The audit process for ISO 19011
Stage 1: Initiate the audit
Before doing anything else, a team leader needs to be appointed to own and run the audit process. With the team leader chosen, the audit team needs to reach out to the client to understand the context of the auditee. At a minimum the following needs to be established:
- The objective: Why is the audit being done?
- The scope: What are the boundaries of the audit? (e.g. are only specific locations or specific activities being audited?)
- The criteria: What requirements are the team auditing against?
Before starting the audit get confirmation in writing that the above has been approved by upper management.
(This is going to be a theme, but) it’s also important to set the expectation now that there is a level of uncertainty in the result of an audit and in whether what the audit finds is a true reflection of the organisation. Remember that an audit takes place over a limited amount of time and is carried out by a limited number of people. If an organisation wants 100% certainty that everything is correct, then they need to audit 100% of their system, which is practically impossible. It might be worth discussing what level of certainty they require. It’s fairly safe to say that sampling 10% can yield 90% certainty. As an example of how you would apply this: if you need to audit entries in a log book and you audit the first entry of every 10 and they are all correct, you could say you have a 90% degree of certainty that the rest of the entries are also correct.
Stage 2: Document review
Before even planning your audit start with reviewing documentation. This can include:
- Policies
- Manuals
- Procedures
- Previous audit reports
Compare their documentation against the audit criteria and use this as an opportunity to identify gaps early on. Have open conversations about the gaps that you see; you might need to push timelines back as a result to allow the auditee to better prepare.
Pro-tip: Look for a grievance process during document review to give out to people who try to air their miscellaneous grievances with you during the audit.
Stage 3: Plan for the audit
Assign work to each of the members in an audit team. Each team member should prepare their own work documents (e.g. checklists, forms) for the tasks assigned to them.
It needs to be clear from the start which parties are responsible for what (e.g. will PPE be provided or is it BYO?).
Have a timetable for the audit. Ensure that your timetable includes lunch for the audit team and wiggle room in case tasks run longer than expected. The audit team may need to adjust their workday to match the auditee’s.
Focus audit tasks to the right people within an organisation:
- Top management should know strategy and objectives (they might have dated knowledge on processes).
- Middle management/process owners should know processes best.
- Workers are the best people to speak to when delving into a specific part of a process (avoid looking into their performance).
Stages 4-7: Conduct the audit
Stage 4: Conduct an opening meeting
Start the audit with an opening meeting. Ensure that you touch on the following:
- Thanks: For having us.
- Audit parameters: Objectives, scope and criteria.
- Audit risks: Anything OH&S-specific to the organisation, and the uncertainty level of audit sampling.
- Confirmations: Audit plan, timetable, that you will strive for minimal interference, any interim meetings, requirements, date and time of closing meeting.
- Communication: How you will communicate and in what language, that notes will be taken and they are confidential.
- Reporting: The methods (verbal at the time, verbal in closing meeting, formal written report), grading process (major, minor, observation).
- Appeals & Termination: Appeals process and conditions of an audit termination.
This meeting should include the following participants:
- The audit team.
- The main auditee contact who is acting as the sponsor for the audit.
- Key stakeholders from the auditee’s organisation, such as managers or department heads relevant to the audit scope.
Stage 5: Gather evidence
Evidence can be records, statements of fact or other relevant information. Be sure to go where the activity happens and where records are generated. If you find a bad example, hunt for more examples to see if it is common or not. Be visible documenting in front of people and ensure you only document the process, not the individual.
When dealing with people align the language you use to the people you are speaking with. Try your best to be “unknowledgeable”:
- Act like you don’t know anything.
- Avoid asking for evidence that they perform process Y for thing X.
- Instead, ask what processes they have around X.
- Let them tell you what they do.
When you have questions for auditees, explanations are generally best from process owners and demonstrations are best from process workers.
Utilise all of the following different question types:
- Open: Get the auditee talking.
- Closed: Direct the auditee and keep on track.
- Probing: Uncover more details.
