Last edited 05 Jul 2019

Main author: ConSIG CWG

Auditing management systems



Introduction

Auditing is a prime way of locating risk in management systems and acting to reduce that risk to as low as reasonably practicable. It is key to continuous improvement as it sits under performance evaluation. Auditing as a tool can be used to “check” that planned objectives are being met.

This article provides an overview of the key principles, benefits and components of auditing.

The simplicity of auditing as a tool means that it can be used across a range of industries, disciplines and organisation types. The application of audit effectively helps to facilitate improvement and assess compliance. It is an exercise in gathering information from which decisions for change can be made.

What is auditing?

Many views exist regarding the meaning and purpose of auditing. These views are often based on the experiences of individuals. Below are some popular definitions that have been drawn from the international standard for auditing, ISO 19011:2018, and from the Institution of Occupational Health and Safety (IOSH):

  • Auditing aims to find objective evidence (or evidence that’s as objective as possible) for whether the current way of managing safety and health meets the organisation’s safety and health policy and aims (IOSH).
  • An audit is an evidence gathering process. Audit evidence is used to evaluate how well audit criteria are being met. Audits must be objective, impartial, and independent, and the audit process must be both systematic and documented (ISO 19011).
  • Audit - systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled (ISO 19011).

Why audit?

Audits can be used for many different purposes and benefits, which include, but are not limited to:

  • Examine existing management systems, usually against known standards, to gather information from which decisions can be made
  • Process or procedural improvement
  • Certification purposes
  • Ascertain fulfilment of compliance obligations (legal, industry and other requirements)
  • Assess the capabilities of supply chain
  • Follow up audits of the above.

The purpose of audit is not to lay blame for problems or errors, to witch hunt or to settle arguments. Auditees are frequently concerned or emotional just prior to an audit. It is the responsibility of the auditor to help to allay those feelings. Sometimes, the expectations of senior management teams can reinforce the search for someone on whom to lay blame. Management at all levels have a duty to support auditees during an audit.

Risk based auditing

The concept of risk-based audits is aligned with the ISO 9001:2015 requirement for risk-based thinking. In alignment with determining an organisation’s context, its strategic direction and the associated risks, a risk-based audit approach can be used to determine if a management system can deliver the planned objectives and results. Ideally, an organisation should use the outputs from tools, such as risk registers and PESTLE and SWOT analyses to influence and prioritise audit activities.

Categories of audit

Internal audits

Internal audits, also known as first party audits, are performed by organisations on themselves and typically look at determining:

  • Opportunities to introduce improvement in all processes
  • Compliance to corporate policies and processes
  • Employee awareness of management systems.

They can be used to assess if management systems are performing effectively and whether processes are meeting the organisation’s compliance obligations.

Internal auditors must be independent of the activities being audited. This means that they should not be part of, responsible for or have influence over the function, process or discipline they are auditing.

External audits

External audits fall into two categories: second party and third party.

Second party audits

These are audits against standards imposed by businesses onto their suppliers. These audits are extremely important for all clients who need to confirm that the supplier can provide product and/or services that have been contracted/ordered.

Auditors should recognise that there will be a relationship that will or may in the future exist between their organisation and the one being audited. This may be a pre-contract audit being undertaken of several suppliers in competition prior to contract placement, an audit at the start of a contract to confirm that the right arrangements have been implemented or an on-going confirmation of implemented arrangements.

Auditors need to take care to understand the relationship and to act accordingly. For example, an organisation that is offering itself in competitive tender may push forward a well-polished view of its arrangements.

These audits typically look at confirming:

Supplier audits can also be performed by independent auditing organisations on behalf of a client, for example, Achilles or SSIP (Safety Schemes in Procurement).

Third party audits

Third party audits, commonly known as certification body audits, may be performed by independent authorities or certification bodies, which are regulated by accreditation bodies such as UKAS (United Kingdom Accreditation Service).

Certification body audits demonstrate to interested parties that a management system complies with the requirements of a recognised standard and compliance obligations.

Care should be taken in employing certification bodies that do not have independent accreditation, especially those that offer a cheap path to certification, either with or without an off-the-shelf manual and procedures, as these may not accurately match the direction the auditee wishes to follow. Organisations should consider whether or not they are getting value for money.

