by Radley M. Smith, Roderick A. Munro, Ph.D., Ronald J. Bowen
The automotive industry requires its suppliers to use internal auditors to verify their quality and environmental management systems (QMS and EMS) as outlined in ISO 9001 and ISO 14001, respectively. However, the International Automotive Task Force and Ford Motor Co. have directed additional training and experience above the general requirements of ISO 9001. This article will discuss some of the qualifications of internal auditors and the process approach to auditing required in the automotive industry.
The controlling document used by the International Organization for Standardization for auditing both QMS and EMS is ISO 19011, "Guidelines for quality and for environmental management systems auditing." This document is to be used by all organizations (registrars and companies seeking registration) to manage their auditing programs. Both ISO 9001 and ISO/TS 16949 require that top management conduct an internal audit program to ensure that management's planned results and customer satisfaction requirements are being met.
Top management is responsible for ensuring that internal auditors are adding value to the organization through the auditing process. Instead of good traffic cops--i.e., those who can read procedures and catch people doing something wrong--what is needed are individuals who will be able to look at processes from a systematic viewpoint and then generate ideas for improving customer satisfaction.
The organization should use ISO 19011 as a guide when selecting internal auditors. ISO 19011 contains four clauses that auditors should pay special attention to:
• Clause 4, "Principles of audit program." Internal auditors need to be ethical; able to provide fair (that is, appropriate) assessments; able to demonstrate a level of professionalism as defined by management, independent of the work that they normally do; and trained in the evidence-based process approach to auditing.
• Clause 5, "Managing an audit program." The audit program must be managed with identified objectives and goals. Some considerations for these could include management priorities, commercial intentions, management system requirements, governmental regulations, customer requirements, the need of other interested parties and risks to the organization. Responsibilities, resources and procedures for the audit program must be clearly defined and implemented, with records maintained, reviewed and acted upon accordingly (as noted in subclauses 5.2.1, 5.2.2, 5.3.1, 5.3.2, 5.3.3, 5.4, 5.5, and 5.6).
• Clause 6, "Audit activities." The audit process should follow a clearly defined process and apply all the basics of good auditing practice and technique (as flowcharted and outlined in ISO 19011). This typically starts with appointing the audit team leader; defining the audit objectives, scope and criteria; determining the feasibility of the audit; selecting the audit team; and contacting the auditee. A document review should then be conducted, as well as preparation for on-site audit activities. The standard on-site audit consists of an opening meeting, communication during the audit, establishing the roles and responsibilities of guides and observers, collecting and verifying information, generating audit findings, preparing audit conclusions, and conducting the closing meeting. An audit report is then prepared, and approvals and distribution take place according to plans. At this point the audit can be considered closed, and follow-up procedures should be used to close any remaining open items.
• Clause 7, "Competence and evaluation of auditors." The organization must choose internal auditors who are competent in conducting internal audits. Important considerations are such personal attributes as knowledge and skills, education, work experience, auditor training and experience, and maintenance and improvement of competence.
Your internal auditors will need training on ISO/TS 16949. The internal auditors should start by reading all of ISO/TS 16949 and the related core tool documents. There are a number of additional materials that are customer-specific that may need to be read, depending upon who your customers are. Your organization should assign someone to monitor customer-specific and general document updates, and this person should confirm that internal auditors are being trained with the most current documents. For ISO/TS 16949 and customer-specific requirements, visit www.iaob.org. (This site should be checked weekly.) The core tools and related documents can be found at www.aiag.org. For customer's documents, contact the customer's purchasing department.
Ford's customer-specific requirements have the strictest internal auditor procedure and have been suggested as a potential automotive industry benchmark. Consider using the following outline to train/upgrade internal auditors in your organization:
• An initial assessment of the understanding and ability to utilize the following documents, followed by formal training (usually a one-day minimum):
- The technical specification (ISO/TS 16949)
- Related core tools (e.g., APQP, PPAP, FMEA, SPC and MSA)
- Applicable customer-specific requirements
- The process approach to auditing
• Ongoing testing and training in understanding and applying the following requirements:
- The technical specification (ISO/TS 16949)
- Related core tools (e.g., APQP, PPAP, FMEA, SPC and MSA)
- Applicable customer-specific requirements
- The process approach to auditing
• Practice sessions (equivalent to one audit day) on:
- Case study audits
- Auditing role plays/simulations
- On-site audits
The starting point for ISO/TS 16949 is to understand your organization's existing processes. Under QS-9000, many people came to understand the basic process model. (See figure 1.) This model can be seen in any activity and represents a balance of energy going into a process and coming out. If you don't have a balance, waste is present in the process.
By understanding the basics of any activity through the process model, you can start looking deeper into what is happening in your organization. Six Sigma practitioners have expanded the process model to get the supplier-input-process-output-customer (SIPOC) model. (See figure 2.) This includes recognition that every process has customer(s) and supplier(s). Sometimes organizations change, and processes that were at one time important are no longer needed. The challenge is to determine if your current processes still add value to your organization and its customers.
Under ISO/TS 16949, we now move to what is called the turtle diagram for individual processes. (See figure 3.) This takes the basics of the process model and adds aspects of the SIPOC to what is being done in the process to satisfy customers. Internal auditors must review these diagrams for every major process in your organization. If the internal auditors don't find such diagrams, they will have to create them as they go. (Remember to leave a copy in the area for the next auditor.) Some say that the turtle diagram is a cross between the SIPOC and a cause-and-effect diagram. This is a good analogy because the turtle diagram looks at how the process satisfies the customer (typically an internal customer at this stage). By looking at what is really happening vs. what procedures say is supposed to be happening, an evaluation can be made as to whether the process is effective in meeting the customer's requirements.
