QKC20190412：讀書會_設計審查與內部稽核

hlperng

品質學會品質知識社群 (QKC) 讀書會
專題：設計審查與內部稽核
時間：2019 年 04 月 12 日(星期五) 15:00 - 18:00   
地點：品質學會九樓教室（台北市羅斯福路 2 段 75 號）
引導：彭鴻霖會友

hlperng

審查 (review) 與稽核 (audit)

• 審查與稽核是什麼？
• 審查與稽核做什麼？
• 審查與稽核怎麼做！
  

審查：線上、主動、決策；稽核：線外、被動、建議。

COSO 內部稽核著眼在企業營運公司治理的財務面向，嚴謹的狹義稱法為財務內部稽核，稱 ISO 內部稽核為非財務稽核。兩者應該如何整合是個議題，尤其是對於上市上櫃公司更是如此，兩者都是有相當的法源基礎。

ISO 內部稽核以管理系統、過程、產品為稽核對象，COSO 內部稽核以公司治理、財務管理、內部控制、組織倫理、組織文化為稽核重點。

稽核分為第一方稽核（內部稽核）、第二方稽核（顧客稽核）、和第三方稽核。

審查與稽核兩個名詞在產業應用最早是出現在美軍標準 MIL-STD-1521，「系統、設備、與電腦軟體之技術審查與稽核」。審查與稽核的主體是專案計畫的產品（包括系統、設備、與電腦軟體），稱為型態物件 (configuration items)。
技術審查與稽核的種類總共有 10 項，依照專案計畫的發展階段加以區別，

相關議題：專案計畫發展階段，新產品開發過程，系統工程過程，先進產品品質規劃 (APQP)、新產品導入 (new product introduction, NPI)。

ISO 9000 系列國際標準自從 1987 年開始發行及推動之後，應用主體從產品、過程、品質管理系統、營運管理系統的演變，美其名為了使標準的內容更具體、明確，事實上其適用範圍是限縮的。

ISO 9001:1994 第 4.4.6 節「設計審查」(design review) ，規定在合適的設計階段，必須規劃、執行與紀錄設計審查活動。ISO 9001:2000 第 7.3.4 節、ISO 9001:2008 第 7.3.4 節「設計與發展審查」 (design and development review) ，具體規定的要求條文，評估設計與發展結果符合要求的能力，以及識別任何問題並提出必要的行動。ISO 9001:2015 不再有顯性的設計審查條文規定，第 8.3.4 節「設計與發展控制」 (design and development controls)，說明審查只是手法之一，其他的手法包括：驗證、查證、及其他任何必要的行動。這就是 ISO 9000 的作風，小鼻子、小眼睛，看高毋看低，從基礎的產品技術與工程下手借殼上市，形成氣候之後轉向高層營運管理同溫層靠攏取暖，始亂終棄、削足適履、棄之如敝屣！


審查相關名詞：

• 審查 (review)
• 技術審查 (technical reviews)
• 設計審查 (design reviews)
• 同儕審查 (peer reviews)
  

稽核相關名詞：

• 稽核
• 技術稽核：檢查 (examination) 設計文件，
• 品質稽核：
• 內部（品質）稽核：ISO 9000 系列國際標準、ISO 19011
• 內部（控制）稽核：COSO 內部稽核
  

汽車界的未然防止方法 (Mizenboushi method)， GD3 問題預防過程 (problem prevention process)，：

• GD3 過程: 良好設計 (good design)、良好討論 (good discussion)、良好解剖 (good dissection) 。
• Good Discussion = DRBFM，基於失效模式之設計審查 (design review based on failure modes, DRBFM)
• Good Dissection = DRBTR，基於試驗報告之設計審查 (design review based on test report, DRBTR)
  

設計審查參考資料

• ISO 19011:2018, Guidelines for auditing management systems
• ISO 21349:2007, Space systems - Project reviews
• AIR-4.1:2001, Design Review Handbook
• ECSS-M-30-01A:1999, Organization and conduct of reviews
• JPL-D-10401A:1998, JPL Guidelines for Reviews
• BS 5760-14:1993, Guide to formal design review
• IEC 61160:1992, Guide to formal design review
• MIL-STD-1521B:1986, Technical reviews and audits for systems, equipments, and computer software
  

hlperng

審查 (review)：審核、評論、覆查

ISO 8402:1986、ISO 8402:1994 為設計審查 (design review)，是一種品質管理手法，一種活動。ISO 9000:2000 第 3.8 節、ISO 9000:2005 第 3.8 節，檢查相關名詞 (Terms related to examination)。ISO 9000:2015 第 3.11 節決定相關名詞 (Terms related to determination)，是一種找出一項或多項特性及其特性價值的活動，此類活動包括：審查 (review)、監視 (monitoring)、量測 (measurement)、檢查 (inspection)、試驗 (test)、進度評估 (progress evaluation)。

