Auditing - Best Practices

[Marc]

This for everyone. I would like a perspective from both sides - auditors and auditees.

What would you say are Best Practices in Auditing?

Please specifiy whether you are stating your ideas of Best Practices with respect to Internal vs. Second party (customer) vs. Third party (registrar) auditing.

 

[Randy]

Great topic seeing as I am right now in the middle of doing some registration audits in Texas and Louisiana.

First and foremost, 1st, 2nd or 3rd party..Know the standard you are auditing to.

Secondly...be OBJECTIVE. Get rid of your personal wishes, likes, feelings and thoughts. Have an open mind.

Third...Maintain a good sense of humor

Fourth.....Always...always...always be as polite and courteous to the least important as you would the most important person of the organization being audited.

Fifth....Look and act the part you are playing

Toodles for now from Cajun Country

 

[Randy Stewart]

Internal & 2nd Party

Both: I remind myself that the person I'm talking to is the expert in that field at that time. Wheather or not I have ever done that job or something similar before.

Both: Digest the conversation, review and study the pieces to see how they fit together. And always remember - 2 eyes, 2 ears, 1 mouth. Use them in the proportion that we were born with.

Both: You are dealing with a persons livelihood - their job, this is how they put food on the table for their families. Treat it with respect.

In the case of a 2nd party audit: I am the representative of my company. Even though I must have my company's best interest in mind, I may be the only or the lasting impression of what my company is. Will it be a master & servant relationship or are we really here to help.

:thedeal:

 

[barb butrym]

awesome job guys

Great response.......i agree with everything you said

I'll try the auditee answer.

BOTH

Be prepared. Know what is expected and be ready to present evidence. Don't volunteer extraneous information....but know where the auditor is heading, don't make him grovvel for information hoping he will forget something.
Be proud of your system, it helps.

Ask for clarification when you are not sure what is expected/asked of you. Promote a "relationship" not a confrontation mode. Listen Listen Listen........good communication is a key factor.

Be humble but not condescending. Be prepared to show how the system works for you if unconventional methods are used...educate the auditor. Be as professional as you would expect the auditor to be.

Honesty.......the auditor probably has seen it before, don't try to hide things when caught red handed...belly up to the bar.

 

[MrPhish]

Best Practice vs. Standard Compliance

Throughout the process of moving from 1994 to 2000 I am always trying to get more out of the limited resources at hand by developing "best practices". Being a multi-site registration it gets expensive to send qualified personnel out to the off-site locations to conduct audits. In addition, I always want to send the best qualified person(s). Now IMHO the requirement for qualified person(s) doesn’t end with just auditing skills … it includes an understanding of the products and services being produced, the processes being used and the “know the customer” factor. With all this in mind … what is a "best practice" when assigning auditors to audit a given area/process/etc? Does clause 8.2.2 restrict me from selecting the absolute best auditor because: “Selection of auditors and conduct of audits SHALL ensure objectivity and impartiality of the audit process. Auditors SHALL not audit their own work.”

Here is my thought: I would like to train some of the managers who frequently visit these off-site locations as a course of their normal business routine to become auditors. They are by my estimation the best qualified technically because they manage the job from A to Z (they don’t do the work). They understand the processes the best and have the best “view” of what works and what doesn’t. For example, if I trained the Division Manager of division XYZ (who doesn’t work at the off-site location and therefore is not auditing his/her own work) to audit one of his/her sub-departments (for this example divisions are made up of several small departments) is this by definition a problem with “objectivity and impartiality” since the manager is responsible for the very work in the department he audited? Is it absolutely impossible for the Division Manager to be open-minded enough to conduct the audit and most likely have to report some form of nonconformance against himself? An ideal QMS should work for the benefit of the company by detecting process problems and fixing them, and if top management truly supports this concept then no manager should be “afraid to report nonconformances”. If this is true, does objectivity and impartiality become less of a concern than finding the problem and fixing it?

This seems to make good business sense which is the purpose of a well run QMS, but I also have to balance “good business sense” by smartly following the intent of the standard. Would a simple resolution be to have these managers sign a type of pledge to conduct these audits without any impartiality and to remain objective regardless of the findings? At least the signed pledge would be objective evidence that the manager completely understands the concept and has agreed to “leave any impartiality at the door” during an audit. Not living in a perfect world I know this can’t be done 100%, but is it a reasonable method to satisfy all requirements? I would like to hear from third party auditors Marc has invited to this site … as well as the regulars of course. DISCLAIMER: This is not an attempt to “lip service, cheat, or short-cut” the standard, but as always to be effective and efficient with the resources at hand and to follow the intent and spirt of the standard.

 

[db]

Best? practices

For auditors, it would be to develop a checklist based on the procedure, or process. Do not just rely on “canned” checklist. They are great at auditing to the standard, but do not reflect individual processes and procedures. Secondly, you should already know the answer to most questions you ask. Otherwise, you could not be sure they gave a correct answer.

For auditees…spill your guts (especially in internal audits)! This is contrary to everything we are taught, but if the intent is to improve, we really must be forthright and not hold anything back. When we “hide” things from auditors, including information, we inhibit our ability for improvement and growth.

 

[JodiB]

MrPhish,

I understand where you're coming from. Who better to audit than someone who understands? But to play devil's advocate, I'll throw out some thoughts...

1) Perhaps the one to audit should not know everything (or think he does). That leaves an open and truly objective mind. Someone who hasn't worked in the box will have a different perspective. They are able to stand away from the process and truly ask and wonder "why"? and "how"? I know I was floored when I was informally auditing one of the dept. here. Some of the things they did made no sense and the worker had no idea why it was done that way except that she was just doing it the way it was set up before she started. And no one else involved in the process ever really gave it much thought either. All they knew was that they were having problems and didn't know why. As an outsider who started with zero knowledge, I was able to see what they couldn't.

2) Doesn't "objective' mean that another reasonable person would draw the same conclusion? Any person. So a true piece of objective evidence is perhaps best identified by someone without a pre-conceived notion.

3) A manager who will have responsibility for addressing the CAR is not impartial and his/her objectivity is doubted. I would also be wary of the responses that an underling would give to his/her boss, even if removed by a couple of management levels.

I would hope that a manager would spend some time with his folks to learn what they are doing and how they are doing it, but I would not make it a part of the internal audit process. JMHO.

 

[MrPhish]

The Other Side

Lucinda, Thanks for the "devil thoughts". That's what I like about this forum ... you get all kinds of good input and a lot of the input makes you step back and think ... again.

 

[David Mullins]

first bite

initial response - scope needs definition.

I'd suggest breaking this down into facets of auditing and then determining best practice in each area.


Some example areas include:
scheduling
arranging audits
preparing checklists
opening meetings
asking audit questions
following leads
closing meetings
report writing
reporting forms

 

[Claes Gefvenberg]

Good idea Aussie,

I think we should add follow up to your list?

/Claes