Generic audit of management systems: fundamentals

Author(s):

Stanislav Karapetrovic (Department of Industrial Engineering, Daltech/Dalhousie University, Halifax, Nova Scotia,
Canada)

...Show all authors

Abstract:

As competition in the global economy grows, management systems are becoming increasingly complex and diverse.
Management system audits, applied for the examination of system effectiveness and compliance with planned
arrangements, seem to be following the same path. This paper addresses the fundamental models, concepts, principles
and practices of management system auditing, with the objective of improving the consistency and effectiveness of
audits across quality, environmental, financial, safety, maintenance and other auditing disciplines. The concept of a
generic audit is introduced on the basis of the systems approach. Discipline‐specific audit definitions are analyzed, and a
generic audit definition is depicted. Quality, environmental and accounting audit principles are compared, and a set of
basic features of a generic audit is illustrated and discussed. Common audit practices are subsequently illustrated,
followed by an outline of the structure and content of a generic audit guideline, together with the proposed two‐prong
approach to the development of the generic audit.

Keywords:

Audit, Quality audit, Environmental audit, Audit standards, Systems theory

Type:

Technical paper

Publisher:

MCB UP Ltd

Copyright:

© MCB UP Limited 2000

Published by MCB UP Ltd

Citation:

Stanislav Karapetrovic, Walter Willborn, (2000) "Generic audit of management systems: fundamentals", Managerial
Auditing Journal, Vol. 15 Issue: 6, pp.279-294, https://doi.org/10.1108/02686900010344287

Downloads:

The fulltext of this document has been downloaded 5186 times since 2013

Article

Introduction

Choose
Section:

Wars of the future will not be waged for land or natural resources, but more so for information and knowledge.
Whoever is able to collect and make use of the relevant information from the extreme wealth of available data and
intelligence, will win. Even today, knowledge of adequate and pertinent information helps companies win the
competition wars. Satisfying customers with the quality of products and services is certainly one area of business that
requires timely and reliable information. In order to achieve this objective, a company must know not only what the
customers want, but also whether its operations and resources are adequate. Managers must retrieve the right
information for proper decision making. Do past performance and results indicate competent management? Do known
mistakes demonstrate bad decisions or just out‐of‐luck situations? Which improvements would rectify the undesirable
situation? Questions such as these demand correct and reliable examination of decision‐making processes and other
relevant criteria of business performance. A qualified and competent auditor can conduct such an examination and then
report the results to management. Auditing as a source of information has become very useful in modern business,
especially with businesses’ increasing complexities and pressures for continuous adaptation and improvement.

When in recent years formal management system standards, such as the ISO 9000 series, were successfully adopted by
international businesses, special system auditing was concurrently introduced. A manager can call on an internal or
external auditor to assess the implementation of the company’s quality management system. The auditor will then
conduct an impartial and competent examination of the compliance of the system with appropriate standards, as well as
an evaluation of the system’s suitability to achieve quality objectives (Karapetrovic and Willborn, 1998a). After an
external audit by an accredited registrar, in the case of confirmed compliance and suitability, the company becomes
publicly registered. With over 300,000 worldwide registrations to date, ISO 9000 quality systems and quality audits have
become a valuable support to management. Increasingly, quality audits are being used for the primary purpose of
continuous quality improvement, and not strictly compliance to stated requirements (Willborn and Cheng, 1994; Burr,
1997; Hunt, 1997; Russell and Regel, 1996; Russell, 1997; Gardner, 1997; Walker, 1998; Barthelemy and Zairi, 1994;
Wharton, 1997). This international success in the quality management field spurned other disciplines, such as
environmental management, to introduce their own management system standards (ISO 14001, 1996) and respective
auditing guidelines (ISO 14010/11/12, 1996). Unfortunately, substantial differences among the audits and audit
guidelines of various management systems still remain (Willborn, 1982, 1993; Karapetrovic and Willborn, 1998b).
Responding to the needs of business and the general public, making these audits more compatible has become an
important international issue.

In this paper, we examine the fundamentals of management system auditing, looking for ways to improve audits from
the management and the customer point of view, and to address increasing requests for the harmonization of discipline‐
specific audits. The need for a generic audit solution is presented, followed by a study of the definitions, concepts and
the fundamental principles and practices of auditing. Subsequently, the systems approach is used to illustrate the
concept of a generic audit. Interrelationships of the presented systems model and existing quality and environmental
audit guidelines are discussed, followed by an outline of the structure and content of the proposed generic audit
guideline. We conclude with a statement on the applicability of this work to businesses and standard writers who are
directed to make management system standards and corresponding audit guidelines more compatible and cost‐
effective.

