Posts Tagged ‘Internal audit’
ISO 9001 Internal Auditing What, When, How?
Most companies understand the idea of auditing but not the concept of “Process Auditing” as expected to be compliant within both ISO 9001 and their own quality management system. Even companies that are currently registered to the standard may not have a thorough means for evaluating its processes through their internal audit program. Which processes are expected to be audited under ISO 9001?
The ISO 9001:2008 standard is quite vague as to what should to be audited or even how often these processes should be reviewed. The standard indicates that audits be carried out at planned intervals to determine whether the quality management system conforms to the planned arrangements, to the requirements of the standard and the organizations own quality management system requirements. So what is an appropriate interval for your company? Ask yourself,” What is the worst that can happen and where could it happen”? Where are we having the most problems now? Look at your interrelationship of processes and pinpoint the likely areas that have the most chance of resulting in non-conformance. Conduct a risk assessment to determine where the highest risks are, and which risks may produce the most significant impact on your product performance (Status and importance of the processes). Now audit these processes, interview staff, observe activities and view relevant records then determine if there are weaknesses and assign corrective actions. Go back to these areas after the corrective actions are put in place and determine if the actions have accomplished the desired effect. If the actions are effective, close out the audit and move on to the next process.
Don’t audit a process for the sake of having an audit record to show an auditor. If a process is functioning properly it does not need to be audited once a year. Nowhere in the ISO 9001 standard does it say you have to audit all of your processes once a year. You are in the driver seat, and you will determine what, when, and how you will audit your system.
ISO 9001 Done Right, Done Wrong, What is the Ultimate Goal?
I have had the chance, as a consultant and Lead QMS Auditor, to see ISO 9001 in companies big and small in many industries such as manufacturing, service, technology, aerospace, warehousing and others. I’ve grown to understand a few things that seem to make all the difference in how ISO 9001 impacts an organization, either positively or negatively.
In the worst of circumstances, some companies regard their ISO 9001 certification as an accessory that has been uncomfortably inserted into the fabric of the organization. In these companies, ISO 9001 is something to present to an auditor once a year. When the annual audit comes due, everyone rushes around to tidy up the place because “we can’t allow them to see how we really live”. Somehow they placate the auditor enough to come away with an extensive list of corrective actions to address, while still retaining their certification. Once the auditor leaves, the “QMS” is quickly shoved aside so it is out of the way of the “actual” business that needs to get done.
Somewhat better are those companies who at least try to keep up with everything through the year unless an “emergency” comes up or everyone becomes too busy. Unfortunately the crisis-of-the-month and the too-busy-with-the-customer excuses are quite routine and, worse, acceptable justification to “work around the system”. In too many cases these short term lapses become the standard operating procedure. Once the dust settles things get mostly caught up until the next “all hands on deck” is signaled. These companies commonly think of ISO as a “necessary evil” that has to be tolerated.
On the flip side, there are a significant number of ISO 9001 certified organizations who appear to “get it” when it comes to achieving real value from their ISO 9001 quality management system and have incorporated it into their daily business processes. In these companies, the management team has learned how to use the requirements imposed by the standard to their advantage by solving real problems and consistently achieve real improvements in business objectives. These organizations actually achieve real benefits by using the standard as a lever for improving both customer satisfaction and their own bottom line.
I have worked with many ISO 9001 success stories over the years and have come to realize that there are a few unmistakable similarities in how they were able to reached their goals .
In either case, the “magical prescription” to achieve genuine value from IS0 9001 are a direct result of:
- Keeping it simple (K.I.S.S)!
- Focusing on business importance!
- Never doing anything just to please an auditor!
A Better Way to Manage Internal Audits and Management Reviews
Many organizations struggle with how to manage and maintain their internal audit and management review processes. While no one sets out to deliberately miss manage these processes, they can take on a life of their own. So, how do you better manage these processes? The ISO 9001 standard does not expressly tell you how, but it does tell you what is expected. Does the standard say you have to actually meet to satisfy this clause of the standard or does it tell you that you have to review the necessary criteria at set interval? If it were possible for top management to review all of the in-puts and out-puts of a management review and assign actions with follow-up, without actually sitting in a meeting, how much more time could be spent on actually improving your systems?
Meeting/audit module in CIS Software is a powerful management action item tool and may be used for many other functions other than just meetings and audits. Because of its design and ability to assign action items to a manager or group of managers and to follow-up on these action items until completion, this module is truly invaluable.
By using the meeting/audit module, there is no need to hold follow-up meetings to review and ensure that previous action items from a meeting or internal audit were completed. Since holding these follow-up meetings is the normal management approach in most organizations, this module alone will cut your valuable meeting time by more than 30 %.
Furthermore, the meeting/audit module includes special tools for Process Auditing. Since the management meetings are all shown on the master calendar and audits may be scheduled monthly, quarterly or yearly, the internal audit plan is always at the click of a mouse. Furthermore, the auditor and auditee is always informed of these audits on their personal calendar and on the master calendar
WHAT IF WE DON’T PASS THE ISO 9001 REGISTRATION AUDIT?
There are basically three things that can happen in a registration audit:
- Your company may “pass ”the iso audit, (in official language, your company will be “recommended for registration”), in which case the company will receive its official registration in about a month.
- Your company may be told that a follow-up visit must be scheduled and that if corrective action on all nonconformities found during the audit is successfully completed by that visit, registration will be issued.
- Your registrar may find that your company has quite a bit of work to do before it will be ready for registration, and another registration audit will have to be scheduled.
In all cases, the registration auditor will report all findings to your management before he or she leaves, so that your company knows where it stands.
