Auditing: The lead auditor

Introduction

This book is for first-time lead auditors. It presumes that you have done an orientation to quality auditing and, preferably, also done an audit as audit team member.

As a lead auditor, you will have general oversight of all aspects of the audit, involving the following:

1. oversee audit team members:
   1. help select them
   2. define the role of each one, and
   3. assign their tasks
   4. re-assigning them if necessary
2. oversee any trainee auditors
3. help prepare an audit plan and define requirements
4. manage audit team resources before and during the audit
5. comply with any relevant auditing requirements
6. represent the audit team to the auditee's management
7. review documentation
8. take any necessary contingency actions
9. report serious noncompliance with standards immediately to auditee and client
10. report illegal activities to authorities
11. issue the final report to the client.

Your organization

Familiarize yourself with your own organization's requirements. It will probably have its own policy, procedure and protocols on how to conduct all stages of the audit.

1. The audit procedure may specify the recording procedure, audit methods used, evidence required, location, timing of audit. Check that these are consistent with the purposes of the audit.
2. relevant legislation, codes, and standards relating to workplace legislative compliance
3. management systems
4. use of audit/assessment tools
5. industry practices and procedures
6. quality management principles
7. organizational auditing procedures
8. management system principles
9. the procedures that apply in different circumstances;
10. the principles of quality assurance and how they work in organizations;
11. options for corrective action;
12. the organization's appeals and disputes systems;
13. audit reporting requirements and how to interpret the content of reports;
14. criteria for evaluating the risks and impact of identified discrepancies.

Ethics

1. Auditors must be appropriately qualified. This breaks several ways:
1. As a team, you need together all the expertise required for the audit. In many cases, this will mean that you have at least a subject matter expert on the team with whom you can consult; you don't have to be the total expert on everything.
2. You will need specialist expertise in the area you audit. For example, if you audit laboratory procedures in a chemical factory, you probably need to be a qualified chemist or chemical engineer.
3. Having a clear, written standard to audit against can also take some of the angst out of the judgment call.
4. You might need to work under the supervision of someone else until approved to audit independently. This is especially the case for trainee auditors.
2. Auditors must be independent and free of conflict of interest.
1. If you are an internal auditor, the IAA recommended structure is that the audit department is responsible to a committee of the board. This gives you independence from the general management structure and lines of accountability. As a second-best system, internal auditors are responsible to the CEO. The current trend, however, is to outsource internal auditing to specialist organizations.
2. In an internal audit, it is a conflict of interest to try to audit your own work, no matter how honest you are. It's like trying to check your own typing; you are naturally blind to your own oversights.
3. The IAA deems it a conflict of interest if an auditor was previously in charge of the audited body, unless a substantial period of time has elapsed.
4. conflicts of interest can be institutional, even if there is no money or privileges.
3. Comply with audit requirements, including:
1. any specific standards with which it is planned to comply, and
2. remain within the scope of the audit.
4. Respect boundaries. What if you are auditing in a person's home? How much can you ask to see, and where is the line that it is their personal business?
5. Be objective.
6. Even if you are fully qualified to conduct the audit, you could run into limits of your expertise. Do not act outside your expertise. Get help if you need it.
7. Do not disclose any details to an auditee during an audit that would compromise the audit.
8. Don't discriminate on the basis of race, gender, religion, etc.
9. Respect copyright. You will sometimes need to get copies of documents.
10. Handle documents appropriately, especially confidential documents.
11. Avoid inducements. Direct bribes are uncommon in Australia , but inducements may be more subtle if given in kind, such as expensive accommodation and meals. What if the auditee takes you out for lunch? How expensive does it have to be before it is out of order?
12. Maintain confidentiality
1. Audits are strictly confidential. You have the power to explore weaknesses and cannot release audit information to anyone, even orally, except to your supervisor and the auditees. Audit statements should list the confidentiality requirements.
2. Do not compromise commercial advantage. For example, you might get information on the details of commercial deals currently being negotiated, or information that would be valuable to the auditee’s competitors (weakness, innovative business models).
3. In some organizations, such as the military, the confidentiality requirements can be very complex, even limiting the auditor from interviewing key staff on particular topics.
4. If your audit includes R & D work that might later be patented, a breach of secrecy could invalidate the patent application. You can be required to sign a secrecy clearance to protect the patent.
13. You might learn of potentially profitable business opportunities during an audit. While not always outlawed, it would normally be considered unethical to use that information to invest in the business opportunity (or help someone else to do so) when the information was not already publicly available.

Initiate the audit

You are appointed to be in charge of the audit (lead auditor) to lead an audit of an institution of some kind.

You will be given a brief. These vary from the highly specific to the fairly general. An internal audit brief most likely comes either from the Board, your organization's Chief Audit Officer, or perhaps the CEO.

Sometimes the client is not the auditee. For example, Joseph Bloggs wants to buy XYZ Corp. One of the conditions of sale is an independent audit. Bloggs is the client who will get the report, but he is not the auditee. If the client is not the auditee, some standards specify that it is the client's responsibility to provide the auditee's management with a copy.

