This month we take a look at how internal audits actually work. As we saw last month, these are there to examine the operation of your management system and provide top level management with the information needed to ascertain whether the system is operating effectively or if any changes need to be made.

An Internal Audit can be performed within the organisation by auditors who are employed by the organisation, but who should have no vested interest in the audit results of the area being audited. Alternatively you can use an External Auditor who will also be free of any conflict of interest. Whichever one you choose, you should make sure that the auditor is actually competent to do the job - this can be based on skills, formal training and experience.

For organisations with a formal management system in place, such as ISO 9001, ISO 14001, or ISO 45001, this is a requirement of the standard, which means it must be done. However, conducting internal audits is a vital process regardless of whether you have to do it or not. It’s there to serve several purposes:

• Ensuring adherence to the company’s processes – the auditor should look to ensure that the organisation is complying with its own procedures.
• Ensuring the effectiveness of the system – the auditor should look at all processes, reviewing the value of each process, and ensure that the procedures still meet the organisation’s objectives.
• Providing information for management reviews – the results of audits should be documented so that they can be reviewed and analysed, providing information for use in corrective action programmes and management reviews.
• Identifying opportunities for improvement – the auditor should examine documented evidence against the management system that is relevant to the function or department being audited. This could include staff competency, qualifications or training. Problems should be discussed with the auditee and corrective/preventative actions should be recorded.
• Driving continual improvement – the auditor needs to follow up and verify that any corrective actions have been completed by the agreed date.

You should conduct internal audits at planned intervals throughout the year. This will enable you to regularly determine whether the system is being effectively implemented and maintained.

The first and most important thing to understand is how often you need to audit your systems. There is a myth out here that you need to audit your entire ISO Management System every year, and it is just that a myth, you do not!

The wording in pretty much every standard is now the roughly the same, the key wording being: “The organisation shall conduct internal audits at planned intervals to determine……” There is nothing there about every year it just says planned intervals. Planned intervals just means that you should have a documented planned frequency for auditing your system, it maybe you decide you want to do it all within the 3-year cycle of your certification but again you do not actually have to (you should, but you do not have to).

In all the newer revisions of the ISO Management System Standards, right at the very start of them they all talk about taking a risk-based approach to your compliance system. That means throughout your entire ISO9001 Quality Management System or ISO14001 Environmental Management System or even your ISO27001 Information Security Management System you should look at the risks of each policy or procedure and make a call on how often you will carry out an internal audit on it.

Grouping things into a risk category does not need to be complicated, keep it simple and allocate each on a simple rating in terms of the impact each one could have on the performance of your ISO Management System, the possible impacts on your product or your customer if things were to go wrong. For example, a rating like this works well in terms of setting out your audits:

• Low – As required i.e. you may audit once in the 3 years or more frequently if something pops up
• Medium – Audit Every Two Years
• High – Audit Every Year
• Critical – Audit Multiple Times Per year

In terms of things to consider when deciding that risk level, you could use the list below as a good starting point, you should also factor into your thinking when you are deciding if you need to re-audit an area sooner than planned or push it further out (yes, you can adjust your schedule as you go):

• Level of non-conformances within / linked to that process.
• Customer complaints
• Any business risks / hazards
• Importance of the process on your product or customer
• Previous audit results (internal & external)
• Organisation changes e.g. key personnel changes.

A shameless plug here - The Ideas Distillery offers a comprehensive, objective internal auditing service which can be undertaken to verify compliance against International Standards (ISO), legal requirements or internal procedures. This service will ensure impartiality of the audit process therefore maintaining impartiality.

Regardless of the industry, companies face increasing competition with each passing day. Whether you’re a massive enterprise, or a small startup, monitoring and maintaining operational efficiency has never been more important. Consequently, internal audits have grown to become an essential component of a business’ success.

The dynamic pace of today’s business landscape also means that failure to effectively evaluate and manage risks has the potential to ruin any organisation.

If your clients or end users expect products or services that are secure and compliant, you will need to ensure that you’re making the most of internal audits. 

