AUDITOR'S SKILL

Have you got what is takes to be a good auditor? The skills that are needed to be a good auditor are much more than learning the lead assessor of management systems, audit execution completing checklists. Economist, E.F. Schumacher is quoted as stating, “You can either read something

many times in order to be assured that you got it all, or else you can define your purpose and use techniques which will assure that you have met it and gotten what you need.”

Mr. Schumacher’s statement has auditor significance if you think about it for a minute. Putting an audit spin on the statement would go something like this:

You can either review the checklist many times in order to be assured that you carried out the audit procedure, or else you can define your audit purpose and use your audit skill to assure that you have met the audit requirements and gotten what you need.

Auditing is a complex process which involves many different skills and responsibilities. Also, in the current environment, the auditor continues to face ever-increasing demands because of regulation and client expectations. At one end of the spectrum, the auditor has the pressure to sufficiently document the work performed and on the other end, the auditor faces the pressure to get the work done on time and on budget.

These pressures can cause auditors to fall into the “complete the checklist” trap, giving them the illusion that to get the job done on time and the audit opinion will be correct. However, if the only technique an auditor learns how to do is to complete checklists, he/she fails to become good auditor.(The Characteristics of a Successful Auditor)

Good auditors come with experience. Lead Assessor certificates would not be sufficient. To apply to be an auditor for a certification body, besides your certificates, requires audit log to show you have experience auditing organization of the same sectors e.g. chemical and materials, construction, services etc. Otherwise you have to undergo audit on the job training for a certain number of days including observation, training and assessment. With this exposure you will start learning auditing skill. However it is not as easy as it was thought. Unlike machines, people have different character. Everyone is different from others and same person may behave differently every time we meet them at different situations.

Auditee may be honest answering audit question if they did the job well, otherwise they would do their best to show only the best.

Who are good auditors?

1. When auditing a management system you must comply with certain standards. Auditors have their own auditing standard/guideline that they must comply with. Good auditors should work within their standard, guideline and scope of audit. You must know this standard very well to avoid misunderstanding with auditee. Standard and guideline should always be your guidance if there are conflicts.
2. Some people are born to be a good communicator. These people, everywhere you go, you are welcome. When you talk auditee will listen, whatever need would easily presented. Communication skill is vital for an auditor. If you walk to an auditee with scary manner, you are building a barrier between you and auditee. The scary you are, the stronger the barrier is. This would make your investigation difficult.
3. Auditors’ objectives are to investigate to ensure the organizations are complying with the system and recommend for certification at the end of audit. You should conduct an audit by looking for positive findings. If nonconformance is detected, you must immediately confirm with auditee of the nonconformance.
4. You may detect some of the practices not conform to requirement and you feel that it is a makeup record or ‘undercover’ practice for the sake of audit. An auditor should not assume the findings without positive evidence. By looking at a pattern of the writings or signatures is not a positive evidence to confirm as evidence for not doing. Auditors would ask other questions related to his/her observation to further investigate the observation. It is like playing chess, once checkmate, then, you can confirm your findings.

Good auditors work within the scope, always refer to the standard requirement and look for positive findings. When there are no findings, do not mean you are not a good auditor.

You may list down more characteristic of good auditors. Comments are welcome.

Good auditors should be able to handle auditee tricks without giving offence to auditee. This will be discussed in the next issue.

AUDITEES' TRICKS

A well-established organization do not worry of any findings and non-conformities detected during an audit. This is because the employees have done their job well to maintain the system. The top management always regards eyes of the third parties as an opportunity for improvement. This type of organization will see findings as adding value and a gift for the organization. They are people who appreciate the auditors work and would always look forward for the next audit.

When an organization sees the management system as a business tool they would continuously maintain the system. They would establish their own management system which in in line with the management systems. They are always above the international management system such as ISO9001, OHSAS18001 and/or ISO14001. Auditors are welcome; certification body, customers, government etc. These are the people who would review the effectiveness of their systems with feedback for improvement. Consider this as a free consultation.

