Blog posts tagged in Audit

What are we Trying to Verify?

An Audit will typically generate a number of findings, and whilst the first step is usually to take an immediate “short term” action, the important business is ensuring the fundamental cause or “root cause” is addressed – the challenge is that this is far from easy!

Essentially, we are seeking evidence that the cause or “causes” of the problem have either been removed or mitigated in an acceptable way. (It is not always possible to completely fix the issue and sometimes the best outcome we can hope for is a reduction of the causes.)

Essential Evidence for Verification

Last modified on

To deliver effective EASA compliance audits it is necessary to pay attention to a number of key areas which are identified below for discussion purposes.

a) Maintaining Objectivity
b) Sample Size
c) Value of Finding Raised
d) Operator’s Authority on Area of Audit

Maintaining Objectivity

Objectivity requires both perspective and balance on the part of the auditor. We should also pay attention to the fundamental reason we are carrying out the audit.

Introduction

The essential purpose of an EASA compliance audit is to support the maintenance of the regulatory approval.

Quality Assurance Compliance Audits are a systematic and independent comparison of the way the system, process or objective is met. Using the observations made during this audit as “objective evidence”, a comparison is thus made against the standard, generating non-conformities or corrective actions in the event of any discrepancy.

The audits should be documented with a checklist which shows the details of the audit standard or audit criteria being applied to the audit.

Note 1: Quality Assurance Audits are prescriptive in as much as they are always referenced against a standard (meaning compliance with that standard).

Management system audit requirements may include reference to documents such as policies, objectives, processes, procedures, instructions and quality plans which, when combined with an audit scope statement, can deliver internal audits which are either wide-ranging or focused on any aspect of the organization or part thereof, and which have the potential to address risk performance.

ISO 19011 considers that there is a risk associated with delivering an audit program in which all the requirements of the various standards or the management system are covered within a year.

Why does this method of scheduling create a risk?

Essentially, audit programs which are fitted into an annual 12-month calendar program rarely take risk into consideration.

Tagged in: Audit Program Quality Risks

Changing the Audit Focus to a Performance Based System where the audits are driven by needs related to both System Performance and Management Objectives rather than by simple schedule.

For maximum benefit the internal management systems audits should connect with an overarching objective to evaluate "risk".

ISO 31000 defines risk as: "An undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative consequence" or the "effect of uncertainty on objectives".

It is increasingly understood that the explicit and structured management of risk brings benefits.

It is common for internal audit programs to be developed on an annual calendar that predicts which aspects of the Quality Management System are going to be audited.

Compliance Auditing brings with it the daily challenge of ensuring that the organisation remains at all times fully compliant with both internal and external obligations.

The Audit Management, Control and Oversight system should ensure that the established safety and quality procedures are fully complied with.

In addition:

a)     To plan and deliver audits

b)     To review findings

c)     To perform root cause analysis and develop additional actions where necessary (under the specific control or guidance of the business area owner or post holder)

In an effective Quality Management System (QMS), monitoring is a continuous process. It is essential to ensure robust and continuous oversight of all internal processes and procedures.

Let’s consider the difference between Assessment & Audit

Assessment

The evaluation process used to measure the performance or effectiveness of a system and its elements.

Our goal is to perform an assessment of the auditing process follow up to determine both the cost effectiveness and overall value to the business.

Audit

An EASA Audit is a systematic and independent examination to determine whether quality activities comply with external regulatory requirements and internal organisational specifications and whether these specifications are implemented effectively.

A primary indicator of a poor or failing system is repeat findings or findings which should be addressed at a lower level – for example the Competent Authority should not identify problems which are normally expected to be found within the internal Quality Assurance System audit process.

Why should we wish to measure the performance of our Compliance Audit Process?

Essentially for 2 reasons:

1/ The first is that we have an organisational obligation to ensure both regulatory and organisational compliance, and of course there is a cost for this – so the question becomes: is the organisation receiving value for money?

2/ The second is because there is a cost associated, let’s call it a return on investment – if we invest more, will we return more? Without a measure we will not be able to understand this.

The Internal Audit function, which predominantly existed as a mandatory process to ensure and demonstrate compliance, is also able to focus on improving business performance and to add value by supporting strategic business objectives.

Management communication of the various shortfalls related to the audit findings should be strong and consistent, and should be demonstrated to have a contributory impact on a culture of compliance within an organization.

EASAOnline is pleased to discuss the role of the EASA Quality Assurance Auditor. Quality Auditors will be found in all organisations which work under the umbrella of the European Aviation Safety Agency (EASA), including Airlines, Airports, and Maintenance Organizations.

Considering the Nature of Audits

When we talk about audits we are generally talking about the need to ensure compliance. Regulatory audits are essentially compliance audits where we are looking to compare the actual with the expected. The expected typically being compliance either with EASA or another regulatory body.

What is it all about?

A compliance audit essentially looks for conformance to a set of rules or standards – the rules may be external (regulations) or internal, process and procedures driven.
Certain areas of business (in aviation these are many) can be described as high risk. For these activities, audits play a significant role in establishing ongoing conformity with company processes and procedures.


What are compliance audits?
Compliance audits are designed to give assurance that activities have been performed properly and they are, of course, reactive. Compliance audits also tend to be binary - they either pass or fail. It is also fair to say that the compliance audit in fact requires a lower level of auditor competence. Why? Because it is essentially rules driven which means that there is a removal of subjective ambiguity. This audit is presented typically as a completed checklist of observed conditions at the time when it takes place.

