At our last Surveillance audit, one of the OFI's was to do Process based Internal Audits, instead of auditing to the elements of the standard.

We had identified the processes already, so if we were to follow the "tracing method", i.e.; if Purchasing was a process, then one could follow an order for steel both backwards and forwards thru the system.

Would we not cover several processes in this case, and have accomplished the auditing of those also? For instance, one would cover Order Entry, Purchasing, Receiving Inspection, Production, Final Audit, etc?

Thanks

At our last Surveillance audit, one of the OFI's was to do Process based Internal Audits, instead of auditing to the elements of the standard.

We had identified the processes already, so if we were to follow the "tracing method", i.e.; if Purchasing was a process, then one could follow an order for steel both backwards and forwards thru the system.

Would we not cover several processes in this case, and have accomplished the auditing of those also? For instance, one would cover Order Entry, Purchasing, Receiving Inspection, Production, Final Audit, etc?

Thanks

Hello 5litre,

Welcome to the Cove!

There are many great threads and posts about (internal) Process Audits.
Interesting, and oh yes....also emotional and very heated at times....

But to give you some idea; take your example of purchasing.
You could begin by simply asking: "What is required of this process?" What are the objectives of the Purchasing Process? We can call this Input.
Next you could ask: "Did this indeed happen?" Did the Purchasing Process deliver the expected results? We call this Output. If the output meets the input requirements, you could say that this is an effective process. If not, you investigate (audit) the elements that make up this process. You could look at people, information, materials, equipment, environment, etc., that impact the process.

Auditing is a process of great discovery to find out where the strengths and opportunities for improvement in the process exist. I don't want to repeat what's already been discussed in the Cove.....but you'll get the idea.

Seek here at the Cove, and you will find.

Wishing you the best.

Stijloor.

Hello 5litre,

Welcome to the Cove!

There are many great threads and posts about (internal) Process Audits.
Interesting, and oh yes....also emotional and very heated at times....

But to give you some idea; take your example of purchasing.
You could begin by simply asking: "What is required of this process?" What are the objectives of the Purchasing Process? We can call this Input.
Next you could ask: "Did this indeed happen?" Did the Purchasing Process deliver the expected results? We call this Output. If the output meets the input requirements, you could say that this is an effective process. If not, you investigate (audit) the elements that make up this process. You could look at people, information, materials, equipment, environment, etc., that impact the process.

Auditing is a process of great discovery to find out where the strengths and opportunities for improvement in the process exist. I don't want to repeat what's already been discussed in the Cove.....but you'll get the idea.

Seek here at the Cove, and you will find.

Wishing you the best.

Stijloor.


I suggest one should begin by reviewing the metrics, the criteria, the inputs and outputs, as preparation. This shows the auditor how effectively the process is performing, and gives some starting audit trails.

Then audit the sequence of the process itself. Flow charts, procedures, work instructions, turtles...whatever you have.

Finally, don't forget to audit the linkages to relevant linked supporting processes. This is where a lot of the efficiencies are lost.

Short, sweet, simple 3 point approach to process auditing.

You could begin by simply asking: "What is required of this process?" What are the objectives of the Purchasing Process? We can call this Input.
Next you could ask: "Did this indeed happen?" Did the Purchasing Process deliver the expected results? We call this Output. If the output meets the input requirements, you could say that this is an effective process. If not, you investigate (audit) the elements that make up this process. You could look at people, information, materials, equipment, environment, etc., that impact the process.



One must be careful not to confuse the difference between what the inputs and outputs are and other requirements for the process, including controls. Certainly, the objectives for the process must be taken into consideration, but they're not inputs. Indeed, they are necessary for the process to be measured and monitored, but inputs, they aren't.

It's just like a vehicle used to complete a journey. You put fuel in it, and you measure acceleration/speed/time or distance covered on that fuel, to meet the objective of getting somewhere as fast or frugally as possible. The output is, of course the work done by the engine, plus noise, exhaust, heat etc (which should add up to the input...)

In your example, the input to purchasing is a demand/requisition for something to be bought, the output is a PO which describes that demand in sufficient detail for a supply to comply. An objective for the process might be the time taken to 'convert' the requisition into an authorized PO placed with a supplier.

As Helmut stated, the internal auditor should have studied these and any process/process control documentation which describes the assignment of their audit. After detailed planning, the auditor must then ask very focused questions of management and have them demonstrate the process is a) being done per the description and b) meeting the objectives set. If it's not performing, what are they doing about it?

Going into an audit without any planning/knowledge of the process and asking vaugue questions will be a voyage of discovery, but that's not what an internal audit is for.......

but how can audit traceability in this case ?

if we audit the sales process for example and we take the example of a order of steel of a new supplier then we should check Order Entry (in Purchasing process ), Receiving Inspection , test during production (in the production process ) , qualification of the new material (technical process )
then the introduction of this supplier in the list of qualified suppliers (prurchasing process) .

In this case we should audit 4 process to verify traceability .

