Process audit checklist. Internal audit of qms. What it is

Roman Isaev

Organizational Development and Process Management Expert

Partner of the Group Modern technologies management "

Head of organizational and corporate development projects

Professional Business Coach and Business Studio Specialist

The final article of the cycle devoted to the functioning of the quality management system (QMS) in commercial bank(for the beginning see: MMK, 2010, No. 11-12 " Typical system quality management of a commercial bank and its architecture ”, part 1 and part 2). In a series of articles this cycle the processes (stages) of the QMS development are considered in detail: planning and building the QMS (see: ММК, 2011, No. 1), management of each QMS process (see: ММК, 2011, No. 2), internal audit of the QMS, analysis of the QMS by the management bank, as well as practical examples and recommendations from the experience of various banks. The author demonstrates how to ensure the stable and effective functioning of the QMS in the bank over a long period of time.

Internal audit of the bank's QMS

Audit- a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively in order to determine the extent to which the audit criteria are being met.

The object of the audit can be: QMS (upper level), process, department, Information system and etc.

A model of this process is shown in Scheme 1.

Scheme 1. Internal audit of the QMS

When conducting an internal audit of a bank's QMS, it is recommended to use the ISO 19011 “Guidelines for the audit of quality management systems and / or environmental management systems”.

The templates of documents that are necessary for the audit of the bank's QMS and audit of the bank's processes are given in.

see diagrams 2 and 3, MMK, 2011, No. 1, p. 6-7), then the internal audit of the QMS includes two corresponding stages, as well as the general stage "Preparing for the audit":

Preparing for the audit. Contractor: quality service;
Internal audit of the QMS (top level). Contractor: quality service;
Process audit. Executor: process team.

Let's consider these stages in more detail.

1. Preparing for the audit

Assumes the following procedures and actions.

Development, coordination and approval of the internal audit program. This document contains a list of all types of audits with names (for the next year). For each audit, the following is indicated: a list of audit objects, full name. the head of the audit, the timing of the audit.

Formation and training (if necessary) of a group of internal auditors of the bank. In parallel with the development of the audit program, the need for auditors is determined, a group of auditors is formed and trained (if necessary), auditors are appointed for each process team, auditors are appointed to audit the top-level QMS, and the chief auditor is approved.

Preparation and publication of an order for conducting internal audits. The bank's order approves the audit program, the composition of the group of auditors and their duties, the duties of the members of the process teams, heads of departments and bank employees during audits.

Preparation of teaching materials on internal audit.

Development of a single checklist for auditing the process.
A checklist is a table that is used by the auditor to check that established requirements are met. A fragment of the checklist (three columns of the table) for auditing the process is given in table. 1.

The checklist consists of six columns:

Line number;
Checked requirement;
Clarifying questions (if necessary);
A method for assessing the fulfillment of a requirement (study of documentation, observation, survey, etc.);
Compliance / non-compliance mark;
Audit evidence (auditor's record and comments).

Table 1. Checklist for process audit (fragment)

A single process audit checklist is necessary so that all process teams and auditors conduct process audits for the same requirements.

2. Audit of the QMS (top level)

Consists of the following procedures and actions.

Development of a checklist and plan for the audit of the QMS (top level). A sample checklist (fragment) for the audit of the QMS (top level) is presented in table. 2.

Table 2. Checklist for internal audit of the QMS (top level)

It lists General requirements to the components of the QMS (top level). These requirements should be detailed and supplemented with requirements ISO standard 9001 (one might say, with quotes from this standard) and the bank's own requirements.

For example, the requirement “1.1. The list (completeness) of the documentation - compliance with the requirements of ISO 9001 ”is detailed to the requirements of Sec. 4.2 of ISO 9001 "Requirements for Documentation", which specifies the composition of the required documentation:

“The quality management system documentation should include:

Documented statements of quality policy and objectives;
Quality quide…" .

Based on the checklist, a QMS audit plan is developed.

