Thursday, April 13, 2023

Never lie to your auditor

This topic came up in the comments to one of my earlier posts, and I've been promising to address it for a while. In a sense I feel funny saying anything, because I think most of us would always tell our auditors the truth anyway. But the very fact that so many people felt the urge to bring the subject up tells me that a few words might be in order.


The whole question comes up because there are a few people out there who think of an audit purely in terms of getting the certificate at the end. They have no wider perspective, but they know that someone wants them to have a certificate: maybe it's the boss, maybe it's a customer ... it could be anyone. But someone wants it. And so they think backwards: In order to get a certificate, we have to pass the audit; in order to pass the audit, we have to tell the auditor what he wants to hear; so as long as I say things that sound good, we should be fine. Of course this way of thinking about it is wrong every step of the way. But a few people don't see the bigger picture. So that's what I want to spell out here.

There are several different kinds of reasons not to lie to your auditor. Some reasons are immediate and practical, while others take a step back to look at the larger picture. Then, of the practical reasons, some are high-minded and some are low-minded. In order to have a fair distribution, I'll give you one example of each kind.

High-minded practical reasons

The first practical reason not to lie to an auditor is that an audit is supposed to be a value-added activity. The purpose of an audit is to ascertain what is really going on. If you get a bad score in an audit, that's not because the auditor is being mean to you. The score represents a reality about whether your organization is running in a reliable way. If you fail in some area, that's just a flag to notify you of the cold, hard fact that you run big risks in that area. Never mind the audit report—the real worry is that Something Bad is going to happen in that area and it will hurt the whole company. Better fix it now, while the only damage is an unfavorable report, than wait till it blows up in your face. 

From this point of view, lying to your auditor is like disabling your fire alarm: sure, the noise won't interrupt you, but wouldn't you rather know if there were a fire?

Low-minded practical reasons

Another practical reason not to lie to your auditor is that you'll never get away with it anyway. In an earlier post I said that making a convincing fake is five times as hard as doing things right the first time. That's true, but everyone who has ever conducted an audit knows there's more to it. For years I have argued that there is a Special Providence for ISO Auditors, and I've described it like this:

  • The client has a drawer full of 100 files. 
  • Ninety-eight of those files are perfect. Two are wrong. 
  • You, the auditor, close your eyes and randomly pull three files out to check.
  • One of the ones you pull out will be wrong.

It's uncanny how often this works. I've had it happen to me when I do internal audits, and I've watched external auditors do the exact same thing. Those auditors wrote us up, too.

So maybe you think you've been really clever and pulled the wool over the auditor's eyes. In another minute he'll gesture at the stack of papers he just handed back to you and ask, "Wait ... can I look at that one again?" And, starting in that moment, the whole story you've spun for him will unravel.

Taking a step back

Those are examples of practical reasons not to lie to your auditor, but there's a whole other kind of reason too: one that is more fundamental than any of these. It's just about asking your team members or colleagues ... Why are we even having this conversation in the first place? Why would it ever occur to you to lie in an audit? Aren't you better than that? From this perspective, all of the practical reasons—you won't get away with it, or you will profit from the information that an honest audit gives you—feel a little discreditable, even though they are valid. Why should we have to give reasons for telling the truth in a case like this? Don't we all know that it's the right thing to do, and a better way to live?

Sure we do. We know this. We've got this.

⸻⸻⸻⸻⸻⸻⸻⸻

In other news, I'll be away from my computer for the next two weeks. So this blog will go on hiatus through the end of April. I'll be back on the first Thursday morning in May. See you then!

          

Thursday, April 6, 2023

Advice before an audit

In the last couple of posts, I've talked about how organizations respond to internal and external audits. While we are on the subject, I thought it might be useful for me to show you some of the advice that I usually give organizations when they are preparing for an audit. Of course the details are always a little different each time. But there are certain common themes that always recur. I'll list them here (in bold), along with a few comments (in normal text) to explain what I mean.

Please note: I have created a PowerPoint presentation with this information and more, that you can use to train your organizations in advance of an audit. You can find it on my page of Downloadable files. Please adapt it as needed so that it fits your organization's specific policies and procedures. You might also want to copy it onto a template with your logo. 😀

What are these audits?

First, I cover the very basics.

Our company undergoes audits to ISO 9001:2015.
  • Internal audits by our own personnel.
  • External audits by our external registrar.
These audits are a mandatory part of our Quality program.
They assess how well our system of business processes complies with:
  • ISO 9001:2015
  • Our company's rules and directives
  • Our individual policies and procedures
The audits also look to find room for improvement.

What do I have to do before an audit?

Auditees are often nervous before an audit, so I explain that the only "preparation" they need to do is the same thing they do every day anyway. This helps them relax a bit.

