ISO 19011:2011, clause 4, “Principles of Auditing”, states that management systems auditing relies on six principles:
- Integrity;
- Fair presentation;
- Due professional care;
- Confidentiality;
- Independence; and the
- Evidence-based approach.
It also states that if the auditor adheres to these principles, the resulting audit should provide the organization being audited (aka the client or auditee) with the kind of information that helps improve its performance. So what exactly are these auditing principles?
Integrity
In the course of an audit, auditors are expected to conduct themselves in an honest, diligent, and responsible manner. They ought to be aware of, and comply with, any legal requirements that apply to the auditee, its business type, or its location.
“Wisdom is knowing the right path to take. Integrity is taking it.”
M.H. McKee (1859-1945)
Auditors should show that they are competent to perform the particular kind of audit. They need to be impartial and they also need to be aware of – and resist – any attempt to influence their judgment.
Integrity is defined in ISO 19011 as “the foundation of professionalism”. If you’re the auditee, ask yourself: Is your auditor acting professionally?
Fair Presentation
As auditors, we are obliged to report on the results of our audits truthfully and accurately. To me, that means I shouldn’t hold back on any information or gloss over the truth to spare your feelings, or to keep you as a client. I will tell you what you need to know to improve your management system, rather than tell you what I think you want to hear. Any time I address the auditee, my communication needs to be as timely, clear, complete, and objective as possible.
In addition, I’m required to report any “significant” obstacle I encounter while I’m conducting the ISO audit and any unresolved differences of opinion between the auditee and me.
Due Professional Care
As auditors, we are expected to use sound judgment and exercise due care while auditing a client’s management system. “Due care” is said to vary according to the “importance of the task they (auditors) perform and the confidence placed in them”. This statement leaves a lot of room for interpretation, so I would advise any auditor to always use sound judgment and exercise the greatest care in all situations.
Don’t treat a small organization any better or worse than the largest one. Perform all audits to the best of your abilities. Apply all of your experience and knowledge to every audit. Learn from every audit in which you take part. Or, as Hippocrates supposedly said, “Do good and do no harm.”
Confidentiality
Every organization has the right to protect and secure its information, to prevent other parties from using its information to gain an unfair advantage. As an auditor, I go through a lot of process data in detail in order to help identify weaknesses in those processes and to determine where, in my opinion, there are opportunities for improvement. The data may also be part of the evidence that I have found a major or minor nonconformity in the organization’s management system.
Normally, though, the audit report is as far as their information goes. I could be faced with an imminent danger to life or property or a violation of the law (up to now, I haven’t been), in which case my duty would be to report the problem to safety or enforcement authorities. If that’s not the case, the client’s information stays with them. It’s standard practice for auditors to sign a confidentiality agreement, so that they are legally bound to it.
Independence
This principle goes hand-in-glove with the principle of fair presentation. In other words, my presentation (report) of my findings is more likely to be viewed as fair, impartial, and objective if I am independent of the party/organization being audited. As an independent auditor, it’s easier for me to maintain objectivity than it is for an insider. My purpose is to identify potential and actual problems in the client’s management system (for instance, production data aren’t being recorded or their records are incomplete, or they’re not using the information to drive improvements) and explain precisely why they are problems (e.g., an ISO standard or a regulation states the auditee is supposed to do “xyz” and they’re not).
An internal auditor may be subjected to pressure from the organization to “give us a ‘passing grade’” or get through the audit quickly because auditing isn’t their only or main focus. I certainly don’t believe that happens in all cases but I have seen it. The organization isn’t being fair to the employee in that case; furthermore, they’re not being fair to themselves.
The Evidence-Based Approach
This is what ensures objectivity and fairness – the idea that when you, as an auditor, believe you have identified a nonconformity, you can’t go forward with only a belief that “something’s just not right”, any more than you can send your next-door neighbor to jail because he prefers t-shirts to collared shirts.
When you write up a nonconformity, you have to describe it. Clearly and concisely describe the problem so the auditee understands it and can identify it for themselves. You have to indicate where and when you identified the problem, how you identified the problem (observed, interviewed, etc.), describe the requirement that is not being met (e.g., “ISO 9001:2008, clause 7.3.1(a), states that the company shall…”), and describe the objective evidence that led you to your finding of a nonconformity or observation.
If I ask an organization’s Quality Manager (QM) to see their Corrective Action (CA) procedure and she tells me they don’t have one, and ISO 9001:2008 requires that they have a documented CA procedure, I appear to have objective evidence of a nonconformity. However, if the Quality Manager says they “don’t really have one, per se, but” she trains every new employee on how to take corrective actions, including how to fill out a corrective action form they have, I dig further.
I find that every employee has been trained to perform corrective actions. The Quality Manager has kept a detailed log of this training. In addition, the Quality Manager has a folder full of corrective action reports and maintains a corrective action log that goes back 3 years and details not just the actions but follow-up activities, as well. There is documented proof that corrective actions are executed and followed up in a timely manner.
I ask the QM what she uses to train employees and she says she uses a PowerPoint slide show; she refers to a printed copy of the slide deck, on which she has handwritten notes and a number of points highlighted in yellow. What do you think? Do I still have a nonconformity?
* * * * * * *
There you have it: the six principles of auditing. The question the auditee should ask, during and after the audit, is whether their management systems auditor is following these six principles. I don’t believe it’s enough that the auditor signs documents that legally bind them to these principles. As the auditee, you should always be observing critically and asking questions.
Make sure you’re getting a good audit for your money.
Notes
1. Since ISO 19011 is a set of guidelines, not requirements, it uses “should” instead of “shall”, meaning whatever is mentioned may be a good idea but it is not mandatory.
2. Whether in oral, handwritten, pictorial, or electronic form.
3. It is impossible to be 100% clear, complete, or objective all of the time, regardless of how ISO 19011 is worded.
4. For example, a key manager is continually unavailable (for an interview, etc.) while the auditor is onsite.