The audit plan has five columns:

Line number;
Checklist number or section (group of checked requirements) of the checklist;
FULL NAME. auditor;
Date and time of check;
FULL NAME. and the position of the person in charge of the process team members / process executors.

The auditor chooses the requirements from the checklist and prescribes in the plan when, how and with the help of whom he will check them.

For example, to check the requirement “1.2. The relevance of the documentation ”the auditor schedules several interviews with the bank employees responsible for these documents, and writes it down in the plan.

Conducting an audit of the QMS (top level) according to the plan and filling out the checklist. The auditor evaluates the fulfillment of each requirement from the checklist using the selected assessment method (interviews the bank employees, examines the documentation, monitors the bank's activities). Then he puts a mark on conformity / non-conformity and indicates the evidence that confirms this.

Preparation of a report on the results of the internal audit of the QMS (top level). The report on the results of the internal audit of the QMS combines all completed checklists in the order of the requirements. The total number of identified inconsistencies, conclusions and conclusions are indicated.

Development of corrective and preventive actions based on audit results.

Implementation of prompt corrective and preventive actions.
The most urgent and important actions are performed immediately after development. Actions requiring the involvement of significant labor and financial resources, are performed during the next period of the QMS functioning.

3. Process audit

The rules for auditing the process are similar to the rules for auditing the QMS (top level), only the process becomes the object of the audit. Therefore, we will provide a list of procedures and actions without additional comments.

In order for the process audit to be performed by the process team in a methodically correct and effective manner, it must include a qualified auditor from the quality department.

So, the process team during the audit:

Get acquainted with the documentation on internal audit;
Develops a process audit plan;
Audits the process according to the plan and fills out the checklist;
Prepares a report on the results of the process audit and submits it to the quality service;
Develops corrective and preventive actions based on audit results;
Carries out prompt corrective and preventive actions.

For example, in one bank there was a completely normal and cost-effective “Payroll Projects” process. However, the audit revealed many inconsistencies. Some of them were not even known to the owner and functional managers of the process. Eliminating inconsistencies doubled the performance and quality of the process.

Receiving and aggregating reports on process audits from process teams. Reports on the results of all audits should be collected together for further work with them.

Analysis of the QMS by the bank's management

The model of the sub-process "Analysis of the quality management system by the bank's management" is shown in diagram 2.

Scheme 2. Analysis of the QMS by the bank's management

The process is launched according to the frequency established in the bank (at least twice a year) or by decision of the bank's management. The director for quality is in charge of the collection and preparation of information for the analysis of the QMS, the development of plans for improving the QMS. The responsible executor of work in the framework of the preparation of the QMS analysis is the head of the QMS department. Responsible for the process of analyzing the QMS within the processes - process teams (process owner).

Since the architecture of the QMS consists of two levels (see diagrams 2 and 3, MMK, 2011, No. 1, pp. 6-7), the analysis of the QMS by the management has two components:

Preparation by process teams and analysis by management (process and quality committee) of summary reports on all QMS processes;
Preparation by the quality service and analysis by the management (process and quality committee) of reports on the upper level of the QMS.

Note that the analysis of the QMS by the bank's management, as well as the internal audit of the QMS of the bank, is recommended to be carried out using software products of the Business Modeling class (for example, Business Studio). They allow you to store all information and documents on the QMS, integrate (establish and maintain relationships) with other components of the QMS (processes, departments, goals and indicators, projects), automatically generate QMS documents that are obtained at the outputs of processes (reports, protocols, records, etc. etc.).

More detailed information on the use of these software products in the performance of all processes / stages of the bank's QMS operation is presented in.
The process consists of the following procedures and activities.

Sending information and requests to process teams. Process teams should conduct an analysis and audit of their processes, prepare and submit to the quality service a summary report on the process. Process commands may be prompted for Additional Information by a process that is not included in the summary report.

Receiving, checking and aggregating summary reports on processes from process teams. All reports should be reviewed and then consolidated into a single process report.

