Failure to properly manage audit actions can have disastrous consequences. In this blog, safety expert Bridget Leathley brings us through the 5 reasons why audits fail.
What is an audit supposed to do?
A management system is the sum of an organization's structures, roles and responsibilities, processes and plans for achieving an objective. Management system standards cover many topics, including quality, environment, information security, and occupational health and safety.
The role of an audit is to collect and evaluate evidence to check that a management system is working as expected, and to find opportunities for improvement. Accreditation audits are carried out by external bodies to check that an organization meets a particular standard, such as the international standard for occupational health and safety management systems (OHSMS) ISO 45001. However, internal audits of OHSMS are essential, whether or not an organization is seeking external accreditation.
There were many, many mistakes that together led to the devastating fire at Grenfell Tower in London in 2017, killing 72 people. As well as construction issues during refurbishment, the Grenfell Tower Inquiry highlighted failures to manage audit actions.
Over many years, audits of the organization responsible for Grenfell Tower discovered that thousands of fire risk assessment actions, along with other safety actions, were not being dealt with. Actions identified in one period were not always followed up in the next review. The list of actions became longer and longer. It is believed that there were over 5000 fire risk assessment actions outstanding at the time of the fire.
It was no surprise to find in the many, many documents on the Grenfell Inquiry website, an Excel spreadsheet being used to record and track actions from various audits, and in another case, an action table buried inside a pdf.
Grenfell was not the first major accident where following up actions from earlier audits might have prevented disaster. In 1983 an audit of an offshore oil installation recommended that firefighting pumps should be left in automatic mode when there were no divers nearby. In 1988, there was an explosion which prevented staff getting to the controls to operate the firefighting pumps. The audit action hadn’t been implemented – the pumps were on manual, the fire spread, and 167 people died on Piper Alpha.
Why audits fail – and what you can do about it
Here are five reasons why audits fail - and what you can do about it.
1. Lack of resources
Audits might seem like a ‘nice to have’. If resources are stretched, we always want to focus on getting on with the main job. But you could be throwing money away – audits might identify activities that could be removed because they aren’t adding to safety, or errors that are perpetuated because no one has looked for them.
Overcome this problem by planning. Focus audits initially on the areas where you have most to gain. This could be higher-hazard tasks, more frequent tasks, or locations where there is a higher-than-average number of incidents. If the audits are in the work plan, it will be easier to negotiate the resources needed. Make sure you have the right audit tools – walking around with a ring binder full of paper notes makes an audit challenging.
Picking a mobile solution that allows you to add photos, document and sound recordings into each audit finding will reduce the time spent to report results.
2. Lack of competence
Internal audits are sometimes delegated to junior staff, because they are cheaper and it is seen as a useful way for them to learn about an organization. While shadowing an auditor would be an excellent learning process, someone new to an organization might not be sure what they are looking for, or what they are seeing. Is the ladder being used correctly? Is that the right sort of PPE for that job?
Some audit tools will provide images to support audit questions, so the auditor can compare what they see with what they should be able to see. Make sure people have appropriate training to understand the purpose of an audit. When I asked one untrained auditor how his site was so perfect every month, his answer astonished me. ‘I thought the purpose was to tick everything on the list. I didn’t realize we were supposed to find problems.’
3. Auditing work as imagined, not work as done
During lockdown, some audit organizations were offering remote audits. Necessarily, these focused on what the available paperwork said was happening. Some audits, even when there is an opportunity to look further, focus on what has been written down.
Auditing neat paper forms full of ticks gives a reassuring feeling that all is right with the world. But when were the ticks added? And do they represent real checks made? It used to be that the only clue I had that housekeeping checklists or hazard checks had been completed an hour before I arrived was that they were all in the same pen; in real time, people rarely use the same pen every time.
Now, electronic checklists make it impossible to retrospectively tick multiple weeks – every check is time-stamped, and in many cases tagged to a location and a person. But even this doesn’t go far enough – when you audit, how do you know the check was actually made? One approach is to ask people to show you how they make a check. If there is a systematic failure, it might be because people don’t know what to do.
In one organization I found manager after manager at different sites who couldn’t show me how to make all the checks that they had been signing off. What started as an audit became a coaching session.
4. Audits for ‘assurance’
The perception of audits is often that they should provide assurance that all is well, so auditors feel pressure to produce favorable findings. You need an auditor who will unsettle any cozy view that everything is fine: you want them to look for opportunities for improvement.
I’ve worked with organizations where managers are ‘scored’ on how well they do in a six-monthly audit. As a result, they don’t raise any issues, they won’t admit where they can’t meet a safety requirement because of lack of resources, and they will hide problems from a casual auditor who looks only at the paperwork. Senior management will think everything is fine – until something goes badly wrong.
Be skeptical if audit results are always positive. Auditors are not doing their job if they don’t identify areas for improvement. Audits are more impartial where there is support to collect other forms of evidence – such as photographs of equipment and workplaces, copies of servicing records, or readings from monitoring devices (such as temperature or pH).
5. Lack of independence
If the auditor is the person who created the system, it will be difficult for them to find faults. External auditors can be more independent, but they can suffer from not understanding the organizational context, and they can still be biased by wanting to please the customer.
Many businesses find a successful approach is to use managers from a different department, or for multi-site organizations, from a different location. They will understand context and share the goal of wanting the business to be successful, but can retain objectivity because their job is not at risk.
Additional benefits arise when departments talk to each other during the audit, with lessons shared and best practice from one area applied to another.
An audit that only checks the paperwork is unlikely to find opportunities for improvement. Auditors must be trained and supported with the time and tools to do a good job, and encouraged to look beyond the tick boxes. Where actions are identified to improve the OHSMS these must be followed through – not left in an Excel spreadsheet to be discovered when something goes wrong.
If you want to learn more about how to effectively manage actions through to completion, learn more about our Corrective Action Tracking software.