Desk Reference Guide For the Auditing (CQA) Fundamentals II E-Learning class at

Transcription

1 Desk Reference Guide For the Auditing (CQA) Fundamentals II E-Learning class at Content Provider: JP Russell Instructional Design By: J.P. Russell Web Design: Tracy Ryder E-Learning Provider: QualityWBT Center for Education Important Note: The Desk Reference Guide is a facsimile of the on-line class material. It may include some images but does not include: marking key phrases, direct links to glossary, interactive exercises, quizzes, graded tests with feedback, animations, hyperlinks to handouts, and EG Bag examples. Table of Contents Auditing Fundamentals 2 Auditor Competencies.. 15 Audit Program and Business Applications B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 1 of 54

2 Lesson 1: Auditing fundamentals [This lesson is medium length, discusses words used in auditing and the purpose of audits.] The following is a discussion of the important terms and their meanings. Please supplement your understanding by using the glossary. Basic Terms and Concepts {PART I.A. OF THE CQA BOK} [CQA 2004 BOK Description: Define and differentiate basic quality- and audit-related terms, such as quality, quality assurance, quality control, evidence, finding, observation, noncompliance, and nonconformance.] The following is a discussion of the important terms and their meanings. Please supplement your understanding by using the glossary. 1. General Discussion: Quality: For something to contain or be quality, it must be measurable. Some dictionaries define quality as "general goodness". We cannot measure general goodness and therefore dont know if quality is achieved or not. Things like requirements, expectations, reliability, and performance are all measurable and can be quality. Quality Control - Quality Assurance - Quality Management : You can think of these as different levels, just like there are different levels of documents (such as specifications, detailed instructions, and procedures). Quality control is the item-by-item inspection compared to predetermined requirements. Quality Assurance includes inspection as well as other activities, such as auditing, to provide confidence that quality will be achieved. Quality Management--also called a Quality Management System--provides the overall guidance that may call for the reduction of inspection and control activities and more reliance on supplier partnerships. Observation: An observation is not classified as bad or good. As part of an audit or investigation, auditors make observations that may be used as evidence to show 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 2 of 54

3 conformance or nonconformance to the audit criteria. The word observation is used by some organizations to indicate a potential nonconformity or a very minor nonconformity such as a defect. This notion is not generally supported by the ISO community or ASQ Quality Audit Division. What is important is that you know the context of how the word is being used for situations you encounter. Finding: As familiar as this term appears (used by many organizations and industries) there are considerable differences of opinion about its definition. Some authors claim a finding is negative, while others claim a finding can be positive and negative. However, most agree that the term finding should describe systemic observations and overall results of an evaluation. 2. New standards introduce new terms and consolidate others: ISO 9000 family of standards and the derivative standards have brought on several new terms in In the 90s, ISO 9001 was about quality assurance and quality systems. In the 2000 decade, ISO 9001 is about quality management systems. Now, organizations may have several different management systems (such as quality, environmental, safety and health). Each management system (quality, environmental and so on) may be audited. An audit of a quality management system (QMS) is called a quality system audit. An audit of an environmental system would be an environmental system audit. While there has been a proliferation of ISO 9001 spin off standards for different industry sectors, the number of system auditing standards have been continually reduced. In 1994 countries gave up their individual quality audit standards (in the US it was ANSI/ASQC Q1-1986, Generic Guidelines for Auditing of Quality Systems) in favor of an international consensus auditing standard called ANSI/ISO/ASQC Q , Guidelines for Auditing Quality Systems. In 2002, a new standard (ANSI/ISO/ASQ QE19011, Guidelines for Quality and/or Environmental Management System Auditing) was issued that combines quality and environmental audit guidelines to further reduce the proliferation of auditing standards. A fall-out of combining the quality and environmental standards is that there is no definition for a quality audit or environmental audit; just the term audit is defined. The ANSI/ISO/ASQ QE19011, Guidelines for Quality and/or Environmental Management System Auditing standard is an important document for auditors because it is a consensus standard. 3. Compliance versus Conformity: There has been over a decade of disagreement whether compliance and conformance are the same thing or are different. The ISO folks are making a case that there is a difference. They are promoting the idea that a noncompliance occurs when there is violation of a law, regulation, code or contract (if legally enforced). While a nonconformity occurs when there is a difference between actual performance and requirements. Further, the ISO folks prefer to use the term conformity instead of conformance. Even though it is not apparent that this tenet improves the effectiveness 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 3 of 54