Preparation and aggregation of reports on the upper level of the QMS include reports:

Based on the results of the internal audit of the QMS;
On the implementation of corrective / preventive actions for the upper level of the QMS;
Analysis of customer complaints (summary);
On the implementation of the plan for the development, updating and improvement of the QMS;
On the implementation of actions approved by the results of the previous analysis of the QMS by the management;
According to the analysis of factors of external and internal environment, changes significantly affecting the bank's QMS.

For more information on these reports, as well as their samples, see.

Development of a report on the functioning and effectiveness of the QMS. This report includes, as annexes, reports on the upper level of the QMS, summary reports on processes. It should contain conclusions and conclusions on the functioning and effectiveness of the QMS (each component) over the past period.

Development of corrective and preventive actions. Corrective and preventive actions are developed by the quality service both for process teams and for the upper level of the QMS.

Preliminary study of the report, plans, preparation of comments and suggestions. The bank's management (process and quality committee) must familiarize themselves with all documents and submit their comments and suggestions to the quality service.

Collection and processing of comments and suggestions from members of the process and quality committee

Organization of the committee, submission of the final version of the report and plans to the committee meeting(performed by the quality service).

Preparation, presentation of the report and presentation of the report. The Quality Director at a meeting of the Processes and Quality Committee makes a report on the functioning and effectiveness of the QMS over the past period, makes presentations of prepared reports and plans.

Discussion and approval of the report, plans and decisions. When discussing the report and plans at a meeting of the process and quality committee, the necessary adjustments and additions are recorded for them. On the basis of reports and plans, the committee should evaluate the effectiveness and quality of each component of the QMS (in accordance with the architecture - see schemes 2 and 3, MMK, 2011, No. 1, pp. 6-7). There may be the following solutions / assessments:

Fine. All planned results have been achieved. There were no glitches, errors, inconsistencies. The component does not require improvement or corrective action;
Satisfactorily. Not all planned results have been achieved. There were minor glitches, errors, inconsistencies. Some improvements and corrective actions are required;
Unsatisfactory. The planned results have not been achieved. There were significant glitches, errors, inconsistencies. Significant changes are required.

In the course of the meeting, a protocol of the analysis of the quality management system by the management is drawn up, which indicates decision for each document / component of the QMS considered by the committee.

Adjustment and approval of plans based on the results of the analysis of the QMS by the management(performed by the quality service).

For example, in one bank, after studying all the reports of the QMS, the management remained so quite transparent and efficient in its activities that it allocated the quality service three separate spacious offices equipped with the latest technology, next to the office of the bank's chairman of the board.

Conclusion

So, the secret of the stable and effective functioning of the bank's QMS for a long time lies in strict adherence to the processes and procedures described in this work, as well as in the use of standard and best practices in the field of quality management (for example, a typical bank quality management system).
Thus, the bank's QMS will be ready for repeated successful certification and will be able to constantly bring the bank both financial (increased profits, reduced costs for poor-quality processes) and non-financial effects (increased reputation, customer loyalty).

List of used literature

ISO 9000: 2005. Quality management systems. Fundamentals and vocabulary
Typical quality management system of a commercial bank (as part of a comprehensive standard business model of a commercial bank)
ISO 9001: 2008. Quality management systems. Requirements
Isaev R. A. Business engineering and management in a commercial bank. - M .: GOLOS-PRESS, 2009 .-- 318 p .: ill.

A creative, attentive and serious attitude to work is an important component modern business... However, creativity has always been closely associated with the unforeseen expenditure of working time, uncertainty in the assessment of labor, the need to clarify the cost of work performed.

There are a large number of tasks that do not require high qualifications and can be solved by precise and high-quality execution of a sequence of simple actions. A checklist is just such a solution to the problem.

Scope of the idea

The sequence of simple operations is applicable both for solving important tasks that are performed by qualified specialists, and for other tasks that an ordinary worker, student or schoolchild can handle.

A checklist is a sample of the correct one written in the form of a sequence of the most simple, most accurate and concise, but complete actions that need to be performed, for example, in order to:

the plane took off;
go to the store and buy what mom asked;
build a business;
achieve some goal;
check or do something for something.

