Confirmation of the effective maintenance of your Management System (MS) is the least you should expect
External auditors, whether from certification bodies, accreditation bodies, regulatory bodies or customers, all place great emphasis on your internal audit reports and the associated process.
Their interest goes beyond confirming the fulfillment of a requirement - they want to see your level of commitment, the kinds of problems you've been having, and the effectiveness with which you've dealt with them. At a fundamental level, they want to assure themselves that you are not just 'going through the motions'.
In presenting a satisfactory picture you are very dependent on your Internal Auditors, and the effectiveness with which they complete their task. Other than slavishly following your Internal Auditing Procedure, what should you expect from your auditors? And what further training and development would help them perform to the maximum of their capability?
In this article we suggest five important behaviours you should expect of your trained internal auditors.
Behaviour #1: Proper preparation - considering the Standard, the MS policy, the MS objectives, as well as applicable Procedures
A review of the procedure to be audited alone is not enough. Auditors need to understand the context and the requirements in the applicable Standard, applicable statutory or regulatory requirements (and Guides to these where applicable).
Training will help but, for a given audit, you must also ensure that your auditors know what documentation they need to familiarize themselves with, and provide them with sufficient time to study it.
Suggestion: include a list of applicable documentation for each audit in your internal audit schedule.
Result: The right questions in the correct context will be asked. Inadequate answers will be more easily identified.
Behaviour #2: Use a variety of sources of evidence
Many internal audits are entirely focused on confirming that controlled documentation has been issued and is available at point of use and that specified records are being kept. This is a lazy and ineffective way of determining whether requirements are being met.
In doing so, they should look for where commitments are made. In particular, note commitments that link with higher-level standard requirements.
For example, commitments to follow or issue a schedule, complete a record, file a form, assign certain personnel, create and maintain an environment, use specified equipment, report within a certain time frame, or check off certain tasks, and so on.
During the on-site audit activities a variety of evidence sources can be used. Four evidence types in particular are:
- Documents and records (review procedure and examine records).
- Physical examination (you count it, it is tangible).
- Observing activities (you watch what is going on).
- Interviewing (you talk to people connected with the process).
Suggestion: Ensure your auditing procedure requires auditors, as part of their preparation, to list commitments in procedures, standards, regulations, customer contracts, etc. And then during the audit use and record evidence of all four evidence types.
Result: A robust body of objective and corroborated evidence will be recorded. The dependability of the audit reports will be greatly increased. It is less likely that major non-conformances will remain for external auditors to find!
Behaviour #3: Audit the non-specific requirements appropriately
Some standard clauses and internal organization procedures may have open-ended requirements that are not very specific and can leave the auditor with a lot of questions.
You may notice various open-ended requirements during the document evaluation and during the performance of the audit. There are four types of open-ended requirements you may encounter during your audit.
- Open-ended phrases/words: Use of open-ended words subject to wide interpretation (for example, periodic, timely, readily, promptly, without undue delay, and based on importance).
- Generalized statements: Phrasing a requirement at a generalized or abstract level (for example, to manage or control a function or process).
- Unclear or undefined words: Use of words that are not defined or are subject to multiple definitions, which can leave the auditor with no basis for issuing a non-conformance.
- Goal but no tangibles specified: A requirement lacking specified verifiable actions or outputs (that is, there is no requirement to define, document, record, schedule, review, and so on). When there are no prescriptive requirements to audit against, audit findings could be perceived as subjective.
Suggestion: Ensure that your internal auditing procedures define these words and phrases, where used. Better still, avoid using them in your policy and procedure documentation.
Result: A common, appropriate understanding and application of the words and phrases internally. Avoidance of non-compliances from external auditors for having failed to define them.
Behaviour #4: Audit Reports based on reliable working papers that include Audit Trails
Ensure that Working Papers are part of the auditing system. While not a requirement of any of the ISO MSS, working papers are a great place to provide guidance during the audit and to record data (including details of samples checked). A wide variety of forms and documents are used including:
- Audit procedures
- Sampling plans
- Auditee evaluation forms
- Attendance record form
- Audit questions
- Log sheets
Suggestion: Prepare generic Working Documents and require, as part of the auditing procedure, your auditors to record their sampling plans, audit questions, checklists, etc. prior to the on-site audit activity.
Result: On-site activities will be concluded more effectively and quickly. Sound objective evidence to back up audit findings and conclusions as recorded in the Audit Reports.
Behaviour #5: Well-written Non-conformance Statements
Long rambling statements of non-conformances are about as useless as cryptic ones. In both cases, the person who needs to take corrective action may be unsure of what needs to be corrected and/or unable to identify, or seek out, the root cause.
What's needed is a statement of the necessary information and only the necessary information. More easily said than done, of course. And this is where the ENR4c Formula helps greatly.
The ENR4c formula: What is the evidence (E) that you looked at? What was the nature (N) of the nonconformity? What was the requirement (R)? And, is the statement clear, concise, complete, and correct (4C)? The nonconformity statements will be the most read parts of the audit report.
Suggestion: Train your Auditors in the ENR4c Formula. Remember it will take them time to get good at using it.
Result: With clear nonconformity statements the auditee fixes the right problem and fellow auditors can more easily verify corrective actions.
And Finally ...
You won't be surprised to learn that all of these behaviours are integral to our Auditor Courses.
Note: This article was first published in Jan. 2017 and has now been revised and updated.