I’m quite a novice in risk audits, though I have twenty years experience in quality audits and fifteen in quality inspections.
I think that audits’ basics – or sound-track – are the same, be they quality, risk, financial audits: auditors are usually – and officially … welcome. Auditors are treated like princes, as a colleague of mine once said, they’re told their work is most useful but – in the end – auditors and audits are a nuisance, even to the top management who might ask for them to investigate deep into the company’s business. Fighting words? Let’s look at risk auditing:
AUDITING BASICS
Any audit is an examination. Any auditor – when good enough – is an examiner, like a doctor who looks straight into your eyes and tells you the sins that you’ve done.
This is why there aren’t so many good auditors and audits. It takes courage to tell somebody who pays you that he has done wrong.
I was enthusiast when I started my career as an inspector, that later developed into an audit career. But after many inspections and many audits, the enthusiasm faded away. More exactly, it grew to a kind of passion for observing audits and auditors, and analyzing how audits were – and are being – done, and auditors’ behavior, too.
I’m in no position to list auditors ‘do’s and don’ts’, but I can certainly list the key features of my own way of doing audits, a list that I hope may help you.
MY AUDITING TIPS
I’m a ‘lark.’ I start early in the morning and I finish early in the afternoon. I dislike auditing night shifts. I find it a useless formality, unless they’re carried out at four or five a.m., that is, when people do really sleep.
I’m concise. I don’t like long talks. The usual blah-blah, when I ask for a question. I want an answer, not a story. Most people find I’m not sympathetic to them when I’m behaving in this way.
I don’t like excessive paperwork too. An audit plan is what it is. It’s seldom read by the auditees and even more seldom implemented. Either an audit plan or the audit initial meeting: both of them mean useless redundancy.
I also do not like that auditors do their work on an informal basis. Audits are technical surveys. Auditors must focus on critical technical matters. Though, it cannot be always easy. It happened to me in Egypt I confess. I had to audit the human resources management process that – as often happens – is governed by ladies. I had four ladies in front of me, one of which was simply as beautiful as Venus. I had to put a stop to the interview. I couldn’t speak a word because I was tongue tied. So, was it an audit?
Field auditors also need to be audited, when not monitored. Monitoring is certainly necessary when they’re new to auditing, but not always necessarily so. I’ve met and worked with ‘seasoned’ auditors who were so used to work according to their own rules that they didn’t recognize that the world had changed.
ISO 9001:2015 CHALLENGES
In implementing ISO 9001:2015, we are facing a double risk that quality auditors will ‘re-invent’ themselves as risk auditors, and vice-versa.
I think it will be easier for risk auditors to develop into quality auditors. The most advanced standards – e.g. automotive – emphasize risk management. On the opposite end of the scale, quality auditors are still too limited by the ISO formal requirements, which make it difficult to have an open vision of a company’s risks.
ISO 9001 has always required conformity to specifications. Now it requires to identify the risks that can impact customer satisfaction but does not say how. Nor it says how to find out what risks within the organization will affect customer satisfaction and how.
My guess is that registrars (certification bodies) will have to roll up their sleeves and not only train ‘once for all’ their auditors but to monitor and audit them very carefully.
Miriam Boudreaux, on the latest issue of Quality Digest Magazine, expresses the issue of ISO 9001 certificates validity. I fully agree with her but it’s not only a question of validity, but is much more a – worrying – question of credibility.
ISO 9001:2015 will raise quite a fuss with its focus on RISK.