Psychology of an Audit

1.0 Binding Requirements for Auditors

  1. International Conformity Assessment
    1. API’s Monogram Program Rules
    2. API Quality Registrar Rules
      1. API is certified by US Quasi-Government Accreditation Body (ANAB)
    3. Industry requirements
      1. ISO 17021, Conformity assessment – Requirements for bodies providing audit and certification of management systems
        • Establishes rules for organizations like the API for conducting audits
      2. ISO 19011, Guidelines for auditing management systems
        • Establishes rules for auditors and auditor behaviors
  2. Ethics policy of the organization that certifies auditors (IRCA, Exemplar Global)
  3. API’s Ethics Policy
    1. Can’t have relatives in the auditee’s facility being audited
    2. Can’t have relationships with personnel in the auditee’s facility being audited
  4. The API has a Confidentiality Agreement with the auditee’s facility
    1. API auditors are contractors; they have a confidentiality agreement
      1. The API does not recognize the need for an auditor to have a confidentiality agreement directly with the auditee’s facility
      2. The API does not recognize the need for an auditor to have a confidentiality agreement with 3rd party providers
  5. API’s Conflict of Interest Policy
    1. Auditor shall not have worked for the auditee within the 2 years prior to the audit
    2. Auditor shall not work for the auditee for 2 years after the audit
    3. Potential signs of conflict
      • Auditor hands auditee personnel a business card
      • Auditor states they own a consulting business
      • Auditor consults for your competitor
      • Auditor identifies the projects they are currently working on
      • Auditor discusses their “customers”
      • Auditor makes recommendations
      • Auditors have preferences of how things are implemented

2.0 Audit Preparation by the Auditor

  1. An auditor may request supplemental information
    1. Prior to coming onsite to perform the audit
      • The API maintains the auditee’s quality manual
      • The auditor may request and obtain (with the auditee’s consent) a copy of the manual
      • The auditor should not be allowed to have other internal documents (procedures, work instructions, confidential information) before the audit
  2. However, an auditor may review public information
    1. The auditee’s website
      • Product claims
      • Quality Management System criteria / claims
      • Customers
      • Markings such as the API monogram, logos, etc.
      • Product catalogs, part numbers, etc.
      • Quality manual, procedures, certifications
    2. Industry publications and listings
    3. Google Earth to view an aerial layout of the auditee’s facility
    4. Other publicly available data
      • Facebook
      • LinkedIn
  3. An auditor should inquire about
    1. Hours of operation
    2. Days of operation
    3. Local holiday information
    4. Personal protective equipment requirements
    5. Available space for meetings
    6. Names of key personnel and interfaces
  4. An auditor should provide an audit plan that includes
    1. Specific audit criteria
    2. The areas to be audited
      • Estimated times / dates of quality management system criteria to be audited
      • Names of departments
  5. It is important to keep the auditor to the schedule and times they set
    1. Over-extending a visit in any area may have ramifications

3.0 Things You Need to Consider Prior to the Audit

  1. Staffing – ensure that the correct management and key personnel are available
  2. Working Space – ensure that a conference room or suitable space will be available
  3. Offsite Document Storage – notify the auditor if any files are stored offsite; allow time to access them
  4. Lunches – recommend lunches be brought in to save time and support audit tasks

4.0 Granting the Auditor Limited Access

  1. Auditors should be treated as any other visitor
    1. Required to sign in and sign out daily
    2. Be issued an identification badge or visitor badge
    3. Be required to meet the auditee’s personal protective equipment requirements
  2. Internet access, if provided, should be limited to the general Internet through guest access, in accordance with the auditee’s information technology department requirements
  3. Auditors should not be issued credentials for computer systems or access cards to the facility
  4. The auditor is not allowed to access any contractor, consultant or employee confidential information; for example, QSI’s IMS Software
  5. Auditors should be escorted at all times
  6. There should be a “No Camera”, “No Photograph” policy in place. Do not allow the auditor to freely take pictures. If any pictures are requested, they should be taken by a member of the auditee’s staff. If an auditor requests to use the photo in their report, ensure there is nothing proprietary about the content.

IMPORTANT: Any photographs taken by the auditee should be given to the auditor, where necessary, as a printed copy.

