Usually someone new to auditing is quite confused about the ISO 9001 audit process. I frequently get asked the question: What exactly is there to “audit” on an annual basis? What Do You Audit?
Are you having a hard time understanding exactly how an internal audit is performed? Perhaps you have a LEAN QMS (Quality Management System) where processes are comprehensive, clearly defined and follow a set structure. When problems arise, do you deal with them in real time? So if your are handling the problems, what do you audit?
Many organization have put in place a rock solid depiction of a process with a complete list of steps that personnel follow. So what exactly is there left to “audit” on an annual basis? If you keep coming back to the question of “what do you audit”, you are thinking of a conformance audit.
ISO 9001 Auditing is more than looking at checklists and checking boxes to confirm the existence of a criteria being met. This is a low level method of auditing and it is not clear it is helping anybody. What you really want to ask is “is it effective?” Is it working, providing a return on your investment, advancing you toward your goals? If it is not effective, then you have an audit finding. The audit finding is a gap in effectiveness.
The basic principle of auditing is too look for evidence to support a conclusion on whether or not the QMS is effective. You do this by looking for gaps between the actual work you see happening and the criteria being audited.
These gaps occur in four main areas: Plan, Do Check, Act or PDCA for short. PDCA is the structure of an effective management system. Auditing is the process of looking at all the elements of effectiveness to determine weaknesses in effectiveness and therefor, what needs improving so that we are continuously improving. This is the basis of process auditing.
It is all about targets… PDCA is the process of setting targets, collecting data on the target, checking the data against the target, and taking action towards the target.
If you cannot find any gaps then you must work in a world class facility that is perfectly effective. Since no organization is perfect, you will find at least one gap, which becomes your finding and the basis for your audit report. Even in world class facilities you have findings, but the findings look more like Opportunities For Improvement (OFI) or gap in perfection than a gap in effectiveness.
A perfect QMS does not mean perfect quality. It means an effective system is in place to deliver continuous improvement and customer satisfaction. The auditor looks for areas that are working well and signs where it is not. It may be that your system is simple and very good. But there are always areas for improvement in productivity and efficiency. Improvement is about doing more with less. It is up to management to explain to the auditor how the QMS is designed to do more, over time, with less and then show how well that plan is working out.
All companies have weaknesses in some areas. Management Review is about ensuring the effective allocation resources of time, money, people, infrastructure. It is not about fixing problems, that should be done at the process level by process owners. In Management Review, process owners bring solutions that need resources. There are always resource constraints, diminishing returns, and actions that fail to deliver results. There are always opportunities for improvement or gaps which become your findings.
It is top management’s responsibility to build an effective management system. You are highlighting areas in the company that are not effective, in order for top management to take action. Keep in mind, you are doing this for top management, not ISO 9001. Shouldn’t your top management want to know If something they are in charge of is not doing what it is intended to do? Your ISO 9001 audit report explains to top management what is not effective. The answer to “What Do You Audit?” should be clear.