審查定義：

• ISO 9000:2015, 3.11.2 review
  
  • determination of the suitability, adequacy, or effectiveness of an object to achieve established objectives
  • EXAMPLE.  Management review, design and development review, review of customer requirements, review of corrective action, and peer review.
  • NOTE 1 to entry.  Review can also include the deternination of efficiency.
    
• ISO 9000:2005, 3.8.7, review
  
  • activity undertaken to determine the suitability, adequacy, and effectiveness of the subject matter to achieve established objectives
  • NOTE.  Review can also include the determination of efficiency.
  • EXAMPLE.  Management review, design and development review, review of customer requirements, and non-conformity review.
    
• ISO 9000:2000, 3.8.7, review
  
  • activity undertaken to determine the suitability, adequacy, and effectiveness of the  subject matter to achieve established objectives
  • NOTE.  Review can also include the determination of efficiency.
  • EXAMPLE.  Management review, design and development review, review of customer requirements, and nonconformity review.
    

設計審查定義

• IEC 61160:2005, 3.4 design review
  
  • planned, dccumented independent review of an existing or proposed design
  • NOTE 1.  Objectives include evaluation of the design's capability to fulfil the specified requirements, identify any actural or potential deficiencies, proposing enhancements.
  • NOTE 2.  Design review by itself is not sufficient to ensure proper design.
  • NOTE 3.  The design can be for a product or process.
  • NOTE 4.  The design review can be achieved by means of a meeting or other documented process.
    
• ISO 8402:1994, 3.11 design review
  
  • documented, comprehensive and systematic examination of a design to evaluate its capability to fulfil the requirements for quality, identify problems, if any, and propose the development of solutions.
  • NOTE.  A design review can be conducted at any stage of the design process, but should in any case be conducted at the complation of this process.
    
• IEC 61160:1992, 3.1 (formal) design review
  
  • A formal and independent examination of an existing or proposed design for the purpose of detection and remedy of deficiencies in the requirements and design which could affect such things as reliability performance, maintainability performance, maintenance support performance requirement, fitness for the purpose and the identification of potential improvements.
  • NOTE.  Design review by itself is not sufficient to ensure proper design. [IEV 191-17-13]
    
• ISO 8402:1986, 3.13 design review
  
  • a formal, documented, comprehenisve and systematic examination of a design to evaluate the design requirements and the capability of the design to meet these requirements and to identify problems and process solution.
  • NOTE 1.  Design review by itself is not sufficient to ensure proper design.
  • NOTE 2.  A design review can be conducted at any stage of the design process.
    
  
  

技術審查 (technical reviews)

• MIL-STD-1521B:1986，針對型態物件，決定是否符合其發展規格規定的要求。
  
  • 系統要求審查 (system requirements review, SRR)：系統的功能要求，查明 (ascertain)。
  • 系統設計審查 (system design review, SDR)：系統的配當技術要求，評估 (evaluate)。
  • 軟體規格審查 (software specification review, SSR)：電腦軟體型態物件的要求與操作概念，評估 (evaluate)。
  • 初步設計審查 (preliminary design review, PDR)：型態物件初步設計的手法、性能與工程特定要求、技術風險、進度、相容性，評估 (evaluate)、評鑑 (assess)、決定 (determine)、建立 (establish)。
  • 關鍵設計審查 (critical design review, CDR)：型態物件細部設計的手法、性能與工程特定要求、規格、進度、相容性，評估 (evaluate)、評鑑 (assess)、決定 (determine)、建立 (establish)。
  • 試驗就緒審查 (test readiness review, TRR)：電腦軟體型態物件的測試程序，決定 (determine)、確保 (assure)、預測 (predict)。
  • 正式鑑定審查 (formal qualification review, FQR)：型態物件合約性能要求的試驗、檢驗、或分析過程，驗證 (verify)。
  • 生產就緒審查 (production readiness review, PRR)：型態物件的生產決策，決定 (determine)。
    

