Secretly Auditing - Writing an audit report with observations based on my experiences

P

PETERROW

Hi Everyone

I am currently experiencing a reorganization of my Department (QM/QA). Among the aims of this reorganization is that I spend less time looking at QA and more looking at compliance, risk management and improving the application and usage of our management system.

The reorganization comes under the scope of our "development of organizational structure" business process. What I have witnessed in the meetings and discussions of this process is that this process is not being followed at all, even though the person responsible for this process is sitting in the meeting. I have not raised this point as yet because it only occurred to me in our last meeting. This will be the last meeting on the subject before implementation so mentioning it now would be "closing the stable door".

My question is this. Would it be appropriate to write an audit report with observations based on my experiences or is this too evil?

I have not stated that am am Auditing the process while in these meetings nor is an audit planned or announced. My opinion is that what I am witnessing is common practice that deviates from standard practice and I am able to witness this because participants are behaving without the artificial effect of having an auditor present.

So should I document what I have witnessed as an audit?
 

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Secretly Auditing - Writing an audit report with observations based on my experie

Welcome to The Cove, Peter
So should I document what I have witnessed as an audit?
No, because, technically that is not an audit. But, on the other hand, that is something you should not ignore either.

If you are performing an audit of this business process, you can ask question to the effect that why was the actual work and activities deviating from the intended process? You might hear that the "deviation" is intentional and this was one of the cases where the command media describing the process needs to be revised to catch up with the actual operational process.

While observing activities is one of the means to collect evidence for audit purposes, the auditor must declare an audit is in effect. Otherwise, if you try to "audit" stealthily, secretly, you are sending a message that audits are like a big-brother spying on the workforce. That would have serious ramifications for the audit program and you, as well. Don't you think your co-workers would always be concerned when you are around?

Auditing is not supposed to be a gotcha exercise. It has to be transparent in order to be welcomed and have a chance to add value to the business.
 
P

PETERROW

Re: Secretly Auditing - Writing an audit report with observations based on my experie

Thanks for the detailed reply Sidney.

Sure, I get your point regarding trusting auditors and "big brother is watching".

On the other hand, I have been in internal audits where there have been clear attempts to BS the auditor (and they have been successful too). I agree that a skilled auditor can cut through this but it can take a really skilled auditor.

Unfortunately, the culture of the organization is not great when it comes to Auditing. The aim of the auditee in some cases appears to be to avoid audit observations as they are seen as work and the whole point of the exercise (improvement) is missed. An effect of this has been audits with no observations (perception: waste of time) or weak observations (perception: "the audit hit me with a cotton bud"). I therefore thought a bit of "clandestine" Auditing might be a way forward to get some more solid improvement actions.

I understand this is risky though and it could do more damage than good to the rep of the audit function.

On reflection, I will probably note it and use the my experience to prep a formal audit of the process.
 

somashekar

Leader
Admin
Re: Secretly Auditing - Writing an audit report with observations based on my experie

Per the standard, the internal audit is a planned process. So there should be nothing like a secret audit. At any point of time, if you notice or feel that a deviation is being made, you have to communicate within your escalation chart without losing time.
 

Mike S.

Happy to be Alive
Trusted Information Resource
Re: Secretly Auditing - Writing an audit report with observations based on my experie

As others have correctly said, NO this was not an audit and an audit report should not be written.

However, I have given internal auditors areas of concern to look at in depth when they do a scheduled audit of an area.

You also may consider handling this under your internal CAR process if applicable. We do not need an audit to issue an internal CAR, anoune can request one.
 
Re: Secretly Auditing - Writing an audit report with observations based on my experie

As already said: Nope. Not as an audit and most certainly not as a secret one. Never that.
However... Since you are obviously expecting problems if you continue in the direction you are currently heading, it may be prudent to have a chat off the record with the person responsible for the process?
 
B

bigqman

Re: Secretly Auditing - Writing an audit report with observations based on my experie

I would first ask the person responsible for the process why they are not following the process. (Do they understand the process? Why aren't they following the process?)
 

normzone

Trusted Information Resource
Re: Secretly Auditing - Writing an audit report with observations based on my experie

Many good answers above, thank you all.

Phrases that come to mind in this case include -

Stealth audit
Knowing where the bodies are buried
"I can come back with a warrant if you want"

I think the most telling for me was the requirement about auditing being a planned activity.

Part of the challenge is always getting the purpose of a good audit across to those involved. I inherited some management that came with the belief that the purpose of the audit was to " check the boxes and pass the audit ". They were dismayed when I corrected them and told them the purpose was both verifying conformance AND finding weak places in the process to improve.
 
P

PETERROW

Re: Secretly Auditing - Writing an audit report with observations based on my experie

So - definitely got how secret Auditing is a no-no. Thanks - it won't happen.

Asking the person who is responsible for the process why the process was not followed is definitely planned. It should also not be a problem as this person is my boss and he is pushing me to get people applying the business processes in the management system properly. He needs to know that as he is the GM - it starts with him.

Another Option that I have is that I am currently performing the annual management review. In this I check the processes in the M-system with randomly chosen users and customers of the processes. In this case I am clearly a customer of the process so can give my input in terms of how the restructuring was conducted from my point of view.

Forgetting for a moment whether the process was followed or not, or even that there is a defined process, I can certainly state what I felt was missing in the workshop and it's output.
 
Top Bottom