Archive for the ‘Internal Auditing’ Category

ISO 9001, What Should I Be Auditing and How Often?

Tuesday, June 15, 2010
posted by qicguru 8:00 AM

The ISO 9001 standard does not specifically tell you what processes need to be audited or how often they should be audited. It does, however, state that the audits you do perform should be planned and based on status and importance. So what does this mean? Should you audit every process every year? Maybe, maybe not. The standard does not tell you how often, how many or what to audit; you decide what makes sense for your organization (where can you get the most value and keep your quality system functioning as intended).

The best advice that I can give is to review your process maps, non-conformances, and past internal and third party audits, and determine where your quality management system needs attention. Where are the black holes that cause lost time, lost money, and customer dissatisfaction (where are the points that are or could significantly impact your ability to satisfy your customer or grow your business)? Answer these questions and you will be able to develop a planned audit schedule that will add value to your quality system. Don’t audit every process every year unless every process in your system is not functioning as you intended it to or does not meet the ISO 9001 standard requirements. If this is the case you would not be certified in the first place. Don’t audit for the sake of auditing; this is costly and time consuming. Get the most out of your internal audits by making them address real issues that can improve the entire quality system.

How many audits should you conduct each year? You decide how many audits will be enough to keep your quality management system functioning properly. Keep in mind, you cannot successfully improve your processes unless you periodically review them. Nothing stays the same, so if you don’t review your processes periodically they will come back to bite you via loss of business, non-conformances, increased costs, obsolete documentation, and ultimately loss of certification.

With the upgrade of the ISO9000 series of standards from the 1994 to 2008 series, the focus of the audits has shifted from purely procedural adherence towards measurement of the actual effectiveness of the quality management system or the total process, and the results that have been achieved through the implementation of a QMS. And now with the upgrades of the AS9100 quality standard, there are even more ways to develop and implement corrective and preventive actions that will greatly benefit the organization.

Audits are an essential management tool for verifying objective evidence of processes, assessing how successfully processes have been implemented, assessing the effectiveness of achieving any defined target levels, and providing evidence concerning reduction and elimination of problem areas. For the benefit of the organization, quality auditing should not only report non-conformances and corrective actions, but also highlight areas of good practice. By highlighting these areas, other departments may share information and amend their working practices as a result, which contributes to continual improvement.

There are times that auditing feels like an arduous ordeal, and those being audited feel as though they are being personally judged. The most important part of conducting an audit is to communicate with the auditee the intent of the audit and their role in it. For an audit to give meaningful information back to the organization, you must get the cooperation of those being audited. Let them know that the audit is not a tool to punish but rather an opportunity to improve the organization as a whole. Findings are not bad things; quite the contrary, they are the building blocks for the continued success of the organization (continual improvement). Why not make it the responsibility of each employee to contribute at least one opportunity for improvement each year? Just think how much better your company will be after one year.

ISO 9001 Internal Auditing What, When, How?

Tuesday, April 20, 2010
posted by qicguru 8:00 AM

Most companies understand the idea of auditing but not the concept of “Process Auditing” as expected for compliance with both ISO 9001 and their own quality management system. Even companies that are currently registered to the standard may not have a thorough means for evaluating their processes through their internal audit program. Which processes are expected to be audited under ISO 9001?

The ISO 9001:2008 standard is quite vague as to what should be audited or even how often these processes should be reviewed. The standard indicates that audits be carried out at planned intervals to determine whether the quality management system conforms to the planned arrangements, to the requirements of the standard and to the organization’s own quality management system requirements. So what is an appropriate interval for your company? Ask yourself, “What is the worst that can happen and where could it happen?” Where are we having the most problems now? Look at your interrelationship of processes and pinpoint the likely areas that have the most chance of resulting in non-conformance. Conduct a risk assessment to determine where the highest risks are, and which risks may produce the most significant impact on your product performance (status and importance of the processes). Now audit these processes: interview staff, observe activities and view relevant records, then determine if there are weaknesses and assign corrective actions. Go back to these areas after the corrective actions are put in place and determine if the actions have accomplished the desired effect. If the actions are effective, close out the audit and move on to the next process.

