Audit Checklists: A help or hindrance?
When carrying out management system internal audits for health & safety, environmental, and quality some organisations use standard audit checklists, but do these checklists add value to the audit process or dumb it down?
Developing a personal audit checklist is a vital part of planning for each audit that I focus on during audit training courses. The process of reviewing the audit criteria such as relevant legislation, company procedures, and standards (eg: ISO 14001, ISO 9001, OHSAS 18001) enables the auditor to make sense of the requirements, structure them into a series of logical questions, avoid repetition during the audit, and arrive well prepared. I stress that these checklists should not just be a list of questions to ask, but also physical evidence to look for, and documents to review, thus incorporating the full range of audit evidence. In its simplest form an audit checklist could be the relevant company process or procedure annotated or highlighted by the auditor, to use as an aid memoir during the audit.
Trainee auditors value this discipline of developing a checklist, but as systems mature standard audit checklists may develop either informally or formally. I have observed internal auditors swapping checklists from previous audits in order to save each other time. Auditors should always review of the previous audit of that area as part of their audit, and because audit reports normally list the questions asked, this is another way that internal auditors can obtain a pre-prepared checklist. Take this a step further and the organisation or audit manager may decide to standardise the audit checklist and request or require that the standard checklists are used. Formalised checklists sometimes have an extra column added entitled ‘guidance’ that gives the auditor specific information on what to check, the minimum standard required, and even the amount of sampling to carry out. At the extreme end of this standardisation spectrum a scoring system may be added to the checklist, so that each audit can be numerically ranked, forcing the auditor to boil down the report findings into a single number.
So far we have seen that formulation of audit checklists has a value when planning and carrying out an audit, pre-prepared checklists save auditors time, and some organisations value the standardised approach that checklists bring to the audit process. However there are four main issues we should be aware of when using standard audit checklists to avoid dumbing down.
Firstly a key attribute of auditors defined in ISO 19011 is to be ‘observant’, and like any other skill, observational ability has to be practiced. It is impossible to predict when developing a standard audit checklist every potential scenario or audit trail that may arise, so we have to, and should, rely on the observational skills and spontaneity of each auditor. Auditors should expect the unexpected, and therefore be able and willing to tailor the audit on-the-hoof. For example when planning audits I am sometimes told by the auditee that it will be a bad time to carry out the audit because the process will be shut-down, there is a rush job on, or there are adverse weather conditions. I argue that this is a good time to visit because it will test if HSEQ risks are controlled in ‘abnormal’ as well as ‘normal’ circumstances. Therefore I recommend that if audit checklists are used there is a large section at the end encouraging the auditor to include any location or temporal specific findings.
Secondly an advantage of using teams of internal auditors is that each individual has strengths in different areas and over time different auditors will audit each topic. Some may focus more on the practical elements, and others on the record keeping. In this respect an audit checklist will improve consistency, but we should ensure that is not at the cost of diversity and personal intuition.
Thirdly is the issue of using standard checklists to score an audit or compare audits. I would argue that scoring has little or no place in a management system audit which should focus on ‘health of the system’ issues such as the sequence and interaction of the processes, leadership, risk planning and control, provision of resources, and improvement. Management system audits findings can be complex in nature and uncover process inefficiencies. Recommendations may involve allocation of responsibilities, measuring different metrics, or improving review processes. It is impossible to boil such findings down to a single number, or a pass / fail. A desire to do so reveals a misunderstanding of what a management system auditing is, and the added-value it can deliver to an organisation. However scoring systems do have a value in inspections such as skip inspections, site inspections, or PPE inspections especially where a large number of identical inspections are being carried out. The resulting score allows management to rapidly identify poorly performing sites or area of the business. My ongoing mission to elucidate the difference between audits and inspections may the topic of another blog!
Lastly organisations change, legislation changes, and the level of risk changes. If audit checklists are a formal part of the audit process then they will need to be reviewed and updated each time other areas of the management system change or they will become out of date. Therefore standard audit checklist should be subject to version control like any other controlled document in the management system.
This article is by Marek Bidwell of Bidwell Management Systems who provides a comprehensive ‘Internal Audit Service’ including on-site audit training for your audit teams, ongoing mentoring, and a full contracted out internal audit service, covering ISO 14001, ISO 9001, and OHSAS 18001 standards.
Email: firstname.lastname@example.org organisations use standard audit checklists, but do these checklists add value to the audit process or dumb it down?