So what then?

Agreement.The auditee agreed to the audit. If the client is not the auditee, you will need written agreement from the auditee. If it is a big audit, it should be in writing before you go too far, otherwise you can get it later at the entry meeting.

Authority. You are given written authority to conduct the audit. This could be a letter or other kind of written authorization. For internal auditors, it could be a Board minute, an audit committee minute, or a letter.

Scope. The authorization will specify the scope of the audit, that is, the extent of activities to be audited. Scope may be defined by location, compliance standards, or particular programs. Some scope definitions have some kind of rider allowing the auditor to follow up anything they find during the audit that appears out of order, even if it is outside the particular standard.

Boundaries of scope. The scope statement might also specify boundaries. For example:

• Auditors normally have authority to report illegal conduct.
• Auditors often have authority to explore serious non-compliances that arise during the audit beyond the stated scope.
• The scope statement will also specify whether or not auditors may give advice and recommendations. In some audits, auditors may not, while in others, the main value of the audit is the list of recommendations on the most practical way to attain compliance.
  If you may not give advice and recommendations, avoid getting too involved in quality maintenance because auditors are not responsible for program quality.
• In organizations with confidential or secret information, auditors might not be permitted to some kinds of information, or may not interview some people on particular topics.
• Under the standards applying to auditors, individuals may be identified in the report when they have significant responsibilities. The standards are referred to in the scope, and the language of audit will presumably be English.

Purpose.The purpose of the audit is to establish compliance or otherwise with a relevant standard (or standards). It may be:

1. compliance with a specified standard, such as an ISO/AS standard
2. compliance with the full range of legislation affecting the organization. This required a generic knowledge of legislation, and some knowledge of industry-specific legislation.
3. compliance with a specific area of legislation. This is most common in highly regulated industries where non-compliance carries serious risks.
4. compliance with internal control systems, including policies and procedures,
5. the extent to which board or chief officers’ (CEO, COO, CFO) decisions have been implemented.
6. compliance with Key Performance Indicators (KPIs) and Critical Success Factors (CSFs)
7. effectiveness in meeting the organization's own objectives.

In education, the purpose will most likely be specified as compliance with a quality framework, relevant legislation, and the organization's own policies and procedures. It may also mention any other compliance documents.

It might also require you to either find an existing standard or develop a new standard to address audit purposes. (See above in the section on audit standards.)

Background check

Get a general idea of the organization you are going to audit so you can plan for it better.

If possible, check the results of previous audits. This will highlight any higher risks, and give you a better idea how the entity works. Ask if there are any outstanding issues from previous audits. For example, you may be doing the audit to check whether serious non-compliances have been rectified. There may be recommendations that you should read.

Identify the stakeholders. The stakeholders in an audit are anybody involved in the entity that is being audited according to the audit scope.

Relevant people inside the organization usually include:

• senior management;
• members of decision making committees and forum;
• managers concerned with the unit/section being audited
• team leaders;
• information disseminators;
• people who design and maintain systems;
• consultation networks.

Outside your organization, they can be:

• organizational clients,
• individual clients,
• allied services,
• service contract agencies,
• quality accreditation agencies.
• project managers,
• contractors,
• employer and employee associations, and
• community groups.

Check the kind of data. If it is mainly computer data, you must have sufficient computer skills to navigate the software, although you may (and probably should) ask the auditee for help. You are not expected to be familiar with their software, especially as many organizations use bespoke software or make bespoke modifications. It is unreasonable of an auditor to ask the auditee to print off computer data only so that you can read it on hard copy.

Choose a standard

Choose a standard (or standards). You might choose from many different kinds of relevant standards, for example:

• ISO/AS standards
• British standards
• Product standards
• Industry standards
• Accounting standards
• Competency standards

Standards and evidence guidelines

Read through the standards and evidence guidelines very carefully. Ask about anything you don’t understand. You will be expected to have a good working knowledge of the standard that you are using and be able to guide your team, and to make reliable judgments on compliance with it. If there are evidence guides, or any statements interpreting the standards, then you should thoroughly familiarize yourself with them.

In an ideal situation, you would go through the entire standard and discuss it sentence by sentence as a group, examining the examples of evidence and looking at possible interpretations. This might be very time-consuming but will probably produce the best results. In any case, you will need to have a very sound understanding of them before you start auditing.

You need to see the relationships between different parts of the standard. The tricks and traps are the relationships between similar items in different parts of the document. For example:

• An early section might list policies that are given in detail in later sections.
• A policy might be separate from the requirement to inform students and staff of that policy.
• In some cases, the same item of evidence can meet multiple requirements.

In a franchise or licensing arrangement, just because the center has done it right doesn’t mean that their partner organizations do it equally well. Having satisfactory policies and procedures does not ensure that they are uniformly well implemented. For example, the central college might provide all the information that should be provided to applicants. Partners, however, could easily bypass some information and fail to refer prospective students to the website.

