How to conduct an internal audit (or rather how not to!)

By Linda Jackson on 03 August 2020

Internal auditing is a requirement of ISO 22000 and ISO 9001, and more. So it is something we do have to do. Besides just ticking a box when conducting an internal audit, this process can add a huge amount of value if done correctly.


After having to do a remote internal audit this week, and being associated with another, it is essential that we go back to the basics – especially for seasoned auditors who may be stuck in their ways.


Some important questions I should ask myself to ensure a valid audit.


1  Am I objective?

According to ISO 19011:2018, Guidelines for auditing management systems, an audit is a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. Independence is key for this process to be valid. I must stay objective as the auditor and not allow myself to be affected by relationships or politics. If, as a consultant, I have worked previously with a company, I must work very hard to maintain this. If I am called in to assist a company, I need to understand the purpose of the audit and the possibility of a hidden agenda. Look at the big picture.

2  Am I prejudiced by my preferences?

When evaluating a management system, I have to ensure my personal preferences for documentation format and styles of processes do not cloud my judgement of a new system that I have not been involved with. I am not auditing my preference – I am auditing evidence. The new versions of the management system standards give a company even more scope for their OWN interpretation of the requirements. With “Documented Information” now used to describe the system requirements and no longer a documented procedure, we need to let go of many pre-conceived ideas and bad habits. Also remember the reminder in the standards: The extent of documented information for a quality management system can differ from one organization to another due to:
- the size of organization and its type of activities, processes, products and services
- the complexity of processes and their interactions
- the competence of persons.

Is what they have working based on OBJECTIVE EVIDENCE? I guess if you don’t like it, deal with it, but don’t raise a finding.

3  Am I talking to the right person?

It may seem obvious, but we can find ourselves “led” during the audit by someone who knows something about a process but is not directly involved. According to all definitions, this would be hearsay. We cannot come to conclusions based on hearsay. In the same way, we should proceed with great caution when someone says “But the consultant said...” or “The last auditor said...”. Bottom line is we only see part of the picture as we are only there for a limited time. So, in the absence of facts, we also cannot come to a conclusion. In any trial you would be innocent until found guilty, wouldn’t you? If the right person is not available during the audit, perhaps ask why and ensure this information is noted as it can invalidate the audit completely.

4  Do I have all the evidence?

An audit is a limited process as it is based on a sample. A sample is only a snapshot in time. When we audit, the golden rule is to take as many samples as you can in the time available. Samples provide the evidence we use to make the evaluation. Evidence should corroborate itself. That is why verbal evidence should be supported by documented information and vice versa in all cases. The existence of a documented procedure does not imply conformance and vice versa.

5  Does the auditee understand the why of the standard?

In many audits, the auditor is the expert. I do know the requirements of the standard better than the auditee in most cases. In an internal audit, I can provide consultation to improve the system with direct suggestions about corrective actions. But am I giving the correct advice? If I do not know the process, the resources available or the culture of the company I am auditing, I could give the wrong advice. As auditors, we always want to ensure the company understands WHAT they have to do to comply and WHY this requirement is important. Then they should figure out HOW. It is a good idea to hear their ideas – but going back to sign documents that previously were signed is not the right corrective action – it is in fact fraud. We do not want to tacitly condone the incorrect actions, but we also don’t want them to take actions we suggest without the proper consideration.


As an auditor, you do have power by virtue of your role. Don’t abuse it.