Why Certification or Regulatory Auditors should not use a checklist


We know that when we do an audit, we use a checklist to help us remember what to ask and what to look for – and it normally has a place for us to write down what we’ve seen (the evidence). There is normally a column that allows us to mark some form of symbol to show the finding: C for conformance, NC for nonconformance, O for observation, or something similar.

And what is wrong with that, you might ask? Well, it can drive bad processes, bad procedures and ultimately bad management systems, and it’s not good for your business.

You see, certification auditors and regulatory auditors audit against a standard, either a national one such as an Australian standard or an international one such as ISO. These standards include requirements and are often written in a very generic, ‘catch all’ sort of way, so that they cover all industry types and all sizes of business. They are not written in a way that suits an individual business – they are written so as to group requirements together in a way that is logical.


For example, there may be a section on purchasing which details what requirements an organisation needs to meet when it buys something: what criteria suppliers need to meet, the inspections and checks that are required, the documentation and records needed. Some businesses, however, have a central purchasing function where all the purchasing is done by one group, whereas other businesses may have their purchasing decentralised, therefore people across a range of departments or functions may be buying things.

If the auditing body develops a checklist around the standard that they are auditing against, the logical way to write this is the same way that the standard is written – to follow the requirements of the standard. So in this instance, all the purchasing requirements would be in one section, grouped together. Make sense? Of course it does.

We are now going to flip from the organisation that writes the criteria or checks against them, to the business that is being checked – the one that has to comply with the requirements. We are now looking at this from the point of view of the auditee rather than the auditor.

To be efficient and effective, a business needs to operate in a way that suits itself: its method of operation, its people, and its strategic direction. The business may operate at one site or it may have many locations, with some locations permanent (like the branches of a bank) and some locations temporary (like a construction project).

The structure of businesses also varies: some have a flat management structure, some a hierarchical one, and some a matrix structure. And then there are family businesses, listed companies, corporations, government departments, and multinationals. Some have fewer than 10 employees, some have thousands.

Now back to the auditor and the job they have to do – which is to audit and follow and complete the checklist. Using a checklist is a bit like reading a book… the auditor starts at the beginning and works through each question until the end, then stops.

You can see where I’m heading here…

Because the auditor is reviewing the business against a checklist that does not align with the business, something has to give. And what gives is often the business’s management system because it’s the auditor who has the power; and over time the business’s management system starts to look a lot more like the checklist than it looks like the business. In some extreme cases there are businesses that have “more than one management system”, each one written to suit a particular auditor, standard or regulation.

Another issue that drives the wrong behaviour is the report template. If the report template is again laid out in the same format as the audit criteria, this is something else that is “suggesting” the business management system (BMS) is best when it fits nicely with audit criteria. So when the audit criteria, the BMS and the audit report all align, everyone is happy and the certificate is issued. What could be simpler?

So what is the answer? 

As we can see, having a detailed checklist which is in the same format as the criteria, then writing a report which follows and remains in the same format as the checklist, is all very good and efficient for the auditor, but it is not very good for the business because it is not how the business operates.

I like to think there is a better way. When I audit, I use a prompt sheet. A prompt sheet is different to a checklist – it is not as detailed and it doesn’t have a place to record information. The recording of information is done on a blank notepad so that you, as the auditor, have the flexibility to ask the same question multiple times, and record all the different answers. If you audit at multiple locations you can use the prompt sheet over and over again, whilst still recording your evidence in the notebook against each of the locations.

And as for the audit report, you are primarily writing it for the business that you are auditing, not for yourself; write the report around the business’s processes, their locations, and their functions – not around your own requirements. 

In summary

If you are a certification or regulatory auditor, please don’t audit in such a way that encourages the organisation or business that you are auditing to end up with a management system that suits your needs, but doesn’t suit theirs.



Note: This article was originally posted on Exemplar Global’s The Auditor Online.

