Home Resources Blog November 2018

The Imperative of Leadership

07 November 2018
So far in this series we have looked at five audit imperatives, the imperatives of culture, assurance, improvement, governance and context. It is now time to consider the sixth and arguably most important of all the audit imperatives, that of leadership.

We now recognise that these are all topics that a competent management systems auditor must not only understand, but must be remain actively conscious of when carrying out assessments, because each and every one of these will impact the manner in which the audit is conducted, and the results that the audit achieves. 


This article examines the relationship between leadership and auditors from two perspectives.

Firstly, we consider the role auditors play in ensuring that organizations are being effectively led. In most organizations it is not practical or indeed possible for stakeholders to be present on site in order to determine for themselves that their requirements are being suitably addressed. Instead they must rely on us, management system auditors, to act as their advocates. We are entrusted to confirm on their behalf that the organization’s leadership are acting in the best interests of those the organization was established to serve. Unfortunately, recent high profile corporate governance failures have highlighted to us that this is not always the case. It is precisely in these instances that internal audit must be prepared to report any failings they discover in the way the organization is being led. 

Secondly, we will consider auditor’s as leaders in their own right, as individuals who are ideally placed to drive through change within their auditee’s organizations. Whether you are a first, second or third-party auditor you must posses the necessary gravitas to get things done. Simply identifying risks, issues and opportunities for improvement is not sufficient if the auditee then fails to act upon these. How should an auditor respond when faced with a top management that refuses to move forwards? How can they persuade those in authority at the most senior levels that things must be done differently in the future? These are not insignificant challenges, but they are challenges that all auditors must overcome. Later in this article we’ll consider he we might go about engaging the senior management team but first we need to understand what we mean by ‘leadership’.

What is Leadership?

‘Leadership’ and ‘management’ are terms which are often used interchangeably however there are actually very different functions and it is important that auditors understand this difference.  Peter Drucker was an acknowledged pioneer in the development of management education and the inventor of the concept of management by objectives. He summed up the difference between leadership and management in the following quotation:

 ‘Management is about doing things right. Leadership is about doing the right things’

What Drucker is telling us here is that management focusses on control, organisation and planning whilst leadership is about inspiring and motiving people, bringing people with you because they want to come with you, not because you tell them to come with you. 

Warren Bennis, author of ‘Becoming a Leader’ also put it well when he said:
‘Leadership is the capacity to change vision in to reality’

Great leaders have the ability to translate their ideas and aspirations into something tangible – to make dreams a reality, however difficult this may be. They are prepared to challenge convention and break down barriers to achieve their goals. This is very different from the orderly world of management where the head dominates the heart.

So, it is important for us to understand that management and leadership are not the same. It is perfectly possible for an individual to be a good manager but a poor leader, in much the same way that it is possible for an individual to be a good leader but a poor manager.

As auditors we should now be aware that the new annex SL based management system standards have taken us away from consideration of ‘management commitment’ to consideration of ‘leadership and commitment’. Whist this may seem like a minor change in wording, in practical terms this is a seismic shift, for not only are we now seeking objective evidence that the management system is controlled, organised and planned, but we are also seeking evidence that the organization’s top management are fully committed to the success of the management system and are visible and vocal in its support.

The Criticality of Good Leadership

Figure 1

Figure 2

Whilst the diagram in figure 1 is drawn from ISO 9001:2015, it is representative of many similar diagrams in other annex SL based management system standards. All of these place leadership right at the centre of the management system and identify the two-way relationships that need to exist between leadership and planning, leadership and support/operations, leadership and performance review and leadership and improvement. When auditing ISO based management systems we need to evidence that these relationships are not only in place, but are working effectively. 

Many auditors will have already noted that a number of ISO management system standards now explicitly recognise that effective leadership, as demonstrated by top management, is a critical success factor for the management system. Without such leadership the management system is likely to fail.

ISO DIS 9004:2017 Quality Management –Quality of an organization Guidance to achieve sustained success takes this further. This tells us that without effective leadership not only is the management system at risk, so too is the business overall. Leadership is once again identified as lying at the heart of organisations that enjoy success over time.  