The conveyor once revolutionized the industry, and it turned out to be useful in the production of not only simple parts, but also complex machines, mechanisms, food, sporting goods, clothing, footwear.

Ideally, when the checklist is a dozen of the minimum necessary, simple actions:

an ideal simple action is a simple, unconditional instruction to do something;
the perfect indication does not create options, but the next action is performed strictly in turn;
no random movements, everything is done strictly according to the plan and according to the content of each item on the sheet.

The goal (task) can be great, and not every solution can fit on one sheet. However, nothing prevents you from compiling several checklists, which are executed sequentially by different workers at certain intervals.

Planning a solution to the problem

Planning is an important part of any business. A checklist is also a plan, and not just a solution to a problem. You can draw up an action plan in case of an unforeseen situation, a plan of behavior in case of an accident or natural disaster, the daily routine in a children's recreation camp. The schedule of classes at an institute or school is also a test product for "simple intelligence", since there are conditions in this kind of checklist. For example, odd or even days, weeks.

Man always planned everything he did, but he did it unconsciously. The emergence of the concept of "check-list" is an example of how the ordinary and habitual unconscious is within the competence of the conscious, acquires a new meaning and a radically new quality.

The term itself is relatively young, but the history of its idea and its application goes back hundreds of years. Most likely, the first papyri with the regulation of the sequence of simple actions were used in ancient times, otherwise it is difficult to explain the moments of the flourishing of ancient civilizations, as well as the reasons for their fall.

Sample: FTP daemon installation checklist

This is a pattern written once and used for many years. Nothing here is beautifully designed, written in a unixoid style, but practical.

Generally speaking, such checklists are born as a result of lengthy administration performed by the system administrator. As a rule, two or three years later, after hundreds of installations, the administrator writes such a memo to himself and his colleagues. This is a real checklist: ugly but practical.

A sample of a beautiful impractical checklist

Everything is written correctly here, but this is not a checklist. In particular, the "Logo" is primarily the verbs:

create;
how to create;
what to consider;
what to discard.

There should be several recommendations behind each such verb.

Appealing to a slogan is reasonable, but creating a slogan is creativity, and checking it is a long practice (on a real live Internet with a massive influx of visitors), neither one nor the other is related to the checklist.

And so on for each item.

Really "flying" checklist (fragment) for the Boeing 737

This is how the checklist should be drawn up. The phrase is a simple answer. That is, a simple action and a simple result.

This is only a fragment of a document, and written in English language, but in this particular case, not the language is important, but the accuracy of the declaration of the action and the verification of the result of its execution.

Test Applications

Practical applications of a clear action plan:

sports;
Accounting;
checking the products of the enterprise;
company audit;
investigative measures;
spaceship launch, etc.

Almost any area of human life and activity can be defined by an assortment of various small plans: checklist # 1, # 2, # 3, etc.

Strict regulation of actions is of particular importance in critical areas of activity, for example, in preparing a surgeon for an operation, when medical personnel, all participating doctors and nurses - each within their competence - performs a strictly regulated list of actions. Usually everything is done "automatically", but professional ethics requires all actions to be performed "on a piece of paper."

A checklist is an indispensable document for certification and regulation of the production and testing of food products, children's goods, checking the operation of machines and mechanisms.

Internet technologies and simple operations

Any surgical intervention requires a highly qualified surgeon. But it also requires the proper execution of simple operations. In particular, all instruments on the operating table must lie strictly in certain places, the patient must be prepared for the operation not only physiologically, but also morally.

A checklist (an example of a sequence of actions) is not a program, not an algorithm, and it is difficult to attribute it to programming in the direct sense of the word, but Internet technologies have led to the need to create and perform many routine, but very important operations.

Creation of a web resource requires at least a triplet of Apache, PHP and MySQL or its equivalent based on another server, another interpreter and database. The installation of this trinity is the minimum required clear sequence of actions.

A mistake here is fraught with the impossibility of working at all. Modern Internet programming is characterized by the fact that the algorithms of the server, the interpreter and the browser programming language "do not think", but if they "do not understand" something, then they definitely "do not do"!