hlperng

品質管理與品質保證相關名詞定義，從 ISO 8402:1984 第 4 章工具與技法相關名詞, 、ISO 8402:1994 第 3 章名詞與定義、ISO 9000:2000 第 3.9 節稽核相關名詞、ISO 9000:2005 第 3.9 節稽核相關名詞、ISO 9000:2015 第 3.13 節稽核相關名詞。
由此可看出，ISO 9000 品質管理系列對於稽查一詞的定義變化，從 2000 年之前的工具與技法之一，到 2000 年之後變成品質管理活動的過程 (process) 之一。


品質管理的稽核與品質稽核定義

• ISO 9000:2015, 3.13.1 audit (3.13 terms related to audit)
  
  • systematic, independent, and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
  • NOTE 1 to entry. The fundamental elements of an audit include the determination of the conformity of an object according to a procedure carried out by personnel not being responsible for the object audited.
  • NOTE 2 to entry.  An audit can be an internal audit (first party), or an external audit (second-party or third-party), and it can be a combined audit or a joint audit.
  • NOTE 3 to entry.  Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization iteself for management review and other internal purposes, and can form the basis for an organization's declaration of conformity independence can be demonstrated by the freedom from responsibility for the activity being audited.
  • NOTE 4 to entry.  External audits include those generally called second and third- party audits.  Second party audits are conducted by parties having an interest in the organization, such as customers, or by other persons on their behalf.  Thied-party audits are conducted by external, independent auditing organizations such as those providing certifiction / registration of conformity or governmental agencies.
  • NOTE 5 to entry.  This constitutes one of the common terms and core definitions for ISO management system standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1.  The original definition and NOTE to entry have been modified to remove effect of circulairty between audit critieria and audit evidence  term entries, and NOTE 3 and 4 to entry have been added.
    
• ISO 9000:2005, 3.9.1 audit (3.9 Terms relating to audit)
  
  • systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
  • NOTE 1 to entry.  Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization itself for management review and othr internal purposes, and may form the basis for an organization declaration of conformity.  In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsiblity for the activity being audited.
  • NOTE 2 to entry.  External audits include those generally termed second- and third-party audits.  Second-party audits are conducted by parties having an interest in the organization, such as customers, or by other persons on their behalf.  Third-party audits are conducted by external, independent auditing organizations, such as those providing certification / registration of conformity to ISO 9001 or ISO 14001.
  • NOTE 3 to entry.  When two or more management systems are audited together, this is termed a combined audit.
  • NOTE 4 to entry.  When two or more auditing organizations cooperate to audit a single auditee, this is termed a joint audit.
    
• ISO 9000:2000, 3.9.1 audit (3.9 Terms relating to audit)
  
  • systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
  • NOTE.  Internal audit, sometimes called first-party audits, are conducted by, or on behalf of, the organization itself for internal purposes and can form the basis for an organization's self-declaration of conformity.
  • External audits include what are generally termed "second-" or "third-party audits".
  • Second-partty audits are conducted by parties having an interest in the organization, such as customers, or by other persons on their behalf.
  • Third-party audites are conducted by external independent organizations.  Such organizations provide certification or registration of conformity with requirements such as those ISO 9001 and ISO 14001:1996.
  • When quality and environmental management systems are audited together, this is termed a "combined audit".
  • When two or more auditing organizations cooperate to audit a single auditee jointly, this is termed "joint audit".
    
• ISO 8402:1994, 4.9 quality audit
  
  • systematic and independent examination to determine whether quality activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives.
  • NOTE 1. The quality audit typically applies to, but is not limited to, a quality system or elements thereof, to processes, to products or to services.  Such audits are often called "quality system audit", "process quality audit", "product quality audit", or "service quality audit".
  • NOTE 2.  Quality audits are carried out by staff not having direct responsibility in the area being audited but, preferably, working in cooperation with the relevant personnel.
  • NOTE 3.  One purposes of a quality audit is to evaluate the need for improvement or corrective actions.  An audit should not be confused with quality surveillance or inspection activities performed for the purposes of process control or product acceptance.
  • NOTE 4.  Quality audits can be conducted for internal or external purposes.
    
