Perfect Audit Checklists

April 1st, 2011

One of the key audit skills we deliver in our audit courses is the ability to write a good audit checklist.   This is simply because a checklist provides you with a clear set of questions to ask during the audit and keeps you on track with the audit timetable and objectives.

At QCS we write our checklist of the month to help people with areas of auditing management systems, but this month we thought we would look at how to actually write an audit checklist using an ISO standard.

The key steps to writing a checklist based on any management system standard are to:

  • understand the intent of the section/clause of the standard
  • break down the specific requirements of the clause of the standard (the ‘shalls’)
  • identify what objective evidence you are going to look for to prove the system works

To give a simple example I have chosen Management Review from ISO 14001:2004 (Section 4.6) but this technique can be applied to any section of ISO 9001, ISO 14001 or OHSAS 18001.

The overall intent of management review is to ensure the management system is implemented and effective in driving continual improvement.

If we take a look at clause 4.6, the key requirements of ISO 14001 are:

  • Results from internal audits will be reviewed
  • Results from legal requirement evaluations will be reviewed
  • Review of environmental performance
  • Review of the extent to which objectives and targets have been met
  • Communication from regulators and other interested parties
  • Status of corrective/preventive actions
  • Follow up actions from previous reviews
  • Changes (legislation, organisation, technology etc) are reviewed
  • Records of the review shall be maintained

The evidence you will need to look at during the audit will be:

  • Minutes of management review meetings
  • Who actually attended management review meetings
  • Agendas from the meetings including any data analysis/reports
  • Action plans resulting from the management reviews

And of course the main question to ask to ensure effectiveness… review an actual improvement that has occurred as a result of a decision taken in management review. This way you can show that the system is fully implemented and effective.

 

Stressed Out

April 1st, 2011

Stress Audit Checklist

How often do any of your employees experience high levels of stress at work? Never, Rarely, Weekly, Constantly? Stress has firmly been on the HSE agenda for some time now but do you ever audit the control measures for this particular hazard?   Here are some questions that you can use to assess stress management compliance in your organisation…

• Do you ensure that managers receive information and advice on how to manage work-related stress?

• Do you ask your employees what causes stress at work, and what can be done to reduce it?

• Do you have a clear policy that acts of bullying and harassment are not acceptable and all such complaints will be formally investigated?

• Do you, where possible, let your employees have some choice about how they prioritise their work?

• Do you make sure your employees always know what they are expected to do and regularly talk to them about their work?

• Do you ask your employees to talk to their manager if they are finding their job stressful?

• Do you make sure all managers know how to provide help, support and training to employees?

• Do you discuss any expected changes with your employees?

• Do you make sure working hours are managed and kept below 48 hours each week?

• Do you make sure your employees have enough time to do their work?

Environmental Programmes

January 18th, 2011

Setting environmental objectives is getting easier by the day.   With Government Initiatives raising overall awareness, even Financial Directors are asking how we can reduce the Carbon Footprint of the company.

Also many organisations have heard of SMART objectives so we now know to make any objective for our system specific, measurable and time bound.

The real problem is that environmental objectives are a bit like a Gym Membership – signed up too hastily in January by everyone and then not re-visited for at least another 6 months…

But remember ISO 14001 requires that you have a programme for your objectives including a ‘means and a time frame’.  

As we are often setting objectives at this time of year, it is worth getting an effective programme set up at the same time to make sure that all objectives are prioritised and given the right resources to be successful from the start.

Objectives, targets and programmes…
Once you have decided on your ‘SMART’ objective, break this down into a brief project plan. Also make sure that resources in terms of time and money etc. are clearly identified as part of the overall programme and that the senior management team in your company has bought into the objective and the programme. This will make sure that everyone really understands what’s involved in achieving an objective and, more importantly, that the right objectives are given a priority and you don’t fall into the trap of setting too many objectives.

Also make sure that within the programme you have regular reviews/updates to monitor progress and update and amend programmes as you progress your objective.    

This may seem like a detailed approach, but failure to have an effective programme for your objectives may well result in non-conformities at your next ISO 14001 audit.

KPI Master Class

January 18th, 2011

Love them or hate them, KPIs (Key Performance Indicators) are the way many organisations monitor and measure their processes. These should be linked to business objectives and, as January often starts with the annual cycle of objective setting, just how good is your organisation at setting KPIs?

 Here is what ISO 9004 tells us…
‘ensure that you provide information that is measurable, accurate and reliable, and usable to implement corrective actions when performance is not in conformity with objectives or to improve process efficiency and effectiveness’.