Error logging is necessarily declared, but often logging is not sufficient to locate the problem.

Internet Programming: Simple Solutions to Complex Problems

A checklist is a solution to a problem. The practice of Internet programming in JavaScript and PHP, in particular, with an object-oriented style of writing, allows only two options for solving the problem:

Professional intuition.
Test case.

There is no third. Testing tools in programming have been very developed for a long time. There are also many additional tools for checking code, and developers of programming languages devote a lot of time and effort to creating tools for debugging and finding errors.

But to determine in what place, at what level, in which particular subsystem of objects common system an opportunity happened, maybe only the creator (author) of the code, or an advanced test case, to the creation of which an experienced master had a hand.

The ideal solution is to make a checklist at the code level, when not a person, but the object created by him, takes care of the execution of its own functionality, and also controls its state and its relations with other objects.

Internet promotion, SEO

Since the Internet became available to the mass visitor (and the topic "checklist as a test product" has always been available to the masses), a stream of monotonous ideas has poured into the field of SEO. Absolutely trivial sequences were offered, and completely real money was squeezed out of gullible buyers on empty and groundless grounds.

technical component;
internal idealization of content;
semantic content of the core of the resource;
content: how it is and how it should be;
commercial moment, resource monetization;
external circumstances;
region of promotion;
a behavioral moment in the image of a visitor, etc.

But the buzz words were about money. Gullible buyers, paying for the "work" of the authors of the checklists, stimulated the production of such products, which is not good at all. But this process led to the fact that the topic of promotion expanded to the maximum possible limit and created conditions for the generalization of information.

Reproduction in the field of information is a natural process, and today anyone who wishes gets a real promotion of their own resource in any way:

minimum costs through its own potential;
maximum costs through a qualified craftsman.

The checklist today is real and effective tool achieving the desired in its formal part and absolutely complete freedom in the creative moment of the achieved goal.

Virtual space of simple ideas

The material component in life, at work, in the socio-economic sphere as a whole has gained stability. The foundations for successfully achieving what he wanted became apparent. The checklist is an example of how the creative component has gone into the virtual space.

The level of qualification of consumers and authors of ideas has moved to a new quality. This nullified the position and led to the formation of a range of new tasks and the need for new solutions. The world again became more perfect, and again a new quality was due to a simple and natural step forward.

Remember, we have highlighted two parts of the ISO 9001: 2015 requirements for internal audits. We just talked about the first part just now. It will be more difficult to verify the practical implementation of the remaining provisions of ISO 9001 at the enterprise. However, this task is within the reach of anyone. Depends on the specifics of the particular process being checked, of course. As you know, many companies use Key Performance Indicators (KPI - Ed.) To assess their performance, including when they achieve compliance with ISO 9001: 2015. by measuring a specific indicator of which one can confidently draw conclusions about the state of the process.

I say this to the fact that if your KPIs are implemented and supported by the process owners, then the assessment of the effectiveness of the QMS based on the existing KPIs can be included as one of the elements of the internal audit checklist. If KPIs are not included in the practice of the audited company, then it would be good to include in the checklist a question for the owner of the process: how he determines for himself that his process is effective. Finding this out will help you get more out of your internal audit process.

For more information on key indicators activities, visit the page "".

Control accounting, as well as other areas economic activity should be carried out in all commercial enterprises without exception.

In this case, one should remember about a large number of the most different features similar procedures. They must be ordered, follow each other in a certain order.

Since this is one of the reasons for the absence of problems of all sorts during inspections by regulatory authorities.

A special checklist allows you to significantly simplify this kind of work. Its importance is difficult to overestimate. There are many variations on the format of such a document.

If possible, it is necessary to familiarize yourself in advance with its properties, the nuances of its compilation. This will avoid many complications in the future.

General information

This document contains the most detailed information about the list of questions on the audit. The sheet in question does not have a format established by law.

But at the same time, it is imperative to follow certain rules when forming it. This will reduce the likelihood of complications during the process.

