News

Auditing of System and Processes

• satyendra
• July 2, 2013
• 5 Comments
• audit, auditee, auditor, Control levels triangle, NCR, procedure, process, system,

Auditing of System and Processes

The combination of various processes with the management processes constitutes a system. Processes can be simple or complex or can be similar or dissimilar. The system brings the processes together for a common purpose.  A process transforms inputs into outputs. The transformation or change takes place as a series of activities / steps which leads to the desired results (process objective). Every process follows four basic principles. These principles are (i) process activities are linked as sequential steps, (ii) a change or transformation takes place during the process, (iii) the law of conservation applies to a defined process, and (iv) optimization of activities is carried out for the best utilization of the resources and achievement of the process objectives. Economics is an important consideration of design and the operation of the process. The process is required to have a set of optimum operating conditions for the achievement of both of its economic and performance objectives.

The ‘process approach’ method of doing things is more effective for the achievement of the objectives as compared with a haphazard or a random approach. Processes can be good or bad, or can be efficient or inefficient. Process inputs can be tangible or intangible. Process inputs can be materials, equipments, funds, information, people, knowledge and experience, and work procedures etc. Process transforms the inputs into output by the transforming mechanisms. Process output can be a product or a service. Process outputs can be products, equipments, revenue, information, quality, safety, performance, skill and knowledge, and many others similar things. There have to be sufficient inputs to the process to get desired outputs. There is to be a balance of equilibrium between the inputs and the outputs.

There are several other inputs to a process other than the inputs mentioned in the previous paragraph. The inputs are needed to make it possible to complete the process of transformation. These inputs are frequently being called as ‘process elements’. The process elements can be divided into six groups namely (i) people, (ii) equipment, (iii) environment, (iv) materials, (v) measures, and (vi) methods.

In the majority of the processes, it is desirable to control the processes to avoid negative consequences. The quantity, severity, and level of control vary depending on the risk and acceptability of the undesirable outcomes. The necessary requirements of the control system are that there is a feedback information loop from the process output. This feedback information is used to adjust the process or make decisions about the output. Examples of the feedback informations are temperature, pressure, dimension, weight, number count, colour, condition, or portion etc. This function of the feedback is to achieve the process objectives and the output targets.

For the management of the control activity for a process, it is needed to establish a pre-determined method. Without it, there is no basis available for the adjustment or the improvement of the process. Pre-determined methods can include plans, procedures, work instructions, checklists, outlines, diagrams, flow charts, process maps, and so on.

Feedback information is to relate to the process /output performance criteria and /or to the objectives. Feedback can be in the form of a quality characteristic such as activity level, properties, or dimensions, and feedback can be a performance measure such as yield, cost, waste, delays, utilization, error rate, and satisfaction levels etc. Sometimes it is easier to monitor a process parameter which has control on the process performance. Fig 1 shows schematic model of a process.

Fig 1 Schematic model of a process

Processes are to be organized with other processes for the achievement of the organizational objectives. The organization can be considered a collection of different processes, all of which are working to transform inputs into outputs. The combination of several of such input / output processes with the management processes creates a system. Processes can be simple or complex or can be similar or dissimilar. The system brings the processes together for a common purpose such as production, quality, environment, energy, marketing, procurement, safety, accounting, and several others. Fig 2 shows schematic model of a system.

Fig 2 Schematic model of a system

Audit

The term audit is derived from the Latin term ‘audire,’ which means to hear. In early days an auditor used to listen to the accounts read over by an accountant in order to check them. Auditing of a system or system processes is carried out against agreed upon requirements. Such an audit is carried out in order to verify that the individual processes within the system are effective and suitable in achieving the stated objectives. The audit is used to verify whether the system / the processes are operating within the specified limits and achieving the specified targets (objectives). The system / process audit examines the process activities / steps for verifying whether the inputs, actions, and the outputs are in accordance with the defined requirements. A system / process audit is an evaluation of the sequential steps and techniques of the process within the system. Auditing of a system or system processes provides value for the management by the evaluation of the processes, their control, risks, and the achievement of the objectives.

System audit is defined as ‘a systematic and independent examination to determine whether activities and related results comply with the planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives’. It is also defined as ‘a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled’.

One of the main differences between the process audit and a system audit is the scope definition and expansion. A process audit can be a singular process or a part of a process. Process audit can start at any level of the process where work takes place. Referring to the ‘control levels triangle’ (Fig 3),  it can be seen that the process audit can start from level 4 and go up to the top, while the system audit starts from the top (level 1) and goes down. A system or a sub-system audit is against the agreed upon requirements. Top level requirements drive the formation of subsystems and processes for meeting the requirements.

