolution. The presentation drew great interest and led to many inquiries for more info about the iNARTE program.

Elya even had his photo taken with two proud iNARTE certified professionals.

We plan to attend further conferences for all areas we certify in the coming year. Check future newsletters for events that we will be attending.

The post IEEE Product Symposium: Taiwan appeared first on iNARTE.

Auditing ISO 9001:2015 Without Documents

One of the most frequent concerns raised by auditors about ISO 9001:2015 is how to audit a quality management system (QMS) that has little or no documentation. ISO 9001:2015 doesn’t include specific requirements for documented procedures and doesn’t require a quality manual. However, it does require “documented information” related to a number of requirements. Several of the new requirements: context of the organization (clause 4.1), actions to address risks and opportunities (clause 6.1), and organizational knowledge (subclause 7.1.6), have no such reference. So how can these “documentless” processes be audited?

ISO 9001:2015 defines an audit as a “systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” The standard defines audit criteria as a “set of policies, procedures or requirements used as a reference against which objective evidence is compared.” Finally, ISO 9001:2015 defines audit evidence as “records, statements of fact or other information, which are relevant to the audit criteria and verifiable.”

It may appear from these definitions that audit evidence and audit criteria must be documented. However, the key questions that come to mind when limited or no QMS documentation is available are:

  • How are audit criteria established?
  • What audit evidence is available to evaluate conformance?

The answer to these questions is found in understanding the QMS from the process approach and applying essential auditing skills.

Consider that every activity within an organization is a process that—by definition—takes inputs and converts them to an output typically of greater value through defined steps. Thus, the basic audit criteria for any process can then be derived through a set of process questions:

  • What is the desired output?
  • What input triggers action toward the desired output?
  • What steps are taken to transform the input to the output?

Every process must have a process owner who’s responsible for managing the process and its related outputs. Specifically, a process owner is responsible for:

  • Clearly identifying process output requirements
  • Determining process interfaces, including input triggers
  • Defining how the process is to be executed (process sequence and actions)
  • Establishing process performance goals
  • Evaluating potential process risks in achieving output requirements and process performance goals
  • Determining appropriate process and output controls
  • Identifying, obtaining, qualifying, and maintaining process resources
  • Monitoring ongoing process performance (process execution and outputs, both internal and external)
  • Changing/improving the process as necessary

Recognizing the process owner’s role makes it clear that audit criteria can be determined by interviewing the process owner. The process owner’s responses to the questions then become the basis for gathering the objective evidence to verify conformance to the stated audit criteria. This approach requires auditors to exercise several critical auditing skills:

  • Initiating the audit by interviewing the process owner to establish the audit criteria. This will challenge auditors to carefully listen to the process owner’s responses to audit questions and quickly organize this information into a process framework.
  • Be able to quickly develop open-ended audit questions based on the process owner’s response to the questions and gather relevant audit evidence from personnel working in the QMS process, including the process owner. This technique for gathering objective evidence is often referred to as corroboration.
  • Be capable of synthesizing auditee responses to determine alignment with audit criteria as described by the process owner and recognize relevant audit trails for exploring the sequence and interaction of QMS processes.

While this approach to auditing certainly depends heavily on auditors’ listening skills and ability to organize information, it also offers greater flexibility in the depth of questioning that can be pursued during an audit. The auditor is no longer limited to questions related to whatever is stated in QMS documentation.

This does mean a bit more work for the auditor—especially during the audit—and perhaps auditees will be nervous not having a script to follow when responding to auditors’ questions. However, the potential for exploring potential risks and opportunities related to QMS processes is much greater. These benefits will increase the value of audits and the information they can provide to process owners and the organization’s leadership in better utilizing their QMS for increased customer satisfaction and improved business performance.

About the author

Cathy Fisher is founder and president of Quistem LLC, which provides online and onsite management systems implementation, update, and assessment services for manufacturers and other industry sectors. Cathy has more than 30 years of respected auditing expertise, having led internal audit programs at many manufacturing organizations during her career. Cathy also has extensive experience conducting management system registration audits, as well as establishing supplier evaluation and development programs.

She has held numerous auditor certifications including ASQ CQA, RAB-Certified Quality Systems Auditor, and ISO/TS 16949 IATF-recognized auditor. She has conducted internal and external audits that total more than 1,000 audit days and trained hundreds of management systems professionals as auditors. Cathy is passionate about the value auditing can bring to organizations and enjoys mentoring the next generation of technical professionals to develop their auditor excellence.