5.0 An Auditor’s Perceived “Power”

  1. An auditor has no power; it’s all a perception
  2. An auditor has no direct decision on whether or not an auditee attains a license or certification; the decision is that of the API
    1. The auditor should make informed decisions about conformity or nonconformity based upon audit evidence (interviews, records, observations) and report the results in the API Audit Report
  3. An auditor’s unprofessional conduct and inadequate audit practices can influence the outcome of an audit. Therefore, it is essential to monitor their performance to ensure objectivity and impartiality.
  4. It is important to spot and identify behavioral issues and improper requests when they occur
    1. It is professional and good business practice to discuss behavioral issues as they occur with auditors
    2. Reason: not saying something may be an acceptance of improper behavior
  5. An auditor cannot judge how good or how poorly an auditee performs; however, they may state an informed opinion based upon the audit evidence they gather
  6. An auditor should not indiscriminately touch or handle an auditee’s tools or equipment without permission
  7. An auditor should not attempt to operate any equipment or devices
  8. An auditor must always be escorted; they should not be allowed to stray
    1. Safety is always a concern
    2. An auditee’s privacy is always a concern
    3. An auditee’s Trade Secret and intellectual property are paramount
  9. An auditor cannot prevent an auditee’s consultant from being present during an audit
  10. An auditor may or may not know all of the procedural and technical requirements of the API
  11. An auditor cannot tell you how something “must” be implemented
  12. It is important for the auditee to demonstrate:
    1. Its professionalism
    2. Its level of interest
    3. Its presence
      • Having more than a single guide
      • Using managerial and technically competent personnel as audit guides
    4. Its control over activities during an audit
      • Monitoring auditor questions
      • Monitoring employee responses
      • Monitoring employee emotions / level of stress
      • Intervening when necessary
    5. Its intervention, if appropriate, when
      • Safety issues are identified
      • Improper behavior is identified
      • An auditor is asking leading questions with a motive other than verifying conformity or nonconformity

6.0 An Auditor’s Behavior

  • Must be professional
  • Must not be aggressive or demeaning
  • Must not become angry
  • Must remain neutral at all times
  • Must not place blame
  • Must be cooperative

7.0 Possible Auditing Techniques Used by the Auditor

An auditor may employ specific techniques to obtain information or cause an auditee to act a specific way; for example:

  1. Breaking the ice
    • Discussing an auditee’s personal effects or photographs
  2. Questioning
    • Open-ended questions (allow the auditee to continue talking; this could lead to unintended or unproductive disclosures)
      • Could result in less focused or off-topic responses
      • May introduce risks of revealing sensitive or irrelevant information
      • Could potentially compromise the efficiency or direction of the audit
    • Closed-ended questions (yes or no)
    • Systematic questions (questions asked in the order in which Q1 or the QMS is presented)
    • Positioning questions (the auditor knows the answer, they are testing the auditee’s knowledge)
    • Fishing questions (testing if the auditee agrees or disagrees with something)

    Note: Respond only to the question asked, and only to the level of detail necessary to ensure the auditor understands. Do not go off-topic.

  3. Body Language
    • Stepping closer to an auditee
    • Hand gestures
    • Facial gestures
    • Smiling
    • Frowning
  4. Pace
    1. Jumping into details without understanding high-level requirements
    2. Rapid questioning
    3. Slowing questioning
    4. Pausing
    5. Appearing to be reflective
    6. Using words or sounds like:
      • “hmmmm”
      • “uh huh”
      • “I see”
      • “Really”
      • “No”
      • “ok, ok”
    7. Not allowing appropriate time for an auditee response
    8. Interrupting the auditee
    9. Jumping from one subject to another
    10. Using voice projection
      • Speaking louder to show command
      • Speaking softer to draw in the auditee
    11. Jumping to conclusions
      • This may be a method of getting the auditee to admit a nonconformity whether or not one actually exists

Note: The techniques above are ways of extracting more information from an auditee.

8.0 An Auditor’s Job

  1. To review an auditee’s quality management system
  2. To determine if the quality management system is conforming or nonconforming to specified requirements
    • An auditor may follow audit trails
  3. Auditors may examine objective evidence presented by the auditee
    • Auditors may not dictate how requirements must be implemented
    • An auditor has to demonstrate “why” something does not meet requirements; an opinion is not sufficient. Objective evidence must be identified in a nonconformance report.
  4. Auditors may request additional information, talk to personnel, follow audit trails
  5. Unusual Requests / Discussions
    1. Wanting to talk to an auditee’s vendors (onsite or offsite)
    2. Refusing to review evidence submitted by the auditee
    3. Attempting to be influential
    4. Requesting commercial information such as pricing or competitive data
    5. Requesting to see personnel information protected by law
    6. Requesting trade secrets, confidential, or intellectual property information
    7. Asking for access to the auditee’s computer systems
    8. Asking for copies of procedures or the entire QMS
    9. Asking for computer screen prints for their report
    10. Requesting to take information offsite
    11. Requesting to use their camera or phone to take pictures
    12. Requesting information related to consultants or contracted auditors
      • The auditee usually has confidentiality agreements and cannot disclose this information
    13. Demeaning competitive activities or output (tortious interference, slander)
    14. Demanding activities be implemented in a specific way
    15. Requesting dinner or entertainment
    16. Requesting the auditee’s handouts (marketing or promotional materials)
    17. Discussing competitor information

9.0 Auditor Requests for Supplemental Information

  1. To use for documentation of an audit nonconformity
    1. Code of Practice
      • If necessary, any pictures should be taken by the auditee and only used with permission
      • The auditor should not be given trade secrets, confidential info, or IP (e.g., copies, screenshots, photos)
  2. The API is not interested in seeing the auditee’s procedures, detailed reports, or other documentation
  3. API staff must review the auditor’s report
    • API requires auditors to summarize evidence that supports audit statements and checklist questions
  4. If an auditor asks for needless information, they are not doing their job and are attempting to shortcut API requirements

10.0 Design Packages and Specific Product Information

  1. Be sure to have design packages available onsite for every product identified on your API Application or API Monogram Program License(s).
  2. A competent engineer must be available to review the design packages with the auditor.
  3. It is important to have product produced and documentation available for all designs. If not, questions about the facility’s Manufacturing Capability may be raised.

