by Denise Robitaille
It’s a no-brainer for third-party auditors—if they have a financial interest in the success of a company or can benefit in any way from the outcome of an audit, they need to decline the assignment. This thwarts even the suggestion of collusion or bias. Similarly, there’s an injunction against providing consultation during an audit. This mitigates the eventuality that auditors would suggest things that need to be fixed and then recommend their own firms as the providers of the fixes—for a fee. It also reduces the likelihood that auditors would presume to offer solutions without fully understanding the context or the culture of an organization.
Offering advice results in two drawbacks. The first is that precious resources are lost if the company implements the wrong solution based on suggestions provided by auditors who, without having conducted a robust root cause analysis, presumed to know more than they actually did about a given circumstance. The second drawback is that the client is deprived of the learning that’s implicit in the solution-development process. For certification and regulatory audits, the prohibitions against consulting and conflict of interest are clear.
But what about internal audits? There’s little likelihood of personal financial gain or incidents of out-and-out bribery to extort a favorable audit result. Where then do concerns arise? Why should organizations be vigilant to ensure against conflict of interest?
ISO 9001:2008, clause 8.2.2 states, “Auditors shall not audit their own work.”
Let’s take an example of an individual who has responsibility for auditing a manufacturing process, including the in-process inspection. This auditor, as part of her regular job, has responsibility for managing the calibration program. During the course of the audit, it’s observed that several micrometers lack adequate identification of calibration status. The auditor may decide to remedy the situation with great alacrity and due diligence. However, she may determine that this doesn’t warrant root cause analysis and corrective action. She may not perceive that the nonconformity could be symptomatic of a serious problem that can only be illuminated and addressed through the corrective action process. In those instances (especially in those markets where integrity of calibrated equipment is of elevated criticality due to the nature of the product), it would be advisable to ensure that another auditor is assigned the audit.
In another scenario, the internal auditor is an individual who has been recently transferred from equipment maintenance into the production area. Technically, this person is no longer in the preventive maintenance department. However, records to be audited will most likely stretch back to his tenure, resulting in the auditor auditing his own work. Should there be any findings, the risk exists that the auditor would not report the nonconformance due to embarrassment or fear—a recurring theme in many audit environments. Or the auditor may genuinely believe that the errors are too insignificant to warrant corrective action. The conflict of interest is twofold: personal interest inherent in wishing to save face and presumption of insider knowledge that may cloud objectivity and judgment. “I ran this program for years. I know how it’s supposed to work.” The person may even purport to know “where the bodies are buried.” This person should not be assigned to do any audits that involve the preventive maintenance program for at least a year.
In each case the auditors have a vested interest in part or all of a process. It may be their egos or their personal integrity. It may be their concern for co-workers’ feelings or for ensuring that resources aren’t wasted on what they deem to be trifling matters. The attitudes and presumptions are not deliberate. Their reactions are neither calculated nor surreptitious.
In small organizations, it’s really difficult to put together a comprehensive audit schedule without having some overlap of responsibilities. There are two tactics to mitigate the occurrence of conflicts of interest. The first is to have an audit pool large enough to prevent auditors from auditing their own work. This can be challenging, but not impossible—provided each auditor only gets assigned two or three audits per year. The second tactic involves vigilance and training. Auditors need to be reminded that it doesn’t matter how familiar they are with a process. They must read over the documents with fresh eyes, ask questions without presuming to know the answer, and report findings honestly, regardless of personal opinion or interest. And finally, they must inform the manager of the audit program if their current or prior level of involvement in a process could skew their objectivity.
About the author
Denise Robitaille is a member of the U.S. TAG to ISO/TC 176, the committee responsible for updating the ISO 9000 family of standards. She is committed to making your quality system meaningful. Through training, Robitaille helps you turn audits, corrective actions, management reviews, and processes of implementing ISO 9001 into value-added features of your company. She’s an Exemplar Global-certified lead assessor, ASQ-certified quality auditor, and ASQ Fellow. She’s the author of numerous articles and several books, including The Corrective Action Handbook, The Preventive Action Handbook, and her latest book, 9 Keys to Successful Audits, all published by Paton Professional.