What is Auditing?
Auditing is an on-site, objective examination and evaluation of a process or a quality system to ensure that it meets its compliance requirements. An audit can apply to an entire organisation or to a specific function, process or production step, and can be done internally or externally by a third party.
As defined in ISO 19011:2011—Guidelines for auditing management systems, an audit is a “systematic, independent and documented process for obtaining audit evidence [records, statements of fact or other information which are relevant and verifiable] and evaluating it objectively to determine the extent to which the audit criteria [set of policies, procedures or requirements] are fulfilled.” Several audit methods may be employed to achieve the audit purpose.
Internal and External Audits
A first-party audit is performed within an organization to measure its strengths and weaknesses against its own procedures or methods and/or against external standards adopted by (voluntary) or imposed on (mandatory) the organization. A first-party audit is an internal audit conducted by auditors who are employed by the organization being audited but who have no vested interest in the audit results of the area being audited.
A second-party audit is an external audit performed on a supplier by a customer or by a contracted organization on behalf of a customer. A contract is in place, and the goods or services are being, or will be, delivered. Second-party audits are subject to the rules of contract law, as they are providing contractual direction from the customer to the supplier. Second-party audits tend to be more formal than first-party audits because audit results could influence the customer’s purchasing decisions.
A third-party audit is performed by an audit organization independent of the customer-supplier relationship and is free of any conflict of interest. Independence of the audit organization is a key component of a third-party audit. Third-party audits may result in certification, registration, recognition, an award, license approval, a citation, a fine, or a penalty issued by the third-party organization or an interested party.
Phases in Internal Audit process
Organisations sometimes do not see the need for internal audits, viewing them instead as a duplicated effort. Internal audits are on most occasions more effective, as they give the organisation more information, and at regular intervals, rather than waiting for the external audits to happen. Internal audits also allow organisations to focus on areas of improvement rather than trying to find fault, helping to streamline their operations and make them safer and more effective. There are 4 key steps in the process.
- Planning the Audit Schedule – Scheduling the audit involves not just assigning a date to the audit but also ensuring all key personnel are available during the audit. Most employees fear “unannounced” audits, and when the audit is planned and scheduled, the process owners will view it as time to make improvements in their current systems. Issuing an audit plan is a good follow-up to scheduling the audit, as it confirms the audit scope and sets out time to review the relevant processes. An audit plan is developed to protect the time and value of the audit.
- Conducting the Audit – An auditor covers various avenues during the audit, and these are set out in the audit plan. An opening meeting is essential even in an internal audit, as it provides context and focus for the audit. During the audit, the auditor reviews records, interviews process owners and employees if necessary, observes processes and collects key information. The auditee's role is to provide evidence to the auditor that the processes are working effectively and as planned by their systems, in line with relevant standards, if any. The auditor will try to pick up areas that need improvement but will also provide positive feedback on areas that are adding value to the overall process.
- Reporting on the Audit – After the audit and the closing meeting, the auditor reports on areas that need attention or are underperforming, as well as improvements that might have been made since the previous audit. A formal written report is generally produced as a follow-up to the audit and distributed to the relevant personnel. Because the report identifies not only the non-conforming areas of the process but also the positive areas and potential improvement areas, the auditee benefits from internal audits, as they allow improvements on an ongoing basis.
- Follow-up – As part of continuous improvement, and as required by various schemes and standards, follow-up is a critical element of the audit process. Corrective actions and improvements are key aspects of audit delivery, making sure the areas of concern are addressed and fixed. Follow-up also provides an opportunity to see how the system has evolved / improved over time.