System audits and the process of auditing
System audits are one of the key management tools for achieving the objectives set out in the policy of the organization. A system audit is a disciplined approach to evaluating and improving the effectiveness of a system. Audits are carried out in order to verify that the individual elements within the system are effective and suitable for achieving the stated objectives. The system audit also provides objective evidence concerning the need for the reduction, elimination and, most importantly, prevention of nonconformities. The results of these audits can be used by management for improving the performance of the organization. System audits are carried out by trained auditors, who can be the organization’s own staff, staff of an external auditing agency, or independent professional auditors. They are carried out by looking for objective evidence.
System audit is defined as “A systematic and independent examination to determine whether activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives.”
System audit is also defined as “A systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.”
System audits are usually carried out for the following objectives.
- To evaluate the organization’s system against a system standard
- To determine the conformity or nonconformity of the system elements with the specified requirements
- To determine the effectiveness of the implemented system in meeting the specified objectives
- To offer an opportunity for improvement in the system
- To meet statutory and regulatory requirements
In the latest approach to system audits, the auditors are expected to go beyond mere auditing for compliance by focusing on risk, status, and importance. This means they are expected to make more judgments on what is effective, rather than merely adhering to what is formally prescribed.
Terms used in a system audit
- Audit – A planned and documented audit performed in accordance with the manual, procedures, records and other documents such as checklists, for the intended purpose of verifying applicable elements of a system standard and its implementation.
- Audit Plan – Typically an audit report based on the applicable audit requirements in system standard for the activity/area being audited and the audit report summary, with additional questions/issues that are to be verified included in or attached to these documents as needed to ensure objectivity and impartiality. May also be a marked up copy of the procedure/process documentation, identifying evidence to be collected to verify conformance.
- Auditor – A qualified and trained individual who is authorized to perform specific audit functions under the direction of a lead auditor.
- Audit coordinator – Person with responsibility/authority for scheduling audits, selecting auditors (ensuring objectivity and impartiality), and ensuring issues raised are effectively addressed.
- Effectiveness – The evidence, including the relationship with inputs and outputs for the process, shows the process is working, driving performance, and supporting the organization’s policy, objectives, and compliance with requirements (laws, regulations, etc.).
- Finding – An issue needing resolution. It could be an actual problem (something requiring corrective action), a potential problem (something requiring preventive action), or any other opportunity for improvement (including those making us better and/or helping us be more fiscally responsible). These “problems” are also known as non-conformances with any element of the management system. All non-conformances must be formally resolved to assure effective correction of the observed condition and the adoption of system improvements or preventive measures to reduce or preclude the likelihood of recurrence. Types of findings are: (i) Major – The evidence shows the problem to be systemic (very big or bad) and/or requirements from the applicable standard are not addressed or adhered to. (ii) Minor – The evidence shows a problem, in need of attention, but not one where the system is broken down (simply needs a little touch-up) and/or a requirement or two from the applicable standard are not completely addressed or adhered to. (iii) Comment, opportunity for improvement, or observation – May be a praise or may be pointing out things that could use a little work (correction, preventive action, or opportunities for improvement). When all is said and done, the decision whether something is a major or minor is in the lead auditor’s hands. The tendency is to use “the benefit of doubt” (things start as a minor and escalate as supported by evidence) as the rule of thumb.
- Internal auditor – A qualified and trained individual of the organization who performs systems audits to report non-conformances and observations, and to evaluate the adequacy of corrective and preventive actions, reporting audit findings to the organization management.
- Lead auditor – A qualified, trained and certified individual who is authorized to plan, organize, and direct the system audit of an organization, to report non-conformances and observations, and to evaluate the adequacy of corrective and preventive actions.
- Noncompliance – Evidence indicates the organization is not complying with a regulation, rule, or requirement where compliance is mandatory (i.e., law, corporate policy, etc.).
- Nonconformance – Evidence indicates the actions by those fulfilling a process and the information in supporting documentation do not conform to one another and/or requirements outlined in the system standard.
- Objectivity and impartiality – An expectation of both auditors and the process they employ. To be objective and impartial means to let the evidence speak for itself. Auditors and the audit process need to be free of bias and in pursuit of the truth with evidence to support conformance with the processes or activities being audited.
Types of audits
There are several types of audits as described below.
- Adequacy audit – This is the audit exercise which determines the extent to which the documented system, represented by the manual, the associated procedures, work instructions and record forms adequately meets the requirements of the system standard and if it provides objective evidence that the system is correctly designed in this respect.