4 of audits or fixes any problems, it does highlight the need for compliance audits and helps stress the difference between compliance and other types of audits. Purpose of Audits {PART I.B. OF THE CQA BOK} [CQA 2004 BOK Description: Describe and examine how audits are used to assess organizational effectiveness, system efficiency, process effectiveness, business performance, risk management and conformance to requirements.] Quality audits were first used around the World War II era. They were used in very complex or high risk operations such as the nuclear, aviation, and electronics industries. The theory being, a check by an independent person of an organization would give the person or organization requiring the check, higher levels of confidence that regulations, standards, and other rules were being followed. Audits are independent investigations of a product, process, or system. By examining documentation, implementation, and effectiveness, quality auditing is used to evaluate, confirm, or verify activities related to quality 1. Auditing has been used by governments as a tool to fulfill oversight responsibilities for regulated industries. An audit or threat of an audit has influenced many organizations to operate within regulatory or statutory requirements. The same would hold true for certain customer supplier relationships, to ensure contractual requirements are being met. Audits directed at ensuring specified rules are being followed are called compliance audits. 1 The Quality Audit Handbook, 2000, Quality Press With the advent of computers and more real time data collection, one might conclude that auditing would be on the decline. If anything, auditing has increased. While audits are still being used as an oversight tool to verify compliance, they are now being used internally as a management tool for continual improvement. Management benefits from receiving factual, unbiased, non-binding feedback to improve processes, products, and services. Audits can be used by any type of industry, whether product or service. Audits can be used for any size of organization (large or small). The practices and techniques used in auditing are the same (or similar) for quality, safety, environmental, or operational 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 4 of 54

5 audits. Audits provide management with information that can be used to: - provide input for management decisions (so that quality problems can be prevented or rectified) - inform management of actual or potential risks - identify areas for continuous improvement - assess personnel training effectiveness and equipment capability - provide visible management support of the quality program - verify compliance to regulators² 2 The Quality Audit Handbook, 2000, ASQ Quality Press Internal audits can provide information that can be used for improvement and to prepare organizations for external audits. If audits are not effective, they can be a drain on resources and constitute an added cost without apparent benefits. External audits can be used to verify agreements between two organizations and can be used to share information and make technology transfers. External audits can be used to promote mutual confidence, better communication and understanding between parties. 2. Auditing performance: Audits can be conducted for the purpose of determining conformance and performance. Audits can be performed to assess organizational effectiveness, system efficiency, process effectiveness, business performance, risk management and conformance to requirements. The purpose of most audits is to determine compliance or conformity of a system, process, or product. An auditor may determine if the documented system conforms and if it has been effectively implemented. Auditors can also determine effectiveness based on ability of the organization to achieve stated objectives. The CQA BOK terms show how auditing is moving to audits that add more value. Organization, system, process and business all describe an entity. The key words used to describe an audit purpose are effectiveness, efficiency and performance. These three words are related because they are linked to management s interests to stay competitive or to respond to demands to provide more services with fewer resources. Historically, compliance and conformity audits are more closely linked to the cost of doing business and maintaining status quo. In the book The Process Auditing Techniques Guide, the author states Besides the 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 5 of 54

6 step-by-step adherence to requirements, auditors should assess the effectiveness of the process steps. Process performance observations may include: redundancies, inefficiencies, waste, unnecessary rework and non value-added steps or tests. Experts state that if a process is meeting output objectives, it is an effective process. Management determines the goals and objectives. Your data should indicate whether the process owners are measuring results against the stated objectives/goals. They should know if the process objectives are being achieved. 3. Identify Risk: Another important term is risk management. There is risk in everything we do and it constantly changes. In the book Continual Improvement Assessment Guide: Performing and Sustaining Business Results, the author explains that the performance improvement assessments are the same as process audits except that auditors are not restricted to verification of conformity. Auditors should look for indicators of ineffectiveness and inefficiency such as waste or redundancy. The final report should include opportunities for improvement and identifying unacceptable process risks. Risk management Later in the book, the author states Neither people nor organizations can exist without risk. The kind and degree of risk must be managed. There may be safety (worker or customer injury), environmental (pollution, fines), financial (loss of revenue, excessive cost) and customer goodwill (loss of future sales) risks. Management needs to be informed of risks to the organization as input into the decision making process. Certainly, auditors should be aware that effectiveness, efficiency, performance and risk are important factors when determining the purpose of an audit. 4. International guidance: The new ANSI/ISO/ASQ QE19011, Guidelines for Quality and/or Environmental Management System Auditing standard, has example purposes that include determining effectiveness. Clause 6.2.2, Defining audit objectives, scope and criteria, includes purposes for: evaluation of the effectiveness of the management system in meeting its specified objectives identification of areas for potential improvement of the management system. This helps legitimize the use of auditing as a management tool for improvement and not just for determination of conformance or compliance. However, not many auditors actually know how to determine ineffectiveness, areas of inefficiency, poor performance or unacceptable risks. 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 6 of 54

