Skip to main content

The importance of gap assessments in auditing

Published: 21 Dec 2022

Conducting a gap assessment is a vital first step when implementing a new management system or integrating one with an existing system. IRCA Lead Auditor Andy Lau explains the steps that must be taken to ensure conformance with certification body standards.

Whether you are planning to make changes to an existing management system, integrating one with a previously implemented structure, or just starting out with a new management system, most consultants – as well as certification bodies (CB) – will tell you to do a gap assessment first. But what exactly is a gap assessment?

Why is a gap assessment required?

In simple terms, ‘gap’ refers to what is currently missing in your organisation. It could be a document or a record, a policy or an instruction, or even an environment that is required to achieve the intended result. If your intended result is geared towards fulfilling customer requirements, you must ensure that your organisation has all the gap(s) filled before you decide to try to meet customer requirements.

“In simple terms, ‘gap’ refers to what is currently missing in your organisation. It could be a document or a record, a policy or an instruction, or even an environment that is required to achieve the intended result.”

Andy Lau, IRCA Lead Auditor

An organisation cannot declare itself to be free of hazards unless it first determines the potential hazards of all those activities that it can control or influence. It must put in place actions that must be implemented effectively to eliminate or reduce the likelihood of occurrences. In the case of certification bodies, an organisation cannot declare it has been ‘certified’ unless all the gap(s) have been addressed in terms of conformity against the requirements of a standard, such as ISO.

Inputs and outputs

The inputs of the gap assessment process is a list of your activities, products and/or services. This includes resources – such as workers, contractors, hardware, software, tools and machinery – and the existing management of such, which includes leadership, performance evaluation and improvement, to ensure they gel together.

Outputs of the gap assessment process are, of course, the activities, documents/records, competency, tools, machinery and the environment necessary to achieve conformance with the requirements of ISO (or another) and its intended results.

The process of conducting a gap assessment involves a person(s) checking existing documentation, interviewing workers and the management team, and observing how things get done in the organisation. ‘Evidences’ collected are then compared with the requirements of ISO and a judgement made by the person(s) as to the extent of conformance.

Ensuring success

The results of the gap assessment are used by the leadership of the organisation to plan actions so that any non-conformances are addressed as soon as practically possible. ISO certification by the CB cannot be given until the evidences show that all non-conformances determined by the gap assessment have been converted to conformances, and that all conformances are being maintained as such.

Sometimes, a consultant may be engaged by the organisation to provide knowledge on how to convert non-conformances to conformances. At the end of the day, however, the implementation of conformances must be demonstrated by the organisation itself.

The table below outlines some key questions for leadership when conducting a gap assessment, as well as the type of answer that will indicate a gap in the system that must be addressed:

Gap assessment questions on leadership

Potential gaps in the system

How were the quality policy and objectives established for the quality management system (QMS), and how are they compatible with the strategic direction of the organisation?

The quality policy and objectives were established by the quality management representative (QMR) and I just signed them off.

How is the quality policy communicated within the organisation? How is this understood and applied?

I think the QMR, and perhaps HR, does the communication with new hires.

How are the requirements of the QMS integrated into the business processes?

Quality is important and everyone working here knows that. Also, the customer is always right.

How do you promote awareness of the process approach?

I approve the budget for getting a trainer to come into my office to train staff on ISO standards.

How do you ensure that resources needed for the QMS are available?

I make sure that funds are allocated when I approve the budget

How do you communicate the importance of effective quality management?

I am very busy, so this is normally done by the QMR.

How do you communicate the importance of conforming to QMS requirements?

The QMR is responsible for this

How do you ensure that the QMS achieves its intended results?

As far as I know, the certificate previously issued is still hanging on the wall, and we cite it when tendering.

How do you engage, direct and support people to contribute to the effectiveness of the QMS?

I have meetings with my managers on a weekly basis.

How do you promote continual improvement?

I think the staff are already busy enough with customer demands, so there is no time for improvement. Perhaps in the future, when the company is more stable.

How do you support other relevant management roles to demonstrate leadership in their areas of responsibility?

If they are loyal and seldom argue with my instructions, I will give them more responsibilities.

Read more from Andy Lau.