Understand your job:
  • What do you do? Why do you do it?

Everybody can talk about the work they do all day. So when I start by explaining that many of the questions really will be that simple, again, it helps put the auditees at their ease.

  • What inputs do you receive? From whom?
  • What do you do to those inputs?
  • What are the outputs you generate? Who are the customers for those outputs?

For employees who don't normally think in terms of processes, questions like these help them frame their answers in terms that the auditor will understand.

  • What are your risks? How do you mitigate them?

Of course risk is a major topic in the latest edition of the ISO 9001 standard.

  • The things you do every day … are they working? How do you know?

Often the answer to these last questions will reference some kind of KPI. But sometimes it won't. The thing is, you still have to know if things are working, and most employees do know! They might just have to be reminded that they know it.

Know what policies and procedures govern your work, what they mean, and how you follow them.
Prepare some examples of your current work and be able to explain them.

What do I have to do during an audit?

Here is where the advice becomes more critical. Everyone knows his job already, but not everyone knows how to talk to an auditor in such a way that the conversation is helpful and makes good use of the time.

“Put the auditor to sleep” … that means, show that everything is being done the way it is supposed to be done.

I've already discussed at length what this does mean and what it doesn't mean. As a reminder, the real message is that you should make sure you are compliant with all your rules, and then just show the auditor proof of your compliance ... confidently.

Answer the question the auditor asks, not what you wish he’d ask.

I've seen a lot of auditees cause confusion because they didn't answer the question that the auditor asked. They wanted to talk about something else. But the auditor has a reason for asking every single question on his list, so the most helpful thing you can do is stick to the point.

Don’t describe what you think the process is supposed to be, or what it should be if only they’d listen to your advice. Describe what you really do. 

Some people think an audit is a great chance to throw their boss under the bus for not listening to their brilliant ideas. But in reality this is never a winning strategy. On the one hand, the auditor will probably see what you are doing and won't write up an internal dispute. (I worked with one auditor who made it a categorical rule, "I never write up issues that are really company politics.") On the other hand, if you do try to throw your boss under the bus, how is your boss going to feel about that afterwards? Won't it make it harder to work together?

In short, if you do this, everybody loses. When the auditor asks how you carry out the process, tell him what you do today. If he then asks, "Do you have any ideas how to improve your process in the future?" of course then you can say "Yes."

Tidy your area.

This isn't a requirement of the ISO standard, but it is a courtesy to the auditor and it means your interview won't be derailed by irrelevant issues.

Feel free to say, “I can’t find that now but I’ll get back to you.” Then do it.

Some people get flustered if they are trying to find something while another person is watching them. Auditors understand this. So it is always fair to say, "I'm feeling flustered right now, but I know I can find the thing you want to see and I will get it to you soon."

Make sure you understand any findings before the auditor leaves.

This should be common sense. If you are going to have to fix something, you want to understand how it is broken.

Don’t argue.

Auditors love to think about the ins and outs of the standards they audit. So they have probably already thought of all the angles you are going to try. If you start arguing, they'll treat it like a game. Just remember, they live with the standards night and day. They should know the standards better than you do. So they are not going to lose the game.

Naturally if an auditor has misunderstood the facts, you are fully within your rights to clarify them, so that he has an accurate picture of what is going on. But arguing about the interpretation of the standard is not likely to get you very far.

I once worked with an auditor who put it this way: “Arguing with an auditor is like wrestling with a pig in mud. After a while you realize the pig is enjoying himself.”

Don’t guess or bluff. Don’t criticize. 

Guessing or bluffing means you'll probably say something wrong. It never helps to do that. And criticizing anyone—your co-workers, your boss, the company's management, or the auditor—is guaranteed to be a losing strategy, as I described above.

Never lie.

"This above all," as Polonius says. Maybe I should write a whole post on just this one topic.

What do I have to do after an audit?

Here I describe what kinds of findings you can get out of an audit (Opportunities for Improvement, Minor Nonconformities, or Major Nonconformities) and what you have to do with each one. If you get an OFI, you should think about it but you are not obligated to go farther. If you get a Nonconformity, you have to analyze it to determine the root cause, and then build an action plan which will permanently correct it. Depending on the organization, there may be a variety of special procedures to use, but the overall structure that I describe for an 8D is generally a good one to apply. Then finally you have to be able to provide objective evidence to prove the effectiveness of your corrective action. I'm not giving many details in this post because I have discussed so many of these topics in earlier posts. But of course they are important! (The presentation on my Downloads page does go into more detail.)

This, then, is the advice I give to organizations as they prepare for an audit or a program of audits. I hope you find something in here helpful for your organization too.

           

Five laws of administration

It's the last week of the year, so let's end on a light note. Here are five general principles that I've picked up from working ...