The management of certification audits
Since 1992 I’ve been audited to a range of standards including ISO 9001, ISO 14001, AS 4801, OHSAS 18001 and ISO 17025 (sometimes for management systems I developed and sometimes for systems that were thrust upon me). I have conducted factory audits for product marking schemes, certification audits, internal audits and 2nd party audits and over the years I’ve learnt some techniques which I thought may assist you.
I believe there are two alternate approaches to audit management. Both have merit, but the one you choose is dependent on your situation. The ‘lock-down’ approach tends to be adopted where persons are uncomfortable with the audit situation or where the management systems is immature, while the open approach is synonymous with optimising. Read on to find out which approach you should take.
The ‘lock-down’ approach
This is a damage limitation approach and is best adopted with auditors you are not comfortable with, with a system you know little about or where you know the system being audited has some serious deficiencies. This approach is about getting through the audit with the minimum number of issues by providing the auditor with as little information as possible and making them work harder for each piece of information.
Although this method is useful in some circumstances it should never be adopted as the default ongoing audit management method. Doing so will only damage your company’s progress in the long term. If you have a problem it needs to be fixed. If the problem is your auditor, where possible discuss the issue with your certification body or accrediting body. Certification bodies are generally willing to accommodate a change of auditor. Accrediting bodies (ISO 17025) are generally less obliging, but that doesn’t mean they won’t accommodate your request.
Isolate the audit process
If you are adopting the lock-down approach provide your auditor with their own comfortable room or office for the duration of the audit. Try to keep your auditor in this room as much as possible without resorting to physical restraint. Where possible provide access to the management system here, but ensure the auditor only has access to the management system. Where hard copy documents need to be presented to the auditor take them to this room for the auditor to review. The auditor is unlikely to stay in the room or office for the duration of the audit, but any time spent here is time away from your operation. By minimizing contact time you minimise the risk of adverse findings being raised.
How to answer questions
When the auditor asks questions provide answers that are truthful, succinct and only answer the question posed.
Unless asked don’t ever be tempted to explain what’s in front of the auditor and definitely don’t try to justify anything. They’ll ask where they need clarification. Do not be tempted to fill silences with unnecessary chatter about your work. Often by doing so you release information which may lead to issues.
Never lie. When auditors ask questions there is little point in lying. Auditors are lied to on a daily basis and they will probably know. A whiff of a lie and a decent auditor will start digging through records to substantiate your statements and a lie will be quickly exposed by the evidence.
For general advice in how to respond to the auditors findings read more
Ensure you conduct your visitor induction with your auditor pointing out the usual emergency arrangements, high risk areas, PPE, toilets, tea and coffee arrangements, etc. This is especially relevant for Health and Safety audits where auditors can raise non-conformities before the audit commences due to a lack of basic induction.
Be friendly. Although when it comes to questions about the company, organisation or work you may be guarded do not appear unfriendly. The auditor may not be your friend, but it would make the experience more pleasant for everyone if they were. By all means talk about the weather, the state of the world and what you did at the weekend (without obviously diverting the auditor). You do not want to appear guarded even if that is exactly what you are.
If you intend to offer your auditor lunch, check dietary requirements first and do not go overboard. Too lavish a lunch could be construed as a bribe.
Although I have left this until last it is obviously important to have this in place prior to the commencement of the audit.
Ensure everyone knows that the audit is taking place and what the auditor’s plan is. If you haven’t received an audit plan request one. Encourage the auditor to stick to their plan so people are not taken by surprise. Provide those you can trust with the details of the approach you intend to take with the audit. Don’t be tempted to bring everyone into your confidence. There will be people you shouldn’t trust to keep your audit approach confidential. In general ensure that workers know where to find their management system, what the basic intent of the system is (the policy) and are reminded to answer all auditors questions honestly and succinctly. Ensure a tidy up is conducted prior to the audit. A clean desk policy and a closed door policy is recommended for the day of the audit. You would be amazed at how many findings are raised after auditors stumble across a loose document or conversation. Make sure you know where everything is. That way you minimise points of contact when providing the auditor with their requested information and you appear organised (even if you believe otherwise).
Locked down openness
Lastly, although this audit management method is called the lock-down approach it should be mixed as much as possible with the open approach (see below), particularly where you know your systems are robust, but could benefit from improvement. This masks the fact that you have adopted the locked down approach and conveys a better impression to your auditor.
The open approach
You should aim to adopt the open approach with all audits. The open approach provides the most beneficial outcome for the company and should present the best opportunities for improvement. The open approach should be adopted where companies are confident in their management system and their auditor. As such this approach may result in more audit findings to resolve, but the findings centre around refining the management system and reaping the rewards of improvements rather than just conformity with requirements. The following explains how the open approach differs from the locked down approach.
Directing the audit
Once confident in your system you should aim to direct the auditor to the parts of the business where you want to see improvement (your areas of opportunity and weakness). This can be started with the audit plan – carefully review it and if it focuses on your strengths (areas that you know to be robust and have recently audited with few serious findings) then request a change of focus and explain why you want it. The auditor will most likely still want to check general conformance, but they may be willing to look at areas you have identified as areas that could be improved. Take your auditor to the locations where the work is being undertaken. Give them time to look around and ask questions.
You can also use the audit to your advantage in assisting with initiatives that you may be struggling to get management support for. By directing the audit to these issues the auditor may have a similar view and raise a relevant finding. This can help garner management backing for action, particularly if they believe inaction could jeopardise certification / accreditation. Use this technique to gain management support sparingly, because your superiors may view this as underhand and self-serving if you over do it.
Response to auditor
Always answer the auditor truthfully, but ask as many questions as needed to ensure you have fully explored the auditor’s knowledge of the subject. Auditors see many different management systems and their experience can prove invaluable, but don’t expect them to give away secrets or competitor information as auditors are bound by a strict code of conduct. Keep the conversation general. Always carry a pen and paper with you. Not everything they tell you will be in the audit report. For general advice in how to respond to the auditors findings read more.
Most of the rules regarding hospitality are the same here as for the locked down approach. One exception is that during lunch spend time getting to know your auditor and rather than avoiding the subject of work, take the opportunity to discuss ideas and issues. Prior to lunch invite other key personnel along (including the key people being audited) and encourage them to come with questions. Again bring paper and a pen. You’ll be amazed at how much you can learn over a sandwich.
In a mature system notifying colleagues of an impending audit is more about courtesy than to ensure your defences are in place. Colleagues will be equally comfortable with the process and open to being audited and view it as an opportunity rather than a threat.
Responding to audit findings
Where an auditor raises a finding, ensure it is tied back to a requirement. This applies to everything that is raised as a non-conformance or has the potential to be elevated to a non-conformance on inaction (basically everything they say you need to act on). It’s particularly important that this is done at the time it’s raised, because by asking for the requirement the auditor is forced to stop and consider the finding carefully before raising it. Once an audit finding gets as far as an audit report the auditor will have to admit a mistake to change the report and that’s more difficult to achieve, but not impossible. Get the auditor to explain their finding in terms you and / or the recipient are comfortable with. Make your own detailed notes of the issues, keep them as a record of the audit and don’t rely on the auditor to provide sufficient detail in the audit report. Too many auditors produce reports with non-specific findings and are unable to recall the detail of their reasoning after the event.