ISO Internal and Supplier Auditing

How Guaranteed Internal Audits Lead To Certification – They also result in improved processes

Process auditing has been a part of Cavendish Scott’s expansive suite of ISO services since 1985 when Colin Gray, leader of Cavendish Scott, and two partners founded the firm. Since then, the firm has conducted numerous internal audits and, for more than 30 years, Cavendish Scott has provided written guarantees that its ISO internal audits will lead to successful certification audits.

Three Types of Process Audits

In the world of management system standards, two types of audits work in tandem and the terms can be confusing. Cavendish Scott performs dozens of internal audits each year, helping assure clients they will pass the certifying audit that will follow. As part of its internal audits, Cavendish Scott helps clients find solutions to any problems that occur.

On the other hand, representatives from certifying organizations perform certifying audits, which are sometimes called external audits. These auditors must be objective and independent. They can—and must—tell organizations what their deficiencies are, but they are prohibited from intervening to help organizations address those issues or improve, for fear of conflict.

Yet another category, second-party audits, may be performed by or on behalf of the organization’s suppliers or contractors. The purpose of these audits is often to assure conformance to proprietary requirements or specific functional aspects. They function similarly to internal audits and are often closely controlled by the audit customer. Since the purpose of these audits is internally inspired, they can actually be considered as a special form of internal audit.

The Internal Audit Process

In performing internal audits, Cavendish Scott follows a defined plan with controls, which is executed by experienced auditors who are knowledgeable about management system standards.

Conversations about an internal audit begin months before the actual event. Then, as the date grows closer, Cavendish Scott coordinates with the client’s point of contact on specifics like the need for certain documents and meetings with particular personnel. Cavendish Scott provides support and documents to help the point of contact prepare the personnel involved in the audit. As a result, everyone involved in the audit is well prepared. And, everyone in the organization is alerted about the audit.

Certifying auditors don’t emphasize documentation as much as they did in the past. But documentation is essential in any defined and planned system and Cavendish Scott starts audits by inspecting documents and cross-referencing them with the standards. Auditors use documentation not just to seek out whatever potential shortcomings may be present but also to prove that clients follow what they do correctly and meet the standards—and can, therefore, obtain certification. Whenever possible, Cavendish Scott offers suggestions for improvements to processes but doesn’t ever usurp the client’s authority and responsibility to make decisions about how their business is run and success achieved.

The time that an audit requires depends on the size of an organization and other factors. For a company with 100 employees, six auditor days may be needed. So two auditors would be scheduled for three days or three may be scheduled for two days. All or part of the audit may be done remotely, allowing more flexibility with timing and enhanced focus on the inevitable computer records, and also reducing the need for travel expenses. The flexibility of a remote or hybrid audit also means an audit can be spread over several days or even weeks.

A few days after the observations and interviews are finished, Cavendish Scott provides a full, formal, comprehensive report. Its comprehensive scope includes all the preparation and planning, evidence collected, people and records reviewed, findings (observations and nonconformances), opportunities, risks, evidence noted, auditor qualifications, summary, and conclusions. There is also plentiful supporting content justifying the audit, its approach, objectivity, roles, and similar factors. Of course, Cavendish Scott guarantees this report will meet the needs of the client’s certification auditor.

The goal of Cavendish Scott is to keep clients informed and certified, whatever it takes.

The below post from the Cavendish Scott website explains why it’s important to hire full-time professional auditors for internal audits.

Internal ISO Audits: A Job For The Pros

One of the most important decisions organizations face when planning their annual internal audits is whether to perform the function in-house or call in professionals. Without question, Cavendish Scott recommends the approach with professional, internal auditors.

Pros Bring Depth of Knowledge

All Cavendish Scott auditors take the 40-hour IRCA-accredited ISO 9001:2015 lead auditor class and pass the IRCA exam. But that’s only the beginning. The most experienced Cavendish Scott auditors spend significant amounts of time mentoring and training hundreds of new auditors each year.

Advantages Of A Pro Audit

Advantages of Cavendish Scott audits include the following.

