by Andy Hofmann.
In my last article for The Auditor (January–February 2010), I explored some of the content of ISO 9001:2008 as it relates to outsourcing and audit administration. In discussing this with some of the people kind enough to provide feedback on the article, there was concern expressed about how much additional time would be involved in assessing outsourcing and its related requirements. It was clear from the comments that external third-party auditors are under significant time pressure to complete their audits. We were able to identify three sources of this pressure: audit administration, competitive pressures, and organization complexity. In this article, we will explore the source of these issues and provide some suggestions on how to manage them.
ISO 19011 requires every audit to include preparation, planning, conduct, reporting, and follow up. To do this, there is no getting away from some administrative requirements. Each stage is an important part of the audit process. Let’s explore each requirement and the time it will take the auditor to complete it.
Audit preparation requires the assembly of an appropriate audit team with the required technical skills. Usually performed by the registrar’s back office, this involves looking at the economic sector that the client operates in and finding an audit team with the technical and audit expertise to serve its needs. For example, an auditor who has spent his or her career in aerospace quality wouldn’t be sent to an environmental audit of a food processor.
Each registrar will maintain an auditor qualification process. Qualification will be for specific standards, such as ISO 9001, OHSAS 18001, and ISO 14001, along with the industry code. This can be complex because an auditor may be qualified to perform audits to multiple standards, but not for the same industries. For example, an auditor might be qualified to conduct audits to ISO 14001 for a food processor, but may not have the expertise to audit the same organization to ISO 9001. One of the most scrutinized areas of oversight by accreditation bodies is the consistent application of the qualification process. Thus, registrars spend a significant amount of time demonstrating control over their auditors’ competency.
This means that auditors must assemble a summary of their formal training and experience when they enroll with a registrar, and the registrar must keep this information updated. Registrars differ in how much documentation they require, but an auditor should expect to take several days to gather the necessary documentation.
To demonstrate continued competence, auditors should keep track of the audits they have conducted over the years. Formal training by the auditor that expands his or her technical abilities needs to be submitted also. An auditor might spend a day or more updating his or her credentials every year.
The audit plan is the next piece of administration that needs to be accomplished. Usually completed by the lead auditor, this document will define the schedule of audit activities. Registrars will have a form that defines the timing of various audit activities. Usually process based, this document will break down the schedule of interviews and functions that the auditors will review. Auditors are expected to have this prepared for the client well in advance of the audit to ensure that necessary resources are available. For single site or small organizations, a plan can take less than an hour to complete. However, for complex organizations that have several sites, a proper plan can take several hours to assemble.
Registrars have different requirements for the kinds and amounts of evidence that auditors should collect during their audits. Some require extensive notes, which must be submitted with the audit report. Others require that the notes be transcribed into the audit report. Still others require that the collection of client records and documents be keyed into the audit plan. Whatever the requirement, auditors need to be able to support their conforming or nonconforming decisions. No less than 80 percent of the time allocated to the audit must be spent on this phase.
Audit reports differ greatly between registrars. Some have software that delivers the report immediately after the audit. Others simply list the nonconformities and follow up with a formal report days or weeks after the assessment. Others are somewhere in between. Regardless, when the auditor is observed pounding away at the computer in the conference room, he or she is probably working on the audit report. Still, no more than 20 percent of the time budgeted for the audit should be consumed by reporting its result.
The audit report isn’t just submitted to the client; the auditor submits it to the registrar too. There, the report is reviewed to ensure that it contains all the necessary information to support the registration decision. This happens at each audit, not just the initial certification, and is part of the accreditation rules contained in ISO 17021. If the auditor has missed a piece of information, he or she will be asked to spend additional time to fully complete the report. This usually takes a few minutes, but on occasion it can add up to significant time.
Follow up will be necessary for assessments in which nonconformities were noted. The follow up can be on-site or off-site, depending upon the seriousness of the nonconformities. If the nonconformities were serious, the auditor should generate another audit report to communicate either the acceptance of corrective actions or the need for additional work. Follow up time isn’t included in the time initially scheduled for the conduct of the audit and is billed separately by the registrar. The time commitment here is anywhere from 30 minutes to one or more days.
Although the audit itself consumes the bulk of the audit schedule, one can see that there are significant time commitments in the planning and follow up phases of the audit. It’s not unusual for an auditor to participate in a three-day audit and invest an additional one or two days in its administration.
To be successful in managing the administrative burden, auditors must stay current with all their engagements. The auditor must have a weekly process by which he or she looks out four to five weeks in his or her schedule to ensure that he or she has audit plans for upcoming work. The auditor must also look for previous audits that have found nonconformities and ensure that he or she follows up on them. These must be addressed by the client and responses reviewed. Travel time should be planned for if this will require an on-site visit. Microsoft Outlook and Lotus Notes allow auditors to send themselves reminders of deadlines and to plan for future assignments. Discipline in keeping this information current is paramount to success as an auditor.
