In March 2018 Shuchi Arya and I published an article about Auditors and Auditing. At the time, we had great feedback and so many great comments on it. Since then, a new version of ISO 19011 (July 2018) and, more recently, the COVID 19 pandemic unexpectedly disrupted (also) the Audits world. It seemed to make total sense to release an updated version of the article.
Formal auditing processes began to be implemented with industrial evolution as method for detecting fraud and establishing financial accountability. The financial sector, particularly after the development of stock markets, was the great promoter for establishing formal and regular audits procedures mainly to provide investors information that they could trust.
Relatively to food safety audits, although HACCP has been introduced by Codex Alimentarius back in the 1969 it was considered that this Code of practice was not auditable. It was only with the surge of Food Safety Standards at the end of last century that food safety audits become common. As any other audit, food safety audits involve interviews and documentation review to access compliance with a specific set of standards. A food safety audit focuses on gathering information about a food business to identify any areas of potential improvement in the business’s food safety processes and systems, also identifying areas of the business that have deficiencies and the appropriate action to correct any deficiencies.
ISO 19011:2018 – Guidelines for auditing management systems defines audit as: “A systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled”.
Audit provides the opportunity for a second set of eyes. It provides the information needed to ascertain whether the system is operating effectively or if any changes need to be made. There are several types of audits from which the organization may choose according with their own objectives. Below is present a brief description of the most common.
Types of audits
Many persons/organizations may have interest in the audit. One way that is commonly used distinguish audits is between internal and external audits.
A. Internal audits
Internal audits are often called First Party Audits. This is when someone from the organization itself will audit a process or set of processes to ensure it meets the procedure that the company has specified. This person can be an employee of the organization or someone hired by the organization to perform the internal audits. These audits will be credible when first party auditor is genuinely independent and free to bias. If you decide to use first party auditors to make a self-declaration of compliance, make sure that they aren’t auditing their own work
These audits can and should be much more in depth than the other audits, since this is one of the best ways for a company to find areas to improve upon.
B. External Audits
External Audits perform on a supplier by a customer or by a contracted organization to ensure that they are meeting the requirements specified in the contract. These audits tend to be more stressful to the auditee since it can condition the customers’ buying decisions.
It is important to understand that a second-party audit is between the customer and the supplier and has nothing to do with becoming certified.
They are performed by independent organization that should be free of any conflict of interest regarding the clients/customer relationships. The independence of the auditor is a core principle for these audits since is the only way to maintain confidence on it whatever the audit outcome may be.
Other common definitions for audits are:
When two or more auditing organizations cooperate to audit a single organization. At the end a single audit report is produced.
When two or more management systems of different disciplines are audit together at the same time. This option can reduce cost and audits duration.
Virtual Audits means auditing an virtual site where virtual site means organization which performs work or which provides a service using an online environment i.e. allowing persons irrespective of the physical locations to execute processes (e.g. Cloud computing , company intranet etc). By nature, Virtual Audits are always done remotely.
Remote Audits are those audits performed electronically due to circumstances like pandemic situation or any country restrictions to visit a particular place. Remote auditing refer use of Technology to gather information, interview an auditee etc when face to face methods are not possible. Remote Auditing is already an existing term in International Accreditation Form (IAF) and you can find many Informative Document (ID) upon the same.
By nature Remote Audits can be of a virtual site or a physical location.
International Accreditation Forum (IAF) , International Laboratory Accreditation Cooperation ILAC and International Organization for Standardization (ISO) have worked together in July 2021 to produce a survey to better understand the views of the conformity assessment community and those that rely on the results of conformity assessment, on the use of remote techniques for audit/assessment/evaluation activities. Now the need of the hour due to pandemic situation has forced us to think upon the hybrid technologies of Onsite and Remote Auditing.
“Why following rules?”
Rules help to make audit an effective and reliable tool in support of management policies by providing information on which an organization can act in order to improve its performance. Adherence to these rules is a prerequisite for providing audit conclusions that are relevant and sufficient and enable auditors, working independently from one another, to reach similar conclusions.
ISO 19011 is a standard that provides guidance on how to audit management systems (internal or external audits). The focal point of the new version of the standard ISO 19011:2018 is the consideration of evolving technologies and the increased focus on risk. Key changes are:
I. Changes in terminology:
The Terms and definitions section has been revised. This revision encompasses the inclusion of the most important terms and definitions of ISO 9000:2015 such as: audit, audit team, management system, and risk. The terms ‘documents and records’ have been replaced with ‘documented information’ and ‘suppliers’ has been replaced with ’external providers, among others.
II. Changes in the principles of auditing:
The 2018 version of the standard has placed an enhanced focus on the utmost newly added principle – the risk-based approach – which considers risks and opportunities during the planning, conducting and reporting phases of an audit. In order to ensure that audits are focused on matters that are significant for the audit client, and for achieving the audit programme objectives, the risk needs to be considered from the design of the audit programme to the issue of the audit report. The application of the risk-based approach can serve as a tool for risk prevention, and optimization of the efficiency and effectiveness of the audit process and its outcome(s).