Simply put, an internal audit is an independent activity designed to objectively evaluate the effectiveness of an organisation’s internal controls, risk management and governance. It is typically pre-emptive in nature and aims to uncover any discrepancies between operational processes and their intended purpose.

Upon completion of the internal audit, a detailed report is provided to management, outlining the findings alongside any recommendations. By including activities that affect businesses from top to bottom, internal audits go beyond your organisation’s internal processes: they’re concerned about the overall wellbeing and success of your organisation.

So internal audits are there to examine the operation of your management system and provide top level management with the information needed to ascertain whether the system is operating effectively or if any changes need to be made.

An Internal Audit can be performed within the organisation by auditors who are employed by the organisation, but who should have no vested interest in the audit results of the area being audited. Alternatively you can use an External Auditor who will also be free of any conflict of interest.

Whichever one you choose, you should make sure that the auditor is actually competent to do the job - this can be based on skills, formal training and experience.

For organisations with a formal management system in place, such as ISO 9001, ISO 14001, or ISO 45001, this is a requirement of the standard, which means it must be done. However, conducting internal audits is a vital process regardless of whether you have to do it or not. It’s there to serve several purposes:

• Ensuring adherence to the company’s processes – the auditor should look to ensure that the organisation is complying with its own procedures.
• Ensuring the effectiveness of the system – the auditor should look at all processes, reviewing the value of each process, and ensure that the procedures still meet the organisation’s objectives.
• Providing information for management reviews – the results of audits should be documented so that they can be reviewed and analysed, providing information for use in corrective action programmes and management reviews.
• Identifying opportunities for improvement – the auditor should examine documented evidence against the management system that is relevant to the function or department being audited. This could include staff competency, qualifications or training. Problems should be discussed with the auditee and corrective/preventative actions should be recorded.
• Driving continual improvement – the auditor needs to follow up and verify that any corrective actions have been completed by the agreed date.

You should conduct internal audits at planned intervals throughout the year. This will enable you to regularly determine whether the system is being effectively implemented and maintained.

Another shameless plug here - The Ideas Distillery offers a comprehensive, objective auditing service which can be undertaken to verify compliance against International Standards (ISO), legal requirements or internal procedures. This service will ensure impartiality of the audit process. 

There's no getting around it - an ISO 9001 certification will require time, effort and improvement from many areas of the business. However, the steps that must be taken are worth it for any company. The whole point of putting in a quality management system is that it will benefit business owners, employees and customers alike.

If you are considering becoming ISO 9001 certified, it's important to learn as much as possible about the certification and about the process. Rather than simply leave everything to a consultant, it's always a good idea for you to know exactly what you must do to get the certification.

In simple terms, ISO 9001 requires organisations to ‘say what they do, and do what they say’. They ‘say what they do’ by detailing their operating procedures, explaining how quality is monitored and controlled. They must then demonstrate that they ‘do what they say’ as they operate their quality systems. This usually involves keeping records of quality checks, tests and other activities, so that the system can be audited.

In previous iterations of ISO 9001 (before 2015) there was an emphasis on writing down your operating procedures and having a written manual detailing how your quality management was monitored and controlled. No longer - the 2015 standard has a distinct absence of the terms “documents” and “records”.

Documented information is a means by which an organisation demonstrates compliance. It communicates what we do and how we do things, it communicates what happened and what results were achieved. It is, essentially, a tool for communication.

There are many different formats in which communication can happen and ISO 9001:2015 makes allowances for organisations to use what suits them best. Documented information can be in any format, any media, from any source.

While some may be wedded to pieces of paper, the medium used can be anything: paper, electronic, photographic, samples, etc. The possibilities are not quite endless, but certainly varied. If an organisation would find it useful and appropriate, a wall-painting or mosaic may also achieve the required result!

Organisations are not obliged to relegate their quality manuals and documented procedures to the dustbin. While there is no requirement for an organisation to have or use either, where such documentation exists, and is of use to the organisation, they should continue to use it.

I still believe in an organisation having a Quality Manual, even though this is not a requirement under the standard. My experience shows that a good Quality Manual can be a vital a tool when referred to properly throughout an organisation - if it’s just a tome which sits on a shelf gathering dust, the only purpose of which is to satisfy the requirements of a standard (as far too many used to be), then this is clearly a waste of time and effort. 