However, not all organizations are well prepared for audits and many are not. There are organizations which manage the management system for the sake of certificates. The top management usually not very responsible and committed, they are only interested to get the certificate because the customer wants it. You will see on the day of audit they are mostly missing in action; vacation or meetings. The highest person attended the audit usually a management representative. Some of these people sometimes do everything; he is an auditor, document controller, auditee etc. When they get the certificate, they let the system run by itself without proper maintenance. A few days before the next audit, they will call all their people to start updating the system. They usually spent certain period of time purposely to prepare for an audit.

Let me ask you, do you think all the records available? Do you think they can update all the records correctly? Do you think they could take corrective actions effectively? It is least likely they will get it all done correctly. 

How do you think they will get it done and ready for an audit? This time they will do anything to hide, divert attention of auditors and to waste the auditing time just to ensure non-conformities are not detected. Here are some of the examples:

1. During an opening meeting, the management will give a lengthy presentation. Sometimes it associated with breakfast which may kill about 1 hour of the time.

2. During site visit, although there is already a scheduled time, the tour guide will take a longer distance walking around. This would kill another hour or two of the auditing time. If there are locations which are not ready and they don’t want the auditors to see, they would avoid passing through the area.

3. The auditee will book a room for audit investigation. Audit will be conducted in the room. Whenever the auditor needs to see documents or records, auditee will run out of the room ‘to look’ for them. It takes a long time to get them. Sometimes they purpose slow down the search just to kill the time.

4. When there are routine tasks were not done and forms were not completed, they will fill up and signed all form for the year in one day.

5. If records were found not up-to-date or signed, they would immediately update or sign. This very common.

6. Some management records may not available or up-to-date.  When these records are requested, they would tell the auditor that they are kept in the manager’s office and the manager is away and nobody has the key.

7. Lunch time, the auditee would take auditors out for it. Sometimes they purposely book a place which is far from the premises and take long time to order. This will delay the investigation further.

There are many more auditee tricks. Some of these tricks are already known by the experience auditors. Whatever tricks auditee apply it does not harm auditors. Although the organization get the certificate; new or renew, the defect in the management system is still exist. No corrective action taken and more damage to the system as the time goes by. No one pay attention for the defect of the system. In the end, the certification body get the money from the organization for the damage which done by their own employee.

Next … I will write how auditors should handle those tricks.

WHEN YOU ARE WEARING AUDITOR'S HAT

When you are wearing the hat of an auditor, no matter how friendly you are, perception of the people upon you that you are coming to find something that they don't do well. This applies to all type of audits; internal audit, supplier audit or certification audit. No matter what and how best we behave the perception will exist. That is why when we come for an audit especially the certification and supplier audit, majority of the clients will greet auditors well. The top management will come down to greet and shake hands. Good breakfast were be served and most of them including the top management will join for breakfast.
This kind of reception usually not happened when come with different hat such as a trainer or consultant although from the same organization.
During lunch auditors will be served with good food at a high class restaurant. At many occassions dinner will be provided at least once at a good restaurant.
I was a lead auditee before and I did the same. Why I have to greet the auditors well? There are reasons why this kind of reception exist when auditors came to audit.

1. Auditee is doing their best to take care of auditor during audit investigation. Although they are already well prepared, they worried there are many hidden non-conformities around. What the auditee expected if the non-conformities found it can be negotiated.
2. If the auditee already know that there are many conformities around but the corrective action were not taken, they will do their best to hide from be found by auditors. Since the relationship established during breakfast, what we hope that the auditors will listen to our recommendations where and what to check and of course we will present our best records and conditions for auditors to investigate.
3. Auditee want to please auditors so that no non-conformity request will be issued at the end of audit. Before the issuance of formal non-conformities, they should be consulted and they hope with a frienship they have built auditors would down grade the findings to a lesser burden.
4. Auditee are hoping the auditor will not investigate too detail during investigation; if found a non-conformity, the auditor will just 'close an eye' before proceed to the question.
5. Last and not least, serving good breakfast, lunch and dinner could be once a while opportunity for some employee where the company pay everything. There could only be one or two auditors only but the company representative could be twenty coming to join the events to a place they could have never been with own expenses.