Below a brief description of the audits principles according ISO 19011 standard.
I. Integrity: the foundation of professionalism
Auditors should perform their work with honesty, diligence, and responsibility in an impartial manner, i.e. remain fair and unbiased in all their dealings.
II. Fair presentation: the obligation to report truthfully and accurately
Audit findings, audit conclusions and audit reports should reflect truthfully and accurately the audit activities. The communication should be truthful, accurate, objective, timely, clear and complete.
III. Due professional care: the application of diligence and judgement in auditing
Auditors should exercise due care in accordance with the importance of the task they perform and the confidence placed in them by the audit client and other interested parties. Auditor must have the ability to make reasoned judgements in all audit situations.
IV. Confidentiality: security of information
Auditors should exercise discretion in the use and protection of information acquired in the course of their duties. It includes the proper handling of sensitive or confidential information.
V. Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions.
Auditors should be independent of the activity being audited wherever practicable, and should in all cases act in a manner that is free from bias and conflict of interest. For internal audits, auditors should be independent from the operating managers of the function being audited.
VI. Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process.
Audit evidence should be verifiable. It will in general be based on samples of the information available, since an audit is conducted during a finite period of time and with finite resources. An appropriate use of sampling should be applied, since this is closely related to the confidence that can be placed in the audit conclusions.
VII. Risk based approach: an audit approach that considers risks and opportunities.
This risk-based approach should substantively influence the planning, conducting and reporting of audits in order to ensure that audits are focused on matters that are significant for the auditee and for achieving the audit programme objectives.
Auditors Skills and Techniques
A benchmarked auditor cannot exist, being Human the Auditor like everybody else has a unique set of characteristics. However, some of the processes used by certification bodies to calibrate auditors can help in developing the skills.
Have you got what is takes to be a good auditor? Strong technical and ethical characteristics are fundamental to audit success.
Auditing is a complex process which involves many different skills and responsibilities. Also, in the current environment, the auditor continues to face ever-increasing demands because of regulation and client expectations. At one end of the spectrum, the auditor has the pressure to sufficiently document the work performed and on the other end, the auditor faces the pressure to get the work done on time. These pressures can cause auditors to fall into the “complete the task” trap, giving them the illusion that to get the job done on time and the audit opinion will be correct. The balance of both has to be maintained to be as characteristics of an auditor that are essential to audit success.
So here are some of the techniques one can grasp:
Being tactful will make your job easier and produce a factual report. Auditor must be tactful in dealing with people particularly time wasters. While your report must be accurate and factual, make sure you include Positive Points also where possible.
2. Good communicator
Effective communication occurs when the client understands exactly what you are saying. Communication skills allow auditors to have connection with others. The technological world in which we live today can negatively impact the audit staff’s ability to become an effective communicator, especially when e-mail becomes a substitute for face-to-face communication with audit clients. A good auditor recognizes the importance of face to-face communication and strives to make it the primary mode of communication. Clients want to talk to the auditor, and the better the auditor is at effective communication, the better the conversation is with the client. Effective communication occurs when the client understands exactly what you are saying. Achieving this is not easy but once achieved, it will set you apart from the rest.
Great leaders have the desire to help others succeed. Henry Ford said, “Don’t find fault, find a remedy.”
This statement is a classic in the context of leadership; leaders find solutions, they don’t place blame. An auditor that is a leader finds solutions to complex problems. Auditors should know how to lead the audit day (e.g. time management, other auditors in case it it a team) to achieve the best possible outcome.
4. Good listener
Personnel are often quite defensive when being interviewed about their tasks so putting them at ease is an essential requirement.
The most often overlooked people skill is listening. Listening seems like a simple concept, but few do it well. Many auditors listen to hear the answer they want to hear rather than to listen for understanding. When the client answer, the auditor must “listen” completely; missing one small piece can cause them to miss the message entirely.
Reaching timely conclusions based on logical reasoning and analysis. Decision making can be hard. Mostly decision involves some conflict or tradeoff. The challenging part is to select the best given information that you have gathered to assist with the decision.
Audits historically started in a time of crisis and with the objective of control if banks were following rules after the great depression. Until today audits still have this negative charge of someone controlling another. Even for experienced people, sometimes with decades of experience in the field, is hard to face the audit day with the right mindset. In fact, this may explain how so few organizations use internal audits as a source of self-assessment instead of simple step in preparation for an external audit.
In the last years the introduction of unannounced audits in food safety programs and the growing number of organizations that are adopting it even when not mandatory, is a step in the right way. This encourages organizations to maintain their food safety program based on a daily-approach and not in an external audit-approach. In a time where developing a Food Safety Culture is becoming a priority in the food industry (an even a requirement in European Union) what better message can Top Management send to everyone then promoting the use of unannounced audits even for internal audits.
This article was written with SHUCHI ARYA Senior Manager -Food Safety Compliances
Disclaimer: The information contained on this article is based on research done in the last months and the authors personal experience and opinion. It is not intended to represent the view of any organization they work for or collaborate with. The authors will not be held liable for the use or misuse of the information provided in the article.