But I find that the benefits of having a Quality Manual are wide and varied and applicable to most businesses. They:

• Communicate management’s expectations to employees
• Demonstrate the organisation’s plan to conform to the standard
• Demonstrate that organisational roles, responsibilities, and authorities have been assigned, communicated, and understood
• Provide company context for internal and customer requirements (you need to consider the needs of your own company and your clients or customers in setting up your management system - yes, this is a requirement of the standard, but it also makes fundamental business sense)
• Guidance in increasing efficiency and improving processes
• Guidance on having clear and concise communication throughout the organisation’s documents and between functions or departments
• And yes, not a main reason but certainly a useful by-product, it makes audits easier (both internal and any external ones you might have) as it shows how you are aiming to comply with each clause of the standard

This will really help you as your system will consist of the following elements and a properly-managed Quality Manual will help to keep tabs on things:

• a quality plan, and written Quality Policy which is understood, implemented and maintained at all levels of the organisation;
• a definition of the responsibilities of all those who affect quality (an organisation chart is a good idea here);
• a review of accepted orders to ensure that customers’ requirements are clear, and procedures which control the design of goods or services to ensure that these requirements are met;
• procedures to ensure that purchased goods and services conform to the requirements of the organisation and that their progress can be traced through to delivery;
• systems that ensure the suitability for use of any materials or services supplied by a customer;
• demonstration that processes are carried out under specified conditions;
• the control, calibration and maintenance of all measuring and testing equipment;
• a system which identifies and segregates all non-conforming goods and services and which specifies corrective action and identifies root causes for these;
• processes for any servicing operation to document and verify that it satisfies customers’ requirements;
• records which provide objective evidence that the work is being carried out in accordance with procedures and customers’ requirements;
• processes which identify training needs and carry out and record training for employees
• the use of statistical techniques;
• self-policing through internal audits and reviews (e.g. Senior Management meetings).

That's it for this month, next month we'll be taking a look at how internal audits work.

​This week we take a bit of a departure from our normal ‘written word’ format to give you a recent presentation we gave on practical steps to designing your business processes to put your customer’s needs at the centre.

It’s incredible to realise that:

• 81% of companies who provide great customer experiences and customer satisfaction do much better than their competitors (1)
• It costs six to seven times more to acquire a new customer than it does to retain an existing one (2)
• 84% of consumers all over the world trust recommendations from friends and loved ones, and they have a 16-25% higher lifetime value than those acquired from other sources (3)

Putting a Quality Management System into your business is not just about assuring the quality of your product or service - it goes much deeper than that.

If done correctly, you should develop your company processes - from initial enquiry right through to final delivery - totally centred around the needs of your customer.

Every decision your business makes needs to be considered according to the way it will impact your customer experience, even the decisions that might not seem immediately obvious.

Every member of your team needs to be engaged and understand how their work impacts the customer and their experience.

Your customer feedback is invaluable. That’s why it almost goes without saying that a business with a customer-first strategy needs to develop a robust management system to process and implement customer feedback and use this as the tool for continual improvement.

This video workshop deep-dives into what a Quality Management System is, how it works, then shows you how to strip down then reconstruct your company processes to make them customer-focussed. 

Being customer-focused isn’t a PR stunt - it’s what distinguishes the best from the rest. Just click here to view on our YouTube channel. Alternatively, just paste the following address into your browser:
​
https://www.youtube.com/watch?v=AN8W8nI-RXM&ab_channel=TheIdeasDistillery

(1) “Customer Experience Maturity Monitor” report; Peppers & Rogers Group; 2009
(2) Business2Community
(3) “Global Trust In Advertising And Brand Messages”; Nielsen; 2013

Last week we looked at the basic elements of a Quality Management System, and the five questions customers ask themselves when weighing up the quality of your product or service.

This week we look at how we can use these five questions - relating to specification, conformance, reliability, delivery and cost - to judge what will be emphasised.