The post Auditing ISO 9001:2015 Without Documents appeared first on The Auditor.

Prepare for a Decentralized Management Audit Using Modular Kaizen Tools

Today’s audit environment is truly global. Gone are the days of small, local teams working on focused audits within a single department. Seldom are all audit members in the same time zone or even the same continent.

Preparing for an audit in a decentralized function takes complex planning and attention to detail. Effective decentralized management audits require the right skills focused on the right data within manageable time frames. Modular Kaizen is an integrated systems approach to organizational performance that supports the complex planning required for decentralized audits.

What is Modular Kaizen?

Modular Kaizen is a modification of the traditional kaizen improvement process that provides the same rapid results without removing critical personnel from daily operations. It’s conducted over a series of short activities designed to fit into a highly driven work environment.

Modular Kaizen was developed as a method for implementing a culture of quality improvement within an agency of the U.S. federal government during the H1N1 flu virus response in 2009. The agency was deeply involved in both the global preparation for and response to the effects of the H1N1 virus. Key personnel involved in the development of the cultural quality framework were leading scientists in the efforts surrounding the H1N1 epidemic. I was challenged with leading globally dispersed teams with subject matter experts busy working on life-saving activities.

Improvement relies on a system of processes

A management audit is an effective tool for process improvement. Faster process cycles and associated agility often suggest a decentralized auditing event. Auditors must be prepared to support this decentralized structure through remote communication.

One purpose of a management audit is to assure that the correct information is fed back to the appropriate parts of the organization to facilitate sustainability. The example described in this article shows how planning for a decentralized audit identified underlying process problems.

The emerging requirement to conduct decentralized audits fits well into the concept of Modular Kaizen. Modular Kaizen places heavy focus on planning, considering the availability of team members and subject matter experts. Critical to any successful audit is the availability of supporting documentation, often stored remotely under differing levels of security and access. Tools can be employed to structure complex activities to minimize disruption and maximize audit success.

What the audit tells us about a process

Figure 1 illustrates the concept of “accept, adjust, or abandon” in auditing processes. The least disruptive condition is to have the current process flow smoothly from one task to another, as illustrated in flow 1. Occasionally, processes will veer off expected target performance and exhibit a slight variation as shown in flow 2. This variation is still within the expected range of performance for the current process, so the process simply adapts to the minor variation identified in an audit and returns to the expected flow.

Occasionally a special cause strongly disrupts the flow, as exhibited in flow 3. Here process performance is outside the expected variation of the process. At this point, the process must adjust operations to return to the current process flow.

Finally, in flow 4, external pressure may be so strong on the current process that it’s no longer capable of meeting customer requirements. In this situation, the current state is abandoned and a new process is designed.

Auditing process performance relative to the four flows in figure 1 is a challenge when all the players are in the same room. Achieving an accurate image of how processes are followed during a remote audit can be downright frustrating. Unless the auditor and auditees think clearly through the audit steps well ahead of time, the event can fail miserably.

An example from real life

I recently served as a senior quality consultant to the electric utility industry. During this time, I designed quality assurance systems for protection and control departments. I was asked to complete a project closeout audit as follow-up for corrective action. One issue was the failure to follow documented procedures for engineering checklists and peer reviews before releasing an electrical design package to the client.

When planning for a decentralized audit, the following items are critical to a favorable outcome:

  • The right skills
  • The right standard
  • In the right place
  • At the right time
  • With the right documentation

Although the right skills were assigned to the process being audited at the electric utility, several other requirements were not as simply addressed.

The office being audited and the subject matter expert were in Birmingham, Alabama, along with the project coordinator and director responsible for the client. The auditor and project manager work out of headquarters near Orlando. We used online virtual meeting software for audit meetings. Keep in mind that this example is influenced by only one time zone. Imagine what happens when the audit is with locations on the other side of the globe!

Obstacles in this decentralized audit appeared quickly. Because the subject matter expert continued to have daily responsibilities for technical upgrades at client substations, I needed to schedule virtual audit sessions in between his work activities in Alabama. The Birmingham office was small with no backup for specialized engineering work.

