In this video we’re going to explain what kind of evidence an external auditor needs to see when they come to your site. I've also provided my top three tips on things you can do prior to the audit in order to ensure it will be managed efficiently right the way through.
Enjoy!
Why do I need to be audited?
When an auditor comes to your site, their role is to audit your organisation against the different requirements in the standard. If they're conducting a stage 2 certification audit, they’ll audit you against each and every requirement in the particular standard that you are seeking certification to.
They are going to audit you against the standard, but also related processes and procedures that are part of your management system.
In order for the auditor to determine conformance against the requirement of the standard, they need to seek out objective evidence, reproducible, factual evidence. They can't just produce hearsay and anecdotes.
Sampling Approach to Auditing:
One thing to bear in mind when an external auditor comes to site, is that they are often taking a sampling approach.
A concrete example of this can be seen through safety inductions with a large number of employees on site. If your safety induction is aiming to make 120 people on site aware of your safety system, the auditor generally won't have time to look at each and every record, or interview every staff member who’s been through the induction.
Instead, they’ll tend to take a sample - a sub-set of those records and interviews from those staff who attended.
Types of Objective Evidence:
There are three key sources of objective evidence that auditors will be looking for, which are interviews, observations and records. We’ll talk about how you can approach this from your organisation’s perspective
Interview:
Auditors need to interview people involved in the particular work activity that might form part of the audit. Put simply, this means that they're going to ask a series of questions, whether they be open or closed questions.
I have written a detailed blog on the types of questions to ask in an audit, which you can check out here. In this blog, I have provided examples of different types of questions, including:
Open questions
Closed questions
Challenging questions
Summarizing/Reflective questions
Simple questions
In this kind of situation, auditors will be talking to people who have a lot of expertise in the process, so it’s important that your employees can really tell them anything they need to know about the process.
Observations:
The next way that auditors can gather evidence is by making observations. They may seek to observe certain work practices in place, and you can simply direct them out to where they need to go, whether its part of the production department or another team where they can go and observe that activity happening.
Records:
If you think about the requirements of the standard or in your management system, records aren’t required for absolutely everything, but where they are required, auditors will tend to ask for a sample of available records, as per our safety induction example.
From an auditor’s perspective, records are a key source of objective evidence, because they are reproducible and they are clearly factual, as well as records give auditors an insight into the history. They can observe today, they can interview people to try and determine some awareness, but it’s very hard to observe what happened last week or a month ago things like that.
Quality procedures is a good example of this - if you say you’re doing incoming inspections on raw materials an auditor can observe that happening in the present and interview people to get some insight. But if that’s a really critical control measure, they’ll need to see some records to see that’s happening consistently over time.
RECOMMENDATIONS:
We mentioned at the start of this blog that we would outline a couple of key recommendations that you can do prior to the audit taking place or to ensure that the audit is managed.
1. Do a Full Internal Audit of your Management System Prior to the Audit
Whether your management system is for food safety, environmental management or information security, we highly recommend that you do a full audit of the system both against the standard and against your own procedures.
The standard will say that you need to do this full audit anyway, but from an organisational perspective, use it as a tool to identify any gaps you might have, then turn that into an action plan. You can take all of those issues, raise them in your improvement or corrective action system and start taking out action on them prior to the external audit.
2. Understand Recurrent Events in your System Prior to the Audit
You need to focus on and understand anywhere in your procedures or processes where you've made certain commitments to do things on a recurrent basis.
As an example, you may have said you're going to calibrate your water quality probes once a quarter or you're going to do monthly on-site inspections. Whatever the case, you need to understand these recurrent events because in your audit, you just want to do a double check that they are actually being routinely completed.
As soon as an auditor sees a procedure and thinks "ah, these guys are saying they’re going calibrate the water quality probes 4 times a year", then they will expect to see records, and they will be looking, has it actually occurred 4 times a year?
3. Have a Main Contact Person within your Organisation
When the audit body first contacts you, ask to internally have a main contact person within your organisation. Whether you’re the assistant manager or the compliance manager, it doesn’t matter, but ensure that there is a main contact person.
This point of contact can then guide the auditor - giving them an overview at the start of the high level system, then point them to where the evidence they’ll need to see actually is within your system.
This person can also be used to mitigate any terminology issues that may arise - for example if the standard is calling something corrective action and we’ve called it improvement, just take that time, 15 minutes at the start to outline this.
A second critical point for having a contact person, is to say to the auditor, "if there’s any potential non-conformances can you come and talk to me before you debrief or before you finalize that finding". It is not uncommon, that the auditors worked with a particular team, production or operations, they suspect there’s a non-conformance but that evidence actually does exist elsewhere.
By establishing that protocol, that the auditor comes and speaks to the main contact person, where they suspect there’s a potential non-conformance, we can then direct them to where that evidence is held, perhaps over with the HR manager elsewhere.
We really hope you’re enjoying this video series. If you are, time to subscribe, we’ve got a whole range of videos that’ll help you through your journey to certification.
Comments