Compliance and Internal Audits
#rituals of #theBeautifulJourney
This month, at work, for our internal newsletter, I wrote about the Compliance related activities that are in progress. The article was the first of what should be a quarterly, all staff, internal update. This prompted me to write this article.
At the moment, my role is Senior Test Engineer, but I’m also working as a coordinator of Compliance related activities and internal audits for my current employer’s ISO 27001 certification. Here are some examples of the sort of things that I do in this part-time role:
- ISO 27001 Internal Audits planning and interviewing
- Corrective Actions Preventive Actions CAPA process framework definition, planning, effectiveness checks, reporting
- Cross-departmental process advisory, support
- Customer questionnaires (RFI, RFP) support and stock responses collection and curation
- Customer audits participation with required deliverables/evidence
- ISO 27001 surveillance and re-certification audit participation with required deliverables/evidence
- HIPAA external assessments
- Compliance awareness presentations e.g. relevance and limits of Title 21 CFR Part 11 scope
- Compliance onboarding presentation to new staff
- Compliance related documentation definition, coordination with Subject Matter Experts (SMEs), writing e.g. Information Security Whitepaper
- Quality Management System (QMS) definition and integration with the wider company
- Compliance strategy related discussions
- Keeping track of the above, making sure we are in time with all tasks and external and internal queries
In my previous and first job, I worked for Stratec Biomedical (with Stratec Biomedical UK, which prior to acquisition was known as Sanguin), which is active in a highly regulated environment, having to make submissions to the FDA for certain products, and had a QMS in place; that was my first exposure to this. I was a tester there as well, but took responsibility for the application of the QMS to the testing activity. Hence, at this point, you might spot a pattern here. 🙂
I’m a fan of:
- process improvement and doing things right, the first time, hence my Lean Six Sigma interest as well.
- understanding the big picture, the business, where everyone sees a little bit beyond their role.
- systems thinking; the previous points relate to this as well, as they need to happen in the context of systems thinking.
… and these things bring me to the Compliance world. With Compliance, Quality Management Systems and Internal Audits I get involved in many areas of the business and I simply love that! I need to understand more than just one job and aspect of a business for this kind of work; I enjoy thinking of the next improvement we could make, how, when, why, with whom, or the next training I could run to build the awareness, the knowledge, the quality and compliance culture. And this kind of work fits well with me because on a personal level I’m so interested in personal development, striving to do the right thing as a person and what it means to be a good colleague. Yet personal development is a lifelong journey for everyone and nobody is perfect, but #practiceMakesProgress.
The inquisitive mind of a software tester can be very useful in internal audits.
- You are exploring work in a given area relative to some specifications – the ISO 27001 policies in my case, at the moment.
- You want to discover gaps between the theory (policies) and the practice (the work), with the aim of continuously improving and supporting the business objectives that often rely on exquisite performance and practice in the areas covered by an ISO standard.
- You are also looking for evidence of work well understood and done.
In internal audits you are not the bearer of bad news per se, as software testers can be perceived to be, but the role of the internal auditor can still be uncomfortable at times because it might be perceived as a threat. People can easily get defensive if they feel under investigation or if they simply had bad experiences with this in the past. Hence, good communication skills, rapport and support before, during and after the internal audits are essential.
CAPAs (Corrective Actions Preventive Actions) are about continuous improvement, about making those changes that will support good results sustainably. Here, the systems thinking mindset is essential, Lean Six Sigma understanding is useful, and clear planning, success criteria and communication are fundamental.
CAPAs are a response to audit findings, significant product issues and/or other faults across the business. I treat them as small projects, where the plan, the people and the work are realistically considered for scheduling in the context of other business priorities. What I discover in practice, and what is definitely not new in theory, is the importance of the organizational culture for these things to work:
- There is management support for any investigative work and corrective work
- Time and resources are provided for this kind of work
- Priorities include this kind of work so it can be done efficiently (i.e. being spread too thinly across too many things will only make you slower, delay results and compromise quality (even) more)
- Product quality is as important as product quantity (e.g. number of releases in software development)
I won’t cover everything I do in this article as it would become too lengthy. I’ll have to promise to come back with dedicated articles for the remaining topics, and maybe I’ll even share some practical tips on the topics covered above.
Until next time… wish you great relationships with your Compliance department!