7 Professionally conducted audits to verify compliance or conformity, along with the identification of possible improvement areas, are still the most widely performed audits. Lesson 2: [This lesson is medium length. It discusses types of audits, audit criteria, and responsibilities of participants.] Types of Audits: Part I.C of the CQA BOK [CQA 2004 BOK Description: Define and differentiate various audit types, such as product, process, system, management, compliance, first-party, second-party, thirdparty, internal, external, desk, department, and function.] 1. Product, process and system audits: A product audit determines if product requirements (tangible characteristics or attributes) are being met. A process audit determines if process requirements (methods, procedures) are being met. A system audit determines if system requirements (manual, policy, standards, regulations) are being met. All audits require planning (systematic), are documented, are independent, and collect evidence to verify conformance to the audit criteria. A key difference between audits and other types of evaluations (such as reviews and self assessments) is the requirement for some level of independence. You cannot audit yourself or your own work. 2. Improvement audits: Performance audit, continual improvement audit (assessment), value-added audit and management audit are some of the audit names that provide a better indication as to the purpose of the audit. If you told someone you were going to do a compliance audit, they would know what to expect and what the objective might be. If you told someone you were going to do a performance or continual improvement audit, they would know it is something different. Continual improvement, performance, management and value-added audits can all be either system, process or product audits. 3. Auditing Process-based systems and audit techniques There is an increased focus on viewing processes as part of a system and they can be improved. See image below. 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 7 of 54

8 Process auditing techniques are being used to audit management systems (quality, environmental, safety, etc.). Process audit techniques (discussed in Auditing (CQA) Fundamentals I and the Process Auditing Techniques class) are more effective than traditional elements method techniques. The ISO 9001:2000 process-based quality management system is particularly suited for process auditing techniques because the system is developed around sets of defined processes. The QMS standard requires organizations to identify the processes needed for the quality management system, their application throughout the organization and to determine the sequence and interaction of these processes. The process term is also used to describe techniques used when conducting an audit. For example, an auditor may use process audit techniques during a system audit (audit processes of the system). By its very nature, process auditing implies an action such as transforming inputs into outputs. Dennis Arter (author of Quality Audits for Improved Performance) has always linked process auditing to an action verb such as filling, stamping, purchasing, reacting, cutting and so on. Process auditing is evaluating the steps and activities that create the action or transform the inputs into outputs. This is a very useful approach because it focuses on the work cycle and deliverables instead of on isolated requirements. Many standards are organized in a random series of elements or sections. This has resulted in many auditors auditing organizations element by element to verify conformance to requirements. This is sometimes called the "element method." Auditing by element is a very effective method for tracing requirements; however, it does not consider the inputs, outputs and interacting activities of other processes, and therefore is less effective overall. One example of a drawback of the element method is that an auditor may be assigned a calibration control element (clause 7.6) to audit. It would be easy for the auditor to go to the Quality Assurance department (see schedule above) without regard to the devices used in manufacturing or in engineering. Also, using the element method, manufacturing (see above image) may not be audited for inputs of customer requirements or engineering changes. Another example of element method weakness is not linking purchasing responsibility to monitor supplier performance with QA s incoming inspection results during the audit. It is common for one auditor to be assigned purchasing while another auditor is assigned receiving and inspection resulting in the linkages and common processes between the two areas going untested. Process auditing provides value by examining process controls, risks, and achievement 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 8 of 54

9 of objectives. Auditors and management can benefit by conducting process audits and using process techniques to better test and evaluate system controls. 4. Type by relationship Audits are also characterized by the relationship between the auditing organization and the auditee organization. Information differentiating the types of audits being performed is used to communicate to others. The audit type should match with the audit purpose for certification, qualification, shipping approval, or improved efficiency. The model for the different types of audits by relationship was covered in Auditing (CQA) Fundamentals I, Lesson 1. Important Points about External and Internal Audits: External second- and third-party audits are normally more formal than internal audits. Passing a thirdparty audit may confer a certificate, license, approval, recognition, registration, or award from an independent organization. Third-, second-, and first-party audits can be product, process, or system audits. Third-party audit results are considered more reliable than second-party audits. Second-party audit results are considered more reliable than first-party audits due to the nature of the relationship (independence). The benefits of quality system registration claimed by external third-party registrar organizations are that they: 1. Give confidence to customers 2. Reduce market barriers 3. Increase competitiveness 4. Decrease audit costs compared to multiple customer audits External second-party audits are audits of suppliers to monitor adherence to a contract or are required for continued approval status. Prior to approval as a supplier or contract, an audit may be conducted to determine if the supplier has the capability to meet requirements of the intended customer. Audits conducted prior to a business relationship may be called surveys or assessments. Internal first party audits are when employees of an organization audit other parts or departments of the same organization (to ensure unbiased and objective results). Internal audits may be conducted by a single individual or cross functional team from the same location, or representatives from another location or corporate headquarters. Internal audits can be conducted against any agreed upon criteria 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 9 of 54

