
Audit - Definition of what an audit is - Is there more to auditing?


M Greenaway
22nd January 2003, 08:53 AM
Stumbled on this quite interesting site, which will open up on the discussion forum (read the slating comments on ISO auditors).

http://www.iia.org.uk/knowledgecentre/q&a/discussion.cfm

Claes Gefvenberg
22nd January 2003, 10:45 AM
Thanks Martin,

Yes.... Interesting site.... Were you thinking about any particular post?

/Claes

M Greenaway
22nd January 2003, 03:15 PM
None in particular Claes, just thought it might interest others.

I stumbled on it today thinking 'who are these guys trying to steal the IRCA's limelight' and was very interested in the 'wider' world of auditing shown in this website. I was particularly interested in the comments made in the discussion forum that showed a certain disdain for ISO9000 internal auditors that felt they knew it all about auditing.

I was also interested to read their definition of what an audit is, particularly the openness of it being a 'consultancy' exercise as well - in the ISO world we would smart at such suggestions.

I think those interested in auditing could do well to see what these guys are about - I even saw that someone was doing an MSc in Auditing !!

I think the site also shows how the ISO9000 world is in 'catch up' regarding auditing effectiveness, comments made in the discussion forum suggest that these guys see ISO auditors as 'box ticking policemen' - perhaps true, very interesting !

Jimmy Olson
22nd January 2003, 05:44 PM
The problem with considering the comments on that site is that it is not geared towards quality auditors, but financial auditors instead.

Financial and business auditors have always looked down their noses at quality auditors and consider quality audits a waste of time. However, with things changing, they may be looking to the quality auditors when they have to start looking at business processes.

Jimmy Olson
22nd January 2003, 06:44 PM
Hi Jim :bigwave:

Sorry to disappoint you, but I won't be drawn into a debate on semantics by a trick question. :D

Jimmy Olson
22nd January 2003, 07:26 PM
Ok Jim, I will give you the benefit of the doubt :D

When I mentioned Quality Auditors I was using a generic term to refer to a traditional ISO Quality Systems Auditor. This is in contrast to a Financial Auditor who will primarily focus on the finance side of a business. As it stands now, there is a difference between the two, even though they are similar. But, both sides are going to have to adapt in the future as they begin to merge.

Jimmy Olson
22nd January 2003, 08:32 PM
Jim,

I do think the role of a quality auditor does need to change. I know of too many internal auditors that could quote the standard word for word, but don't understand anything about how their company operates. In order to be an effective auditor I think you need to understand the various processes of the company and how they all relate to each other.

I'm not sure about managers being part of the audit team, but they definitely need to support the audit program (so I guess in a way they would be part of the team). The auditor role should still fall to one or two people (or however many depending on company size). But the auditor should have a wider range of skills and knowledge than what is provided in a traditional ISO 9001 auditor course. This is why I see a merging of auditors being a good idea. If you have a person who understands the company processes and also has an understanding of business practices, I think this would be an ideal person to conduct audits. This would also be very beneficial to the company as well.

Sure, you're required to check compliance to the standard, but why stop there? Check to see if all the processes are effective and efficient and look for areas to improve.

M Greenaway
23rd January 2003, 04:53 AM
Jim

My thoughts are that you cannot check for compliance to ISO9001 from a desk, you have to see what is actually being done complies.

I do agree that efficiency and effectiveness checks, and the degree to which we meet objectives are better done by other formal measurement methods, and in fact ISO9001 tells us to do this 'outside' of the audit process in clause 8.2.3 on measurement of processes.

M Greenaway
23rd January 2003, 08:30 AM
Jim

I appreciate the argument, but how does that fit with the ISO9001 clause 8.2.2 on INTERNAL audit, where it says that this process shall determine whether the QMS conforms to the requirements of ISO9001.

Also would anyone consider that a six monthly review of the system by an external body is adequate to determine the conformance of the system ?

(assuming that those that chose the ISO9001 model did so because they wanted their system to match it for positive benefits)

Craig H.
23rd January 2003, 08:55 AM
For what it's worth, I agree that the monitoring of the quality system must be an ongoing process. However, the bi-yearly look at that system by someone who is not working within it can be valuable precisely because they are not involved in the system.

M Greenaway
23rd January 2003, 09:16 AM
Craig

Although the third party auditors are not involved with the system they may have a certain vested interest in keeping us sweet maybe - just an opinion.

Jim

I said nothing about the format of the audit, and never mentioned clipboard checks as a requirement. The requirement is:-

"ISO 9001:2000, Quality management systems – Requirements
8.2.2 Internal audit
The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and
b) is effectively implemented and maintained."

i.e. Internal audits must determine system conformance to ISO9001.

