Archive for the ‘Internal Auditing’ Category
Making the Grade
Once your business has been up and running for a few years, it is easy to take some of the day-to-day practices for granted. Often times, people will become complacent and important details may be overlooked. One of the best ways to check the status of your company and ensure that all of your ducks are in a row is with an ISO Internal Audit.
Through this auditing system, you will get an objective view of all of your business practices and record keeping. There are several companies that provide certified third-party auditors that can help you get a gauge on your business and point out areas that aren’t up to snuff. No matter what product or service you are providing, it is important to maintain quality records and documentation, and an internal audit can ensure that you are doing just that.
Are Your Suppliers Meeting The Requirements Of ISO 9001:2008?
There are various ways in which your supplier can claim that its quality management system meets the requirements of ISO 9001:2008. These include:
- Supplier’s declaration of conformity: Your supplier makes a declaration affirming that its QMS meets ISO 9001:2008 requirements, usually supported by legally-binding signatures. This declaration can be based on your supplier’s internal audit system, or on second party or third party audits;
- Second party assessment: your supplier is audited directly by its customer (e.g., by you, or by another customer, whose reputation you respect) to check if its QMS meets ISO 9001:2008 requirements and your own requirements – sometimes used in contractual “business-to-business” transactions;
- Third party certification: your supplier uses an accredited Certification Body (Registrar) to audit and verify it’s conformity to ISO 9001:2008 requirements. This third party then issues a certificate to your supplier describing the scope of its QMS, and confirming that it conforms to ISO 9001:2008.
HOW DO I ANSWER AN AS9100 AUDITOR’S QUESTIONS?
I am a third party AS9100 auditor, (your registrar’s auditor). In my experience, I have seen a lot of apprehension while auditing. The whole purpose for auditing a quality management system is to improve the overall organization so that it can compete more successfully. The auditor is not looking for faults in a system; they are looking for compliance to the standard. If a non-conformance is found, it should be viewed as and opportunity to improve, not as a reason to reprimand. The best advice for answering an auditor’s questions is … just be polite and honest. In general, the auditor is not out to trick or deceive you, so you should return the favor. Here are a few more tips you should know when talking to auditors:
• When talking to an internal auditor, you should feel free to offer any information on the subject being tackled that you feel is important, even if it’s not specifically asked for. Your internal auditors are there to help improve the system for everyone. Don’t be afraid to ask the internal auditor a question or ask for advice.
• When talking to a third-party auditor, you should still be honest, but only answer their question. There is no need to volunteer information with third-party auditors.
• Never lie to an auditor… They often know the right answer before they ask the question.
• Answer the auditor’s question directly and with confidence when you know the answer. If you don’t feel very confident about answering a question, you can:
• Tell the auditor you don’t understand the question, and ask him or her to restate it.
• Take the time to find the answer in your area’s quality procedures or work instructions. (Remember, that’s what they’re there for!)
• Ask someone else, such as your manager, for help in answering the question (especially if you feel the question falls outside your
job responsibilities). Remember that the auditors want you to succeed. They are not “out to get you.”
The ISO Audit and Compliance to ISO 9001 Certification Requirements
There are two types of auditing that are required, to become registered to the standard: auditing by an external certification body (external audit) and audits by internal staff trained for this process (internal audit). The aim is a continual process of review and assessment, to verify that the system is working as it’s supposed to, find out where it can improve and to correct or prevent problems identified. It is considered healthier for the internal auditor to audit outside their usual management line, so as to bring a degree of independence to their judgments.
Under the 1994 standard, the auditing process could be adequately addressed by performing “compliance auditing”:
- Tell me what you do (describe the business process)
- Show me where it says that (reference the procedure manuals)
- Prove that this is what happened (exhibit evidence in documented records)
How this led to preventive actions was not clear.
The 2000 standard uses the process approach. While the iso internal auditor performs similar functions, they are expected to go beyond mere auditing for rote “compliance” by focusing on risk, status and importance. This means they are expected to make more judgments on what is effective, rather than merely adhering to what is formally prescribed. The difference from the previous standard can be explained as follows:
Under the 1994 version, the question was broadly “Are you doing what the manual says you should be doing?”, whereas under the 2000 version, the question is more “Will this process help you achieve your stated objectives? Is it a good process or is there a way to do it better?”
ISO 9001:2008 only introduces clarifications to the existing requirements of ISO 9001:2000 and some changes intended to improve consistency with ISO 14001:2004. There are no new requirements. A quality management system being upgraded just needs to be checked to see if it is following the clarifications introduced in the amended version.
Avoid documentation mistakes
If your company is preparing to become ISO 9001 certified, you should know what you need and what you don’t need. Some companies are overzealous and become obsessed with over-documenting their systems, rather than focusing on what their procedures actually are and documenting them. While ISO 9001 requires documented procedures, the standard doesn’t specify what they should include or how they should be formatted. The fact that many companies miss is that a third-party auditor will not be concerned with the format, but rather with the content of the procedures and how closely they align with what the company actually does.
Documents should be written to define a company’s processes, not to make processes sound more impressive than they are. A common nonconformance found in an ISO audit is not that a company was unable to meet a standard’s requirement, but its inability to meet a requirement in one of its own documents. A company can essentially sabotage itself by over-thinking its documentation. ISO 9001:2008 requires a manual and six documented procedures. Fulfill those requirements; other written procedures are unnecessary.