Accreditation of certification bodies

The use of an accredited certification body is recognised as best practice as all accredited certification bodies are assessed against the same standards to ensure that certification bodies are impartial, auditors are competent and that they provide a consistent service.

UKAS is the only accreditation body for the UK. It monitors the arrangements, processes and delivery of certification bodies, so they are also subject to surveillance.

UKAS is appointed by Accreditation Regulations 2009 (SI No 3155/2009) and the EU Regulation (EC) 765/2008 and operates with the Government through the Secretary of State for Business, Innovation and Skills.

Outside the UK other accreditation bodies exist that may have other accredited registration bodies. Care should be taken to confirm that any accreditation body is a member of the International Accreditation Forum or equivalent.

Types of audit

Vertical versus horizontal audits

The terms “vertical” and “horizontal” relate to the way the organisation operates. You can go “vertically” through departments following a thread or “horizontally” looking at all works passing through that department. For example, an auditor from a project auditing a sub-contractor is interested only in the works being conducted under the sub-contract, whereas an audit of a department may be conducted by a third-party auditor or internally to determine how the department operates overall.

Vertical audits

These audits are undertaken by following a process by discipline or function. For example, a vertical design audit would look at the following for a design department:

Horizontal audits

These audits can be used to assess the effectiveness of a process across functions/departments or lifecycle. They follow an audit trail that follows the process for goods and materials, for example:

The typical phases of an audit

Introduction

All audits follow a standard process, although the depth may be reduced under certain circumstances. This section gives a high-level overview of the key phases of an audit and should not be considered as auditor training.

Strategic audit schedule

The strategic audit schedule can be issued at regular intervals, normally annually or quarterly, and defines the audits to be delivered over a period. It should be based on:

  • The status and importance of activities being conducted; this may include results from previous audits, criticality to the operation of the organisation, known issues, level of legal compliance and so forth
  • The results of previous audits (internal & external)
  • Corrective actions
  • Changes to systems elements
  • Introduction of new methods and technology
  • Organisational and personnel changes
  • The risk to quality if audit frequency is reduced
  • Availability and competence of audit personnel.

Factors to be considered when developing an audit schedule should include:

  • The audit objectives and criteria
  • The audit scope including processes to be audited
  • The dates and places where the on-site audit activities are to be conducted
  • The expected time and duration for the on-site activities including safety/security requirements
  • Persons to be interviewed
  • Competence of auditors.

Individual audit planning and preparation

The audit plan

Each auditor must prepare an audit plan for each individual audit contained in the strategic audit schedule. The individual audit plan forms the basis for the audit and allows the following:

  • The auditor can arrange for notification to be sent to the auditee following a discussion and agreement over the scope, dates and other administrative arrangements
  • The auditor can propose the order and approximate timing of visits to audit areas
  • The auditee can confirm the plan and make suitable arrangements to assure that the right staff will be available
  • The auditee can confirm that appropriate lengths of time are allocated to each element of the audit
  • The auditor can watch time progressing during the audit
  • The auditor and auditee can make suitable arrangements (eg is a guide needed? Are there any safety controls? Is PPE required?)
  • Examine documents
  • Prepare checklists.

One small caveat: the auditor should not make too detailed a plan, as any changes can throw a lot of work aside. Also, apart from the times of the formal meetings at the start and end of the audit (see below) and lunch, of course, no definite times should be stated, so as not to constrain the audit. Where the audit continues for more than one day, a “wash-up” meeting should be held at the end of each day.

Audit notification

The lead auditor sends the auditee notification of the forthcoming audit. This is the first action defined in the audit plan and identifies:

  • Location(s) and date(s) for the audit
  • Times of opening and closing meetings
  • Audit objectives, scope and criteria
  • People (by name or role) who will need to be available
  • Documented information that will need to be available
  • Equipment that may be required.

Conducting the audit

Audit checklists

Audit checklists are normally useful for the auditor. An audit checklist:

  • Is generated by the auditor
  • Provides a structured list of points to evaluate against requirements
  • Identifies and communicates the scope of an audit
  • Is a tool to gather evidence and provide an audit trail
  • Guides the course and controls the pace of an audit
  • Keeps audit relevant to objective
  • Provides evidence of planning
  • Assists with note taking
  • Reduces the risk of bias
  • Helps to manage time
  • Assists in the preparation of the audit report.