Craig H.
23rd January 2003, 09:35 AM
M Greenaway said:

Craig

Although the third party auditors are not involved with the system they may have a certain vested interest in keeping us sweet maybe - just an opinion.



Martin:

Yes, it depends on the auditor, does it not? We can hire "yes men" or we can actually try to get same value for our money and effort.

Craig

M Greenaway
23rd January 2003, 10:48 AM
True Craig, very good point.

OK so how do we get around the 'requirement' of ISO9001 regarding internal auditing addressing the conformance of the system to the requirements of ISO9001 ?

Can we say that this part of the internal audit process is in effect sub-contracted to our third party auditor ?

That's the only way I see around it, but it does rather bend the rules in my opinion.

Also why would we want to bend the rules to such an extent ? Can we really get nothing out of conducting internal audits against the requirements of the standard ??

Mike S.
23rd January 2003, 11:12 AM
I was just thinking (I know -- dangerous stuff). What if we look at it from a different angle?

If we get the cert from the registrar, they agree that at that time we are compliant "to the requirements of" the standard, so our procedures and processes as well as our documentation is compliant at that time, right?

As time goes by let's say we decide to change something -- a procedure for contract review, for one example. If a knowledgeable person (auditor, QM, etc.) reviews the change and agrees that it is still compliant to the standard's requirements, we should be safe there. If all changes are thusly approved to ensure ISO compliance prior to the change implementation the idea of checking procedures, processes, and documentation during an "internal audit" for conformance to the standard might be redundant. Most of the audit time could then be spent on ensuring that the procedures, processes, and documentation is actually being FOLLOWED/DONE as written or determined, and that they are effective, and looking for those elusive "opportunities for improvement".

Maybe this is what Jim is aiming at? :confused:

M Greenaway
23rd January 2003, 11:45 AM
Mike

Yes it's a very strong argument for the redundancy of the requirement to internal audit against the requirements of the standard. However isn't it reliant on us having documents for everything we do ?

Mike S.
23rd January 2003, 12:21 PM
Martin,

I don't think it is reliant on having docs for everything, but I admit to being undecided on the issue of new/different ways to audit. I'm still thinking on it. If I have a procedure that is unwritten -- say it is done by training and no written procedure is required by ISO or internal need -- and it was acceptable to be that way when I got the cert, it should be okay unless/until I change it. If/when I change it, if I first review to make sure that the proposed new way is still compliant, I should be okay and not need to verify compliance of that procedure to ISO during some later internal audit. I may need to verify by later audit that the users are actually following this new procedure at a later date, but the issue of conformity to ISO is already handled. Or am I missing something?

M Greenaway
23rd January 2003, 12:37 PM
OK Mike.

So where you do not have a written procedure the ISO auditor would have to audit the witnessed activity against the requirements of the standard would they not ?

It couldn't just be a desk audit could it ?

Mike S.
23rd January 2003, 02:45 PM
M Greenaway said:
OK Mike.
So where you do not have a written procedure the ISO auditor would have to audit the witnessed activity against the requirements of the standard would they not ?

It couldn't just be a desk audit could it ?

In my scenario, where the procedures are not written, the ISO registrar auditor "would have to audit the witnessed activity against the requirements of the standard", yes. If it was not compliant, no cert. So, let's say it is compliant and I get the cert. Unless/until I formally change that procedure, or unless/until someone stops following the procedure properly (unauthorized change) we are compliant there -- no need to re-verify compliance to the ISO std. Yes, the person running the process could stop following it and do something else on his own (unauthorized change), but this could also happen if there were a written procedure.

So, most of my time is spent making sure that the approved procedure (whether written or not) is actually being done (not whether it is ISO compliant) and looking for opportunities for improvement.

Changes would get a "real-time audit" at the time of consideration for approval to verify ISO compliance.

I'm not trying to be argumentative here -- but tell me where you think I'm screwed-up (anyone).

Jimmy Olson
23rd January 2003, 03:42 PM
We've adopted the following audit philosophy here. The requirements of the standard are verified by the external auditor. The registrar confirms that our documentation and procedures satisfy the standard. When we do internal audits, we look at our own procedures and verify that they are being followed and that they are effective. However, we do verify things with the standard so that we can say we are checking compliance, but the primary focus of the audits is looking at effectiveness and areas for improvement.

Basically, we do it the way that is most valuable for us, and then jump through the hoops when doing the paperwork to keep the external auditor happy. :vfunny: :bonk:

Craig H.
23rd January 2003, 04:09 PM
Richard, I could just about copy your post and put my name on it, too. That's pretty much what we do. At the beginning of each internal audit, the auditors look at the procedures relevant to the area (yes, they are written) and we talk about the relevant parts of the std.