Audit: the need for a solution

Choose
Section:

When people think about audits, they commonly perceive some formal examination of their tax returns by the
governmental revenue services. If one owns a business, accounting audits with the purpose of evaluating financial books
and activities may also come to mind. Audits have been a part of the accounting profession for centuries. In recent
decades, however, auditing processes have emerged in other business disciplines. At first, quality professionals started
to use what they referred to as “quality audits” for evaluation of quality programs and the effectiveness of these
programs to achieve quality objectives. Soon thereafter, environmental auditing of corresponding management systems,
as well as health and safety audits, came forth. Today, you can audit your maintenance engineering practices, ergonomic
programs or even perform a social or ethical audit (Vinten, 1998a). Questions about the similarities and differences of
discipline‐specific audits naturally follow such developments. Are the fundamental principles of auditing common to all
disciplines? Are the auditing methodologies used similar in nature? Are the levels of auditor qualifications and
competence comparable? How are audit programs, i.e. aggregates of individual audits, managed across disciplines?
Ultimately, if financial, quality, environmental, health, safety and other types of audits are compatible and similar in
nature, should they be somehow aligned and integrated for the purposes of saving resources and eliminating
redundancies?

Pressing the issue of audit harmonization and integration is the related development in management systems. The last
15 years have seen the explosion of management system standards in the fields of quality assurance and environmental
management and the proliferation of industry‐specific guidelines for management systems in automotive,
telecommunication, software, health and other industries. Faced with such a wealth of standards and guidelines
describing management systems, many companies have started aligning and integrating their respective systems for
quality, environmental and safety management (e.g. Kurtzman and Brewer, 1997; Hofmann and Trory, 1996; Wilkinson
and Dale, 1999; Beechner and Koch, 1997, Karapetrovic and Willborn, 1998c and d). However, when requiring
registration of integrated management systems, the visits by separate quality and environmental audit teams,
performed according to different schedules, at different times, and using different methods, would shatter their
expectations of a like integration of audits. And even if a registrar shows up with a joint team of auditors, problems
related to independent and unrelated internal quality, environmental, safety and financial audits are far from being
solved. The following are just a few of such problems:

• duplication of efforts across different audit programs;

• inconsistencies in applying separate audit guidelines and procedures;

• diminished cost‐effectiveness;

• disagreements among audit teams on common or related issues;

• unnecessary multiple interruptions of auditee departments;

• misalignment of audit objectives and principles;

• lack of a unique and coordinated audit policy;

• difficult communication of contrasting audit results;

• missed synergy benefits (system is better than a sum of its parts);

• restrained sharing of resources and expertise of auditors;

• difficulties in internal auditing of integrated management systems.

All these difficulties, paired with the increased pressures for harmonization of management systems and related audits
(Karapetrovic and Willborn, 1998b, Wilkinson and Dale, 1999), point to the fact that some changes in the direction of
alignment and integration of management system audits are required. However, the extent to which these changes are
to be performed still remains an open question. Understanding the different issues and objectives that drive quality,
environmental, financial and other audits, as well as the distinct qualifications and competencies of auditors, some
companies simply request simultaneous audits of their management systems. This would involve separate audit teams,
under separate management, but the audits would take place at the same time. Others demand an additional level of
harmonization, relying on a single audit team, with team expertise spanning different disciplines. Such an approach
would call for a joint audit. In a joint audit, quality and environmental auditors may, for instance, conduct their
examinations separately, but would follow the same audit plan, have the same team leader, and conduct a single
opening/closing meeting. Yet another level would require an integrated audit, where discipline‐specific audits would
lose their separate identities. Integrated audits require auditors competent and qualified in several disciplines, and
would be conducted as a single audit, from planning and design, through execution, to reporting and completion.
Obviously, a solution is required that could accommodate these diverse requests, and at the same time, provide for an
integrative approach to management system auditing. We believe that the concept of systems‐based generic auditing,
together with a sound generic audit guideline, will attain this objective.

In attempting to present this solution, we proceed with a discussion on the meaning of the generic audit concept, and
the proposed systems approach framework.

