Internal audit has been a requirement of ISO9001 since its inception, and was inherited from the line of standards that preceded the ISO document. For many organisations internal audit is seen simply as a requirement, something to be undertaken, a cost of doing business. For those involved with the delivery of the internal audit process, a series of myths have been generated which over time change their order of importance, or emphasis. These myths are sustained by two group attitudes. The first is that of the audit practitioners who in the absence of any serious involvement by their management have to rely on statements extolling the supposed benefits of a frequently unwelcome audit process. The second is the failure of the majority of management teams to become involved in the direction and control of the audit process, stemming from a lack of any serious appreciation of the potential benefits of a well managed and conducted audit process.
The myths described here remain active within the audit fraternity because they sound as though they are factual. Although they are myths they sound credible, and include: - Audits and verification; Audits and improvement; Audits and compliance. There are others that fall into this category of Myth, but these are some of those more frequently expressed.
Verification. Audits are about verifying a situation. This view of auditing dates back to its origins in product inspection. Early auditing was indeed little more than an inspection activity with a new title intended to identify defects and report the failure to whoever would listen. In part this approach to audit conduct and management still pertains, and is responsible for the poor image of the perpetrators of the process. Audits are not about verification - or Compliance, as we shall see later, but about information. The aim of an audit is to notify. Are the systems in use adequate for purpose, are they being operated as intended, and are they achieving the intended outcomes. This requires the gathering of information, an informed assessment of the data, and a conclusion. Verification doesn't feature in this sequence.
Compliance. It is a common practice for internal audit to be conducted in a manner that is focused on the degree to which the organisation is compliant with a Standard (e.g. ISO9001) or with its self imposed requirements. While this may be very interesting to someone, it fails to address the primary reason for audit - to provide some information that will inform the management task and aid decision making. Managers require details about the Adequacy Application and Effectiveness of the systems they implemented inside the organisation. A compliance statement fails miserably to provide this information. Compliance audits do not test the ability of the rules to achieve organizational objectives. The auditor assumes the rules are good and leaves analysis to others.
Improvement. Audits as a driver for improvement is a comparative late comer to the myth table, and first became evident with the publication of the ISO9001 requirement to 'continually improve (the management system). Audits are too infrequent, limited in scope, and lack the necessary expertise to be the driving force for any continuous improvement effort. They might sustain a corrective action plan, but this definitely isn't continuous advancement. To suggest that an audit program will actually drive improvement suggests that the organisation's workforce will do nothing to improve business processes and practices in the absence of an audit report. It also ignores the fact that audits are not the prime source of information for managers. Coupled with the myths of Verification and Compliance, and recognizing that auditors support more than one myth, it is clear that improvement, and certainly continuous improvement, cannot ensue from the conduct of an audit. Continuous improvement is driven by managers and staff with the necessary commitment, skills and motivation to identify and implement improved working methods and techniques. Audits cannot lead or drive this process.
With internal audit properly managed and conducted, and with auditors responsible to an audit sponsor - the champion of the audit, it is possible to overcome the effects of these myths - over time. In part the problem lies with the auditors also, who although they may not express these few myths openly, tend to behave as though they are part of their basic training and induction to the audit profession. Managers must alter their approach to audit, but auditors need to make adjustments as well. With a task of this magnitude it may well be that the only way to make that change is to hire new auditors.
------
Ed Bones formed Meon Consulting to assist clients with managing their businesses in a manner compliant with ISO 9001/14001. Ed had earlier held a number of senior positions with big companies in the UK, Europe and the USA. He has written and delivered lectures on quality improvement and TQM.
http://www.rent-an-auditor.co.uk. Please visit
http://www.rent-an-auditor.co.uk/contactus.html to obtain your FREE copy of the Presentation.