Writing a new standard

If you can't find a suitable standard of any kind, you might have to write a new one. Before you start, check what requirements it must meet.

You then have two options. The first option is to simply be able to adapt an existing standard by editing it in a word processor. Keep notes of the principles you use to change it and put them in a preface. If you do it well, the new standard will comply with the original, and further validation will be quite easy.

The second option is to write a new one from scratch. This might not be difficult if you can be fair on all stakeholders, cover all normal eventualities, and write in clear, plain English.

The hard work is in getting all stakeholders to agree on it. If you have very few stakeholders and will only use it once for a specific purpose, it might not be too difficult. But your task could be quite difficult if:

• there is an adversarial relationship between groups of stakeholders, and/or
• the standard will be in use for a long time
• revising the standard will also be difficult
• there is a lot at stake in your audit (e.g. a company merger).

Manage audit risks

Some kinds of internal audits and some audit standards encourage a general assessment of business risk before the audit.

You can make a preliminary evaluation during planning in order to better plan the audit. These may be based on off-site consultations or reviews of relevant organizational documentation, information and data.

During the audit you need to notice risk factors rising and falling. An auditee might be much better or worse than it looked at first site.

Identifying risks

Identify and record the risks. If you think it's a real risk that affects what the entity does, you need to put it in writing. Existing lists of risks will probably be helpful, but do not blindly follow them. You need to identify risk factors s for each case.

Generally speaking, an audit is lower risk if:

• The activity is easy to get right
• The entity has adequate internal controls
• The entity has not long been audited and found to be compliant
• Auditors will probably not make errors
• Non-compliance results in negligible or little harm, and
• For colleges, previously accredited by another accreditor.

Consider the size of the organization. Being large or small does not determine compliance levels, but it does suggest that you might audit them in different ways.

Some small organizations have weak systems and improvise a great deal. If the auditee is a large organization operating over a number of sites or in a range of activities, you normally need to consider the risk for each site or kind of activity. If an organization has operations in a range of sizes, an auditor would target the larger ones, and consider only a sample of the smaller activities, all other factors equal.

Consider these factors:

1. How competent and experienced are auditee staff in their current roles?
2. Is the activity difficult or easy to "get right"? That is, "What are the inherent risks?"
3. What are the consequences of getting something wrong?
4. Does the entity have a good track record of compliance? Is there a culture of maintaining high standards?
5. Does the entity have controls in place to check its activities?
6. Do its policies and procedures to cover all normal eventualities?
7. How long since it was last audited?
8. How accurate is the information that is to be audited? It might be incomplete, difficult to verify, or contain frequent errors. It might be manufactured, that is, generated specifically for the auditor and not a contemporaneous record of actual events. It might even be falsified, perhaps by an individual or in collusion between a number of persons.
9. Consider the possibility of auditor error. If you sample activities, you risk missing items not included in the sample. Members of the audit team might misinterpret information.

Assess risks

1. Identify and record the risks. If you think it's a real risk that really affects what the entity does, you need to put it in writing.
2. For each risk:
3. On a scale of 1 – 5, how much harm would it cause if it occurred? E.g.
1. threat to the interests of stakeholders
2. financial security of the entity
3. harm to the entity's reputation and credibility
4. harm to the auditor's reputation and credibility, financial loss.
4. On a scale of 1 – 5, how probable is its occurance?
5. Calculate the risk: "Risk = Probability of occurance x Amount of harm"

This gives a result as follows

• Low priority risks:
• Negligible harm but very probable
• Very probable but no harm
• No harm and probably will never happen
• Medium priority risks:
• Medium levels harm and medium probability of occurrence
• Lower levels harm and higher probability of occurrence
• Higher levels harm and lower probability of occurrence
• High Priority Risks:
• Already happening and has significant consequences
• Unless we step in and do something, it will probably happen and have significant consequences.

You need to put a strategy in place for anything that gives a result of nine or above.

Write a risk analysis

Your risk analysis will be based on the above, and may include:

1. What are the risks?
2. How did they arise?
3. Who does it affect?
4. What will be the effects of high risks on individuals and the organization?
5. How will you manage risks and their potential consequences? What controls can you put in place beforehand? How can you test that they work?

Determine methods

Most audits use simple methods, such as interviews, observing activities, examining internal documentation and records (for example, meeting minutes, reports, or log books) and examining of reports from external sources, e.g. external laboratory reports and vendor ratings.

Alternative methods may also involve discussion groups, surveys, alternative information, and data. Some kinds of audits use sampling techniques. In most cases, a rule of thumb is quite sufficient, but if you are sampling sizable amounts of data, you will need to get mathematical data on the size of a representative sample.

A few audits also require laboratory testing and skills assessments of staff. These are naturally more complex, and may depend on specialist subject matter expertise. There are many possible methods and you may combine them. Assessment methods may include:

• directly observing performance
• giving practical tasks
• written/oral/computer-based questioning
• using standardized instruments
• considering third party reports
• considering authenticated prior achievements
• using measuring and testing equipment
• considering statistical data on OHS and/or workplace relations

In any case, the principal of validity still applies: the way you assess something must be a good fit for what is assessed.