Breadth of experience: Each Cavendish Scott auditor is involved in approximately 50 to 70 audits a year, working with organizations of various sizes in a range of industry sectors. The exchange of knowledge and understanding that come from working in teams further extends the breadth of experience they bring to audits.

Outside perspective: Whether it’s a process or a material object, something that’s been around for a while can be taken for granted. In a typical example of an internal audit performed by Cavendish Scott, a member of the auditing team recalled, “There was a hodge-podge of uncontrolled documents on walls and machines. They were so much a usual part of the environment that personnel no longer noticed them. When the auditors arrived they were immediately drawn to the discordant display.”

Inside neutrality: Internal auditors have a position within the hierarchy of their organizations. Especially when changes are in order, it’s difficult for personnel to audit leadership and management even though that’s part of a full-system audit. Cavendish Scott auditors are always willing to speak truth to power when reporting to organizational leadership. This is often the most important part of any audit.

Lack of disruption: Other responsibilities often leave in-house auditors with little time for audits. And they often audit only for a few days a year so they are hardly unobtrusive and swift. Because an internal audit by Cavendish Scott requires minimal time from a client’s staff, disruption of usual operations is also minimal. Whenever possible, Cavendish Scott conducts simultaneous audits for organizations that are certified in multiple standards. When needed, several personnel are assigned to an audit, expediting its completion. The bottom line is that audits by Cavendish Scott are quicker, less intrusive, and more thorough in getting the job done.

Consulting during the audit: Because Cavendish Scott becomes part of each client’s team, the goal of auditors is to help and prepare clients as thoroughly as possible. Auditors can discuss issues they find during an audit and talk about streamlining and optimizing processes. And they always cover risks and opportunities that come out of an audit. Cavendish Scott is so committed to assuring clients’ ongoing certification that the firm guarantees that clients will pass their certification audits or remain certified. Cavendish Scott provides this support in a way that helps clients remain compliant in the least obtrusive way, the most sensible and easy-to-maintain way, and a way that drives value into their organization.

Ongoing support: Cavendish Scott auditors are full-time employees, not subcontractors. Because they work in teams, clients can always reach someone to help with their concerns, even if their primary auditor isn’t available. Besides being available for the duration of an audit, Cavendish Scott auditors are always available for additional support as needed after the audit and throughout the year.

Sound Advice on Corrective Action: During an audit, Cavendish Scott auditors provide coaching and teaching while auditing. They identify improvement opportunities and best practices, and address issues and problems that go beyond minimum requirements. After an audit, the firm continues to be available if clients have findings (discovered internally or by a certification body) and need help with resolution. Delays to certification and repeat-action submissions are expensive, so Cavendish Scott helps clients avoid these.

Readiness for other audits: Cavendish Scott audits prepare clients in the most effective manner, highlighting risks (other auditors often won’t notice or pursue some issues) and promoting opportunities. Cavendish Scott guarantees clients they will pass or maintain certification, and the firm’s audits are also accepted by most reputable customers, positioning clients well for any audits. Guaranteed.

Pro Audits Mean Assured Quality Management

Cavendish Scott has sometimes performed internal audits for a few years for clients who then decide to perform the function in-house. Then something happens. They don’t get the internal audits completed or they soft-pedal the audit, maybe because they don’t report findings or they don’t know what to look for. When the registrar comes in for their annual audit, major nonconformities are identified, jeopardizing certification and possibly leading to a panicked phone call to Cavendish Scott.

Cavendish Scott finds that a proactive plan that includes professional internal audits provides valuable protection for clients’ investment in ISO certification and is an essential element of a quality management system.

The Certifying Audit Process

Certifying audits, which take place in two stages, generally follow internal audits. It’s best to allow enough time between the internal and certifying audits for any corrective action that needs to be taken, but not long enough for processes to slacken.

The first stage of a certifying audit is generally more relaxed and informal than the second stage. The auditor reads the procedures, makes sure the organization has sufficient documentation, checks to make sure the data is in order, and prepares a detailed schedule for the second stage. If all goes well, the second stage is confirmed.