Performing the audit

Detailed below are the key steps that an auditor takes in performing an audit.

  • Hold an opening meeting by:
    • Conducting introductions
    • Explaining the audit objectives, scope and criteria
    • Confirming the definitions of nonconformity and observation (or equivalent) to set the expectations of the auditee
    • Confirming the audit programme and timings
    • Confirming the audit process and arrangements.
  • Interview personnel and:
  • Hold interim meetings with auditors, if more than one, to provide an opportunity to compare notes and write up findings
  • Hold a closing meeting by:
    • Introducing anyone who was not at the opening meeting
    • Re-stating the audit objectives, scope, and criteria
    • Providing the audit conclusion - executive summary
    • Explaining the audit findings - detail of factual findings
    • Follow-up activities that may be required (but see below)
    • Obtaining ownership and commitment
    • Reporting arrangements
    • Clarification of any questions
    • Confirming the confidential nature of the findings
    • Discussing the future, including agreeing, if appropriate, the time for the auditee to present a corrective action plan.

Points to note

Opening meetings set the scene for the audit. They are led by the auditor, who should provide enough opportunities for the auditee to explain and provide information, although this should not be time-wasting. The items to be included will vary from audit to audit. Generally, external audits tend to have more formal opening meetings, whereas internal audits can be quite relaxed.

The auditor should also put the auditee(s) at ease and make it clear that an audit is to confirm that processes are being followed, not a witch hunt to catch people out.

Auditors are not there to interrogate a suspect. The normal technique is to ask a general or “open” question to allow the auditee to provide a picture of what is going on and to encourage detailed responses. This is then followed by a series of more “probing” questions that give the auditor a clear picture of the process and the results of the work being conducted. Auditors should finally confirm their understanding by asking a “closed” question that generally elicits the answer “yes” or “no”.

The auditor needs to take adequate notes to enable him/her to write the audit report, as well as identify tasks and items to be dealt with later. However, notes need to be concise and not interfere with the progress of the audit any more than necessary. Important notes should be taken of any information relating to any potential nonconformities.

The audit report should be written up and presented as soon as possible after the audit so that the audit findings are fresh in people’s minds, but not necessarily on the day that the audit is completed. Any findings on which the organisation is expected to take action should be written clearly and in such a way that they can be located by the organisation, and by an auditor during a follow-up visit.

Audit follow-up & corrective action

Process and principles

  • Close out previous audit findings
  • Verify the effectiveness of corrective actions taken previously and the probability of recurrence
  • Establish if any special visits are required to close out items
  • Discuss the next audit.

Reasons for undertaking follow-up

  • Timely completion of corrective actions
  • Effectiveness of corrective actions
  • Realise the benefits gained from the audit
  • Measure the effectiveness of the audit programme.

Audit reporting

An audit report provides a record of the audit in relation to the audit objectives, scope and criteria and the audit findings. Typically, an audit report should include a summary, a description of the areas and activities audited, the audit findings, the personnel involved and the attendees at the opening and closing meetings.

The audit findings enable corrections to be made, corrective actions to be taken, opportunities for improvement to be identified and provide information for management reviews.

Audit findings

Nonconformity

Nonconformity means failure to comply with requirements, whether specified or implied, although different organisations may use different terminology to describe the difference between what is found during the audit and the process/es that ought to have been followed.

A nonconformity report is not a ‘ticket’ that has been issued and not something that should be written out in front of an auditee.

The management of the area being audited is responsible for deciding what action to take in response to identified nonconformity. This may include action to correct something that has been done incorrectly (correction) or action to prevent the same thing, or similar, happening again (corrective action).

The organisation needs to get to the bottom of the reason for the nonconformity. There are several techniques for doing this that are described elsewhere. In general, the reasons may arise from one of the following:

  • The auditee had not followed the procedure but had found a way around that seemed to provide no risk (the auditor should look wider and “audit it out” to find the reason why and note any risks that may have been engendered by the unauthorised change)
  • The auditee had not followed the procedure with risk to the product or service offering
  • The auditee had followed the procedure, but the procedure was inappropriate, ineffective or just plain wrong.

