All about Auditability
By David Powley DNV Certification Ltd

'Management systems are an exercise in bureaucracy and burden without actually addressing risks and delivering performance'. This quote, from a sceptical commentator, is a prejudiced generalisation, but it characterises a dilemma faced by many. How much system description and documentation is needed to enable a management system to successfully withstand a performance-based audit? David Powley, of DNV Certification, offers context and advice to those who audit, implement and maintain management systems for quality, environment and safety & health (QESH).

Management system (MS) specifications have been formulated with auditing in mind. These include ISO 9001 (quality), ISO 14001 (environment) and the quasi-standard OHSAS 18001 (safety & health). In many clauses of the specifications there are mandatory requirements for documentation such as written procedures and records. In other clauses, the need for documentation is optional for the organisation depending on circumstances. So, how should an organisation react to this? Obviously, a natural trend is to minimise the amount of documentary burden but how can this be achieved? In order to discuss this it is worthwhile going back to the basics of auditing of management systems.

What is an audit? The common definition for an audit of an MS is 'a systematic evaluation of the adequacy of and adherence to planned arrangements'. There we have it - a very important statement - but before we go further, let's clarify some terms.

Planned arrangements are the way things are meant to be by virtue of customer requirements & expectations, regulatory conditions, best practice, continual improvement, the appropriate science etc. In other words they are desired sets of conditions and can include:

processes, procedures and instructions
approved codes of practice
organisational structure
plans, schematics and drawings
licensing conditions (e.g. consents) and other regulatory requirements
conditions in a contract with a customer
numerical values or acceptance criteria e.g. emission limits, exposure limits, purity specifications of product etc.
staff deployment and job descriptions
project descriptions, management programmes or quality plans
training syllabus and training plans
permits (for hot work, confined spaces etc.)

Adequacy in this sense means the capability of these planned arrangements, as presented to an auditor, to achieve what is meant to be achieved. Basically, the auditor checks that they are meaningful. It is one thing to scrupulously follow (or adhere to) the planned arrangements but are they 'good'?

Obviously, in some cases the auditor has to assume adequacy. These are the conditions specified by the interested parties of the organisation and include the written contracts with customers, the written regulatory licence conditions, approved codes of practice etc. In other words the adequacy is given 'off the shelf' and should be taken as read.
In all other cases the auditor makes a judgement regarding acceptable or best practice, and this is where the auditor's capability is tested. The auditor, in the systematic evaluation, is considering whether the planned arrangements can achieve what they are meant to achieve and is often guided by risk identification. For example, s/he may ask:

Will this training regime or syllabus enable people to fully understand the hazards of this substance and the risk presented when they are working with it?
Does this type of packaging of engineering parts, as specified in the organisation's procedure, meet with customer expectations even though a type of packaging was not specified in the contract?
Although the frequency of effluent monitoring was not actually specified in the discharge consent, will once per month be sufficient to assess the effectiveness of the treatment plant with a view to preventing or minimising polluting discharges to a controlled water?

A special mention is required here for assessing adequacy of planned arrangements for improvement objectives and targets in QESH management systems. This will be covered later but suffice it to say at this stage that the auditor will not be satisfied with wish lists - s/he looks for reality and achievement.

Adherence (or compliance) within this context quite simply means the extent to which the planned arrangements, as described, are being followed.

So that is what is required for audit - make your planned arrangements good and make sure they are demonstrably being followed. Simple isn't it? Or is it? The difficulty of course is doing all of this without creating a monstrous bureaucracy, which is where we started. In other words - strike the balance between minimising the paper burden and making the MS auditable i.e. making the planned arrangements capable of being systematically evaluated for adequacy and adherence (or compliance).

Let's start with the so-called manual. Of the three specifications concerned only ISO 9001 actually uses the term 'manual'. However in all cases there is a requirement for what amounts to the same thing. For this reason rather than getting into terminology it is better to decide what is actually required, which is to enable an interested party to see at a glance what the MS is. This is a combination of (1) an overall description of the scope or extent of the MS, (2) a presentation of the core elements of the system and their interactions and (3) references to relevant planned arrangements. This latter part can be regarded merely as a map or sign-poster, which presents a linkage between the clauses of the specifications/standards and the planned arrangements with which the organisation deems it is addressing those clauses. There is no need to re-iterate the clauses of the specifications. Even for the most complex organisations and management systems, the above requirements can be met with a mere few pages. Brevity is the key.

In order to consider planned arrangements with regard to bureaucracy and burden it is important to recognise the two groups of interested parties involved - these are the users of the planned arrangements (i.e. the workforce of the organisation) and the auditors (i.e. third-party auditors, possibly customers, internal auditors etc). The users within the organisation are selected, developed and trained on the basis of them being competent to work according to the described planned arrangements and therefore the need for written word may not be great. This can be expressed by Fig 1.

Fig 1: Reliance on competence versus the written word (diagram)

Common sense says that as competence of personnel performing a role increases so the need for written instruction decreases. In these situations where there is little written word, the adequacy of planned arrangements will all rest on the capability of the people performing the work. This is a generalisation and there are of course situations where written word will always be needed for example where numerical data is concerned or where there may be frequent change. Also the MS specifications make it obligatory for documented procedures in certain instances and in others where their absence may create risk - the latter demand is obvious. So outside of these obligatory and particularly demanding risk situations the organisation can exercise discretion. This makes sense - the organisation has deployed personnel on the basis of their capability to handle the roles without the necessity of their constantly referring to written procedures.