Compared to the first stage, the second stage is more structured with a formal opening and closing. Its purpose is to make sure the plan is properly enacted. Discussions take place about quality, goals and processes. The schedule is followed, management and employees are interviewed, records are reviewed and activities observed.

Some issues may go unaddressed if the auditor observes items he or she does not feel need to be reported. If the auditor finds significant deficiencies, these are stated explicitly in writing. When organizations disagree with an auditor, they may repudiate unfavorable findings.

After the audit is complete, the certifying organization conducts an independent review of the auditor’s report, determines whether the organization has passed the audit, and issues the certification if appropriate.

Certification is issued by the certifying organization and not the International Standards Organization, which publishes standards but does not certify. The ISO logo may be used in connection with certification but only under careful controls. Certification is usually good for three years, with annual assessments in the off years.

The goals of the internal and certification audits are different. Cavendish Scott strives to improve management systems and add transparency and accountability, if needed, in their internal audits. The goal of the certification audit is to assess the compliance of the system, ensuring it meets basic requirements for a good assured management system.

The Deming Connection

The ISO model for standards is based on business practices promulgated by W. Edwards Deming following World War II, most notably the plan-do-check-act cycle, which is also attributed to one of his mentors.

Born in Sioux City, Iowa, in 1900, Deming earned his bachelor’s degree in electrical engineering at the University of Wyoming in Laramie. He received his master’s from the University of Colorado Boulder and his doctorate from Yale University, both in mathematics and physics.

In 1927, Deming met Walter A. Shewhart, who is sometimes known as the father of statistical quality control. Shewhart’s ideas were a strong influence on Deming and the two sometimes collaborated. Shewhart developed the model that Deming refined to create the plan-do-check-act cycle.

Deming is best known in Japan for helping to bring about the transformation sometimes called the Japanese economic miracle. In the aftermath of World War II, Gen. Douglas MacArthur asked Deming to come to Japan in 1947 to help with the Japanese census. At the request of the Japanese, Deming stayed on and helped the war-torn nation become the second largest economy in the world. Even now, a connection is sometimes drawn between Deming’s shared expertise in quality-control techniques and the Japanese insistence on smaller margins of error in manufacturing processes compared to their competitors. Toyota and Sony are two prominent Japanese companies that may attribute their success in some part to Deming.

In the U.S., Deming may be better known for the “14 Points for the Transformation of Management.” His 1982 book Out of the Crisis contains a theory based on fourteen points that aim to help organizations stay in business, protect investment, ensure future dividends, and provide more jobs through improved products and services. U.S. companies that have been influenced by Deming include Lockheed Martin and Honeywell.

Deming died in 1993, but his legacy lives on in many ways. He established the W. Edwards Deming Institute in Washington, D.C., in 1993. Its aim is to “enrich society through the Deming philosophy.” Sampling techniques he developed are still in use by the U.S. Department of Census and Bureau of Labor Statistics. Goodreads lists 21 distinct works by Deming and together they have a rating of more than four out of five based on 134 reviews.

And, of course, Deming’s plan-do-check-act cycle remains in widespread use through organizations around the world that adhere to ISO standards.

The PDCA model consists of the following:

Plan – Design a process. Establish objectives and processes to achieve them.

Do – Put the process into operation. Implement the plan and gather data related to its execution.

Check – Assess whether processes are operating as designed. Analyze the data collected during the “do” phase.

Act – Take appropriate action accordingly. While the “do” and “check” phases help to identify issues, the “act” phase is where they are addressed. Causes or shortfalls are investigated. Risk is re-evaluated. At the end of this phase, processes have better objectives or instructions. The cycle raises the baseline for the next round of planning.

Planning and doing are necessary for implementation, but checking and acting require auditing. All four phases are necessary for standards to be effective and receive certification. Auditing is the way of assuring that processes are working according to their design, and it’s at the heart of ISO.