Tagged in: Audit Compliance EASA

Let’s first consider a fundamental difference between ISO 9001-2015 and EASA Regulatory Compliance Audits. In the ISO world, one reason to perform internal audits is to support the continual improvement of the organisation’s system. Conversely, when an EASA compliance audit is carried out, it is essentially to support the identification of a non-conformance.

Let’s also consider that the criteria by which we audit are called our audit “standard”. Such a standard may in fact be a regulatory requirement driven directly from the Implementing Rule (IR) or the Acceptable Means of Compliance (AMC).

It may also be a requirement based on the need for compliance with internal documentation, for example any of the following - OPS Manual Part A, EASA Part 145 Maintenance Organisation Exposition (MOE), EASA Part M Continuous Airworthiness Management Exposition (CAMO) or EASA Part 147 Maintenance Training Organisation Exposition (MTOE).  All of the aforementioned documents contain detailed procedures which need to be complied with by the organisation.

Tagged in: Audit EASA Part 147

Step 1 is to fully understand the standard or requirement which we are auditing against.

If it is a regulation – what is the current issue? (Are there any changes due? Check for Notice of Proposed Amendments.) The more background knowledge you have, the better able you are to make good audit decisions.

If it is an internal process or procedure – who is the owner or responsible person? (Do they know that you are going to be auditing their procedure?) It is good business manners to inform them – again, take the opportunity to ask if there are any planned changes to the procedure or process.

Always take the opportunity to ask open questions which will aid and benefit understanding of the background related to the audit subject matter.

How does the role of the Quality Assurance (QA) Auditor differ within the EASA environment compared to, say, other aviation regulatory systems (FAA, for example)?

Well, the first thing to consider is that the role of the Quality Assurance Auditor within the EASA system is quite specific in that it requires “Independence”. This is not the case, for example, when you consider ISO 9001-2015.

ISO 9001:2015 has removed the requirement for a single point of contact regarding the QMS, replacing it with a new section on leadership to better emphasise a greater involvement from the leadership team. Compare with EASA, where we have specific roles and responsibilities (including an Independent Compliance Manager (CM)) and a clear understanding of who is managing each business objective, whilst still ultimately identifying the responsibility of the nominated persons.


Mature Quality Control Processes which are overseen by effective Quality Assurance/Compliance Management audit processes provide a significant benefit to the organisation, where the focus moves from simple regulatory compliance to effective development of the organisation’s systems, which provides key benefits in organisational optimisation.

It is important to communicate the objectives of any audit in the most effective way, and audits which are performed in respect of showing compliance with EASA Regulation EC 965/2012 are no different in this regard.

Audits should focus on all elements which are critical to demonstrating regulatory compliance as well as organisational compliance, and in particular should also pay attention to elements which impact operational safety and security.

Tagged in: Audit EASA

As you become familiar with this process you will start to understand that there are two options and a challenge to consider:

Option 1 - To develop an EASA Compliant Auditing Program which ensures compliance with the regulatory objectives.

Option 2 - To develop an Organisation Auditing Program which ensures compliance with the regulatory objectives but goes on to set and meet further organisational objectives which provide a far wider and deeper understanding of the organisational exposures.

Tagged in: Audit Compliance EASA

Firstly, let us consider exactly what we mean by surveillance audits.

To perform any audit requires a standard with which to compare or reference against; in this regard surveillance audits are no different from most other types of audit.

What is different is that surveillance audits are essentially audits without portfolio. This means they are “extra” to the audit program and provide the opportunity for additional oversight and confidence in the effective delivery of the compliance system.

Tagged in: Audit EASA

Firstly, understand that both System and Process audits are in fact compliance audits; then understand that a System typically consists of multiple processes.

Next, consider that when we perform an audit it is in effect performed against a “standard”. Such a standard could, for example, be taken directly from the applicable aviation regulations, or it could be an organisational standard which is referenced to the aviation regulations but enhanced in some way to meet the organisation’s specific objective.

The best way to deal with such an endeavour is to start by looking at the system in total and comparing it against the regulatory requirement to ensure that there are no “gross” errors.

Tagged in: Audit Human Factors

Compliance audits are designed to give assurance that activities have been performed properly. It should be understood that Compliance Audits are of course reactive (meaning we have to review evidence which is either post an event or concurrent with an event).

As we know, certain areas of our Aviation Business (and it is fair to say in aviation there are many) can be described as high risk. For these areas, among the many mitigation techniques which are available, Quality Audits can play a supporting role by establishing ongoing conformity with company processes and procedures.

When we consider compliance audits, whilst the result may be satisfactory, the reality is that it is unknown whether the compliance will be satisfactory next week or next month. The compliance audit typically requires a lower level of auditor competence and is presented typically as a completed checklist of observed conditions at the time of the audit.

How to Ensure the Independence of Audits within an EASA Part 147 Organization

When we talk about the Quality System we are of course considering the functions of both QA & QC.

The QA audit process must be independent, which means the auditor is not involved in the day-to-day delivery of training or management of processes.

It should also be understood that the audits do not replace the need for ongoing Quality Control (QC) activities.

The audits which we will carry out are considered as “compliance audits” and essentially follow a prescriptive checklist, ensuring that all elements of the process are delivered in accordance with both the regulatory and organizational requirements.

Audit Scheduling
 
An essential requirement of our audit program is to cover the entire organizational system. Notionally this should be done on an annual basis; we should also be mindful that some areas may require more frequent auditing, whilst some areas may be audited on a less frequent basis.

The primary reason to perform audits is to ensure regulatory compliance with external requirements and full compliance with internal organizational requirements. The secondary reason is to enable an understanding of opportunities to seek out improvement.
 
Audits should never appear adversarial or confrontational; rather, they are a method which should be fully supported by the auditee to demonstrate compliance in all necessary areas.