So what about the other group of interested parties - those who audit the MS? A certification body should deploy a third party management system auditor (3PMSA) or audit personnel on the basis of matching up their capability with that required for the particular contract in question. This will embrace many issues of adequacy such as awareness of health, safety, environmental and quality based legislation, best practice, specific knowledge of the industry sector and its current acceptable and best practice etc. So if this exercise were carried out well the 3PMSA, like the capable employees of the organisation, would have less need of documented procedures or written word provided that s/he has been given some basic account of the way activities should be performed. Though it should be pointed out that auditing in this way with a minimal amount of written word presents risks (to the audit outcome) and could take longer - the account given to the auditor by a particular employee should represent the way in which other employees operate and it may be necessary to sample several employees to establish a degree of consistency of operation, if consistency were an important issue.

It is probably different for the cases of internal auditors and customer auditors. Why is this so? Internal auditors are usually selected for their independence and capability as auditors alone. Very often they are not expected to be competent to give a judgement of what is adequate for a department or activity they are not familiar with. In these circumstances the inexperienced would rely on the entire adequacy being presented to them in the form of the written stipulations or procedures. As such they would operate only as adherence (or compliance) auditors. If the internal auditors had earlier worked in these situations or departments then so much the better - they are able to have an opinion on adequacy within their findings but this may not be the norm. Similar considerations may need to be made for clients or customers who audit your organisation. They may not regard themselves as experts in your business area and may expect you to have written procedures that embrace adequacy. Even so, some imagination may be exercised in producing descriptions of planned arrangements. Photographs, schematics, flow diagrams and other more graphical representations may be better than a thousand words.

That's enough about adequate planned arrangements and their descriptions, how about checking adherence to them? Record keeping is a common method of showing adherence and probably the greatest source of burden in management systems maintenance. The MS specifications make production of records obligatory in certain situations in order to show compliance with planned arrangements. Unfortunately this represents a failure to recognise that other auditable devices exist. Looking on the bright side - wherever record keeping is not stipulated there are many better ways in which an auditor can check compliance and these are all based on outcomes. For example:

Interviewing people in order to check 'absorption' of the content of a course is better than viewing a record to show attendance. The 3PMSA should have been chosen on the basis of competence to evaluate such things.
Observing the general appearance of a location is a better device than an inspection record to show an intention to maintain an acceptable state of housekeeping.
Witnessing the delivery of bulk hazardous material during the audit may be better than the existence of a document with a series of ticks in boxes.

All of the main MS specifications have stipulations to set and work toward achieving objectives and targets. An objective in this sense is taken to mean an improvement objective - aiming for an improved state. Examples are 'reduction of number of late deliveries by 10% based on previous year' or 'achieve 100% compliance with our trade effluent discharge consent during current calendar year' or 'phase out the use of hazardous substance X by year end'. A 3PMSA at least will want to see some reality and commitment here given that certification is generally now granted on the basis of capability to continually improve. Once again s/he will be looking at the adequacy of and adherence to planned arrangements. The adequacy is best expressed in the form of the 4W's:

What the objective is - a clear comprehensible statement.
Who has the responsibilities at various stages - people, departments, units etc.
When each stage is due for completion - the timeframes.
How the objective or its various stages will be achieved - as seen at the time of writing.

A 3PMSA does a reality check. S/he will look at the plan and timeframe for the objective and interview relevant personnel in order to assess the intentions. As part of this the 3PMSA considers measurability, and this is where adherence comes in. Are the objective and its associated targets being met according to their measurable parameters? Records do have their place in showing the reality and progress, but the MS specifications are not explicit regarding the keeping of records for this purpose. This is no bad thing, because other tangible options or outcomes alongside records may be available to show progress or the lack of it. Actually looking at outcomes (tangible and intangible) or witnessing activities, whichever is appropriate, is the surest way. For example:

An objective such as the installation of a new or improved piece of environmental abatement technology can be reality checked in the early stages by looking at the purchase order and at later stages by looking at the installed equipment.
The claimed improvement in customer satisfaction may be ascertained by the auditor actually doing a short telephone sampling of customer opinion - this may be reliable for auditors though unpalatable for some organisations.
The intended phase out of use of a hazardous substance by a more benign substitute may be reality checked in initial stages by looking at trial results with substitutes and the on-site presence of samples of these substitutes.

A management system need not be burdensome. A company working adequately - meaning according to best practice, employee safety, legal requirements, customer needs and so on - will have won more than half of the battle in meeting the demands of the standards. The task thereafter is to demonstrate this (with minimum bureaucracy) for an audit using clear planned arrangements and evidence of compliance. The third-party management system auditor (3PMSA) should be capable of testing adequacy and adherence without the need for production of copious paperwork. Internal auditors and other parties may need more assistance in this respect. However, through good selection and some coaching and experience, the internal auditor could in time audit a management system with similar minimalist needs to those of a 3PMSA.

David Powley is a Principal Lead Integrated Management Systems Auditor for DNV Certification Ltd. He is a Chartered Chemist and Member of the Royal Society of Chemistry, Member of the Institution of Occupational Safety and Health, a Principal Environmental Auditor with the Institute of Environmental Management & Assessment, a registered Lead Auditor with the International Register for Certificated Auditors scheme for quality management systems and Lead Verifier for EMAS. David has produced many published articles on management systems for quality, environment and health & safety and their integration, being regarded as a pioneer on the subject of integration. He is currently finalising an experienced-based book on the subject of integrated management systems. David can be contacted on dave.powley@dnv.com