10 (contract, standards, procedures, specifications, policy, and so on). Internal audits are the most flexible and can identify the most opportunities for improving the organization. When two or more systems (quality and environment) are audited at the same time, it is called a combined audit. When two or more audit organizations (two customers or agencies audit a supplier organization) audit at the same time, it is called a joint audit. Audit Criteria {PART I.D. OF THE CQA BOK} [CQA 2004 BOK Description: Define and distinguish between various audit criteria, such as standards, contracts, specifications, policies, and quality awards.] Determining Requirements to Audit Against: The ISO internal audit standard uses the phrase "identification of requirements for the audited activity." The standard also uses the term audit criteria. The term criteria is used in the ISO standard to allow more flexibility. Organizations can be audited against any given criteria. The audit criteria could be anything from a policy, to a law, quality award criteria, objective, goal, plan, or contract, and so on. It may also be something they promised or are supposed to do. Note that ANSI/ISO/ASQ Q : Defining audit objectives, scope and criteria specifies that the audit criteria are used as a reference against which conformity is determined and may include applicable polices, procedures, standards, laws and regulations, management system requirements, contractual requirements or industry/ business sector codes of conduct. Auditors do not make up the rules, auditors audit against existing rules, requirements, procedures, instructions, etc. The requirements or audit criteria are found in documents. It is popular to think of these documents as coming from different levels. Picture a triangle split into four levels (top to bottom). The top level would be policies; this is followed by the second document level where descriptive manuals would come into play. Lower than these at the third level would be how-to procedures (process specific). At the bottom of the triangle would be the fourth level; it would contain documents such as details, instructions, drawings, contracts, specifications, plans, forms, etc. Roles and Responsibilities of Audit Participants: Part I.E. of the CQA BOK [CQA 2004 BOK Description: Define and describe the functions and responsibilities of various audit participants, including audit team members, lead auditor, client, auditee, 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 10 of 54

11 etc.] There is a handout and short activity online. Lesson 3: AUDITING FUNDAMENTALS [This lesson is medium length, discusses ethical conduct of auditors and audit program managers. There is a test at the end that you must pass to continue.] Ethical, legal, and professional Issues {PART I.F. OF THE CQA BOK} Auditing requires a high level of trustworthiness. Auditors are entrusted with sensitive information that if improperly disclosed, could affect the performance of an organization or prove detrimental to individuals. For this reason, auditors should be ethical and adhere to a code of conduct. A competent auditor is required to be ethical at all times. 1. Audit Credibility [CQA 2004 BOK Description: Identify and apply ethical factors that influence audit credibility, such as auditor independence, objectivity, and qualifications.] Credibility is a core requirement for every auditor and audit program. If there is a credibility issue, audit programs will not be successful and findings will be suspect. 1.a. ASQ Code of Ethics Take a moment to review ASQ's Code of Ethics listed in the handout. When you first read the code, think about the implications in your everyday activities. 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 11 of 54

12 Now read it a second time and think about changes that need to be made with current or future situations. Ethical considerations are an important part of planning and conducting an audit. Ethical standards can affect both the eligibility of an individual auditor and that of the auditing organization to conduct audits. 1.b. Conflict of Interest Applicable ASQ Code of Ethics clause: 2.2 Will inform each client or employer of any business connections, interests, or affiliations that might influence my judgment or impair the equitable character of my services. Auditors should disclose any potential conflict of interest before an audit is conducted. When there is a conflict of interest, the auditor should withdraw or decline to conduct the audit. If there is a potential conflict of interest, the client or audit program manager should either; 1) select another auditor for the audit, 2) ensure that the area of concern is assigned to a different auditor, or 3) determine that sufficient time has passed and a conflict of interest no longer exists. A conflict of interest could exist if: 1. there is an exchange or promise of something with monetary value, 2. there is a business or personal relationship, or 3. the auditor attempts to audit his or her own work. Examples of conflict of interest are: Monetary Value: 1. Invested in the organization to be audited, e.g. stocks, partnership, interest, 2. Acceptance or promise of a gift having value, 3. Contestant in a contest or sales promotion sponsored by the auditee organization. 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 12 of 54