In the areas that we have audited before, although I really haven't thought of it until Mike just brought it up, we are mostly looking for unauthorized changes. Most of ensuring compliance of the standard is my job - when I design parts of the system. Of course, QA gets audited too, so that is when most of the checking up on me (and standard compliance) is done. Except, of course, for the visits of the friendly neighborhood 3rd party auditor.

In the past, the parts of the standard were not included on the internal audit schedule. As I make up our new schedule, I am going to try to name the areas of the standard that apply to each subprocess/group in an attempt to put a little more emphasis on that, especially as our ISO 9001:2000 pieces are so young.

Mike S.
23rd January 2003, 05:24 PM
Richard Olson said:
However, we do verify things with the standard so that we can say we are checking compliance, but the primary focus of the audits is looking at effectiveness and areas for improvement.

Richard,

What "things" do you verify with the standard during internal audits? Do you only check CHANGED things to verify they conform?

As I run things thru my little mind I can see the possibility where if a company allows department managers, process managers, etc. to change procedures and, at the time of the change, no one audits them for ISO compliance, then periodic internal audits would need to check for compliance. If no changes are made, I cannot see a need for audits for ISO compliance. Am I off base?

Craig H.
23rd January 2003, 05:41 PM
Mike S. said:

I can see the possibility where if a company allows department managers, process managers, etc. to change procedures and, at the time of the change, no one audits them for ISO compliance, then periodic internal audits would need to check for compliance. If no changes are made, I cannot see a need for audits for ISO compliance. Am I off base?

Mike, I think you have it. The only thing I would add at this point is something our Engineering Department does to me every now and again: adding procedures without letting me know, and with no signature, rev. date, etc. Somehow, even with our internal audits, our external auditor has a way of sniffing them out. Internal audits are another chance to catch that kind of thing (didn't you call them "unauthorized changes" a few posts ago, come to think of it?).

Craig H.

:eek:

Jimmy Olson
23rd January 2003, 05:54 PM
Mike S. said:
What "things" do you verify with the standard during internal audits? Do you only check CHANGED things to verify they conform?

We basically cross reference to the procedure in case the question comes up about checking compliance to the standard. Each of our written procedures indicates the relevant element of the standard and we periodically check it against the standard.

As far as checking any changes, that is done when the change is made, to make sure it still satisfies the standard. We do everything we can to prevent people making unauthorized changes. Any changes have to go through the relevant people and through quality so that it is checked, and everything is protected against unauthorized changes. Basically, it has to be signed off and agreed on before it's changed in the system. Of course it's impossible to prevent anything from ever happening, but we control it as much as possible.

Jimmy Olson
23rd January 2003, 06:24 PM
Jim Wade said:

Unless, of course, your organization is one of the many that believes that reducing the number of discovered nonconformities is a meaningful objective!


Are you saying that it's not a good thing to strive for improvement? Or perfection (even though that's impossible)?

I think it's a good thing to shoot for reducing the number of non-conformances. That shows that you are playing by the rules (even though you might not agree with or like the rules). If you get through an external audit without any non-conformances, that means you have a very good QMS in place (or you're good at hiding stuff :vfunny: ). Granted, just having a good QMS doesn't mean much on its own, but it's still a pretty good accomplishment.

Jimmy Olson
23rd January 2003, 06:45 PM
Something is going on today. This is the second time today that someone has responded to one of my posts and called me the wrong name. I don't think I have an alter-ego personality on here. Or do I? :confused: :bonk: :confused:


I agree that using the internal audit process as a tool to avoid NCs during the external audit is a waste, but realistically, isn't that sort of what you're doing? You look for problems during the internal audit and fix them. It just happens to work out that you find the problems before someone else does. But, that shouldn't be the focus of your audit.

You should be looking for problems so that you can improve the effectiveness of the company, not so you can improve your external audit reports. The fact that your external audits get better is coincidence.

Jimmy Olson
23rd January 2003, 07:09 PM
Jim Wade said:

Sorry Richard, I have no idea how that happened. But I do know who was to blame and I shall punish him.

I think our views on this point are close enough, don't you? :agree:

rgds Jim


No problem. I've been called plenty of other names that can't be mentioned here :vfunny:

I would agree that we are expressing the same point, just saying it differently. :agree:

M Greenaway
24th January 2003, 04:58 AM
Mike

Can you elaborate on how you would formally approve a procedure where there is no formal procedure ?

Is this reliant on you holding in your memory the way everyone does their job ??

Jim

You say checking ISO9001 compliance is a waste of time and money, with deepest respect that is just your opinion isn't it ?

Isn't ISO9001 supposed to be a good and effective model for quality management, thus by complying with it aren't we ensuring our system continues to be good and effective ?