It is not a part of the auditor’s duty to propose actions, otherwise the auditor might be made responsible for the outcomes if the action goes wrong.

Observations

These can be called by several different names, such as “improvement points” or “opportunities for improvement” and may be raised under the following circumstances, among others:

  • There is some good work going on that deserves to be recorded
  • There is a concern that is outside the scope of the audit
  • Something looks as though it may become a problem, but hasn’t yet.

Feedback

The output of the audit will have been discussed as part of the closing meeting. That should never be the end of the matter, as there will be opportunities for the quality management system to be improved as a result. The most appropriate persons to make any changes are those intimately involved in the part of the organisation affected by the finding. A note should be recorded of the action, the actionee and the date by which the action has to be taken.

A check should be made to confirm that the action has been taken and that the change has stuck.

It is useful to analyse the results of all audits over time, just to make sure that the same concerns are not raised in different areas of the organisation or repetitively in the same place.

Important principles for auditors

  • Never lose sight of the basic aim of an audit
  • It is an audit of the process rather than the person
  • Seek to achieve management commitment in response to audit findings
  • Listen far more than you talk
  • Be assertive; never aggressive or passive
  • Always be fair and balanced
  • Be naturally inquisitive
  • Never point the finger!
  • Keep it simple and concise
  • Keep the audit outcome confidential
  • Publish in a timely manner.

Auditor behaviours

The competence of auditors is essential to the success of an effective audit process. Good practice is for the auditor to have attended an IRCA recognised auditing course. Individual competence also requires that the behaviour of an auditor is neither aggressive nor passive, but assertive. The term “assertive” is not easy to define, as what counts as assertive in an office environment may well differ from what is appropriate when auditing a construction supervisor!

According to clause 7.2.2 of the international standard ISO 19011:2018 “Guidelines for auditing management systems”, auditors should also possess the necessary attributes to enable them to act in accordance with the six principles of auditing. These six principles are:

  • Integrity
  • Fair presentation
  • Due professional care
  • Confidentiality
  • Independence
  • Evidence-based approach.

The professional behaviours that auditors should display during their audit activities include being:

  • ethical: fair, truthful, sincere, honest, and discreet
  • open-minded: willing to consider alternative ideas or points of view
  • diplomatic: tactful in dealing with people
  • observant: actively observing physical surroundings and activities
  • perceptive: aware of and able to understand situations
  • versatile: able to readily adapt to different situations
  • tenacious: persistent and focused on achieving objectives
  • decisive: able to reach timely conclusions based on logical reasoning and analysis
  • self-reliant: able to act and function independently while interacting effectively with others
  • acting with fortitude: able to act responsibly and ethically, even though these actions may not always be popular and may sometimes result in disagreement or confrontation
  • open to improvement: willing to learn from situations, and striving for better audit results
  • culturally sensitive: observant and respectful to the culture of the auditee
  • collaborative: effectively interact with others, including team members and auditee personnel.

The selection of auditors should consider competency in terms of knowledge, skills and experience, as well as personal traits and characteristics. Potential auditors can be evaluated through interviews, training and testing. The competence and behaviour of auditor trainees can be assessed through witnessed audits and feedback from the lead auditor. Ongoing evaluations can involve solicited feedback from the managers of the audited areas.

Auditors, particularly when acting in a second or third party capacity, should assure the auditee that commercial and organisational confidentiality will be maintained. In certain cases this may be formalised in a non-disclosure agreement (NDA).

Annex 1 Suggested opening and closing meeting agendas

These agendas should be tailored to the type of audit and the conditions under which they are being used.

Opening meeting

Introduction of the audit team by the Lead Auditor, if not already done.

Introduction of the organisation’s representatives and their responsibilities.

Confirm the purpose of the audit:

  • To assess the suitability of the organisation for inclusion on the approved list of vendors by carrying out an audit on the organisation’s quality management system
  • To assess the on-going suitability of the quality management system to meet the business needs of the organisation
  • To examine the operation of the documented quality management system for its effectiveness in ensuring that the contract requirements are met in the most effective and efficient manner and to identify any risks there may be to successful completion of the project
  • To examine the overall management system of the organisation to identify any potential risks to delivery of the contracted items to meet schedule.