13 Relationship: 1. Previous employee of auditee organization or their major competitor. 2. A close friend or relative works for the auditee organization. 3. Previous or close working relationship with the auditee organization, or personnel in the area being audited (a common issue for internal audits). Some audit programs require a waiting period (2 or 3 years) before an auditor can audit an area where they previously worked. 4. Doing other work for the auditee organization may bring the credibility of the audit results into question. 5. Bad blood or prior personality conflict with either auditee personnel or a close friend of the auditee personnel. Independent of system 1. Auditor was involved with establishing and/or implementing the controls being audited. Conflicts of interest may adversely affect, or appear to affect, the objectivity and impartiality of the audit results. (Any such appearance must be avoided). In both external and internal audits, conflict of interest situations must be dealt with in such a way that the audit results are objective and impartial and the credibility of the audit function is maintained. 1.c. Confidentiality Auditors must recognize the sensitive nature of proprietary information and its potential effect on audits. Applicable ASQ Code of Ethics 2.4 Will not disclose information concerning the business affairs or technical processes of any present or former employer or client, without his or her consent. Protecting Information Auditors must not disclose proprietary information gained during an audit. For external audits, it is common for auditors to sign a confidentiality, or non-disclosure agreement, prior to the audit. The agreement can cover the members of the audit team, as well as the audit organization and any other assignees who may be privileged to see 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 13 of 54

14 the proprietary information. For internal audits, it is common for employees to sign confidentially, or non-disclosure, agreements as a condition of employment. It is advisable for auditors to seek legal counsel before signing any legal agreements. Confidentiality agreements should be limited to proprietary information and there should be a release after a specified period of time, or when the information becomes part of the public domain. Non-disclosure agreements involving the audit organization should be signed by an officer of the organization. The need for confidentiality agreements or security clearances should be determined prior to the audit and may affect audit team selection. In some cases, auditors may be required to pass a security screening. Certain government projects may require a confidential or top secret clearance. It is okay to discuss audit situations at department meetings and training programs, but not to disclose the specific auditee organization. Auditors must also be diligent not to inadvertently disclose information with body language, such as nods or facial expressions. Audit evidence (such as records, drawings, and pictures) should be safeguarded. If an auditor wants to take pictures (e.g. using a digital camera), the auditee organization should approve its use and stipulate any restrictions. Audit Techniques In general, highly sensitive information should only be viewed if absolutely necessary to complete the audit objectives and scope. Auditors should not view sensitive information just for curiosity. When auditors are not allowed access to areas needed to complete the audit objectives, such limits should be stipulated in the report so that management will be aware of any special circumstances regarding the information reported. 3. Professional Conduct and Responsibilities [CQA 2004 BOK Description: Define and apply the concepts of due diligence and due care, with respect to confidentiality, conflict of interest, the discovery of illegal activities or unsafe conditions.] Professional conduct is adherence to the code of ethics. Auditors have responsibility to 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 14 of 54

15 their employer and themselves to take the code of ethics seriously. Besides following the code of ethics, some other practices for professionals would be: 1. Don't complain about colleagues, the audit organization, or other organizations audited in front of the auditee personnel 2. Honor all commitments, obligations, and laws 3. Be honest and above board with your business dealings 4. Look professional in your manner and attire Besides professional conduct, auditors should practice good etiquette when conducting audits. Discovery of illegal or unsafe conditions or activities Go to the handout, read the five mini case studies 1 and answer the questions at the end. Then compare your responses to the answer-discussion handout. If an auditor observes unethical or unsafe conditions, the auditor is obligated to report it. The auditor reports it to the lead auditor; then the lead auditor reports it to the client, the audit program manager, the auditee management, or all three. Audit program guidelines must be followed when unethical or unsafe conditions are observed. 1 Russell, Puzzling Auditing Puzzles, Quality Press, 2000 Response Guidelines may include: 1. Assessment of the unethical or unsafe situation 2. Verification of the situation with records, personal observation, or by another auditor (keep a record of what you found) 3. Notification of the client, auditee management, and/or audit program manager as appropriate 4. Obtaining legal counsel if there are risks (liability, litigation) to the auditor or audit organization 4. Liability Issues 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 15 of 54