Generic audit: the systems approach

Choose
Section:

Generic audit

In the realm of management systems, “generic” is the term commonly used to describe systems or associated
frameworks that transcend industry or geographical boundaries. For instance, ISO 9000 and ISO 14000 are generic
management system standards that are universally applicable to virtually any organization, regardless of its size, place of
business, ownership or market environment. In particular, ISO 9000 standards have been successfully introduced in
manufacturing, service and non‐profit organizations in over 120 countries (ISO, 1998). Such use of the term correlates
with its prevalent meaning of “belonging to, or being a characteristic of, a group or class”, and its synonym “universal”,
found in most dictionaries (e.g. Webster’s, 1973; Drysdale, 1990). Typically, the group, class, or “genus” referred to is a
discipline‐specific management system. For example, the standards from the ISO 9000 series belong to the quality
management group/class, and can be universally used for quality management. The same is true for ISO 14000 and
environmental management, and so on.

The current needs of industry, however, are propelling the move away from discipline‐specific systems, towards all‐
encompassing or integrated management systems and related audits (Wilkinson and Dale, 1999; Karapetrovic and
Willborn, 1998c). Therefore, we propose to broaden the term “generic” to include a class of audit that would span
across quality, environmental, safety or financial disciplines. A “generic audit”, and the corresponding guideline, would
be universally applicable to any management system, irrespective of its purpose, boundaries, location or outputs. An
organization could use such audits to examine the effectiveness and efficiency of a quality management system, to
assess the compliance of an environmental management system with appropriate standards, or to improve upon
existing safety and ergonomic practices. It could also apply a generic audit if only one formal management system (say
the one for quality) is in place, or if separate systems exist, or even in the case that the organization is operating an
integrated management system for quality, environmental, safety, ergonomic, maintenance, financial and other
purposes. Generic audits would provide a consistent, systematic, independent and objective service aimed at continuous
improvement, to the various levels of the hierarchy, from top management to frontline personnel. In other words, this
kind of audit would extend over many business dimensions and be discipline‐, location‐, organizational size‐,
product/service/process type‐, hierarchical level‐ and industry‐generic.

Inherent in its generic character is some level of harmonization and possible integration of existing discipline‐specific
audits. This would involve the adoption of identical or at least compatible characteristics of well‐established quality,
environmental and financial auditing guidelines, but also some blending or alignment of their dissimilar attributes.
Willborn’s (1982; 1993) work on the compilation and comparison of quality and financial auditing guidelines provides a
source of defining such characteristics. Naturally, a generic audit would have to be flexible enough to accommodate
diverse functional objectives, and yet sound enough to ensure consistency of the application and achievement of the
common audit policy of an organization. So, how can we systematically accomplish these antagonistic goals without
losing the important benefits of the generic audit? As commonly is the case, half of the answer lies in the question, or to
be more precise, in one of its parts: “systematically”.

Systems approach in auditing

The main purpose of a generic audit is to respond to the users’ needs for a practical, clear and consistent introduction to
the auditing of management systems. This can best be achieved by viewing and presenting all auditing decisions and
activities directly in relation to the stated objectives. Once we know the purpose and objective (i.e. “Why do we want an
audit?”), the audit can be planned (“How do we do what we want to do?”), resources are determined and provided
(“What do we need to do it?”), auditing processes are performed (“Where, when, how and who will do it?”), and results
are communicated and reviewed (“How do we know that we have done what we wanted?”). Namely, we apply the
logical systems approach, where a “system” is conceptualized as a set of interrelated processes and resources for
achieving a common objective (Karapetrovic and Willborn, 1998a). The above‐mentioned sequence of activities flows
irrespective of any particular auditing discipline, and is in fact common to all management activities. Karapetrovic and
Willborn (1998b) illustrate this “generic” virtue of the systems approach with respect to auditing using an example of
the current quality (ISO 10011, 1990) and environmental (ISO 14010/11/12, 1996) auditing guidelines.

The main advantage of the systems approach in generic auditing is that it focuses on the examination of
interdependencies of management system elements within a particular discipline, but also across quality,
environmental, financial and other disciplines. This provides for a better understanding of the overall business system,
and alignment of underlying management systems toward the global organizational goal. According to Goldratt (1990),
the pioneer of the theory of constraints and synchronous manufacturing, making more money now and in the future is
such a goal for most businesses. In essence very similar and compatible with the systems approach to management,
Goldratt’s theories demonstrate an all‐encompassing management philosophy that includes a consistent set of
principles, procedures, and techniques in which every action is evaluated in terms of the common global goal of the
organization (Srikanth and Cavallaro, 1987). All organizational elements, meaning the various processes, resources and
objectives, should be inter‐linked and geared to achieve this common goal. While they were initially designed for
manufacturing problems in inventory control and scheduling of operations, Goldratt’s principles can be applied in other
areas, such as auditing.

