What an odd question you may respond, but is it really? Assuming we are talking about a typical organisation, where audits are planned in advance, conducted and reported in a more or less clearly defined manner, probably because of a mandatory requirement to undertake the audit, the question becomes more reasonable as we look closely at audit operations.
Remaining with our organisation that has perhaps an ISO9001 registration - and therefore a requirement to conduct internal audits as part of the maintenance of registration process - there is a management appointee having responsibility for the management system and consequently also the audit process. Driving this should be a Policy and an audit plan, although normally all one can see is an audit program, and that often defining what has happened rather than what should happen. However, whatever the planning or lack of planning, at some point an auditor sets forth to conduct an audit on some hapless individual or group.
All auditor training following the lead of the ISO Standards, specifically require the auditor to Plan the audit. There is planning and there is planning, and a successful audit is as much dependant on the planning as the execution. Given that an audit is meant to provide information to assist the management of the organisation, the planning of the audit should reasonably to be concentrated around the goals and objectives of that organisation. It is an unfortunate fact that such in depth planning as exists is rarely concentrated on the needs of the organisation as would be seen by a review of its business plans and objectives. Internal auditors have an innate pre-disposition to audit against requirements they believe important, and report anything and everything that offends against this perception of business priorities, regardless of significance. Internal auditors also tend to believe that their business managers have no appreciation of the job the auditors perform, or the benefits they think they bring to the organisation. It isn't surprising that both the auditors and their near supervision also usually think and believe that because of the managerial indifference to their audit work the same managers don't care about Quality or management systems.
So who does own the audit? For organisations typified here clearly the auditing group are the effective owners of the audit since their audit practice has alienated those who should be concerned with the outcome of each audit. In such companies it is the auditors who go after corrective actions, and 'escalate' issues to senior management. The same auditors fail to appreciate that it is their failings that lead to a rejection of internal audit as a tool for supporting process improvement. So long as the internal audit process is conducted as a confrontational exercise this situation will continue. But it doesn't have to be so. Organisations must change from internal audits that are remotely defined planned and reported, to a situation where audits are conducted directly for operational managers. Conducted also by auditors who know the management procedures and consequential requirements for assurance. Only then can internal management audits become a welcomed assessment of individual and collective performance and achievement, and produce results that enable the auditee and auditor together to rejoice in an activity and achievement that furthers the objective of individual and the organisation. This however will not happen while organisations act as though internal audit is a necessary evil, to be conducted as a damage limitation exercise, using auditors having no understanding of the basic fact that internal auditing is a social skill quite as much as it is a technical skill.
Remaining with our organisation that has perhaps an ISO9001 registration - and therefore a requirement to conduct internal audits as part of the maintenance of registration process - there is a management appointee having responsibility for the management system and consequently also the audit process. Driving this should be a Policy and an audit plan, although normally all one can see is an audit program, and that often defining what has happened rather than what should happen. However, whatever the planning or lack of planning, at some point an auditor sets forth to conduct an audit on some hapless individual or group.
All auditor training following the lead of the ISO Standards, specifically require the auditor to Plan the audit. There is planning and there is planning, and a successful audit is as much dependant on the planning as the execution. Given that an audit is meant to provide information to assist the management of the organisation, the planning of the audit should reasonably to be concentrated around the goals and objectives of that organisation. It is an unfortunate fact that such in depth planning as exists is rarely concentrated on the needs of the organisation as would be seen by a review of its business plans and objectives. Internal auditors have an innate pre-disposition to audit against requirements they believe important, and report anything and everything that offends against this perception of business priorities, regardless of significance. Internal auditors also tend to believe that their business managers have no appreciation of the job the auditors perform, or the benefits they think they bring to the organisation. It isn't surprising that both the auditors and their near supervision also usually think and believe that because of the managerial indifference to their audit work the same managers don't care about Quality or management systems.
So who does own the audit? For organisations typified here clearly the auditing group are the effective owners of the audit since their audit practice has alienated those who should be concerned with the outcome of each audit. In such companies it is the auditors who go after corrective actions, and 'escalate' issues to senior management. The same auditors fail to appreciate that it is their failings that lead to a rejection of internal audit as a tool for supporting process improvement. So long as the internal audit process is conducted as a confrontational exercise this situation will continue. But it doesn't have to be so. Organisations must change from internal audits that are remotely defined planned and reported, to a situation where audits are conducted directly for operational managers. Conducted also by auditors who know the management procedures and consequential requirements for assurance. Only then can internal management audits become a welcomed assessment of individual and collective performance and achievement, and produce results that enable the auditee and auditor together to rejoice in an activity and achievement that furthers the objective of individual and the organisation. This however will not happen while organisations act as though internal audit is a necessary evil, to be conducted as a damage limitation exercise, using auditors having no understanding of the basic fact that internal auditing is a social skill quite as much as it is a technical skill.