16 [CQA 2004 BOK Description: Identify potential legal and financial ramifications of improper auditor actions, such as carelessness and negligence, in various situations, and anticipate the effect that certain audit results can have on an auditee's liability.] a. Personal and corporate If the audited organization depends on the information from the audit to make decisions, or if the organization is harmed as a result of the outcome of the audit, the auditor and audit organization could be held liable. An auditor has a responsibility to exercise due care. "Due care" (reasonable care) is a standard used by the courts to determine if actions fit the situation. If an auditor's actions or conduct are suspect, the auditor could be found negligent. Auditors face personal liability for their actions and the information they report. For example, if an auditor claimed an organization could forgo EPA audits if they were ISO registered and this turned out not to be the case, the auditor could be liable. An auditor also faces liability if the auditor instructs the auditee on how to fix a problem or how to address an audit finding. In a second-party audit situation, the auditee may seek a price adjustment to offset the cost of the solution; or, if the auditee later finds a more economical solution that the auditor should have known, the auditee could seek restitution. Auditors could be found in violation of securities laws if they receive insider information during the audit and use it to buy or sell stock for personal gain. An auditor could be found in violation of criminal codes if they were aware of illegal acts and did not report them. An auditor may, for example, observe an auditee substituting cheaper materials, although that information was not disclosed, (for example, adding sugar to orange juice to save on the cost of oranges). The auditor and audit organization are also liable for safeguarding information collected during the audit. Audit records are subject to discovery in legal proceedings. The auditor or audit organization could face other legal issues if audit records could not be found or they were destroyed before the specified retention time. b. Audit record disclosure: There should be a procedure for authorized release of audit records. Likewise, there should be a procedure for destruction (or return) of audit records no longer needed. For example, one organization that was concerned about product liability issues determined that audit reports should be destroyed after one year. They kept the corrective action records as proof of the audit. The audit organization is liable for unauthorized disclosure of audit records. For example, if an audit organization released supplier records to a customer (without supplier approval) and subsequently the supplier lost the contract; the audit 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 16 of 54

17 organization could be held liable for any damages. Lesson 4: AUDITOR COMPETENCIES [This lesson is long, discusses auditor characteristics, use of resources, handling conflict, communications and presentation techniques.] Competency is a popular term being used to assess auditor qualifications. People performing a process (task job) should be competent. When evaluating people to be auditors, we must evaluate auditor competencies. Auditor Characteristics {PART III.A. OF THE CQA BOK} [CQA 2004 BOK Description: Identify characteristics that make auditors effective, such as interpersonal skills, problem-solving skills, close attention to detail, cultural sensitivity, ability to work independently, in a group, or on a team.] Besides knowing audit process methods, auditors should have problem solving skills, such that, when faced with unanticipated situations, they can competently work out solutions to achieve the audit objective(s). It is important to note that the integration of races and culture in the United States, along with established global business trends, has created the need for auditors to be sensitive to diverse cultures and customs. The ANSI/ISO/ASQ QE19011:2002 auditing standard spends a considerable amount of text on auditor competencies. The ANSI/ISO/ASQ QE19011:2002 is a very important guideline standard for third-party auditing. It also provides guidance on how auditor competencies can be evaluated. Auditor competencies should be defined and potential auditors be evaluated on the required competencies. Auditor competence is based on the demonstration of: specified personal attributes 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 17 of 54

18 ability to apply knowledge and skills gained through education, work experience, auditor training and audit experience Continued competence is achieved through continual, professional development and regular, audit participation. The principles in the previous image under knowledge and skills are the audit principles of: - Ethical conduct: honesty, keep information confidential - Fair presentation: without prejudice - Due professional care: act in a manner that is reasonable for each situation - Independence: no vested interest, avoid conflicts of interest - Evidence-based approach: report facts and conclusion based on facts Resource Management {PART III.B. OF THE CQA BOK} [CQA 2004 BOK Description: Identify and apply techniques for scheduling people, events, logistics, and audit-related activities.] Planning is critical to good time management. Planning ahead includes the overall audit program schedule, the individual audit plan, and the interview schedule. Plans must be communicated to the interested parties (i.e., auditee, client, auditors). Plans must be acceptable to the interested parties (mutual agreement versus autocratic approach). Plans should be adjusted for such things as individual availability, organization shutdowns, complexity (or simplicity) of operations, outages, special events, start ups, idle time, shift changes, safety requirements (special equipment or training), etc. Avoid planning audits for the end of the month, quarter, or year, or around holidays. Time Management The notification letter should contain audit team needs so that the auditee can plan for any special arrangements. The need for escorts, box lunches, work space, photo copy services, special safety equipment, required clearances or health records should all be identified ahead of time. Needs should be anticipated and made known to the auditee. 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 18 of 54

