November 2000
Vol. 9, No. 10, pp. 61, 62, 64
Regulations and You
Welcoming a Conformance Audit

With careful preparation, an official review can be a beneficial experience for both parties.

An audit is a review of actual practice against some concept of good or standardized practice to confirm that the system is functioning. It is a methodical examination of the presence or absence of objective evidence in support of the stated system requirements. In the past two decades, audits have become a way of life for measuring an organization’s conformance to expectations. This article describes the steps in an audit cycle and the activities associated with those steps.

Objectives of an audit
The goal of any audit should not only be to verify compliance with stated expectations, but also, if possible, to help improve the existing system. Whether the audits are of products, processes, or systems, there are essentially four types:

  • first-party audits, which a company uses to evaluate its internal activities;
  • second-party or customer audits, which a company uses to evaluate the activities of its vendors, contractors, agents, licensees, or other parties;
  • third-party audits, which a regulatory body uses to judge the activities of the organization it is assigned to regulate; or
  • voluntary certification audits, which a standards body or its agents use to assess an organization’s compliance with nationally or internationally accepted standards such as ISO 9000 and 14000.

The positive aspects of an audit include proving satisfactory compliance with requirements, improving a company’s image, satisfying customers, and providing an opportunity for further improvements. However, some individuals typically view an audit as a loss of productive time, disruption of routine, a weapon used by regulators for punishment, and a snapshot that does not necessarily represent normal, long-term performance.

An audit cycle includes planning and preparation, implementation of the audit, a conclusion, and a follow-up. Arter (1) estimates that an auditor spends 25% of total audit time in preparation, 50% in conducting the audit, 15% in report preparation, and 10% in closure of the audit. In some sense, a complete audit cycle is similar to Deming’s plan–do–check–act cycle (2). Thus, an audit should be looked upon as an aid to continuous improvement.

An audit can only be as good as the preparation for it, on the part of both the auditor and the “auditee.” For the auditor, it is useful to know ahead of time some details about the organization that is being audited. If more than one auditor is involved, a team leader should be chosen to delegate work assignments.

Auditor. For the auditor, a checklist of what is to be audited is the most useful document to prepare before the audit. It provides a structure for reviewing items, maintains uniformity among different auditors on the team, allows data to be recorded in a consistent fashion, and helps to manage the limited time available for the audit (see box). The checklist should contain the areas that will be examined, what evidence is being looked for, the standards against which the practice is being compared, and the actual findings and observations, whether positive or negative. The checklist should be tailored to the organization’s activities.

A second useful document is the audit plan. Normally, this is a one-page document listing the purpose and scope of the audit, the team members, the schedule, the documents and the areas that will be audited, and the standards against which the auditee will be measured. This document should be shared with the auditee at the beginning of the audit so that both parties know what to expect.

Auditee. It is natural for an auditee to be anxious before the audit. But if all systems are properly in place and all staff are properly trained, the audit should not be a dreaded ordeal but rather a tool for continuous improvement. Here are some of the important steps an organization can take before the actual audit so that the process goes smoothly:

  • Go through practice assessments. Learn from these and correct the deficiencies.
  • Make sure everyone knows what will be happening.
  • Show strong management support; managers should be present at the opening and closing meetings.
  • Have staff available to answer questions or produce documents.
  • Make sure all staff are on board.
  • Make sure all manuals and documentation are easily accessible.
  • Ask managers to review progress at the end of each day’s audit to track what is happening.

Conducting an audit
The heart of a successful audit is open communication between the auditor and the auditee. The audit should consist of three phases: the opening meeting, the audit, and the closing meeting.

The opening meeting. During this meeting, the audit schedule and plan should be distributed and, after discussion, modified if appropriate. The auditor should clearly explain the goals and scope of the audit and which documents and practices will be reviewed. This opening meeting should not last more than 30 minutes. If the auditor is new to the site, it would be useful for the auditee to give an overview of the organization and a brief tour of the facilities. However, the auditor should be wary not to get so involved in this “show and tell” exercise that the primary function of auditing is neglected.