The systems approach in auditing allows for the optimization of quality, environmental, health and safety, ergonomic
and financial audits towards a single global objective (say to continuously measure and improve organizational
performance), rather than optimizing separate audits with respect to unrelated objectives. The latter approach, dubbed
“mechanistic” by Hirzel (1998), inevitably leads to sub‐optimization and waste. Explaining why the systems concept is
more appropriate in today’s business environment, Hirzel (1998) states:

The mechanistic approach emphasizes the reduction of responsibilities and tasks into separate manageable elements.
But more can be learned about an organization by examining the whole and its relationships and patterns.

Because all audit elements (processes, resources and individual audit objectives) are subjected to the achievement of
the global auditing goal, the audit system becomes inherently dynamic and adaptive to the changes or disturbances in
the system environment. For a further discussion on the dynamic properties of auditing, see Peters (1998) and Willborn
(1990).

For example, if a company’s market share has decreased, a series of generic audits covering different functions can be
immediately scheduled and conducted to discover the causes of poor performance. The focus is placed on the most
important causes that bear the largest risks if not corrected and prevented. It could be found, for instance, that a
combination of a steadily decreasing quality and reliability of a particular product, paired with its poor environmental
performance and an increased cost of the product distributors’ services, is the main source of the share decline. Without
the systems approach in auditing, all that could be affirmed are separate quality, environmental and financial problems,
that individually may have caused only negligible damage.

Therefore, a generic audit is conceived as a single system, a set of interdependent quality, environmental, financial and
other discipline‐specific audit processes, that function harmoniously and using various human, material, information and
infrastructure resources, are aimed at achieving a common organizational audit objective. Depending on the required
focus and individual organizational objectives, this flexible system can be leveraged to attain specific quality,
environmental, safety, etc. goals. For example, as illustrated on top of Figure 1, if we want to improve environmental (or
quality) performance, our generic audit will become an environmental (or quality) audit system. The generic audit
system is also a subsystem of the generic business system (Figure 1: bottom). Discipline‐specific audits are, therefore,
subsystems of quality, environmental and other management systems.

Viewing audits in this manner certainly stands to reason. Successful organizations, smaller ones in particular, manage
their business in an integrative fashion. Namely, they simply design and implement whatever processes and resources
necessary to achieve the objectives of growth, improvement and profitability. Therefore, they only have a single, generic
business system, and separate quality, environmental, financial, human resources management systems are just
manifestations of this generic system with respect to different product or service dimensions. The quality dimension, for
instance, relates to the ability of the product or service to meet customer requirements, and in order to ensure this
performance, adequate processes and resources are combined into a quality management system. However, the
product or service is unique, and we can not physically separate its quality from, for example, environmental
characteristics. The same is true for management systems. Under the systems view, audits are recognized conceptually
and practically, as directly connected to the respective management systems. As an independent subsystem, the generic
audit serves as an effective and important aid in the management of a generic business system. For a more detailed
description of the linkages between audits and respective management systems, the interested reader is referred to
Karapetrovic and Willborn (1998a‐d).

To ensure proper interdependencies of discipline‐specific audits, as well as an adequate alignment of audit objectives
and processes, the following two sections represent a generic audit definition, principles and practices, as well as an
outline of a generic audit guideline. The audit principles introduce the systems view by first outlining basic audit
purposes and objectives, followed by adequate audit planning and resource deployment, reliable processes for
evaluating relevant evidence, and reporting unbiased judgments. Finally, the auditor’s competence as the human agent
in such an audit system is seen as the most important prerequisite for achieving audit objectives. Here again the systems
view applies, as is explained in the generic audit guideline.

Auditing definitions, principles and practices

Choose
Section:

Definitions

The understanding of what auditing is and what it is not differs with the areas and types of application. In the auditing of
management systems, for instance, the ISO 10011 (1990) guideline for quality audit specifies that the auditor evaluates
the suitability and effectiveness of the system implemented by a company. The similar guideline for auditing
environmental management systems, namely ISO 14011 (1996), considers that such a general judgement of the system
effectiveness is not the responsibility of the auditor, who is only to verify compliance with audit criteria. Still, both these
international audit guidelines have many similar, if not identical, features and requirements (Karapetrovic and Willborn,
1998b). This is hardly surprising, considering the shared history and close ties between the quality and environmental
technical committees (TC 176 and TC 207 respectively) that drafted the guidelines.