Fig 3 Control levels triangle for an audit

Auditing of the system / processes is one of the key management tools for achieving the objectives set out in the policy of the organization. A system audit is a disciplined approach to evaluate and improve the effectiveness of a system. The system audit also provides objective evidence concerning the need for the reduction, elimination and most importantly, prevention of non conformities. The results of these audits can be used by the management for improving the performance of the organization. Systems audits are carried out by the trained auditor who can be organization own employee or a person of an external auditing agency or independent professional auditor. The audit is carried out by looking up for objective evidence.

System audits are normally carried out for such objectives as (i) to evaluate the organization system against a system standard, (ii) to determine the conformity or non conformity of the system elements with the specified requirements, (iii) to determine the effectiveness of the implemented system in meeting the specified objectives, (iv) to offer an opportunity for improvement in the system, and (v) to meet statutory and regulatory requirements. In the latest approach to the systems audit, the auditors are expected to go beyond mere auditing for the compliance by focusing on risk, status, and importance. This means they are expected to make more judgments on what is effective, rather than merely adhering to what is formally prescribed.

Terms used in a system audit

Various terms used during the auditing of system and processes are described below.

• Audit – A planned and documented audit performed in accordance with manual, procedures, records, and other documents like checklists etc. for the intended purpose of verifying applicable elements of a system and processes and its implementation.
• Audit plan– It is typically an audit action plan based on the applicable audit requirements in the standards / norms for the system / processes being audited and the audit report summary, with additional questions / issues which are to be verified included in or attached to these documents as needed to ensure objectivity and impartiality.  It can also be a marked up copy of the procedure / process documentation, identifying evidence to be collected to verify conformance.
• Auditor– A qualified and trained person who is authorized to perform specific audit functions under the direction of a lead auditor.
• Audit coordinator – A person with responsibility / authority for scheduling audits, selecting auditors (ensuring objectivity and impartiality), and ensuring issues raised are effectively addressed.
• Effectiveness– It is the evidence, including the relationship with inputs and outputs for the process. It shows the process is working, driving performance, and supporting the organization’s policy, objectives, and compliance with requirements (laws, regulations, etc.).
• Finding– It is an issue needing resolution.  It can be an actual problem (something requiring corrective action), a potential problem (something requiring preventive action), or any other opportunity for improvement (including those making it better and / or helping to be more fiscally responsible).  These ‘problems’ are also known as non-conformances with any element of the system and process.  All non-conformances are to be formally resolved to assure effective correction of the observed condition and the adoption of system improvements or preventive measures to reduce or preclude the likelihood of recurrence. Types of findings can be a major problem, a minor problem, or a comment. Example of a major problem is ‘the evidence shows the problem to be systemic (very big or bad) and / or requirements from the applicable standard are not addressed or adhered to’. Example of a minor problem is ‘the evidence shows a problem, in need of attention, but not one where the system is broken down (simply needs a little touch-up) and / or a requirement or two from the applicable standard are not completely addressed or adhered to’. Example of a comment is ‘opportunity for improvement, or observation which can be praise or can be pointing out things which can use a little work (correction, preventive action, or opportunities for improvement). When all is said and done, the decision whether something is a major or minor is in the lead auditor’s hands.  The tendency is to use ‘the benefit of doubt’ (things start as a minor and escalate as supported by evidence) as the rule of thumb.
• Internal auditor– A qualified and trained person of the organization who performs audit of system or processes, reports non-conformances and observations, evaluates the adequacy of corrective and preventive actions, and reports audit findings to the organization management.
• Lead auditor – A qualified and trained and certified person, who is authorized to plan, organize, and direct audit of system and processes of an organization, to report non conformances and observations, and to evaluate the adequacy of corrective and preventive actions.
• Non-compliance– It is the evidence which indicates the organization is not complying with a regulation, rule, or requirement where compliance is mandatory (i.e., law, corporate policy, etc.).
• Non-conformance– It is the evidence which indicates the actions by those fulfilling a process and the information in supporting documentation do not conform to one another and / or requirements outlined in the standards.
• Objectivity and impartiality– These are expectations of both of the auditors and the organization using the system and processes. To be objective and impartial means to let the evidence speak for itself.  Auditors and the audit process need to be free of bias and in pursuit of the truth with evidence to support conformance with the processes or activities being audited.

Types of audits

There are several types of audits as described below.

