Usually someone new to auditing is quite confused about the ISO 9001 audit process. I frequently get asked the question: What exactly is there to “audit” on an annual basis? What Do You Audit?
What is Auditing?
Are you having a hard time understanding exactly how an internal audit is performed? Perhaps you have a LEAN QMS (Quality Management System) where processes are comprehensive, clearly defined and follow a set structure. When problems arise, do you deal with them in real time? So if your are handling the problems, what do you audit?
Many organization have put in place a rock solid depiction of a process with a complete list of steps that personnel follow. So what exactly is there left to “audit” on an annual basis? If you keep coming back to the question of “what do you audit”, you are thinking of a conformance audit.
Conformance Audit
ISO 9001 Auditing is more than looking at checklists and checking boxes to confirm the existence of a criteria being met. This is a low level method of auditing and it is not clear it is helping anybody. What you really want to ask is “is it effective?” Is it working, providing a return on your investment, advancing you toward your goals? If it is not effective, then you have an audit finding. The audit finding is a gap in effectiveness.
Principle of ISO 9001 Auditing
The basic principle of auditing is too look for evidence to support a conclusion on whether or not the QMS is effective. You do this by looking for gaps between the actual work you see happening and the criteria being audited.
These gaps occur in four main areas: Plan, Do Check, Act or PDCA for short. PDCA is the structure of an effective management system. Auditing is the process of looking at all the elements of effectiveness to determine weaknesses in effectiveness and therefor, what needs improving so that we are continuously improving. This is the basis of process auditing.
PDCA in Auditing
The PDCA Loop or Wheel
It is all about targets… PDCA is the process of setting targets, collecting data on the target, checking the data against the target, and taking action towards the target.
- Planning: The ISO 9001:2015 standard (clause 4, 5, 6, 7) is about planning. In your example there is evidence that processes have been determined, but you make no mention of what process and QMS criteria (KPI or key performance metrics) are used. Are clear metrics, goals, or targets determined for all processes?Planning is a big area. Does your planning include evidence of identifying and preventing all risks? Do people have the resources to do their job? Do they have sufficient competence in the job? Have all customers been determined, satisfied?
- Do: Is there data being collected on those metrics (and other data in clause 8)? Are they following the process as determined? Do they have nonconformance data for each event where they didn’t follow the process? Is feedback collected and communicated?
- Check: Do they look at the data collected? Is the data used, analyzed, and communicated to others, as needed (clause 9)? Does the data provide evidence of strategic alignment, that risks are managed (there are no surprises), and how does this compare with your experience?
- Act: Do they take action on trends or what they discovered in the data (clause 10)? Action can be correction, corrective action, or preventive action. Is there clear evidence of improvement? Can you conclude that the QMS is effective?
If you cannot find any gaps then you must work in a world class facility that is perfectly effective. Since no organization is perfect, you will find at least one gap, which becomes your finding and the basis for your audit report. Even in world class facilities you have findings, but the findings look more like Opportunities For Improvement (OFI) or gap in perfection than a gap in effectiveness.
Effective Quality
A perfect QMS does not mean perfect quality. It means an effective system is in place to deliver continuous improvement and customer satisfaction. The auditor looks for areas that are working well and signs where it is not. It may be that your system is simple and very good. But there are always areas for improvement in productivity and efficiency. Improvement is about doing more with less. It is up to management to explain to the auditor how the QMS is designed to do more, over time, with less and then show how well that plan is working out.
Effective Management Review
All companies have weaknesses in some areas. Management Review is about ensuring the effective allocation resources of time, money, people, infrastructure. It is not about fixing problems, that should be done at the process level by process owners. In Management Review, process owners bring solutions that need resources. There are always resource constraints, diminishing returns, and actions that fail to deliver results. There are always opportunities for improvement or gaps which become your findings.
Effective Top Management
It is top management’s responsibility to build an effective management system. You are highlighting areas in the company that are not effective, in order for top management to take action. Keep in mind, you are doing this for top management, not ISO 9001. Shouldn’t your top management want to know If something they are in charge of is not doing what it is intended to do? Your ISO 9001 audit report explains to top management what is not effective. The answer to “What Do You Audit?” should be clear.