Confirm the criteria for the audit, eg the organisation’s documented quality management system and its supporting procedures. ISO 9001:2015 will be used to provide guidance and to ensure that the business unit’s commitments are met.

Explain the recording of findings:

  • Nonconformity: the non-fulfilment of one or more specified requirements substantiated by objective evidence
  • Corrective action report: a formal request to resolve a nonconformity; this will require a person of adequate authority to accept the nonconformity and to define suitable actions to resolve the nonconforming condition in a timely manner
  • Observation: a statement of fact backed by objective evidence that lies outside the scope of the audit, but needs to be brought to the attention of the organisation.

Explain the role of the guides:

  • To act as witnesses to audit findings
  • To escort the auditor to the parts of the organisation agreed within the scope and to ensure that the auditor does not enter into areas of personal danger.

Confirm that all aspects of the audit will be confidential.

Explain that the audit is a snapshot in time and that it will only examine a set of examples. Any nonconformities that are reported in the closing meeting represent those that were found and that other nonconformities may exist in areas that were not examined.

The organisation is requested to:

  • Confirm who will be acting as guides
  • Confirm that the programme is acceptable
  • Confirm that suitable arrangements have been made for personal safety and product protection
  • Confirm that suitable office accommodation will be available during the audit for review, wash-up and closing meetings; accommodation has to be available also for the auditors to prepare reports, etc.

Closing meeting

Introduction of the meeting participants, if there are persons who were not at the opening meeting.

Thank the organisation for their hospitality and assistance during the audit.

Comment on the good points found in the audit (lead auditor).

Re-confirm the purpose of the audit:

  • To assess the suitability of the organisation for inclusion on the approved list of vendors by carrying out an audit on the organisation’s quality management system
  • To assess the on-going suitability of the quality management system to meet the business needs of the organisation
  • To examine the operation of the documented quality management system for its effectiveness in ensuring that the contract requirements are met in the most effective and efficient manner and to identify any risks there may be for successful completion of the project
  • To examine the overall management system of the organisation to identify any potential risks to delivery of the contracted items to meet schedule.

Re-confirm the criteria for the audit, eg the organisation’s documented quality management system and its supporting procedures. ISO 9001:2015 will be used to provide guidance and to ensure that the business unit’s commitments are met.

Re-confirm the recording of findings:

  • Nonconformity: the non-fulfilment of one or more specified requirements substantiated by objective evidence
  • Corrective action report: a formal request to resolve a nonconformity. This will require a person of adequate authority to accept the nonconformity and to define suitable actions to resolve the nonconforming condition in a timely manner
  • Observation: a statement of fact backed by objective evidence that lies outside the scope of the audit, but needs to be brought to the attention of the organisation.

Present the findings. This can be a summary by the lead auditor, followed by the detailed findings by the auditors who found them.

Agree the timetable for the preparation of the corrective actions. The actions should be written on the corrective action report form and submitted to the quality management team by the agreed date.

Confirm that all aspects of the audit will be confidential.

Explain that the audit is a snapshot in time and that it will only examine a set of examples. Any nonconformities that are reported in the closing meeting represent those that were found and that other nonconformities may exist in areas that were not examined.

The lead auditor confirms with the rest of the audit team and the auditee that all points have been covered.

The lead auditor requests a senior member of the organisation to sign the front page of the report, requests a copy of the report and leaves the original with the organisation for completion of the corrective action(s).

Return all documents belonging to the organisation to the organisation, if appropriate.

Annex 2 Useful auditing tools


This article was originally written by Keith Hamlyn on behalf of the CQI Construction Special Interest Group, reviewed by members of the Competency Working Group and approved for publication by the Steering Committee on 24 April 2019.

--ConSIG CWG 12:46, 18 Jun 2019 (BST)


Comments

The concept of risk-based audits is aligned with the ISO 9001:2018 requirement for risk-based thinking.

should read:

The concept of risk-based audits is aligned with the ISO 9001:2015 requirement for risk-based thinking.


Quite correct. Many thanks for pointing the error out. It has been edited.