Auditing: a slapped wrist or a helping hand?

Measuring Business Excellence

ISSN: 1368-3047

Article publication date: 1 September 2000

480

Citation

Wharton, C.L. (2000), "Auditing: a slapped wrist or a helping hand?", Measuring Business Excellence, Vol. 4 No. 3. https://doi.org/10.1108/mbe.2000.26704caa.005

Publisher

:

Emerald Group Publishing Limited

Copyright © 2000, MCB UP Limited


Auditing: a slapped wrist or a helping hand?

Auditing: a slapped wrist or a helping hand?

Introduction

Nortel (Northern Telecom), Fixed Wireless Access was previously a predominantly Ministry of Defence (MoD) site and was assessed as a business against the MoD AQAP quality standards. In 1992 a decision was taken to move into the commercial telecommunications market, divesting the defence interests. Many changes had to be made to ensure that this change was effective.

As one of the many changes that had to be made, it was decided to move the business to the ISO 9000 assessment methodology rather than AQAP. As preparation was made for the first ISO assessment, it became apparent that a revised audit methodology would be required. The audit philosophy at that time had been developed for the MoD business and was very bureaucratic and rigid. The audit methods were entirely compliance based with the traditional "show me" phrases being the basis statement for all audits. The Nortel Fixed Wireless Access audit group would audit each business function on an annual basis, and on occasion this would lead to certain functions that had a need for further investigation being left for an entire year before being audited again. This meant that there was no focus on need and many issues that could have been avoided were not solved.

To improve the process a planning aspect was added which included introducing a deficiency metric. This entailed developing a chart which depicted quantities of "non-conformances" which were detailed under the ISO clause numbers and against the business's core functions. This was updated on a monthly basis and the information contained within was for a rolling 12-month period. A quarterly business system review (QBSR) was held and the deficiency metric used to plan the audits for the next quarter. This gave a focus on the functions that required a greater amount of attention.

Transition to a process-based management system

In 1995 the Nortel Fixed Wireless Access audit group identified a need to move from a very functional-based management system to that of a process-based system. This need was identified by the audit group and also via feedback from the employees assessed during functional audits. The functional audits to that point had been perceived as not giving full value to the business. Each audit identified non-conformances for each function which, in the traditional style, were logged on to an audit database and followed up on a monthly basis. The feedback received highlighted the fact that people performing individual functional tasks knew what was wrong in the process and did not need auditors to tell them this. As a result it was felt that a completely new process-based audit was needed.

The audit group, therefore, pioneered a management system review to move the business from functional to process based. This was achieved by, first, the board of directors developing a core process model and each director being assigned ownership of a core business process. This gave them responsibility for that particular process and all sub-processes associated with it. The audit group were then assigned a particular process owner to work with to aid in defining the business processes and sub-processes. This meant that each auditor would take on the role of a facilitator to take part in cross-functional meetings mapping the core and supporting processes. There was also a need to move away from the traditional paper business unit standards and work instructions. It was felt that if, for example, an employee was trained as an RF (radio frequency) engineer, then they would not need a work instruction telling them how to be an RF engineer. This put the focus on the skills required to perform and support a particular process and task associated with it, and took the focus off the work instructions. This enabled employees to identify themselves if they needed a work instruction to perform their process/task. This information was then fed into the new paperless management system. We were able to call up a particular process and either expand that process into lower levels or call up attributes held behind it which identified the process scope, the measures/metrics, the work instruction reference and its location (if applicable), who owned the process and who actually performed it, which in some cases was the same person.

This then meant that, instead of looking through reams of work instructions during the scope of an audit, we were able to confirm by a skills matrix held by the process owner that the identified employee performing the tasks had the required and necessary skills.

Redesign of the audit methodology

To support the original audit methodology we have always asked ourselves the question, "Are we doing things right?" This question supported the traditional compliance-style audit philosophy. We had to take into account employees' views of their perception of the auditors' role as being that of adding limited value to the business. We looked further than the traditional compliance question above and decided that there was a need to ask ourselves the question, "Are we doing the right things?" This allowed us to start questioning not only whether what we were doing was right but was it right for the business as a whole? We could then apply this philosophy to any process level of the business.

There were three main levels that would need to be audited, as shown in Figure 1.

The board of directors level oversees the business as a whole, the process owner level oversees the core business processes and provides inputs to the board of directors to enable them to oversee the business. The task level is the actual "doing" level which supports the core processes and hence supports the business. In doing an audit which we have titled "Audit for business improvement" we can assess how an individual task impacts on the process or on the business as a whole.