In order to be able to conceptualize a generic audit, we have to come to some operational definition of the audit. Table
I presents a selection of available audit definitions from a total of ten dictionaries, guidelines and standards, together
with brief comments on the acceptability and effectiveness of each definition for generic audit purposes. The selection
indicates a diverse understanding of auditing in various disciplines, including quality, environment, software
development and external financial accounting. Nevertheless, the essence of auditing as an independent, listening,
examining, evaluating, and reporting activity, as well as a management information source, is also emphasized. On
examination of these concepts, the following definition of a generic audit is suggested: “Independent and documented
system for obtaining and verifying audit evidence, objectively examining the evidence against audit criteria, and
reporting the audit findings, while taking into account audit risk and materiality”. This definition is based on the current
developments at the international level, namely the ISO 19011 audit guideline. It is relatively brief, applicable to all
management systems, and may include product and process audits, if required. It may also embody examinations of
suitability and effectiveness of a management system to meet objectives, but can also be reduced to a simple evaluation
of compliance. Another advantage of this definition is its agreement with the systems approach (an audit is primarily a
system, especially a management support system, rather than a management tool). To illustrate interrelationships
among other concepts related to the audit, including the audit system, audit program, audit processes, resources and
policies, a concept diagram is presented in Figure 2.

Principles

Apart from the understanding of the term “audit”, in the century‐old auditing practice, certain basic commonalities have
evolved even as the business environment has changed. We can refer to these commonalities as “audit principles”,
defined in the words of Schandl (1978) as “a group of guidelines or recommendations to be followed in auditing practice
if we want a good audit, a correct opinion or judgement.” Historically, the earliest known auditing dates back to ancient
Rome, where an auditor was a public officer who observed certain transactions and reported them if a
misrepresentation occurred (Schandl, 1978). Interestingly though, the ancient accounts of auditing maintained several
fundamental principles that are still common to audits today. For instance, auditors were independent, i.e. not a party
to the proceedings, they were objective in their observations and they had a duty to report the findings. Therefore, in
spite of the passage of time, the auditing practice in general, and auditing principles, remain basically unchanged. While
the ISO 10011 (1990) quality audit guideline implies most of these principles, the subsequently published one for
environmental management system lists auditing principles in a special document (ISO 14010, 1996), that logically
precedes the audit process (ISO 14011, 1996) and auditor qualifications (ISO 14012, 1996). Although the principles of
sound auditing have been widely used and are well established in the accounting and internal auditing fields, such an
explicit listing of audit principles in environmental management has greatly helped to enhance the understanding of
management system auditing.

Figure 3 (top) lists in a tabular format the fundamental audit principles from three different sources: accounting, quality
and environmental management. It shows compatibility among the essential rules for guiding auditing activities. For the
purposes of planning, conducting and improving upon generic audits, these principles could be streamlined on their
common basis, and perhaps augmented with a general principle of continuous improvement. For instance, Arter (1998)
states the following five universal principles of auditing:

1. 1 audits indicate if adequate controls are in place;

2. 2 auditors are competent;

3. 3 audits are proficient, fact‐based, and performed professionally;

4. 4 audits result in information that meets auditee needs and allows problems to be corrected; and

5. 5 audit systems are managed for excellence.”

After taking into account the stated principles from different management fields, a set of principles that could be used
for the generic audit is proposed. This set, arranged according to the systems approach, is presented in Figure 3
(bottom).

The purpose of outlining auditing principles is to guide good auditing practice, especially in the management system
area. While most auditors and their clients would agree with these principles, detailed practices still vary. One major
concern is that some of the stated principles are still unknown or may be violated in practice. For instance, proper audit
methods, such as statistical sampling techniques, may not be applied systematically in all audit disciplines. The auditee
or the client may perceive audit results as inconsistent and based on inadequate data, questionable evidence, or second‐
rate judgements. Auditors may be inadequately trained and possess unverified qualifications and competence. Their
work may be perceived as inconsistent (Stratton, 1995). Although such a faulty auditing performance appears to be an
exception, there is a need for upgrading and continuous improvement of management systems auditing (Willborn and
Cheng, 1994; Walker, 1998; Stratton, 1995; Druckman, 1997; Stranak and Stratton, 1997). A statement of common audit
practices may facilitate such improvement.