Many Standards, One Approach To Auditing

Cavendish Scott works with many different management system standards, each of which is designed to achieve a specific purpose. Each relies on the management of processes that have explicit objectives and goals. When possible, Cavendish Scott performs simultaneous audits of all the standards an organization has implemented.

Included are:

Beyond ISO, Cavendish Scott works with standards related to the following:

  • Federal Aviation Administration
  • National Aerospace and Defense contractors Accreditation Program
  • Nuclear Quality Assurance
  • Capability Maturity Model Integration
  • Baldrige Performance Excellence Program
  • Various industry sectors, including petroleum, oil and gas; automotive; and software security

In working with many versions of these standards, Cavendish Scott always brings the firm’s signature expertise in the optimal design of solution management systems for the benefit of the organization and the assurance of compliance with standards-based requirements.

In addition to auditing, Cavendish Scott activities include comprehensive consulting services and in-house, public, accredited, and customized training in these standards. This enables auditors to interact with multiple clients in many sectors around many industries and standards. Through this experience, Cavendish Scott auditors have had the privilege of meeting great leaders, incredibly visionary managers and brilliant technical people, as well as seeing phenomenal process controls and products and great ideas.

This provides auditors with plentiful real-world experience that informs the support they provide to clients, whether it’s in training, audits, consulting, or answering questions that come between scheduled and paid services. Even through this sharing of information, Cavendish Scott always protects clients’ private and proprietary information.

Successful By Design

While some view audits as mysterious processes with magical, unpredictable outcomes, Cavendish Scott approaches them with logical processes and controls that lead to predictable outcomes. Cavendish Scott helps clients become successful by design. It’s what Deming had in mind.

All successful certification audits end with certification, and for some organizations, that’s all that matters. ISO certification demonstrates to customers that an organization is well run and its processes are well managed. For example, the goal of ISO 9001 is to satisfy customers by providing them with the right product on time, and certification shows that an organization has the processes in place to do those things. That attracts business.

Some may perceive the plan-do-check-act approach as a linear process that begins with planning and ends with corrective action that brings the management system into compliance with the original plan. But that’s not the way Deming envisioned it and it’s not the way Cavendish Scott practices it.

Cavendish Scott knows that plan-do-check-act is a continuous, ongoing loop designed to foster improvement in processes. The goal is not just to make sure everything is good. It’s to make sure everything is good all the time. The goal is not just to make sure everything is OK. The goal is to use the cycle for constant improvement. Meaningful standards have the potential to inject discipline, control, and improvement into management systems. Certification is a guaranteed result of a Cavendish Scott internal audit, but it’s usually not the greatest benefit.

Occasionally Cavendish Scott hears from an organization that is left wondering after the completion of a certification audit. The auditor may not have seemed to be engaged, or did not audit thoroughly. Just because the certification audit is easy or lax or just not great does not mean that an organization should not be.

While certification organizations sometimes suffer from difficulties with their staff and organization, certification is different from a QMS (quality management system) and getting the most out of an audit usually pays off in the long run. If an organization wants to get all the benefits of a good internal audit, they may want to hire a firm, such as Cavendish Scott, that will help them understand auditing and improve their processes.

Remote Services: A Smart Way to Audit

Cavendish Scott became proficient in delivering services remotely even before the Covid-19 pandemic, but the firm learned one important lesson by delivering all services remotely: Providing auditing services remotely can be smart, whether it’s necessary or not. Significant opportunities and benefits come with remote audits.

The Covid-19 pandemic called for all Cavendish Scott operations to move online and they did so without a hitch. There were no problems, project slippages or failures and certainly no problem around the certification guarantee that comes with Cavendish Scott internal audits.

As with onsite audits, Cavendish Scott approaches remote audits with a defined process, tools and controls, as well as a plan. Before meetings are held, interviews are scheduled and communications technology is chosen and tested.

Because of the careful planning, the audit is often better focused and able to look at specific aspects in more detail. This can lead to specific and detailed suggestions, or help identify potential risks or open up opportunities.

