Edit this article

Last edited 07 Dec 2020

Main author

ConSIG CWG Institute / association Website

Auditing management systems

1 Introduction
2 What is auditing?
3 Why audit?
4 Risk based auditing
5 Categories of audit
- 5.1 Internal audits
- 5.2 External audits
  - 5.2.1 Second party audits
  - 5.2.2 Third party audits
6 Accreditation of certification bodies
7 Types of audit
8 The typical phases of an audit
9 Audit Findings
10 Important principles for auditors
11 Auditor behaviours
12 Annex 1 Suggested Opening and Closing Meeting Agendas
- 12.1 Opening Meeting
- 12.2 Closing Meeting
13 Annex 2 Useful Auditing tools
14 Related articles on Designing Buildings Wiki

[edit] Introduction

Auditing is a prime way of locating risk in management systems and acting to reduce that risk to as low as reasonably practicable. It is key to continuous improvement as it sits under performance evaluation. Auditing as a tool can be used to “check” that planned objectives are being met.

This article provides an overview of the key principles, benefits and components of auditing.

The simplicity of auditing as a tool means that it can be used across a range of industries, disciplines and organisation types. The application of audit effectively helps to facilitate improvement and assess compliance. It is an exercise in gathering information from which decisions for change can be made.

[edit] What is auditing?

Many views exist regarding the meaning and purpose of auditing. These views are often based on the experiences of individuals. Below are some popular definitions that have been drawn from the international standard for auditing, ISO 19011:2018, and from the Institution of Occupational Health and Safety (IOSH):

Auditing aims to find objective evidence (or evidence that’s as objective as possible) for whether the current way of managing safety and health meets the organisation’s safety and health policy and aims (IOSH).
An audit is an evidence gathering process. Audit evidence is used to evaluate how well audit criteria are being met. Audits must be objective, impartial, and independent, and the audit process must be both systematic and documented (ISO 19011).
Audit - systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled (ISO 19011).

[edit] Why audit?

Audits can be used for many different purposes and benefits, which include, but are not limited to:

Examine existing management systems, usually against known standards, to gather information from which decisions can be made
Process or procedural improvement
Certification purposes
Ascertain fulfilment of compliance obligations (legal, industry and other requirements)
Assess the capabilities of supply chain
Follow up audits of the above.

The purpose of audit is not to lay blame for problems or errors, to witch hunt or to settle arguments. Auditees are frequently concerned or emotional just prior to an audit. It is the responsibility of the auditor to help to allay those feelings. Sometimes, the expectations of senior management teams can reinforce the search for someone on whom to lay blame. Management at all levels have a duty to support auditees during an audit.

[edit] Risk based auditing

The concept of risk-based audits is aligned with the ISO 9001:2015 requirement for risk-based thinking. In alignment with determining an organisation’s context, its strategic direction and the associated risks, a risk-based audit approach can be used to determine if a management system can deliver the planned objectives and results. Ideally, an organisation should use the outputs from tools, such as risk registers and PESTLE and SWOT analyses to influence and prioritise audit activities.

[edit] Categories of audit

[edit] Internal audits

Internal audits, also known as first party audits, are performed by organisations on themselves and typically look at determining:

Opportunities to introduce improvement in all processes
Compliance to corporate policies and processes
Employee awareness of management systems.

They can be used to assess if management systems are performing effectively and whether processes are meeting the organisation’s compliance obligations.

Internal auditors must be independent of the activities being audited. This means that they should not be part of, responsible for or have influence over the function, process or discipline they are auditing.

[edit] External audits

External audits fall into two categories: second party and third party.

[edit] Second party audits

These are audits against standards imposed by businesses onto their suppliers. These audits are extremely important for all clients who need to confirm that the supplier can provide product and/or services that have been contracted/ordered.

Auditors should recognise that there will be a relationship that will or may in the future exist between their organisation and the one being audited. This may be a pre-contract audit being undertaken of several suppliers in competition prior to contract placement, an audit at the start of a contract to confirm that the right arrangements have been implemented or an on-going confirmation of implemented arrangements.

Auditors need to take care to understand the relationship and to act accordingly. For example, an organisation that is offering itself in competitive tender may push forward a well-polished view of its arrangements.

