I was asked this question recently. The management of contractors is part of a number of standards. And one of the key issues regarding contractors is the communication of expectations or requirements. For example: what procedures are they to follow when on site; what proof of certification and training are they expected to provide to demonstrate competence.
There seem to be two extremes when it comes to the method that organizations choose to communicate requirements and expectations to their contractors:
1. Full control – conducting the training and tracking of all of the requirements.
2. Hands off – making the expectations known through a contract or sign back form and putting the onus on the contractor to keep track of their information.
The first definitely ensures an organization has taken reasonable care. The same can’t be said for the second approach. Many companies fall somewhere in the middle.
So how do I typically audit contractor management? No matter what approach or level of control an organization has decided to take, I start with a procedure. Does the procedure meet the standard? Then, is the procedure being implemented? How can I verify the implementation when no contractors are on-site to interview or include in my sample?
There are a couple of sources of information that we can use to find out who these contractors are:
1) Visitor sign in sheets – Are the contractors required to sign in to the site every day? If yes, then find their names and the companies that they belong to, as well as when they came on site.
2) Who brings the contractors on-site the most? Facilities? Maintenance? Engineering? Talk to them and find out who they hire. This will provide you with the company names and the types of projects/work they are involved with.
3) Purchasing and accounts payable departments – someone has to pay the bills. You may not get individual names of the employees, but you will get company names and the purchase orders and/or invoices will have a description of the type of work that was done.
Once you have names (personnel and company) along with the dates they visited the site, you can evaluate the compliance to the procedure through the associated paperwork generated. For example:
1) The procedure requires that all employees of a subcontractor are required to review a specific “Contractor Rules” document. Once read, they sign off that they understand. This is required to be done prior to starting work on-site and annually after that (if required). Based on names and dates in the visitor sign-in log, you can compare when the individuals came on-site and when they completed the sign-off. Did they start working on-site before signing off? Did they continue coming to the site after a year and haven’t re-signed?
2) Contracting company is required to submit evidence of competence of the employee. They submit the licenses and applicable training cards at the start of the contract. Based on the visitors log, you collect names of the employees that come on-site. You can compare names with records. What I have seen before is after some time a new employee comes to the site (for any number of reasons: vacation.sick fill-in; replacement), but then the contractor does not send the competency records for the new worker before sending them to the site.
This just demonstrates some alternate methods to audit the contractor management process, rather than just relying on the auditee’s “List of Contractors”. I find that this “list of Contractors” is incomplete half of the time. SO by looking at other sources of information, you can also verify the effectiveness of the process of managing the information. Ultimately, if you can find a contractor working on-site, include time to interview them as well, in order to ascertain their level of awareness of the information that they were intended to receive.