External Audits: Do’s and Don’ts

Whether you are being audited by a Notified Body or one of the Regulators, you are being audited by someone external to your organisation. This comes with great opportunities as well as difficulties. Here we explain the difficulties, how to have a pleasant, stress-free, unbiased, and effective audit, and of course talk about what to avoid at all costs!

We recommend sharing this article with everyone who is involved in your organisation’s audits, whether they sit with auditors in the boardroom or support the audit from the ‘backroom’ (I once heard our clients refer to it as the ‘War Room’). You can see our article on War Room Preparation for practical and detailed information.

What to Do:

  • Be polite, professional, and cooperative: Here’s the fastest way to set the mood: think of the auditor as a colleague you haven’t met for a few months. You want to make your colleague feel welcome, get them what they ask for, and handle any disagreement politely. Don’t forget, the best business card is a firm handshake with a genuine smile on top.
  • Follow through, always: If the auditor asks for something, they always write it down somewhere or remember what they asked for. They often use checklists for conducting audits so nothing will be missed. Ensure your team never forgets or ignores the auditor’s requests and always follows through. There is a good chance that this happens unintentionally due to having too many requests flying around, particularly when audits involve a combination of vertical (evidence to evidence) and horizontal (process to process) requests. If you miss requests, auditors may incorrectly sense that something must be wrong or that you are hoping they will forget. This may subject your system to an unnecessary level of scrutiny and create a bad vibe during the audit, which may affect the audit results (we are all human and no one benefits from a stressful audit).

This is exactly why we have created AuditMan to help companies manage their audits effectively and with minimum back and forth between auditor(s) and auditees, by ensuring transparency and using workflows.

  • Be honest with the auditor: If the document or record that is being requested does not exist, simply admit it and explain why (if you know). This makes it much more likely that you avoid a high-level finding, or get no finding at all. Let the auditor know beforehand if you are aware of any issues that may affect the audit (e.g. no production happening on the day, or a key staff member being away) so they can plan accordingly. Auditors don’t like surprises.
  • Review the Audit Plan, 3 times: This is to ensure all staff understand the scope of the audit, the areas that will be audited, the session times when you need a Subject Matter Expert (SME) to come to the boardroom, and of course the name of the auditor. During the Opening Meeting, let the auditors know if you need to change session times and the reasons. Expect reasonable deviations from audit plan times and inform auditees accordingly.
  • Have a process for managing unannounced audits: We have a separate article explaining What Happens During an Unannounced Audit. We also have the procedure created for Managing Audits (including unannounced audits) which you can find here (this is mandatory for CE/MDSAP certificate holders, and recommended for all). If you have a certificate issued by a notified body or regulator, chances are you have been (or will be) subject to unannounced audits. These audits are conducted with minimum notice (usually you show up at work and see them waiting at the door with a coffee in hand and find out it’s audit day). You have 10-15 minutes to set up for a quick opening meeting in the boardroom, gather all relevant staff, and take the auditor to the production/operations area. The clock starts from the time someone in the organisation meets the auditor. This means everyone must know what (not) to do.

Unannounced Audits are very fast-paced, focusing only on higher-risk areas such as production, product release, and CAPAs. So it is imperative not to waste your time grabbing procedures and printing them for the auditor; they are not interested today.

Make sure all staff involved are (at least informally) trained on handling unannounced audits. Important: Ensure your staff never try to ‘fix’ things on the day, as auditors are heavily trained on spotting ‘quick fixes’.

