Informational Internal Audits - Wear multiple hats what can and can't I audit (so I'm not auditing my own work)

[Sidney Vianna]

Only that people put one interpretation on (my native language) to suit their point of view.

I hope you are not implying my command of the English language is faulty... And even if you still want to argue about the meaning of the word "independent", as the Note 1 to the ISO 9000 definition makes ABUNDANTLY clear audits must be performed by people NOT RESPONSIBLE for the "object" being audited. How can someone perform work and not be responsible for the work performed?

For those people who really think one can be objective and impartial auditing their own work, I have a great suggestion: tell your boss that s/he does not need to perform your performance review any longer. You will do it on their behalf, including the recommendation for grade level promotion and salary raise....

Here is the deal: differently from what you mentioned, ISO TC 176 SC 2 did NOT remove the language related to people auditing their own work to make it easier for small businesses. The adopted language is the one from Appendix 2 of Annex SL in the ISO Directives Pt.1, also known as High Level Structure. The language is the same for all HLS-based MS standards. That's why. And that is why is EVEN more important to pay attention to normative references when implementing a standard.

 

[Jim Wynne]

For those people who really think one can be objective and impartial auditing their own work, I have a great suggestion: tell your boss that s/he does not need to perform your performance review any longer. You will do it on their behalf, including the recommendation for grade level promotion and salary raise....

How is it that after some thirty years of ISO 9001, this question can still be argued by reasonable and experienced people? The defect must be in the standard itself, and its normative references. There is no doubt that some people can be objective when reviewing their own work, and others won't be. The performance review analogy fails because the boss still has the final say in the matter. It's not unusual for organizations to ask people to evaluate their own performance, but that evaluation is never the final word.

Simply choosing a presumably disinterested person in the same company to do the auditing doesn't assure objectivity. God knows that there are people in different departments that might have issues with one another that transcend the quest for objectivity. Many small companies engage contract auditors, either for objectivity reasons or lack of competency within the organization, or both. The fact is that these disagreements will continue so long as the standard is vague and porous on the issue. In my own opinion, it's best to do whatever can be done to remove the appearance or likelihood of bias. Having people audit processes outside their own bailiwicks has the added advantage of exposing them to how things work in other worlds, and that's never a bad thing.

 

[AndyN]

ISO TC 176 SC 2 did NOT remove the language related to people auditing their own work to make it easier for small businesses.

Are you certain? If the vast majority of the feedback in revising the standard was from small/medium businesses, how is that claim accurate? The whole standard was revised to better address their needs, such as the removal of prescriptive documentation.

There are too many imponderables for a (very) small business to deal with, when practically complying with ISO 9001, 9.2, to simply dismiss the need for "independence" as having someone not touch some work. Who's to know WHAT was in the minds of the committee and that the same worked on the definitions in both ISO 9000 and ISO 19011? If I can read "independent" as meaning free of pressure in this context, who is to say any other "version" is more applicable? As JW suggests, the fault is with the definitions NOT adequately conveying the intent.

 

[Sidney Vianna]

Are you certain?

Am I certain of what? The HLS common text is publicly available. You know as well as I know that, since 1987, after the 1st edition of the standard, the TC 176 has been voicing their mantra of making the revisions of the standard more user friendly for service organizations, organizations in any business sector, small and medium size enterprises, bla bla bla...

A word of caution here: ANYONE who claims that internal quality management system auditors can audit their own work, WILL HAVE to accept that for ANY ORGANIZATION. You CANNOT limit it to small companies, because, the moment you state that a small company auditor can be objective and impartial and can disregard the normative references, THAT PRINCIPLE can carry over everywhere. Multi-billion dollar corporations can lay off their internal audit team; consultants that perform internal audits for organizations are out of luck. ANYONE "COMPETENT" CAN AUDIT THEIR OWN WORK....but how can we know they are objective and impartial? ....how? how can you determine if someone is objective and impartial when auditing their own work? Isn't that a much more difficult challenge to establish than "independence"....?

Many of us know that most internal auditors are not made competent for the function. And now, we are going to promote non-competent internal auditors auditing their own work? Risky, very risky. RBT? What RBT?

 

[AndyN]

Am I certain of what? The HLS common text is publicly available. You know as well as I know that, since 1987, after the 1st edition of the standard, the TC 176 has been voicing their mantra of making the revisions of the standard more user friendly for service organizations, organizations in any business sector, small and medium size enterprises, bla bla bla...