- Compliance audit – This is the audit which determines the extent to which the documented system is implemented and observed within the organization.
- External audit – This is an audit carried out by the organization with which there is a contract to purchase goods or services, or an intention to enter into one. It can be an adequacy audit, a compliance audit, or both. It is also known as a second party audit.
- Extrinsic audit – This is an external audit carried out by an independent accredited third party using a standard to provide assurance on the effectiveness of the systems. This audit can also be an adequacy audit, a compliance audit, or both. It is also known as a third party audit.
- Internal audit – This is an audit which is carried out by an organization from its own internal sources for its systems, for the purpose of providing assurance to the management that the systems are functioning properly and are effectively achieving the planned objectives. These audits are carried out by staff of the organization who are not directly involved in the system. Sometimes organizations take the help of external agencies for carrying out the internal audit. It is also known as a first party audit.
- Process or product audit – It is a vertical audit which looks into the complete system that goes into the production of a specific end product or service.
Process of Auditing
The process of auditing can be divided into the following stages.
- Audit initiation – It defines the scope and the frequency of the audit. The scope of the audit is determined by the needs of the organization, and a decision is made with respect to the system elements, such as activities, departments and locations, which are to be audited within a time frame. This is usually done along with the lead auditor. The frequency of the audit is determined after considering specified or regulatory requirements and any other pertinent factors. Both internal and external audits are to be part of the audit schedule. Usually the frequency of internal audits is much higher than that of external audits, since internal audits provide input to the management not only about the normal functioning of the system but also for decision making.
- Audit preparation – As a basis for planning the audit, the auditor is to review the manual and the auditing procedure of the system, and any inadequacy should be resolved first. After this, an audit plan/programme is to be made along with the auditee. This programme is to be approved and, after approval, communicated to the auditors and the auditees. This plan should include the following:
  - The objective and scope of the audit, along with the activities to be audited.
  - The persons who are directly responsible for the audited activities and the audit scope are to be identified.
  - Reference documents on which the audit will be conducted, such as the system standard and system manual, are to be identified.
  - The team members for the audit are to be finalized.
  - The date, time and place of the audit are to be finalized.
  - The units of the organization are to be finalized.
  - The expected time and duration of each audit activity are to be decided.
  - The schedule of meetings with the management needs to be finalized.
  - The audit is to fulfil any confidentiality requirements that exist in the system.
  - The language of the audit is to be decided.
  - The distribution of the audit report is to be finalized.
All the documents needed for the audit are to be made available to the auditors to facilitate auditing. The auditors should also prepare a checklist to assist them in conducting the audit. A further audit is sometimes necessary to check the corrective actions taken on a nonconformity report (NCR).
- Audit execution – A structured audit has the following four execution steps.
  - An opening meeting – It is chaired by the lead auditor, who introduces the team members to the auditees, confirms the arrangements made for the audit, briefs the auditees about the audit details, explains to the auditees the difference between major and minor NCRs, ensures that guides are available during the auditing, and explains the timings for the daily liaison meetings and the closing meeting. The opening meeting should include the senior management and all the persons involved in the audit.
  - The examination and evaluation of the system – The audit is to cover the entire scope and should run to the plan. During the audit, clear and precise NCRs are to be raised based on sound objective evidence. Regular liaison meetings are to be held.
  - A closing meeting – Like the opening meeting, this meeting is also chaired by the lead auditor. It is held at the end of the audit. In preparation for this meeting, the auditors explain their findings from the audit to the team members, the findings are reviewed, and the actions to be taken on them are decided. During the closing meeting, the lead auditor summarizes the audit scope and presents the findings of the audit. The NCRs noticed during the audit are explained by the team members and handed over to the auditees. The team leader gives an overall summary of the findings and the conclusions, including the actions recommended.
  - The audit report – This report is handed over during the closing meeting.
- Audit report – The lead auditor is responsible for preparing the audit report. The audit report should faithfully reflect the tone and the conduct of the audit. It is also to be signed and dated by the lead auditor. The audit report contains only factual statements of discrepancies supported by objective evidence. The audit report has the following items, if applicable.
  - The scope and the objective of the audit
  - Details of the audit plan
  - The standard and any other document against which the audit was conducted
  - Observations of nonconformity reports
  - The audit team’s judgment of the extent of compliance with the applicable standard and other document
  - The ability of the system to achieve the objectives
  - The distribution list for the audit report
Any communication made between the closing meeting and the issue of the report should be made by the lead auditor in the report. The system audit work flow is shown in Fig 1.
Fig 1 Work flow of a system audit