Auditee Bill of Rights

As an audited organization, do you stand up for your rights? Or, to avoid conflict, do you just accept whatever comes your way during the audit experience?

Maybe it is time for an Auditee Bill of Rights, so organizations know what they should expect and demand from their auditors and certification bodies.

A “bill of rights” is a list of rights that are considered important and essential by a group of people. A prime example is the first ten amendments to the United States Constitution, referred to as the Bill of Rights.

However, our Auditee Bill of Rights won’t be a legal document. It will be a list of economic rights from the perspective that the auditee is the customer, after all.

Patterned on the “Patient” Bill of Rights in the healthcare industry, the eight areas of consumer rights for our Auditee Bill of Rights are:

1. Choice: The auditee has the right to choose their certification body, and within the constraints of the contract, easily switch to a different certification body.

2. Information: The auditee has the right to receive timely, truthful, accurate, and easily understood audit reports that describe the audit objectives, scope, criteria, sampling, and findings. Audit reports are to address conformity, effectiveness, areas for improvement, and any unresolved diverging opinions. In addition, the auditee is to be kept informed of changes to applicable standards and certification body policies.

3. Access: The auditee has the right to communicate in a timely fashion with auditors before, during, and after the audit for an understanding of plans, interpretation of requirements, explanation of results, and confirmation that proposed corrective actions adequately address the reported nonconformities.

4. Participation: The auditee has the right to participate in the planning and performance of the audit, including the audit agenda, audit team selection, proposed logistics, audit guides, and feedback on the audit experience. The auditee will be viewed as a partner to identify applicable requirements, provide needed evidence, and confirm possible findings.

5. Respect: The auditee has the right to expect considerate, respectful behavior from the audit team and support staff at all times and under all circumstances.

6. Confidentiality: The auditee has the right for the security and confidentiality of audit reports to be protected by all audit team members and report recipients. All auditee information maintained by the certification body will be available for review by the auditee for possible corrections and changes to the records.

7. Appeal: The auditee has the right to a fair and efficient process for resolving differences, including a rigorous, written process for internal review and an independent system for external review. The documented appeal process will be publicly accessible.

8. Responsibility: In a system that protects auditee rights, it is reasonable to expect and encourage the auditee to assume a supporting role. The auditee is responsible for providing access during the audit to areas, people, documents, and records. The auditee is to announce the audit in advance, explain its value, and encourage employees to fully participate with helpful and truthful responses.

Now that I’ve proposed an auditee bill of rights, let’s look at each “right” in more depth.

Choice: The auditee has the right to choose their certification body, and within the constraints of the contract, easily switch to a different certification body. 

You have many choices available. Go to the ANSI-ASQ National Accreditation Board (ANAB) web site (http://www.anab.org) to see a list of certification bodies. While at the web site, read the article, “Tips for Selecting a Certification Body”.

The International Accreditation Forum (IAF) provides guidance on the transfer of a certificate from one certification body to another. The objective is to maintain the integrity of the certificate during the transfer period. You can see the current IAF GD2:2005 guidance at (www.iaf.nu).

Information: The auditee has the right to receive timely, truthful, accurate, and easily understood audit reports that describe the audit objectives, scope, criteria, sampling, and findings. Audit reports are to address conformity, effectiveness, areas for improvement, and any unresolved diverging opinions. In addition, the auditee is to be kept informed of changes to applicable standards and certification body policies. 

The written audit report should be provided before the audit team leaves your site. Certificates should be issued within two weeks of your organization being recommended for certification and your submission of acceptable action plans.

Expect a written nonconformity statement to describe both the requirement not being met and the audit evidence that proves the nonconformity.

Does your auditor put in a full day’s work, or are you being shortchanged? Does the auditor conduct the audit where the work is being done, or do they camp out in the conference room? Auditors need to adhere to the audit plan, watch your operations, and select their own sample of people, documents, and records.

Your certification body may have identified that your internal audits need to be more process-oriented and less clause-by-clause. Are their own audits good models? Or do they provide clause-based audit agendas and reports?

If the auditor isn’t assessing by process, and going downstream to see what internal customers think about the process results, then they aren’t really evaluating process effectiveness. And, if they never identify any opportunities for improvement, are they really adding value, or just judging conformity?

