by Andrew Barham
Checklists can help auditors remember what to ask and what to look for during an audit, and they normally have a place to write down audit evidence. There is normally a column that allows us to mark some form of symbol to show the finding—C for conformance, NC for nonconformance, O for observation, or something similar.
And what is wrong with that, you might ask? Well, it can drive bad processes, bad procedures, and ultimately bad management systems. It’s not good for your business.
Certification auditors and regulatory auditors audit against a standard: either a national one such as an Australian standard or an international one such as ISO 9001. These standards include requirements and are often written generically so that they cover all industry types and sizes of business. They are not written to suit an individual business—they are written to logically group requirements together.
For example, there may be a section on purchasing that details which requirements an organization needs to meet when it buys something: what criteria suppliers need to meet, the inspections and checks that are required, the documentation and records needed. Some businesses, however, have a central purchasing function where all the purchasing is done by one group, whereas other businesses may have their purchasing decentralized, so people across a range of departments or functions may be buying things.
If the auditing body develops a checklist around the standard it’s auditing against, the logical way to write this is the same way that the standard is written—to follow the requirements of the standard. In this instance, all the purchasing requirements would be grouped together in one section. Make sense? Of course it does.
We are now going to flip from the organization that writes the criteria or checks against it, to the business that is being checked—the one that has to comply with the requirements. We are now looking at this from the point of view of the auditee, rather than the auditor.
An efficient and effective business must operate in a way that suits itself. Its method must address its operation, its people, and strategic direction. The business may operate at one site or may have many locations, with some locations permanent (like the branches of a bank) and some locations temporary (like a construction project).
The structures of businesses also vary: some have a flat management structure, some a hierarchical management structure, and some a matrix structure. And then there are family businesses, public companies, corporations, government departments, and multinationals. Some have fewer than 10 employees, some have thousands.
Now back to the auditor and his or her job: to audit and follow and complete the checklist. Using a checklist is a bit like reading a book. The auditor starts at the beginning and works through each question until the end, then stops.
You can see where I’m heading here.
Because the auditor is reviewing the business against a checklist that does not align with the business, something has to give. And what gives is often the business’s management system because it’s the auditor who has the power. Over time the business’s management system starts to look a lot more like the checklist and less like the business. In some extreme cases there are businesses that have more than one management system, each one written to suit a particular auditor, standard, or regulation.
Another issue that drives ineffective behavior is the report template. If the report template is again laid out in the same format as the audit criteria, this is something else that is “suggesting” the business management system (BMS) is best when it fits nicely with audit criteria. When the audit criteria, the BMS and the audit report all align, everyone is happy and the certificate is issued. What could be simpler?
So what is the answer?
As we can see, having a detailed checklist that is in the same format as the criteria, then writing a report that follows and remains in the same format as the checklist, is all very good and efficient for the auditor. However, it’s not very good for the business because it’s not how the business operates.
I like to think there is a better way. When I audit, I use a prompt sheet. A prompt sheet is different from a checklist: it’s not as detailed and doesn’t have a place to record information. Information is recorded on a blank notepad so that the auditor has the flexibility to ask the same question multiple times and record different answers. If you audit at multiple locations you can use the prompt sheet over and over again, while still recording your evidence in the notebook against each of the locations.
And as for the audit report, you are primarily writing it for the business that you are auditing, not for yourself. Write the report around the business’s processes, its locations, and its functions—not around your own requirements.
If you are a certification or regulatory auditor, structure your processes to produce an audit that serves the auditee organization’s needs—not your own.
About the author
Andrew Barham is a director at PwC Australia, leading PwC’s Auditor Training & Certification. Andrew has over 30 years’ experience, having audited some of the world’s largest organizations in a broad range of sectors including construction, infrastructure, oil and gas, aviation, manufacturing, government and utilities.
For more information about PwC’s Auditor Training & Certification, and to find out how they can help your organization deliver an integrated audit approach, visit auditortraining.pwc.com.au.