• ISO 8402:1986, 3.10 quality audit
  
  • A systematic and independent examination to determine whether quality activities and related results comply with planned arrangements and whether these arrangement are implemented effectively and are suitable to achieve objectives.
  • NOTE 1.  The quality audit typically applies, but is not limited, to a quality system or elements thereof, to processes, to products, or to services.  Such audits are often called "quality system audit", "process quality audit", "product quality audit", "service quality audit".
  • NOTE 2.  Quality audits are carried out by staff not having direct responsibility in the areas being audited but, preferably, working in cooperation with the relevant personnel.
  • NOTE 3.  One purpose of a quality audit is to evaluate the need for improvement or corrective action.  An audit should not be confused with "surveillance" or "inspection" activiites performed for the sole purpose of process control or product acceptance.
  • NOTE 4.  Quality audits can be conducted for internal or external purposes.
    
  
  

德國車輛協會 (VDA) 產品稽核 (product audit)
A product audit assesses the effectiveness of quality assurance through the examination of a small number of product  and/or parts and confirms their quality capability based on the quality of the product.






型態管理的型態稽核 (configuration audit)

• EIA-STD-649B:2011, 5.5 Configuration Verification and Audit, 5.5.3 Configuration audit
  
  • configuration audit: review of processes, product definition information, documented verification of compliance with requirements, and a inspection of products, to confirm that products have achieved their required attributes and conform to released product configuration definition information.
  • a means to assure that configuration verifications have been accomplished and to establish baselines at key points in the product life cycle.
  • audits are a summation of the configuration verification activity to assure ...
  • configuration audits include performance verification (fiunctional configuration audit) and design verification (physical configuration audit).
  • CVA-3. Configuration audits are a summation of the configuration verification process, where necessary to establish baselines at key points in the product life cycle.
  • configuration audit = conformity inspection = product configuration verification = product consistency verification = system verification review
    
• ISO 10007:2003, 5.6 Configuration audit
  
  • to determine whether a product conforms to its requirements and product configuration information
  • normally there are two types of configuration audits: functional configuration audit and physical configuration audit
  • functional configuration audit: functional and performance characteristics
  • physical configuration audit: physical characteristics
    
• MIL-HDBK-61B:2002, 8 Configuration Verification and Audit
  
  • functional configuration audit (FCA): examination of functional characteristics to verify ... has achieved ...
  • physical configuration audit (PCA): examination ... to establish or verify ...
  • configuration audit of configuration verification records and physical product to validate that a ...
  • to establish ... and support ...
    
• EIA-STD-649:1998, 5.5.2 Configuration audit
  
  • product configuration verification accomplished by inspecting document, products and recrods; and reviewing procedures, processes, and systems of operation to verify that the product has achieved its required attributes (performance requirements and functional constraints) and the product's design is accurately documented.  Sometimes divided into separate functional and physical configuration audits.
  • audits may be conducted by the organization responsible for the product development, by the customer, or by a third party designated by the customer.
    
• ISO 10007:1995, 5.5 Configuration audit (CA)
  
  • to assure the product complies with its contracted or specified requirements and to assure the product is accurately reflected by its configuration documents.
  • normally there are two types of configuration audits: functional configuration audit and physical configuration audit
  • functional configuration audit: verify performance and functional characteristics
  • physical configuration audit: examination to verify
    

hlperng

型態管理名詞與定義

• 型態 (configuration)：形態、組態、構型、配置、技術狀態
  
  • ISO 10007:2003, 3.3
    
    • interrelated functional and physical characteristics of a product defined in production configuration information
      
• 型態物件 (configuration item)：設計，設計與開發、設計與發展的產品
  
  • ISO 10007:2003 3.5
    
    • entity within a configuration that satisfies an end use function
      
• 型態管理 (configuration management)：
  
  • ISO 10007:2003, 3.6
    
    • coordinated activities to direct and control configuration.
    • NOTE.  Configuration management generally concentrates on technical and organizational activities that establish and maintain control of a product and its product configuration information throughout the life cycle of the product.
      
