By Mike Richman
I recently completed hosting duties on Exemplar Global’s Future of Auditing Expo. This online event was loaded with interesting perspectives from auditors, trainers, and authors (and in fact, many of the presenters fulfilled all three of those functions in and of themselves). The Expo covered forward-thinking topics like machine learning, data analysis, cybersecurity, using cloud-based technology, and even the psychological aspects of the auditing function. Interesting—and unique!— perspectives, indeed.
During a live session, titled “What Is the Future of Auditing?” I was joined by Greg Hutchins of CERM Academy, Jackie Stapleton of Auditor Training Online, and Bud Weightman of Qualified Specialists LLC to dig into the future of the profession and what it means for those working as auditors. The top-line takeaway is a good one for auditors; namely, that the auditing function isn’t going anywhere. There is now and will continue to be a strong call for experienced professionals who can probe an organization’s structures and processes to ensure that they conform with the management system standards that are designed to improve output. Whether on site or remotely (and the sense is that both will be important in coming years), auditing will remain integral for organizations within manufacturing, service, and transactional sectors.
Beneath that rosy executive summary, however, there are some thorny and complex issues that need sorting out. Following are some of the topics that were broached during the live session, complete with perspectives from our panelists.
What will auditors need to know?
“Number one, an auditor will need to be a subject matter expert,” said Weightman near the top of the broadcast. Expertise, knowledge, and experience will all be the stock in trade for successful auditors of the future even more so than today, because the costs of failure in quality, safety, or environmental management will continue to soar due to processes becoming more layered and complex. The risks of non-conformance will therefore naturally increase, requiring ever-more technically astute auditors to identify conformity assessment issues.
It’s not just technical skills that tomorrow’s auditors will need to improve, however. “You have to know the standards front to back, but you also need to be able to relate to people and build a relationship,” said Stapleton. “It’s not just about learning what’s in the standard. It’s learning about how to develop personal rapport, too.”
Of course, becoming an SME does not just happen. It takes focused attention, study, training, and the desire to apply what you’ve learned in working within a variety of real-world situations. Exemplar Global and QLBS, for example, have partnered in the Audit Simulator project to bring deep understanding to auditors with scenarios that closely replicate those in the real world—perfect for building just the kind of expertise we’re discussing here.
Integrated audits are gaining traction
Today, there are still a great many auditors who exclusively handle ISO 9001, or ISO 14001, or ISO 45001. But increasingly, auditees want and expect a single point of auditing contact for these and other operational areas covered by standards.
“Being an integrated management system auditor is going to be the way to go, especially as the auditor gets closer to retirement and wants to be able to pick up work in a variety of areas,” said Weightman.
Stapleton agreed. “Quality was my first love, but I soon found that I could get more work with bigger players who were triple certified by also auditing environmental and health and safety management systems. So now we tell our students, ‘Why not do it all?’
Integrated auditing can certainly deliver a bigger bang for the buck not just in terms of costs, but in efficiency, too. Auditees often have silos even within their quality, health and safety, and environmental management system, not to mention other functions. Therefore, integrated audits represent a great opportunity for auditors in the years to come because the auditees themselves will be calling for them.
Different kinds of audits require different kinds of skills
We spent a good deal of time during the live session delving into emerging career opportunities that range far beyond typical certification or re-certification audits. In this, the area of risk-based auditing is central—and that’s Hutchins’ special area of knowledge.
“Risk-based audits are going to be a requirement for internal, second-party, and third-party audits,” stated Hutchins definitely. “The clients will want these new forms of auditing and higher levels of assurance in their processes. This is something very different from a certification audit against ISO standards—it’s risk transference from the backs of the client to the professional organization that conducts the assessment.”
That assurance really comes to play in more technical standards like ISO 27001 and/or certain NIST standards, which involve much deeper assessments, where the organization emerges with a professional opinion on their risk.
Those working within a risk-based framework will require more time on site due to the complexities of these audits. Naturally, that will require a higher degree of training for the auditors/assessors—and that can result in better compensation, too.
