DGQ Interview with Manuel Santos
In this interview, Manuel Cordas dos Santos, CEO of the consulting firm GUKSA, explains where the audit process still falls short and what role the aspects of “process” and “risk” play in this context. He also highlights the connection to and benefits of requirements management. It becomes clear that this opens up new opportunities for the audit as well.
In many companies, audits don't always have the best reputation, especially among management. Why is that?
dos Santos: A key reason lies in the way audit results are communicated. Audits rely on highly standardized technical terminology that often does not correspond to the language of thought and decision-making used by management. Terms such as “major deviation” or “minor deviation” often make it difficult for company leadership to immediately grasp their significance for economic success, risk exposure, or the achievement of strategic goals.
Management primarily thinks in terms of value creation, risk, and the sustainability of business success. This is precisely where a communication gap arises. Furthermore, traditional audits often focus in isolation on individual processes or organizational units. The interplay between processes, risks, and strategic goals—and thus the actual drivers of business decisions—is often overlooked.
Yet it is precisely these connections that are of central importance for the further development of corporate strategy and could constitute the true added value of an audit from a management perspective.
What, then, would be the right attitude toward audits?
dos Santos: The right approach to audits is to view them as a strategic management tool. Audits are not merely a means of formally complying with standards; above all, they serve to make risks transparent and actively support the achievement of corporate goals. It is crucial to look beyond standards and systematically embed customer-specific requirements within the organization.
These requirements are contractually defined and are therefore directly linked to legal certainty and economic stability. A modern audit must therefore identify the risks that may arise from non-compliance—and how processes and requirements management can specifically help manage these risks and ensure the company’s long-term success.
How can you benefit from audits?
dos Santos: Companies benefit most from audits when they are consistently designed with a focus on risks and requirements. By systematically incorporating customer requirements, audits create transparency—both for management and for the entire organization. Risks are not only made visible but can also be managed in a targeted manner.
This approach fosters conscious, forward-looking action: risks are transformed into opportunities, processes are made more robust, and expectations are reliably met. This not only increases customer satisfaction but also strengthens the company’s competitiveness in the long term.
What does a successful audit look like to you?
dos Santos: A successful audit is not measured by documenting as few nonconformities as possible. This perspective can be misleading and create a false sense of security, because relevant interactions and systemic relationships remain undetected.
In my view, the key lies in not viewing audits solely through the lens of standards, but rather in focusing on their business value. It is crucial to take a holistic view of the consequences of non-conformities—considering the interplay between processes, risks, and customer requirements.
An audit is successful when it not only identifies weaknesses but also identifies concrete opportunities based on deviations, specifically mitigates risks, and thereby actively contributes to the organization’s continued development and to ensuring its business success.
In addition to a risk-based approach, a process-oriented approach is also important to you. What do you mean by that?
dos Santos: To me, a process-oriented and risk-based perspective means viewing the organization as an integrated whole system. The focus is not on individual functions or departments, but on end-to-end processes with their interactions, interdependencies, and risks. This is precisely where the key levers for quality, efficiency, and goal achievement lie.
In concrete terms, this means that normative requirements—such as those from IATF 16949 should not be interpreted in isolation, but rather structured in alignment with actual business processes. Organizing these requirements into overarching process sections creates transparency and highlights where risks arise, how they impact operations, and where they can be specifically managed. This is precisely where the added value of modern audits lies.
This approach makes it possible to identify specific areas for improvement, manage risks proactively, and use audits as an effective tool for organizational development—going far beyond mere compliance with standards.
Are “risk” and “process” two separate areas here, or do they work together?
dos Santos: In my view, risk and process perspectives are not separate disciplines, but rather two inseparably linked perspectives. Risks always arise within processes—and processes only have an impact when they interact with the associated risks.
An integrated approach means viewing the organization as an interconnected system: processes, their interfaces, and interactions are assessed together with the resulting risks. This is the only way to identify causes, effects, and opportunities for improvement in a holistic manner. Risk and process perspectives can thus be effectively combined. Centralized requirements management is, of course, helpful in this regard.
