The Auditor General’s Report – An auditor’s questions

 

Do you see what’s missing in all the reports about and responses to the Auditor General’s Report? 

write2rest 

For over 30 years I’ve been responsible for business processes ranging from Research and Development to Customer Feedback, in companies which report turnover in billions of dollars.

I’ve spent the second half of my career in quality management. I know how processes are designed, resourced, implemented, examined and confirmed.

I know about legal requirements, industrial standards and moral/ethical decision making.

For a time I was responsible for assuring that nineteen manufacturing sites and research centres as well as dozens of contract manufacturers and hundreds of suppliers did the right things: followed defined and approved processes to specify, order, receive, make, release, store, deliver, service and improve products.

I've conducted, reviewed and responded to many audits. Audits are required by most quality-related regulations and standards. Audits are especially powerful when conducted by skilled auditors.

Meetings during the course of an audit

During audits it's customary for the auditors to hold an opening meeting on day one, debrief meetings at the end of each day and a closing meeting on the last day to summarize all issues. By the time of the closing meeting, all auditees and their managers will know what ‘non-conformances’ are likely to be included in the auditors’ report, and the severity rating for each non-conformance. They will therefore be unsurprised by the final report.

The severity ratings used in most organizations can be mapped to levels similar to these: critical (‘fix it within a week’), major (‘fix it within 3 months’), minor (‘fix it within 6 months’) and opportunity-for-improvement (‘do it when you’ve done the other things’).

Good department managers

Over the years I have found that good department managers not only welcome audits. They keep the spectre of audit before their subordinates and peers all the time. They insist that their people co-operate fully with auditors. They use audit results to make changes – of people, processes and procedures.

Good department managers understand and accept that every audit will find issues. They are eager to know the issues and to “close the audit findings.”

Example of a positive response to an audit

Once, during day 2 of a 4 day audit, we uncovered a system issue in one department. I thought it was likely to be rated as either a critical or a major non-conformance. I reported it during the daily debrief. The auditees agreed our observation about the system was correct.

After the meeting, the Manufacturing Director asked the department’s Manager and his team to stay back for a discussion. I learned later that they met from 6 to 9 pm.

The next day, I was surprised that instead of the usual driver, the Manufacturing Director came to the hotel at 8 am to pick up the audit team of which I was the leader.

As his driver took us to the factory, the Manufacturing Director told me that he understood the non-conformance and that he would not disagree to it being rated critical. He said he and the department head had already discussed it with another of our factories (in another country) and had found a way to correct the system.

He explained the proposed solution to me and asked if the change would result in the site returning to compliance with company policy and all applicable regulations and standards – since we were exporting the product to many countries. I agreed it would.

Duration of key audit-related activities

Usually it takes a month for the auditors to send a draft audit report to the auditees for review. The reason it takes so long is that a verification process is used: everything stated as fact must be confirmed. Also, the severity rating of each non-conformance must be checked to ensure it’s the same as the rating given to similar non-conformances found elsewhere – whether in the same site or on the other side of the planet.

So I was very surprised when, 3 weeks after I completed the site audit, I received a message from the Manufacturing Director inviting me to return and perform a re-audit to confirm that the issue had been fixed. He even offered to pay all the expenses associated with my trip, since I had not budgeted it in my department.

I was very pleased with the positive way in which he had responded to the non-conformance I had found. However, I declined to do the re-audit, because there’s a process to be followed – as you will know if you’ve ever been audited by quality professionals.

Elements of a good audit process

This is the typical process (with some details omitted in the interest of clarity):

An audit is scheduled, often a year in advance.

The audit is resourced with auditors having the skills appropriate to the activities performed at the site to be audited.

The audit is performed. The audit includes review of effectiveness of actions taken to correct issues reported in the previous audit report. (If anything is not confirmed to be fixed, a critical non-conformance will be raised; if this happens, you can be quite sure heads will roll.)

Within 30 days the draft audit report is sent to the auditees for review and corrections.

Within 7 days the confirmed audit report is formally issued by the Lead Auditor.

Within 30 days a detailed Corrective Action Plan (sometimes including disciplinary actions) is sent by the leader of the audited site to the auditor for review of adequacy.

Within 14 days a final Corrective Action Plan is approved by the Lead Auditor, who generally expects all non-conformances to be fixed within 30 days of the date on which the Corrective Action Plan is approved.

Monitoring status of responses to audits

Monthly status reports are sent by the leader of the audited site to the Lead Auditor until all corrective actions are completed, and a re-audit is performed to confirm the actions are effective.

In parallel, the Office of the Auditor issues monthly or quarterly status reports which indicate whether non-conformances are being closed as planned. A key element in these reports is a tabular or graphical trend chart which shows the state of conformance of each site, region and business over time (often for 3 years).These reports go all the way to the office of the CEO.

In the companies I have worked for, all of the above also applies to financial auditing. Occasionally I’ve lead, trained or guided teams who’ve worked on fixing issues involving financial policies, e.g. buying or selling goods and services, as these usually involve changes to each site’s selling and procurement procedures.

Concluding thoughts

Do you see what’s missing in all the reports about and responses to the Auditor General’s Report?

Is there a re-audit process?

Is severity assigned to each issue observed? Is severity elevated if an issue from a previous audit is not fixed?

Can auditees honestly claim they are surprised by some issues included in the Audit Report? Are there Corrective Action Plans?

Is there a monitoring process? When and how will the audit be closed?

Who's being commended for timely and effective response to audit findings?

Finally, an audit is a snapshot taken at ‘a moment in time.’ What about the processes the auditors did not have time to audit? How big is the iceberg?