Write audit plan

Prepare your audit plan. It must be written down, even if it follows a set approach. It must also be flexible enough to allow necessary changes of emphasis, and allow individuals to be identified when they have significant responsibilities.

Your plan usually needs to specify:

1. the audit scope, objectives, focus, and outcomes
2. relevant documents and standards
3. names of audit team members
4. audit team roles
5. a timeline, with places and dates where necessary
6. locations to be inspected
7. times of specific meetings and people to be interviewed
8. confidentiality requirements (e.g. board members, audit committee members)
9. the ways you will collect evidence (including any sampling methodology and statistical measures)
10. information and data required to be on hand
11. feedback and reporting strategies and timelines
12. contingency plans
13. legal disclaimers
14. reporting procedures including:
1. give the date you will issue the report
2. a final report to the
3. name who will receive the report (e.g. Board, CEO, any other managers. accreditation authority, etc.)
15. special requirements for
1. access to records, sites or specialist personnel
2. resources
3. lines of communication

Note: If client and auditee are separate entities the plan for report distribution should protect the interests of both.

The audit plan may also address:

• the language of audit
• any relevant background research
• competency of auditor/s
• record-keeping and processing arrangements
• quality assurance methods
• legislation, codes of practice, standards, guidance materials, benchmarks
• evaluation and review mechanisms

The audit plan form in this website will be appropriate for all normal audits. But you might need to write a separate planning document, and get it approved by your supervisor or stakeholders.

Schedule

Audits have simple schedules if they are all on one site, involve small numbers of people, and have priority over other activities.

After that, it can be quite difficult. Get it in writing and have all stakeholders check it. Include places, time, meetings with individuals, equipment, etc.

Budget

Some audits have complex budgets if they:

• use a range or expert personnel (especially outside consultants)
• use technological testing equipment
• require preparation of skills testing instruments
• require auditors to travel to a variety of sites, especially if they need accommodation

You might need financial resources, such as budget allocations, travelling/subsistence allowances, and motor vehicle hire.

Physical resources

You might also need physical resources, such as motor vehicles, measuring equipment, photographic equipment, computer equipment, office location, personal protective equipment, telephone equipment, stationery, documentation (e.g. standards), electronic recording, and office communication equipment.

Contingencies

What if things don't go as planned? You might blow the budget. Then what? What if a car breaks down?

If an auditee objects to something you want to do as auditor, it is usually because they are nervous and defensive; they are not necessarily hiding a non-compliance. It is first of all a matter of conflict resolution, and a calming deflection might work wonders.

If the auditee continues to object, simply mark it as non-compliance due to lack of evidence. This is unlikely, as the negative result is not in their interests.

Write tools

You will need forms and questionnaires to work with.

Audit tools are instruments for collecting evidence and conducting the analysis and evaluation. They are not the same as the audit criteria or benchmark.

They may be developed specifically for the purpose, adapted from existing tools, or already existing commercial products. They will include performance checklists, sets of interview questions, descriptions of required characteristics to be checked. You will also need working papers, records, a way to document the auditee's systems, ways to control for errors (e.g. potential error matrix) and audit reporting.

It is good practice to have a five-column checklist on a landscape layout. The five columns are:

1. Standards
2. Specific evidence to be looked for or questions to be asked
3. Evidence sighted
4. Auditor comments and reasons for any decisions (e.g. exemplary practice, nature of deficiency, suggested improvement)
5. Compliant/non-compliant

Check:

• Your recording system needs enough detail to reveal any discrepancies and justify any conclusions you reach.
• When standards have many internal repetitions, it is good practice to arrange standards so that you audit each item only once.

Set up the audit

The head auditor should contact the auditee and set up the audit. Give them the agreed period of notice and inform them of any conditions applied.

Your list. Make a list of all the documents will you need so you don’t forget anything. These will include current checklists and questionnaires, entry meeting agendas and forms, and authorizations, You might also need briefing documents for your audit team members or for auditees.

Who? The audit team will liaise with a key person, whose title will probably be administrator or manager. The key person should be able to give you priority with no interruptions from phone calls, other responsibilities, or appointments. Ask whether other staff will be available.

Where? If you have never been there, make sure you know exactly how to get there. Finding an address might not be enough; you might need to know where in the building it is. Where can you park your car? What is the probablility of traffic delays?

When? Set a date and a start time. Give them time to organize their information and check that other personnel will be available.

How long? Set an end date, but consider the possibility that a full audit can take longer that planned if you find that evidence is insufficient or there are other sites to visit.

What? Explain what will be audited and make sure that the auditee knows how to be audited. Ask whether you will be able to observe the organization’s activities. For example, if you are auditing an educational institution, you might ask whether classes will be held during that time and whether you could observe them.

What on-site resources might you need? Usually you'll just need to borrow a desk, but you might also need an interview room, a meeting venue, and perhaps even materials, stationery, or equipment.

