Auditing in an Electronic Age
Altering your approach to internal audits can take the value of auditing to the next level.
One of the requirements for management system standards is that internal audits be conducted of the processes of the management system. Internal auditors might find, when planning how they will audit a process, that there appears to be less to look at than in the past. It might also seem that audits can be completed more quickly than in the past because information is so readily available.
For comparison purposes, in the beginning when audits were conducted of the management system, it typically would take longer than audits conducted today simply due to the amount of time it would take to retrieve documented information. For example, in the past an auditor would ask to see a copy of the design review for a specific design project, and the search would begin. The project engineer might look in a series of binders, or in later years, on their computer drive. However, the computer drive was usually not organized in any structure and the amount of time to find the design review documented information was not reduced.
In today’s auditing environment, most organizations would have an online tool that organizes documented information for engineering projects. This might be a SharePoint site or a software program that has been purchased for the purpose of storing documented information related to design projects.
When documented information is easier to locate and retrieve, the auditor has more time to focus on other areas of the management system. It is also important to realize that when documented information is delivered through automation or electronically, the focus of the audit should be not only on the information that is being retrieved but also on how the information is controlled and protected in the automation tool.
As an auditor, it is important that you consider the potential areas of automation where data should be verified, specific to your organization based upon the system you develop. Auditors should take their sample to a more granular level and look not only at the data a person in the organization is using, but also at how the data was determined and the controls in place to ensure it is correct.
The following provides two examples of how to audit in the electronic age. One approach demonstrates a method to sample data that is entered into a system. The other approach provides examples of how to audit the control and protection of electronic documented information.
Purchasing: In today’s organization, frequently information provided to the buyer is delivered through an enterprise resource planning (ERP) system. For the manufacturing organization, the buyer reviews a demand list that is created through a series of queries and the buyer places purchase orders based on this demand list. Because product information is loaded into the ERP system and typically the buyer does not verify any information such as the correct version of the drawing when placing the order, it is important to adjust the audit approach.
The focus on a different approach to auditing is not to drive the buyer to have to validate the product information, but for the auditor to sample the process in a different manner in order to add value. When auditing the purchasing process, the auditor should record the part number and the drawing version that the part or raw material is being purchased against.
The auditor should then go to the engineering process and confirm that the current version of the part or raw material is the one that is being purchased by the buyer. The versions should match. By conducting the audit sample in this manner, you can verify that the buyer is purchasing the correct part and that the engineering change / release process is effective.
The auditor should also confirm that there is a method for how the buyer provides the correct version of any drawings to the supplier. In some cases, buyers might communicate with suppliers via informal methods such as email or telephone. For that reason, the auditor should confirm purchasing information includes the version of drawings for parts that are being purchased and that the receiving process verifies what is received against the purchase order.
Using this method for conducting audits will not only help ensure that requirements are being met, it will also help determine whether the data that buyers are using is correct, thereby validating that the data provided through automation is correct.
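The purchasing sample described above can be reconciled mechanically once both sides are exported. The following is an added example, not part of the original article: the CSV column names, part numbers and revisions are constructed, and the exports are assumed to come from the ERP system and the engineering release records.

```python
import csv
import io

# Constructed sample data (not from a real ERP or engineering system).
PO_SAMPLE = """po_number,part_number,drawing_rev
PO-1001,BRKT-200,C
PO-1002,SHFT-310,rev b
PO-1003,HSG-450,
PO-1004,GSKT-120,A
PO-1005,PIN-077,D
"""

ENGINEERING_RELEASED = """part_number,released_rev
BRKT-200,C
SHFT-310,B
HSG-450,E
GSKT-120,B
"""

def normalize_rev(rev):
    """Treat 'rev b', 'B ' and 'B' as the same revision."""
    rev = rev.strip().upper()
    if rev.startswith("REV"):
        rev = rev[3:].lstrip(" .")
    return rev

def audit_po_revisions(po_csv, eng_csv):
    """Return (po_number, part_number, finding) for every sampled PO line."""
    released = {r["part_number"]: normalize_rev(r["released_rev"])
                for r in csv.DictReader(io.StringIO(eng_csv))}
    results = []
    for row in csv.DictReader(io.StringIO(po_csv)):
        part, po_rev = row["part_number"], normalize_rev(row["drawing_rev"])
        if part not in released:
            finding = "part has no released drawing in engineering"
        elif not po_rev:
            finding = "purchase order does not state a drawing version"
        elif po_rev != released[part]:
            finding = f"PO at rev {po_rev}, engineering released rev {released[part]}"
        else:
            finding = "match"
        results.append((row["po_number"], part, finding))
    return results

if __name__ == "__main__":
    for po, part, finding in audit_po_revisions(PO_SAMPLE, ENGINEERING_RELEASED):
        print(f"{po}  {part:<9} {finding}")
```

A mismatch points at the engineering change / release process or the ERP load, not at the buyer, which is the distinction the audit sample is meant to surface.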
Protection of Documented Information: Prior to the use of computers, hard drives, and the cloud to store and protect documented information, most organizations used hard copy documents and evidence to provide objective evidence of a requirement being met. With the transition to most documented information being provided in electronic format, the methods of protection have changed.
In the past, an auditor would have verified that there was an approval to a documented procedure. This was frequently in the form of a signature or a change request form. Protection of records was frequently in the form of locked cabinets or a storage area.
In today’s environment, documented information that requires some type of revision (e.g., procedures, work instructions, forms, drawings) typically has some type of workflow. Auditors should consider this workflow and review it to ensure the appropriate person(s) is approving the document. When workflow is not used and the organization uses more of a drive storage method, the auditor should ensure that the documents are read only and only authorized person(s) are able to revise the document.
With the transition to electronic documented information, it is important to modify the methods of how this information is audited. This can be done by having a person who is not authorized attempt to change the document. At times, organizations use SharePoint to store the documents. Auditors should also ensure that documents delivered in this format cannot be modified. This is especially critical for documented information that is used to demonstrate fulfillment of a requirement (e.g. record) since records are not to be revised either intentionally or unintentionally. This is because records can be corrected but not modified.
The other area of focus for protection of documented information is the backup of documented information stored electronically. There are various methods to back up documented information. Organizations use methods such as local backup, a service that conducts the backup, or backups conducted by a corporate headquarters that has responsibility for the servers.
The internal auditor should interview the information technology professional and establish what method the organization uses to conduct its backups. Based on this interview, the audit sample can be established. If the organization indicates that they conduct all backups on site, the frequency for these backups should be determined. The auditor should then confirm that the backups are being conducted as planned. There should also be a review of how off-site storage is maintained and the results of contingency actions that have been taken to ensure that the restore process works in case data were to be lost.
When backups are being provided by a supplier, the auditor should have the information technology professional provide evidence through available reports that backups are being conducted. This can be done through email reports or review of online tools. Because the supplier of the information technology back-up services has an effect on the conformity of product requirements, the auditor should confirm that this supplier is on the approved supplier list.
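Whether the backup report comes from a local job or from a supplier, the auditor's check is the same: compare successful runs against the planned frequency and look for evidence that a restore was exercised. The following is an added example, not part of the original article; the report line format, job name, dates, the two-hour tolerance and the 90-day restore-test interval are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed backup report lines (assumed format: timestamp, job, status).
BACKUP_REPORT = """2024-03-01T01:00 fileserver-docs SUCCESS
2024-03-02T01:00 fileserver-docs SUCCESS
2024-03-03T01:00 fileserver-docs FAILED
2024-03-04T01:00 fileserver-docs SUCCESS
2024-03-07T01:00 fileserver-docs SUCCESS
2024-03-08T01:00 fileserver-docs SUCCESS
"""
# Constructed record of dates on which a restore was actually tested.
RESTORE_TESTS = ["2023-11-15"]

def parse_report(text):
    """Return sorted timestamps of successful backups only."""
    ok = []
    for line in text.splitlines():
        stamp, _job, status = line.split()
        if status == "SUCCESS":
            ok.append(datetime.fromisoformat(stamp))
    return sorted(ok)

def find_gaps(successes, planned_interval, tolerance=timedelta(hours=2)):
    """Return (previous, next) pairs of successful backups that are
    further apart than the planned interval plus a tolerance."""
    return [(a, b) for a, b in zip(successes, successes[1:])
            if b - a > planned_interval + tolerance]

def restore_test_overdue(restore_dates, as_of, max_age):
    """True when no restore test exists within max_age of the audit date."""
    dates = [datetime.fromisoformat(d) for d in restore_dates]
    return not dates or as_of - max(dates) > max_age

if __name__ == "__main__":
    runs = parse_report(BACKUP_REPORT)
    for prev, nxt in find_gaps(runs, timedelta(days=1)):
        print(f"no successful backup between {prev:%Y-%m-%d} and {nxt:%Y-%m-%d}")
    if restore_test_overdue(RESTORE_TESTS, datetime(2024, 3, 8), timedelta(days=90)):
        print("no restore test on record within the last 90 days")
```

A failed job and a job that never ran both show up as a gap between successes, so the auditor does not depend on the report listing its own failures.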
Backups that are conducted by a corporate office can be more challenging to verify. While an organization may indicate they have no responsibilities, this process should be treated as an externally provided process. When an organization has a process provided by an external provider, even a corporate headquarters, it cannot exclude the requirement. Internal auditors should verify that backups are being conducted. Since most likely internal auditors for the organization will not be provided access to these persons at the corporate level, it is reasonable to ask that the procedure for backups be provided. By knowing that a process has been established, the organization can confirm that necessary controls are in place.
The organization can also verify if the corporate headquarters has conducted a backup or restore for local data at the organization to determine if the process is effective.
Altering the approach to how your organization conducts internal audits to include controls and protection of electronic documented information can take the value of auditing to the next level. It also increases the level of readiness for your organization as external auditors also begin to take this more in-depth approach.