Naturally, any such integrative effort would require a relatively broad consensus of interested parties from different
disciplines. Rather than working in parallel on similar and compatible issues, as was done in the past (see Vinten (1998b)
on the contested territory of internal audit), stakeholders in the auditing issue should sit together, work out a common
ground, and use the inevitable synergy effects to their advantage. Representatives from various international
professional organizations, including the Institute of Internal Auditors (IIA), International Federation of Accountants
(IFAC), joint quality and environmental auditing committee under the umbrella of the International Organization for
Standardization (ISO), and other concerned bodies, should certainly be involved. This joint group could then be given a
task to develop a set of generic auditing guidelines, using the input from all relevant sources (such as existing audit
standards) and disciplines. The ISO format of making decisions by consensus seems to be useful for this work. Once
drafted, these guidelines would be adopted by all participating bodies as international standards, and a permanent
committee would revise and improve them according to the needs and state‐of‐the‐art developments. The use of the
guidelines should be championed by international and national professional organizations, including for example the
American Society for Quality (ASQ), the Chartered Institute of Public Finance and Accountancy (CIPFA), and the
American Institute of Certified Public Accountants (AICPA). Undoubtedly, these common auditing standards should be
included in the body of knowledge required for auditor qualifications, regardless of the auditing discipline. A more
detailed proposal for such guidelines is addressed later in the paper.

Practices

Perhaps of all the characteristics of discipline‐specific audits, the most common are the accepted practices of planning,
conducting and reporting on the audit. Audit practices, or the audit process, relate to the flow of activities from the
conception of an individual audit to the evaluation of whether the audit has achieved set objectives. This is the area that
will probably bring the least contention among experts from different audit disciplines (Karapetrovic and Willborn,
1998b). Because of their similarity, the harmonization of audit practices for the purposes of generic auditing should be
relatively straightforward, barring any obstacles of a “political” nature.

A good way to represent a process or a flow of activities is to use a graphical tool, such as a flowchart or business
process mapping. Flowcharts are invaluable tools of auditors, regardless of the discipline, because they graphically
represent all the information required for the knowledge and evaluation of particular process steps and decision points.
Therefore, the individual audit process can be represented with a compact flowchart. While the earliest quality
management audit standards, such as the American Q1 (ANSI/ASQC, 1986) and Canadian Q395 (CSA, 1981) depict the
audit practices using flowcharts, the presently valid quality (ISO 10011, 1990) and environmental (ISO 14010/11/12,
1996) audit standards do not. Unfortunately, the current developments regarding a new quality and environmental
audit guideline at the international level do not point in the direction of using flowcharts. Nevertheless, we have
illustrated the generic audit process with a flowchart in Figure 4.

The audit process is normally initiated directly by a client. For example, a company’s top management may want to
assess the effectiveness of the overall management system to achieve set objectives. However, provisions in an audit
program (set of individual audits) or the audit system (set of programs) can also launch individual audits. For instance, an
environmental program may specify that individual audits are to be conducted every six months, or when a follow‐up on
a previous risk‐based audit is required. Following initiation, audit objectives, scope and criteria are identified, provisions
are made for audit management, and general timelines and the required extent of resources are identified.
Subsequently, the feasibility of attaining set objectives is evaluated, together with the examination of the required
qualifications and competence of auditors. Although the feasibility and existence of the qualifications and competence is
likely, it is by no means guaranteed. For example, an auditor who exclusively has experience in the manufacturing
industry may not feel competent to assess a quality management system in a university environment or in a non‐profit
organization. Or perhaps it is not possible to achieve all objectives within a set time and with given resources. This would
render a planned audit unfeasible. Another solution, such as the revision of the audit plan or acquiring another auditor
or technical expert, is required. Following the confirmation of feasibility and competence, the audit is planned and
adequate processes and resources are designed. This includes:

• audit plan preparation;

• working papers design;

• audit risk assessment (evaluating the probability that the audit will result in an incorrect finding (ISO 14010,
1996));

• preparation of the required auditing methodologies, such as checklists, discovery/acceptance sampling

methods and flowcharts.