So, as an example, when you eat at a Japanese restaurant you may be more concerned with specifications (what can I expect when I eat there?), whereas when you eat at your local Italian restaurant you may be more concerned with conformance (is it what I expected?).

If you are eating at a Pizza Hut you may be more concerned with reliability (is it the same as last time?). However, in reality expectations are likely to comprise a mixture of these elements, in different combinations in each case. Customers are likely to have different expectations, even of the same product or service, and this may compound your difficulties. Also, customers may perceive the same product or service quite differently.

Returning to the restaurant example, some customers may see a meal as a means of enjoyment with family and friends, while others may be using it as a business opportunity to entertain their customers.

In short, the quality of a product or service is whatever customers perceive it to be: this makes it essential that you understand quality from your customers’ point of view. In some situations, customers may not be able to judge the technical aspects of a product or service specification.

For example, you may be unable to judge the quality of the medical aspect of an examination and diagnosis you receive at a visit to your dentist. You may therefore judge the experience by the dentist’s manner, the receptionist’s attitude, or even whether you had to wait longer than you expected.

Shortfalls in quality are likely to arise when there is a gap between what customers expect and what they consider they are getting. When such gaps exist it is almost bound to lead to customers’ dissatisfaction.

You need a plan

This is why it’s essential that you look at a plan for managing this. An organisation may use several different types of plan: business plans that address how it will anticipate, respond to and satisfy the needs of its customers; marketing plans that consider specific products or groups of products; production plans; IT plans; human resource plans.

Your organisation may have all, some, or even none of these plans. You may feel that you know what your organisation is trying to achieve, but that this is not written down anywhere. Whatever your situation, it is useful to understand the planning process in its own right.

For example, you may set your own preliminary objectives which could be precursors to the rest of your planning activities. You need to be clear about these two areas before you carry out any further activities, and you will need to keep the business objectives and environment in mind while you develop your own plan.

However, you will probably need to revise them as you go through the process in the light of the context analysis (the review of your organisation and its environment) that you carry out and if you do a SWOT (strengths, weaknesses, opportunities and threats) analysis. The results of the context analysis will help you to develop your SWOT analysis and this will help in the revision of your own objectives.

The SMART acronym for setting objectives is useful here. All objectives you set should be:

• Specific: “65 per cent of new customers who book a ticket for an event through the online booking service I manage will buy through us again within a year.”
• Measurable: “I will ensure that all buyers’ details are entered on to the database, that it is used for all calls, and that at the end of every month/quarter someone checks the percentage of new customers who have bought a second time (or more).”
• Agreed: “I will check with my manager that this 65 per cent target is relevant, reasonable and in line with the company’s overall objectives.”
• Realistic: “Although our current data is limited, anecdotally we believe that about half of our customers come back again. I have read articles that suggest that once people become familiar with and actually complete a particular online buying process, most are reluctant to seek out others.”
• Timed: “This target applies as from 1st September, although it will be a year before we can fully analyse whether we are achieving the target.”

There is a key point to this process. Imagine that you are a training company and you initially decide that you need to improve the quality of the materials given to your delegates. At the moment the teaching styles of the trainers are inconsistent, and you feel that the quality of what is offered is low and does not reflect the professionalism you wish your company to be known for. You therefore set as your preliminary objectives:

• to develop a set of guidelines for your trainers on the preparation of training materials;
• to develop a quality specification for training materials to which all trainers must adhere.

However, after conducting a context analysis and a SWOT analysis to find out exactly what is happening at the moment and what your customers want, it becomes clear that a major weakness is the quality of delivery of the materials, rather than the quality of the materials themselves.

You therefore decide to keep your two original objectives, but to add a third priority objective, which is to institute a training programme for all trainers.

The plan would be measured against the initial objectives that you set, and this might influence your next set of objectives. If you achieve the objectives then you may want to set even more challenging ones next time, or you may wish to alter your focus to concentrate on other areas of perceived weakness.

Like other planning frameworks, the one presented here could be more detailed and would need adjusting according to the size, sector and character of the business and problem you are addressing. However, its purpose is to stimulate your thinking about what you can do as a company to enhance customer satisfaction. 
​
Next week: What you’ll be doing when implementing ISO 9001…