What are the most important skills in auditing

As ISO develops a standard for auditor competence, Sarah-Jayne Russell asks: What are the most important skills in auditing?

This article first appeared in Qualityworld magazine, April 2010, entitled: "The sum of many parts".

Gone is the image of auditors simply as intimidating figures behind clipboards asking awkward questions. Just as the rest of the quality profession has evolved from control to assurance, the role of management systems auditors is becoming increasingly complex as the subjects and scope of audits diversify.

In 2002 when ISO published ISO 19011, the guidelines for management systems auditing, there were only two ISO requirements standards, ISO 9001 and ISO 14001. Now there are standards for food safety, information security, supply chain management and a raft of sector-specific versions of ISO 9001. Not only that but whether the audit is internal or external, checking for compliance or evaluating areas for improvement, has a huge impact on the skills needed by auditors.

While the objectives behind each audit and the areas examined differ there can be no doubting the powerful impact that an auditor can have on an organisation. Nina Abbassi, managing director of Abbassi Ltd, is an experienced auditor who has been designing and delivering auditor training courses for many years. She says:“In simple terms, if auditors do not know what they are doing they can mess up a company. If an organisation is told that it must take actions on audit findings they are totally dependent on the skill of the auditor for the relevance of those actions. If an auditor raises non-conformities that are unjustified an organisation can create procedures or documents that are not useful. Auditors can have a major impact on the direction of an organisation and its success.”

Bearing in mind the strong influence auditors can have on an organisation there is a clear need to ensure that such professionals are competent. However, before an employer or auditee can define the necessary knowledge and skills, Nina argues that questions must be asked about the audit. “The scope and objective ofan audit defines the competence of the auditor required,” she says. “If an organisation only wants a compliance audit then the skills needed to complete the audit are much more limited than for an audit with the objective of continuous improvement.”

That said, certain knowledge, skills and behaviours are particularly desired by organisations employing auditors, those being audited and those relying on the outcomes of audits. Knowledge of the standard being audited against and the organisation being audited are key and it is universally agreed that deft time management and communication skills are crucial. Auditors must also have the practical skills associated with conducting audits such as the ability to understand audit scope, plan audits, sample effectively, interview auditees, analyse data, write coherent audit reports and work well both independently and as part of a team.

Unfortunately, unlike the capabilities listed above, many of the important skills needed by good auditors are dependent on personality and cannot necessarily be gained through training. Basil Dutton, a quality management systems auditor who represents Canada in the development of ISO 19011, says: “A good auditor must possess the fundamental skill of effective communication − having a personality that supports this is an obvious advantage. Being personable is a huge asset.”

Gary Illingworth, FCQI CQP, head of quality, battlespace, protection and awareness at Selex Galileo, leads a quality assurance team of 30 who are involved in internal auditing. For Gary the value of internal auditing is in an auditor’s ability to identify risk early on and to mitigate it. He argues: “More important than whether someone has experience of auditing is the set of behaviours they have – how they work in a team, how they communicate, how authoritative, flexible and adaptable they are.

“Essentially, internal auditing is about being able to influence the business. Anyone can say ‘this is wrong,what are you going to do about it?’ but that doesn’t fix the problem. It’s about how we behave and how we work at all levels of the business to improve it. “A person’s knowledge or skills gaps can be addressed easily if they have the correct behaviours. People can be trained fairly quickly in how to perform an audit, but to be able to deploy those skills is a lot more difficult.”

At certification body Lloyd’s Register Quality Assurance, third-party auditors are expected to have knowledge of LRQA’s business assurance methods and the specific standard being audited against. They also need knowledge of the cultural norms for the location of the client, business and technologies that are specific to the client and the specific organisational structure of the client. This is alongside more generic auditing skills and,as Alexander Sutherland, LRQA corporate technical director, puts it: “Auditors are expected to be ethical,open-minded, diplomatic, tenacious, observant, self-reliant and have moral courage”.

To ensure its auditors have the correct knowledge and skills, LRQA has an intensive training programme.Alexander explains: “Each of our assessors goes through an assessor-under-training process managed by qualified lead supervisors. This ensures they learn about the strategic intent behind our business assurance and equips assessors with the tools to not only verify compliance with standards, but also help clients to improve current and future performance. Initial training is supplemented throughout auditors’ time working with LRQA through compulsory classroom and e-learning training packages as well as mentoring and coaching while on the job.”

Because auditees look for more information on how continuous improvement will improve their business, a broader understanding of business is important says Nina. “Business acumen is very important for auditors these days. They definitely need both technical knowledge of the organisation being audited and the wider industry sector in which it performs.”

Other important skills not to be forgotten are objectivity and the ability to create an atmosphere of trust.Dominic Wilson, senior manager, change audit at Aviva, says: “Without creating an air of trust, those being audited will never open up and be honest with you. Without their honesty it is unlikely you will truly identify and fully appreciate the issues they face.”

