How to perform an ISO 9001 audit of top management without fear

You are a junior internal auditor, and the internal audit manager has assigned you the responsibility of auditing top management in your organization. Are you afraid of the situation? Read this article to find out how to perform a top management audit according to ISO 9001 while doing what is expected of you, and how to leave a good impression on top management. It offers three key pieces of advice to guide your preparation and execution.

For more about how to conduct an internal audit, read the article Five main steps in ISO 9001 internal audit.

Use an objective, fact-based approach

You are the ISO 9001 expert in the conversation, and the conversation will be based on ISO 9001. Auditors should base their approach on facts and evidence, and steer clear of emotions and feelings. If you are afraid of auditing your top management, concentrate on the audit objectives and on the facts and evidence that you need to collect to do your job.

Remember that an audit is more about listening than questioning. So, when starting to audit a topic, use open-ended questions to get top management talking about the organization, what they do, and what the results are. Prepare your questions and do your homework. Ask a friend to impersonate top management and rehearse your audit. Ask your questions, analyze possible answers, and decide what will be acceptable evidence that you will ask to see.

Use ISO 9001 as a basis to prepare and perform your audit

Internal auditors follow ISO 19011:2018 when preparing and performing an audit, and they use ISO 9001:2015 as the main basis for developing their checklist. Here are the topics you’ll need to include in your top management audit:

  • Management commitment;
  • Context and interested parties;
  • Risks and opportunities;
  • Customer focus;
  • Quality policy, objectives, and action plans;
  • Responsibility and authority;
  • Internal communication;
  • Product and/or service and process performance; and
  • Management review.

For example, you can start your audit by asking top management what they can tell you about the context of the organization, and then compare their answer with all the internal and external factors that you know from being part of the same organization. Don’t just ask a dry, theoretical question about the context; frame the topic using examples relevant to the organization. These days, when I audit an organization in the European Union that exports into the UK, I introduce the context issue with a concrete question like: “How are you preparing your organization for the day after Brexit?”

Whatever the answer, ask if they have changed anything since last year, and how they monitor and update those topics. Then you can do the same with a question about the interested parties. Try to figure out if the identification was complete, if it makes sense, if it is updated, and if it is translated into action or monitoring.

When auditing objectives, performance, and management review, check and stress the importance of effectiveness. Where does top management want to lead the organization? How will they know if they were successful or not? What will they change in the way they do things to get there? What resources are needed? Who is responsible for the change? Is there an action plan? Who monitors execution and performance? Is there any evidence? For more about management review, see the article How to make management review more practical.

Use a language that top management understand and care about

Remember that you, as an internal auditor, most likely know more about ISO 9001 than top management does. If you start speaking in ISO language, you may lose top management’s attention during the audit because of a failure in communication. So, try to translate ISO 9001 requirements into plain English and, better still, into plain English with a business bias.

Don’t speak about obsolete documents; speak about the costs and loss of reputation that could happen because the organization is using obsolete documents. Don’t speak about quality control nonconformities; speak about money losses. For example, once, when auditing a hotel, I invited the general manager to make the translation of number of blocked rooms per month into money lost due to having no rooms available. He was so amazed with the figure in euros that he jumped off the chair.

In another example, an industrial organization was very proud of their low numbers for scrap material. So, they saw no need for action. They produced top-grade material, non-top-grade material, and scrap. I invited them to calculate the amount of non-top-grade materials and their average price to see how much they were losing for not selling at the top-grade price. And, as a final example, while auditing a healthcare organization I invited top management to translate post-operation infection rate into number of extra days of hospitalization and, from there, into euros not billable. They were speechless.

Money is a powerful language for top management to understand you, but it is not the only one. They also care about market share, customers lost or gained, margins and differentiation from the competition, and risks to avoid and opportunities to take advantage of. For more about bridging the barrier between the quality professionals and senior management, read the article Bridging the communications gap with management in the context of ISO 9001.

So, what if you find nonconformities?

If you find nonconformities, be polite and diplomatic when communicating them. Try not to surprise top management; instead, try to lead them to the conclusion themselves by comparing what you both find with the requirements of the management system. Remember, the aim of auditing top management is not to blame them directly, but to find possible nonconformities in processes together, as this is an internal audit and both sides are working to achieve the same goals for the organization.

For more help on how to perform an internal audit in your company, enroll in this free online training: ISO 9001:2015 Internal Auditor Course.

Carlos Pereira da Cruz
Carlos Pereira da Cruz has over 30 years of experience working as a consultant, trainer, and auditor with ISO 9001 and ISO 14001. He is a university teacher and author of several books on strategic management, ISO 9001, and ISO 14001, as well as an ISO 9001 author.