The Audit - forward control of unwanted Events
The audit is the tool to see if the activities that are specified in each of the management activity areas or
"elements" of the management system are carried out as intended.
The basic thinking is that the objectives of the element cannot be obtained if the activities contained in the
element are not properly carried out. And if the element objectives are not met, then it will not be likely that
the objective(s) of the overall management system will be reached. Of course, this assumes that the elements are
relevant to the management system objective(s).
Using an audit to improve your management system
Using your own audit system will be good if you want to verify to what extent your management
system is being implemented, not so much for improving your system. For that you would better use an audit system
that includes more or other elements than those of your own system. That way you will be able to get a gap analysis
indicating areas where you may be able to improve the system that you have.
When selecting an audit for improving your management system it may be best to use an audit system
that is commercially available or which you can "borrow" from a friendly company. When using an external system,
you may also want to consider to use auditors or consultants who are familiar with that system.
You may want to consider an audit done by a certification body but be aware that they may be used
providing certificates at the minimum level required for certification and that may give you a certificate but may
not help you to improve your system.
Checklist or questionnaire - the audit reference
Basically, the audit is done using a checklist or questionnaire covering the items that are contained in
the management system. The checklist may have been developed from an external reference document such as:
- a particular piece of legislation
- an industry standard
- a certification norm
Using an external reference, the steps involved in making a useable audit document will include:
- transferring each item in the reference document into a question. This allows the auditor person to ask the
questions. This is the easiest part of the process which basically boils down to transforming each relevant
sentence into a question.
- deciding which answer to each of the questions will be considered acceptable. This is the difficult part of
the process but a vital one as the audit results should be consistent between auditors and interpretation
margins should be as limited as reasonably possible.
Please look at some audit system examples.
Audit systems may be provided with value factors to allow scoring. This would very helpful when communicating
audit results to relevant parties, including management and when setting objectives for further
The get consistent results from different auditors, the auditors should be knowledgeable about:
- the audit process
- the subjects being audited
- the checklist being used
- which answers would be acceptable answers to the audit questions
Auditors should be given sufficient time to properly carry our audits and make the audit report. This may be an
aspect in case audits are carried out by auditors working for commercial certification institutes.
The last bullet point is critical. There must be a good understanding between auditors about what is the
acceptable answer otherwise the audit results may vary widely between auditors. The acceptance margins should be as
narrow as reasonably possible.
Auditors should be given adequate training and retraining to stay in tune with developments that concern the
audit checklist, the audio process and the acceptability of answers to the audit questions.
In case of accredited certification, interpretation between auditors of different Certification Institutes may
be a crucial issue. Certification issues are commercial organizations. Competition between Institutes may tempt
Institutes and their auditors to seek the lower end of the interpretation margin.
The audit process
The audit process would normally consist of:
- review of management system documentation
- one or more site or location visits
- verification of the working of the management system both in the office and on location
I used to carry out audits with the ISRS (International Safety Rating System) and predecessors between 1075 and
1991. ISRS - by the way - is less sensitive to competition issues as ISRS is a proprietary product (from 1978 ILCI
and since 1991 DNV, Det Norske Veritas). I used to carry out
Opinion Surveys prior to the actual on-site audit. This provided me
with valuable information about the way people felt about their safety management system, before going through
the process of verification.
Verification of would include:
- review of system documents (to verify contents and structure of the management system)
- review of registrations (containing data in relation to the execution of management system activities). If
the audit is done by an external auditor, it is recommended that internal audits be done and verified during
the external audit.
- interview of persons assumed to have knowledge of system and execution of activities
- site/location visits to observe physical conditions and the behavior of people during
The audit report
The findings of the audit will result in an audit report containing:
- a description of the process
- sites/locations visited
- persons interviewed
- commendation of positive findings
- deviations found and recommendations to correct
As applicable for later review, the auditor shall keep notes of audit findings in addition to those used in the
In case of a certification audit, the report may also serve as the basis on which the certificate will be issued
of withheld. The value of reports generated after the certification audit may be limited due to competition issues
between Certification Institutes and the limited time allowed for report preparation.
When you audit a management system all aspects: content, structure and related "how to" documents should be looked
Most audit systems I am aware of pay attenti0on to content and "how to". Including the element structure,
however, is a different matter and may not be present in most audit (and management) systems.
If you would leave out the structure, you are leaving out what I would consider the "engine" that
drives element activity implementation towards success and with that you are leaving out an important driver
towards management system success. I would even argue that, if that structure is not there,
the management system cannot be effective or at least it will be difficult to get the wanted results or it may take
longer to get there.
Higher abstraction level audits
This concerns internal audits only and does not apply to certification audits which have a different
If you want to do a quick audit of a management system to see if the system is working as it
should, you may consider to carry out audits at a higher abstraction level by concentrating on the
- a sufficient number of relevant elements
- the structure of those, including the assessment of execution and results.
The reasoning behind this is that it would be very unlikely, or at least very difficult, to reach desired
management system results if the "improvement loop" - the structure from element objectives to evaluation of
activities and results - is not there or not closed.
These audits should not replace the traditional in-depth audits but may be in addition to those. One of the
prerequisites of doing these higher level audits is that objectives for elements and the overall management system
shall be as specific and clearly defined as is necessary depending on the type of industry you are in.
In fact the in-depth audit, going into the element details regarding the activities - what, when, by whom and
how - may only be required if the clearly defined objectives are not obtained. A good approach may be to have an
in-depth audit once every 3 years with annual higher level audits in between.