What is the auditee responsible for? The auditee is responsible to:

1. provide accompanying staff if necessary
2. inform employees about audit
3. provide all necessary resources
4. provide all necessary accesses

Start the audit

The audits begins with an opening meeting with senior auditee management, called an entry meeting. Organize the entry meeting in advance at a mutually agreed time

As a formal meeting, the entry meeting should:

1. introduce the audit team
2. review and confirm the scope and objectives of audit
3. summarize the methods that the team will use
4. establish official communication links, i.e. the key person with whom you need to relate
5. confirm the resources and facilities the audit team will need. You won’t really need much, but you’ll need to be introduced to people and have access to records and people.
6. clarify that the auditee is responsible to (a) provide accompanying staff if necessary, (b) inform employees about audit, and (c) provide all necessary resources and access
7. confirm schedules and logistical arrangements
8. change the plan, schedules and arrangements if necessary
9. confirm time and date for closing meeting.
10. confirm that they understand the purpose and processes
11. negotiate what they are responsible for and confirm they understand it correctly
12. clarify anything that is unclear.

Keep a signed written record of any decisions made.

It is also highly advisable to ask whether they have done an internal audit or some other kind of compliance check. If they have, it means that they have already done lot of work interpreting the standards for their situation and locating evidence. Ask for a copy and it will simplify the audit greatly. You might only need to go through it in detail and check that it is correct.

The audit process (with the forms and meetings in this website) gives you a communication strategy that is adequate for almost all smaller organizations. However, in a much larger audit, you may also need to put a more comprehensive communication strategy in place. It might include:

• identifying the organization's communication and reporting channels
• methods for the disseminating and promoting the audit, and perhaps also its methods and processes
• identifying external communication and networks that can be used as part of the audit
• regular reporting meetings with persons who have specific responsibilities
• ways of regularly informing people of the evaluation
• communicating timelines
• special reporting requirements

Besides being transparent about what the team will do, all members of the audit team need to establish rapport so that people feel that you are working together with them. Listing your experience or credentials might make you sound pompous, and a friendly, collaborative attitude will normally get you further.

Get oriented

1. Start by arriving on time or early.
2. Introduce yourself and your team to the main person with whom you will work. Explain your role and put them at ease with the process. They might be very nervous, and might easily become defensive. You'll probably also get introduced to other people.
3. Get them to start by showing you around their workplace and telling what they do. People are less nervous in familiar surroundings talking about things they know. Ask how the organization works. You'll quickly get a good general picture of what’s going on and how it happens. They might answer many questions that you intend to ask anyway, so instead of wasting time, it will probably save lots of time.
4. Find a place where you can base yourself and locate key documents (such as their main policy documents and any relevant reports). This is when you start the audit proper. (If key documents don’t exist for a criteria, you can quickly mark "Non-compliant" and move on to the next step.)

Relating to auditees

You will need to communicate effectively with a range of different people in the organization. You may have to navigate cultural issues that affect communication. Getting people on side is a large part of the auditing. This includes:

• gaining their confidence and commitment to make them relaxed and less defensive,
• giving constructive, interactive feedback
• promoting consultation and ownership
• enhancing their confidence and commitment to the quality system and its audits.

The body of the audit

This is basically doing what you have planned. You will mostly be interviewing, checking documents, and observing. In a few cases, however, you might conduct tests, e.g. control systems, staff competence.

Document everything during the audit. Use forms and checklists to record all observations and evidence, and relate them to standards.

Stay alert to evidence relevant to audit results. Auditees often don't know what is relevant and may be more compliant (or non-compliant) than they think.

Interviews

As a member of an audit team, you have the authority to interview various people in the auditee organization and observe what they do. In an educational institutition, you should try to observe some classes if you can.

Do interviews in private because the answers may be different if others are present. While you're at it, you should if possible, discuss the auditee's self-assessment checklist. Interview people at different levels, e.g. management, administration and workfloor. Substantiate your observations and verify information by independently getting the same information from other sources.

Lead questions give you a good overall picture of what is happening, so you can locate the aspects you need to concentrate on and treat them fairly in context. Done well, they also help put the auditee at ease.

Here are some ideas for starters:

• "How does your organization work?"
• "How does your department work?"
• "What is the history of this program?"
• "Why do you need your program to be recognized?"
• "How does your program work?"
• "How does this system work?"
• "Why have you chosen the approach that you did?"
• "What would you do if a disabled person applied to become a student?"
• "If your graduates went to work in the industry, what standard of literacy would they need?"
• "How does your quality assurance system work?"
• "How does your management system work?"
• "How does your document control system work?"
• "You seem to be non-compliant on this point. Is there any more evidence that you could show me?"

Do people understand what to do and do it correctly?

• Ask what they understand of the policies.
• Ask what they actually do (or plan to do).
• Ask why they do as they do
• Ask how they have documented it (or plan to document it)
• Ask about contingencies: "What would you do if …?"

Get candid appraisals, for example:

• "How does information flow within the organization? Are there bottlenecks or misunderstandings?"
• "What are the three biggest strengths of this college?"
• "What are the three biggest weaknesses of this college?"
• "What improvements would you suggest?"