19 The auditor(s) should arrive on time and stick to the schedule. Not staying on schedule is indicative of poor time management and may antagonize the auditee. When schedule changes must be made (i.e. a need for more or less time), keep everyone informed. Circumvent auditee delay tactics such as: lengthy explanations or presentations, and elaborate tours of the organization. The auditor must maintain control from the opening meeting throughout the closing meeting. If delay tactics threaten the audit schedule and the accomplishment of the audit's purpose and scope, the lead auditor should notify both auditee management and the client. As a time saving measure, auditors will often combine lunch with an audit team meeting to compare notes and provide updates. Another technique for saving time is keeping the auditee informed of problems as they are found. This avoids confusion later when personnel are trying to recall the exact circumstances surrounding a problem identified during the audit. Auditors must address time-wasting tactics as soon as they appear. Conflict Resolution {PART III.C. OF THE CQA BOK} [CQA 2004 BOK Description: Identify typical conflict situations (disagreements, auditee delaying tactics, and interruptions) and determine the techniques for resolving them, such as negotiation and cool-down periods.] Conflict occurs when opposing ideas, thoughts, or actions collide. The best way to minimize conflict is to practice good communication skills by listening, expressing yourself in terms the auditee understands, focusing on the process instead of the people, keeping the auditee informed (thereby avoiding surprises), and being open-minded and flexible. Conflict occurs when there is misunderstanding, auditor or auditee bias (own agenda), surprises (by auditor or auditee) and genuine disagreements with the interpretation of requirements. In some cases, conflict could threaten the accomplishment of the audit objectives. Conflict can result in delays in the audit schedule, uncooperative or hostile behavior, and actual sabotage of the audit. Techniques for addressing conflict are: - Ensure that the auditee understands the situation by repeating information (perhaps using more auditee friendly terminology). 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 19 of 54

20 - Listen to the auditee s explanation of the situation. This may reconfirm your original judgment or reveal a different perspective. - Restate the requirement and share examples of possible audit evidence needed to show conformance to the requirement. - Explain the response options and the appeal process. If emotions surface, take time out for a cool-down period and/or interview other acceptable individuals. Then re-establish that the role of the auditor is to collect evidence that shows conformance to requirements (no tricks or hidden agendas). When appropriate, show empathy for the auditee's situation. For internal audits, talking to the interviewee in private may alleviate their concerns. Always assume the auditee is acting in good faith. Never try to intimidate (with bully tactics) the auditee to avoid addressing conflict. Communication Techniques {PART III.D. OF THE CQA BOK} [CQA 2004 BOK Description: Select and use written and oral communication techniques in various applications, such as technical reports, active listening, empathy, and paraphrasing.] The audit process is a service that relies heavily on good communication skills. Auditors should tell people what they are going to do, what they need while doing it, and after they do it, what they observed. The auditor's message should be clear to the users of the information. The message should be accurate, complete, and to the point. Common auditor techniques for effective communication are: - Hold opening and closing meetings - Practice active listening - Hold daily meetings to keep the auditee informed - Share checklist with the auditee - Keep escorts informed of problem areas and areas completed - Utilize newer communication devices such as a digital camera and where appropriate - Show empathy towards disruptions caused by the audit - Be flexible concerning schedule changes as long as the audit objectives can be achieved Depending on the situation, the auditor may need to reaffirm that the auditee has received and understood the information provided by the auditor. Auditors should observe how people react to information (maybe a positive nod) and, in some cases, 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 20 of 54

21 seek a positive affirmation that information was received and understood. If there are credibility concerns with the audit process, the auditor may need to assure the auditee that all information is confidential. Presentation Techniques* {PART III.G. OF THE CQA BOK} [CQA 2004 BOK Description: Define and apply various tools and techniques such as graphs, charts, diagrams, and multimedia aids for written and oral presentations made at opening, closing, and other meetings.] Presentations are made as a means to communicate information at the beginning and at the end of the audit. The lead auditor conducts the meetings. The lead auditor and audit team members should be dressed appropriately (per dress code of organization or audit program guidelines). *NOTE: CQA PART III, Sections E. (Interviewing...), F. (Team membership...), and H. (Verification...) will be discussed in the next lesson. PRESENTATION METHODS Presentation The lead auditor should take the head seat (it is the lead auditor s meeting) for easy eye contact with all attendees. Handouts, such as nonconformity or finding statements, should be copied ahead of time. The lead auditor should ensure presentation equipment needs have been met (flip chart, projector) and the room size is adequate for the planned audience. The lead auditor calls the meeting to order and presents the information according to the agenda. The presenter can utilize tools such as an overhead projector, data projector, dry erase board, digital camera, and flip charts to communicate the information. The lead auditor must ensure there are adequate support materials (such as markers), as well as technical support for the high tech devices. Handouts should not be handed out prematurely. For example, if at the exit meeting the nonconformities are handed out at the beginning of the meeting, 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 21 of 54

