A Gap Analysis is mainly a determination of the degree of conformance of your organization to the requirements of a specification or standard (ISO, API, OHSAS, etc.). A Gap Analysis is mainly a document review or a “show me the evidence” type of activity; the evidence will usually come in the form of a record or document. During a Gap Analysis there is very little auditing being done; rather, key process owners or project stakeholders will provide the evidence they may or may not have for each of the requirements set forth in the chosen specification or standard.
Gap Analyses are very often conducted at the beginning of the journey of an organization seeking compliance to a chosen specification or standard; however, one may also be conducted after some development has taken place. The main reason why the Gap Analysis is conducted at the beginning of the development phase or after some development has occurred is that the organization wants to know where it stands with regard to meeting the standard and specifically what it needs to do to close the gaps. Basically, they want to know where the holes are, whether few or many, and what they need to do to close those holes and get closer to fully meeting the requirements of the chosen specification or standard.
This leads us into the Reporting. A good Gap Analysis report usually presents a clear summary of where the major gaps exist between the company’s documentation and the chosen requirements. It should also give a detailed account of each requirement and the degree of compliance, with corresponding actions that need to be taken in order to close these gaps. Here lies a major difference between, for example, an Audit report and a Gap Analysis report: the Gap Analysis report has some inherent advice to it, which makes it suitable to be accomplished by consultants or experts in the chosen specification or standards. A Gap Analysis will seldom be performed by a Registrar or company providing certification because they will not be allowed to provide the necessary advice without running into a conflict of interest situation.
An Internal Audit is an activity that also seeks to determine the degree of conformance of your organization to the requirements of a specification or standard (ISO, API, OHSAS, etc.) or to your own organizational requirements. This audit is performed in more than one dimension, through review of documentation evidence and also through actual questioning of employees.
An Internal Audit is usually conducted after development has been completed and some implementation has occurred. The reason is that Internal Auditors will be questioning individuals to see their level of knowledge of the system; therefore, without implementation under way, it may be hard to prove that employees are actually using the system or are knowledgeable of their role in meeting the chosen specification or standard, or the organization’s own requirements.
Internal Audit reports usually present the Lead Auditor’s summary of the overall impression of the organization’s degree of conformance to the chosen specification or standard and a list of findings. Good reports include not just nonconformities, but also observations, noteworthy efforts and even opportunities for improvement. In my many years of practice I always like to point out at least one noteworthy effort to my clients, because it gives the report a positive note, but also I believe that if no notable efforts are noticed, at least the organization should be praised for committing the resources and time to accomplishing the requirements of the chosen specification or standard. There is not much advice included in an Internal Audit report; however, Opportunities for Improvement and Observations, when presented correctly, should give the organization enough food for action and follow-up.
The last issue on Internal Audits is who is supposed to conduct them. As the word “Internal” says, Internal Audits should be conducted by internal employees; however, this is easier said than done. In large organizations the task is easier because there are exclusive departments whose sole job is to perform audits throughout their business units and locations. However, in small organizations, this becomes a real problem. First, we are dealing with the issue of independence. If you have one auditor and he/she audits the whole facility, then who audits his/her area? If he/she does that too, then you will not be able to prove that the audit is unbiased because the auditor is auditing their own area. The other big question is how effective your audits are. An auditor who only performs audits once or twice a year does not truly have a chance to polish their auditing skills and therefore you may not be getting good bang for your audits. That’s when hiring an independent consultant sometimes works in your favor: they are independent, bring a lot of expertise from other organizations and have excellent up-to-date auditing skills. However, if you decide to have your employees perform your audits, make sure that you keep them current in auditing techniques by sending them to continuing education or refreshing their internal auditor knowledge at least once a year.
A Pre-Assessment is usually the prelude to an External, Registrar or Certification Audit. If you want a Pre-Assessment of your organization, chances are your system has been conforming to the chosen specification or standard for at least 3 months, you have conducted a full Internal Audit of your organization and all the findings reported in the Internal Audit report have been closed. You are basically ready but want to have a last look before you bring the big boys in.
A Pre-Assessment is therefore a mock External Audit, and consequently there is plenty of document review as well as actual questioning of employees. As with the Internal Audit, the Pre-Assessment’s objective is to determine the degree of conformance of your system to the chosen specification or standard; however, you will also find that it is a good green light for knowing whether you are ready to go for the certification audit or if some fine tuning is necessary. The Pre-Assessment report will not give advice but rather should show if there are any nonconformities and allow the organization to close those out prior to the certification audit. The better you are prepared for a certification audit, the more you increase your chances of obtaining certification or being recommended for certification on the day of your External Audit.
Pre-Assessments can be conducted by consultants or Registrars, or by competent individuals who are experts in the certifications or standards chosen by your organization.
Hopefully by now you are clearer on the differences between these three important activities in your continual improvement journey. Depending on the size of your company, you may need all three, although I tend to recommend usually a good Gap Analysis to define the starting point and a thorough Internal Audit since that’s a must-do anyway. Based on our successful approach to implementation, most of our clients don’t need a Pre-Assessment before their certification, however that doesn’t mean your organization may need one or may benefit from one. Nowadays most Registrars or Certification bodies have also implemented a “Stage 1” and “Stage 2” audit, which seeks to give organizations an opportunity to determine their readiness. Of course I don’t want to confuse you more, so I will leave that for another topic, but just remember that the quality of the activities is only as good as the quality of the people performing those activities, so no matter whether you choose all 3 or at least just the Internal Audit, make sure they are performed by highly competent individuals. Only with expertise on hand and excellent reports will you get closer to world class quality.
Miriam Boudreaux is the President of Mireaux Management Solutions, a consulting firm headquartered in Houston, TX. Mireaux’s products and services encompass ISO consulting, ISO Training, Internal Auditing, implementation of Web QMS platform and electronic QMS hosting.