Auditing the Organization’s Story
Auditing has no purpose if it is not going to assess the systems in relation to current risks. Organizations, like individuals, have good times, slow times, struggles, growth times, unexpected windfalls, and unexpected trials and tribulations. Each of these conditions imposes itself on the management systems of the organization, and each creates conditions that can cause stress to processes and systems. It should be one of the first priorities of an auditor to determine and understand what current conditions are influencing the organization and how they are affecting the organization’s performance.
External Auditing / Internal Auditing
The approach to auditing based on organizational risk is different for an internal audit. Unlike an external auditor’s independent outlook, the internal auditor is more intimately involved in the current business situation and outlook. As a result, internal auditors must take a somewhat different approach to the audit. When assessing the risks, the internal auditor must be very careful not to introduce their own biases. This can be observed when auditors place too much emphasis on one process or department,
The opening meeting
The opening meeting of an audit is the time to ask the general questions about the current business environment. This is the point when the auditor determines the general context of the audit. If things are going well and there is growth, new customers, or new products, the auditor must be prepared to look for risks associated with new requirements, new processes or stresses created by increased workload. The auditor should also look for changes to the QMS in order to meet new customer requirements or new system requirements in order to address technological changes. In contrast, if the organization is dealing with a downturn in business, the auditor must consider stress due to reduced resources. Upon leaving the opening meeting, the auditor should have a basic overview strategy for the audit.
Performance
Once past the opening meeting, the auditor’s next step is to analyze and verify the organization’s performance. Both customer-related and internal performance numbers should be reviewed. The auditor should be looking for evidence of poor performance, either negative trends or intermittent failures, which can indicate that negative stresses are influencing the company’s ability to operate effectively. These negative effects may or may not be caused by the indicators discussed in the opening meeting; however, in either case they immediately become a focus for the audit.
Management Review
In the audit of management review the auditor further addresses the story in the context of the performance. The objective is to clearly understand how management has addressed the contributors to stress on the management system and whether the actions taken have been effective or not.
QMS Audit
If the auditor has done a good job of clarifying the company’s story, evaluating the potential stresses, and identifying the performance effects of those stresses, then the remainder of the audit should be focused on verifying and evaluating the actual process activities and their actual performance. In short, do the processes show evidence that the stresses identified are effectively controlled and that additional unidentified stresses do not exist?
Summary
Auditing should be about the organization’s story. Audits provide the feedback as to the effectiveness with which the QMS is controlling both processes as they are designed and the ability of those processes to control the stresses currently acting upon the organization.