What should we measure?
All processes within your organisation should be measured and monitored and key performance indicators should take into account:

  • the needs and expectations of customers and other interested parties
  • the importance of individual products to the organization, both at the present time and in the future
  • the effectiveness and efficiency of processes
  • the effective and efficient use of resources
  • profitability and financial performance
  • statutory and regulatory requirements

What makes a good KPI?
The KPI should be relevant to the control of critical parts of your organisation.   The KPIs should also be quantifiable and should enable you to set measurable objectives, identify and predict trends and if required take corrective, preventive and improvement actions.

Are you best in class?   Take the test…
How you use the KPI is often another matter.   ISO 9004 has provided a self assessment test to allow you to assess where your organisation is regarding the use of KPIs.   On a scale of 1 to 5 (1 being poor – 5 being best in class) take a look at the following self assessment questions to see where you think you are on the ISO 9004 business maturity scale.

Business Maturity Level 1: Very limited set of data from measurements and assessment is available to support management decisions or tracking of the progress of actions taken.   Basic indicators (such as financial criteria, on-time deliveries, and the number of customer complaints, legal warnings and fines) are used.   Data are not always reliable.

Business Maturity Level 2: There is a formal set of definitions for key indicators related to the organization’s strategy and main processes.   Indicators are mostly based on the use of internal data.    Management decisions are supported by the outputs from reviews of the management system and additional key performance indicators.

Business Maturity Level 3: Process-level objectives are related to key performance indicators.   Data is available to show how the organization’s performance compares with that of other organizations.   The main conditions for success are identified and tracked by suitable, practical indicators.   Management decisions are supported by reliable data from the measurement systems.

Business Maturity Level 4: Data is available to show progress on key performance indicators over time.   Deployment of the strategy and objectives are monitored.   Performance indicators are established, widely deployed and used for strategic decisions regarding trends and long term planning.   Systematic analysis of data allows future performance to be predicted.

Business Maturity Level 5: Systematic analysis of comprehensive data allows future performance to be predicted with confidence.   Indicators contribute to good strategic decisions.   KPIs are selected and acted upon in a way that provides reliable information for predicting trends and for taking strategic decisions.   Risk analysis is performed as a tool for prioritizing improvement.

The most important thing here is to identify where you are in terms of business maturity and how you can improve your use of KPIs as a business control and improvement tool for the coming year.

And finally, if the KPIs you are measuring do not drive any kind of process control, action or improvement, make it your New Year’s resolution to save some time and effort and stop measuring them!

Your top 10 OH&S Objectives

January 17th, 2011

You may be thinking about setting your Health and Safety objectives for 2011.   If you are short on inspiration, here are a few ideas straight from OHSAS 18001:2007…

  1. Look at your risk assessments – what hazards still have a high risk score?   Can you reduce these in any way?
  2. Still looking at your risk assessments – have you really used the hierarchy of control in deciding robust control measures or are there hazards that rely a bit too much on ‘good old’ supervision and PPE for controls?
  3. Your policy (the little used document in your reception area) – take a look at this.   If you have made commitments in the policy then you really should be setting objectives to achieve these.
  4. Accidents and incidents from last year – have you closed out all corrective actions or are there still some outstanding issues?
  5. Near misses – again, have you closed out all corrective actions or are there still some outstanding issues?
  6. Management Review – you probably made some commitments in the meeting – it’s always worth taking a close look at this and making sure any actions are tied into your objectives for the year.
  7. Compliance Evaluation… Did you find any areas that needed improvement from your review?   (Did you do a review????)
  8. Health & Safety committee meeting minutes – Review the minutes to make sure you have picked up any longer term actions into your objectives.
  9. OHSAS 18002 & OHSAS 18004 – The Guidance documents are packed with help and advice on how to apply and improve OHSAS 18001 in your organisation – take a look at them for inspiration.  
  10. HSE Web Site – Very user friendly and full of free information – Use this to look for any up and coming changes in legislation so that you and your organisation.

And finally for every objective don’t forget these should be measurable if possible and have a clear responsibility assigned with a time scale.

Getting Caught Short

November 15th, 2010

Recently, a UK company, Strachan and Henshaw, was fined £30,000 plus costs for failure to improve ‘filthy and dilapidated’ toilets. This seems a hefty fine but is a good reminder to ensure that the requirements of the Workplace, Safety, and Health and Welfare regulations 1992 are reviewed on a regular basis during health and safety audits.