These audits typically look at confirming:

Effective management systems in place
Fewer defects for products & services (zero defects programmes)
Better response on customer service
Robust inspection & testing, together with accurate and visible records
Better storage & handling of product, together with traceability of product to source
Equipment maintenance & calibration
Necessary resources, including competent labour, are available
Effective checking & approval of design
The capability of equipment or process to produce to required specification/tolerance.

Supplier audits can also be performed by independent auditing organisations on behalf of a clients, for example, Achilles or SSIP (Safety Schemes in Procurement).

[edit] Third party audits

Third party audits, commonly known as certification body audits, may be performed by independent authorities or certification bodies, which are regulated by accreditation bodies such as UKAS (United Kingdom Accreditation Service).

Certification body audits demonstrate to interested parties that a management system complies with the requirements of a recognised standard and compliance obligations.

Care should be taken in employing certification bodies that do not have independent accreditation, especially those that offer a cheap path to certification, either with or without an off-the-shelf manual and procedures, as these may not accurately match the direction the auditee wishes to follow and organisations should consider whether or not they are getting value for money.

[edit] Accreditation of certification bodies

The use of an accredited certification body is recognised as best practice as all accredited certification bodies are assessed against the same standards to ensure that certification bodies are impartial, auditors are competent and that they provide a consistent service.

UKAS is the only accreditation body for the UK. It monitors the arrangements, processes and delivery of certification bodies, so they are also subject to surveillance.

UKAS is appointed by Accreditation Regulations 2009 (SI No 3155/2009) and the EU Regulation (EC) 765/2008 and operates with the Government through the Secretary of State for Business, Innovation and Skills.

Outside the UK other accreditation bodies exist that may have other accredited registration bodies. Care should be taken to confirm that any accreditation body is a member of the International Accreditation Forum or equivalent.

[edit] Types of audit

[edit] Vertical versus horizontal audits

The terms “vertical” and “horizontal” relate to the way the organisation operates. You can go “vertically” through departments following a thread or “horizontally” looking at all works passing through that department. For example, an auditor from a project auditing a sub-contractor is interested only in the works being conducted under the sub-contract, whereas an audit of a department may be conducted by a third-party auditor or internally to determine how the department operates overall.

[edit] Vertical audits

These audits would be undertaking by following a process by discipline or function. For example, a vertical design audit would look at the following for a design department:

Requirements capture
Feasibility
Conceptual design
Detailed design
Buildability or manufacturability.

[edit] Horizontal audits

These audits can be used to assess the effectiveness of a process across functions/departments or lifecycle. They follow an audit trail that follows the process for goods and materials, for example:

[edit] The typical phases of an audit

[edit] Introduction

All audits follow a standard process, although the depth may be reduced under certain circumstances. This section gives a high-level overview of the key phases of an audit and should not be considered as auditor training.

[edit] Strategic audit schedule

The strategic audit schedule can be issued at regular intervals, normally annually or quarterly, and define the audits to be delivered over a period. It should be based on:

The status and importance of activities being conducted; this may include results from previous audits, criticality to the operation of the organisation, known issues, level of legal compliance and so forth
The results of previous audits (internal & external)
Corrective actions
Changes to systems elements
Introduction to new methods and technology
Organisational and personnel changes
The risk to quality if audit frequency is reduced
Availability and competence of audit personnel.

Factors to be considered when developing an audit schedule should include:

The audit objectives and criteria
The audit scope including processes to be audited
The dates and places where the on-site audit activities are to be conducted
The expected time and duration for the on-site activities including safety/security requirements
Persons to be interviewed
Competence of auditors.

[edit] Individual audit planning and preparation

[edit] The audit plan

Each auditor must prepare an audit plan for each individual audit contained in the strategic audit schedule. The individual audit plan forms the basis for the audit and allows the following:

The auditor can arrange for notification to be sent to the auditee following a discussion and agreement over the scope, dates and other administrative arrangements
The auditor can propose the order and approximate timing of visits to audit areas
The auditee can confirm the plan and make suitable arrangements to assure that the right staff will be available
The auditee can confirm that appropriate lengths of time are allocated to each element of the audit
The auditor can watch time progressing during the audit
The auditor and auditee can make suitable arrangements (eg is a guide needed? Are there any safety controls? Is PPE required?)
Examine documents
Prepare checklists.