The audit. The auditor will review the organization’s policy documents pertaining to the area being audited. It is not necessarily the job of the auditor to point out the deficiencies of the policy, but to verify that the actual practices follow the policy. However, if the audit is conducted to check compliance with a national or international standard, it is perfectly legitimate to review whether the organization’s policy documents comply with the standards’ requirements.

The auditor will review the physical or chemical measurement data to check that it is properly obtained, documented, and traceable.

During the interviews, the auditor needs to keep an open mind, put the auditee staff at ease, and ask open-ended questions. For example, instead of asking, “Do you have a quality control program?”, ask the staff to describe their quality control program.

An outside auditor, in particular, would rarely know all the technical details of the organization being audited. Hence, it is important to listen closely and compare the information against both internal and external standards. Again, it is not necessarily an auditor’s place to solve the company’s quality problems. However, it may not be inappropriate during the closing meeting for an auditor to offer nonmandatory alternatives for improving a company’s systems. In the case of an internal audit, the purpose is generally for the auditor to suggest ways to improve the system. Some organizations may think of their internal quality assurance auditors as troublemakers or worse. This need not be so if the audits are conducted in the spirit of cooperation and teamwork, and if both parties regard them as ultimately leading to customer satisfaction.

As the result of an audit, the auditor may find that the site is in full compliance; if not, depending on the seriousness of the deviations, an auditor may classify them as findings or observations based on the objective evidence. ISO 8402 defines objective evidence as information that can be proved true, based on facts obtained through observation, measurement, test, or other means. Most of the objective evidence should come from the system records showing consistent performance of activities.

There will be isolated events, but several nonconformities, taken together, will constitute a major finding of a system’s failure to comply.

The closing meeting. Before holding the closing meeting with the auditee, the auditor should organize the findings and observations. If a team did the audit, any differing opinions among the team members must be reconciled so that the auditee receives one clear opinion. It is a good idea for the lead auditor to open the meeting, give the overall assessment, and let individual team members speak about the specific areas that they covered. Time should be allowed for the auditee to ask questions and for the auditor to explain any point of dispute. However, under no circumstance should this discussion degrade into an argument or a debate. The auditor should outline the findings and observations and suggest necessary actions to correct the areas of nonconformance. The auditor and auditee then need to agree on a timetable for completing the corrective actions.

Following up
There are at least two parts to an audit follow-up: the report and the response to it. Within a reasonable time, the audit team members should prepare a detailed report giving the scope of the audit and the findings or observations based on objective evidence and then review it for accuracy and consistency before sending it to the auditee organization. The report should be succinct. It should not include the names of the staff members who were interviewed or their comments. Strengths and weaknesses of the sections that have been audited should be summarized.

After receiving the written report, the auditee management should verify the accuracy of the findings or observations and prepare a plan to correct the areas of nonconformance within a reasonable time frame. A record must be kept of the corrective actions taken, and this information needs to be provided to the auditor. Sometimes the auditor schedules a follow-up visit simply to check that the deficiencies have indeed been corrected. This is more likely to happen if the reported deficiencies were so serious that no certification of compliance could be provided without a repeat audit. Usually, however, the audit findings from the previous audit would be specifically checked during the next audit to ascertain that they were satisfactorily corrected. After a certain time, the organization should check to ensure that the corrective action taken has indeed resolved the noncompliance.

There is no doubt that an audit is a stressful time for all involved. If the auditor does the task well, an audit is an opportunity to celebrate good systems already in place. And who would not want to have them authenticated, either by an internal or an external auditor? By following the norms suggested in this article, it is possible to make an audit a pleasant and, more importantly, beneficial experience for both parties.


  1. Arter, D. R. Quality Audits for Improving Performance; ASQC Quality Press: Milwaukee, WI, 1989.
  2. Deming, W. E. Out of the Crisis; MIT Press: Cambridge, MA, 1986.  

R. A. Kishore Nadkarni is a quality assurance auditor at Hill Top Research, Inc., in East Brunswick, NJ.