The regulations require the provision of ‘suitable and sufficient sanitary conveniences’. In addition, employers must provide:

  • enough toilets and washbasins for those expected to use them – people should not have to queue for long periods to go to the toilet;
  • where possible, separate facilities for men and women – failing that, rooms with lockable doors;
  • clean facilities – to help achieve this, walls and floors should preferably be tiled (or covered in suitable waterproof material) to make them easier to clean;
  • a supply of toilet paper and, for female employees, a means of disposing of sanitary dressings;
  • facilities that are well lit and ventilated;
  • facilities with hot and cold running water;
  • enough soap or other washing agents;
  • a basin large enough to wash hands and forearms if necessary;
  • a means for drying hands, e.g. paper towels or a hot air dryer; and
  • showers where necessary, e.g. for particularly dirty work. 

A more extensive code of practice is available from the HSE web site, but the link below includes the HSE information guide for managers, which provides a good summary to use when preparing for an audit of this legislation.

indg244 Welfare Regulations – A short guide for managers

Auditing Documentation Control

November 11th, 2010

Although this is probably not the most exciting audit to do, it is worth performing an audit across your business from time to time to assess how documentation is controlled.

A question of risk…
It is important when planning your audit to look at the overall risk to your business posed by documentation control.   The fact is, no one has ever died because the wrong revision of the internal audit procedure was being used but some big mistakes have been made because the wrong specification was issued.

Of course system documentation is important and yes you will pick up non conformities during certification body assessments for poor control of system documentation but you also need to look at the control of all types of documentation in your business.  

Typical documentation can include:

  • Quality Management Policy, Manual and Procedures
  • Operational Procedures
  • Operational Checklists
  • Training Documents
  • Documents sent to/used by customers
  • Bills of materials
  • Price Lists
  • Product & Test Specifications
  • Art work and packaging proofs
  • Service Level Agreements
  • Method Statements
  • Documentation sent to and from suppliers
  • Design documentation

 Also don’t forget external documentation – I often get told during audits that there aren’t any external documents only to find a long list of important documents that are not being controlled effectively.  

External documents may include:

  • Product/service legislation
  • Product/service design standards
  • ISO standards and other industry requirements
  • Customer policies and specifications
  • Service level agreements
  • Contracts
  • Customer designs

 For each type of documentation you should assess the core controls as identified in the check list below:

 For internal documents:

 Is there a documented procedure available to define controls for all document types identified?

1. Does this procedure identify who can approve and issue each type of document?

2. What is the process for updates and changes?

Are changes approved before issue?   Is this approval by the same ‘authority’ as the initial issue or has this changed?   If so is this adequate to control the document issue?

Are documents reviewed from time to time to make sure they are still relevant and being followed?   If there is a review period is there evidence this is being followed or are documents out of date?

Are hand amendments allowed in the procedure and if so are these properly authorised?

3. Does each document have a clear title/identification and is there a clear revision level for the document?

4. How are changes to documents communicated to the people who need to use the document?

5. How are documents of each type circulated?   Are the right documents available at each point of use?

If this is controlled by a computer system, what happens if this system is not available?

7. Are any documents used at other/remote locations?   If so how do you know the correct version is being used?

8. For external documents – what controls are in place to identify any updates to:

Legislation and standards?

Changes to customer designs and requirements?

Changes in any contracts/service level agreements?

9. What happens to obsolete documents?

When new documents are issued are you sure the old documents are removed from use?   Is it obvious which documents are obsolete or is there a chance of confusion?

Are old documents retained for reference and if so are these identified?

Document control is a process that requires auditing from time to time to ensure compliance and control business risk. Don’t forget, you can download the audit checklist below.

Document Control Checklist

Accidents…Do You Comply?

September 30th, 2010

This month, Checklist of the Month takes a look at your OHSAS 18001 system and how you investigate accidents and incidents.   The checklist looks at base compliance to OHSAS 18001 and also RIDDOR so should give you plenty to audit.    

The checklist is also available here for anyone who wants to download and audit.  

Sept Checklist Accident Investigation

Checklist…

1. Is there a documented procedure for the process?   Is it controlled? (4.4.4 & 4.4.5)

2. Is the procedure defined for:

- Accident/Incident Reporting

- Investigation of any issues

- Corrective Actions

- Closure of actions and verification of effectiveness

(4.5.3)

3. Are accidents/incidents recorded and are records maintained?

For how long are records retained?

Note: check 3 years retention for any RIDDOR? (4.5.4)

4. Are key people aware of accident reporting procedure & have they been trained? (4.4.2)

- Managers? First Aiders?