“This all will generate a lot of opportunities for trainers, for consultants, for everyone,” Hutchins stated. “For example, in quality, we have the old Deming PDCA cycle. In our world, in the risk world, we have to actually design risk controls for an organization. So, if we’re coming in consultatively, we design their controls. The PDCA or PDSA cycle doesn’t work for us, so we architect a control system, design it, deploy it, and assure it. That’s our equivalent to the PDCA cycle—architect, design, deploy, and assure. The second thing we do when we design risk controls is what we call the 4Ps (standing for proactive, predictive, preventive, and preemptive). As we move forward, we’re not going to see things through a quality lens anymore… it’s going to be seen through a risk lens.”
Stapleton reinforced the enormously important point during this part of the discussion that certification auditors are prohibited from the kind of consultation and assurance/professional opinions that Hutchins was talking about. And that’s critical—these types of professional opinions are clearly outside the bounds of what is considered as the role of ISO certification auditors. But if you are an ISO certification auditor with the present technical skills and experience to dig deep into risk and potentially provide a professional opinion of this nature, contemplating this very different type of role for an entirely new type of clientele has to be intriguing, to say the least.
Final thoughts from the panel—and from me
I closed by asking each of our panelist to summarize their key takeaways for what the future of management system auditing will look like.
“I think that the future is going to be risk-based auditing,” offered Hutchins. “I think consulting-wise, there is going to be a big need for companies and people to design and architect risk-based systems, control systems. I think there’s going to be more traveling because nowadays, if you’re going to do a risk-based audit, you have to be on site, gathering enough evidence so you can prove with a 95-percent confidence level that the controls are in place, economic, and working effectively. And to get that type of evidence, you have to be on the site, looking at things, taking samples of large populations of items. You can’t do that remotely.”
“I believe that it’s critically important to learn technology and how it applies to auditing,” said Weightman. “Learn new methods and disciplines—risk is a great one. In addition, seek different certifications in different management system standards so you can go after integrated certification. Learn technical information about the fields you want to be in. It’s important to be relentless in your pursuit of learning. If you don’t do that, you’re going to become passé in auditing, and that will show.”
“That’s a great segue for me,” said Jackie. “My big advice is to stay curious. I do think that there is still a place for remote auditing; obviously, it will be balanced with on site as we are released from our various restrictions. The big thing I’ve noticed is that it’s now accepted to work from home. Even many of my clients have moved their existing staff to work from home; new hires are asked to work from home, too. Since my company went live with our online training in 2013, our team has always worked from home. We used to hide it; we were embarrassed. We didn’t think we were portraying this global company that we were. So, we used to hide it. But now, it’s so accepted. With that, however, working from home presents some health and safety risks that as workers and employers we need to be aware of. It’s not just a matter of safety, it’s mental health as well, isolation, etc. So please be aware of that. Coming back to auditing, I absolutely agree with Greg and Bud that getting your technical competencies are of the utmost importance, but also be a real person. Be relatable. You can do that remotely as well. It’s a bit more challenging remotely than in person, but I think we should all be aware of being a real person so that you’ll get the best out of your client and auditee.”
From my perspective as a journalist/moderator as opposed to a practitioner, my chief recommendation for those in the auditing field is to rid your mind of the vestiges of paternalism. Once upon a time a young person could get a job in a given field, pay their dues, follow the rules, and feel fairly confident that an employer would take care of them throughout their career. Clearly, those days are gone. Today, everyone needs to take their careers fully and completely into their own hands. If there are trainings you want and need to gain new skills, take them—whether your current employer pays for them or not. Are you hearing about new standards or sectors that you think hold promise? Explore them, network with colleagues new and old, and find out all you can, even on your own time.
Don’t wait! The future is out there, and whether you meet it, or it meets you is entirely your choice.
To watch the on-demand version of “What Is the Future of Auditing,” please click here. We are also very much interested in your feedback on what the future looks like for auditors and the auditing function, so please take a few minutes and let us know your thoughts in the comments below.
About the author
Mike Richman is the principal of Richman Business Media Consulting, a marketing and public relations company working with clients in the worlds of manufacturing, consumer products, politics, and education. Richman also hosts the web television program NorCal News Now, which focuses on social, economic, and political issues in California. He is a contributor to (and former publisher of) Quality Digest.