My last couple of posts (see here and here) have suggested a kind of relationship between an auditor and the audited organization that has real risks, so let me talk about them briefly.
There is a fundamental principle that auditors must not do consulting. The difference is that an auditor tells you what's wrong (how your organization is deviating from its requirements) and a consultant tells you how to fix it. The reason to keep these roles separate is that combining them poses a temptation for the auditor to abuse his authority: first, he writes up a list of nonconformities; second, he comes back charging $500 an hour to tell the organization what they have to do to clear the nonconformities; third, he comes back next year to see if they did exactly what he said — and if not, he writes more nonconformities, ad infinitum. Permanent employment for the auditor, but really bad for the client. If you separate auditing from consulting, you prevent this cycle. So the general rule is, "I can tell you that you don't conform to your requirements, but I can't tell you how to correct the problem."
The basic principle is a good one, especially in the case of an external (or third-party) auditor who gets paid every time he shows up on the premises. But for internal auditors the distinction between auditing and consulting is often not so practical. In the first place, unless the organization is large enough, whoever does the internal audits is very likely the same person who will be assigned to lead or coach the corrective action team because there is literally no-one else available and qualified. In the second place, even during the audit itself it's not unusual to hear the question, "Why is it wrong to do what I'm doing? I don't understand what that paragraph of the standard even means. What should I do differently so that I'm not violating the requirement?" When someone asks you a question like that, the line between explaining the finding and consulting on how to fix it becomes so thin it almost disappears.
In my last couple of posts, I say that sometimes you might talk to the organization's management before rating a finding, or you might take into account topics like the organization's overall level of maturity. This advice is most appropriate in internal audits, where the distinction between auditing and consulting is already compromised for the reasons I described above. What about the risk that the auditor might abuse his authority? In the internal case that risk is minimized because if the auditor starts asking for something crazy, the department can easily escalate over his head to his manager to ask for intervention. And when you are all on the same team — when you are all paid out of the same payroll — there is no advantage to the auditor in demanding things that don't make the company healthy and prosperous.
It is important to understand that there is a difference between auditing and consulting, and also why the line between them is drawn so sharply. But then when it comes to working in the real world, like with everything else, what you do depends on risk and judgement: what are the concrete risks here and now, and how do you judge that you can meet them most effectively?