Interviewees often suggest improvements to auditors that their supervisors have never heard. You cannot presume that supervisors have actively listened for ways to improve. Besides, staff are often reluctant to suggest changes for fear that it will be interpreted as personal criticism.

Documents

Look at the auditee's documentation:

• Previous quality audits and inspections. What impact do they have on the current audit? Ask if the auditee has taken corrective actions and check them.
• The organization's policies, procedures (also called work instructions)
• Public website and intranet
• Information systems for recording and reporting

For other possible kinds of documents, see the Appendix.

Explore

Look for corroborating evidence and follow up potential problems. People write all sorts of things on bits of paper hoping that auditors will believe them. And people spin all sorts of tales. You don’t have to accept anything at face value.

Look for documentary evidence wherever possible. Ask different people questions independently about what actually happens. Take note of aberrations—things that don’t fit the pattern or potentially do not comply with policy. Ask why.

Actively explore anything that you suspect to be non-compliant. (As auditor, you have the authority to do so.) Identify any risk factors and check anything suspicious. Follow up clues on apparent noncompliance to standards, even if they are not on checklists. Remain alert to evidence that requires more auditing. Do not just passively accept whatever people show you, but avoid unfairly going on a witch hunt.

Explore evidence until you can draw conclusions based on a range of evidence over a period of time.

1. Look for corroboration. Do report items reflect reality? Do people understand and implement the organization's policies and procedures? Can you verify findings by getting the same information independently from other sources?
2. Determine whether the system documents are adequate for quality needs.
3. Determine whether the auditee's procedures are able to reach the desired objectives.
4. It is good practice to make notes of interpretations of criteria. It is also good practice to write down novel and innovative ways of complying with them.

Interpret evidence

As you go, interpret evidence. You’ll often be asking questions like:

• Do auditees personnel know, understand and apply procedures and other quality-related documents?
• Are systems efficient?
• Are system documents adequate for the organization’s quality needs?
• Are the auditee's procedures able to reach the desired objectives?
• Ask "Is the evidence reliable, valid, authentic, sufficient, current, and consistent?"
• What about audit standards that make conflicting requirements? E.g. evidence of compliance with one standard is evidence of non-compliance with another. You'll have to make a judgment call and justify your decision.

Evaluate the evidence and make a decision of compliant or non-compliant and record it as planned. If you find non-compliances, your responsibility is simply to identify them clearly. If the scope permits, you may suggest improvements.

Things that look like non-compliances

When interpreting criteria, good auditors can differentiate between three things that can all look like non-compliances:

• Errors. These are minor clerical and typographical errors that do not represent system failures.
• Possible improvements. It is compliant but could be improved, e.g. better documentation.
• Risks. It is compliant but could easily go wrong.
• Actual non-compliance.

The inadequate trap

Many standards require that something be adequate or sufficient. Judgements based on these requirements depend on criteria for determining how much or how many is enough. (In some cases, the standard against which you audit will give a standard, but not always.)

Consequently, any judgement of inadequate or insufficient needs an expicit criteria, which you should put in your report, probably with an explanation of your reasons for your conclusions. Without it, your conclusions are no more than personal opinions.

Investigate

See what needs to be investigated further. If you suspect a noncompliance or a risk during the audit, you have a right and duty to investigate it more thoroughly, even if it is not on your checklist. In general, this means gathering more evidence. This may be by:

• Asking more questions with greater detail
• Asking a wider range of people
• Looking at a wider sample of documents
• Scrutinizing the documents
• Conducting more tests
• Increasing the size of your sample.

On making changes

The lead auditor can make changes to the audit while the audit is in process, with the written agreement of other parties. If the audit goals appear to be unattainable, the lead auditor should tell the client and the auditee as soon as possible.

If things go wrong ...

Not many people like being audited. Most are nervous and can easily become defensive if they fear a negative result.

The worst case scenario in an audit is that a small miscommunication creates antagonism that snowballs and becomes too complex to sort out. If it degenerates further the audit might easily fail. Both the auditor and auditee become defensive and dig in on their positions, and the auditee might then clam up completely.

It leaves each side blaming the other. The auditor must give the auditee non-compliant on everything, as the auditee did not provide evidence of compliance. The auditee will complain that the auditor's attitude subverted the audit. The formal report might then contain mistakes and apparent dishonesty.

If you are an audit team leader, it is your role to efficiently resolve any problems arising with auditee and relevant parties. You don’t have the option of giving up the right to make the judgment of compliant/non-compliant.

What you can do:

• Listen carefully to their reasons for objecting; they might be right.
• Take a break.
• Get independent advice:
• Refer the matter to a specialist.
• Ask the relevant government department or professional association.
• Explore the auditee's opinion.
• If the difficulty involves a new interpretation of the audit standard, check what it says and any existing interpretations.
• Give your judgment, and note the reasons for the auditee's opinion in the comments list.
• Refer the matter to your supervisor to ensure that difficulties are resolved efficiently.