One small caveat: the auditor should not make too detailed a plan, as any changes can throw a lot of work aside. Also, apart from time for formal meetings at the start of the audit and at the end - see below - (and lunch, of course) no definite times should be stated, so as not to constrain the audit. Where the audit continues for more than one day, a “wash-up” meeting should be held at the end of each day.

[edit] Audit notification

The lead auditor sends the auditee notification of the forthcoming audit. This is the first action defined in the audit plan and identifies:

Location(s) and date(s) for the audit
Times of opening and closing meetings
Audit objectives, scope and criteria
People (by name or role) who will need to be available
Documented information that will need to be available
Equipment that may be required.

[edit] Conducting the audit

[edit] Audit checklists

Audit checklists are normally useful for the auditor. An audit checklist:

Is generated by the auditor
Provides a structured list of points to evaluate against requirements
Identifies and communicates the scope of an audit
Is a tool to gather evidence and provide an audit trail
Guides the course and controls the pace of an audit
Keeps audit relevant to objective
Provides evidence of planning
Assists with note taking
Reduces risk to bias
Helps to manage time
Assists in the preparation of the audit report.

[edit] Performing the audit

Detailed below are the key steps that an auditor takes in performing an audit.

Hold an opening meeting by:
- Conducting introductions
- Explaining the audit objectives, scope and criteria
- Confirming the definitions of nonconformity and observation (or equivalent) to set the expectations of the auditee
- Confirming the audit programme and timings
- Confirming the audit process and arrangements.
Interview personnel and:
- Examine documents.
- Observe processes.
- Examine materials and equipment.
- Collect notes throughout.
Hold interim meetings with auditors, if more than one, to provide an opportunity to compare notes and write up findings
Hold a closing meeting by:
- Introducing anyone who was not at the opening meeting
- Re-stating the audit objectives, scope, and criteria
- Providing the audit conclusion - executive summary
- Explaining the audit findings - detail of factual findings
- Follow-up activities that may be required (but see below)
- Obtaining ownership and commitment
- Reporting arrangements
- Clarification of any questions
- Confirming the confidential nature of the findings
- Discussing the future, including agreeing, if appropriate, the time for the auditee to present a corrective action plan.

[edit] Points to note

Opening meetings set the scene for the audit. They are led by the auditor, who should provide enough opportunities for the auditee to explain and provide information, although this should not be time-wasting. The items to be included will vary from audit to audit. Generally, external audits tend to have more formal opening meetings, whereas internal audits can be quite relaxed.

The auditor should also put the auditee/s at ease and make it clear that that an audit is to confirm that processes are being followed, not a witch hunt to catch people out.

Auditors are not there to interrogate the suspect. The normal technique is to ask a general or “open” question to allow the auditee to provide a picture of what is going on and to encourage detailed responses from the auditee. This is then following by a series of more “probing” questions that seek to provide the auditor with a clear picture of the process and the results of the work being conducted. Auditors should finally confirm their understanding by asking a “closed” question that generally elicits the answer “yes” or “no”.

The auditor needs to take adequate notes to enable him/her to write the audit report, as well as identify tasks and items to be dealt with later. However, notes need to be concise and not interfere with the progress of the audit any more than necessary. Important notes should be taken of any information relating to any potential nonconformities.

The audit report should be written up and presented as soon as possible after the audit so that the audit findings are fresh in people’s minds, but not necessarily on the day that the audit is completed. Any findings on which the organisation is expected to take action should be written clearly and in such a way that they can be located by the organisation - and by an auditor during a follow-u[p visit.

[edit] Audit follow-up & corrective action

[edit] Process and principles

Close out previous audit findings
Verify the effectiveness of corrective actions taken previously and the probability of recurrence
Establish if any special visits are required to close out items
Discuss the next audit.

[edit] Reasons for undertaking follow-up

Timely completion of corrective actions
Effectiveness of corrective actions
Realise the benefits gained from the audit
Measure the effectiveness of the audit programme.

[edit] Audit reporting

An audit report provides a record of the audit in relation to the audit objectives, scope and criteria and the audit findings. Typically, an audit report should include a summary, a description of the areas and activities audited, the audit findings, the personnel involved and the attendees at the opening and closing meetings.

The audit findings enable corrections to be made, corrective actions to be taken, opportunities for improvement to be identified and provide information for management reviews.

