What Are Auditable Requirements
Auditing is both an art and a science, a combination of an auditor’s technical knowledge of a subject and their ability to digest and analyse large amounts of information in a short timeframe, and then make a judgement-based decision of conformance or non-conformance. When auditing though, you have to start with determining 'what is an auditable requirement'.
What Are 'Auditable' Requirements?
Within all organizations, there are literally thousands of obligations that the company has to meet so that they satisfy their various stakeholders. These stakeholders include the government, regulators, customers, workers, shareholders, local communities or even their social obligation to their communities and society as a whole.
From an organizational perspective, each of these obligations is a 'requirement'. These requirements are what the company must fulfil in their day-to-day operations. Often the requirements are embedded within company documentation (policies, procedures, work practices etc.) and are done without conscious thought of having to meet a requirement. But the challenge for auditors is that whilst the activities might be being done, not all requirements are 'auditable'. Essentially, only requirements that have a deliverable are auditable.
Auditors will rarely, if ever, have the luxury of time that would allow them to verify that all requirements within the organization are being fulfilled. Auditors therefore need to consciously audit the requirements that they believe are most important and that, once verified, will meet the scope of the audit.
For an experienced auditor, identifying 'auditable' requirements becomes second nature simply because they are familiar with verifying requirements that, if met, will give greater confidence that lesser requirements are also being met. Experienced auditors will often try to determine what is auditable during the preparatory phase of an audit. This is simply the 'pre-read' section, where the auditor has requested, received, reviewed and analysed the organization's various documents, procedures and requirements.
Unfortunately, inexperienced auditors will often struggle to identify auditable requirements because they don't know what's important and what's not during this preparatory stage. Inexperienced auditors should continually try to improve their understanding of the businesses and industries that they are auditing. Understanding key business processes, activities, tasks, high-risks and any known issues will help them to identify what's important and what's not. Where there are technical requirements to be understood, they must seek clarification from suitably qualified people; never assume knowledge you don't have.
Understanding the Requirements
Not all HSE management systems are perfectly integrated and certainly not in alignment with any ISO Standard such as ISO9001 or ISO45001. HSE Management Systems are written by individuals who often lack sufficient understanding of the business for which the HSE-MS will be applied, and therefore of whether the commitment or obligation they're describing needs to be auditable or just for information.
ISO Standard auditing is simplified by the fact that the standards use common terminology that makes it easier to determine what are mandatory requirements against those that are recommendations. Generally speaking, auditable requirements are those that are preceded by a ‘shall’ statement. ISO defines the following:
“shall” indicates a requirement
“should” indicates a recommendation
“may” is used to indicate that something is permitted
“can” is used to indicate that something is possible
It is incumbent on the auditor to understand the organization’s interpretation of their internal documents if there is no standardization or alignment to ISO. Unless doing an ISO audit, the auditor must think from the position of what the company believes to be important, not what they believe to be important.
Policies, Objectives, Plans, Procedures and Work Instructions
Policies generally sit at the top of the organization's management system document hierarchy. Often, they are written at such a high level that most auditors would struggle to identify all the components necessary to judge whether the policy statements have been implemented effectively or not. It is difficult to clearly identify whether policies are ‘auditable’ requirements or simply a statement of intent. Despite this, auditors should, at a very minimum, seek to understand whether employees understand the policies, as this knowledge is a guidepost to whether those same personnel are implementing lower tier documents.
Objectives generally bridge the gap between the aspirational statements of the policies and the actions necessary to meet those. Objectives are also somewhat aspirational, but generally they are measurable goals, usually associated with a metric, against the targeted goals that the organization sees as necessary steps to achieve its policy statements. A simplistic example might be “Reduce incident rates by 10%”. These generally become the scope of the audit.
Plans, procedures and work instructions are where most auditors will feel most comfortable. These are where the vast majority of the auditable requirements are outlined (i.e. the ‘shall’, ‘should’, ‘may’, ‘can’ type statements). Whilst every company will have its own structure and terminology for this level of document (e.g. standard, procedure, operating instruction, operating manual), whatever the title, these are generally the ‘how to’ documents (checklists, process, SOPs etc.) and will detail the actions to achieve the tasks and the activities of the organization (hopefully in alignment with meeting their objectives). During the preparatory stage of an audit, auditors should take the time to understand the document structure of, and if necessary seek clarity from, the organization and ensure they’re asking relevant and considered questions to their interviewees – it’s a waste of valuable time asking a CEO or Director about work instructions and equally wasteful to ask an operator about business strategy.
Organisational records are often an area that many organizations don't do so well; they simply do the job and often don't maintain good records of what they've done. For this reason it's important for auditors to realise that records alone aren't always the best tool to define conformity to a requirement. Records themselves are simply a historical description of what has already happened, and a record doesn't necessarily constitute current conditions or circumstance. Whilst it might be pessimistic, auditors should also consider that records aren't always 100% accurate or a true reflection of what has occurred - many an organisation has been caught out falsifying records.
For an auditor, records are a good source of organisational context. Records exist because they are meant to contain details that are considered important to demonstrating the overall health of the organization. Experienced auditors will take the time to review relevant records, identify commitments within the upper tier documents that require records and understand whether these records are being maintained. From an HSE perspective, a good example of records that help develop organisational context are incident records, training records, hazard records, management reviews or internal audit records.
Traceability for the Client
It is important that any findings generated by the auditor are clearly specified against the auditable requirements. The client deserves to fully understand the requirement against which a non-conformity is being raised. Findings should include the requirement (i.e. document number, revision number, section, sub-section, abstract etc.), a statement of the non-conformity and, importantly, the evidence to support there was a deficiency observed against that requirement. Using 'nice to have' statements in an audit doesn't help anybody; the auditor may wish to express improvement opportunities, but these also need to be explained clearly and concisely with examples.
It is an essential component of any audit that auditors interview the organization's staff. This is essential because it gives insights and critical information that might not be available purely based on a document review or site observations.
However, whilst opinions (of the interviewees or the auditor) may ultimately contribute to an audit observation or improvement opportunity, they should never be the sole basis of a non-conformity. In terms of ensuring the client is getting the full value of the auditor and their experience, opinions should not be discounted entirely, but they must be carefully considered in the terms of the scope of the audit.
Auditors should remain vigilant in filtering out opinions from facts and always be aware of their own bias. It's an unfortunate irony that the more experienced an auditor, the more likely they are to have strong opinions on what they believe to be the right and wrong way of doing things.
Most Of All, Just Be Aware
Auditing is never an easy job, and as an auditor it takes a good degree of self-awareness to know your limitations and to ensure you don't unfairly or unjustly make statements, assertions or findings that aren't accurate and based in evidence. By focusing on auditable requirements, the auditor's job becomes just that little bit easier.