Off to a Good Start
Initial contact can be formal or informal but must include seven action items
by J.P. Russell
Clause 6.2.6 of the U.S. supplement for the International Organization for Standardization's (ISO) auditing standard provides guidelines for establishing initial contact with the auditee. The auditee usually knows there is going to be an audit but doesn't yet know the specifics.
ANSI/ISO/ASQ QE19011S-2004, Guidelines for Quality and/or Environmental Management Systems Auditing, says the initial contact with the auditee for the purpose of arranging the actual audit can be formal or informal.
The dictionary definition for "informal" misses the mark for the auditing field. The dictionary links informal with the word "casual," an activity carried out without formal prescribed procedure or ceremony, and lists a synonym as "unofficial."
Initial contact with the auditee is not unofficial because the audit program manager or lead auditor must follow certain guidelines. Further, I would never describe any part of an audit as casual.
The person making the initial contact should align the formality with the situation and comply with audit program procedures. An example of being very formal could be a letter informing the auditee of its obligations, asking the auditee organization to provide specific information and stipulating the required communication methods. The letter could be signed by the audit team leader and audit program manager, with an optional cover letter signed by the person or the representative of the organization that requested the audit (audit client).
Formal or informal
A fax or an e-mail is less formal than a letter sent by express mail, although all provide a record of communication. E-mail responses are normally more highly structured than first contacts made by telephone. I would, however, recommend following up a telephone conversation with a note or an e-mail reviewing what was discussed and agreed on.
Finally, don't overlook a face-to-face meeting that could be considered informal or formal. For internal audits, this could be chatting in a hallway or dropping by the manager's office. For external audits, it might be a formal meeting in the general manager's office or in a conference room.
The level of formality in the initial contact will depend on the type of audit. External audits are more formal than internal ones. Third-party regulatory and certification audits are more formal than internal department audits.
Who and what
The auditing standard supplement then says contact should either be made by those responsible for managing the audit program (audit program manager) or the audit team leader (lead auditor). The standard lists action items to be completed as part of the initial contact. The seven action items make up the purpose or reason for the initial contact with the auditee:
- Confirm authority.
- Provide information about timing and the audit team.
- Establish communication channels.
- Request access to documents and records.1
- Determine site safety rules.
- Make arrangements for the audit.
- Agree on attendance of observers and need for guides.
1. Confirm authority
The audit team and its organization must first verify that it has authority to conduct the audit. The lead auditor or audit program manager does not ask the auditee for the authority, but instead states that an audit is planned and asks if there are any problems or issues regarding that plan.
Normally, authority for the audit has already been communicated by top management, and the auditee will say he or she was expecting it or knew something was planned. Every once in a while, however, the auditee representative will say, "No one told me there was going to be an audit." Or they might ask if the audit team has approval from an executive or clearance to view proprietary operations.
For internal audits, authority to conduct the audit has been previously agreed to by management, but there could be department issues regarding approval or the timing of the audit.
If you are conducting an audit to verify compliance to regulations, the auditing organization has legal authority to conduct the audit. For second-party audits, in which the customer has contractual authority to conduct the audit, it is still important to ensure the supplier is OK with the plan to conduct an audit.
Though not specifically mentioned in ISO 19011S, confirming authority should include the type of audit—quality management system, integrated management system or process—to be conducted.
Confirmation of authority is a simple, straightforward action item, but if skipped or assumed, it can cause a considerable amount of angst, confusion and embarrassment later on.
2. Provide information
This step answers the when and who questions. Composition of the audit team needs to be shared with the auditee representative and should include how many auditors, auditors in training, interpreters, technical experts or specialists, and observers will participate.
If certain auditors are going to focus on specified areas, as in a process audit, they can also be identified. For instance, one auditor might be assigned to order entry and another to the rebuild shop. (They should also be identified in the audit plan.)
Next, the auditor needs agreement on when to conduct the audit, although a date or time period might have already been established in a published schedule or agreement between the client, audit program manager and auditee management.
The lead auditor and audit program manager will say the audit is scheduled for a particular date or time period (sometime this week, perhaps). Normally, the auditee acknowledges the date. Things change, however, and circumstances can dictate a change in the date or time period.
It is wise to reschedule if events beyond the auditee's control occur and could put achievement of the audit objectives at risk. Perhaps the auditee organization received a statewide award and is going to be visited by its state congressional representative that day. Perhaps the day scheduled for the audit turns out to be the same day the Environmental Protection Agency or National Institute for Occupational Safety and Health decided to audit the organization.
Changing the timing, however, might change the audit team composition, depending on individual availability.
3. Communication channels
Normally, the auditee organization has identified a person to represent it by being a conduit for all communications. The communication channel could be a person or the means for transmitting information. Perhaps all requests for information will be channeled through an audit coordinator.
