Audit Trails

The ISO 9001 Auditing Practices Group (APG) recently published a paper on Audit Trails. The author, David John Seer, said the failure to carry out a process audit following an audit trail is the single most important reason why audits are not effective.

What is an Audit Trail?

In the absence of a definition from ISO 9000:2005 or ISO 19011:2002, the author used a dictionary definition for ‘audit’ and ‘trail’ and developed this audit trail definition:

A systematic approach to collecting evidence based on specific samples, that the output of a series of inter-related processes meets expected outcomes. 

But what does this mean in practice?

The paper states that although applied by some auditors, the use of an audit trail is by no means universally accepted. It is the failure to ensure all audits employ process audits following an audit trail that undermines their credibility. Auditors should understand the path of the process that they are auditing and perform the audit accordingly, ensuring that the requirements of the process are being met.

Audit Trail Examples

As an example, the author refers to when auditors visit the shop floor. This trip enables the auditor to see what is taking place and to identify the specific order numbers of jobs that are going through at that time. From this information, it is easy to identify in the sales department the agreed specification for that product or service and select relevant samples. This means the process can be checked to ensure that what takes place is controlled and will meet the required specification. From here, the audit trail is picked up and followed.

As another example, the author uses the audit of a purchasing activity. You need to identify what material or equipment has been purchased for your sample order. It is always important to understand what drives the process. In this case, it is normally the requisition, which defines what is wanted.

The paper states that if you do not understand the specification, then you cannot check if the process being followed meets the requirements of the requisition.

  • what does the requisition require?
  • does it comply with the agreed specification?
  • how is the decision to purchase made?
  • how is the specification decided? Is it adequate?
  • who decides what is required and do they have the authority?
  • who chooses the supplier and by what criteria?
  • what is the process for bid evaluation?
  • how is the specification advised to the supplier?
  • are national or international standards used?
  • what controls the process?
  • are there any special packing delivery requirements?

These are just some of the issues that need to be addressed, many of which relate to the clauses of ISO 9001.

Correct Audit Samples

The paper continues by saying the starting point for the audit is to use the chosen samples and identify the process path and the controls that were applied. It is vital that the samples are linked and come from the same trail. Too frequently, audit samples are taken at different stages of the process and are not related or linked to the initial sample chosen, which means that an auditor is unable to verify that the process is working. He will only be able to check if that particular document is filled in correctly.

Procedures, forms, checklists, and so on, all ensure that a process is managed and controlled effectively. It is essential that auditors take the time to understand what is required from the process they are auditing.

It is impossible for an auditor to carry out an effective audit of an organization if the auditor does not take the time to understand the specification of its product or service, including legal requirements. It is this professional approach to auditing that allows the auditor to identify any weaknesses in the process and decide if an organization is capable of meeting the specified requirements.

Whittington Observations

In addition to the points made by the paper, I’d like to add that some audit trails may be short. The trail for a process may extend only to an internal supplier process (to check on provided inputs) or to an internal customer process (to check on delivered outputs).

An auditor will usually need to travel outside the defined scope of a process audit to fully judge the effectiveness of that process. The audit trails will help you see how well the process communicated its requirements to the supplier processes and how well the process is meeting the requirements of its customer processes.

You are not required to follow every trail that presents itself during an audit. You may decide to ignore a trail if there are more important items to be sampled on the main path. Or, you may make note of the audit trail for later use in the audit or a later audit. Or, you may pass it on to another auditor on the team. Or, the trail may need to be followed immediately to assess process conformity and judge effectiveness.

Just make sure you don’t get lost on an audit trail and fail to return to the main path to complete the audit and satisfy the audit objectives. To see the APG Group papers on auditing, go to this web site.