• 產品型態資訊 (product configuration information)
  
  • ISO 10007:2003, 3.9
    
    • requirements for product design, realization, verification, operation, and support
      
• 工程變更 (engineering change)：
  

型態管理 (configuration management, CM) 相關文件：

• ISO 10007:1995, CNS 14238:2000, ISO 10007:2003, CNS 14238:2006
• MIL-STD-480:1968, DOD-STD-480A:1978, MIL-STD-480B:1988
• MIL-STD-482:1968
• MIL-STD-973:1992
• MIL-STD-3046:2013
• EIA-STD-649:1998, EIA-STD-649A:2004
• MIL-HDBK-61:1997, MIL-HDBK-61A:2001, MIL-HDBK-61B:2002
  

hlperng

ISO 9000:2015, 3.11 決定 (determination)

ISO 9000:2015, 3.11.1 決定 (determination)

• activity to find out one or more characteristics and their characteristic values.
  

檢驗 (inspection)

• ISO 9000:2015, 3.11.7 檢驗 (inspection)
  
  • determination of conformity to specified requirements.
  • NOTE 1 to entry: If the result of an inspection shows conformity, it can be used for purposes of verification.
  • NOTE 2 to entry: The result of an inspection can show conformity or nonconformity or a degree of conformity.
    
• ISO 9000:2005, 3.8.2 檢驗 (inspection)
  
  • conformity evaluation by observation and judgement accompanied as approproate by measurement, testing or gauging
  • [ISO/IEC Guide 2]
    
• ISO 9000:2000, 3.8.2 檢驗 (inspection)
  

試驗 (test)

• ISO 9000:2015, 3.11.8 試驗 (test)
  
  • determination according to requirements for a specific intended use or application.
  • NOTE 1 to entry: If the result of a test shows conformity, it can be used for purpose of validation.
    
• ISO 9000:2005, 3.8.3 試驗 (test)
  
  • determination of one or more characteristics according to a procedure
    
• ISO 9000:2000, 3.8.3 試驗 (test)
  

監視 (monitoring)

• ISO 9000:2015, 3.11.3 監視 (monitoring)
  
  • determining the status of a system, a process, a product, a service, or an activity.
  • NOTE 1 to entry: For the determination of the status there can be a need to check, supervise or critically observe.
  • NOTE 2 to entry: Monitoring is generally a determination of the status of an object, carried out at different stages or at different times.
  • NOTE 3 to entry: This constitutes one the common terms and core definitions for ISO management system standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. The original definition and NOTE 1 to entry have been modified, and NOTE 2 to entry has been added.
    
• 
  

ISO 9000:2015, 3.11.4 量測 (measurement)

• process to determine a value.
• NOTE 1 to entry: According to ISO 3534-2, the value determined is generally the value of a quantity.
• NOTE 2 to entry: This constitutes one of the common terms and core definitions for ISO management system standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 11. The original definition has been modified by adding NOTE 1 to entry.
  

ISO 9000:2015, 3.11.5 量測過程 (measurement process)

• set of operations to determine the value of a quantity.
  

ISO 9000:2015, 3.11.6 量測設備 (measuring equipment)

• measuring instrument, software, measurement standard, reference material or auxiliary apparatus or combination thereof necessary to realize a measurement process.
  

驗證 (verification)

• ISO 9000:2015, 3.8.12 驗證 (verification)
  
  • confirmation, through the provision of objective evidence, that specified requirements have been fulfilled.
  • NOTE 1 to entry.  The objective evidence needed for a verification can be the result of an inspection or of other form of determination such as performing alternative calculations or reviewing documents.
  • NOTE 2 to entry.  The activities carried out for verification are sometimes called a qualification process.
  • NOTE 3 to entry.  The word "verified" is used to designate the corresponding status.
    
• ISO 9000:2005, 3.8.4 驗證 (verification)
  
  • confirmation, through the provision of objective evidence, that specified requirements have been fulfilled.
  • NOTE 1.  The term "verified" is used to designate the corresponding status.
  • NOTE 2.  Confirmation can comprise activities such as
    
    • performing alternative calculations,
    • comparing a new design specification with a similar proven design specification,
    • undertaking tests and demonstrations, and
    • reviewing documents prior to issue.
      
• ISO 9000:2000, 3.8.4 驗證 (verification)
  
  • 
    
• 
  

查證 (validation)

• ISO 9000:2015, 3.8.13 查證 (validation)
  
  • confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled.
  • NOTE 1 to entry.  The objective evidence needed for a validation is the result of a test or other form of determination such as performing alternative calculations or reviewing documents.
  • NOTE 2 to entry.  The word "validated" is used to designate the corresponding status.
  • NOTE 3 to entry.  The use conditions for validation can be real or simulated.
    
