Advice from Auditors

What do you think about the advice you receive from your auditor? Is it welcomed and acted upon, or do you view the suggestions as unwarranted meddling?

Auditors are trained to determine conformity and evaluate effectiveness, as well as to identify areas for improvement. If requirements aren’t met, or a process is ineffective, the auditor issues a nonconformity report and expects corrective action to be taken.

If a process is currently conforming, but weak and might become a nonconformity, the auditor may issue an observation (opportunity for improvement). Also, if a process could be performed in a more efficient or effective way, an observation may be reported. While preventive action is not required in these cases, it should be considered to avoid potential problems.

When offering advice, auditors should be careful to not cross the line into consulting and contaminate their independence for future audits. And, what is the basis for their advice? If they are proposing best practices they’ve seen at other organizations, then they must avoid divulging confidential and proprietary information.

Is it appropriate for an auditor to suggest improvements? The ISO 19011 auditing guidelines standard has this to say about recommendations:

6.2.2 Defining Audit Objectives, Scope, and Criteria

The audit objectives define what is to be accomplished by the audit and may include:

d) identification of areas for potential improvement of the management system.

6.5.5 Generating Audit Findings

When specified by the audit objectives, audit findings can identify an opportunity for improvement.

6.5.7 Conducting the Closing Meeting

If specified by the audit objectives, present recommendations for improvement, but emphasize that recommendations are not binding.

6.6.1 Preparing the Audit Report

The audit report should provide a complete, accurate, concise, and clear record of the audit, and should include or refer to the following:

o) recommendations for improvement, if specified in the audit objectives.

So, if agreed to as part of the audit objectives, it is okay for an auditor to identify opportunities for improvement. However, if a recommendation is made, the auditor should be clear that it is not binding, meaning the organization is not required to take any action.

Code of Conduct

Auditors certified through RABQSA or IRCA must abide by codes of conduct that require them to act in an unbiased manner. If consulting advice is given, the auditors may not be able to impartially assess their proposed solutions during later audits. You can see the codes of conduct at these RABQSA and IRCA web pages.

ISO 17021 Requirements

The ISO 17021 standard provides requirements for certification bodies. Clause 4.2.4.b in that document refers to a “self-review” threat to an auditor’s impartiality, which arises when an auditor reviews work that was either done by the auditor or resulted from consulting by the auditor.

Changing Role

A recent BSI article on The Changing Role of the Auditor states:

The biggest value for clients, however, comes from ‘opportunities for improvement’, where the auditor brings their expertise to bear to note things that could be changed for the better. “We can’t tell our clients what to do, but we do discuss examples of good practice,” explains Nonn Reynolds, BSI’s global scheme manager for energy and environment. “I’m opening the clients’ eyes to different things based on what I’ve seen elsewhere. We want to point out where they could be doing something better or are missing a trick.”

The value of the audit comes from the fact that auditors see the organization in a way no one else does. They have a unique perspective from top to bottom and right across the organization; it means that they are in a position to suggest improvements within processes and across systems that enhance performance and strip out duplication of effort.

Value-Added Audits

A “value-added” audit adds value by providing useful information that helps an organization improve its management system and achieve its business objectives. However, this useful information should be limited to reporting nonconformities, evaluating effectiveness, and identifying opportunities for improvement, not providing specific solutions.

The correct auditor approach for handling nonconformities is to encourage the auditee to implement their own solutions. The auditor can help by discussing the problem-solving process used to uncover root causes and determine the best corrective action.

Organizations may ask auditors for quick solutions to resolve the reported nonconformities. While this might please the auditee, it doesn’t result in long-lasting, substantial improvements. And, if you are a third-party auditor, you might inadvertently share proprietary methods from other audited organizations as you propose a solution.

Auditors add value by looking at more than just conformity to requirements. They need to evaluate effectiveness by analyzing the extent to which planned activities are taking place and planned results are being achieved. They need to find out if the organization is receiving real benefits from the management system, including the level of customer satisfaction with the delivered products and services.

Auditors also add value by adjusting their audit plans to focus on the critical areas of the business, including those areas with significant change and increased risk. Auditors must understand the technical and managerial issues faced by the industry sector in which the audited organization operates.

For more information on this subject, see the “Added value audits versus consultancy” paper at the ISO 9001 Auditing Practices Group web site. You may want to also read the “How to add value during the audit process” paper at the same web site.