Auditors are people like auditee, being paid to perform the task. Audtors have work ethic and guidelines to perform the job. When audit schedule is distributed we were given list of items to be completed during audit. If the investigation delay, more time need to investigate and it may drag the time to late evening.

Next I will tell you the auditee tricks ....

AUDITORS

Person who is conducting Audit or person appointed by the company to execute the audit is called Auditor. When we introduce ourselves as auditor, people may get first impression as financial auditor. I am not going to talk about financial auditor but the auditors I am going to talk is management system auditor; quality management system, safety management system, environmental management system, etc. Although auditors do their work almost similar in many ways, however, the approach is different, the method of investigation is different, audit reporting is different.

There are three types of auditor, although auditing techniques are almost similar but there are some differences the way audits are executed.

Internal auditor is an auditor who is appointed by the management of the company in order to carry out the internal audit function. Generally employee of the company acts as an internal auditor where as some companies appoint an external expert as an internal auditor. Though internal auditor is appointed by the management or an employee of he company; independence is the prime requisites for the execution of internal audit. Compromise in independence may distort the objective of internal audit.
Internal auditor is responsible towards the management of the company and auditor submits the report to the management.

Second party auditor is generally supplier auditor. Second-party auditing improves the strength of your supply chain. A second-party audit occurs when an organization audits their suppliers, or their own facilities, to their own proprietary requirements. By finding and correcting problems before they affect the customer or end user, the audit process helps the organization to avoid the risk of product recall, service failure, or compliance issues.

Third party auditor is appointed by a certification body after meeting some requirements. Different certification body may require different qualifications depends of the accreditation body they are certified with. Third party auditor responsible towards the certification body they are engaged; direct hire or freelancer.
Generally to act as an auditor of the company, person should have been trained, certified and certificate of practice from a recognised certification and accreditation body.

AUDITING THE MANAGEMENT SYSTEM

• Auditing is defined as a systematic and independent examination of data, statements, records, operations and performances of an enterprise for a stated purpose. In any auditing the auditor perceives and recognises the propositions before him/her for examination, collects evidence, evaluates the same and on this basis formulates his/her judgment which is communicated through his/her audit report.
• It is therefore, the auditors when auditing will perform based on a certain system. In the case of management systems it will based on certain management system e.g. ISO900 for quality system, OHSAS18001 for occupational health and safety system, ISO14001 for environmental system etc. They will not simply audit the organisation without referring the system where audit scope covers. Those systems are the standards agreed and accepted by a committee represented by many organisations all over the world.
• The scope and objectives for every audit are determined through discussion with the department's management and a department specific risk assessment. While each audit is unique, there are some general or common objectives applied to most audits. Audit will not or should not take place outside of the scope. The agreed scope should be determined by the management of the organisations to be audited.
• There are 3 types of audit namely first party audit (Internal audit), second party audit (normally supplier audit) and third party audit (normally audit by certification body).
• Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal auditing is a catalyst for improving an organization's governance, risk management and management controls by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organisations to perform the internal auditing activity.
• Second party audit is conducted by a customer for their suppliers to determine the suppliers meet their requirement; quality, safety, environmental etc.
• Third party audit sometimes refer to certification audit is conducted by a certification body which is accredited by an international accreditation body. The purpose of audit is to certified a certain organisation with a certicate of compliance such as ISO9001 or ISO14001 or OHSAS18001 etc.

AUDITOR AND AUDITEE - Introduction

Introduction

It has been quite some time I took a break from writing. I have been busy auditing and training on behalf of some certification bodies for the past one year. Now I am back working in an office as audit specialist and I may have some time to write on this page again.

