Auditing for the Boss

Abstract

There are two basic evaluation methods for any work activity: inspection and audit. The inspection says what was. The audit says what will be. Both are needed.

When implementing an audit program, there are four fundamental principles to be considered. First, audits provide information about the future. Second, those performing the audit are capable of performing their duties. Third, audits measure performance against agreed criteria. Fourth, the conclusions of an audit are based on fact.

Through rigorous preparation, thorough examination, and serious analysis, your auditors can identify strengths and weaknesses. They must present results aimed at the three business drivers of cost, production, and risk.

Introduction

There are two basic evaluation methods for any work activity: inspection and audit. The first one, inspection, examines the output of a process to certain characteristics. These characteristics, generally classified as form, fit and function, have been specified and the item either possesses the characteristics or it does not. The result of an inspection is always binary: pass or fail. It states what was or what is.

The audit evolved in the twentieth century, as business practices became more complex. The first use of auditing appeared in financial transactions, as tax collectors and bank examiners needed assurance that the financial data were correct. This concept of verifying compliance was picked up by the quality profession in the 1960s and applied to military and nuclear power uses. Today, the audit is applied to all organizations, from manufacturing to health care to government and all the rest. Third-party registration audits, regulatory inspections, and most supplier audits measure compliance to existing requirements and if that compliance will continue. Internal audits should examine compliance as well as business cost, production and risk elements. They need to focus attention on business results.

Fundamental rules

When conducting an audit, there are certain basic rules that must be obeyed. First, audits provide information about the future. Second, those performing the audit are capable of performing their duties. Third, audits measure performance against agreed criteria. Fourth, the conclusions of an audit are based on fact.

Rule 1 - Serve your customers

Audits provide information. All affected parties need to know if product, process, and system controls are present and being applied. Sometimes there is also a desire to know if these controls actually work. Auditors evaluate actions against requirements and produce a report. If controls are present and working, confidence exists about the future. If controls are missing or not working, then resources must be applied to fix the problems.

Auditors serve three customers: the auditee, the audit boss, and the organization. All three are important. In addition to passing the audit, the auditee would like to know if their organization is functioning effectively. This outside perspective can be quite valuable. The audit boss is the person who commissions the audit. The audit boss is accountable for the auditors and their reports. Committees cannot generally perform this function. You need an audit boss to schedule the audits and make assignments. Finally, the auditors must serve the needs of the organization. Business values are important and the auditors can assist by determining if the enterprise is actually achieving its cost, production, and risk goals.

Rule 2 - Use qualified people

Auditors must be able to carry out their assignments in an impartial and objective fashion. This means that they cannot have a vested interest in the activity being audited. If they developed the rules, they cannot (impartially) evaluate the effectiveness and application of those same rules. Although the auditor can never be totally independent of the auditee, there must be a separation. It’s fine to audit within your own group, but you can’t audit your own job.

Auditors must also be capable of doing their job. They need certain skills in the emotional, intellectual, and mechanical areas. Your auditors should attend courses, read books, and observe others to obtain this knowledge of the audit process. In addition to knowing how to do an audit, an auditor must be familiar with the technical processes being examined. A good way to demonstrate this familiarity is to flowchart the activity to be audited. If auditors cannot flowchart it, they cannot audit it. Finally, the auditor needs to be able to communicate, both orally and in writing.

Rule 3 - Measure against agreed criteria

Auditors are not allowed to make up the rules! They must audit against standards of performance that are already in place and accepted by the auditee. This is the planning part of plan-do-check-act. Often, these requirements are classified in tiers or levels. The highest of these are corporate policies, management system standards, and regulatory requirements. Usually originating from outside the auditee’s organization, they are the goals and objectives to be achieved. National and international standards, such as TS 16949 and ISO 9001, fall in this highest category. Next come the local approaches for implementing these high level requirements. These are often called manuals. They give the framework for achieving the concepts and should be fairly compact. They are site-specific and address the local systems. Manuals are followed by a number of process-specific procedures. Further detail can be provided in specifications, such as drawings, assembly instructions, traveler sheets, and sampling plans. One of the challenges of an auditor is to obtain and become familiar with the many levels of requirements forming the basis for the audit.

Rule 4 - Use facts to form conclusions

Auditing is fact based. From the data, conclusions are drawn. Facts can be good (a requirement was met) or bad (a requirement was not met). There can be no judgment or opinion here. Also known as objective evidence, these facts can come from five sources. They can be physical properties, such as flow rates and dimensions. They can be sensory derived, from seeing, hearing, smelling, or tasting. They can be documents or records. They can come from interviews with auditee staff members. Finally, they can be patterns of these four types, such as percentages or ratios. Auditors use checklists and other tools to determine the facts to be gathered. Then they perform the fieldwork to gather these facts.

The audit report

The output of the audit process is a report. The audit boss receives the report from the auditor and delivers it to the auditee. In order to prepare a report, the auditor must take all of the good and bad facts and make some sense of the data. The auditor must analyze the data.

The first step is to list all of the good and bad facts. Then sort those data into piles by controls or problem areas. Generally, there will be a large number of bad facts associated with just a few control items. This natural chunking of the data allows the auditor to see the patterns, rather than the individual events. The auditor should then identify the pain associated with those piles of bad facts. It is important to identify pain in business terms, such as scrap, rework, and overtime. Then, the auditor combines the missing control and the business pain into one statement, called a finding. This takes the form of cause and effect, the two items that are necessary in a meaningful audit finding. Under the finding statement, all of the bad facts associated with the missing control are listed. A reasonable person, presented with those same bad facts, will draw the same conclusion. Because the business pain is identified, there will be a tremendous desire to do something about it. No one wants pain to continue. That is a basic human characteristic.

By associating the bad facts with their controls, the auditor is now at the system level of analysis. This has lasting value, because the system drives the processes, which produce the product (or service).

Conclusion

Audits measure actions to requirements. They examine the product, process, and system against standards of performance. This has value when the requirements have been thoroughly tested and scientifically proven. Rarely, is that the case. Most manuals, procedures and specifications are the result of a small number of individuals, putting some rules together with limited resources. They aren’t perfect. By looking at results, the audit can determine if those plans and approaches are any good. If not, there is a desire to make them good, because the developers and users can see the adverse consequences. The auditor is no longer a policeman, but is now a productive member of the organization. That is good.