Flexibility is one of the greatest benefits. While planning is still essential, a remote audit can be scheduled over two half days, or split days across a week. This can help an organization’s staff balance the responsibilities of their primary job with the demands of the audit. When needed, schedules can revolve around the availability of management, thereby making the audit less intrusive on day-to-day operations. Remote meetings are a great way to give everyone the opportunity to show up and participate.

Observation and walk-throughs of facilities are challenging despite camera technology. But, the purpose of an internal audit is not to snoop around or spy on anyone. The goal is to see everything and, as with other goals, careful planning can ensure this one is met in a remote audit.

One of the most obvious benefits of remote audits is that they do not involve travel expenses or time. And, just as they were safer during the pandemic compared to face-to-face audits, they may be safer in the future, too.

Cavendish Scott envisions a planning process that optimizes remote and onsite auditing. An audit for one client may include a single day onsite out of a five-day audit. Another client may have two years of remote audits followed by a full onsite audit.

Joining the Cavendish Scott Team

As has been noted in the Cavendish Scott blog, the firm sometimes needs to expand its contingent of full-time auditors.

The most important course for aspiring auditors to take, whether they wish to work at Cavendish Scott or elsewhere, is the official one approved by the International Register of Certified Auditors, IRCA ISO 9001:2015—Lead Auditor Training. Cavendish Scott was the first source in the U.S. to offer this course, which is recognized by auditor registration organizations including Exemplar Global. It is essential for registrar auditors and those involved in auditing quality management systems.

In addition to IRCA certification, ideal applicants for Cavendish Scott auditing positions have knowledge in the following areas:

  • The plan-do-check-act cycle
  • The core elements of a management system and the interrelationship among top management responsibility, policy, objectives, planning, implementation, measurement, review, and continuous improvement
  • The fundamental concepts and the seven quality management principles presented in ISO 9001
  • The relationship between quality management and customer satisfaction
  • Commonly used quality management terms and definitions, as defined in ISO 9001
  • Knowledge of the requirements of ISO 9001

Ideal applicants for full-time positions at Cavendish Scott also have experience with ISO 9001, ISO 13485, ISO 14001, and other standards, as well as experience in auditing. Whether applicants have gaps in experience, certification, and training or not, all new hires receive training and support as needed so they can conduct audits with colleagues and on their own. Entry-level auditors who have not yet taken the IRCA certification class may take it during onboarding.

Applicants need to have a base in Colorado so they can take advantage of ongoing professional development and the spontaneous exchange of ideas among staff members. They need to have the ability to travel extensively, usually five to ten days a month. And, perhaps most importantly, they need to be curious, hard workers who enjoy engaging effectively with others.

Even on the occasions when Cavendish Scott employs contract auditors, they are carefully selected and fully qualified.

Openings are posted and updated regularly.

Story Of An Experienced Auditor

Melodi Nelson joined Cavendish Scott in 2016, became an IRCA-certified and registered lead auditor within six months, and conducted about seventy-five to eighty internal audits per year during her first four years. She traveled about five to seven days a month and saw a huge variety in clients’ industries and their abilities related to management systems. Her background and experience have also allowed her to begin doing more consulting while continuing to participate in audits.

She loves her job because, with thousands of standards and millions of companies, possibilities for learning and developing are almost endless. “There’s so much opportunity for learning new things,” she says.

Being a part of the Cavendish Scott team is stimulating. Team members constantly bounce ideas off each other, share their stories and check in, as they serve each other as a support system, discussion group, and source of technical support. Together they live and breathe ISO standards, learning through training and professional development sessions, which are sometimes followed by happy hours.

The saying around the office is that “we always encourage each other to do the right thing and do it right,” Melodi says.

Planning is the Key

Many Cavendish Scott clients stay with the firm for years. “We have the privilege of going back year after year to help them improve their businesses through the internal audit process,” Melodi says.

Melodi’s first step in preparing for an audit is to plan. “Making sure everything is going to work is everything in auditing,” she says.

When she sends the schedule for an audit, she also sends a list of documents the client will need to have in order, such as all procedures and completed records that will be followed on audited processes.