22 everyone's attention will go to what is on the paper and they will stop listening to the auditor who is presenting important information. PRESENTATIONS Present a professional image, be articulate, and practice your presentation techniques. In general, the lead auditor's level of dress should match the highest level of the person attending. The amount of preparation and style of presentation should match the situation. For example: Exit meetings should not be delayed for making fancy slides, nor should the CEO need to decipher last minute handwritten slides. Lesson 5: AUDITOR COMPETENCIES, CONTINUED [This lesson is medium length, discusses supplemental interview techniques (beyond what was presented in Auditing Fundamentals I, the auditing process), management of teams, and verification/ validation methods. There is a test at the end that you must pass to continue.] Interviewing Techniques {PART III.E. OF THE CQA BOK} [CQA 2004 BOK Description: Define and apply appropriate interviewing techniques (e.g., when to use either open-ended or closed question types, determining the significance of pauses and their lengths, or when and how to prompt a response), based on various factors, such as when supervisors are present, when interviewing a group of workers, and when using a translator.] Note that interview techniques were covered as part of the auditing process in Fundamentals I. In this lesson, there is important information about pausing and using translators. 1. Significance of pauses Besides the exchange of words during an interview, in the background are pauses. Pauses can be short or long. The length of a pause may be culturally related or it may reflect the ability to respond to a question or share the information. Auditors must be able to gauge the meaning of pauses and use them effectively 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 22 of 54

23 during an interview. Sometimes an auditor can use long pauses to glean more information from the auditee. If an auditee finishes a response and the auditor takes a long pause, the auditee may feel uncomfortable with the silence and continue by elaborating on the answer. 2. Using a translator When translators are used, interview time should be increased, perhaps doubled in some cases. Translator protocol includes: - The auditor should meet with the translator prior to the interview. It may be appropriate for the auditor and translator to agree that the translator makes the first statement to the interview by completing introductions and explaining their role as the translator and yours as the auditor. - Instruct the translator to be sure that he/she understands the words used in the questions and statements before translating them. Ensure the translator knows it is okay to ask for clarification. - The translator should limit interview translations to bite-sizes of information. Letting the auditor or auditee speak for five minutes before any words are translated could lead to significant inaccuracies in the translation. The auditor should work out a protocol with the translator before the interviews start. - Visual aids, such as pointing to or using objects can be helpful. Auditors can also use gestures for size dimensions. In some cases, there may be prejudice or resentment because of country or regional politics toward your nationality, culture or race. Take threats, or other indications of prejudice, very seriously. Prejudice: One time I was conducting a second-party audit using a translator. Just before starting the interviews (after the opening meeting) a supervisor told me that there could be trouble because I spoke English. I did not know what kind of trouble he was talking about, so I immediately stopped the audit. I did not want to put myself in danger or create problems for the organization I was auditing. Also, I needed to assess the situation to determine if it was going to be a very hostile audit, such that I might need a second person to accompany me on the audit interviews. Aft i ti ti th f th i d ti ith th l t d 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 23 of 54

24 After investigating the reason for the warning and meeting with the plant manager and business manager, it was decided that there would not be any problems because I spoke English. Team Membership, Leadership and Facilitation {PART III.F. OF THE CQA BOK} [CQA 2004 BOK Description: Define and use various techniques to support teambuilding efforts and to help maintain group focus, both as a participant and as a team leader. Recognize and apply the classic stages of team development (forming, storming, norming and performing). Identify various team member roles and apply coaching, guidance and other facilitation techniques necessary to effective team functioning.] 1. Techniques for team building and maintaining focus. Audit teams are ad-hoc teams formed to carry out the audit plan and achieve the audit objectives. Most audit teams are informal and have no team meeting agendas. Audit teams may or may not be cross functional. The leader of the team is normally selected by the client or audit program manager. The audit team process is normally task driven and only established for one audit. Task driven process teams stay focused on team objectives, such as the audit objectives. On occasion, audit teams may include activities to preserve the team spirit and foster intra team relationships. Seven primary elements of task driven audit process teams are: 1. Following the audit plan and considering modifications as necessary 2. Monitoring team progress and the audit schedule 3. Completing tasks assigned 4. Recording the results of the audit 5. Verifying audit objectives are being achieved 6. Making evidence-based decisions relative to the audit findings and audit progress 7. Identifying new action items, responsibilities, timing issues. Maintaining audit teams involves working with different personalities and ensuring the team is a cohesive and effective unit. The short duration of most audit teams does not make this an issue. However, there are still some basic team building techniques, which can be utilized to ensure that the team works together in the most effective and 44B51CEB-63FC-0892A7.doc 2005 JP Russell & Assoc. Page 24 of 54