I have been an auditee for many years and later became an auditor. Beginning with internal auditor, supplier auditor and later third party auditor for certification bodies and opportunities to conduct audit internationally.

As you can see, I have changed the heading to Auditor and Auditee but maintain the system for EHSQ Management system. The purpose I changed because this time I want to share the experience while conducting audit and being audited.

There are always threatening moment when you walk into an office to conduct audit. However it is more threatening for auditee to see auditors walking into the office on the day of audit. Both parties were threaten when audit is about to start and both parties will try to win and gain respect of each other.

These are the moment I want to share with the readers, and how to handle the situation.
In the next series, I will share and give tips how to conduct audit and how to handle auditors effectively.

Unlike previous writing which I focus on delivery of knowledge, this time I will share some experience being an auditor and being audited. I hope with this sharing of knowledge whoever you are can be benefited by the experience. I will also share some tips how to conduct effective audit and how the handle auditors.

Management System Internal Audits

Checking that the system works is a vital part of the management systems. An organization must perform internal audits to check how its quality, environmental, health and/or safety management system is working. An organization may decide to invite an independent certification body to verify that it is in conformity to the standard, but there is no requirement for this. Alternatively, it might invite its clients to audit the quality system for themselves. Read more about certification to management system standards.

The purpose of conducting internal audit is to find out the answers to following questions:

• Is management system of the organization conformed to the planning of management systems carried out in the organization?
• Is the management system of the organization conformed to the requirements of Management System Standards?
• Is the management system of the organization conformed to the management system requirements established by the organization?
• Is the management system of the organization effectively implemented and maintained?

An internal audit is a tool to monitor and determine the health of the management system of the organization. For an organization, a properly conducted audit is beneficial and we need to conduct value added internal audit that is useful to the organization, auditee department, management representative and top management.

Clause 8.2.2 of ISO 9001:2008 QMS Standard and 4.5.5 of ISO 14001 EMS Standard, RC 14001 Responsible Care Standard and OHSAS 18001 OHS Standard deals with internal audit requirements. As per requirements of the standards, an organization needs to conduct internal audit at planned intervals. An audit process should include the following aspects:

• Planning of internal audit – such as planning of audit schedule, assignment of auditors, auditee area, and scope of audit, status and importance of processes, results of previous audits.
• Examining and reviewing the management system documentation of the organization,
• Examining and reviewing other relevant information of the organization, such as production, environmental, health and safety reports, failure, accident and incident trends, customer and community feedback,  etc.
• Examining and reviewing the management system procedures, SOP's and processes by visiting the audit area spot, interviewing relevant personnel and looking to relevant processes.
• Reporting the internal audit results (including corrective action requests from auditors).
• Verifying corrective actions taken.

What should be done after getting results of internal audit?

The organization gets information about the areas which need correction and/or improvement from the results of internal audit. The information from internal audit results becomes input for the management review.

Who should perform internal audits?

Internal auditors should perform internal audits. Management System Standard; ISO 9001:2008 QMS Standard and 14001 EMS Standard, RC 14001 Responsible Care Standard and OHSAS 18001 OHS Standard has two relevant important requirements:

• Selection of auditors must ensure objectivity and impartiality of the audit process
• An auditor must not audit his/her own work.

Clause 6.2.1 of ISO 9001:2008 QMS Standard 4.4.2 of ISO 14001 EMS Standard, RC 14001 Responsible Care Standard and OHSAS 18001 OHS Standard  mentions the requirement of competent personnel performing work affecting conformity to product requirements on the basis of appropriate education, training, skills and experience. Accordingly, the personnel conducting internal audit must be competent to audit for which the organization should refer to the relevant guidelines as mentioned in ISO 19011 Standard and take appropriate steps to provide appropriate training to personnel selected as auditors for internal audit.