If still in doubt in more serious cases, you might need to get a determination in writing. However, this will usually take too long for the audit and your audit report would probably advise that the matter should be reviewed, and give the reason for the ambiguity.

In the end, it is your call, and you will need to be able to prove that you are correct.

The last resort

If necessary, an auditor can make changes during an audit while the audit is in process with the agreement of other parties.

If the audit goals appear to be unattainable, tell your supervisor and the auditee:

• In some cases, unattainable goals would normally be interpreted as non-compliances because the auditee could not demonstrate compliance.
• In other cases, you might simply run out of time, or be unable to audit some key locations. In these kinds of cases, you can only report "Not audited."
• If you can't access evidence that is outside the auditee's responsibility or ability to provide it, simply write the details in your report. You can't say they are either compliant of non-compliant because you couldn't audit it.

Exit meeting

Preparation

Prepare to give an oral report, with a written report to come later. Immediate feedback is most beneficial to the auditee. The longer they wait, the less they take notice of it. Unfortunately, this is not practical in a complex audit where you need considerable time to write and mull it over, or where considerable traveling is involved for another visit.

You might feel that you have very little to say in the exit meeting if you have been working closely with key people throughout the audit and communicating with them. But you must still hold the exit meeting to make sure that they understand your findings.

Think carefully about how you will tell people the compliance situation, any non-compliances, and possible improvements.

Note: Some auditing standards require you to have already written the audit report for the exit meeting. In these cases, audit closing meetings are normally held within an agreed period after the client has viewed the written report.

Hold the exit meeting

Close the audit with a meeting to explain clearly the audit results. It should be documented. (See the model form.) Examine results and findings against audit objectives and present them to the auditee. Make sure that they understand the report. This normally means that you give them an opportunity to ask questions.

Get agreement on the arrangements for providing the written report.

Give them feedback. Tell them what they are doing excellently. Almost every organization does at least something very well. Suggest improvements where applicable, and explain and discuss the consequences of the audit outcome. Negotiate any follow-up process with client/auditee. Decide on any actions to correct non- compliances and get agreement on timelines for their completion.

Refer the matter to your supervisor if your audit decisions could be disputed, or if you fail to negotiate agreements about non-compliances and corrective actions.

Draft the report

Draft your written report. This is fairly easy if you have taken good notes as you go; even easier if you have used a well-designed form.

Put "Strictly Confidential" and the date on the front page, and list yourself as author. (You must take responsibility for your work.)

The report of audit results must be:

• written
• clear and conclusive
• without delay
• very consistent with the oral report you gave in the exit meeting.

Otherwise, the report contents may vary according to the situation and the audit standards you are following. The report should contain:

1. the agreed objectives and scope of the audit
2. specified audit requirements
3. audit plan details
4. identities of audit team members (i.e. your name and any team members you had.)
5. timeframe in which the audit was conducted
6. identification of the auditee's representatives
7. outline of the auditing process, including obstacles encountered
8. information on confidentiality
9. list of people or organizations who should get a copy of your report
10. retention of auditing records, including work documents
11. standards documents
12. audit results
    1. objective evidence of compliance
    2. observations and items of noncompliance, with objective evidence
    3. judgment on extent of compliance
    4. commendation of good practice
    5. your evaluation of the system's ability to achieve defined objectives
    6. examination and evaluation of controls associated with systems, activities and processes
13. recommendations for improvement
14. follow-up required, e.g. corrective actions for discrepancies or non-compliances, setting out the action required to correct the problem and the time limit for completion.

Edit the report and send it

Give the report some time to settle (at least overnight). As you reflect on it, you may realize that you have been too harsh or too lenient on some points.

You will need to make final recommendations on actions to be taken. If you are unsure for any reason, ask colleagues for their advice before you make anything final.

Then edit it to its final form.

At about this stage, you will need to record audit findings in your organization's information management system. (Usually that means giving the right person a copy for filing.) You might also have to lodge an internal report.

If you haven't done the exit meeting yet, you’re now ready for it. If you have already done it, then send the written report to the auditee and/or client.

The audit is completed on submission of the audit report and the closing meeting. The auditee is responsible for any corrective actions necessary.

Follow up

Some kinds of quality audits end when the report is handed over and the exit meeting is done. The auditor is no longer responsible for what the auditee does. Some audit standards, however, require auditors to follow up on corrective actions. (A few audit standards blend the two. The auditor can hold the exit meeting and give the auditee a limited time period to submit further evidence before the report is finalized. This is fair as it takes the "sudden death" element out of the audit.)

Follow-up is usually a meeting with the client on agreed date after the auditee has had long enough to implement corrective actions. Other kinds of follow-up are:

1. Promptly inform supervisors of discrepancies that have serious or immediate risks to the organization
2. Report persistent problems in achieving compliance
3. Recommend improved procedures to supervisors
4. Check the rigor of original audit findings
5. Verify that recommendations and controls are effective, particularly in correcting non-compliance(s)
6. Issue a new non-compliance report if required
7. Consult with managers on how to improve the quality system
8. Develop and implement a plan to improve the quality system
9. Check that relevant certification is maintained.

