Leverage Safety

What Are Auditable Requirements

Updated: Dec 6, 2022


Auditing is both an art and a science, a combination of an auditor's technical knowledge of a subject and their ability to digest and analyze large amounts of information in a short timeframe and then make a judgment-based decision of conformance or non-conformance. When auditing, you must determine 'what is an auditable requirement.'

What Are 'Auditable' Requirements?


Within all organizations, there are thousands of obligations that the company has to meet to satisfy its various stakeholders. These stakeholders include the government, regulators, customers, workers, shareholders, and local communities; the obligations also include the company's social obligation to its communities and society.


From an organizational perspective, each obligation is a 'requirement.' These requirements are what the company must fulfill in its day-to-day operations. Often the requirements are embedded within company documentation (policies, procedures, work practices, etc.) and are carried out without conscious thought of meeting a requirement. The challenge for auditors is that while the activities might be taking place, not all requirements are 'auditable.' Essentially, only requirements that have a deliverable are auditable.


Auditors will rarely have the luxury of time that would allow them to verify that all requirements within the organization are being fulfilled. Auditors, therefore, need to be conscious of auditing the requirements that they believe are most important and that, by verifying, will meet the scope of the audit.


For experienced auditors, identifying 'auditable' requirements becomes second nature simply because they are familiar with verifying requirements that, if met, will give greater confidence that lesser requirements are also being met. As a result, experienced auditors will often try to determine what is auditable during the preparatory phase of an audit. This is simply the 'pre-read' section, where the auditor has requested, received, reviewed, and analyzed the organization's various documents, procedures, and requirements.


Unfortunately, inexperienced auditors will often struggle to identify auditable requirements because doing so requires knowing what's essential and what's not during this preparatory stage. Inexperienced auditors should continually try to improve their understanding of the businesses and industries they are auditing. Understanding key business processes, activities, tasks, high risks, and any known issues will help them identify what's essential and what's not. Where there are technical requirements to be understood, they must seek clarification from suitably qualified people and never assume knowledge they don't have.


Understanding the Requirements

Not all HSE management systems are perfectly integrated or aligned with an ISO Standard such as ISO 9001 or ISO 45001. HSE Management Systems are written by individuals who often lack sufficient understanding of the business to which the HSE-MS will be applied and, therefore, of whether the commitment or obligation they describe needs to be auditable or is just for information.

ISO Standard auditing is simplified by the fact that the Standards use common terminology, which makes it easier to distinguish mandatory requirements from recommendations. Generally speaking, auditable requirements are those that are preceded by a 'shall' statement. ISO defines the following:

  • "shall" indicates a requirement

  • "should" indicates a recommendation

  • "may" is used to indicate that something is permitted

  • "can" is used to indicate that something is possible

It is incumbent on the auditor to understand the organization's interpretation of its internal documents if there is no standardization or alignment with ISO. Unless doing an ISO audit, the auditor must think from the position of what the company believes to be necessary, not what the auditor personally believes to be important.


Policies, Objectives, Plans, Procedures, and Work Instructions

Policies generally sit at the top of the organization's management system document hierarchy. Often, they are written at such a high level that most auditors need help to identify all the components necessary to judge whether the policy statements have been implemented effectively or not. It is difficult to clearly identify whether policies are 'auditable' requirements or simply a statement of intent. Despite this, auditors should, at a very minimum, seek to understand whether employees understand the policies, as this knowledge is a guidepost to whether those same people are implementing lower-tier documents.

Objectives generally bridge the gap between the aspirational statements of the policies and the actions necessary to meet them. Objectives are also aspirational, but they are measurable goals, usually associated with a metric, that the organization sees as necessary steps to achieve its policy statements. A simplistic example might be "Reduce incident rates by 10%". These generally become the scope of the audit.

Plans, procedures, and work instructions are where most auditors will feel most comfortable. These are where the vast majority of the auditable requirements are outlined (i.e., the 'shall,' 'should,' 'may,' and 'can' type statements). Every company will have its own structure and terminology for this level of document (e.g., standard, procedure, operating instruction, operating manual). Whatever the title, these are generally the 'how to' documents (checklists, process, SOP, etc.) and will detail the actions to achieve the tasks and the activities of the organization (hopefully in alignment with meeting their objectives). During the preparatory stage of an audit, auditors should take the time to understand the organization's document structure and, if necessary, seek clarity from the organization, and ensure they're asking relevant and considered questions of their interviewees – it's a waste of valuable time asking a CEO or Director about work instructions and equally wasteful to ask an operator about business strategy.

Organizational Records


Organizational records are often an area in which many organizations don't do so well. They simply do the job and often don't maintain good records of what they've done. For this reason, it's essential for auditors to realize that there are better tools to define conformity to a requirement than records alone. Records themselves are simply a historical description of what has already happened, and a record doesn't necessarily reflect current conditions or circumstances. Whilst it might not be very optimistic, auditors should also consider that records aren't always 100% accurate or a true reflection of what has occurred - many an organization has been caught out falsifying records.


For an auditor, records are a good source of organizational context. Records exist because they are meant to contain details that are considered important to demonstrate the overall health of the organization. Experienced auditors will take the time to review relevant records, identify commitments within the upper-tier documents that require records, and understand whether these records are being maintained. From an HSE perspective, good examples of records that help develop organizational context are incident records, training records, hazard records, management reviews, or internal audit records.


Traceability for the Client

It is vital that any findings generated by the auditor are clearly specified against the auditable requirements. The client deserves to understand the requirement against which non-conformities are being raised. Findings should include the requirement (i.e., document number, revision number, section, sub-section, abstract, etc.), a statement of the non-conformity, and, importantly, the evidence to support that a deficiency was observed against that requirement. Using 'nice to have' statements in an audit doesn't help anybody. The auditor may wish to express improvement opportunities, but these also need to be explained clearly and concisely with examples.

Auditing Opinions


It is an essential component of any audit that auditors interview the organization's staff. This is essential because it gives insights and critical information that might not be available purely based on a document review or site observations.


However, whilst opinions (of the interviewees or the auditor) may ultimately contribute to an audit observation or improvement opportunity, they should never be the sole basis of a non-conformity. In terms of ensuring the client is getting the full value of the auditor and their experience, opinions should not be discounted entirely, but they must be carefully considered in terms of the scope of the audit.

Auditors should remain vigilant in filtering out opinions from facts and always be aware of their biases. It's an unfortunate irony that the more experienced an auditor is, the more likely they are to have strong opinions on what they believe to be the right and wrong way of doing things.


Most Of All, Be Aware

Auditing is never an easy job. As an auditor, it takes a reasonable degree of self-awareness to know your limitations and to ensure you don't unfairly or unjustly make statements, assertions, or findings that aren't accurate or aren't based on evidence. However, focusing on auditable requirements makes the auditor's job easier.

References

https://www.iso.org/foreword-supplementary-information.html
