Understanding the
audit trail
argues that a comprehensive audit trail is essential for a successful audit
There are numerous of important elements in carrying out a professional audit. Some requirements, such as the need to audit the process, are defined in ISO 9000. There is, however, one element of auditing that is missing in the terms and definitions in ISO 9000 – the audit trail.
The failure to carry out a process audit following an audit trail is the single most important reason why audits are not effective.
What is an audit trail?
In the absence of a definition from ISO 9000, a standard dictionary definition for 'audit' and 'trail' arrives at the following: an audit trail is an examination, by a qualified person, of an activity following the path that has been left by the process. But what does this mean in practice?
Although applied by some auditors, the use of an audit trail is by no means universally accepted. It is the failure to ensure all audits employ process audits following an audit trail that undermines their credibility. Auditors should understand the path of the process that they are auditing and perform the audit accordingly, ensuring that the requirements of the process are being met.
For example, as a matter of course auditors will visit the shop floor. This enables the auditor to see what is taking place and to identify the specific order numbers of jobs that are going through at that time. From this information it is easy to identify in the sales department the agreed specification for that product or service and select relevant samples to be chosen. This means the process can be checked to ensure that what takes place is controlled and will meet the required specification. From here, the audit trail is picked up and followed through.
Using the audit of a purchasing activity as an example, you need to identify what material or equipment has been purchased for your sample order. It is always important to understand what drives the process. In this case, it is normally the requisition, which defines what is wanted.
If the auditor does not understand the specification, then he or she cannot check if the process being followed meets the requirements of the requisition.
- what does the requisition require – does this comply with the agreed specification?
- how is the decision to purchase made?
- how is the specification decided? Is it adequate?
- who decides what is required and do they have the authority?
- who chooses the supplier and by what criteria?
- what is the process for bid evaluation?
- how is the specification advised to the supplier?
- are national or international standards used?
- what controls the process?
- are there any special packing delivery requirements?
These are just some of the issues that need to be addressed, many of which follow the clauses of ISO 9001.
Correct samples
The starting point for the audit is to use the chosen samples and identify the process path and the controls that were applied. It is vital that the samples are linked and come from the same trail. Too frequently, audit samples are taken at different stages of the process and are not related or linked to the initial sample chosen, which means that an auditor is unable to verify that the process is working. He will only be able to check if that particular document is filled in correctly.
Procedures, forms, checklists and so on, all ensure that a process is managed and controlled effectively. It is essential that auditors take the time to understand what is required from the process they are auditing.
It is impossible for a second- or third-party auditor to carry out an audit of an organization if the auditor does not take the time to understand the specification of its product or service, including statutory and regulatory requirements. It is this professional approach to auditing that allows the auditor to identify any weaknesses in the process and decide if an organization is capable of meeting the specified requirements. The audit trail approach applies to any audit be it an internal, second- or third-party audit.
About the author
David Seear is a chartered engineer and head of PDQ Management Services. He formerly worked as head of quality and performance for Shell UK materials and has represented the UK on ISO/TC 176 for three years.
E: daveseear@btinternet.com
 |
 Have an issue to raise? A question to ask? Give us your opinions now in the Online Forums. |
