How independent are your internal audits?

Breaking the Deadlock:

In our yachting world, we pride ourselves in our short communication lines, optimised collaboration at all levels and utmost reactivity. To achieve that, operators work in very tight-knit communities where everybody, in theory, knows what everybody else is doing.

That could create a challenge in terms of independence of auditors, but the code recognizes that challenge and words it. 

12.5 Personnel carrying out audits should be independent of the areas being audited unless this is impracticable due to the size and the nature of the Company. 

In a very large corporation, operational departments run production based on their own procedures and work instructions. At regular intervals, auditors come from the upper storeys of a tower in a big city and examine the situation on the work floor. They are arguably independent. They may have participated in the creation of general management systems under which the work place operates, but did not write the work instructions.

In a small shipping company, however, the situation is very different. The DPA and auditors often are very close to, or even the same as, the operational managers. They have often written the whole system under which the ships operate, very likely down to the working instructions. When they are on board for an audit, does it feel like an independent scrutiny, or more like a review of the processes they manage on a daily base? Is it unreasonable to assume that while performing an audit, if they find a failing, they will very likely rather question the people than challenge their own system?

Guidance 41 of IACS for auditors of the ISM code does recognise such a challenge, and addresses it particularly in the appendix on “captain owners”. IACS formally recommends third party internal audits in those cases.

Let’s look at various aspects of an audit that would benefit from third party audits.

  1. the experience of the auditors.

Granted, most DPA’s today have followed some formal training, and they probably have sailing experience, albeit not necessarily in the same branch of the industry, possibly even in a navy. Given that one does not want to burden the ships unnecessarily, the audits would typically be one per ship per year. At the end of the day, your typical auditor’s experience would be anything from two to ten audits a year, while the rest of the time, they polish the system or manage operations, being closely involved in the very processes they “independently” audit.

2. An audit or a survey?

Given the lack of experience, companies often give a preset plan or a check list for the auditor to fill in. A very commonly seen drawback of this is that the less experienced auditor will stick to it to perform a good job. Once a deficiency or shortcoming is observed, it is recorded and one moves on. To be clear, the existence of a deficiency is not in itself a non-conformity. There is a possibility that the deficiency is known, recorded and handled to satisfaction. If not, then the non-conformity is not the deficiency itself, but a failing in a system that allowed it to exist. The auditor should not rest before that failing is identified.

This is an internal process that should go way deeper than during an external audit. The time allotted for internal audits, and their subsequent analysis at head office level is generally too short.

(The existence or not of a non-conformity and its handling is the subject of its own, up-coming article)

3. motivation.

Clearly, the objective of the code is continuous improvement. In small organisations, it can be clouded by the motivation to show that the system works. Many people in management still have the credo that the system works well if no non-conformities are raised. I could not agree less. When I was auditing companies on behalf of the RO/flag, one of my KPI’s was the relation between near misses, internal non-conformities, and findings from external audits. In many cases, the external audits raised more findings than all internal processes together. Does that seem logical? How can one man, coming from outside, not knowing your system and learning as he goes, suddenly discover in one day more improvement information than what your own DPA department has raised over one year with its intimate knowledge of the working of the company?

4. …or the lack of it

I have lived that scenario many times: the audit goes on, notes are taken, then there is the closing meeting. The auditor reviews his notes with the captain or head of department ashore, lists his findings, then chooses the one or the few worth writing about. The others are supposedly in good hands, I trust you to handle it, there is no time to fill in 10 forms… for whichever reason, most of the improvement information is lost. In addition, the auditor may be sympathetic to the ship’s staff, and not willing to impose too much on their time as they have to remain in good working terms.

5. A fresh look.

As a DPA, I have had to argue with some operational managers on the theme of having known, trusted, close to home external auditors each time, rather than letting the RO use their local staff. My view was that using auditors without a previous knowledge of our system would increase the chance of improvement information being identified. I do believe that it can also help in the scope of internal audits. There is also the chance that, when the auditee is stuck with an issue, an internal auditor will feed the auditee answers. At that point, an external auditor would have to work with the auditee to figure out the answers from available documentation, and coach them at the same time.

In Conclusion:

To sum up the advantages of using a carefully chosen third party auditor for your internal audits, you would have an experienced auditor, performing a real audit without interference from in house objectives and agenda’s, allowing the management to learn as much as possible from the working of their operations without the stress of the penalties potentially associated with external audits.

Bonus points kick in when that auditor has R.O. external audit experience, is given time to process the collected information into a constructive report, and possibly coaches the company DPA staff if they stand in during the audits.

That solution also helps the quandary of “who watches the watchers?”.
The Crew and Systems department of your company also needs internal auditing. Who does that, again, with experience and independence?

(images from Safety4sea, ABS, SEATAM, ClassNK)