The only answer to this, as I see it, is that ISO9001 is not a useful model for anything, in which case why re-invent the audit process ? Why not just jack it all in ??

M Greenaway
24th January 2003, 06:54 AM
Jim

Sorry to be repetitive, but how do you control the changes?

I do agree with your argument to an extent in theory, i.e. if our third party auditors say our system is OK then it will continue to be OK unless we change something, no need to keep re-checking - sure.

But how do we control the changes, particularly in an ISO9001:2000 company where documented procedures might be minimal ?

Can we rely on our external auditors picking it up, where they often operate systems that audit the entire QMS over the period of the three year certificate duration, as such a process might only get audited once in three years against the standard ?

Isn't it perhaps the purpose of internal audit to pick up on these changes, due to perhaps 'natural drift'?

M Greenaway
24th January 2003, 07:44 AM
Jim

These changes, quote:-

"The registrar gives us a certificate that we comply. We then, as long as we actually operate our own system, continue to comply. We no longer need to check (until the system changes and then a quick deskcheck does the trick). "

If the system changes, and it is not a documented part of the system, how do we do a desk check ?

Checking compliance IS a requirement of ISO9001:2000, and was also a requirement of the 1994 standard. In fact the whole concept of an audit, in its broadest definition and encompassing all its variants, including financial audits, includes checking compliance.

M Greenaway
24th January 2003, 08:21 AM
Jim

You are forgiven.

Can't figure out how to quote properly in my posts, but you said:-

"I guess the answer is that the checker asks herself "does this change (that I've heard about but no-one cares enough about to document) mean that we no longer meet a requirement of ISO 9001?" and then acts according to the answer she gives herself. "

OK, so we are reliant on hearsay to identify system changes, which seems pretty weak, however you then go on to say that the checker asks whether the change meets ISO9001 requirements and acts accordingly.

That's internal audit, that is what it does and what it is there for !!

So in order to strengthen the capture of system changes, lets schedule visits to all areas of the business over the course of the year, just in case the hearsay network is not functioning effectively.

Sounds good to me !

Sorry isn't that what we have done for years ?

M Greenaway
24th January 2003, 08:42 AM
Sure Jim

I cannot see that reliance on external certification audits will adequately keep a company compliant to ISO9001 (again assuming that a company chooses the ISO9001 model as a good thing, and wants to comply).

I cannot see that the argument that an external auditor can do a desk check for compliance is possible, unless every activity of the business is formally documented.

I cannot see the point of formally documenting every business process purely for the purposes of external audit.

I don't understand the desire of a company that chooses to model itself on ISO9001 then wanting to keep its employees ignorant of its requirements.

Agreed to disagree - I very much look forward to your article in Quality World and compiling my response (hope they will publish that too).

;)

Craig H.
24th January 2003, 09:15 AM
Jim Wade said:

But isn't that good news Craig? You pay them to do just that!

Unless, of course, your organization is one of the many that believes that reducing the number of discovered nonconformities is a meaningful objective!

rgds Jim

Jim, OF COURSE it's good. Embarrassing, too.

Craig H.

M Greenaway
24th January 2003, 09:51 AM
Jim

Who "assumed it meant check people follow procedures" ?

Not me - but I accept a lot did, fortunately I was trained by a very good instructor.

Did the ISO9001 authors also realise a mistake from the 1994 standard when they explicitly stated the need to check compliance to ISO9001 during internal audit in the 2000 revision ?

As to doing things purely for external audit purposes, I seem to recall in other threads that have touched on this subject that you stated that in order to facilitate the desk audit by the third party assessor, that you create some document which states how the company addresses each requirement of the standard (like an old style quality manual if you will).

And finally (phew) I think Craig made a good point about not selecting 'yes men' as auditors, is that what you have done in showing your proposal to 'several registrars' of which only one has issued an ISO9001 cert against this model ?

And finally finally (gee whizz) you have often openly condemned the whole third party certification process, so what value does your finding a registrar that certifies you prove ??

M Greenaway
24th January 2003, 04:47 PM
So wouldn't periodically checking that you continue to comply with the bits of ISO9001 THAT YOU LIKE through internal audit be useful, just in case of 'natural drift' ?

M Greenaway
26th January 2003, 02:11 PM
Jim

The cause of 'natural drift' in your scenario may well be due to the fact that no-one is allowed 'access' and knowledge of the ISO9001 standard - perhaps.

I agree that for the majority 'compliance' is to do with 'maintaining certification', but even if we are that short sighted we should still possibly get some value shouldn't we, after all this standard is supposed to be a good set of rules for managing quality, not just a random selection of tasks required for initiation ?

It sounds to me like your knocking of common auditing practices is not actually any fault of auditing, more fault, or perceived weakness in the standard itself.