Similarly, the CQI competence framework also places leadership at the centre of its model. This recognises that no matter how competent a quality professional may be if they cannot affect change within their company then their net impact on their organization will be minimal.  This model applies to management system auditors just as equally as it does to quality directors, quality inspectors or quality engineers. If we cannot make people listen to us we may as well not be there.

Indicators of Good Leadership

So, if ISO and the CQI believe that leadership is so crucial what should we as auditors be looking for in order to satisfy ourselves that an organisation is well led, as opposed to well managed? Here are some of the things that would help to convince me I was looking at a well led organization: 

  • The organization has a compelling Vision
  • It is working hard to make the vision real
  • There is a well-rounded executive team built on complementary strengths
  • The executive team ‘walk the talk’, they lead by example
  • The organization encourages innovation
  • Top management foster group identification, ‘we are all part of one organisation’
  • Top management encourage and support their employees
  • The organization invests in talent management, it develops its people
  • The organization consolidates gains before moving forwards
  • Top management succession plan, they recognize and accept that there will come a time for others to take over
  • The organization creates checks and balances to prevent absolute power corrupting

Do you recognise these characteristics in your own organization and its top management? You are fortunate if you do. 

Leadership in Annex SL Based Management Systems

Whilst the indicators of good leadership set out above can be applied to each and every business there are specific leadership requirements which relate to organizations who hold third party ISO management system certificates.

In the ISO world leadership requirements apply at all level of the organization, however when we talk about leadership the focus tends to be on top management. ‘Top management’ is one of 21 Annex SL core terms and definitions which means its meaning is universal across all annex SL based standards. Top management are defined as the ‘person or group of people who directs and controls an organization at the highest level’.  Here the scope of registration becomes important. If the third-party certificate covers just a single factory in a group structure, then top management are those individuals who control or direct that factory. If however the certificate relates to the organization as a whole, then top management will be the CEO and Board of that organization.

Irrespective of who top management are there are specific duties and obligations placed upon them, and as there are now actions that they are required to undertake, auditors will need to audit top management to ensure that they are meeting their obligations.

So, What are Top Managements Obligations? 

Well top management are required to demonstrate leadership and commitment with respect to their management systems by:

  • Ensuring that the management system policy and management system objectives are established and are compatible with the strategic direction of the organization;
  • Ensuring the integration of the management system requirements into the organization’s business processes;
  • Ensuring that the resources needed for the management system are available;
  • Communicating the importance of effective management system management and of conforming to the management system requirements;
  • Ensuring that the management system achieves its intended outcome(s);
  • Directing and supporting persons to contribute to the effectiveness of the management system;
  • Promoting continual improvement;
  • Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

The first three of the above start with the word ‘ensuring’. This means that top management are able to delegate this activity to others in the organisation – they simply need to ensure that it is completed. The last five bullets however are activities that top management are not allowed to delegate, they must carry these out themselves. This in turn means that auditors must audit top management to obtain the necessary evidence to confirm that they are fulfilling their obligations. If they are not this needs to be reported and corrective action put in place.

Top management also have an obligation to set a management system policy that is appropriate to the purpose of the organization. This must provide a framework for the setting of management system objectives and must include commitments to satisfy applicable requirements and to continually improve the management system. The auditor should verify that the policy is available as documented information and that it has been communicated within the organization and is available to interested parties as appropriate.

We should also determine that top management have assigned and communicated the responsibilities and authorities for relevant management systems roles within the organization. This includes making sure that top management have assign the responsibility and authority for ensuring that the management system conforms to the requirements of relevant International Standard(s) and for reporting on the performance of the management system to top management.

Annex SL based standards also mandate that top management shall review the organization’s management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. Auditors should place great emphasis on the contents of documented information relating to management review meetings. Annex SL standards are prescriptive in respect of providing agenda items which must be dealt with (as a minimum) at these meetings. I would expect these subject areas and more (business specific issues) to be covered at such sessions. I would expect a full or near full attendance from top management and evidence of comprehensive coverage of each and every agenda item. Anything less would set the leadership alarm bells ringing. 

