Published: 9 Aug 2016

David Finney says that auditors need to embrace risk-based thinking.

Auditors of management systems know there are two commandments they must observe:

1. Do not give advice about what corrective action to carry out or how it should be carried out (otherwise they risk not being ‘independent’).

2. Do not ask ‘leading questions’ that provide or help to provide the answers (otherwise they risk damaging the integrity of the audit).

But has the arrival of ISO 9001:2015 changed this?

In my view the answer is no. Let’s take the first commandment. I have heard a few people telling me how happy they are that the old requirement in ISO 9001:2008 stated: “Auditors shall not audit their own work” (Clause 8.2.2) has been removed in ISO 9001:2015 (Clause 9.2).

But actually nothing has changed in the (internal) audit approach.

The definition of audit in ISO 9001:2015: “systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled” is unchanged and hence still includes the word ‘independent’.

The new standard states, as did the old, that ISO 9001 is ‘indispensable for its application” ISO 9001:2015 and that “the terms and definitions given in ISO 9001:2015 apply”. So giving advice about how a process should be managed or about what kind of corrective action plan a process should have is still a no-no. In terms of the second commandment the ‘new age’ auditor faces a dilemma when auditing Context (Clause 4) or Planning (Clause 6).

Leading question

What if the organisation omits an interested party that the auditor feels should be included? What if the organisation has not considered a risk that the auditor believes is critical to planning?

The only option would appear to ask – what we have previously considered to be – a ‘leading question’.

For example: “What about your local residents”? (Context) Did you consider the risk that your proposal template might get over-written? (Planning).

But this is very different from: “I presume that when clients change their mind during a project that you keep all relevant emails?” which would still be an inappropriate ‘leading question’.

So we need to distinguish between the two.

The first one tests the robustness of the process whereas the second makes an assumption. Good auditors would have tested robustness under the 2008 version using “the hypothetical question”.

For example: "What happens if you are off sick tomorrow?”

“What would be the consequences if that machinery stopped working?”

“How would this process fulfil customer orders if the computer system went down?”

“Is there a risk that a customer would complain if staff leave the offices at 4pm on a Friday?”

What the auditor is doing is testing the robustness of the organisation by looking at risk.

So auditors should be more than ready for risk-based thinking. Maybe auditors will further develop their hypothetical question techniques and become ‘risk detectors’ which could really add value to the auditing function.

Business as usual

And so to conclude it would seem that it is business as usual for auditors.

However the release of ISO 9001:2015 has presented auditors with a real new challenge with regards to gaining evidence.

There are many clauses in the new Standard where the only evidence may be spoken and these need to be turned into “statements of fact” (contained in the ISO 9001:2015 “Audit Evidence” definition) by verifying statements with other personnel.

The only way to achieve this is to conduct a lot more interviews, not only with top management but at all levels of an organisation.

Auditors still stuck in 2008 (or prior) and expecting potentially meaningless written evidence from business leaders (for example, can you show me an organisation chart or a job description where you have defined responsibilities and authorities; or the email where you promoted risk-based thinking to all staff) should take care as to what this actually proves.

These types of documents did not – in isolation – demonstrate effective implementation.

They were – and still are – dependent on an auditor verifying their effectiveness.

Until they talk to staff they will not know whether those responsibilities and authorities are occurring in practice and whether the spirit of risk-based thinking has been received and embedded into organisational culture.

Auditors, as much as anyone, will need to embrace risk-based thinking in order to be supremely effective.

David Finney established The Energy of Conversation in 2008 and now trains professionals in coaching and auditing skills.