Auditors are then allocated to audit teams, and specific audit assignments are given. Prepared audit methodologies may
be tested to ensure compliance with the audit objectives. The audit is executed in the well‐known sequence of: the
opening meeting – collection and verification of audit evidence – comparison of audit evidence against audit criteria –
summary of audit findings – closing meeting. Finally, the audit report is prepared, communicated and reviewed, which
concludes the audit process in some disciplines (e.g. environmental auditing). In quality auditing, the process continues
with preventive and corrective actions that eliminate the causes of poor performance or non‐conformances identified by
the audit (Russell and Regel, 1996).

Now that generic audit definitions, principles and practices have been identified, one question still remains. Namely,
how can this presentation of auditing fundamentals be strengthened, and partly revived, in the rapidly emerging field of
management systems auditing? As Pyzdek (1999) emphasizes for the quality field, no one best answer exists for auditing
either. Perhaps a request for continual professional development in discipline‐specific and generic auditing would help.
This would demand of auditors not only to demonstrate their competence in achieving the planned audit objectives on a
continuous basis, but also to recognize and use the best auditing practice identified across disciplines. Another
possibility is the augmentation of auditing as a “learned and regulated profession”, not only in accounting, but also in
the quality, environment, safety and other fields. Much like engineers, medical doctors and accountants, for instance,
auditors may organize their own associations, which would set the qualification, competence and professional
development requirements, and protect the auditors’ interests regardless of which area in auditing they are working in.
Universities should play a more important role here, by offering upper‐level undergraduate and graduate courses in
generic auditing. Without a doubt, the road to a full development and implementation of a generic audit will be
treacherous and daunting. In our opinion, however, at least a partial answer to the above question lies in the
development of an internationally accepted and discipline‐wide generic audit guideline, which would certainly be a step
in the right direction.

Generic audit guideline

Choose
Section:

Two‐prong approach

All management system standards of the International Organization for Standardization (ISO) are more or less generic
with respect to the type of industry or region where they are applied. This is also true for the associated audit
guidelines. The American National Standard Q1 (ANSI/ASQC, 1986) was even called “Generic guidelines for auditing
quality systems”. However, the auditing guidelines have still to overcome the discipline‐entrenched barriers, before
becoming truly generic. For instance, while quality management auditors must assess the quality system’s compliance to
audit criteria and the system’s effectiveness and suitability to meet set objectives, their environmental counterparts
restrict their evaluation to compliance with relevant criteria only. This represented an area of much contention in the
development of new quality and environmental auditing guidelines, dubbed “ISO 19011”. Due to increased pressures
from industry and other interested parties, ISO has mandated the appropriate quality and environmental management
subcommittees (TC176/SC3 and TC207/SC2 respectively) to initiate joint work on a single guideline for auditing quality
and environmental management systems. This work is currently under way, with the release of the international
standard expected in year 2001.

Current revisions of quality and environmental auditing guidelines point in the direction of a harmonized, if not even
integrated, audit standards. Harmonization relates to the effort of aligning the structure and content of the guidelines,
which would remain separate documents, but with a significantly increased compatibility. On the other hand,
integration would involve a complete amalgamation of guidelines into a single document. Nevertheless, revising
international standards is a complex task. The ongoing work, which started several years ago, has yet to produce a final
draft. Part of the difficulties encountered rest in the lack of conceptualization of auditing fundamentals. Auditors,
managers of audit systems and programs, and clients must be equipped with practical concepts that will strengthen and
simplify understanding and application of auditing. A mere listing of auditing principles, even in connection with the
subsequent outlining of audit processes and auditor qualifications, appears to be insufficient for such an understanding
to occur. The current revision of ISO audit guidelines will hopefully arrive at an internationally acceptable integrated
audit guideline. This should then facilitate joint or integrated audits of management systems in a company, since
managers are particularly interested in greater cost‐effectiveness of this type of auditing.

