A lot of our customers, and
as I teach students and QMII alumni, have asked me about auditors, particularly
internal auditors, who are pressurized to do quick audits and preferably without
too many NCs (Non Conformities). Then there are auditors who have opinions (!),
some who have been auditing for many years and start thinking they have the
best advice. So who is a good auditor? What is the correct role of an auditor?
Here is what I think.
I first like to refer our alumni to an
article I wrote some years back on “embracing audits and not fearing them”:
If auditors could improve a system then Enron would still be around. It is
the management that improves the system. Their dependence on auditors weakens the system. A weak management
needs advice! Managements including Top Management should be challenging the
auditors against requirements and appreciating the inputs to be used in the
P-D-C-A (Plan-Do-Check-Act) cycle and playing their part at the A-act stage to
review the system (refer clauses under ISO 9001:2008 5). Once this fundamental
is clear this conflict between auditors and managements (Auditee) will not
remain significant.
Nowhere in ISO 9001:2008 does the standard ask the auditors to focus on
non-conformities (NCs) Clause 8.2.2 urges auditors to look for conformity. So
the intent of an auditor should be to look for conformity (unlike inspectors
who go seeking non conformity). "The only bad NC is the one you do not
know about - IJ Arora", so if while looking for conformity they do find
a NC both the auditor and auditee (as also the audit client) should be
delighted and use the input to do correction and CA (Corrective Actions).
Of
course the fundamental requirement is that the NC be based on a requirement being shown clearly by objective
evidence to have not been met. A well written NC is worth its weight in gold.
It is the starting point for correction, drives CA and when closed provides
valuable data points, leading to data which the managements must convert into
information which when analyzed enables PA (preventive Action) and as we look
ahead to ISO 9001:2015, it will replace the PA and provide the input for risk
assessment at the P stage of the P-D-C-A cycle.
If only the auditors would stop trying to replace the managements, stop
adding value to audits by giving advice, both the auditors and the managements
would be better off.