What Makes a Good Audit?
By Dennis AuBuchon
This book presents the audit process from two sides. Understanding the side of an auditor for an organization and understanding the side of those being audited for the auditor helps the process. The book presents and discusses the benefits of auditing for the auditor and those being audited through individual chapters within the book. In addition private industry and government auditing requirements are discussed and compared. Similarities and differences are also presented and discussed.
Authority to Audit/Right to Audit
The authority and the right to audit must be in place for audits to be performed. While this requirement is not as prevalent in internal audits it still must exist. This chapter will discuss the requirements which identify the authority and the right to audit from internal and external perspectives. The first to be discussed will be the internal audits.
Audits performed internally in an organization must have their authority documented in the system procedures and instructions. This documentation must identify the purpose of any audit and any contractual requirements that may be applicable. Many organizations perform internal audits as part of the operating system. The details of how audits are to be accomplished along with the personnel and requirements must also be identified. Audits performed internally must have the authority and right to audit provided in system documents. This kind of traceability is as important internally as it is externally.
External audits are another matter which requires more details in documenting both the right and the authority to audit. External audits are primarily ones conducted at outside suppliers of a prime contractor. There are contractual documents between these organizations which identifies the relationship between the parties. If audits are going to be planned or unplanned at suppliers the right and authority must be documented in contractual documents signed by both parties. Authority must be documented in enough detail to avoid confrontations. The language must be clear without the possibility of interpretations.
The economy as it is today there is much concern about products and/services being offered for sale to consumers. Companies have a right to audit their suppliers by whatever methods are available to them. It can be through their internal receiving operations or an onsite audit. Companies who have suppliers are responsible to the consumer who buys them for both the quality of the product and that it will meet their expectations. Expectations involve meeting the functional requirements as may be included in paperwork or as advertised. It is also a right of a government entity to audit either a prime contractor or their suppliers when they are being produced under government contracts. In either case the contractual language must allow for these types of audits. For a prime contractor who has government contracts for products or services it is important that the audit authority is in place in their prime contract and those of their suppliers. A prime contractor is an organization that has suppliers to perform or supply materials for an end product or service to their customers.
A prime contractor has the ethical and legal right to audit their subcontractors as necessary to validate conformance to the requirements. Ethics is the key here as problems at a subcontractor affects the reputation of a prime. If a subcontractor is performing or not performing certain requirements it reflects upon the prime when problems are encountered by a customer. A prime contractor must protect their reputation by assuring that audits can be performed and that they are good audits with accurate results
Suppliers of prime contractors who allow audits for products/services provided to a prime contractor by the government or any customer of the prime is sometimes overlooked when contracts are granted. Authority to audit between a prime contractor and their suppliers and customers of the prime contractor is necessary to assure conformance to requirements. Companies who produce products or services must be open to audits. Restriction of this activity will cause or should cause a reduction in market share and/or profit for the products/services they produce. Companies today must put customers at ease with the operating methods/principles they have in place. People want to feel comfortable about products they are buying. Those who are open to valid and reliable audits provide a better perception to the public. Allowing audits opens an avenue of feedback and opportunities to improve or correct deficiencies in their operating system. You may ask how this is an aspect of conditions that make a good audit.
The scenario of audit authority is important since a good audit must have the authority to be conducted. Without the authority to perform an audit and this directly affects external audits it restricts opportunities to obtain complete and reliable data directly from the source. Performing receiving inspections are within the responsibility of a company to validate products meet the contractual requirements. This in many cases is limited by the type of product being received. Some products must be examined or audited while they are being produced as some requirements may be hidden after certain processes are generated.
Sometimes the access may involve an assigned representative to monitor operations involving products/services affecting the end item to be delivered. I have seen in the past where there have been representatives of prime contractors who do a great job while others do not. A good audit in this environment must include the incentive to perform the tasks required. They must also have the support of the organization they work for to properly address any issues a representative may identify. This is something that is typical, I believe, in large companies and/or where a variety of subcontractors exist. While there needs to be limits to providing access by customers, customers and prime contractors have a right to know how well the system is operating in reference to their product/service. This access is key in having available information to conduct a proper and reliable audit.
With regards to performing internal audits the language must be clearly identified in the operating system/procedures. It should identify what audits will be performed and how/who will perform them. Audits of a company/organization must be routinely accomplished to determine the efficiency and effectiveness of the management system.
It is important to limit audit responsibilities to those that do not have a direct relationship/responsibility for the function to be audited. This does not mean to say that a department cannot establish their own system to keep their department operating within the requirements. It does however mean that the sole responsibility and official records of audits must be performed by persons outside the department/function being audited. While such positions as the quality department are responsible for the procedures and operation instructions they are not responsible for how the departments conduct the requirements in place.
This kind of authority allows for the establishment of integrity within the audit function of a company. Audits that are performed must be accomplished by persons who have been trained or have the experience to understand the operations being reviewed. To properly review an operation a person must have the capability to understand the function and operation methods being analyzed. Again auditors must have the applicable training to perform the audit responsibilities assigned. While an individual may have knowledge of audit techniques he/she must understand the process or procedure involved.
To summarize the subject authority to audit it must be clearly identified in all contractual and procedural documents that are generated. The proper documentation of authority to audit adds to the criteria for what makes a good audit. The documentation should address all aspects and types of audits as there are as many. Examples are financial, process, quality, procedural to name a few. Prime contractors have a right to validate by any means that they choose to assure products and/or services meet all their requirements. This they must do to validate and prove to their customers they have control of the quality and functionality of the products/services they have for sale. In addition any of the prime contractor’s customers also have a right when necessary to review any subcontractor affecting the product or service for which they have contracted.
An example of this is where prime contractors have are producing products under government contracts. The government has the right to audit the prime contractor and their subcontractors in monitoring the conformance requirements for products under government contracts. Local, state and the federal government has the responsibility to assure what is being purchased meets the conditions in the applicable contracts.