James Lamprecht’s preliminary ISO 9001:2015 comments published on # 20 CERM Risk Insights Magazine catalyzes thinking, last but not least on requirement 9.2, internal audit.

Certainly this ISO 9001 supporting process is going to be more challenging; but it will become more subjectively-controlled, too, therefore open to endless – and useless – comparisons based on the very human principle “I’m better than you”.  

When honestly recognized and admitted, the flaws in the ISO 9000 audit processes are evident: be they first- , second- , third-party or even mystery audits.  Audits are such that they have become a formality nuisance insurance-like.  In other words, audited organizations can be granted more credit than non-audited organizations.

Are audits really worth it? Let’s just take a short overview.

1. First-party audit:  usually compulsory to maintain registration, or customer satisfaction.  No one seems to care about them, least of all the organization’s top management, that only wants to have evidence that everything runs right.  Does anyone else care about them?
2. Second-party audit:  this audit process is more complex than the previous one; weather and location are determinant factors, or input, as well as the “sympathy” the second-party lead auditor has for one supplier or another; or the need the buying-party has for the parts to be supplied.  What are the benefits and disadvantages of these audits?
3. Third-party audit:  ISO registration has become a business in itself for a number of years let’s be honest and admit it to ourselves, at least.  News’ records seem to show more scandals in registered, than in non-registered businesses.  The ever disquieting doubt “who controls controllers?” becomes more and more disquieting, as the human kind seems to march on.
4. Mystery audit: surely a good idea but pity it’s based on sampling but not on monitoring – and we all know how samples can be biased. In the end, though tough they can be – both to the auditors and to the auditees – even mystery audits are biased by the same input above.

I don’t want to know Truth, just let me be and live in my – ignoring – peace.

RISK BASED AUDITING
Effective auditing, especially when managing – or processing – risk, also means technicalities, but it’s very far from being limited to those, only.

Effective risk-based, or -oriented, auditing requires auditors and their principals to be first of all aware of the risks the organization will run into, in connection with poor risk audit.

Having in mind Dr. Mobley’s An Introduction to Predictive Maintenance and the focus he puts on Visual Inspection, that is on sensorial perception and analysis, let us name audits the name they’ve been given.

Flaws in audit effectiveness, or their root causes, do not lay on auditors’ professionalism, as some Registrars and Accreditation bodies pretend.   They do lay, instead, in audits principals’ refusal to look for – and accept – real facts.

Let’s all smile, too: we’re all on the risk audit candid camera.