Each audit begins with an opening meeting, which Melodi likens to the opening of a play. And, like a play, it can attract an audience of any size. She has been at audits attended by one person on behalf of the client and others with as many as 60 attendees.

The lead auditor introduces participants and tells what roles they will have in the audit. A discussion takes place about the details and logistics of the audit. “It’s an opportunity to make sure we’re on the same page and everyone knows what’s expected of them, as well as the scope of the audit, including any physical boundaries.”

Auditors check on whether they need a guide or translator. They confirm what they found out when they were planning the audit about whether there are areas where they will need personal protective equipment, like steel-toed boots, hard hats, or masks and gloves. Melodi says she’s especially appreciative of the guide who keeps her safe when she audits a small foundry in Michigan, where artisans melt metal at temperatures up to 2200 degrees.

The Audit

Melodi generally starts with management. “They play such an important role in ensuring the success of the organization, so it’s essential to get the story straight from them. They, too, have to have processes and in many respects theirs are among the most important.”

During the audit, auditors talk to workers involved in all aspects of the organization’s activities including sales, purchasing, production, and customer service. They chat with line employees and conduct formal interviews with some personnel. They also examine records and observe processes.

“A good auditor is using a multitude of senses while doing an audit—and it’s fun,” Melodi says. “For example, standards related to the aerospace industry call for all manufactured items that are substandard to be destroyed. Similarly, care needs to be taken that foreign object debris, known as FOD—like metal scraps, packing peanuts, and broken fingernails—needs to be properly discarded. We’re always looking and thinking.

“I’m looking for conformance to the standard and their own documented procedure,” Melodi says. “We don’t approach this as a ‘gotcha’ audit. We approach it as an opportunity to improve. We want to make sure clients do what they want—it’s their system–and they’re successful by design.”

Two Types Of Findings

Melodi explains the two kinds of audit findings. For nonconformance findings, she provides a short statement about the requirement that is not met and she cites the evidence she observed that led her to that conclusion. “It’s important to be precise and I like to make absolutely certain that there is no misunderstanding,” Melodi says. “This is a passion for all of us at Cavendish Scott.”

The other type of finding is an observation and that could consist of something like use of equipment that is behind schedule on calibration. It includes outlining risks and opportunities and recommendations, which are often discussed casually.

She doesn’t tell clients what to do, deferring instead to the clients’ decisions, but she discusses the situation, requirements, risks and options and ideas so they are fully aware of what they need to do. When she leaves, she says, the client can fix the issue and they can identify the underlying cause of the problem to keep it from cropping up again. “We want to make sure the responsible and accountable group is looking at the problem,” Melodi says.

At the end of each day of a multi-day audit, the auditors lead a discussion with the client about the day’s findings. Sometimes when clients explain their views of a perceived shortcoming, auditors are persuaded no shortcoming exists.

A closing meeting takes place at the end of the audit. Anyone may attend and while top managers sometimes skip the daily meetings, they often are present at the closing meeting. The auditors present all of their findings and the client may ask questions. “We put the curtain down and they know the audit is over,” Melodi says. This is the end of the play.

The Best Job In The World

Before starting work at Cavendish Scott, Melodi had worked in the organic food industry, managing ISO and other auditing for food manufacturing and other processes. She says other auditors were quality managers with some ISO responsibilities before coming to Cavendish Scott. She lists curiosity and good people skills as the most important characteristics for a successful Cavendish Scott auditor.

“I feel like I’m getting dropped into a new episode of ‘How Is It Made?’ on a regular basis,” she says. At one point, she was learning about solar projects through one client, software models with a different one and automotive standards on behalf of another.

Melodi reports that whenever she trains auditors she tells them how she feels about her job and she means it. “I love my job. It’s the best job in the world,” she says.

With more than 30 years of experience, Cavendish Scott offers consulting, training, and auditing services to help organizations meet an expansive suite of ISO standards. Organizations that would like to schedule or talk about an internal audit or other ISO services may contact Cavendish Scott.

Get Started Now and Get the Edge with an Internal ISO Audit