What is requirements management? What is the basic idea behind it?
dos Santos: Requirements management involves systematically identifying and evaluating all relevant requirements and effectively integrating them into the organization. This includes, in particular, customer requirements, as well as specifications from standards, legal regulations, and industry-specific standards. The central idea is to consistently link these requirements to business processes so that their significance for individual process steps, roles, and responsibilities becomes clear.
This automatically provides a comprehensive view of risks and interdependencies: Where requirements are not clearly implemented, risks arise—for quality, legal compliance, and ultimately for the company’s success. This is precisely where the close connection between process and risk analysis becomes apparent.
However, the true essence of requirements management lies in a shift in mindset. It helps executives and employees better understand where there is room for improvement in the management system in order to efficiently and reliably implement contractually relevant, customer-specific requirements. The key lies in strategically aligning the resulting opportunities with the company’s overall strategy—thereby turning requirements management into a true value driver.
Where is requirements management used?
dos Santos: Requirements management is not a one-off activity but takes place on a daily basis within a company—ideally as an integral part of all relevant business processes. Requirements play a role wherever decisions are made, services are provided, or interfaces are managed.
In practice, however, these requirements are often not fully implemented because they lack transparency or their relevance in day-to-day operations is underestimated. This is precisely where requirements management comes in: it ensures that requirements are made visible, understandable, and effectively integrated into processes.
Requirements management can be applied across all industries. Whether in manufacturing, services, or regulated sectors—it creates clarity, fosters a shared understanding, and ensures that organizations reliably meet their obligations while simultaneously capitalizing on opportunities for improvement.
What are the benefits of requirements management?
dos Santos: Requirements management offers companies clear strategic value. It creates the necessary structure to systematically capture, evaluate, and reliably implement customer-specific requirements. At the same time, it ensures transparency within the organization—a crucial factor in increasing acceptance among both senior management and employees across departmental boundaries.
Effective requirements management enables the quality and management system to respond quickly and effectively to changing customer requirements. Legal requirements, regulatory requirements, standards, and contractual obligations are taken into account and integrated throughout the entire process chain.
In addition, requirements management improves connectivity throughout the supply chain, as processes and procedures are better aligned with those of customers and suppliers. This reduces legal and liability risks, such as those arising from unclear or inadequately implemented contractual requirements.
Last but not least, requirements management highlights interdependencies and opportunities for optimization within the organization, identifies new opportunities, and thereby makes a tangible contribution to increasing competitiveness and ensuring the company’s long-term success.
And how does that fit in with the concept of a process-oriented and risk-based audit?
dos Santos: A process-oriented and risk-oriented audit is the logical outcome of this approach. Without this integrated approach, a modern audit is virtually inconceivable, as it brings to light the real-world interactions and risks that shape every organization. No company is risk-free—what matters is how consciously and systematically these risks are managed.
This is precisely where the audit comes in: it provides clarity on where risks arise in processes, what impact they may have, and where effective measures need to be taken early on. When properly understood, the audit thus evolves from a mere verification mechanism into an active management tool that makes risks manageable and strengthens the organization in the long term.
To wrap things up, here’s a tip from you: How can we restore greater credibility and acceptance for audits?
dos Santos: Audits gain credibility and acceptance when they are presented in a language that decision-makers can understand. When audit results are presented in a way that is immediately understandable and relevant to management and the organization, perceptions change fundamentally. Tools such as a risk/opportunity map provide significantly more clarity here than purely normative categories such as major or minor nonconformities, as they directly address business-related issues.
Transparency is equally important: Showing the degree to which requirements are met throughout the processes makes it clear where the organization stands—and where specific action is needed.
Another key factor is the culture of accountability. Findings from audits should not be used as an excuse to assign blame, but rather viewed as specific challenges that must be addressed collectively. This is precisely where the opportunity lies to improve processes and further strengthen our customer focus.
Last but not least, it’s worth shifting your perspective: if you consistently view audits through the lens of requirements management, it quickly becomes clear just how well the two approaches complement each other. This connection creates structure, relevance, and strategic value—and is thus a key lever for regaining trust, acceptance, and lasting credibility for audits, particularly among management.