What happens to your standard when the auditor goes to work?

So, you are now finished with your standard and all the rules that an audit firm (let's call it a CAB - a Conformity Assessment Body) has to follow.

Before you press send and go live with your new system, maybe it is time to sit back and think through how all of your work will be used in the field. Your system will work best if it fits the needs of the users, the client, CAB, Accreditation Body (AB), stakeholders and anyone else that needs to use your system.

Today, let's consider what happens to your system of requirements when they are used by a CAB. In brief, your system is dis-assembled and re-assembled into a new set of procedures, forms, checklists and requirements that fit the way the CAB is organized... 

  • All the requirements that apply to the CAB, including process and timelines are separated from those that apply to the client. The CAB builds the requirements that it must follow in its own internal systems and procedures.

  • All the requirements that apply to the client are put into checklists and other audit tools that are used to audit clients.

  • The CAB's auditors are then trained to use these checklists and audit tools when auditing a client.

It is important to realize that auditors are not walking into an audit carrying copies of your standard, audit rules or other scheme documents, they are carrying materials that the CAB has developed based on your system requirements that are merged with the CAB’s own procedures. Their goal is to ensure that the audit can be carried out in the most efficient and effective manner possible, at least from their perspective.

CABs conducts audits following a standardized template. Most CABs will use ISO 19011 as the basic template and will add a few tweaks to make it their own. ISO 19011 lays out how an auditor conducts an audit. It includes such wonders as the outline for an opening and a closing meeting and other such innovations. The steps in ISO 19011 mean that the auditor is not just using your standard to evaluate the client, they have a number of steps that they should follow. These steps are necessary to ensure that the auditor does a thorough job and that client knows what is going on and what they have to do.

Before a CAB is allowed to conduct audits, its system must be fully reviewed to ensure that all of your requirements made it into the CAB’s re-assembled system. This is done by the AB and it is a key role that the AB assumes. Unless you have built your own expertise to do this job, you will need a competent AB to fully review the CAB’s system.

If this sounds complicated and a little confusing, it is because it is.

Your standard, scheme requirements, rules for auditors and such are most effective when your system is designed to be taken apart and put back together. It needs to be designed so that an AB can fully check the CABs incorporation of your system into theirs. It needs to take into account how auditors work in the field.

It also needs to take into account time…

The time that an auditor has on site with the client - so as you review your system keep in mind some key questions:

  • How many hours does an auditor have per day to ask questions?

  • How many questions can an auditor ask (and get answered) in an hour?

  • Does the auditor have to travel from one site to another and how much time does that take?

  • Auditors need to eat lunch, so allow time for that.

  • Remember that the auditor has to include an opening and closing meeting with the client to explain what will happen in the audit and what the audit has found.

The time that it takes for each step in the process:

  • For your system to be fully developed;

  • For the CAB to incorporate your system into its own;

  • For the AB to assess the CAB and make sure that your system is fully incorporated; and

  • For the CAB to plan, execute and take a decision on any single client.

What happens during an audit is often as important (if not more important) than the specifics of what is being audited. I do not mean to suggest that what is in the standard is not important, but how the audit is conducted should be considered when your standard, requirements and other rules are developed.