The type of things that might need to be communicated are: requests for information, changes in schedules or logistics, audit team changes, or changes that have been agreed on—or will be agreed on when the audit plan is issued.
Establishing communication channels might also include naming the preferred communication tool. The lead auditor or audit program manager might want to be contacted by e-mail, and the auditee representative might want communications to go to his or her mobile phone. In some cases, a fax might be preferred because it creates a record.
The higher the noncompliance or nonconformity risks, the more formal the communication channels should be. Audits that represent a high risk to the auditee or audit program should be recorded in some manner for retrieval purposes. In some cases, it might also be prudent to request e-mail or voicemail verification that the message was received.
For internal audits, the auditee representative might be the department manager, management system representative or someone assigned the role of audit coordinator. ISO 19011's U.S. supplement requires the auditee representative for second-party audits to have the necessary knowledge and authority to respond to the needs of the audit that are communicated by the audit team.
4. Document and record access
Since the audit plan has not been issued yet, it is important to ensure that access to documents and records is not a problem. If it is a quality audit, the auditor will want access to documents related to the quality system. If it is a process audit of the scheduling section, for example, the auditor will want access to those documents and records.
This is not a major issue for internal audits, but there could be confidentiality issues for an external audit. With electronic documentation systems, there could be internet or intranet security concerns. Electronic access might also require some minimal training on how to navigate through the software program and how to access the help desk.
Access to documentation could be one of the communication channels you need to establish. Identify the contact person for accessing needed documents and records. Determine the necessary protocols in advance. If not now, agree on when and who should be involved in establishing the protocols.
5. Determine site safety rules
Almost all organizations have some type of personal safety rules. If it is a manufacturing or heavy equipment site (such as a construction site or an airport), there will be many rules. If it is an insurance office, the only rules might relate to emergency exits or bomb threats.
I recommend the audit team leader or audit program manager be proactive by ensuring and verifying that he or she is given all the rules. It can be upsetting to find out during or after the audit that those who cross a yellow line on the shop floor are supposed to wear ear protection or steel-toed shoes. This oversight puts the auditor in a position of breaking a personal protection rule as he or she verifies conformity to other rules.
Canned safety presentations sometimes must be viewed before access to a property is allowed. This must be conveyed to the audit team prior to the audit. I have arrived to conduct an audit, only to learn I must watch a 30-minute safety presentation before I start. This is an immediate disruption and puts the audit team 30 minutes behind schedule from the get-go.
If the safety presentation is available online as a streaming video or slide presentation, you can include it in your preparation steps before arriving at the audit location. Later, when the audit plan is distributed, the audit team leader might again ask about personal safety requirements.
6. Arrange the audit
I interpret "making arrangements for the audit" as conveying the meeting and workspace requirements with the auditee representative. Conversely, the auditee representative might share circumstances that are particular to his or her situation.
For external audits, the audit team will need a base camp to get organized, review results and perhaps conduct meetings. This could be a conference room, training room or empty office. Either during the initial contact or when the audit plan is distributed, the audit program manager or lead auditor needs to tell the auditee representative specifically what is needed in the room, such as electricity, internet access, telephone, flip chart, tables or desks, and chairs. If the audit is an external one, the auditor might ask about lodging in the area for the audit team.
7. Observers and guides
Guide and observer responsibilities are discussed in ISO 19011S, clause 6.5.3. At the initial contact step, information about the possibility of an observer attending the audit must be shared.
Perhaps someone could be observing for the purpose of certifying the auditor organization, or someone from the auditor organization's management could be observing for audit program or auditor performance assessment.
For most external audits, guides should be requested. For internal audits, guides might not be needed unless the operations are complex and the auditors are unfamiliar with departments or the functional areas being audited.
Ensuring all seven requirements are addressed will get you off to a good start. Planning, as in the plan-do-check-act cycle, is essential for ensuring that the doing part of the cycle is effective.
After the initial contact has been established, your next step might be to conduct a review of the documents and records requested to ensure conformity to the audit criteria.
According to ISO 9000:2005, a record is a special kind of document stating results achieved or providing evidence of activities performed. Procedure documents and record documents are quite different. For this article, the author chose to name documents and records separately to avoid confusion and repeated explanations that documents include records.
J.P. RUSSELL is president of J.P. Russell & Associates, Gulf Breeze, FL, and managing director for the Quality WBT Center for Education at www.QualityWBT.com. He is a fellow of ASQ, ASQ certified quality auditor, voting member of the American National Standards Institute/ASQ Z1 committee and member of the U.S. technical advisory group for International Organization for Standardization technical committee 176. Russell is the author of several ASQ Quality Press books, including Internal Auditing Basics (second edition) and Process Auditing Techniques, and editor of the ASQ Audit Handbook (third edition).