However, we recommend a slightly different approach to provide for a sound foundation for generic auditing. Let us
refer to it as a “two‐prong approach”, where the first prong involves the ongoing development of an integrated quality
and environmental audit standard (ISO 19011) under the ISO auspices, and the second prong augments the first one by
originating a “generic audit guideline”. The prongs are simultaneous and supplement each other. The second prong is
similar, but not identical with the widely preferred alternative of a “core plus satellites” standard in the current ISO
revision efforts (Figure 5). The core is to include all common elements of the auditing policy, processes and resources,
regardless of the type of management system and the specific field of auditing. The satellites would have an identical
format (in other words they would be aligned by the “gravitational pull” of the core), and address specific issues in each
auditing discipline. Currently, only two satellites are planned, namely quality and environmental audit. In the future,
other disciplines could be added, assuming that the core of the standard would not change with the addition. And this is
where the problem lies. Such a separation of the “core” from the rest of the auditing standard, even if this is a “strong
core”, would still not sufficiently enhance proper understanding and application of the basic audit principles and their
underlying systems concept. With or without the “core”, audit principles and practices would still remain basically
unchanged. Therefore, we propose a separate generic audit guideline, which would outline an audit as a generic system,
and a linked subsystem of the generic management system (Figure 1). This guideline would be generic in itself, meaning
that it would not have special “satellites”, but rather address common (generic) principles and processes of auditing,
regardless of the discipline, industry or region of application. It would address the “best auditing practice” (Russell,
1997), providing the fundamentals of the current cutting edge knowledge in auditing. Inherent in this characteristic is
the need for constant benchmarking and change in order to be able to express what “the best in auditing” means at any
particular time. Developing generic audit guidelines along both prongs should provide a more solid foundation of
modern management system auditing.

Format and content

The proposed generic audit guideline should augment current or future audit standards that are more system or
discipline‐specific. This would allow the user of such documents to review the basic principles of generic auditing and
the fundamental features of the audit process, including audit quality assurance, before getting into the specifics of, say,
quality or environmental auditing. This structure is similar to the current ISO 14010/11/12 series of environmental
auditing standards. The systems approach, however, should achieve significant improvements for the user and the
generic auditing profession. The ISO format for such a document will be applied. The user is first introduced to the
purpose, scope, normative references, and definitions applicable to the guideline (Figure 6). The content of most of
these sections has been discussed earlier in the paper. The main body of the generic audit guideline would contain the
following three parts:
1. 1 general principles for auditing management systems;

2. 2 systems approach to generic auditing;

3. 3 quality assurance of generic audits.

The first part would list the fundamental principles of generic auditing, an example of which has been provided in the
above discussion on auditing principles. It would also provide some guidance on the implementation of these principles.
The second part conceptualizes an audit as a system, illustrates the basic features of the generic audit system model,
and discusses the management of different levels of audits, including individual generic audits, audit programs, and
finally the audit management system. Similar to the ISO 10011 (1990) quality audit standard, sections on audit
management of the generic guideline would address such issues as determining the organizational structure,
procedures, authority and responsibility for the audit system, as well as the measurement and improvement of audit
system efficiency and effectiveness. Three separate subsections of the second part of the guideline would illustrate
common audit policy and objectives, audit processes (in the flowchart form, as presented in Figure 4), and audit
resources, including auditors, information (audit evidence, criteria, findings and conclusions), methods (sampling,
flowcharting, checklisting, computer‐aided auditing) and infrastructure.

Finally, the third part would address quality assurance of generic audits, including the establishment of specific quality
assurance systems for auditing activities, reliability and maintainability of generic audits, and, probably the most
important issue, qualifications and competence of auditors as the human resource element of the audit system.
Qualifications refer to the aggregation of auditor’s education, training and experience, which makes the auditor eligible
to conduct audits. However, competence is a broader concept that involves a demonstrated and recognized ability to
consistently achieve audit objectives and assure the client and auditee of the quality of auditing services. The guideline
for generic audits would list the principles and methods for the evaluation of competence (for instance the application
of relevant audit methodology), methods for demonstration and recognition of competence, as well as the principles of
continuous professional development and improvement. Such quality assurance should provide good confidence to the
client and the auditee alike that the generic audit performance is satisfactory.

Conclusions

Choose
Section:

Ongoing audits of management systems must become more consistent, effective and generic across auditing disciplines.
The respective auditing standards and guidelines should follow the same path. These important objectives can best be
achieved if the proposed and briefly explained systems approach is applied. Particular attention should be paid to the
sound conceptualization of a generic audit, as well as its principles and practices. In this paper, the generic audit of
management systems, spanning quality, environmental, safety, ergonomic and other disciplines was illustrated using the
systems approach. Existing audit definitions were compared, and a generic audit definition was adapted. Subsequently,
audit principles from the quality, environmental and accounting disciplines were compiled, and a set of rules for a
generic audit was illustrated. Common audit practices were also depicted, followed by an outline of a generic audit
guideline. This guideline should act as an intermediary aid for management and auditors, as it links management
systems with respective audits. This would not counteract the ongoing revisions of respective international auditing
standards, as it aims at the same objective and user needs. Further development and implementation of such a
document requires some further research. The key to success is the open mind of a practitioner.

Table I Compilation of audit definitions