[edit] Audit Findings

[edit] Nonconformity

Nonconformity means failure to comply with requirements, whether specified or implied, although different organisations may use different terminology to describe the difference between what is found during the audit and the process/es that ought to have been followed.

A nonconformity report is not a ‘ticket’ that has been issued and not something that should be written out in front of an auditee.

The management of the area being audited is responsible for deciding what action to take in response to identified nonconformity. This may include action to correct something that has been done incorrectly (correction) or action to prevent the same thing, or similar, happening again (corrective action).

The organisation needs to get to the bottom of the reason for the nonconformity. There are several techniques for doing this that are described elsewhere. In general, the reasons may arise from one of the following:

The auditee had not followed the procedure but had found a way around that seemed to provide no risk (the auditor should look wider and “audit it out” to find the reason why and note any risks that may have been engendered by the unauthorised change)
The auditee had not followed the procedure with risk to the product or service offering
The auditee had followed the procedure, but the procedure was inappropriate, ineffective or just plain wrong.

It is not a part of the auditor’s duty to propose actions, otherwise the auditor might be made responsible for the outcomes if the action goes wrong.

[edit] Observations

These can be called by several different names, such as “improvement points” or “opportunities for improvement” and may be raised under the following circumstances, among others:

There is some good work going on that deserves to be recorded
There is a concern that is outside the scope of the audit
Something looks as though it may become a problem, but hasn’t yet.

[edit] Feedback

The output of the audit will have been discussed as part of the closing meeting. That should never be the end of the matter, as there will be opportunities for the quality management system to be improved as a result. The most appropriate persons to make any changes are those intimately involved in the part of the organisation affected by the finding. A note should be recorded of the action, the actionee and the date by which the action has to be taken.

A check should be made to confirm that the action has been taken and that the change has stuck.

It is useful to analyse the results of all audits over time, just to make sure that the same concerns are not raised in different areas of the organisation or repetitively in the same place.

[edit] Important principles for auditors

Never lose sight of the basic aim of an audit
It is an audit of the process rather than the person
Seek to achieve management commitment in response to audit findings
Listen lots more than talking
Be assertive; never aggressive or passive
Always be fair and balanced
Be naturally inquisitive
Never point the finger!
Keep it simple and concise
Keep the audit outcome confidential
Publish in a timely manner.

[edit] Auditor behaviours

The competence of auditors is essential in the success of an effective audit process. Good practice is for the auditor to have attended an IRCA recognised auditing course. Individual competence also requires that the behaviour of an auditor is neither aggressive or passive but is assertive. The term “assertive” is not easy to define, as assertive to someone in an office environment may well be different to that when auditing a construction supervisor!

According to clause 7.2.2 of the international standard ISO 19011:2018. “Guidelines for auditing management systems” auditors should also possess the necessary attributes to enable them to act in accordance with the six principles of auditing. These six principles are:

Integrity
Fair presentation
Due professional care
Confidentiality
Independence
Evidence-based approach.

The professional behaviours that auditors should display during the performance of their audit activities, including being:

ethical: fair, truthful, sincere, honest, and discreet
open-minded: willing to consider alternative ideas or points of view
diplomatic: tactful in dealing with people
observant: actively observing physical surroundings and activities
perceptive: aware of and able to understand situations
versatile: able to readily adapt to different situations
tenacious: persistent and focused on achieving objectives
decisive: able to reach timely conclusions based on logical reasoning and analysis
self-reliant: able to act and function independently while interacting effectively with others
acting with fortitude: able to act responsibly and ethically, even though these actions may not always be popular and may sometimes result in disagreement or confrontation
open to improvement: willing to learn from situations, and striving for better audit results
culturally sensitive: observant and respectful to the culture of the auditee
collaborative: effectively interact with others, including team members and auditee personnel.

The selection of auditors should consider competency in terms of knowledge, skills and experience, as well as, personal traits and characteristics. Potential auditors can be evaluated through interviews, training, and testing. The competence and behaviour of auditor trainees can be assessed through witnessed audits and feedback from the lead auditor. Ongoing evaluations can involve solicited feedback from the managers of the audited areas.

Auditors, particularly when acting in a 2nd or 3rd party should assure the auditee that commercial and organisational confidentiality will be maintained. In certain cases this may be formalised in a non-disclosure agreement (NDA).

