All about Auditability
By David Powley DNV Certification Ltd
'Management systems are an exercise in bureaucracy and burden without
actually addressing risks and delivering performance'. This quote, from
a sceptical commentator, is a prejudiced generalisation, but it captures
a dilemma faced by many. How much system description and documentation
is needed to enable a management system to successfully withstand a
performance-based audit? David Powley, of DNV Certification, offers
context and advice to those who audit, implement and maintain management
systems for quality, environment and safety & health (QESH).
Management system (MS) specifications have been formulated with auditing
in mind. These include ISO 9001 (quality), ISO 14001 (environment) and
the quasi-standard OHSAS 18001 (safety & health). In many clauses
of the specifications there are mandatory requirements for documentation
such as written procedures and records. In other clauses, the need for
documentation is optional for the organisation depending on circumstances.
So, how should an organisation react to this? Obviously, a natural trend
is to minimise the amount of documentary burden but how can this be achieved?
In order to discuss this it is worthwhile going back to the basics of
auditing of management systems.
What is an audit? The common definition for an audit of an MS is 'a systematic
evaluation of the adequacy of and adherence to planned
arrangements'. There we have it - a very important statement - but before
we go further, let's clarify some terms.
Planned arrangements are the way things are meant
to be by virtue of customer requirements & expectations, regulatory
conditions, best practice, continual improvement, the appropriate science
etc. In other words they are desired sets of conditions and can include:
• processes, procedures and instructions
• approved codes of practice
• organisational structure
• plans, schematics and drawings
• licensing conditions (e.g. consents) and other regulatory requirements
• conditions in a contract with a customer
• numerical values or acceptance criteria, e.g. emission limits, exposure
limits, purity specifications of product etc.
• staff deployment and job descriptions
• project descriptions, management programmes or quality plans
• training syllabus and training plans
• permits (for hot work, confined spaces etc.)
Adequacy in this sense means
the capability of these planned arrangements, as presented to
an auditor, to achieve what is meant to be achieved. Basically,
the auditor checks that they are meaningful. It is one thing to scrupulously
follow (or adhere to) the planned arrangements but are they 'good'?
Obviously, in some cases the auditor has to assume adequacy. These are
the conditions specified by the interested parties of the organisation
and include the written contracts with customers, the written regulatory
licence conditions, approved codes of practice etc. In other words the
adequacy is given 'off the shelf' and should be taken as read.
In all other cases the auditor makes a judgement regarding acceptable
or best practice and this is where the auditor's capability is tested.
The auditor, in the systematic evaluation, is considering whether the
planned arrangements can achieve what they are meant to achieve and is
often guided by risk identification. For example, s/he may ask:
• Will this training regime or syllabus enable people to fully understand
the hazards of this substance and the risk presented when they are working
with it?
• Does this type of packaging of engineering parts, as specified in the
organisation's procedure, meet with customer expectations even though a
type of packaging was not specified in the contract?
• Although the frequency of effluent monitoring was not actually specified
in the discharge consent, will once per month be sufficient to assess the
effectiveness of the treatment plant with a view to preventing or minimising
polluting discharges to a controlled water?
A special mention is required here for assessing adequacy
of planned arrangements for improvement objectives and targets in QESH
management systems. This will be covered later but suffice it to say at
this stage that the auditor will not be satisfied with wish lists - s/he
looks for reality and achievement.
Adherence (or compliance) within this context quite simply
means the extent to which the planned arrangements, as described, are
being followed.
So that is what is required for audit - make your planned arrangements
good and make sure they are demonstrably being followed. Simple isn't
it? Or is it? The difficulty of course is doing all of this without creating
a monstrous bureaucracy, which is where we started. In other words - strike
the balance between minimising the paper burden and making the MS auditable
i.e. making the planned arrangements capable of being systematically evaluated
for adequacy and adherence (or compliance).
Let's start with the so-called manual. Of the three specifications concerned
only ISO 9001 actually uses the term 'manual'. However in all cases there
is a requirement for what amounts to the same thing. For this reason rather
than getting into terminology it is better to decide what is actually
required, which is to enable an interested party to see at a glance what
the MS is. This is a combination of (1) an overall description of the
scope or extent of the MS, (2) a presentation of the core elements of
the system and their interactions and (3) references to relevant planned
arrangements. This latter part can be regarded merely as a map or sign-poster,
which presents a linkage between the clauses of the specifications/standards
and the planned arrangements with which the organisation
deems it is addressing those clauses. There is no need to re-iterate the
clauses of the specifications. Even for the most complex organisations
and management systems, the above requirements can be met with a mere
few pages. Brevity is the key.
In order to consider planned arrangements with regard to bureaucracy and
burden it is important to recognise the two groups of interested parties
involved - these are the users of the planned arrangements (i.e. the workforce
of the organisation) and the auditors (i.e. third-party auditors, possibly
customers, internal auditors etc). The users within the organisation are
selected, developed and trained on the basis of them being competent to
work according to the described planned arrangements and therefore the
need for written word may not be great. This can be expressed by Fig 1.
Common sense says that as competence of personnel performing
a role increases so the need for written instruction decreases. In these
situations where there is little written word, the adequacy of planned
arrangements will all rest on the capability of the people performing
the work. This is a generalisation and there are of course situations
where written word will always be needed for example where numerical data
is concerned or where there may be frequent change. Also, the MS specifications
make documented procedures obligatory in certain instances, and documentation
is needed wherever its absence would create risk - the latter demand is obvious.
So outside of these obligatory and particularly demanding risk situations
the organisation can exercise discretion. This makes sense - the organisation
has deployed personnel on the basis of their capability to handle the
roles without the necessity of their constantly referring to written procedures.