• ISO 9000:2005, 3.8.5 查證 (validation)
  
  • confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled
  • NOTE 1.  The term "validated" is used to designate the corresponding status.
  • NOTE 2.  The use conditions for validation can be real or simulated.
    
• ISO 9000:2000, 3.8.5 查證 (validation)
• 
  

審查 (review)

• ISO 9000:2015, 3.11.2 審查 (review)
  
  • determination of the suitability, adequacy or effectiveness of an object to achieve established objectives.
  • Example: Management review, design and development review, review of customer.
  • NOTE 1 to entry: Review can also include the determination of efficiency.
    
• ISO 9000:2005, 3.8.7 審查 (review)
  
  • activity undertaken to determine the suitability, adequacy, and effectiveness of the subject matter to achieve established objectives
  • NOTE.  Review can also include the determination of efficiency.
  • EXAMPLE.  Management review, design and development review, review of customer requirements, and nonconformity review.
    
• ISO 9000:2000, 3.8.7 審查 (review)
  
  • 
    
  
  

ISO 9000:2015, 3.11.9 進度評估 (progress evaluation)

• <project management> assessment of progress made on achievement of the project objectives.
• NOTE 1 to entry: This assessment should be carried out at appropriate points in the project life cycle across project processes, based on criteria for project processes and product or service.
• NOTE 2 to entry: The results of progress evaluations can lead to revision of the project management plan.
• [SOURCE: ISO 10006:2003, 3.4, modified - NOTE to entry have been modified]
  

ISO 9000:2005, 3.8 Terms relating to examination
ISO 9000:2005, 3.8.1 客觀證據 (objective evidence)

• data supporting the existence or verify of something
• NOTE.  Objective evidence may be obtained through observation, measurement, test, or other means.
  

ISO 9000:2005, 3.8.6 鑑定過程 (qualification process)

• process to demonstrate the ability to fulfill specified requirements
• NOTE 1.  The term "qualified" is used to designate the corresponding status.
• NOTE 2.  Qualification can concern persons, products, processes, or systems.
• EXAMPLE.  Auditor qualification process, material qualification process.
  

ISO 9000:2000, 3.8 檢查相關名詞 (Terms relating to examination)
ISO 9000:2000, 3.8.1 客觀證據 (objective evidence)
ISO 9000:2000, 3.8.6 鑑定過程 (qualification process)

hlperng

COSO 內部稽核著眼在企業營運公司治理的財務面向，嚴謹的狹義稱法為財務內部稽核，稱 ISO 內部稽核為非財務稽核。兩者應該如何整合是個議題，尤其是對於上市上櫃公司更是如此，兩者都是有相當的法源基礎。



公司治理與內部控制架構 (COSO Internal Control Framework) 的內部稽核：偏重企業營運在財務風險與企業社會責任

• COSO 企業風險管理整合架構 (Enterprise Risk Management - Integrated Framework) (2017)
  
  • 從風險評估到風險導向管理的內部稽查。
  • 企業營運風險：財務風險、財務報表報導風險、作業風險、遵循風險、策略風險、聲譽風險、法務風險。
  • 事件識別 (event identification)、風險評鑑 (risk assessment)、風險回應 (risk response)，風險地圖（風險評鑑圖表）(risk assessment chart)。
  • 企業風險管理三道防線模型 (three lines of defense model)：第 1 道防線，管理控制、內部控制措施；第 2 道防線，財務控制、保全性、風險管理、品質、檢驗、遵循性；第 3 道防線，內部稽核。
    
• COSO 內部控制整合架構 (Internal Control - Integrated Framework) (2013)
  
  • 內部控制以 COSO ERM 為主流。目標、風險、內部控制。
  • 內部稽核為內部控制的一環：監督功能，是企業風險管理的第三道防線。藉由獨立與客觀的稽查，確認內部控制制度的足夠性與有效性，提出改正行動並追蹤改正情形，以監督內部控制的確實運作。
  • 稽核重點：定期稽核、專案稽核、交叉稽核、不定期稽核。
  • 稽核方法：觀察、詢問、盤點、檢視、勾稽、比較分析、覆核、測試等。
    
• 國際專業實務架構 (international professional practices framework, IPPF)
  