Meanwhile Nina issues a warning: “When auditors become very experienced there is a danger of making assumptions and it is so important in auditing not to be judgemental. Experienced auditors must be careful they are not pre-judging a situation simply because they may have seen something similar before.”

Keeping up standards
General consensus is clear: management systems auditors have an important, influential role and they need a diverse range of skills in order to perform accurate, value-adding audits. However, opinions diverge on exactly how to assess an auditor’s ability and so ensure that they are sufficiently competent. Organisations with internal audit functions, such as Selex Galileo, create their own documents to assess the competence of those involved but for third-party certification bodies the issue of auditor competence is becoming increasingly important.

In the words of the CQI’s policy on third-party certification: “There is still significant variation in the quality and value of third-party certifications… and for this reason some purchasing organisations have reduced confidence”.

Such worries mean that ensuring the professionalism of auditors has become crucial. One way in which auditor’s competencies are assessed is through the requirements of professional certificates from organisations such as the International Register of Certificated Auditors and the American Society for Quality. There are also useful guidance documents on specific standards such as the Auditing Practices Group’s series of papers on auditing against ISO 9001 and the International Accreditation Forum’s mandatory documents. Most notably in recent years, however, have been the concerted efforts by ISO to define and regulate auditor competencies.

ISO first acknowledged the need to address auditors’ abilities with ISO 10011 parts 1, 2 and 3 published in the early 1990s. These guidance documents for quality management systems examined audit planning, managing an audit and auditor competence criteria. The guidelines were later echoed for environmental management in the ISO 14000 series before the decision was made to merge the documents and create one piece of auditor guidance: ISO 19011.

Published in 2002, ISO 19011 is an important document for internal, external and supply chain auditors and is now going through a long-overdue revision. Charles Corrie, business programme manager at BSI and secretary of ISO TC/176, explains: “ISO 19011 worked well when there were only two ISO management systems standards but now there are seven or eight, having only two paragraphs of competence criteria isn’t good enough. This has led the drive to revive ISO 19011 with the main work focused on bringing in additional competence criteria.”

The guidelines are also being developed to include more modern approaches such as process-based auditing, which wasn’t included in the first issue, and a section dedicated to audit risk – the failure of the auditing body to perform the audit correctly. ISO 19011, however, will remain purely guidance for auditors and not a requirements standard. This is where ISO 17021-2 comes in. Due for publication in December 2010, ISO 17021-2 aims to create a framework for the competencies needed to ensure an auditor is capable. Unlike ISO 19011, the standard is being developed by ISO’s policy development committee on conformity assessment and will apply only to third-party auditors.

The standard, which follows on from ISO 17021 – the requirements standard for auditing bodies – has caused considerable debate within the profession in its definition of competence. Paul Simpson, MCQI CQP, technical manager at the CQI, says: “ISO 17021-2 is trying to standardise certification from the point of view of putting in lines of requirements. It includes requirements for how to plan an audit, ensuring the competence of auditors and putting in place a system that says they’re competent, but it doesn’t actually help our understanding of what competence is.”

Others argue that such worries shouldn’t stop the standard’s development. Nina says: “Something being difficult to define doesn’t mean we should rule it out saying: ‘We can’t define competency, so we can’t assess it and we’re not going to have a standard.’ As an industry we have to look at how auditors demonstrate their capability whether that should be through qualifications, training, experience, references or an assessor watching audits.”

While the debate as to how to assess auditors’ skills will no doubt continue, there appears to be consensus that good auditors must possess a balanced combination of auditing knowledge and soft skills. David Straker, MCQI CQP, a quality consultant, says: “Both skillsets are equally important. To be an effective auditor you need to understand standards and business but also communicate well. Auditors need to make observations that lead to effective changes for their clients and the way they communicate can do a lot towards creating a constructive relationship.”

As the auditing profession looks to the future one thing is certain; the development of ISO 17021-2 and the revision of ISO 19011 will shape the expectations and understanding of competency for years to come.

Useful links

Auditing Practices Group
Created by ISO/TC 176 the APG publishes free guidance papers online for auditors of ISO 9001.

Offers auditing training courses and qualifications. The Body of Quality Knowledge is also a valuable resource for auditors.

IRCA’s quarterly e-zine includes useful advice and updates on all aspects of auditing and management systems standards.

International Accreditation Forum
Produces auditing guidance and requirements for organisations.

International Register of Certificated Auditors
Global certification body IRCA offers auditors professional recognition in a variety of management systems sectors, including environment and information technology.

Institute of Internal Auditors
The UK’s only professional body exclusively focused on internal auditing. The IIA hosts training courses and events and global audit practice guides can also be downloaded from its website.

The Auditor
Online edition of the bi-monthly newsletter includes practical articles on performing audits and topical debates.

Latest Job Listings