The next step is for management to start connecting the turtle diagrams (i.e., individual processes) into larger flow maps showing how the company functions. This is called an octopus diagram, and it looks at the sequence of activities and how these elements actually work together. Top management may need several levels of maps to show high-level, medium-level and shop/office activities. It's important to show how activities are interconnected and what is being done to satisfy the ultimate customers of your products and services. Internal auditors should evaluate the organization using the octopus diagram(s) to look for opportunities to improve customer satisfaction.
An analogy here could be the advanced product quality planning (APQP) process. Note that every output of one phase becomes an input into the next phase of the planning model. Everything is used (a balanced system), thus making everything a value-adding process. Waste is eliminated, and planning for contingencies is part of the process. This ensures that customers receive what they expect and what will work with their systems.
The organization should coordinate the construction of the octopus diagram, and evidence of the use of these diagrams might well appear in minutes of management meetings. Points (sometimes called process characteristics) that the organization should recognize in the processes include:
• A process owner exists.
• The process is defined.
• The process is usually documented.
• The process linkages are established.
• The process is monitored.
• Records are maintained.
An organization can demonstrate full coverage of the QMS by using the octopus diagram as a guide/model for managing the organization. Reviews of what is actually occurring should be evident, and the use of the internal auditor reports become a key management tool in verifying that what is believed to be happening is in fact a reality. Some questions that can be asked during reviews are:
• If the process is eliminated, will the customer notice?
• Does the customer have a metric for the process?
• Do any of the inputs and/or outputs directly affect the customer?
• Have we identified the support processes as value-adding activities?
• If we were to design what we do from scratch, would it look that same as what we are doing today?
Internal auditors need to look for evidence that top management is asking these and other questions of the current systems. Such evidence is proof that continual improvement is being sought in every aspect of the business. (Note: In any given audit, internal auditors should be writing far more preventive action requests than corrective action requests.)
At any point in the octopus diagram, there can be some form of customer interface, either with an input and output, or both. These processes must be identified and given special attention to ensure that information is collected on customer satisfaction metrics.
These interaction points can include any number of activities. Some areas that the internal auditors can look for include:
• Market analysis
• Bid/tender
• Order/request
• Product and process design
• Product and process verification/validation
• Production part approval process (PPAP)
• Product production
• SQA/STA reviews
• Shipping/delivery
• Payment
• Warranty/service
• Post-sales/customer feedback
One key point is to gather some type of customer input in these highlighted processes so that data are collected on what the customer perceives as value-adding activities. A correlation should then be established with the rest of the processes to ensure that what the company is doing will satisfy its customers. The internal auditors should look for this information and make a judgment as to how effective the overall process is in satisfying the customer.
Here the evolution from QS-9000 and ISO/TS 16949:1999 to ISO/TS 16949:2002 can be seen. In ISO/TS 16949:2002, we start with what the customers say they want and need, and evaluate how the organization meets customer requirements. Internal auditors are tasked with reviewing the system, not the departments or functions as required by QS-9000 or ISO/TS 16949:1999, from the standpoint of process effectiveness.
Establishing procedures and proving that they are being followed will no longer suffice. Although that practice theoretically helps reduce variation for the customer, in actual practice it has been shown that after the auditors leave, organizations frequently go back to doing what they did before. Such behavior doesn't help the organization improve. Auditors are now to start by looking at the process effectiveness in all areas they visit, and to ask questions relating to customer wants and needs, and how those are being met.
Under ISO/TS 16949 and ISO 9001, auditors (internal and external) view the organization horizontally, according to the process model, instead of as a group of vertical/functional departments. Custome rs see the results of the organization's work, so an ISO/TS 16949 audit will view the organization in the same manner. What is shown to auditors is merely what is done every day. This method requires top management to be much more involved in overseeing the quality management system and more aware of the audit process than ever before. What is the organization, as a whole, doing to satisfy customers, and are plans' successes being evaluated in terms of the measurement of customer satisfaction?
The internal auditing function under ISO/TS 16949 covers a number of areas that were not addressed in QS-9000. The organization, including the management committee (instead of the management representative), has the responsibility to ensure that all aspects of the internal audit process are planned, implemented and maintained, and that the information generated from the internal audit reports is reviewed and acted upon during management meetings. If this is not the case, suboptimized results may be achieved, and top management may miss opportunities for improving customer satisfaction.
The internal audit program must be seen as a value-adding activity for the organization. Top management must understand the reasons for taking people away from their regular jobs to review the overall system. This is why internal auditor selection is important and must be considered carefully. If the organization seriously considers the internal audit results and takes action appropriately, it can become an honor for employees to be asked to become internal auditors.
Note: This article was excerpted from chapter 16 of The ISO/TS 16949 Answer Book: A Step-By-Step Guide for Automotive Suppliers (Paton Press, 2004).
Radley M. Smith is author of The QS-9000 Answer Book, and co-author of Quality System Requirements: QS-9000. Roderick A. Munro, Ph.D., recently retired from Ford Motor Co., where he was senior engineer in the Supplier Quality Improvement Initiative. He is currently the principal of RAM Q Universe Inc., a quality training and consulting firm. Ronald J. Bowen recently retired after 46 years with General Motors Corp., where he served in a variety of quality, auditing, and environmental positions.
|