A word of caution here: ANYONE who claims that internal quality management system auditors can audit their own work, WILL HAVE to accept that for ANY ORGANIZATION. You CANNOT limit it to small companies, because, the moment you state that a small company auditor can be objective and impartial and can disregard the normative references, THAT PRINCIPLE can carry over everywhere. Multi-billion dollar corporations can lay off their internal audit team; consultants that perform internal audits for organizations are out of luck. ANYONE "COMPETENT" CAN AUDIT THEIR OWN WORK....but how can we know they are objective and impartial? ....how? how can you determine if someone is objective and impartial when auditing their own work? Isn't that a much more difficult challenge to establish than "independence"....?

Many of us know that most internal auditors are not made competent for the function. And now, we are going to promote non-competent internal auditors auditing their own work? Risky, very risky. RBT? What RBT?

OK, so your glass is half empty, mine's half full!

 

[Ninja]

Completely ...fair warning...

tell your boss that s/he does not need to perform your performance review any longer. You will do it on their behalf, including the recommendation for grade level promotion and salary raise....

We had a couple of managers that asked exactly that...employees write their own reviews, then they would be edited by those managers and submitted. Talk about lazy.
FWIW, many large corporations have been moving that way...

One of the guys wrote his own lengthy review of himself, including measurable data, graphs year on year...the whole works.
In his list of accomplishments over the previous year he included a bullet point: "Invented and patented the semicolon".

It passed editing, upper management review and was published to him. He got a decent raise...
The manager was let go the following year.

 

[Mike S.]

I'm kinda surprised and disappointed that the standard writers have not further clarified the issue of auditor independence after all these years of obvious confusion.

The closest I can find is this from the IAQG Clarifications document dated 7/2017:


9.2.2c Does the IAQG 9100 standard allow
the Quality Assurance manager be
the lead auditor in an Internal Audit
and audit QA specific questions?

No. The requirement in IAQG 9100 is "select auditors and conduct
audits to ensure objectivity and the impartiality of the audit
process." This ISO 9001 text is in place to ensure an effective
internal audit by having an objective and impartial auditor. It also
states that auditors shall not audit their own work to ensure an
independent set of eyes are being used to conduct the audit.

I can see that "clarification" adding confusion in one way. (sigh)

 

[Jim Wynne]

I'm kinda surprised and disappointed that the standard writers have not further clarified the issue of auditor independence after all these years of obvious confusion.

The closest I can find is this from the IAQG Clarifications document dated 7/2017:


9.2.2c Does the IAQG 9100 standard allow
the Quality Assurance manager be
the lead auditor in an Internal Audit
and audit QA specific questions?

No. The requirement in IAQG 9100 is "select auditors and conduct
audits to ensure objectivity and the impartiality of the audit
process." This ISO 9001 text is in place to ensure an effective
internal audit by having an objective and impartial auditor. It also
states that auditors shall not audit their own work to ensure an
independent set of eyes are being used to conduct the audit.

I can see that "clarification" adding confusion in one way. (sigh)

There is no way to completely "...ensure objectivity and impartiality..." What does "independent set of eyes" mean?

 

[Yukon]

There are lots of "should" statements in the ISO 19011 auditing guidelines doc, but should is not shall.

I had a registrar auditor say 9.2.2.c (select auditors and conduct audits to ensure objectivity and the impartiality of the audit process) meant you could not audit your own work and we HAD to have an auditor who only audited the internal audit process. No amount of my arguing would change his mind. Management chose not to fight it. Each company must decide for themselves how to satisfy this requirement.

Mike,
The registrar is correct.

 

[Sidney Vianna]

I'm kinda surprised and disappointed that the standard writers have not further clarified the issue of auditor independence after all these years of obvious confusion.

The standard writers have "clarified" plenty of times. In ISO 19011 and ISO/TS 9002, for example. The problem is, ISO's commercial interests make them pander to small business and allow a double standard. One of the principles of auditing (in ISO 19011) is independence

​

As one can read, ISO 19011 throws the words "if practicable" (keep in mind practicable does not mean practical). So, it seems to me that what is happening out there is: when dealing with small businesses, some people automatically infer that internal auditors CAN BE objective and impartial. But they refuse to answer a very simple question: HOW CAN ANYONE KNOW IF THE INTERNAL AUDITOR WILL BE OBJECTIVE AND IMPARTIAL WHEN AUDITING THEIR OWN WORK? HOW?

And, as I warned in my previous posts, the moment you allow for small business internal auditors to audit their own work, because they can be objective and impartial, YOU WILL have to allow the same for ANY business. There can be no differentiation.