Then the lead auditor sould set during the annnual audits plan an audit (or 2) specific for traceability which checks the interactions between all processes

but how can audit traceability in this case ?

if we audit the sales process for example and we take the example of a order of steel of a new supplier then we should check Order Entry (in Purchasing process ), Receiving Inspection , test during production (in the production process ) , qualification of the new material (technical process )
then the introduction of this supplier in the list of qualified suppliers (prurchasing process) .

In this case we should audit 4 process to verify traceability .

Then the lead auditor sould set during the annnual audits plan an audit (or 2) specific for traceability which checks the interactions between all processes


I would not audit the steel purchase of a new supplier when I am auditing the sales process. The trail would end with the output of sales information going into the purchasing process. Perhaps, I would audit the steel purchase of a new supplier when I am auditing the purchasing process, or perhaps manuafacturing.

Dear 5litre

Sorry , i wrote "sales" process by mistake in my previous post .
i should put "purchasing" process .

Could you please reformulate your answer accordingly .

Tanks .

but how can audit traceability in this case ?

if we audit the sales process for example and we take the example of a order of steel of a new supplier then we should check Order Entry (in Purchasing process ), Receiving Inspection , test during production (in the production process ) , qualification of the new material (technical process )
then the introduction of this supplier in the list of qualified suppliers (prurchasing process) .

In this case we should audit 4 process to verify traceability .

Then the lead auditor sould set during the annnual audits plan an audit (or 2) specific for traceability which checks the interactions between all processes

I'm confused by your question. Why do you want to audit traceability? have you been having a problem with being able to trace products back to mill certs from the steel supplier? When you do an audit, you don't have to cover every conceivable part of ISO 9001 in order to comply. Yes, you need to verify that certain things are done, but in the Purchasing process, the only requirement for traceability you could audit, is the PO requirements that you put on the supplier.

Dear 5litre

Sorry , i wrote "sales" process by mistake in my previous post .
i should put "purchasing" process .

Could you please reformulate your answer accordingly .

Thanks .


Well, yes, it would apply to the purchasing process. That would aytomatically make links to receiving, testing, etc. However, you do not have to audit each of those processes fully, just the links related to this one order.

I set up my schedules to audit each process, core or supporting, in full at some time during the year. Then, I only have to audit the relevant links to each process when they occur.

hjilling makes and excellent point concerning the auditing the links. I audit with several other auditors and have gotten in debates as some auditors believe that as part of the process audit the linked areas must be fully audited to all applicable standard clauses as well, which I do not agree with. Then you could be auditing many of the same cross functional areas such as training or purchasing multiple times, with little or no value.

hjilling makes and excellent point concerning the auditing the links. I audit with several other auditors and have gotten in debates as some auditors believe that as part of the process audit the linked areas must be fully audited to all applicable standard clauses as well, which I do not agree with. Then you could be auditing many of the same cross functional areas such as training or purchasing multiple times, with little or no value.


If you followed their logic to the end, you would continue to audit further and further from the process you began with until you had audited the whole system. It would be like pulling a piece of yarn and unraveling the entire sweater. Very inefficient approach.

I argue if you audit each support process thoroughly, then you know how robust each one is. Then, as you audit each core process, you only need to audit the links.

So, back to the original question......would I in actuality have audited 3-4 processes in my example? Would this fly with my registrar during a surveillance audit?

And how do you incorporate all the elements of the standard when auditing in this manner? ie: How does this relate to the Quality Policy / Mgmt Review?

Thanks

So, back to the original question......would I in actuality have audited 3-4 processes in my example? Would this fly with my registrar during a surveillance audit?

And how do you incorporate all the elements of the standard when auditing in this manner? ie: How does this relate to the Quality Policy / Mgmt Review?

Thanks

If the audit records show that all 4 were fully audited, along with the metrics for each, and the links to related core and supporting processes, then, yes, you should be able to take crdeit for auditing 4 processes.

If however, you audited primarily purchasing, and the others were just audited a little to establish the linkages, then you probably only audited Purchasing, per se.

You are quite at liberty to select whatever processes you want to audit, at whatever audit frequency you select - as long as it is based on 'status and importance".......etc.

If you can show auditing has considered the process approach, then I see no problem with being prepared for your upcoming surveillance. You don't have to have a whole calendar of audits scheduled out and you don't have to cover all the requirements every year etc. These are just 'wishes' of your external auditors. I'd suggest they should keep wishing and you can focus your audits on what processes are new/changed or performing poorly to plan.

There's some great guidance in ISO 9004 on this matter.:read:

Have a look for a thread which I posted a 'football' diagram (I'm away from my own computer so can't repost it) and take a look at that. It should help you get grasp of the way a process can be audited. I've even had external auditors recommend this approach to their clients, when they've seen me use it!!:lol:

So, back to the original question......would I in actuality have audited 3-4 processes in my example? Would this fly with my registrar during a surveillance audit?

And how do you incorporate all the elements of the standard when auditing in this manner? ie: How does this relate to the Quality Policy / Mgmt Review?

ThanksYou would not be auditing all four processes. You'd be auditing how effectively those four processes interact with, or support the original process. So you might visit four people, but three of them only briefly in order to verify their effective parts in handling the sample you drew when you started. If these other three processes are planned to receive their own audits, now isn't the best time. This one action can't really count as auditing all four of them for surveillance purposes unless you drew a large enough sample and were thorough while covering the questions in all these four groups. I would soon feel muddled.