Don’t audit a process for the sake of having an audit record to show an auditor. If a process is functioning properly, it does not need to be audited once a year. Nowhere in the ISO 9001 standard does it say you have to audit all of your processes once a year. You are in the driver’s seat, and you will determine what, when, and how you will audit your system.

ISO 9001 Internal Auditing Success

Wednesday, March 31, 2010
posted by qicguru 8:00 AM

The third party auditor will audit your system once or twice a year, so why do you have to conduct internal audits? The first and most obvious reason is that if you wait for the third party auditor to tell you your system is in trouble, you are missing the point of continuous improvement altogether. The second reason is that the third party registrar does not consider the surveillance audit as an internal audit. The standard requires that “you” perform planned internal audits of your system based on status and importance of the processes and areas to be audited. If you do not know whether or not your quality management system conforms to your planned arrangements, or the standard, then how can you determine if you are improving? The ISO 9001 standard is based on the Plan, Do, Check, Act principle of continuous improvement. Internal Auditing is the “Check”, and without it you may never know when to act.

The internal audit process need not be time consuming; there are many ways an internal audit can be accomplished. Every day we conduct countless audits without even knowing it. A manager who walks the plant floor may notice a process which is not working as intended, a worker may notice that the forms he or she is using are outdated, receiving may find that the same supplier never sends the correct paperwork with the products they provide; these are audits that never get documented. These audits are not planned, but they are audits nonetheless. The planned audits do not have to include all of the processes in your facility once a year; remember “Status and importance”. Go after the low hanging fruit first (areas where you are having issues), then review the other areas as needed. Whatever you do, DO SOMETHING, or your entire quality system will fail to accomplish the goals and objectives you have set for your organization. My philosophy is simple: if you are going to invest the time and money to become certified, get the full value of certification or you will be wasting your resources for nothing.

Making the Grade

Monday, January 4, 2010
posted by MakingBusinessEasy 9:17 AM

Once your business has been up and running for a few years, it is easy to take some of the day-to-day practices for granted. Oftentimes, people will become complacent and important details may be overlooked. One of the best ways to check the status of your company and ensure that all of your ducks are in a row is with an ISO Internal Audit.

Through this auditing system, you will get an objective view of all of your business practices and record keeping. There are several companies that provide certified third-party auditors that can help you get a gauge on your business and point out areas that aren’t up to snuff. No matter what product or service you are providing, it is important to maintain quality records and documentation, and an internal audit can ensure that you are doing just that.

Are Your Suppliers Meeting The Requirements Of ISO 9001:2008?

Friday, October 23, 2009
posted by qicguru 8:06 AM

There are various ways in which your supplier can claim that its quality management system meets the requirements of ISO 9001:2008. These include:

  • Supplier’s declaration of conformity: Your supplier makes a declaration affirming that its QMS meets ISO 9001:2008 requirements, usually supported by legally-binding signatures. This declaration can be based on your supplier’s internal audit system, or on second party or third party audits;
  • Second party assessment: your supplier is audited directly by its customer (e.g., by you, or by another customer, whose reputation you respect) to check if its QMS meets ISO 9001:2008 requirements and your own requirements – sometimes used in contractual “business-to-business” transactions;
  • Third party certification: your supplier uses an accredited Certification Body (Registrar) to audit and verify its conformity to ISO 9001:2008 requirements. This third party then issues a certificate to your supplier describing the scope of its QMS, and confirming that it conforms to ISO 9001:2008.

HOW DO I ANSWER AN AS9100 AUDITOR’S QUESTIONS?

Tuesday, September 22, 2009
posted by qicguru 8:00 AM

I am a third party AS9100 auditor (your registrar’s auditor). In my experience, I have seen a lot of apprehension while auditing. The whole purpose for auditing a quality management system is to improve the overall organization so that it can compete more successfully. The auditor is not looking for faults in a system; they are looking for compliance to the standard. If a non-conformance is found, it should be viewed as an opportunity to improve, not as a reason to reprimand. The best advice for answering an auditor’s questions is … just be polite and honest. In general, the auditor is not out to trick or deceive you, so you should return the favor. Here are a few more tips you should know when talking to auditors:

• When talking to an internal auditor, you should feel free to offer any information on the subject being tackled that you feel is important, even if it’s not specifically asked for. Your internal auditors are there to help improve the system for everyone. Don’t be afraid to ask the internal auditor a question or ask for advice.

