I received a phone call from an ex-student, wherein she as an auditor wanted to add value by using her experience and expertise in advising the management on how they should improve the system.

I asked her if she had found any NCs (Non Conformities) during the audit. She said not really but she had recommendations to make based on her experience. My response to her was to please consider that auditors and managements have distinctly different roles, though both performing their due diligence correctly will eventually benefit the management system / the organization. It is when auditors want to add value and virtually impose their will, ideas, make recommendations or look for a reflection of their ideas that the seed of management failure occurs. Auditors are SMEs (Subject Matter Experts) in auditing, the standard(s) and the process approach etc.

We must respect the organization by agreeing that the managements are the SME in their business and specialty and in meeting customer requirements and ensuring the service and goods (products) are delivered to meet requirements. If they do not meet the requirements, the greatest service we do as auditors is to provide a correctly written NC. It is for the management to follow up on the NC and carry out RCA (Root Cause Analysis).

Is she not obliged to assist in RCA and problem solving as an auditor? My response is that RCA and problem solving starts when auditors leave. Of course there may be occasions when as internal auditors you perhaps wear two hats; a challenging situation. Yet with a little maturity it can be ensured that the two roles are not mixed. Verification, which follows the implementation of the RCA results, does indeed need a little "research", but might I suggest, not of what you as an auditor expect, but of what is acceptable to the organization.

I further advised my readers to consider: by giving advice, are you taking on the management's role? From my experience, whenever auditors do that, they slowly kill the management. Often the first step in that death of an organization is that the management just does what the auditors recommend/advise, forgetting their role at the Act stage of the P-D-C-A cycle in terms of Management Review (MR) clause 5.6 of ISO 9001. Please always remember the role of the auditors in the 'murder' of Enron.

Yes, with your consultant's hat, it is acceptable. I agree. After all, the managements use consultants, not auditors, for advice.

Captain Arora. Agreed. The auditor must always remain independent and objective and understand the auditor-management relationship. Management establishes priorities of resources and manages risk. I, as an auditor, must maintain my perspective and research, determine, and report on the conformance/nonconformance of the organization. I do not own the company, therefore, I do not own the issue or its corrective action. There are a lot of ways to solve a problem and my way may not always be best for the company. I tell people that I am responsible for the "who", "what", "where", and "when" of problem or issue identification. Management is always responsible for the "why" and "how" the issue occurred and always responsible for establishing the corrective actions.

I agree with you, Laurel. You are providing clear objective evidence indicating how a requirement has not been met resulting in the failure (nature of the NC). This then becomes the driver of Correction and Corrective Action (CA) to be carried out by the management. CA of course is based on RCA (Root Cause Analysis).