Not every clause can reasonably be covered in every audit. You'd need to plan to ask a minimum of certain questions regarding needed controls such as how nonconformances are handled, how the process owner knows things are going well, traceability, control of documents and records, preservation of product, training and so on. Other questions can regard how well the process is being performed to plan, the outcomes, how managers are informed of problems and their responses, the auditees' awareness levels, and so on. You might want to examine the procedures to see how well they provide the needed plans to maintain compliance and value to the organization--I call that a "desk audit." It plays a part in almost all of my audits, as well as a review of computerized records that verify the process is going according to plan and in compliance to standard(s).

That said, you're not limited to a scope. If you're on a shop floor doing an audit of a certain process, I think it's a fine idea to record PMs, calibration, cleanliness, and safety aspects while you're there. Then, when it's time to audit these processes (planned maintenance, calibration etc) the sample has already been taken and compliance had been verified; you'd only need to audit the processes' management.

This last point is why I think process auditing is a good idea. It gives a chance to find a problem in any one of these contributing areas in between their regularly scheduled audits.

An audit management tool attached in this thread (http://elsmar.com/Forums/showthread.php?t=19223) includes a count of the times clauses have been covered in audits. Look way to the right on the spreadsheet.

Management reviews the audit metrics, and other things they find important like nonconformance data. Management is welcome to look at audit reports, but doesn't need to know details of how the audits were done or how the program knows if the standard is completely covered--unless they ask, of course. ;)

I hope this helps!

Hello 5litre,

Welcome to the Cove!

There are many great threads and posts about (internal) Process Audits.
Interesting, and oh yes....also emotional and very heated at times....

But to give you some idea; take your example of purchasing.
You could begin by simply asking: "What is required of this process?" What are the objectives of the Purchasing Process? We can call this Input.
Next you could ask: "Did this indeed happen?" Did the Purchasing Process deliver the expected results? We call this Output. If the output meets the input requirements, you could say that this is an effective process. If not, you investigate (audit) the elements that make up this process. You could look at people, information, materials, equipment, environment, etc., that impact the process.

Auditing is a process of great discovery to find out where the strengths and opportunities for improvement in the process exist. I don't want to repeat what's already been discussed in the Cove.....but you'll get the idea.

Seek here at the Cove, and you will find.

Wishing you the best.

Stijloor.

In addition to INPUTS and OUTPUTS when process auditing I have found it useful to look at:

CONTROLS What is in place to control this process(regs "EHS" "ISO" "FDA", Policies, SOPs, WI, Training, spot checks, KPI's, etc etc)

RESOURCES Is there sufficient resource to support the process (Equipment, people, IT Tools, Transport, facilities, etc etc)

Look at these in conjunction with Stijloor's above and I believe not only will you be performing a process audit but also improving the quality of the report and unearthing findings that might not have been found with a traditional approach. This provides opportunities for improvements that will benefit the process as a whole and not just fragments of it.

Anyway thats my thoughts

Good Luck:rolleyes:

RESOURCES[/B] Is there sufficient resource to support the process (Equipment, people, IT Tools, Transport, facilities, etc etc)


Ever found resource deficiencies and, if so, how did you raise it and what was the management decision?

RESOURCES[/B] Is there sufficient resource to support the process (Equipment, people, IT Tools, Transport, facilities, etc etc)


Ever found resource deficiencies and, if so, how did you raise it and what was the management decision?

If their really was inadequate resource under section 5.1 (e) Management Commitment, supply of resources.

Bear in mind that resource does not only refer to people, but; equipment, IT infrastructire, tools, training etc etc

hope this help vindaloo man :rolleyes:

If their really was inadequate resource under section 5.1 (e) Management Commitment, supply of resources.

Bear in mind that resource does not only refer to people, but; equipment, IT infrastructire, tools, training etc etc

hope this help vindaloo man :rolleyes:

So you haven't raised any observations for inadequate, insufficient, ineffective resources? Has anybody?

So you haven't raised any observations for inadequate, insufficient, ineffective resources? Has anybody?



I have a few times, but as a last resort. This finding can cause a lot of argument.

I agree with Helmut. It's really difficult to 'pin' a non-conformance to that one. What I have been careful to look at is if the QMS helps people work smart and not hard - like not calibrating everything at a given frequency, just because the manufacturer said so, etc. So, when I see data being used to enable clear decisions about the effectiveness and efficiency of the qms, I'm thinking the system will have enough intelligence/maturity that 'resources' will be looked after.........

ISO9000 says management responsibility includes 'ensure availability of resources' and all my regulations (GMP, GLP, GCLP) have words like 'ensure sufficient number of personnel, equipment, facilities'. Most of our clients are always interested in how much work we are engaged in, whether we have enough people to do the work, and whether we have sufficient space. I have planned an audit of 'Organisation & Personnel' for next week so I was starting to think how I would approach it with some interviews with senior management (I know I have to be careful and clever). Any tips would be most welcome.