Auditors Conflict of Interest
Auditors Conflict of Interest
Published on October 21, 2016
|
|
Edward van Leent |
Last week I was attending the Data Centre World Asia which took place in Singapore. We had a lot of traffic at the booth and one of the visitors had a great question which I thought was worth sharing.
EPI is well known for conducting data centre audits and conformity certification based on the ANSI/TIA-942 and the visitor was enquiring about this service. This gentleman asked me, in the event should the audit reveal any non-conformities, would EPI help their designers fix the design issues? I told him that the EPI audit would identify potential non-conformities and we would indicate the actual requirement of the ANSI/TIA-942 but we would not be able to provide guidance on how to fix the problem.
The gentleman told me that he had also spoken to a competing organisation who is providing Tier certification based on their guidelines, or standard as the organisation itself likes to claim. He had asked the same question and they told him that they would discuss the full details with his engineering team about what and how to fix any potential design issues. The gentleman thought that this would be very helpful and a good thing…
So, what is wrong with auditors who assists customers in fixing what needs to be fixed? Well, ISO is very clear about this and it is called ‘Auditors conflict of interest’. Auditors, or the company they work for, cannot provide a solution for non-conformities and then audit those very same solutions they had provided themselves. There is an undisputable and fundamental reason why this rule is in place. Obviously, someone who provides the solution who then performs an audit on it will always provide a positive outcome when verifying the audit criteria.
The proper process is the auditor reviews the evidence of the auditee to establish whether the criteria of the standard are being met. The auditor will identify any non-conformity, indicate what was found and the actual requirement of the standard. After that it is up to the auditee to fix the non-conformity and present the new evidence to the auditor who again will do a review and verify the conformity to the standard.
There is clearly a big difference between being audited by credible organisations who have qualified auditors following ISO audit principles, versus organisations who have defined their own set of rules on how to undertake audits. Hence, it is always good to verify with the audit organisation what audit principles and process do they follow before engaging them to audit something as business critical as your data centre.
Leave your comment or read others' comments on Linkedin