  • Internal auditing is an indenpendent, objective assurance and consulting activity designed to add value and improve an organization's operations.  It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
  • 內部稽核為獨立、客觀的確認性服務與諮詢服務，用以增加價值及改善組織營運。內部稽核協助組織，透過有系統即有紀律的方法，評估與改善風險管理、控制、與治理過程的效果，已達成組織之目標。
  • 由內部稽核專責單會或任務編組，以客觀公正的立場，協助組織檢查內部控制實施狀況，並事實提供改善建議。
    
• Objects of the internal audit
  
  • determine whether the management and the board are effective in promoting an ethical culture
  • determine whether the compliance and/or ethics programs provide reasonable assurance of compliance with organizational policies, applicable laws and regulations, and whether the incentive system is properly fomulated
  • determine if the compliance and ethics program's management framework is documented, in place, and appropriately resourced to meet the organization's needs.
  • determine whether the organization has implemented the compliance and ethics program effectively, and whether the program's performance reporting system accurately presents the results of the program's effort.
  • access the costs/benefits of the governance, risk, and complance program.
  • ensure that the program is in keeping with current practices based on the size and complexity of the organization.
    
• 內部稽核員學會 (The Institute of Internal Auditors, IIA)
  
  • Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.  It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
    
• 內部稽核的 Quality Assurance and Improvement Program (QAIP) [vs. 品質管理系統的內部稽查]
  
  • a means to systematically improve internal audit practices and results.
  • enable an evaluation of the internal audit activity's conformance to the "Definition of Internal Auditing," "International Standards for the Professional Practice of Internal Auditing," and an evaluation of whether or not internal auditors apply the "Code of Ethics."
  • assess the efficiency and effectiveness of the internal audit activity.
  • identify opportunities for improvement to add value to the audit activity.
  • improve operational operations.
    
• 內部稽核是展示公司治理與內部控制成果的手法
  
  • internal audit separately evaluates control environment, considering employee behaviours and whistleblower hotline results and reports thereon.
  • 內部稽核報告為公司治理的外部非財務報告 (non-financial reports)
  • 內部稽核人員親赴現場，看、聽，根據觀察的結果提出報告。
    

財務盡職調查 (financial due diligence) 與財務稽核 (financial audit) 的比較

• 財務盡職調查強調過去的分析與未來的預測，多使用趨勢分析、結構分析等工具。
• 財務稽核立足在現在，一般採用函證查閱、實物盤點、數據複算等方法。
  

盡職調查(due diligence, DD)，簡稱盡調，亦有翻譯為謹慎調查。盡職調查常見於公司營運的財務管理，其目的是為了確認顧客是否值得被投資，是否有潛藏的風險，避免客戶投資的報酬無望，需要承擔更大的風險。常見的盡職調查項目包括：

• 合約：合約條款有沒有陷阱，後續承擔的權利義務為何。
• 資產負債：抵押、質押的資產和負債情況，債務是否含投資標的、債務執行的影響與風險。
• 訴訟現況：有無訴訟案，是否會影響公司形象，造成業務開展困難，有無智慧財產權爭議，是否會導致產品研發無效。
• 智慧財產權與專業技術：專利是否具有攻擊和防禦功能，商標是否擱置未使用，研發技術是否具有可專利性，涉及營業秘密的專業技術是否有保密措施。
  

財務盡職調查與財務稽核不同，盡職調查強調過去的分析與未來的預測，多使用趨勢分析、結構分析等工具。稽核則是立足在現在，一般採用函證查閱、實物盤點、數據複算等方法。

hlperng

失效模式為基設計審查  (Design Review Based on Failure Mode, DRBFM) 是日本九州大學 (Kyushu University) 工學院機械系吉村達彥 (Tatsuhiko Yoshimura) 教授在 1997 年所倡議的品質問題未然防止手法 (The Prevention, Mizenboushi, Method for Quality Problems, GD³)。吉村達彥曾在豐田汽車公司服務 32 年，擔任負責保證產品品質與可靠性的工程師之一，職業生涯致力於在產品發生問題之前就加以避免，而一些在問題發生時出面解決問題、號ˋ稱故障排除師 (troubleshooters) 的同事都成為公司的英雄，印證了 MIT 的研究發現：「從來沒有人因為解決從未發生過的問題而獲得讚譽。」 (Nobody Ever Gets Credit for Fixing Problems that Never Happened.)