Review

It is good practice to do a review after each audit.

Your supervisor or a colleague will independently get feedback from the auditee. If you must do it yourself, it should be either anonymous or processed by a third party. Questions will most likely be something like this:

1. Was the auditor polite and fair?
2. Was the auditor sufficiently knowledgeable?
3. Did the auditor stay within the defined audit bounds and protocols?
4. Was the auditor thorough?
5. Did the auditor use time effectively?
6. Did the auditor listen and understand people's viewpoints?

Then review your audit:

1. What did you learn? What did you do best? What would you do differently next time?
2. Do you need to change your documentation?
3. What did you do well? What did you not do so well?
4. Moderate with other auditors to ensure consistent audit results.
5. Record new interpretations of the standard and your reasons for them.
6. Evaluate the effectiveness and suitability in achieving audit objectives.
7. Investigate possible improvements in audit methods
8. Examine the audit system, activities, economy and efficiency. You can do the following:
1. Do an overall evaluation of the methods and effectiveness of the audit organization
2. Evaluate auditor performance
3. Review the audit reporting process and records
4. Examine complaints, appeals and other feedback received from auditee
5. Assess the audit results
6. Evaluate the effect of the audit outcomes on the auditee's activities, products and/or services
7. Examine mechanisms by which consistency of audits is achieved.
8. Give feedback to members of the audit team
9. Encourage audit team members to critique their own work as part of the audit team
10. Give advice for improvement and document it.

Revise your system

Some of the lessons learned will be personal ones for audit team members, such as how to put auditees at ease, use better questions, and resolve conflicts. You may also have a better idea of how different personalities function in an audit environment, and what they are good at and not so good at.

Other revisions will be more institutional, such as:

• clarifying ambiguities in standards, especially for difficult and unusual cases
• revising audit tools and forms
• revising audit policies and procedures

Appendix

Other kinds of documents that may be audited:

1. electronic databases, videos, intra/internet sites, training/learning programs, and photographs.
2. meeting minutes
3. reports
4. log books
5. reporting forms
6. reports from external sources
7. documented procedures
8. test results
9. systems specifications
10. user requirements definitions
11. the organization's plans and schedules for auditing work units
12. the organization's management structure, accountability, reporting and delegations
13. the people involved in the quality system and the resources they have
14. file records
15. audit history records
16. registry files
17. sources, records of auditee information
18. intelligence systems
19. enterprise quality manual
20. any documentation related to the quality elements being audited
21. customer complaints
22. hazard and accident reports
23. training records
24. certification documentation from clients/suppliers
25. material/equipment specifications.
26. documented instruction relating to the performance of tasks
27. interview reports
28. sets of oral/written/computer-based questions
29. checklists
30. logbooks
31. working guides
32. manuals
33. technical reports
34. standard operating procedures/work method statements
35. policies and procedures
36. employer/employee records
37. contractor records
38. third party records
39. use of technology
40. outcome of focus groups

References

"Handbook for Quality Audits of Organisations and Processes_, Ross Woods, January 2008 ©Ross Woods.
Complies with AS 3911.1-1992; NZS 10011.1-1992; ISO 10011.1-1:1990 published as Guidelines for Auditing Quality Systems Part 1: Auditing (Homebush, NSW: Standards Australia) (Wellington: Standards New Zealand) 1992.

Grant Gay and Roger Simnett, Auditing and Assurance Services In Australia, 2nd ed. (Sydney, McGraw Hill, 2003), Chaps 6, 7.

Head auditor

The head auditor is in charge of the audit and is responsible for the whole audit, including any members of the audit team. The head auditor:

1. oversees audit team members:
   1. helps select them
   2. defines the role of each one, and
   3. assigns their tasks
   4. re-assigns them if necessary
2. helps prepare an audit plan and define requirements
3. manages audit team resources during the audit.
4. complies with any relevant auditing requirements
5. represents the audit team to the auditee's management
6. reviews documentation
7. takes any necessary contingency actions.
8. reports serious noncompliance with standards immediately to auditee and client
9. reports illegal activities to authorities.
10. issues the final report to the client. If the client is not the auditee, some standards specify that it is the client's responsibility to provide the auditee's management with a copy.

If you have trainee auditors, you also need to make sure they know what to do and how to do it, and (later on) monitor how they are going.

Audit team members are only required to perform the duties assigned by a lead auditor, so the responsibility for the audit is ultimately not theirs.

The head auditor informs them what will be required of them. It may involve:

• the entry meeting
• the exit meeting
• scheduling
• contacting people to set up meetings
• writing leading questions for interviews
• setting up interviews
• checking records
• checking consistency of recorded information
• analyzing your information and making recommendations for the final report.

Students do not start as a head auditor and will be part of a team. However, the team might comprise only the lead auditor and the student. Later on, they may be given the role of head auditor, but will still work under supervision while in training.