Access: The auditee has the right to communicate in a timely fashion with auditors before, during, and after the audit for an understanding of plans, interpretation of requirements, explanation of results, and confirmation that proposed corrective actions adequately address the reported nonconformities. 

You should know who at the certification body administers your account and schedules your auditors. You should be provided their contact information, as well as the contact information for the assigned auditors.

You should be made to feel comfortable contacting the auditor to discuss the upcoming audit, and later for explanations of nonconformities and the acceptability of corrective actions.

Participation: The auditee has the right to participate in the planning and performance of the audit, including the audit agenda, audit team selection, proposed logistics, audit guides, and feedback on the audit experience. The auditee will be viewed as a partner to identify applicable requirements, provide needed evidence, and confirm possible findings. 

Does your auditor send you an audit plan in advance, or is the agenda developed after the auditor arrives? ISO 17021 requires certification bodies to communicate and agree upon the plan with your organization before the audit.

ISO 17021 also requires certification bodies to identify the auditors, and when requested, to provide background information on the team members so your organization can possibly object to the selection of a specific auditor and have the team reconstituted based on valid objections.

To minimize travel costs, the auditor visit to your geographic area should be synchronized with other audits to include multiple organizations in one trip.

For continuity, and to avoid having to train multiple auditors on your system, you should expect the same lead auditor to be assigned for your three-year recertification period. However, you should be willing to accept a new lead auditor after the recertification to introduce a fresh auditor perspective.

And, does the certification body request feedback on your level of satisfaction with the audit process and auditor competence? If not, are they afraid of what you might say?

Respect: The auditee has the right to expect considerate, respectful behavior from the audit team and support staff at all times and under all circumstances. 

The certification body and auditors should remember that your organization is the customer. Therefore, they should want to provide outstanding service and support to gain your loyalty and continued business. They can begin by promptly responding to your phone calls and emails.

Auditors should be respectful during interviews and meetings. They should avoid appearing to criticize people when identifying process nonconformities. The focus should be on the process, not the person. They are fact finding, not fault finding.

Although you requested the audit, and it is hopefully beneficial, the auditor’s visit is somewhat disruptive. Employees will be unable to fully perform their jobs while being interviewed. As a result, the auditors should respect your valuable time and come prepared to efficiently and effectively assess your system.

Confidentiality: The auditee has the right for the security and confidentiality of audit reports to be protected by all audit team members and report recipients. All auditee information maintained by the certification body will be available for review by the auditee for possible corrections and changes to the records. 

You should expect the certification body to safeguard the confidentiality of the information they obtain or create during the performance of your audit. And, information about your organization should not be disclosed to a third party (other than the accrediting body) without your written consent.

As you may know, the code of conduct for third-party auditors does not allow them to offer consulting advice. This is to ensure they do not inadvertently share proprietary information, to encourage the client to develop their own corrective actions, and for the auditors to remain impartial in future audits.

You should refrain from asking the auditors for their suggestions on how to fix a problem. Respect their code of conduct. And, if you encounter an auditor who wants to offer unsolicited consulting advice, you might have a valid concern that some of your proprietary approaches could become suggestions for other clients.

Appeal: The auditee has the right to a fair and efficient process for resolving differences, including a rigorous, written process for internal review and an independent system for external review. The documented appeal process will be publicly available.

If you are unable to resolve differences with the auditor, you can appeal to the certification body. If the issue is still not resolved to your satisfaction, you can then appeal to the ANSI-ASQ National Accreditation Board (ANAB).

ISO 17021 describes the requirements for an appeals-handling process and complaints-handling process to be used by a certification body.

Responsibility: In a system that protects auditee rights, it is reasonable to expect and encourage the auditee to assume a supporting role. The auditee is responsible for providing access during the audit to areas, people, documents, and records. The auditee is to announce the audit in advance, explain its value, and encourage employees to fully participate with helpful and truthful responses. 

Your management team must communicate their support of the audit program throughout the organization. Attitudes are contagious.

Management must ensure that timely and effective corrective action is taken on each nonconformity to avoid the same problem repeating over and over again.

Your organization should notify the certification body without delay of any matters that may affect the capability of your quality management system to continue to meet the requirements of the applicable standard.