A Day In The Life Of An Auditor
I was recently presented with the opportunity to observe an audit of three ISO standards conducted by NQA’s Quality Principal Auditor, David Winterburn.
David has been involved in the certification industry for thirty years and has a wealth of knowledge about different businesses and their operations. He says one of the biggest challenges an auditor faces is keeping up with legislation changes, as requirements for meeting standards grow more stringent.
I joined David on a two-day audit, where he reviewed management systems and interviewed members of staff to assess whether their business met the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.
Affinity for Business
The client we visited was Affinity for Business, a clean and waste water retailer that sells water and sewage services to businesses, with customers ranging from SMEs to international airports.
Affinity for Business is a relatively new business, although Affinity Water, which is a water wholesaler and owned by the same people, has been a client of NQA for many years.
Following market reform in the industry in 2017, businesses gained the opportunity to select who their clean and waste water retailer would be. So unlike household customers, who don’t have a choice who they pay for their clean and waste water services, businesses can now switch to any retailer they like, the competition in the market was introduced to drive up customer services and make pricing more competitive.
Requirements for achieving compliance in this industry are demanding and there is much more that goes into being a water retailer than I realized.
As Safety, Health, Environment and Quality (SHEQ) Manager Rosemary Brown says: “it’s quite an interesting business. You turn a tap on and water comes out. You don’t really think about how it gets there”.
Interestingly, Affinity for Business is one of NQA’s first clients to be working towards ISO 45001:2018, the new standard for occupational health and safety management, and almost certainly one of the first in their industry.
The importance of certification bodies
While water companies are regulated by Ofwat and a number of other industry bodies, they also seek certification from accredited third party certification bodies as a way of demonstrating their commitment to the provision of quality services to their customers. Minimizing the impact their business has on the environment is equally important to Affinity for Business as they seek to provide a quality product to the customers they serve and communities they work in.
In addition to demonstrating their commitment to quality, achieving third party accredited certification provides a framework for developing the business. As Rosemary says; “certification provides a standard to work to internally. The fact that constant improvement is required means we don’t rest on our laurels”.
This is particularly important for Affinity for Business as it helps them stand out amongst their competitors, in demonstrating commitment to customers, the environment and their team.
“It’s a very competitive market and we need to be able to at least meet competitor qualifications, if not exceed them” says Rosemary.
ISO certification offers more than just credibility to Affinity for Business, however, as Rosemary says it “enhances what we do and allows us to develop new products”.
A typical day as an NQA auditor
So what does a typical day look like as an NQA auditor?
While factors such as business size, industry and environment will have an impact on how the actual day looks, the activities conducted by the auditor vary little as they seek to understand whether the client is meeting the requirements of the standard/s.
This was a Stage 1 audit, which focuses on reviewing the management system, checking implementation of the system has begun and raising findings to address prior to the Stage 2 audit.
As this audit took place over two days, I’ve detailed the events of the second day as the first day was spent reviewing internal policies and meeting members of the team.
7-9am: travel and breakfast
The day starts by travelling to the client’s site. This can involve anything from driving a couple of hours to getting up at 3am to catch a flight to get there. Luckily for me, Affinity for Business is based in Welwyn Garden City, so it wasn’t too early a start.
9am – 1pm: document assessment and interviews
The second day of the audit begins with interviewing a staff Health and Safety representative to understand how Health and Safety is managed and monitored internally. Evidence is provided in the form of processes, agendas and minutes that are shared with every employee.
The focus then shifts to the involvement of Top Management in addressing issues raised and implementing suitable solutions. While Health and Safety issues feature on the agenda for Management Review meetings, there are no minutes covering these discussions, suggesting these issues are not being addressed by Top Management.
Due to three different standards being audited there are a large number of documents to be reviewed, many of which are stored in different folders and locations on the company’s network, and the suggestion was made that creating a single repository could be a more efficient way of managing these documents.
One question that arose during the audit was how to demonstrate the competence of an internal auditor. As this individual needs to be able to provide objective evidence, they often sit outside the team responsible for implementing the management system and it may be unclear as to how to demonstrate competence.
I learned that in order to demonstrate competence as an internal auditor, there must be some form of documentation to certify this. A certificate from an external training course is suitable, but a memo of competence referencing their experience that has been circulated internally is also acceptable evidence of competence.
As with all standards, interpretation of clauses may vary and the requirement to meet the standard may appear unclear. The important thing is not to panic when you’re being audited – if a finding is raised, this is identified to help improve the operations of the business.
1pm – 4pm: reviewing policies and assessment collation
The final part of the audit focused on reviewing the policies for meeting each ISO standard and ensuring there was clear communication of who was responsible for the policy and the activity set out in the policy. This was a particularly useful exercise for the Health and Safety policy, as auditors are required to review incident logbooks to check that the policy has been implemented, and I learned that all incidents including near misses must be recorded.
After spending an hour finalising the report, David called the client back into the meeting room, summarised how the business was performing, highlighted areas of concern and advised he was recommending Affinity for Business move to Stage 2 of the audit process. A copy of the report was then emailed across for their reference and the date for the Stage 2 audit was agreed.
The business of being in business
One thing I learned from this audit is businesses are required to do much more than I realised to demonstrate compliance. In addition to being audited by a certification body they are likely to have an industry body they are accountable to, in addition to other legal standards they are required to meet.
Affinity for Business’ time and hospitality was much appreciated. It was great to observe evidence of their commitment to quality, environmental sustainability and occupational health and safety, and we’re looking forward to returning for a Stage 2 audit.