Audit Management Best Practices

Catching risks and mitigating them before something goes wrong is always preferable to reacting to an incident. A robust audit program can help your organization be proactive and continually improve.

What gets measured is what is important to your organization. Whether it's for ISO, process safety management, risk management, OHSAS or equivalent, the audit element is essential to making sure you are keeping your eye on the ball.

This article focuses on compliance audits which are one of the continuous improvement aspects of the PSM standard. Like incident investigation, it is intended that you leverage them for learning and improvement. In the case of incidents, you are intended to learn from unwanted events and create corrective action. In the case of audits, you need to learn from identifying system weaknesses before something goes wrong and take preventive action.

3b

Who Should Be Part Of The Audit Team?

The most important characteristic of an auditor is curiosity. Other important characteristics include experience with your industry, chemical processing experience, maintenance background, being detail-oriented, and having the heart of a servant. After all, they are looking for weaknesses in your management systems that might result in someone getting hurt or worse.

New standards like BSSE’s Safety and Environmental Management Systems (SEMS) require an independent third party (I3P) to audit your operations. This is an essential element to a best practice audit management system. Companies need industry perspective and it is hard to audit yourself in terms of industry best practice.

On the other hand, internal auditors will sometimes go much deeper on an audit because they have deep understanding of the operations. No outsider can do that. Therefore, having a mix of internal and external domain experts conduct your audits is the best approach.


Audit Management Nitty-Gritty

A best practice audit management system begins with an understanding of the requirements. The entire corporation and future audits should use the same set of questions for repeatability and ensure that there is a minimum depth of observation. Once you decide how many audits can be conducted in a year, proceed to assign audit leaders and use all the technology that you can get your hands on.

A high-level best practice audit management system looks like the continuous improvement management system depicted below. Improvement ideas are fed into the system. These ideas for improvement are vetted and assigned as CPA (corrective action, preventive actions). Each of these ideas for improvement is addressed and documented in a database management system. Real-time dashboards and reports illustrate progress.

6

What Does Audit Best Practice Mean?

Ensuring that you have an audit management solution that works for all requirements (all inclusive) is step 1. There is no need for separate audit solutions for environmental, PSM, operational excellence, RMP, OE, SMS, EMS, EHS, quality or security. If you have all the audit needs collected in one system, you will need an automated process for proposing and prioritizing audits that need to be accomplished (planning). You will need a means to approve the audit schedule and resourcing (planning). Then you need an efficient and effective way to assign and remind lead auditors of their assignments (notifications and reminders). You will also need experienced internal auditors in combination with independent third party consultants who can give you industry perspective (resourcing).

Use an enterprise audit management software that can be used anywhere, preferably on laptops or tablets, and can be used off-line as well as synchronized with the enterprise audit solution. Then categorize findings as a major or minor opportunity for improvement or best practice. In addition, you need the ability to associate findings with a company-specific root cause.

Once your final report is created, review audit results on-line with managers and push out these results to an enterprise dashboard and reporting system for all to see. A best practice audit management system will prioritize a list of findings and its recommendation, including the “as-is” and “to be” risk. Senior managers who are constantly measuring audit program results as well as the tracking of change required to address findings will need to know how the risk will be reduced by the change.

7


Managing Results from an Audit: Best Practice Results Management

The results are twofold. First, there are the findings and recommendations for the site that has been audited. These need to be assigned and tracked to closure. Recommendations can then also be evaluated for their applicability at other units, sites or facilities so that those lessons can be applied across similar functions before they get cited or, worse yet, experience a process safety event. In further implementation of the PSM standard, there is an expectation of a performance safety culture cultivated by the sharing of ideas and openness of correct findings. The best practices that have been identified need to be shared and actioned at the other sites. This is where most companies fall short. There is no requirement in the PSM standard to identify best practices while auditing.

Good practice can be equally important for improving the safety culture and encouraging the right behaviors. The ability to learn at a site level and leverage the learning globally is a rare quality in a company.

Managing results from audits begins with enterprise-wide reporting clarity. Once you have planned your audits and are conducting them, you need a real-time view of audit progress and results. Are you meeting the planned audit schedules? Reporting dashboards are the best way to view real-time graphs, which provide non-invasive information that can be used by everyone to manage continuous improvement. Transparent reporting of results is essential to ensure everyone is being held accountable. Careful thought should be applied when designing dashboards so it is clear whether there is action needed or issues to resolve, and tgood results and behaviors are conveyed.

