Do External Audits bring Change?

It depends – I think this isn’t the right questions but is a substitute for a harder question, namely;

What level of trust and influence do internal Safety personnel have with key decision makers?

An audit by definition is an assurance activity which identifies that the initial controls and front line checks are completed as per the systematic approach adopted by an organisation. An external audit should not be a control activity which unfortunately I see all too often as per the 3 levels of defence model.

I would say that external audits help or substitute for the below groups of organisations

1. Those operational teams who have low trust dynamics with their Safety team or are unable to be influenced by their Safety teams
2. Those operational teams who have a lower amount of resources allocated to control and internal audit functions.
3. Organisations starting out on an improvement cycle with limited internal Safety resources (number and competence). One could argue is there even a need to audit here.

In an ideal world, external audits should confirm what the organisation already knows, has improvement or recovery plans in place for and provides assurance to the leadership team.

One trend I am seeing outside of the Project world is to only externally audit to either ISO or AS standards. In a Project setting typically a client will conduct a desktop to their own requirements against the Contractors management system and then audit to the system rather than their own requirements. As good as your internal audits are they are still prone to bias (and gaming) from both auditees and auditors and key critical controls of your system should be included with any generic standard audit. I would hope that all auditors should do this, even for accreditation audits, yet understand that all auditors aren’t equal.

To leave you with a bit of a brain buster around 3rd party verification – we trust our people with making decisions that materially can affect their own safety as well as the financial safety of the organisation. Yet we place a higher value on a relatively uninformed, transactional auditor relationship to give us the ‘real’ state of play, to verify that we are doing what we have said and committed to. I understand why we do it, yet do we often appreciate the trust tradeoff when we commission one of these audits? Is this even factored in? As without a mature mindset around transparency, governance and improvement, this will likely be the outcome from your teams – do, but do not believe.