So what about the other group of interested parties - those who audit
the MS? A certification body should deploy a third party management system
auditor (3PMSA) or audit personnel on the basis of matching up their capability
with that required for the particular contract in question. This will
embrace many issues of adequacy such as awareness of health, safety, environmental
and quality based legislation, best practice, specific knowledge of the
industry sector and its current acceptable and best practice etc. So if
this exercise were carried out well the 3PMSA, like the capable employees
of the organisation, would have less need of documented procedures or
written word, provided that s/he has been given some basic account of the
way activities should be performed. It should be pointed out, though, that
auditing in this way with a minimal amount of written word presents risks
(to the audit outcome) and could take longer: the account given to the
auditor by a particular employee should represent the way in which other
employees operate, and it may be necessary to sample several employees
to establish a degree of consistency of operation, if consistency were
an important issue.
It is probably different for the cases of internal auditors and customer
auditors. Why is this so? Internal auditors are usually selected for their
independence and capability as auditors alone. Very often they are not
expected to be competent to give a judgement of what is adequate for a
department or activity they are not familiar with. In these circumstances
the inexperienced would rely on the entire adequacy being presented to
them in the form of the written stipulations or procedures. As such they
would operate only as adherence (or compliance) auditors. If the internal
auditors had earlier worked in these situations or departments then so
much the better - they are able to have an opinion on adequacy within
their findings but this may not be the norm. Similar considerations may
need to be made for clients or customers who audit your organisation.
They may not regard themselves as experts in your business area and may
expect you to have written procedures that embrace adequacy. Even so,
some imagination may be exercised in producing descriptions of planned
arrangements. Photographs, schematics, flow diagrams and other more graphical
representations may be better than a thousand words.
That's enough about adequate planned arrangements and their descriptions,
how about checking adherence to them? Record keeping is a common method
of showing adherence and probably the greatest source of burden in management
systems maintenance. The MS specifications make production of records
obligatory in certain situations in order to show compliance with planned
arrangements. Unfortunately this represents a failure to recognise that
other auditable devices exist. Looking on the bright side - wherever record
keeping is not stipulated there are many better ways in which an auditor
can check compliance and these are all based on outcomes. For example:
• Interviewing people in order to check 'absorption' of the content of a
course is better than viewing a record to show attendance. The 3PMSA should
have been chosen on the basis of competence to evaluate such things.
• Observing the general appearance of a location is a better device than
an inspection record to show an intention to maintain an acceptable state
of housekeeping.
• Witnessing the delivery of bulk hazardous material during the audit may
be better than the existence of a document with a series of ticks in boxes.
All of the main MS specifications have stipulations
to set and work toward achieving objectives and targets. An objective
in this sense is taken to mean an improvement objective - aiming for an
improved state. Examples are 'reduction of number of late deliveries by
10% based on previous year' or 'achieve 100% compliance with our trade
effluent discharge consent during current calendar year' or 'phase out
the use of hazardous substance X by year end'. A 3PMSA at least will want
to see some reality and commitment here given that certification is generally
now granted on the basis of capability to continually improve. Once again
s/he will be looking at the adequacy of and adherence to planned arrangements.
The adequacy is best expressed in the form of the 4W's:
What the objective is - a clear comprehensible statement.
Who has the responsibilities at various stages - people, departments,
units etc.
When each stage is due for completion - the timeframes.
How the objective or its various stages will be achieved - as seen
at the time of writing.
A 3PMSA does a reality check. S/he will look at the plan and timeframe
for the objective and interview relevant personnel in order to assess
the intentions. As part of this the 3PMSA considers measurability and
this is where adherence comes in. Are the objective and its associated
targets being met according to its measurable parameters? Records do have
their place in showing the reality and progress but the MS specifications
are not explicit regarding the keeping of records for this purpose. This
is no bad thing because other tangible options or outcomes alongside of
records may be available to show progress or the lack of it. Actually
looking at outcomes (tangible and intangible) or witnessing activities,
whichever is appropriate, is the surest way. For example:
• An objective such as the installation of a new or improved piece of
environmental abatement technology can be reality checked in the early
stages by looking at the purchase order and at later stages by looking at
the installed equipment.
• The claimed improvement in customer satisfaction may be ascertained by
the auditor actually doing a short telephone sampling of customer opinion -
this may be reliable for auditors though unpalatable for some organisations.
• The intended phase out of use of a hazardous substance by a more benign
substitute may be reality checked in initial stages by looking at trial
results with substitutes and the on-site presence of samples of these
substitutes.
A management system need not be burdensome. A company
working adequately - meaning according to best practice, employee safety,
legal requirements, customer needs and so on - will have won more than half
of the battle in meeting the demands of the standards. The task thereafter
is to demonstrate this (with minimum bureaucracy) for an audit using clear
planned arrangements and evidence of compliance. The third-party management
system auditor (3PMSA) should be capable of testing adequacy and adherence
without the need for production of copious paperwork. Internal auditors
and other parties may need more assistance in this respect. However through
good selection and some coaching and experience the internal auditor could
in time audit a management system with similar minimalist needs to those
of a 3PMSA.
David Powley is a Principal Lead Integrated Management
Systems Auditor for DNV Certification Ltd. He is a Chartered Chemist
and Member of the Royal Society of Chemistry, Member of the Institution
of Occupational Safety and Health, a Principal Environmental Auditor
with the Institute of Environmental Management & Assessment, a
registered Lead Auditor with the International Register for Certificated
Auditors scheme for quality management systems and Lead Verifier for
EMAS. David has produced many published articles on management systems
for quality, environment and health & safety and their integration,
being regarded as a pioneer on the subject of integration. He is currently
finalising an experienced-based book on the subject of integrated
management systems. David can be contacted on dave.powley@dnv.com