• When talking to a third-party auditor, you should still be honest, but only answer their question. There is no need to volunteer information with third-party auditors.

Never lie to an auditor… They often know the right answer before they ask the question.

• Answer the auditor’s question directly and with confidence when you know the answer. If you don’t feel very confident about answering a question, you can:

  • Tell the auditor you don’t understand the question, and ask him or her to restate it.

  • Take the time to find the answer in your area’s quality procedures or work instructions. (Remember, that’s what they’re there for!)

  • Ask someone else, such as your manager, for help in answering the question (especially if you feel the question falls outside your job responsibilities).

Remember that the auditors want you to succeed. They are not “out to get you.”

The ISO Audit and Compliance to ISO 9001 Certification Requirements

Wednesday, September 9, 2009
posted by qicguru 8:00 AM

There are two types of auditing that are required to become registered to the standard: auditing by an external certification body (external audit) and audits by internal staff trained for this process (internal audit). The aim is a continual process of review and assessment, to verify that the system is working as it’s supposed to, find out where it can improve and correct or prevent problems identified. It is considered healthier for the internal auditor to audit outside their usual management line, so as to bring a degree of independence to their judgments.

Under the 1994 standard, the auditing process could be adequately addressed by performing “compliance auditing”:

  • Tell me what you do (describe the business process)
  • Show me where it says that (reference the procedure manuals)
  • Prove that this is what happened (exhibit evidence in documented records)

How this led to preventive actions was not clear.

The 2000 standard uses the process approach. While the ISO internal auditor performs similar functions, they are expected to go beyond mere auditing for rote “compliance” by focusing on risk, status and importance. This means they are expected to make more judgments on what is effective, rather than merely adhering to what is formally prescribed. The difference from the previous standard can be explained as follows:

Under the 1994 version, the question was broadly “Are you doing what the manual says you should be doing?”, whereas under the 2000 version, the question is more “Will this process help you achieve your stated objectives? Is it a good process or is there a way to do it better?”

ISO 9001:2008 only introduces clarifications to the existing requirements of ISO 9001:2000 and some changes intended to improve consistency with ISO 14001:2004. There are no new requirements. A quality management system being upgraded just needs to be checked to see if it is following the clarifications introduced in the amended version.

Avoid documentation mistakes

Friday, July 24, 2009
posted by MakingBusinessEasy 11:09 AM

If your company is preparing to become ISO 9001 certified, you should know what you need and what you don’t need. Some companies are overzealous and become obsessed with over-documenting their systems, rather than focusing on what their procedures actually are and documenting them. While ISO 9001 requires documented procedures, the standard doesn’t specify what they should include or how they should be formatted. The fact that many companies miss is that a third-party auditor will not be concerned with the format, but rather with the content of the procedures and how closely they align with what the company actually does.

Documents should be written to define a company’s processes, not to make processes sound more impressive than they are. A common nonconformance found in an ISO audit is not that a company was unable to meet a standard’s requirement, but its inability to meet a requirement in one of its own documents. A company can essentially sabotage itself by over-thinking its documentation. ISO 9001:2008 requires a manual and six documented procedures. Fulfill those requirements; other written procedures are unnecessary.

1. Too much documentation – unnecessary procedures, work instructions, forms, etc.

2. Lack of top management commitment and support – top management pays lip service or does not get involved.

3. Not providing adequate resources – budget, personnel, consultant, training, etc., to get the job done effectively.

4. Resistance to change – some process owners and functional managers may resist changes to processes and accountability for objectives.

5. Not setting realistic timeframes for business management system (BMS) development and implementation.

6. Not providing adequate information and training, resulting in conflicting interpretation of requirements and what needs to get done.

7. Not communicating BMS plans

8. Lack of discipline – personnel not following policies and procedures

9. Not understanding processes and how to use them effectively to manage the business.

10. Policies and procedures imposed by head office or other organizations.

11. Improper use of BMS system tools – e.g., corrective action; management reviews; etc.

12. Not understanding ISO 9001 requirements; not getting external help; and getting poor support and interpretations from the Certification Body.

By recognizing these obstacles and hurdles, you should be able to successfully avoid them on the path to ISO 9001 certification.