#132 – WHAT TO DO IF THERE IS NO AUDIT DOCUMENTATION? – GREG HUTCHINS

Posted on by

Greg Hutchins pixMost organizations have established operational standards, objectives, metrics and expectations, which are operationalized through procedures and work instructions. If these exist, then the value added auditor can use these as a metric to conduct an audit.

The internal auditor determines whether the business objectives, standards, metrics, processes and work instructions are acceptable to meet audit objectives and then determine if they are being met.

But, what does the internal auditor do if there are no technical, procedures, policies, specifications, standards, or other types of documents?

This may raise a major red flag. The lack of defined, accepted, and established process documentation could be among the most glaring deficiencies the auditor could find. Why? Because the value added documentation details customer and organizational requirements. The value added auditor would have nothing against which to check systems or processes to establish what is acceptable and unacceptable. In terms of improvement, standards and specification documents state what is minimally acceptable, what are the benchmarks, and what is the rate of improvement.

If no documentation, standards, or metrics exist to form the basis of an audit opinion, the value added auditor has several options:

  • May proceed no further and inform the auditee and the customer of your decision.
  • May conduct a cursory evaluation of undocumented and uncontrolled systems and report results in the audit.
  • May recommend to the auditee what steps to take to obtain the appropriate specification documentation and develop process controls.
  • May work with the auditee to develop realistic standards and documentation (requires rescoping engagement so auditor is no longer independent).
  • May report opportunities for improvement (OFIs).

Any of the above requires a rescoping of the audit, which should be reflected in the updated audit brief. The decision of what option to follow rests with the auditor’s customer or supervisor and depends on time constraints, importance of the audit, and other risk factors.

Bio:

Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com)  is the founder of:

CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com

He is the evangelist behind Future of Quality: Risk®.  He is currently working on the Future of Work and machine learning projects.

He is a frequent speaker and expert on Supply Chain Risk Management and cyber security.  His current books available on all platform are shown below:

Leave a Reply

Your email address will not be published.