Being Brave

ISO 19011 sets out a number of desire behaviours for auditors. Of these perhaps the one which is most important when auditing top management is ‘acting with fortitude’. This means the ability to act responsibly and ethically even though these actions may not always be popular and may sometimes result in disagreement or confrontation.  

Auditing top management will be a worrying prospect for many auditors. Whilst more enlightened members of top management recognise that being audited is a valuable check on their performance and a way to stop small problems from becoming big ones, others will see it as a threat to their authority and a challenge of their capability. This is understandable, no one likes to be criticised however there is no choice involved here – top management MUST be audited. Therefore, it is essential that auditors act professionally when they interview those in charge of the business. They must make them feel as if the audit is adding value and represents time well spent. To achieve this, auditors must plan ahead of the meeting, so they are clear on the topics they wish to discuss. We must focus on strategic matters such as policy, strategy and objectives, not minor issues far removed down the production line. We must demonstrate that they can understand and speak the language of the boardroom. We must not allow ourselves to become intimidated or misdirected from our audit plan as a result of being scared and we must never, ever misreport our findings if pressurised to do so. Who said the life of an auditor was easy?  

Demonstrating Leadership as an Auditor

So far we have concerned ourselves with the relationship between top management (effectively the organization’s leadership team) and the auditor. We have identified what we should be looking for to determine whether the leaders of organizations are acting in a manner which is consistent with meeting their stakeholder’s needs and expectations. For certificated organizations there are prescribed requirements that top management must meet (and which we as auditors must therefore check they are meeting), whilst for non-certificated organizations there are a number of indicators that we can use to help inform this decision. 

It is however appropriate at this point to also consider our own leadership abilities as opposed to the leadership abilities of our auditees. Whilst being an auditor is a very rewarding job it is also a very demanding job. It is highly pressurised, there is plenty of scope for potential conflict and disagreement and your credibility can be destroyed within seconds if the auditee proves you to be factually incorrect in your findings. The rewards are not great, hours are long, and the recognition of your efforts is not always there. So why bother? 

For me the answer has always been I’ve wanted to make a material difference and make the organizations I’ve worked for better places. In order to achieve this, I have had to consciously improve my own leadership skills in order to convince those in positions of power that change is required. This has been achieved through training and practical experience.  

With the introduction of annex SL based standards all auditors should take time to look at themselves, to carry out an honest appraisal of their own abilities. If you find yourself consistently struggling to get your messages across now is the time to upskill.


This series of Audit Imperative articles has sought to emphasised how important the role of audit is to organisations, and in particular the role of internal audit. Very often internal audit is seen as secondary to certification body audit, but this is an incorrect interpretation. Whilst third party audits are important because they determine whether an organisation will achieve or maintain its certification, it is internal audits that offer the greatest potential rewards to organisations if they are properly planned and appropriately resourced. The new version of ISO 19011 provides some excellent guidance as to how to achieve this and is recommended reading for those who need to design audit programmes, conduct audits or evaluate auditor competence.  
As auditors we do not always get the recognition that we deserve and, to be honest, some of this is undoubtedly our own fault. We do not always perform well, sometimes as a result of poor training or direction, and when we do, we do not always publicise our successes, so no one in the wider organisation knows we are doing well. Too often we are still seen as policemen, trying to catch our colleagues out and find errors. We must modify this perception. We are not working away, trying to identify our colleague’s mistakes because we want them to appear poor at their jobs. What we are actually doing is protecting our organisation from internal and external threats in a way that no other group of employees can do, by spotting problems before they have a chance to escalate and become major issues. Enlightened top management embrace internal audit because they recognise it is helping to keep them and their organisations out of trouble.  


Thank you for taking the time to read this series of articles. I hope that you have found them interesting and of some practical use. Most of all however I hope that they have served to convince you that as an auditor you are an important business professional who possesses skills and knowledge that is of great value to your organisation. Do not forget this and do not allow your organisation to forget this either.  I wish you every success in your audit career.

Richard Green