How often have you found yourself saying this to your colleagues or subordinates? Right… never. The only one who may say that to you (with a cheerful smile) is the auditor him or herself. For us mortals, any kind of audit is no more an opportunity to relax than a visit to the dentist. This sad state of affairs begs the question: why the pain, or at least the anticipation of pain?
Audit-related concern is often about the following:
- We know we don’t conform, and we expect our condition to surface during the audit.
- We believe we conform but are uncertain about having the appropriate data, or enough data to prove that.
- We are uncertain about the format of the data; it may not be easy or convenient enough for an auditor to draw the right conclusions.
- The format may be right, but we are missing a “meta-layer”, a context, that creates a holistic portrait of us as a reliable organization.
Given these potential weak links, we should consider all available tools to close the gaps, especially since both the number and the types of audits are increasing.
New Industries, New Audits, Wider Scope
In the modern era, service organizations have become a new arena for audits. One example of this is the management of data in our companies, in data centers, or placed with go-betweens in “cloud storage”, where the actual location of the data at any given moment is not known to the client.
The message from the American Institute of CPAs (AICPA), which issues auditing guidelines such as the following, is that companies must be prepared to address this in the same way that finance and other quality control issues are addressed:
The AICPA guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2℠)
Everyone is Affected
GSQA (Global Supplier Quality Assurance) “Software-as-a-Service (SaaS)” is one of the systems most qualified to address audit-related concerns. While the GSQA system is about managing material variability flowing through a complex supply chain, GSQA is also affected by the issue emphasized by the AICPA guide mentioned above, since data-processing integrity and security will only grow as serious issues for many companies.
Data Security and Integrity at GSQA
GSQA holds client data in its own data center, rather than in a widely dispersed cloud. EMNS, Inc., the company which offers GSQA, a “Software as a Service” (SaaS) solution for supply chain quality management, recently went through an audit based on the new AICPA guidelines.
This level of compliance has been an important commitment of the company for a number of years. In addition to the more recent AICPA audit, the Nuclear Regulatory Commission audited and validated GSQA for power, security, the quality of the network, and for operations, awarding the company a rating of “best-in-class”.
We believe that, for the time being, the investment in a physical data center is required. It is important to guarantee the security of client data, as well as our clients’ access to it at all times. By owning and managing its own data center, EMNS, Inc. avoids the creation of an additional “administrative supply chain” in which your data may be passed on to unknown data centers, through additional layers, with only the word of the “Cloud Computing” vendor as your guarantee.
There is another important dimension to GSQA. It creates a virtual Supply Quality Assurance department that is outside the firewalls of your company. The emphasis on “outside” is salient because of the ease with which the hacking of suppliers, and direct attacks on internal systems, have compromised the integrity of the data of several large companies in the recent past. Using GSQA means accessing your data on neutral, but well-protected, ground.
Your Ability to “See Around the Corner”
GSQA, besides being affordable, is powered by statistical process control (SPC). Complex statistical methods are applied to it, making any attempts at manipulation or falsification virtually impossible. It includes monitoring and processing of all key data that make up your supply chain Quality Assurance system, including:
- Test procedures (i.e., whether the proper methods are being used to test any material inputs)
- Monitoring of actual tests, as determined by the customer’s list of priorities
- Monitoring of testing specification ranges and their limits (which may need adjustment, depending on trends, changes in production methods or inputs, and market demands)
- Nonconformance issues, and the tools to intervene in breakdowns before they enter the production line
- Quality, regulatory and best-practice documentation submittal and approvals
- Monitoring compliance with both material and procedural guidelines
- Evaluation of the performance of specific materials
- Supplier performance, including timely and specific opportunities to reward exceptional performance and/or develop promising new companies
Because these data inputs are monitored in real time, your company has the ability to see trends, and quickly see not only what has happened and what is happening, but also what is likely to happen – to predict the future with some reliability.
Using GSQA’s straightforward “Software as a Service” system (which has itself been audited), housed in a well-protected data center, increases your security in an important way. The dispersal of suppliers, co-manufacturers and enterprise plants does not increase your vulnerability because the service is performed outside your company’s firewalls. Errors are reduced because the User Interface is a workhorse geared to the lowest common denominator so that even suppliers located around the world can input their data in a standard format. It may yet allow you to declare “relax, it’s just an audit” the next time the auditor arrives!