11.0 Retrieval of Information

  1. During the audit, the auditor may request information that is not immediately available. If records are in storage, this should be noted during the entrance meeting.
  2. API requires that information be available before the end of the audit. Do not wait until the last minute; ensure there is sufficient time for review.
  3. If the auditor claims retrieval took too long, remind them you formally presented it and it must be reviewed. If they issue a nonconformity for retrieval under these conditions, it can be contested.

Note: Maintain a list of documents that need to be retrieved but are not immediately available. Mark any documents the auditor refuses to review, so the record can be used to respond to nonconformities.

12.0 Extending the Audit / Working Late

  1. Prior to the audit, the auditor documents an Audit Plan and sends it to your company. The plan identifies at a minimum:
    • Total number of audit days and onsite time
    • Areas of the QMS to be audited
    • Approximate schedule of which subjects/departments will be audited

A possibility exists that an auditor may request to take items back to their hotel under the guise of catching up with the schedule:

  • Documented information from the QMS or software screenshots
  • Specific departmental work instructions
  • Other related materials

The response must always be “no” — the information is proprietary and cannot go offsite.

  2. The auditor may request to work late or extend the audit. They must present clear reasons why the audit needs more time.
  3. By nature, auditors catch up with notes and documentation offsite in the evening. Once the plan is set, more time should not be necessary.

If extenuating circumstances exist (e.g., additional processes or facility areas not identified in planning), actual extensions may be needed. It’s important to cooperate if expectations are reasonable. For example: leaving late on a day may be fine, but staying until late night is not reasonable.

13.0 Responding to the Auditor

  1. You are the “technical experts” responsible for your system, not the auditor.
  2. Keep your responses at the tier 2 procedural level whenever possible
    1. If additional explanation is needed, drill down into tier 3 work instructions, forms, and documented reports
  3. Manage the flow of information and the response
    1. Answer the question presented
    2. Be succinct; do not go into unnecessary details
    3. Watch the audit trail to see where the auditor may go next
    4. Ensure the auditor confirms their understanding of your response
  4. Do not allow the auditor to lead you into unnecessary situations
    1. Rapid questioning
    2. Making assumptions or unsubstantiated claims
    3. Moving from one subject to another
    4. Not understanding the auditee’s or API’s requirements
  5. It is important for you and your team to keep the auditor on track

14.0 Identification of Nonconformities and Their Clarification During an Audit

  1. Review nonconformances and concerns with the auditor daily. Reason: due to travel, the auditor may not have time at the end of the audit.
  2. If you do not agree with an auditor’s position, professionally push back. Example: a nonconformity about a missing material test report (MTR) may be invalid if the product design did not require one. Exhaust all evidence before agreeing.
  3. When an auditor documents a nonconformity, ensure:
    1. That nonconformities are graded as:
      • Minor or isolated
      • Major or systemic
    2. The language is clear and you understand what is written. It is harder to clarify later with API.
    3. Sample size is specified. Example:
      • 1 gage out of 10 missing calibration frequency → minor
      • 7 gages out of 10 missing calibration frequency → major
  4. Nonconformities impacting product
    • API scrutinizes each one, especially when API Product Specifications are involved
    • If nonconforming product has been shipped, API may reject your response unless you can prove you informed customers

Note: Reviews should be done by at least two staff members. A second review often improves clarity.

15.0 Closing the Audit; Comments on the API Audit Report

  1. Fully review the API Audit Report before the auditor leaves. If unfinished, at least ensure nonconformities and concerns are presented.
    • Discuss any areas that are not factual
    • Professionally discuss wording or facts that misrepresent actual conditions
  2. The API reviewers will check evidence in the report. There is a comment section at the end:
    • Do not make positive comments if something was unwarranted
    • Positive comments may be seen as endorsement and weaken future complaints
  3. After the auditor leaves, they have about one week to upload the full report into MyCerts. Review uploaded info against what was presented onsite.
    • Any additional information not presented during the exit meeting is not allowable
    • This situation should be reported to API

Note: API reviewers may still upgrade a concern to a nonconformity, or document new nonconformities based on their own review.

16.0 Post-Audit Contact

After the auditor has left the site, there is no reason for you to contact the auditor or for the auditor to contact you. Be careful not to have any conversations after the audit. Reason: post-contact may create a Conflict of Interest situation.

17.0 Complaints About the Auditor to the API

Complaints may be made about auditor behavior, unprofessionalism, ethics, or conflict of interest. Complaints should follow API’s guidelines posted on their website under Customer Feedback / Complaints.