  • Have the main evidence ready: When was the last time you had an audit and the auditor didn’t ask for your Quality Manual, Quality Policy, Quality Objectives, and CAPA/Complaints register? We advise always having such evidence available (or accessible) in the boardroom.
  • Remind staff to review their CURRENT procedures: Most staff know how to go about their daily tasks, but being able to explain the process to the auditor is slightly different. Also ensure that staff who have printed out their SOPs, Work Instructions, and forms have the latest revision (you’ll be surprised how many times I’ve raised nonconformances for such issues).
  • Keep it relevant: It’s okay to volunteer information, as long as it is directly relevant to what is being reviewed. Most consultants advise against this, but this is not what auditors think. What exudes openness better than delivering more (relevant) information than the auditor is asking for? This is based on several years of conducting regulatory audits of companies like yours.
  • Involve as many staff as you can: I always recommend involving relevant staff in the audits instead of just the quality assurance team handling everything. The benefit is twofold: (1) they understand why your company emphasizes doing things in accordance with company procedures, and (2) they realise the amount of scrutiny their work goes through and why a QMS is so important.
  • For medium-large companies, use a scribe: A scribe is a person sitting in the boardroom (or walking with the audit team during the production area audit) taking notes of what auditors ask for, look at, or simply touch! The scribe also writes down who was interviewed and what questions were asked. The benefits are threefold: (1) the main auditee can focus on answering questions and explaining the process interactively, (2) you can refer back to the scribe’s notes and ensure the auditor gets exactly what they need, and (3) you can train staff post-audit if you identify deficiencies in their competence. Our AuditMan platform comes with a scribe function for all external audits, which can be viewed by all staff involved. This way the backroom is not in the dark and knows what’s happening in the front end, so they can start preparing and managing their workload.

What NOT to Do:

  • Don’t take it personally: Remember at all times that the auditors are just doing their job. They are at your premises to find evidence of conformity, not to write nonconformances! Nothing is (and shouldn’t be) personal; auditors understand that issues occur not because of individuals, but because of systems.
  • Don’t Grab, before you Get: There’s nothing worse than spending 15 minutes on getting the wrong document or record. If you are not sure what the auditor is asking for, politely clarify. The best way to do this is by simply saying “ok let me see if I got that, you’d like to see CAPA-2020-013 including the evidence of implementation?”.
  • Don’t argue, explain: The moment it starts to feel like an argument, avoid it by saying “Can we get back to you on this by lunch time?”, then come back with more information and a fresh mind for both parties.
  • Don’t whisper: You don’t get nonconformances for doing this, but it surely gives a bad impression when the auditor asks for something and the auditee whispers to another staff member. It exudes dishonesty. This is another reason why we created AuditMan with a ‘whisper’ function, so managers can explain their requests to the staff in the backroom without unintentionally looking like they are hiding something, or giving wrong clues about other processes not presently being audited.
  • Don’t guess: If you do not know the answer to a question, explain this to the auditor and get the subject matter expert to address the question.
  • Do not answer for someone else: Sometimes the auditor wants to direct a question at a specific operator (e.g. in the production area) and wants them to answer so that they can assess training aspects. Remember, this may or may not have anything to do with the actual task being performed; it is assessing the level of awareness and competence. Never answer for the auditee, let them speak. You can clarify later if needed.
  • Don’t assume the auditor knows your processes: Briefly explain each process in simple terms, but do not omit important information. Spend the time to explain what the process inputs are and what records must be generated.

Even if the auditor has audited your company before, most external auditors visit at least 40 companies a year. While being a fast learner is an absolute must for every auditor, they may have forgotten a lot in terms of workflows, and process details.

  • Don’t only use pre-selected samples: If the auditor asks for RANDOM samples, ensure that you either give them a list (e.g. batch records, or complaints register) to sample from, or select randomly in front of them. It is ok to use pre-selected samples if the auditor does not specifically ask for random samples. But keep in mind, the best benefit of an external audit (apart from certification) is finding issues within the system, and this is best achieved by using truly random samples.
  • Don’t disappear during breaks: Have a cup of coffee with the auditor during breaks, and do not talk about audit-related matters. Build a connection at a personal level to release any tension. Remember, the auditor-auditee relationship is often ongoing. My recommendations are talking about recent or planned holidays, mutual friends and colleagues (it’s a small industry after all), and recent pleasant news. The best topics for lunch breaks are asking the auditors about how much travel they do, and asking about their hobbies and passions.