[edit] Annex 1 Suggested Opening and Closing Meeting Agendas

These agendas should be tailored to the type of audit and the conditions under which they are being used.

[edit] Opening Meeting

Introduction of the audit team by the Lead Auditor, if not already done.

Introduction of the organisation’s representatives and their responsibilities.

Confirm the purpose of the audit:

To assess the suitability of the organisation for inclusion on the approved List of vendors by carrying out an audit on the organisation’s quality management system
To assess the on-going suitability of the quality management system to meet the business needs of the organisation
To examine the operation of the documented quality management system for its effectiveness in ensuring that the contract requirements are met in the most effective and efficient manner and to identify any risks there may be to successful completion of the project
To examine the overall management system of the organisation to identify any potential risks to delivery of the contracted items to meet schedule.

Confirm the criteria for the audit, eg the organisation’s documented quality management system and its supporting procedures. ISO 9001:2015 will be used to provide guidance and to ensure that the business unit’s commitments are met.

Explain the recording of findings:

Nonconformity: the non-fulfilment of one or more specified requirements substantiated by objective evidence
Corrective action report: a formal request to resolve a nonconformity; this will require a person of adequate authority to accept the nonconformity and to define suitable actions to resolve the nonconforming condition in a timely manner
Observation: a statement of fact backed by objective evidence that lies outside the scope of the audit, but needs to be brought to the attention of the organisation.

Explain the role of the guides:

To act as witnesses to audit findings
To escort the auditor to the parts of the organisation agreed within the scope and to ensure that the auditor does not enter into areas of personal danger.

Confirm that all aspects of the audit will be confidential.

Explain that the audit is a snapshot in time and that it will only examine a set of examples. Any nonconformities that are reported in the closing meeting represent those that were found and that other nonconformities may exist in areas that were not examined.

The organisation is requested to:

Confirm who will be acting as guides
Confirm that the programme is acceptable
Confirm that suitable arrangements have been made for personal safety and product protection
Confirm that suitable office accommodation will be available during the audit for review, wash-up and closing meetings; accommodation has to be available also for the auditors to prepare reports, etc.

[edit] Closing Meeting

Introduction of the meeting participants, if there are persons who were not at the opening meeting.

Thank the organisation for their hospitality and assistance during the audit.

Comment on the good points found in the audit (lead auditor).

Re-confirm the purpose of the audit:

To assess the suitability of the organisation for inclusion on the approved List of vendors by carrying out an audit on the organisation’s quality management system
To assess the on-going suitability of the quality management system to meet the business needs of the organisation
To examine the operation of the documented quality management system for its effectiveness in ensuring that the contract requirements are met in the most effective and efficient manner and to identify any risks there may be for successful completion of the project
To examine the overall management system of the organisation to identify any potential risks to delivery of the contracted items to meet schedule.

Re-confirm the criteria for the audit, eg the organisation’s documented quality management system and its supporting procedures. ISO 9001:2015 will be used to provide guidance and to ensure that the business unit’s commitments are met

Re-confirm the recording of findings:

Nonconformity: the non-fulfilment of one or more specified requirements substantiated by objective evidence
Corrective action report: a formal request to resolve a nonconformity. This will require a person of adequate authority to accept the nonconformity and to define suitable actions to resolve the nonconforming condition in a timely manner
Observation: a statement of fact backed by objective evidence that lies outside the scope of the audit, but needs to be brought to the attention of the organisation.

Present the findings. This can be a summary by the lead auditor, followed by the detailed findings by the auditors who found them.

Agree the timetable for the preparation of the corrective actions. The actions should be written on the corrective action report form and submitted to the quality management team by the agreed date.

Confirm that all aspects of the audit will be confidential.

The lead auditor confirms with the rest of the audit team and the auditee that all points have been covered.

The lead auditor requests a senior member of the organisation to sign the front page of the report, requests a copy of the report and leaves the original with the organisation for completion of the corrective action(s).

Return all documents belonging to the organisation to the organisation, if appropriate.

[edit] Annex 2 Useful Auditing tools

This article was originally written by Keith Hamlyn on behalf of the CQI Construction Special Interest Group, reviewed by members of the Competency Working Group and approved for publication by the Steering Committee on 24 April 2019.

--ConSIG CWG 12:46, 18 Jun 2019 (BST)