Common Obstacles to ISO 9001 Implementation and Registration
1. Too much documentation – unnecessary procedures, work instructions, forms, etc.
2. Lack of top management commitment and support – top management pays lip service or does not get involved.
3. Not providing adequate resources – budget, personnel, consultant, training, etc., to get the job done effectively.
4. Resistance to change – some process owners and functional managers may resist changes to processes and accountability for objectives.
5. Not setting realistic timeframes for business management system(BMS) development and implementation
6. Not providing adequate information and training resulting in conflicting interpretation of requirements and what needs to get done.
7. Not communicating BMS plans
8. Lack of discipline – personnel not following policies and procedures
9. Not understanding processes and how to use them effectively to manage the business.
10. Policies and procedures imposed by head office or other organizations.
11. Improper use of BMS system tools – e.g., corrective action; management reviews; etc.
12. Not understanding ISO 9001 requirements; not getting external help; and getting poor support and interpretations from the Certification Body.
By recognizing these obstacles and hurdles, you should be able to successfully avoid them on the path to ISO 9001 certification.
Auditing The Supplier Selection and Evaluation Process
ISO 9001:2008 says you must select and evaluate your suppliers based on their ability to meet your requirements and evaluate them. There is no set method of doing either of these, but there are a few things that are common. It is important to understand that the size of your organization and the number and type of suppliers drives the form of supplier selection and evaluation. It is the internal auditor’s or external auditor’s responsibility to determine if the method selected is effective and is being followed.
The first step in evaluating the method used to select and evaluate is to determine what the standard actually says. This gives you the requirement by which we, (The auditor’s), will decide on compliance. The standard says that you shall; “evaluate and select suppliers based on their ability to supply products in accordance with the organization’s requirements.” Additionally it states you shall establish; “Criteria for selection, evaluation, and re-evaluation…” And; “Records of the results of evaluations and any necessary actions arising from the evaluation shall be maintained…”
This means that you (the organization) decide on the rules for your suppliers. As auditors we need to look at the criteria given for supplier selection and evaluation. It is important to remember that our job is not necessarily to pass judgment on whether we think the criteria is sufficient. Our job is to determine if those responsible for purchasing are aware of the criteria and are following the plan. We can make recommendations on the intrinsic worth of the criteria, but should limit our conformance decision to whether the standard is adhered to.
The second step is to determine the process used to meet the standard. Supplier selection and evaluation may be part of a single process, or may be two separate processes. The process approach is the best way to accomplish this objective. Meaning you must first determine all of the inputs and outputs of the supplier selection and evaluation processes. This is easily done by looking at how your organization describes their processes in the Quality Manual. Process maps can also provide you with much of the required information.
Auditing and Continual Improvement
The most important part of the audit is not what the auditor does in collecting the data, but what the manager does with the audit information. Managers must be prepared to take actions to correct audit finding and to recognize excellence. The actions taken to make improvements must not make the situation worse. The best approach is to meet with the people involved in the finding and ask for their ideas for improving the situation and to empower them to solve the problem. This allows them to assume ownership for the problem and for the solution. The manager must then seek commitment from people to resolve the problem within a certain time frame and make resources available to support improvements, if necessary.
The worst possible scenario is for managers to use audit information to punish people. Management must drive fear out of the organization. Punishing people will condition the organization to resist audits and hide problems from management. The manager must learn to receive bad news from an audit as an opportunity for improvement and then involve staff members in resolving the issue. Often the audit will bring to light performance problems that can be solved only by upper management. Although management alone has the authority to change the system, management can usually invite the people who work in the system to help diagnose the problem, make recommendations, and implement solutions for resolving the problem.
Successful organizations are those that learn to place a high value on continuous improvement. Everyone in the organization, from the managers in the strategic center to the individual contributors, must all share a belief in the positive discussion of problems and deficiencies as a necessary first step in achieving excellence.
Quality Management Principle (# 8 Mutually beneficial supplier relationships )
An organization and its suppliers are interdependent and a mutually beneficial relationship enhances the ability of both to create value
Key benefits:
- Increased ability to create value for both parties.
- Flexibility and speed of joint responses to changing market or customer needs and expectations.
- Optimization of costs and resources.
Applying the principles of mutually beneficial supplier relationships typically leads to:
- Establishing relationships that balance short-term gains with long-term considerations.
- Pooling of expertise and resources with partners.
- Identifying and selecting key suppliers.
- Clear and open communication.
- Sharing information and future plans.
- Establishing joint development and improvement activities.
- Inspiring, encouraging and recognizing improvements and achievements by suppliers.
Quality Management Principle (# 7 Factual approach to decision making )
Effective decisions are based on the analysis of data and information
Key benefits:
- Informed decisions.
- An increased ability to demonstrate the effectiveness of past decisions through reference to factual records.
- Increased ability to review, challenge and change opinions and decisions.
Applying the principle of factual approach to decision making typically leads to:
- Ensuring that data and information are sufficiently accurate and reliable.
- Making data accessible to those who need it.
- Analysing data and information using valid methods.
- Making decisions and taking action based on factual analysis, balanced with experience and intuition.
- Stronger quality management systems