Published: 13 Mar 2017

In the second part of our series on the Competency Framework for auditors, Richard Green explains how you can understand if management intent is fit for purpose and why this is crucial for auditing Annex SL-based management systems.

In the first of this series we considered the role of the auditor in the Governance part of the CQI Competency Framework and determining whether management intent is defined. This time around we will examine the role of the auditor in answering the more challenging governance question: Is management intent fit for purpose?

The true stakeholder advocate

Just because an organisation is clear about its aims does not mean it has sound governance. There are organisations out there doing the wrong things extraordinarily well, either subconsciously, because they don’t understand what their stakeholders really want, or through deliberate disregard of those they are meant to serve.

If they are fortunate, the impact will be solely commercial – the bottom line will be adversely affected because they have supplied products and services which don’t meet the market’s needs. At worst, the business and those that operate it suffer fatal reputational damage and legal sanctions.

As auditors, we play a crucial role in ensuring top management is focused on achieving what the organisation’s stakeholders want to see delivered. For organisations operating an Annex SL-based management system there is a clear path for us to follow; however, the same logical approach can be applied in situations where no external certification is held.

Context of the organisation

As part of ‘Context of the organisation’, Annex SL Clause 4.2 requires organisations to understand ‘the needs and expectations of relevant interested parties’ (stakeholders). As auditors, we look for objective evidence to show needs and expectations have been determined and actively monitored and reviewed. This is important as an organisation’s stakeholders and their requirements are liable to change through time.

Clause 4, ‘Context’, feeds into Clause 5.2, ‘Policy’. At this point an auditor would expect to see a policy statement. The statement should be appropriate to the purpose of the organisation and provide a framework for setting objectives. It commits the organisation to satisfying all of the applicable requirements, including those drawn from the stakeholder community.

The next step is to make sure the organisation has considered the applicable stakeholder requirements in its planning for addressing risk and opportunities. Consider what could happen to stop these requirements from being met and how to help the organisation achieve them more easily. How does the organisation evidence it has done this step?

Then, look to Clause 6.2 and determine if the organisation has considered the above applicable requirements when it sets its objectives and when it creates plans to achieve these goals.

Lastly, make sure Clause 8 is implemented by ensuring the organisation translates these plans into actions on the ground which deliver outputs that match the stakeholders’ needs.

If you follow these steps, then at the end of the audit trail you will be confident management intent is fit for purpose. Remember, if top management is satisfying its stakeholders’ requirements then management intent is fit for purpose.

Putting the plan into practice

In reality things aren’t quite so simple. Often the requirements of different stakeholder groups conflict. Perhaps the board wants to reduce costs while the employees want enhanced benefits. Local residents might want to minimise environmental impact while top management wants a 24/7 operation.

From an audit perspective we need to recognise this. However, it is not up to us to decide the relevant interests of interested parties; it is up to the organisation. By all means, challenge their decision but do not be tempted to issue a non-conformity unless their choice has resulted in a clear breach of the audit criteria.

Annex SL-based standards require the introduction and maintenance of management systems. This means management intent must be both defined and aligned to the needs of those who receive the results of the management systems. As auditors, we would expect to see related certificates displaying good governance. If this is not the case, the audit needs to find out where in the audit trail the link between management intent and stakeholder requirements has been broken.

Your checklist for making sure management intent is fit for purpose

  1. Look for objective evidence to show stakeholders’ needs and expectations are determined, monitored and reviewed
  2. View the policy statement – this should match the purpose of the organisation and give a framework for the organisation’s objectives
  3. Review the analysis of risk and opportunity – what could stop stakeholder requirements being met and how can their needs be achieved more easily? Is there objective evidence to back this up?
  4. Is there evidence that the organisation has considered stakeholder requirements when setting its objectives and making plans to achieve its goals?
  5. Check stakeholders’ needs are considered when these plans become a reality.

Richard Green, CQP MCQI, is the CQI representative for ISO 17021-3, ISO 19011 and ISO 45001, and managing director of Kingsford Consultancy Services.