Effective auditing starts with the end result in mind

There’s a saying that suggests we should ‘start with the end in mind’. The basis of this phrase is attributed to the Roman philosopher Seneca, who wrote "Let all your efforts be directed to something, let it keep that end in view". This work is dated somewhere between 49 to 62AD but Seneca’s assertion is still valid today. Stephen Covey’s infamous book, entitled '7 Habits of Highly Effective People' suggests that to be effective at working towards anything, we need to ‘begin with the end in mind’.

So, when planning our internal audit programme, we must consider not only what the outputs of our audits are, but also how they are used and by whom. As with any tangible product, the producers are duty-bound to embody the customers’ needs and expectations.

We know, too, that clause 9.2.1 of ISO 9001:2015 states we must conduct audits “to provide information…”, but what form should that information take? If we want our leadership to recognise what we’re telling them, we should frame our audit information in easy-to-understand terms. What are their needs and expectations? Clause 9.2.2 goes on to say that the organisation shall ensure that the “results of the audits are reported to relevant management.”

Typically, internal auditors who attend ISO Internal Auditor training events, are taught to report in the following ways:

• verbally – during the audit and in debriefing;
• documentary – both in a report summarising the results and by the use of non-conformities.

This would appear to address the 9.2.2 requirements in that a specific audit, with associated scope and criteria, will produce a certain result, including any non-conformities. All very tactical in nature.

Information from audits might be inferred as being ‘the communication of knowledge’. This is gained from one or more audits or the internal audit programme, and closely aligns with the Management Review inputs in Clause 9.3.2 6: “information on the performance and effectiveness…including trends in: 6) audit results” – which sounds altogether more strategic in nature.

"For our audit information – and results – to make sense to top management, we need to be clear about the what, when and why of internal auditing."

Andy Nichols, Quality Program Manager at Michigan Manufacturing Technology Center

Quality management auditor training typically focuses on audit criteria, which is usually the international standards, such as ISO 9001, or its derivatives, IATF 16949 or AS9100D. The scope of the audit is commonly the whole quality management system (QMS) of an organisation (this is especially true with Lead Auditor courses), and the purpose of the audit is frequently to determine the status of the QMS in relationship to being compliant, leading to certification. The results of those audits are a recommendation to be certified or not, and the information is mainly areas of non-conformity that support the recommendation.

The plan informs the outcome

What happens after ISO certification is awarded? Does audit reporting change when the audit scope is a single process? Or when the audit criteria become the organisation’s own QMS? What is the organisation’s goal for the internal audit programme, once the QMS is complying to the standard’s requirements?

For our audit information – and results – to make sense to top management, we need to be clear about the what, when and why of internal auditing. It is the plan that informs the outcomes.

The fundamental internal auditing role is to be the independent verification/validation for management that the QMS is being implemented to achieve planned results. This can be shown graphically like this:

Top management are usually focused on the first two columns: what was planned and what the results are. These are frequently what they are personally responsible for during the organisation’s financial year. Hence, anything negatively impacting the achievement of what’s planned is going to be of significance to them, including:

• employee retention;
• meeting customers’ needs and expectations;
• achievement of schedule;
• planned vs unplanned costs;
• changes (people, products, processes, and so on).

Conversely, internal auditors are taught to verify the compliance to the process – “are people following the procedures?” Consequently, we have a dichotomy. The results achieved and information from audits are seen as mutually exclusive – there’s no connection.

Our internal audit programmes and our audit findings must be planned to forge a connection to managements’ objectives. We do that by ensuring we engage management when planning and conducting audits and then, reporting back on the impacts of process adherence has on achieving those objectives.

Only then, when there’s connection between the plan, the process and the results from internal audits, will management understand what is required of them: action.