Secretly Auditing - Writing an audit report with observations based on my experiences

#1
Hi Everyone

I am currently experiencing a reorganization of my Department (QM/QA). Among the aims of this reorganization is that I spend less time looking at QA and more looking at compliance, risk management and improving the application and usage of our management system.

The reorganization comes under the scope of our "development of organizational structure" business process. What I have witnessed in the meetings and discussions of this process is that this process is not being followed at all, even though the person responsible for this process is sitting in the meeting. I have not raised this point as yet because it only occurred to me in our last meeting. This will be the last meeting on the subject before implementation so mentioning it now would be "closing the stable door".

My question is this. Would it be appropriate to write an audit report with observations based on my experiences or is this too evil?

I have not stated that I am auditing the process while in these meetings, nor is an audit planned or announced. My opinion is that what I am witnessing is common practice that deviates from standard practice and I am able to witness this because participants are behaving without the artificial effect of having an auditor present.

So should I document what I have witnessed as an audit?
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#3

Welcome to The Cove, Peter
"So should I document what I have witnessed as an audit?"
No, because, technically, that is not an audit. But, on the other hand, that is something you should not ignore either.

If you are performing an audit of this business process, you can ask questions to the effect of why the actual work and activities were deviating from the intended process. You might hear that the "deviation" is intentional and this was one of the cases where the command media describing the process needs to be revised to catch up with the actual operational process.

While observing activities is one of the means to collect evidence for audit purposes, the auditor must declare an audit is in effect. Otherwise, if you try to "audit" stealthily, secretly, you are sending a message that audits are like a big-brother spying on the workforce. That would have serious ramifications for the audit program and you, as well. Don't you think your co-workers would always be concerned when you are around?

Auditing is not supposed to be a gotcha exercise. It has to be transparent in order to be welcomed and have a chance to add value to the business.
 
#4

Thanks for the detailed reply Sidney.

Sure, I get your point regarding trusting auditors and "big brother is watching".

On the other hand, I have been in internal audits where there have been clear attempts to BS the auditor (and they have been successful too). I agree that a skilled auditor can cut through this but it can take a really skilled auditor.

Unfortunately, the culture of the organization is not great when it comes to Auditing. The aim of the auditee in some cases appears to be to avoid audit observations as they are seen as work and the whole point of the exercise (improvement) is missed. An effect of this has been audits with no observations (perception: waste of time) or weak observations (perception: "the audit hit me with a cotton bud"). I therefore thought a bit of "clandestine" Auditing might be a way forward to get some more solid improvement actions.

I understand this is risky though and it could do more damage than good to the rep of the audit function.

On reflection, I will probably note it and use my experience to prep a formal audit of the process.
 

somashekar

Staff member
Super Moderator
#5

Per the standard, the internal audit is a planned process. So there should be nothing like a secret audit. At any point of time, if you notice or feel that a deviation is being made, you have to communicate within your escalation chart without losing time.
 

Mike S.

Happy to be Alive
Trusted Information Resource
#6

As others have correctly said, NO this was not an audit and an audit report should not be written.

However, I have given internal auditors areas of concern to look at in depth when they do a scheduled audit of an area.

You also may consider handling this under your internal CAR process if applicable. We do not need an audit to issue an internal CAR; anyone can request one.
 
#7

As already said: Nope. Not as an audit and most certainly not as a secret one. Never that.
However... Since you are obviously expecting problems if you continue in the direction you are currently heading, it may be prudent to have a chat off the record with the person responsible for the process?
 

bigqman

#8

I would first ask the person responsible for the process why they are not following the process. (Do they understand the process? Why aren't they following the process?)
 

normzone

Trusted Information Resource
#9

Many good answers above, thank you all.

Phrases that come to mind in this case include -

Stealth audit
Knowing where the bodies are buried
"I can come back with a warrant if you want"

I think the most telling for me was the requirement about auditing being a planned activity.

Part of the challenge is always getting the purpose of a good audit across to those involved. I inherited some management that came with the belief that the purpose of the audit was to "check the boxes and pass the audit". They were dismayed when I corrected them and told them the purpose was both verifying conformance AND finding weak places in the process to improve.
 
#10

So - definitely got how secret Auditing is a no-no. Thanks - it won't happen.

Asking the person who is responsible for the process why the process was not followed is definitely planned. It should also not be a problem as this person is my boss and he is pushing me to get people applying the business processes in the management system properly. He needs to know that as he is the GM - it starts with him.

Another option that I have is that I am currently performing the annual management review. In this I check the processes in the M-system with randomly chosen users and customers of the processes. In this case I am clearly a customer of the process so can give my input in terms of how the restructuring was conducted from my point of view.

Forgetting for a moment whether the process was followed or not, or even that there is a defined process, I can certainly state what I felt was missing in the workshop and its output.
 