The Most Successful Companies…

The most successful companies will have executive leadership that believes PSM and the audit management element are important. You can do without this, but it makes it much more difficult. It is important that the management team embrace PSM as a good way to do business. PSM is not an add-on with no payback. Successful companies leverage technology by automating processes where possible and continuously improve the audit process and the information system.

Having an audit management system that adheres to best practices is a moving target, so if you are not getting better, you are losing ground. You need to be auditing the audit management system and assessing its effectiveness.

You need to be able to measure the risk of the findings “as is” and the “to be” risk after corrective actions are completed. This risk is usually established using a common risk ranking matrix that can be applied to all findings and opportunities. Once risk ranking is accomplished, clear and dynamic reporting of risk and opportunities is enabled (below).

What are the Best Practice Audit Metrics?

You need to measure the audit plan, the progress to plan, the types of audits that you do, the recommendations (major, minor, OFI and best practice), root causes, and best practices discovered and action.

In order to take full advantage of the audit management system, you should make sure that practices are not only shared but acted upon by the other sites in the company that might benefit from them. Assign senior managers at each facility best practice actions that have been discovered in audits and have them either implement the best practice at their site or explain how they have already addressed that best practice in another manner.

The following dashboard is an example of audit management metrics. Quadrant 1 (top right) — Auditor Item Time lag — shows how long it takes to get a draft report out, the final report out (once all has been accepted) and the time needed to close the audit. se metrics are needed to show the number of days to Audit Closure. Quadrant 2 (top left) — Auditor Items Schedule by Month — is important because it is showing how many audits are planned, assigned, approved, open and closed. Quadrant 3 (bottom left) reveals the kind of audits that are being accomplished (ISO, PSM, RMP, OE, etc.). It is important to know where you are spending your audit budget. Quadrant 4 (bottom right) — Auditor Items Open REC/MOCs by location — is an “aging” chart. All standards require that you implement corrective actions without undue delay.

5

Identifying the “Finding” Root Cause

The metric measured by world class companies is the “finding” root cause (basic and root). Basic and root cause analysis reveals an interesting story concerning why you have system weaknesses. The “why” is important so you can address the underlying (root) cause. A root cause is a cause that, once removed from the problem fault sequence, prevents the final undesirable event from recurring. In conducting incident investigations, various methodologies are employed to identify the root causes for the incidents. In conducting audits, there should be the same focus on finding the true cause of the failing so that appropriate measures can be taken. The table below illustrates examples of root causes that could be associated and then reported using dashboards to drive corrections. This will add additional insight into the kinds of work you need to do as a company to get better.

Best Practice Action Tracking Metrics

Once you have identified what needs to be done (corrective actions, preventive actions and possibly MOCs), it is critical that all required activities are tracked to closure. If continuous improvement ideas don’t get managed, your company has gained nothing but a check in the box that the audit was completed.

What is displayed below are the number recommendations (corrective actions, preventive actions), MOCs, emergency MOCs, past due recommendations, implementation status and changes in target dates. These are best practice action tracking metrics.

A strategy of being aware of your circumstance and identifying where your management systems have weaknesses. Take solace in knowing that the weaknesses have been identified, analyzed, communicated and, most importantly, that corrective and preventive actions are being managed in a timely fashion. Leverage audit management best practices to lift up the entire organization by ensuring the best practices identified are the best practices utilized.

Best Practice Summary

Automate your entire audit management system: planning, preparation, conduct, recommendation tracking, verification, communication and reporting.

  1. Ensure your audit management system covers all of the audit types (ISO, PSM, RMP, BSSE, etc.) your organization must comply with.
  2. Create a full-time audit group that is staffed with experienced (operations) and domain members who are curious and energetic about finding system weakness and best practices.
  3. Augment that audit team with independent third party auditors that can bring industry perspective.
  4. Ensure that each finding has a basic and near root cause identified so you can see where to concentrate your efforts in the future.
  5. Ensure that all recommendations have an “as-is” and “to be” risk ranking so it is easy to see how big the opportunity is.

Ensure you have a dynamic risk registry that logs all opportunities and findings. Ensure that recommendations concerning system weakness are assigned and tracked to closure with urgency.

Learn more about best practice audit management solutions. Contact us today or visit for more: https://visiumkms.com/solutions/audit