- Challenging: Question contradictions.
- Reflecting: Test your understanding.
- Summarising: Show you’ve been listening and your notes are correct.
Avoid leading questions.
Listening is very important when gathering evidence. Be an active listener and try to remove distractions during meetings (e.g. get people away from the issues on the floor). Be patient, empathise and summarise your understanding. Explain that you are here to audit a process, not them. Be careful not to take ownership of their problems though, people may try to dump their issues on you.
Pay attention to non-verbal communication. Gestures, eye contact, relative positions and facial expressions are all important too.
Stage 6: Conduct a team meeting
This is where you complete the draft of your report. Findings tend to fall into three categories:
- Major non-conformance: The organisation has no process, or the outcome is not effective for meeting the requirement.
- Minor non-conformance: The organisation does not fully meet, or the outcome is only partly effective for meeting the requirement.
- Observation: While conformant to the criteria, it may benefit from an improvement (aka: Opportunity For Improvement).
Warning: Do not use the phrase non-compliant as that relates to legal matters.
In your team meeting everyone should take it in turns to (in order) bring up:
- Their findings
- Their references
- Their reasoning
The team leader should query the rest of the team to see if they have anything to add. While there should ideally be consensus, the final call comes down to the team leader.
This time should also be used to prepare for the closing meeting.
Other language-based nuances to note:
- Complete = All expected content is contained within a document.
- Correct = The content conforms to reliable sources such as standards.
- Consistent = The content is consistent within itself and with other related documents.
- Current = The content is up to date.
Stage 7: Conduct a closing meeting
End the audit with a closing meeting (with the same participants from the opening meeting) ensuring that you touch on the following:
- Thanks: For a successful audit.
- General summary: Sampling uncertainty, attendance list, findings are prepared and agreed upon.
- Audit outcome: Is the auditee recommended for certification, or do they adequately meet the standard?
- Audit findings: What are the non-conformances and observations, positive comments, areas that were not covered but within scope.
- Reporting process: Explain process, the time frame and distribution requirements.
- Required auditee responses: Timeframes for response to non-conformances, process for minors being upgraded to majors.
- Method of verification: Their action plan and associated evidence for follow-up or next visit.
When disclosing non-conformances during audit findings, the auditor who discovered it should be the one to report it during the meeting. The lead auditor should just back the auditor who is bringing it up.
Stage 8: Audit report
With the audit complete you next need to write the audit report, which should include:
- The objective, scope and criteria of the audit.
- A confidentiality statement and disclaimer about the audit being a sample (see below).
- Reference documentation.
- (if an external audit) Whether recommended for certification or not.
- An accurate overview of what happened using sector specific language.
- Dates and places of audit, and auditee representatives.
- Areas not covered but within audit scope.
- Details of findings (both non-conformances and observations) and references.
The audit report should not include any surprises. Unless some appeal was made, the audit report should just be formal documentation of what was outlined in the closing meeting.
It is important to include a disclaimer about the audit being a sample of the auditee’s operations. The following is an example:
“The audit evidence is based on samples of the available information. Therefore, there is an element of uncertainty in auditing, and those acting upon the audit conclusions should be aware of this uncertainty.”
Stage 9: Close-off the audit
Once all planned audit activities have been carried out, the audit should be considered complete. At this point documented information pertaining to the audit should be retained or disposed of as per the agreement between the participating parties. Unless legally required to, the audit team and managers should not disclose any audit information or reports without explicit approval from the audit client and, if appropriate, the auditee. If disclosure is necessary, inform the audit client and auditee as soon as possible.
Stage 10: Audit follow-up
During the audit non-conformances that require corrective actions may have been identified. These actions are decided upon and undertaken by the auditee within an agreed timeframe. The auditee should keep the audit programme managers and/or the audit team informed of the status of these actions. The completion and effectiveness of these actions should be verified, possibly as part of a subsequent audit. Outcomes should be reported to the audit programme manager and the audit client for management review.