How not to audit: Learnings from Audit SIG’s LinkedIn group

No matter in what sphere we work, it is human nature to strive for perfection. But, often, just as much can be learned from looking at what not to do as by studying best practice. Drawing on opinions given by some members of the Audit SIG’s LinkedIn group, we look at the pitfalls auditors should try to avoid, set against the framework of plan, do, check, act (PDCA) – and what auditors should be doing. 

Lack of planning

Fail to prepare, prepare to fail, as the adage goes. A key failing for auditors is being ill-prepared for their assignment. This can be a personal failure or even because of the ineffectiveness of the audit management programme. Whatever the reason, a poorly prepared auditor cannot do a good and effective job. 

It can be very seductive to reduce the burden of an audit by using a predetermined checklist (often downloaded from the internet) in the belief it is a silver bullet. Experience shows that this only thwarts the actual audit, as there is no ownership by the auditor of the task at hand. This becomes apparent in the contextually odd questions asked of the auditee, taken from the checklist.

Thinking they know it all

No-one likes a know it all, and this is just as true when you are conducting an audit as it is when you are having a meal with friends or family. 

Auditors may be masters of their craft, but no-one can be an expert on every organisation at which they conduct an audit. The people who work at the organisations are the experts in producing whatever goods or service they make, so don’t dismiss what they have to say. Listen, and take on board what you learn.

Failing to use the power of silence

Following on from the above, never forget that silence can be golden. If you are doing all of the talking, how can you listen and learn? Failing to ask the right questions can be a big risk, but failing to listen attentively is just as serious an error. 

"Simple compliance with a documented requirement is only the beginning of an auditor’s quest. There are other facets that need to be tested and verified."

Lack of understanding of the underpinning principles

Understanding the key principles that underpin the criteria against which you are auditing may seem a basic requirement for conducting an audit, but, for some, that knowledge does not go deep enough. 

Understanding the criteria against which an audit is being conducted is one thing, but it is also necessary to fully understand, for example, the seven quality management principles that underpin ISO 9001. 

This lack of understanding often comes from the myth that auditors must be from another department or area of the organisation, in the name of ‘independence’. This is incorrect, however. What is required is that the auditor has a practical grasp of the application of the audit criteria and is not performing the audit under pressure to deliver a specific – perhaps negative – result.

Personal bias

It is also important to ensure that an audit is being carried out against a strict criterion of what is required by the applicable standard. There is no room for personal interpretation in a properly conducted audit; personal opinions and bias must be left at the door. Auditees will rarely challenge this personal bias, as they may not feel comfortable questioning the auditor. Similarly, it is common to apply ‘interpretations’ to the requirements, without reference to facts. 

Acceptance of compliance to mediocrity and ineffectiveness

Simple compliance with a documented requirement is only the beginning of an auditor’s quest. There are other facets that need to be tested and verified. These include the effectiveness of the result(s), the understanding of the people involved in meeting the requirement, and – for internal auditors in particular – how efficiently things are being done. Add in, as well, that the customers’ requirements are being met – or not – and this can provide a much more comprehensive audit result and report. 

Failing to verify actual implementation

We have all heard stories of auditors who set up camp in a conference room and have ‘objective evidence’ brought to them on silver salvers. Yes, it is a common understanding that records do give evidence of results, especially when variable data is used to create the record. However, there is no substitute for what the Lean people call the Gemba walk. Going to see what actually happens is a critical part of the management system implementation – do people actually understand and perform their assignments? Isn’t how people get results equally as important as the actual results?

Expecting action to result from poorly written nonconformities 

Authoring a nonconformity report that does not lead to understanding of the need for some kind of action means a wasted audit. 

A nonconformity that reports to management that ‘people were not following the procedures’ may not be questioned by the auditee, but it is missing a vital fact that will lead to action – what was the result? If the auditor does not have a clue about the path of correction or corrective action that should be taken, how will the auditee benefit? What will the follow-up actions become?

With thanks to everyone who contributed their thoughts on this subject in the CQI’s Audit SIG’s LinkedIn post.