Before proceeding with the preparation of such a sheet, it is necessary to consider the following questions:

what it is?
purpose of the document;
legal framework.

What it is?

The checklist itself is a special document that allows you to simultaneously solve a fairly large number of different tasks.

The document can be used by various institutions, regulatory organizations and officials. It is only important to remember about the legal norms that take place in the case of drawing up a document of this type.

The document itself reflects the following issues:

The use of such documents has both advantages and disadvantages. The main disadvantages include the following:

List of issues identified in the document	May be overly narrow, resulting in insufficient full-scale verification
The checklist can in some cases be constraining	A limiting factor for the auditor - he simply will not go beyond the questions posed
The document cannot replace	Standard audit plan
An inexperienced auditor may have some difficulties	With an understanding of the questions formulated in the sheet, he simply cannot clearly and clearly explain what exactly he is looking for in a particular case
The document should be prepared as well as possible	Duplicate questions can lead to serious confusion

In most cases, both the advantages and disadvantages of a document depend on many different kinds of factors.

First of all, this applies to the following points:

The checklist is a universal tool for the implementation of tasks related to the audit and some other procedures that must be regularly carried out in the enterprise.

The following may include such documents:

Purpose of the document

Users of this type of document today can be:

This sheet allows you to simultaneously or sequentially solve the following list of tasks:

correctly, in accordance with legislative norms, plan the conduct of the audit itself;
carry out selective control, carry out the most efficient planning of all your time;
allows you to avoid missing any important stages of the audit;
used as a means of memory;
greatly simplifies the conduct of the audit itself;
the audit is carried out in a structured, holistic manner;
with the help of the checklist, it will be possible to carry out communication between various institutions, as well as the employees conducting the check.

Also, such documents are often used to solve other problems. It is worthwhile to familiarize yourself in advance with all the main properties of such documents. This will make it possible to avoid a large number of very different difficulties.

Legal framework

The main legislative act, in accordance with which a document of this type should be drawn up, is.

This regulatory document includes the following main sections:

	Auditing activities
	List of main NAPs that also regulate this kind of activity
	What is an audit organization
	What is meant by the term "auditor"
	What does a statutory audit mean?
	Audit report
	List of basic rules, standards of actions carried out by auditors
	Denotes the complete independence of various audit organizations
	Auditor secrecy
	How is the quality control of the inspection carried out?
	Auditor qualification certificate
	The procedure, as well as the grounds for canceling the auditor's certificate
	Carrying out state control in the considered area of activity of the enterprise

If possible, you should carefully familiarize yourself with all the nuances of the legislation governing audit activity. Since it is these regulatory documents that must be followed without fail.

An example of filling out a checklist for internal audit

The process of drawing up the type of sheet under consideration is quite simple, but it has its own nuances. It will be possible to significantly simplify this kind of procedure by considering an example of a QMS internal audit checklist.

The compilation process itself can be carried out in various ways. First of all, you will need to consider the following fundamental questions:

where to get the form;
the order of filling;
completed sample.

Where to get the form

The Excel example for internal audit can be easily downloaded from the Internet. Whenever possible, use only well-established and proven resources.

Today there are quite a large number of private institutions involved in auditing. Free of charge, in the form of consultation, such enterprises can provide a sample of this document. Or for a fee.

Filling procedure

The procedure for filling out the audit itself is not reflected in the legislation. But it is necessary, if possible, to adhere to the following algorithm:

Usually, Excel worksheet is used as the main format. The reason for this is the ease of compilation as well as printing. Quite often, checklists are needed in paper format.

If necessary electronic document can be sent over the Internet without difficulty. It should be remembered about some important nuances of the formation of this kind of sheet.

Completed sample

The only sure way to avoid the emergence of various kinds of difficulties when drawing up such a document is to use the already completed sample.

Thus, it will also be possible to significantly speed up the procedure for carrying out such procedures. This is especially true of the part of the compilation of questions. Often, it is at this stage that all kinds of difficulties arise.