The time allocated to the performance of third-party audits is defined by national accreditation bodies in each country. Accreditation bodies also accredit certification bodies and registrars in accordance with ISO 17021. In the United States, the accreditation body is ANSI-ASQ National Accreditation Board (ANAB), which has issued accreditations to more than 20 certification bodies.
ANAB doesn’t operate without direction. The body that provides direction to the accreditation bodies is the International Accreditation Forum (IAF). The IAF provides a system of directives, the most important of which are mandatory documents (MD). Regarding audit time, clause 9.1.4 of ISO 17021 states:
“The certification body shall have documented procedures for determining audit time, and for each client the certification body shall determine the time needed to plan and accomplish a complete and effective audit of the client’s management system. The audit time determined by the certification body and the justification for the determination shall be recorded. In determining the audit time, the certification body shall consider, among other things, the following aspects:
- The requirements of the relevant management system standard
- Its size and complexity
- Its technological and regulatory context
- Outsourcing of any activities included in the scope of the management system
- The results of prior audits
- The number of sites maintained by the organization”
Because this requirement alone didn’t result in consistent audit times, the IAF issued more specific direction through MD 5, Duration of QMS and EMS audits. This document contains a series of tables that account for the population of the organization that’s seeking registration when planning its audit time. The more people an organization has, the longer the audit will take. This is illustrated in figure 1.
Figure 1: Determining Audit Length (table of audit time in days for Stage 1 and Stage 2)
The audit time in this table is based upon:
- Number of processes
- Design responsibility
- Number of locations
This is where things get really interesting for auditors tasked with performing meaningful audits. In practice, the time indicated in the table is rarely increased because of:
- Competitive pressure. Certification bodies compete for business. The organization with the lowest price usually wins, so there is substantial pressure on the auditor’s day rate and the number of days an audit will consume.
- Reduction guidance. MD 5 provides the kind of substantiation that’s necessary for the registrar to reduce audit time. As long as one or more of these are documented in the registrar’s file, accreditation bodies will rarely challenge it on its audit times. Think about it this way: The accreditation body is conducting its audit mainly in the office of the registrar. Without going to the client location, it’s impossible to determine the accuracy of the contents of the file. Accreditation bodies do sometimes witness audits, but the sample size is always small.
- Audit psychology. Auditees have other jobs and audits disrupt their work schedules. The shorter this disruption, the more quickly they can return to their workloads.
These pressures have resulted in the optimization of audit time. I had clients in the 1990s that have grown and become more complex, yet their audit times have decreased. This means that to perform meaningful audits, we have to be better organized.
Out of the eight hours the auditor is given for each audit day, a portion of the time is devoted to reporting. The more complex the report, the less time is spent auditing. Some of my clients have reported experiences in which their auditor was available for only half of each audit day. The rest was consumed sitting in front of a computer entering data, even though the IAF’s MD 5 indicates that at least 80 percent of an eight-hour day is to be consumed by auditing.
Lead auditor courses teach trainees that an audit day is long. Courses stress that reporting and documentation is to be performed only after the audit day is complete, and many lead auditor courses assign evening work to emphasize this. It has been my practice to do the reporting work in the evening, in some cases stretching the day well beyond ten hours.
Modern technology streamlines the reporting process. In addition, if we are truly to perform process audits, the audit report should look more like a strengths, weaknesses, opportunities, and threats (SWOT) report than the traditional clause-by-clause verification. This requires a hybrid report that captures the organization’s goals and targets and then follows them into key processes. It would then be a simple matter of identifying the linkage between the process and the clauses on a one-page matrix. Process-based assessments have been recommended since ISO 9001:2000 was published, so clearly, auditors should generate process-based reports.
Organizations have changed substantially in the 31 years that I’ve been involved with auditing. The automation now used in everything from financial systems to human resources processes has permitted much of the work to be programmed. In addition, regulations that organizations must comply with have changed significantly.
The recent financial crisis has resulted in additional regulation and structure in the financial sector. As an ISO 9001 auditor in the financial sector, I experienced something similar after the Enron situation when Sarbanes-Oxley was introduced and additional programs were written, additional personnel were hired, and additional audit trails were necessary. This additional regulation and complexity plays out in many economic sectors.
Auditors must stay current on these changes and monitor how organizations are responding to them. Online focus groups and forums provide information and strategies on how to manage this evolution. As a virtual community, auditors can assist one another in finding strategies to continue to be the best we can be.
Auditing today is a terrific challenge. There is always pressure to reduce the time involved in what we do. Automation and organization skills can assist us in succeeding, but forums like The Auditor newsletter and online virtual communities are the critical final piece.
About the author
Andy Hofmann has been involved with management systems for more than 30 years. He has audited more than 2,500 systems, giving him a unique opportunity to view organizations that are performing well and those that struggle. A regular contributor to American Society for Quality management systems conferences and publications, Hofmann’s intellectual property has received wide acceptance. Currently the president of ICS Certification Services, Hofmann continues to work with management systems professionals throughout North America. He has an MBA from the University of Toronto and is a Certified Engineering Technologist.