I’m often asked, how does one become an auditor? My first response is “Why do you want to be an auditor?” Motivation for wanting to be an auditor is critical to be an effective auditor. I have concerns when someone expresses to me that “I am tired that this is not being done or everyone is getting away with this or that.” This type of motivation results in conflict and auditing for the wrong reason. Motivation needs to be to drive improvement and identify areas where there is risk. Auditing is general is comparing what should be to what is while acquiring proof that is documented for traceability. The definition of auditing found in the International Standard ISO 19011 Guidelines for auditing management systems clearly states:
An audit is a “systematic, independent and documented process for obtaining audit evidence [records, statements of fact or other information which are relevant and verifiable] and evaluating it objectively to determine the extent to which the audit criteria [a set of policies, procedures, or requirements] are fulfilled.”
It is important to understand that auditors, even internal auditors, are not consultants. When conducting the audit, the focus is on obtaining the evidence and making the comparison to assess conformity or if there is a gap. I also recommend that auditors understand the basic auditing principles documented in ISO 19011: 2018.
Auditing Principles
- Integrity – This is the foundation of professionalism, and one must ensure auditor competence, demonstrate ethical behavior, being impartial while conducting the audit and sensitivity of influences on them as an auditor
- Fair Presentation – Audit findings, audit conclusions and audit reports need to reflect accurate and truthful audit activities. If there were issues, then the report needs to document them based on the evidence. If strengths or best practices were identified, they also need to be included in the audit report and documentation.
- Due Professional Care – Auditors exercise care in accordance with the importance of the task they perform, and the confidence placed in them by audit clients and other interested parties. An important factor in carrying out their work with due professional care is having the ability to make reasoned judgements in all audit situations.
- Confidentiality - Auditors should exercise discretion in the use and protection of information acquired in the course of their duties. Audit information should not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interests of the auditee. This concept includes the proper handling of sensitive or confidential information.
- Independence - Auditors need to be independent of the activity being audited wherever practicable and should in all cases act in a manner that is free from bias and conflict of interest. For internal audits, auditors should be independent from the operating managers of the function being audited.
- Evidence Based Approach - Audit evidence is verifiable. In general, it will be based on samples of the information available, since an audit is conducted during a finite period of time and with finite resources. An appropriate use of sampling should be applied, since this is closely related to the confidence that can be placed in the audit conclusions.
- Risk-Based Approach – The risk approach should influence the planning, conducting and report of audits in order to ensure that audits are focused on matters that are significant and meets the audit objectives.
The 2018 revision included the Risk-Based Approach. Risks and Opportunities is required in the management standards under clause 6.1. But there is also operational risk that an auditor needs to assess which is a function of planning, implementation, and control of a process. The following are red flags for risk that when identified need to be evaluated for its impact on the effectiveness of the process/management system.
- Inconsistency in adhering to processes.
- Inconsistency in document control.
- Inconsistency in maintaining logs or data entry on operator report, checklists and/or computer forms.
- Personnel knowledge of their respective role and job responsibilities.
- Key personnel turnover.
- Ineffective supplier management - using too many suppliers or subcontractors
- Inconsistent or frequent spikes for rejections or mistakes
- Internal audit results not being addressed or not being representative of the processes audited
- Inspection or test results. Are they on the high or low end of the requirements, or mixed range?
An auditor when performing these evaluations during the audit process must follow the audit trail. An audit trail is the steps taken during an audit to determine conformance or nonconformance of the audit evidence as required by the criteria. The audit trail is followed until a conclusion is reached with sufficient evidence of conformity or nonconformity.
An auditor has many responsibilities during an audit and to the audit programs. These include:
- Understanding the requirements in the standard
- Conducting “process oriented” audits
- Planning audits and organizing the team’s assignments
- Auditing according to the schedule and established scope
- Effectively identifying “low hanging fruit” and then focus on matters of significance
- Being able to identify information supporting the audit scope
- Collecting information by sampling appropriate documents and records
- Utilizing effective interviewing skills and the conversational audit style
- Observing actions that support the established process criteria (Documented)
- Evaluating consistency of actions between associates and shifts (non-Documented)
- Listening to auditee responses and correlate their comments to the actual process
- Taking time to compare the evidence collected to the criteria
- Ensuring evidence is clearly document in their audit notes
- Auditors must ensure that the evidence supports the findings and audit conclusion
- Auditors never audit with a vengeance (No conflicts of interest)
- Reporting the results of the audit without providing the corrective action
- Never celebrate an audit finding
Auditing processes for effectiveness is an objective for a quality system audit. This type of audit verifies that processes are working within established limits defined by the customer or organization. It requires the auditor to examine the resources (equipment, materials, people) applied to transform the inputs into outputs, the environment, the methods (procedures, instructions) followed, and the measures collected to determine process performance. The audit also includes an assessment of the adequacy and effectiveness of the process controls established by procedures, work instructions, flowcharts, training, and process specifications.
An auditor may be in a situation where they identify a gap but do not have enough evidence to say it is a nonconformity. This situation provides the ability to document an opportunity for improvement. Opportunities for improvement includes situations such as:
- Process efficiency
- Process nonconformance
- Consistency among processes
- Resource needs
- Excessive process variation or periods of out of control
In closing to be an effective auditor, one must develop, maintain, and improve their competence through continual professional development and regular participation in audits.