by Craig Cochran

Principles are an excellent way to begin our exploration of auditing. After all, these are the ideas that form the foundation of any successful audit program. Many of these principles will seem like common sense, but I’ve come to understand that common sense is indeed not very common. Even smart and experienced auditors sometimes forget these principles. That’s why we have to build the audit program around these ideas and then continually reinforce them. Let’s examine each one and discuss what it means.

Focus on processes, not people

A great deal of evidence gathered during the audit comes from people. That’s because organizations are made up of people. They’re analyzing information, making decisions, and producing products. Despite being a primary source of evidence, people aren’t really the focus of the audit. We’re focusing on the processes, methods, and procedures that are in place. People are the conduit through which we learn about the process.

When there are audit nonconformities (and trust me, there will usually be nonconformities), we make changes to our processes, not our people. A focus on people leads to corrective actions such as verbal reprimands, written warnings, and dismissals. These corrective actions don’t actually change the way work is being done. We might have changed the people, but the same flawed methods will be in place. Effective audits focus on the process and the resulting corrective actions are aimed at improving the process. The only way to make improvements is by changing the way work is being done.

Don’t strive to find nonconformities

This principle may sound strange, given the way some authors conduct themselves. Auditors should try to find evidence that the organization is meeting its requirements. In pursuit of this, it’s inevitable that nonconformities are going to come up. Nonconformities or not, the auditor’s attitude is one of someone carrying out an improvement activity in partnership with the auditee. It’s not a “gotcha” exercise. A good auditor examines a reasonable sample of evidence and draws conclusions from it. No need to keep digging and digging until nonconformities are found. As far as I know, no auditor has ever been paid by the number of nonconformities found.

Some of the most profound outcomes of an audit are the best practices that are revealed, especially in a mature management system. Effective audits identify isolated pockets of excellence that are unknown to the wider organization. In this way the audit becomes almost a benchmarking exercise, with parts of the organization learning from other parts. Effective auditors begin each audit in a “learning” state of mind. They expect to find best practices and positives they will learn from. This learning state of mind makes auditors especially receptive to the good things the organization is doing.

Auditors are naturally curious and persistent, so it’s hard to suppress the satisfaction you might feel when you uncover a nonconformity. There is a visceral thrill that auditors feels when they identify problems that can affect the success of the organization. Nevertheless, effective auditors always conducts themselves in a professional manner. No cheering, high-fives, or shouts of ecstasy when you find a nonconformity, please.

Keep yourself unbiased and impartial

In a word, effective auditors are fair. They simply examine evidence and draw factual conclusions. This can be especially challenging for internal auditors because you know most of the people you’re auditing. You know people who are smart, silly, careless, and downright reckless. In fact, there are probably people you like and people who (gasp) you don’t. Effective auditors have to lock away all these opinions during the audit and approach the audit with fresh eyes and open minds. In spite of your certainty that the guys in the warehouse are a bunch of idiots, you still treat them in the same way you do everybody else. You don’t dig deeper and try harder to find nonconformities. When auditors have especially strong feelings about certain functions, either good or bad, they realize that there is no way they can be unbiased. In these cases, auditors work with the lead auditor to find someone else who can audit the function impartially. Fairness is the consistent thread that runs through every effective audit.

Independence is another aspect of being impartial. This refers to being organizationally separate from the function that you audit. You certainly don’t audit your own work and you avoid auditing your department. It’s best not to audit any area where you have an existing reporting relationship. No matter how hard you try to be unbiased, you’re tied to the function and you’re likely to be influenced by the relationship.

Maintain confidentiality

The results of the audit do not belong to you. They belong to the entity requesting the audit, known as the “audit client.” This is usually top management. The audit results go to top management, and they are also shared (at least verbally) with the auditee, but that is as far as they go. The audit client gets to decide who else will hear the audit results. It’s your responsibility as an auditor to maintain confidentiality over the results. Audit “war stories” make interesting conversation, but they should never stray into the territory of talking about an organization’s specific strengths and weaknesses. Maintaining confidentiality is a professional courtesy, of course, but it’s also a matter of self-preservation. Auditors who betray confidentiality are not invited back in the future.

Base the audit on requirements and evidence

At the heart of auditing lie two things:

1. An understanding of relevant requirements
2. A search for evidence that meets requirements

The factual approach of requirements and evidence keeps the audit purely objective. The auditors’ opinions of what should be done have no relevance. What matters is what the organization has committed to, and whether it’s meeting those commitments. Auditors certainly have opinions and most have valuable experience in the industries they audit. But an audit isn’t a consulting visit, it’s a friendly evaluation aimed at driving improvements. When audits stray from a strict focus on requirements and evidence, they become fuzzy and subjective—exactly what you don’t want.

Be professional

Effective auditors are consummate professionals. This doesn’t mean they’re stiff unblinking robots who refuse to crack a smile. It simply means they are good communicators, well-prepared, smartly attired, and, of course, cordial. When people are going through the trouble of being audited, they want to know their auditor is a pro. This provides credibility to the audit process and lets the participants know it won’t be a waste of time. Professionalism doesn’t necessarily depend on years of experience, either. I’ve seen novice auditors who were exceptionally professional and veteran auditors who were less professional than a circus clown. It all goes back to preparation. If you do the correct amount of preparation for the audit, and arrive ready to produce excellent results, you will be truly professional.

Beyond basic principles

It’s helpful for auditors to think about the audit as a series a friendly conversations. That’s really what audits are. Auditors chat with employees about their methods, tools, materials, and products. The information revealed during the conversation is compared to the organization’s requirements and the auditor determines whether the commitments are being met. In either case, the determination isn’t a secret. If we’re meeting requirements, or even going above and beyond requirements, the auditors will congratulate the employees. If the commitments are not being met, the auditors confirm their understanding of the requirements and also confirm their understanding of the evidence. Auditors don’t assume anything. Good auditors verify everything they see and hear because it’s very easy to misinterpret information during an audit. The whole process of gathering evidence and determining conformity is conducted like a conversation among partners. As auditors, that’s exactly what you are: partners in the organization’s improvement processes.

Another important point is that top management has to be involved in the audit process. They will certainly be audited and may even act as auditors themselves. Having top management visibly involved in auditing gives the process credibility. This credibility is like a passport to all corners of the organization. When auditors are supported by top management, auditees will cooperate and provide auditors with whatever they need.

Following these principles will enable you to get top management support and maintain the attention of the entire organization. After all, you’re there to help the organization. Yes, I know the old joke, “We’re auditors and we’re here to help you.” When you audit a management system, it’s actually true. Believe it, and carry the rest of these principles with you wherever you audit.

About the author

Craig Cochran is a project manager with the Georgia Institute of Technology Economic Development Institute. He has served in management roles in multiple industries-including textiles, glass manufacture, semiconductor, and telecommunications-for nearly twenty years. Some of his specific areas of expertise include customer feedback methods, auditing, development of key measures, organizational development, management systems of all types, and problem solving.

Cochran is a Certified Quality Manager, Certified Quality Engineer, and Certified Quality Auditor through the American Society for Quality, and is certified as a QMS Lead Auditor through Exemplar Global.

This article originally appeared in the November-December 2014 issue of The Auditor newsletter. Subscribe to The Auditor and get access to articles like this delivered to your desk. Subscribe here.