RIDDOR Regulations 1995

5. Does the procedure define the requirements for reporting under RIDDOR?   Review records to ensure compliance?

6. Does the procedure ensure that dangerous occurrences are reported under RIDDOR?

7. Check that all accidents and incidents have been reported.

How is 3 day lost time calculated for any RIDDOR (exclude day of accident but include rest days?).

Other Issues

8. Are accident and incident issues discussed at the H&S reps team meeting? (4.4.3.2)

9. Are accidents and incidents communicated to the organisation as required? (4.4.3.1)

10. Is accident/lost time data reviewed at management review? Have any trends been identified as a basis for improvement? (4.6)

Bonus Questions…

As mentioned, this checklist is all about base compliance to OHSAS 18001 and also RIDDOR (so you can use this for part of your compliance evaluation), but it does not cover things like near miss reporting, which is best practice, so it may be worth considering this in your audit. It is also worth a look to see if accident/incident actions feed back into the risk assessment process (and result in an updated risk assessment), as this really does help to complete the ‘Plan-Do-Check-Act’ cycle and also keeps your risk assessment ‘living’.

Internal Audit Best Practice

September 23rd, 2010

ISO 19011:2002 is the standard that covers the auditing of Quality and Environmental management systems and, after 8 years, the International Standards Organisation (ISO) is looking to revise this.

With a focus on enhancing the standard, ISO 19011 is now out for final comment and will be published next year.   This will include the following changes:

  • There will be more of a focus on internal auditing.   The standard at the moment covers internal auditing but has a focus on supplier and certification body (second and third party) auditing.   With the previous publication of ISO 17021, there is now a standard for certification body auditing and ISO 19011 should focus more on internal auditing.
  • ISO 19011 was originally published to cover Quality and Environmental auditing.   Over the last few years there are now many different systems to audit (Health & Safety, Food, Social Responsibility, Information Security etc) and ISO 19011 is being updated to reflect the differing competencies required to audit these systems adequately.    Competencies will include for instance knowledge of legal requirements, and other specialist areas such as waste minimisation, risk assessment and sustainability.
  • The concept of risk based auditing will also be included, whereby significant business risks (e.g. most important contract, most significant aspect and most significant H&S hazard) are prioritised for auditing.   Although you could argue this is nothing new, it is a step in the right direction to make sure internal audits continue to deliver value to any organisation.
  • Remote auditing is another area covered by the revised standard.   Although traditional face to face auditing is still favoured by many, the use of video conferencing and remote web based reviews are now covered in the revision.

It may be easy to dismiss the changes to this standard as custom and practice but ISO 19011 is used as the guidance for IEMA and IRCA auditor training courses so you should see these concepts filtering into training courses when the standard is published sometime in 2011.

Value Added Internal Audits

August 23rd, 2010

Check List of the Month

An audit of the audit system, I hear you say! Whatever next? Well, actually it is a mandatory requirement, but it often confuses people on what they should actually ask during their ISO 13485 internal audit.

Here is a checklist that will allow you to thoroughly audit your ISO 13485 internal audit system.

The checklist can also be downloaded in checklist style below so that all you have to do is print the checklist out to use it as part of your audit.

ISO 13485 Checklist – Internal Audits 

Audit Programme

1. Is there an audit programme available, approved and communicated? (8.2.2)

2. Does the audit programme cover all processes & clauses of ISO 13485? (8.2.2)

3. Does the audit programme cover processes (or does it tend to follow procedures within the system?).   (8.2.2)

4. Does the programme reflect the results of previous audits & importance of process? (8.2.2)

5. Are auditors trained? Check training certificates/records. (6.2.2)

Audit Procedure

6. Review audit procedure (8.2.2) does this cover:

- Requirements for planning audits?

- Checklist preparation as a means to record objective evidence?

- Non conformity reporting including categorisation (e.g. Major/Minor/Improvement etc)?

- How corrective actions are agreed, verified and followed up?

- Requirements for auditor competency?   (6.2.2)

Reporting & Records

 7. Are records of internal audits maintained? (8.2.2)

 8. Are these records maintained?   If so for how long? (4.2.4)

 9. Are records of any non-conformities and corrective actions maintained? (8.5.2)

 10. Are records of root cause and corrective action verification maintained? (8.5.2)

System Effectiveness & Improvement

11. Is the audit programme on track (or have some audits been missed this year?)   (8.2.2)

 12. Are corrective actions from internal audits closed in a timely manner?   How many overdue actions are there?   (8.2.2)

 13. Are audits reviewed at management review as a means to improve effectiveness? (5.6)

 14. And finally, always ask yourself…does the audit programme provide real information to the senior management team to identify the real risks to the business and drive improvement if required or is it just a tick in the box exercise?