Figure 1 The three main levels to be audited

Audit for business improvement methodology

The management system is set up using a basic process model (Figure 2). In the traditional style audit, we would have been limited to auditing a particular function and the audit would be confined to the boundaries of that particular function with limited audit trail exploration of other areas. Using the model in Figure 2 we can now look at inputs and outputs of a process. This enables us to see what is coming in to "kick it off" and if it is sufficient for process needs. We then look at the outputs: what is it trying to achieve? Are the outputs sufficient for the inputs of the following process? So already we are looking across the boundaries and across functions set up within each core process. We can then look at resources, i.e. is there sufficient manpower to achieve what the process is trying to produce? Is there enough machinery, is training adequate, is further training required, etc? We can also look at the controls; by this we mean the measures pertaining to a particular process. Historically, we would have asked if there were any metrics for a particular function. If there were, then we would follow with the traditional "show me" statement. Now we can actually question the suitability of the measures. Are they telling you what you need to know? Are they designed around historical measures? In other words, is it something that has always been measured, so continues to be measured regardless? Does the measure tell you how efficient the process is? And so on.

Figure 2 - Basic process model for the management process

However, we must not lose sight of the traditional compliance aspect of the audit methodology. This is still an important part and still comprises a large part of the audit for business improvement ethos, not only for satisfying the requirements of ISO 9001 but also to give us important information. For example, by doing a traditional compliance audit at task level, we are able to identify where problems occur. This information is then used to look into the process level to see where the problem stemmed from and why it occurred.

When performing the compliance part of the audit at task level the auditors are looking to motivate the individual by portraying a non-conformance as an improvement opportunity and developing the corrective action with the person to understand the reasons why the improvement is needed. As an example of this, during a recent assessment, it was identified that a product had been segregated into passed/failed bins within the production area. The identification method for distinguishing between the two was post-it notes stuck to the bins. In the original style of assessment, we would have identified this as a non-conformance and logged it as such within the report. Instead, we approached the individual who had labelled the bins and asked her reasons for labelling them. She had identified the need to distinguish between the pass/fails, etc. We then expanded on her idea with her and prompted her to make a further improvement to ensure that the labels were permanent to avoid confusion in the event of a post-it-note falling or being knocked off. The individual in this case was pleased to have further improved her process and we as assessors felt that we had contributed some value to this. Although this is a minor example of improvements, it does highlight the route we are taking with our assessments, being that the ownership of the solution rests with the individual rather than being enforced in the form of a formal action by the auditor.

When an improvement has been identified to a process, we would then discuss this with the process owner and, if required, we as an assessment team would work with the cross-functional process teams to facilitate the implementation of the improvement. Our role as auditors has had to expand. We also have to be facilitators and have a fairly broad process and business knowledge; we need to be sufficiently aware of the individual processes and be a part of the process team – however, we do not get so close that we are unable to be objective and realistic. By the auditors being in such a position within the process team to provide objective and realistic assessments, we are also in a prime position to make positive challenges to the process. This takes us back to our question, "Are we doing the right things?" Understanding the process and its needs and requirements enables us as a group to reduce the business-wide perception of auditors adding limited value. This philosophy will show employees that we can add value to their task, process and hence the business.

Audit for business improvement findings

We as an audit/assessment team have carried out various assessments throughout our business using this methodology. For example, our assessments have highlighted a need for process efficiency measures throughout the business. We have measures in place to ascertain the ability to produce the specific outputs of a process but it was felt that we needed to look, in addition, to measures that would identify how effective an improvement was.

For example, we could make an improvement to a process which would reduce the amount of time spent on the task level by half, but we have no way of knowing at this time if that improvement will cost us twice as much to implement. In addition, this applies to the audit for business improvement process, for which efficiency measures are being identified. We find that during assessments, the participants (auditees) are more forthcoming with information as they understand what we as a group are trying to achieve, i.e. working to improve their process and the business. A need has recently been identified for further training throughout the business to address process management issues. Employees, although aware of process methodologies, are not fully aware of the role of process owners and process boundaries and we have found in some cases that, where an employee has identified an improvement to their process/task, they have taken this to their first-line managers as opposed to the process owner. It was also apparent that funding/budgetary requirements were still being allocated in a functional way rather than in a process format. Budget is an important factor for audit for business improvement. We as a group may identify an improvement opportunity to a process owner, but if they have not budgeted for time and resources to implement that improvement it will remain in a theoretical format only, and again the audit group as a whole will run the risk of losing any credibility for improvement implementation.