Roadblocks also appeared during documentation planning. Accessing standards and documentation across different servers became an issue. I use Microsoft Windows 10; the auditee location uses Windows 7. Windows 10 defaults to Microsoft Edge; Windows 7 uses Internet Explorer. IT access rules prevented the subject matter expert from having field access to corporate files, so we needed to download copies to a tablet we carried with us. Even with this workaround, we couldn’t always access the files we needed.

The reference standard for auditing the process was contained in a series of control manuals, but they weren’t all located in the same office or in the same format. Companywide standards were housed in electronic format at the headquarters location outside Orlando. Client-specific standards were maintained at the Birmingham office in electronic or hard copy files. Project-specific information was maintained in Birmingham across several software applications and files. MS Project files were kept by the project coordinator in Birmingham.

The standard for design packages follows generic electrical engineering protocols. A series of checklists and peer reviews are required before delivering the final package to the client. A common flowchart was maintained at headquarters for all company protection and control design packages. The Birmingham office had modified the flow for minor changes in client communication during design and acceptance.

Checklists for preliminary design, engineering package assembly, and final package delivery were available as standard templates with slight modifications for client preferences.

I developed a tracking sheet to record scheduled and completed dates of checklists and peer reviews for each of the three phases of project design. Event completions by the required date were used as project key performance indicators. When I compared the dates on the checklist and peer review documents with the project schedule based on the standard flowchart, I discovered serious discrepancies. When I asked about this, I was told, “Well, we don’t use the standard checklists. We wait to review until issue for acceptance.” This was a big clue for the audit.

Because I didn’t have access to company MS Project files, the project coordinator offered to create a PDF version of the project schedule to use during the virtual audit. Figure 2 is the PDF file. Problems with this approach were apparent quickly. When I maximized the font size by 400 percent to see the text, I couldn’t see sequencing throughout the project. The schedule includes individual dates for all three checklist and peer review phases that weren’t met, but instead left for the end of the project.

 

Prepare for a Decentralized Management Audit Using Modular Kaizen Tools

 Apply data access and Modular Kaizen project scheduling tools

The project team and I quickly came to the root cause analysis of the corrective action situation. The local office had accepted more client work than time allowed and was cutting corners to meet deadlines. Resolving obstacles to performing the decentralized audit highlighted the discrepancies between the standard and the utility’s compliance.

As a result of this experience, I worked with the project coordinator and director to establish firm expectations for meeting key performance indicators. I used the Modular Kaizen model to suggest planning tools for an effective decentralized audit.

Figure 3 illustrates the major tools recommended by Modular Kaizen. The tools identified for this audit activity were:

  • Quality at the source
  • Teams
  • Modular flow
  • Pull technology
  • Project management

As we become less preventive and more reactive, the cost of correction increases in dollars and reputation. Planning to have all materials and personnel available for a remote audit is critical. We learned from our mistakes during this example.

The checklists and peer review templates provide a description standard for deliverables. The Birmingham team established the project schedule, modified standard checklists to meet the nuances of its client contract, and performed tasks as identified in the process flowchart. The local team was augmented with corporate project management and quality assurance for key performance tracking and the closing audit.

Modular flow: Schedule separately using pull technology

Modular flow assumes there is no need to have team members in the same room at the same time to perform a closing audit. Advanced planning ensures data are available in the correct format, in the right place, and with access authority for each scheduled activity.

Figure 4 illustrates the modular activities possible through effective planning.

Note that the project coordinator schedules the project kickoff meeting and builds the project schedule based on information from the project lead. The design engineer performs engineering activities, including three phases of checklists to meet content and due dates. Once the checklists are performed, the director is queued to perform the associated peer review. When the package is accepted by the customer, the director performs final signoffs for project close.

All members of the team don’t need to be present for the closing audit. If the project coordinator can present all materials to meet audit requirements, it’s done.

A Modular Kaizen approach to the decentralized audit

The decentralized audit requires significant advanced planning. Modular Kaizen focuses on the preventive nature of planning rather than the reactive nature of correction. Anticipating the skills, data, standards, and timing required for a decentralized audit allows both auditee and auditor to use their time effectively. In this fast-paced and highly disruptive world, using tools to assure that an audit is done right the first time is worth the work.

About the author

Grace L. Duffy has more than 40 years of experience in successful business and process management in corporate, government, education, and health care. She uses her experience as a former president, CEO, and senior manager to help organizations improve. She has authored 13 texts and many articles on quality, leadership, and organizational performance. She is a frequent speaker and trainer.

