No deficiencies noted.

Once, I overheard someone telling an uninvolved third party that I had "given" them something in relation to my work. I am unwilling and unable to repeat the exact language used because the extensive use of argot would make it difficult for someone outside the organization to understand, but it was the equivalent of: "He gave us a clean bill of health."

A word of caution... I am a professional auditor. I report: "No deficiencies noted." That means that I didn't note any problems, not that no problems exist.

"No deficiencies noted." is the very best result of an audit you can hope for. This is because a professional auditor is providing independent, objective oversight to your organization, and his time, like yours, is limited. He cannot possibly evaluate every single aspect of your organization without causing him to lose independence and objectivity and hence become a liability.

And a professional auditor most certainly does not "give" you anything, let alone "a clean bill of health." Barring outright fraud, there's usually something wrong with the way you work. In my experience, there's always something wrong. Typical findings include:

As the number of interfaces between organizational entities proliferate, the probability of one or more of the above problems occurring increases1. The probability that the problem will intersect areas within the scope of the audit, and be noted, also increases.

Therefore, when auditing large organizations, an auditor is more interested in ensuring that the client has a plan in place to identify and correct problems when they occur, not in demonstrating that problems do not exist2.

Because problems are guaranteed to occur, the very best result of an audit is: "No deficiencies noted." It would be criminal to give the client the impression that "No deficiencies noted." means that no problems exist.


A matrixed organization is the worst possible management structure for ensuring the personal accountability of people for their work, other than no management at all. This is why many information technology organizations specifically select a matrixed organization as their management structure. Because of the sheer number of interfaces between organizational entities, the network of relationships ensures no individual acting in a management capacity is alone accountable for failure. This has a tendency to temper senior management when looking for someone to blame, in particular for problems which cannot be anticipated, and in organizations with a "zero tolerance" approach to failure.
And it is for this reason that standards such as ISO 9001 require the organization asserting compliance with the standard to document their corrective and preventive action procedures.

Last updated: Thursday, 28 July, 2011