The ISO Audit and Compliance to ISO 9001 Certification Requirements
There are two types of auditing that are required, to become registered to the standard: auditing by an external certification body (external audit) and audits by internal staff trained for this process (internal audit). The aim is a continual process of review and assessment, to verify that the system is working as it’s supposed to, find out where it can improve and to correct or prevent problems identified. It is considered healthier for the internal auditor to audit outside their usual management line, so as to bring a degree of independence to their judgments.
Under the 1994 standard, the auditing process could be adequately addressed by performing “compliance auditing”:
- Tell me what you do (describe the business process)
- Show me where it says that (reference the procedure manuals)
- Prove that this is what happened (exhibit evidence in documented records)
How this led to preventive actions was not clear.
The 2000 standard uses the process approach. While the iso internal auditor performs similar functions, they are expected to go beyond mere auditing for rote “compliance” by focusing on risk, status and importance. This means they are expected to make more judgments on what is effective, rather than merely adhering to what is formally prescribed. The difference from the previous standard can be explained as follows:
Under the 1994 version, the question was broadly “Are you doing what the manual says you should be doing?”, whereas under the 2000 version, the question is more “Will this process help you achieve your stated objectives? Is it a good process or is there a way to do it better?”
ISO 9001:2008 only introduces clarifications to the existing requirements of ISO 9001:2000 and some changes intended to improve consistency with ISO 14001:2004. There are no new requirements. A quality management system being upgraded just needs to be checked to see if it is following the clarifications introduced in the amended version.
The Real Purpose of The Internal Audit
How a management system is audited and the data that comes out of a management system is analyzed will directly relate to how much money a company saves by using an ISO 9001 system. If a company wants the most from its internal audit system, it must go above and beyond checking to see if it does what it says, says what it does.” Questions such as these must be asked:
- How is the effectiveness of this process measured?
- What is done when desired results are not achieved?
- Why is something done in a certain way?
- How do other departments affect this process?
- What could improve this process?· What are some preventive actions that can be taken or have already been implemented for this process to prevent a potential problem?
The answers to these questions are what management will review to decide if it needs to, or should, take action to improve the process. The management team does not really care about pages of filled out checklists in a book that says the processes match the procedures and that there were no findings. If the management team is going to invest time and resources into the iso internal audit activity, it wants to have information brought to it on how it can improve processes and ultimately make the company better.
Documenting a management system: The Manual
The first step in implementing an ISO 9001 system is to document a quality management system. The required documentation is a quality manual that could be called a business systems manual because it covers the scope of the entire business, not just the quality aspects. There also are six required procedures (control of documents; control of records; internal audits; and control of nonconforming product, corrective action and preventive action). The company may define any additional documentation.
The business systems manual. There are three requirements to be included:
1. A scope that includes any exclusions
2. The procedures or reference to the procedures for the management system
3. A complete description of the interaction between the various processes that are required to operate the business.
These are the only requirements of a manual. Yet so many companies write 30- to 60-page manuals that have so much detail and often refer to outdated processes or requirements. When written correctly, the manual could be a perfect marketing tool to send to customers that simply tells them the scope of the management system and provides a picture of the interrelation of processes. The interrelation of processes can be as simple as an overall picture of how a company’s processes flow, and needs to incorporate control of production/service (planning, measuring and monitoring) and continual improvement processes (control of nonconforming, corrective and preventive action, and internal audit, analysis of data and management review).
Quality Management Principle (# 8 Mutually beneficial supplier relationships )
An organization and its suppliers are interdependent and a mutually beneficial relationship enhances the ability of both to create value
Key benefits:
- Increased ability to create value for both parties.
- Flexibility and speed of joint responses to changing market or customer needs and expectations.
- Optimization of costs and resources.
Applying the principles of mutually beneficial supplier relationships typically leads to:
- Establishing relationships that balance short-term gains with long-term considerations.
- Pooling of expertise and resources with partners.
- Identifying and selecting key suppliers.
- Clear and open communication.
- Sharing information and future plans.
- Establishing joint development and improvement activities.
- Inspiring, encouraging and recognizing improvements and achievements by suppliers.
Quality Management Principle (# 7 Factual approach to decision making )
Effective decisions are based on the analysis of data and information
Key benefits:
- Informed decisions.
- An increased ability to demonstrate the effectiveness of past decisions through reference to factual records.
- Increased ability to review, challenge and change opinions and decisions.
Applying the principle of factual approach to decision making typically leads to:
- Ensuring that data and information are sufficiently accurate and reliable.
- Making data accessible to those who need it.
- Analysing data and information using valid methods.
- Making decisions and taking action based on factual analysis, balanced with experience and intuition.
- Stronger quality management systems
Auditing Calibration: ISO 9001
In the internal auditing of monitoring and measuring processes, it is important for auditors to understand the difference between monitoring and measuring:
1. monitoring implies observing, supervising, keeping under review (using monitoring devices); it can involve measuring or testing at intervals, especially for the purpose of regulation or control
2. measuring considers the determination of a physical quantity, magnitude or dimension (using measuring equipment)
Section 7.6 of the ISO 9001:2008 standard requires that an organization must determine the monitoring and measurement to be done and the monitoring and measurement equipment needed to provide evidence of conformance of products to requirements.
Auditors should confirm that, in addition to providing the necessary calibration records and assuring the related measurement uncertainty and traceability, their organization is aware of and has implemented, as appropriate, a metrological confirmation system as described in ISO 10012 adequate to the extent and types of the measurements performed.
The internal auditor needs to understand how their organization performs process control and the impact that the information, obtained from using these “devices”, has on this process control.
When the impact is relevant, auditors should evaluate issues such as:
- How their organization validates that “the monitoring and measuring device” is consistent with the monitoring and measurement requirements.
- How their organization assures the information validity.
- The competence of the responsible to design “the monitoring and measuring device”
- How their organization validate the consistency of the results