• Adequacy audit – It is the audit exercise which determines the extent to which the documented system, represented by the manual, the associated procedures, work instructions and record forms adequately meets the requirements of the system and processes and if it provides objective evidence that the system and the processes are correctly designed in this respect.
• Compliance audit – It is the audit which determines the extent to which the documented system and processes are implemented and observed within the organization.
• External audit – It is an audit carried out for the system / processes of the organization with whom there is a contract to purchase goods or services or intend to do so. It can be adequacy and / or compliance audit or both. It is also known as second party audit
• Extrinsic audit – It is an external audit carried out by an independent accredited third party using a standard to provide assurance on the effectiveness of the system and processes. This audit can also be adequacy and / or compliance audit or both. It is also known as third party audit.
• Internal audit – It is an audit which is carried out by the organization from its own internal sources for its system and processes for the purpose of providing assurance to the management that the system and processes are functioning properly and are effectively achieving the planned objectives. These audits are carried out by those employees of the organization who are not directly involved in the system and processes. Sometimes organizations take the help of external agencies for carrying out the internal audit. It is also known as first party audit.
• Process or product audit – It is a vertical audit which looks into complete system that goes into the production of a specific end product or service.

Process of Auditing

The workflow for the auditing of system and the processes is shown in Fig 4.

Fig 4 Workflow for auditing system and processes

The process of auditing can be divided into the following steps.

Audit initiation – It defines the scope and the frequency of the audit. The scope of the audit is determined on the needs of the organization and a decision is made with respect to system’s elements such as activities, departments and locations etc. which are to be audited within a time frame. This is normally done along with the lead auditor. The frequency of the audit is determined after considering specified or regulatory requirements and any other pertinent factors. Both internal and external audits are to be part of the audit schedule. The frequency of the internal audits is normally much more than the external audit since it provides input to the management not only about the normal functioning of the system but also inputs for the decision making.

Audit preparation – As a basis for planning the audit, the auditor is to review the manual and the auditing procedure of the system and if there is any inadequacy it is to be resolved first. After this an audit plan / programme is to be made along with the auditee. This programme is to be approved and after approval it is to be communicated to the auditors and the auditees. This plan is to include (i) the objective and scope of the audit along with the activities to be audited, (ii) the persons who are directly responsible for the audited activities and the audit scope is to be identified with them, (iii) reference documents such as the system standard and system manual etc. are to be identified on which the audit is be conducted, (iv) the team members for the audit are to be finalized, (v) the date, time, and the place of the audit is to be finalized, (vi) the units of the organization are to be finalized, (vii) the expected time and duration of each of the audit activity is to be decided, (viii) the schedule of meetings with the management need to be finalized, (ix) audit is to fulfill the requirement of the confidentiality if any is there in the system and the processes, (x) the language of the audit is to be decided, and (xi) the distribution of the audit report to be finalized. All the documents needed for the audit are to be made available to the auditors to facilitate auditing. The auditors are to prepare also a check list to assist them during conducting of the audit. A further audit is sometimes necessary to check the corrective actions taken on a non conformity report (NCR).

Audit execution – A structured audit is having the following four execution steps.

• An opening meeting – It is chaired by the lead auditor where he introduces the team members to the auditees, confirms the arrangements made for the audit, briefs the auditees about the audit details, explain to the auditees difference between major and minor NCRs, ensures that the guides are available during the auditing, explain the timings for daily liasioning meetings and the final closing meeting. The opening meeting is to include the senior management and all the persons involved in the audit.
• The examination and evaluation of the system – The audit is to cover entire scope and is to run to the plan. During the audit clear and precise NCRs are to be raised based on the sound objective evidence. Regular liaisoning meeting are to be held.
• A closing meeting – Like the opening meeting this meeting is also to be chaired by the lead auditor. It is held at the end of the audit. In preparation of this meeting auditors explain their findings during the audit to team members and these findings are reviewed and the actions to be taken on these findings are taken. During closing meeting the lead auditors briefs about the audit scope, and tells the findings of the audits. The NCRs noticed during the audit are explained by the team members and are handed over to the auditees. Team leader give an overall summary of the findings and the conclusions including the actions to be taken are recommended.
• The audit report – This report is handed over during the closing meeting.

Audit report – The lead auditor has the responsibility of the preparation of the audit report. The audit report is to faithfully reflect the tone and the conduct of the audit. It is also to be signed with date by the lead auditor. The audit report is to contain only factual statement of discrepancies supported by the objective evidences. The audit report is to include, if applicable, such items as (i) the scope and the objective of the audit, (ii) details of the audit plan, (iii) the standard and any other document against which the audit was conducted, (iv) observations of the non conformity reports, (v) audit team’s judgment to the extent of the compliance with the applicable standards and other documents, (vi) the ability of the system to achieve the objectives, and (vii) the distribution list for the audit report. Any communication made between the closing meeting and the issue of the report should be made by the lead auditor in the report.