許多人跟著吉村達彥教授學習 DRBFM 手法，學生之一美國比爾-豪格 (Bill Haughey) 撰寫了「失效模式為基設計審查與試驗結果為基設計審查過程指南」的電子書，並且主導發行了 SAE J2886 (2013) 與 AIAG CQI-24 (2014)。

設計審查三個核心目的：(1) 設計功能是什麼？(2) 設計能否實現？(3) 設計能否製造？
設計審查是為了控制產品的設計、品質，並且確保可以進行製造、運輸、安裝、使用、與維護等作業，對設計開發過程程序進行客觀評價並提出改善建議，確保能夠進入下一階段的活動。

2012 年豐田汽車公司檢討認為設計開發過程有太多的篩選程序，決議改變設計方式，減少設計審查參與人數。當太多人參與設計時，只是減少缺點的觀點進行設計，沒有導入創新的優點，因而針對已經驗證過的設計進行變更時，提出失效模式為基設計審查 (Design Review Based on Failure Mode, DRBFM) 的設計審查機制。

DRBFM 集中在三個概念：良好設計 (good design)、良好討論 (good discussion)、與良好拆解 (good dissection)，因此簡稱為 GD³。後來亦有稱GD³包括良好設計 (good design)、良好討論 (good discussion)、與良好設計審查 (good design review)。

「簡單就是可靠」，可靠性的根本就是不要變更設計。吉村邦彥認為，變更一定會造成設計的干擾，累積的結果影響零件之間的介面，以及系統之間的作用，所以需要設計變更時，那就必須將變更維持在最少的情形。設計變更不可以在多處同時進行，太多及太快的設計變更，會超出既有偵測能力所能掌握，因而快速導致失效的結果。

豐田汽車總設計師福市篤雄 (Tokuo Fukuichi) 認為，產品設計靠民主決定是不再存在的。「如果遵循持續改進原則，你可能會成為一名身材良好的模特兒，卻成不了一名演員，一個身材容貌都不算好卻令人難以忘卻的演員。」(By doing kaizen, you might be able to be a fashion model with a good figure, but not an actress - unforgettable even if she has a less attractive figure and an unusual face.)

新產品開發時，將已經在使用時證明 (proof-in-use) 的良好設計應用在未來產品，失效的風險相對是很低的。持續改進的對象是做事的人們和他們的態度，而不是所做的東西。

DRBFM 整合設計審查 (DR) 及失效模式與效應分析 (FMEA) 兩種可靠性手法，FMEA 結果是設計審查時的最佳輸入資料。

經過幾年來的推廣，GD³ 產生了不同的組合：

• GD³ = Good Design  + Good Discusion (DRBFM) + Good Dissection (DRBTR)
• GD³ = Good Design + Good Discussion + Good Design Review
  

其中：

• Good Design = Design for Reliability (DfR) + Robust Design (System Design, Parameter Design, Tolearance Design) + DFSS (Design for Six Sigma)
• Good Design Review = DRBFM + DRBTR
  

Delphi 公司 Lisa Allan 建議在產品發展過程推動設計審查時，在設計階段導入 DRBFM，雛型製造與試驗查證階段完成試驗之後執行 DRBTR，量產階段的生產物品執行 DRBD&P (design review based on design and process)，這些運用預防問題手法的時機如下圖所示：

研發過程導入預防問題手法的時機 (source: ReliaSoft website)

針對設計修改或設計變更 (design modification or design change)，所提出將 FMEA 與新產品導入 (NPD) 整合在一起的問題預防過程稱為「修改用失效模式與效應分析」 (Failure Modes and Effects Analysis of Modification, FMEAM) 。



參考資料：

• 品質問題的未然防止手法-GD3
• Hirokazu Shimizu, Yuichi Otsuka, and Hiroshi Noguchi (2010), Design Review Based on Failure Mode to Visualize Reliabilty Problems in the Development Stage of Mechanical Products
• R. Laurenti and H. Rozenfeld (2009), An Improved Method of Failure Mode Analysis for Design Change
• Nelson P. Repenning and John D. Sterman, Nobody Ever Gets Credit for Fixing Problems that Never Happened, 2001
• Lisa Allan, Change Pont Anaysis and DRBFM: A Wiring Combination.