Grace holds an MBA from Georgia State University. She is an ASQ CMQ/OE, CQIA, SSGB, and CQA. Grace is a Lean Six Sigma Master Black Belt, ASQ Fellow, and Distinguished Service Medalist. Grace is the 2014 Quality Magazine Quality Person of the year and the 2016 recipient of the Asia-Pacific Quality Organization Milflora M. Gatchalian International Woman in Quality Medal.

The post Prepare for a Decentralized Management Audit Using Modular Kaizen Tools appeared first on The Auditor.

ASQ Manufacturing Survey: Confidence in the Supply Chain Returns

Despite 83 percent of manufacturers being adversely affected by supplier inability to meet their needs in the past, only one third anticipate a parts or services shortage in 2017, according to ASQ’s 2017 Manufacturing Outlook Survey.

More than 1,125 manufacturing professionals from around the world responded to ASQ’s 2017 Manufacturing Outlook Survey, which was conducted online in November and December. Survey respondents represented a multitude of industries including aerospace, automotive, food, and medical devices.

According to the survey, 66 percent of manufacturers expecting a problem with suppliers are working closely with providers to resolve issues, while 35 percent are working with their suppliers’ competitor. Some manufacturers are stockpiling parts, while others are expanding their operations to create the necessary parts themselves.

ASQ Chair Pat La Londe said supply chains play a critical role in manufacturing, and companies simply can’t risk being without the necessary material they need to be successful.

“Companies need to carefully consider multiple options when faced with a shortage of materials or suppliers that can’t meet their needs,” La Londe said.

In addition to questions about their organization’s supply chain, the annual Manufacturing Outlook Survey also asked respondents about their financial outlook for 2017. Close to 72 percent of respondents said they expected an increase in their company’s revenue in 2017. Furthermore, 74 percent said they expected salary increases in 2017—up from 61 percent in the 2016 survey—and 46 percent said they expect their company to increase staff, compared with 37 percent last year.

While respondents are confident their companies will increase revenue, the top hurdle facing organizations continues to be the economy. More than 36 percent of respondents cited the economy as their greatest hurdle in 2017, down from 40 percent of respondents in last year’s survey.

Around 30 percent of respondents said the shortage of skilled workers will be their greatest challenge, followed by regulatory issues at 15 percent. Uncertainty about the government’s direction with a new president, global trade issues, and decreased demand for their products were identified as other areas of concern.

Only seven percent of respondents said a shortage of necessary parts is their greatest obstacle. In fact, respondents are satisfied with the quality and availability of materials, with 68 percent of respondents saying quality is the most important factor when considering suppliers. When suppliers are unable to provide the necessary materials, respondents said “don’t put all your eggs in one basket.” Openly communicate with suppliers to determine any potential risks, and have back-up plans—and back-up suppliers—to alleviate supply chain disruptions.

The survey also revealed that 59 percent of respondents said their organizations have formal processes to address supply chain risk, whereas 28 percent do not, and 13 percent aren’t sure.

The post ASQ Manufacturing Survey: Confidence in the Supply Chain Returns appeared first on The Auditor.

ISO/IEC 27004 to Measure Information Security Effectiveness

Newly updated ISO/IEC 27004:2016, Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation, provides guidance on how to assess the performance of information security management system standard ISO/IEC 27001.

ISO/IEC 27004:2016 explains how to develop and operate measurement processes, while also assessing and reporting the results of a set of information security metrics.

Replacing the 2009 edition of the standard, ISO/IEC 27004:2016 has been updated and extended to align with the revised version of ISO/IEC 27001 to provide organizations increased value and confidence.

Edward Humphreys, convenor of the working group that developed the standard, said cyber attacks are among the greatest risks an organization can face.

“This is why the much improved version of ISO/IEC 27004 provides essential and practical support to the many organizations that are implementing ISO/IEC 27001 to protect themselves from the growing diversity of security attacks that business is facing today,” Humphreys said.

ISO/IEC 27004:2016 details how to construct an information security measurement program, select what to measure, and operate the necessary measurement processes. The standard also includes examples of different types of measures, and how to assess their effectiveness.

Benefits of implementing ISO/IEC 27004 include:

  • Increased accountability
  • Improved information security performance and ISMS processes
  • Evidence of meeting the requirements of ISO/IEC 27001, applicable laws, rules, and regulations

The post ISO/IEC 27004 to Measure Information Security Effectiveness appeared first on The Auditor.