Audit reporting

The audit report format is vital in the success of the audit for business improvement and any improvements associated with it. Because of the history that auditing and auditors have, the audit for business improvement report needs to be very different from that previously used. We as a business use a format which does not list non-conformances as we have previously done but instead we take information from the task level compliance audit and base the identified improvement opportunities around this to enable positives to be recorded rather than a predominantly negative report which the traditional compliance reports used to be.

We now have a report format which is "reader friendly" and gives the process owner and associated team members positive feedback and potential improvements that are in support of their needs and requirements as a process team. The report, which we now title "Business process development report" as opposed to "Audit report", details a summary of the assessment highlighting areas where the process performed well. We then detail process improvements under this heading. This identifies areas where we feel, following discussions with the process teams, etc., an effective improvement could be implemented. We then suggest a completion/implementation date and the process owner signs to accept these improvements. This then gets logged on to our database and our audit co-ordinator assigns a member of our team to facilitate the implementation of the improvement.

Developing the audit methodology ISO 9001

During the management system review and the development of the revised audit methodology we as a business have worked very closely with the BSI. We have held discussions with it throughout the management system review to ensure that it is continuously updated and made aware of the aims we as a business are striving to achieve. It has been a key part in the development of our businesses audit philosophy. So much so that BSI is now piloting the process-based audit methodology using the loop shown in Figure 3 which is based around the Shewhart plan, do, check, act loop.

The loop in Figure 3, which was developed by the BSI, can be applied to any level of the business. As can be seen it addresses many of the elements of ISO 9001 and hence supports that philosophy while also covering the process audit requirements.

Figure 3 - The Deming Cycle applied to ISO 9000

If we start with "process control", you could input any process name in this area – for the purposes of this example, we will replace "process control" with "manufacturing". If we then follow this around the loop the next part is "inspection and testing". Using the results from this inspection and test, you can confirm the customer requirements and hence link back to the original customer needs. From this you could then have the option either to hold a "contract review" or to look at the "design" of your process, again asking yourself if it is providing what is right for the business. This then links back into your process, which we have called "manufacturing". This loop can be cycled through as many times as is needed to get the process right to satisfy the customer requirements and needs, although for the purpose of an audit for business improvement we would go around this loop only once.

Moving on from this loop, out of "inspection and testing" you would have "quality records". For this section, we as assessors would look at basic compliance style issues, i.e. are the records easily retrievable, are they stored satisfactorily, are they legible, etc? and also this would give us the opportunity to question whether these records are telling us what we need to know for the process to be effective. We would then look at how these records were being analysed under the "statistical techniques" element, again doing compliance aspects in addition to questioning the techniques used. From the analysis we could then move to the element of "management review" from which we would expect to see evidence of a "preventive" and "corrective" action plan if an area of non-conformance/improvement had been identified by the review. This may then lead to requirements for further "training" or again go back to a contract review or an improvement to the design and hence back around the loop. If at the management review stage no non-conformance/improvement opportunities had been identified, you could end the assessment or move to any other element of the loop to confirm this.

Process management

The loop in Figure 3 has been further developed to fully identify the TQM improvement philosophy. This can be seen in Figure 4. The philosophy of the loop in Figure 3 can be extended to include the business drivers as shown in Figure 4.

Figure 4 - The Deming Cycle applied to the TQM process

The policy and strategy of the business is derived from stakeholder needs and requirements. By adding stakeholder needs you are able to verify that the business is indeed supporting the mission.

Conclusion

This audit methodology has been in place for approximately one year and has provided some very useful process improvements which support the requirements and needs of our internal customers. In the spirit of continuous improvement, we are now looking to further improve this process to link the assessment results and improvements to the needs and requirements of our external customers as identified in our quarterly customer satisfaction surveys.

Claire L. WhartonNortel plc, Paignton, UK

Action points

  • Quality management was meant to avoid old, prescriptive work methods. The audit should not be bureaucratic or rigid, either.

  • Operators already know what is wrong. The audit should be run on a new basis.

  • Focus on enabling, not instructing.

  • Involve operators and team leaders at every stage of the audit. Do not draw conclusions in isolation, then present them.

  • Quality management processes make a good basis for audit procedure.

Related articles