ISO 9001 Implementation in a Very Small Company

[Marc]

From: ISO Standards Discussion
Date: Mon, 14 Feb 2000 08:52:16 -0600
Subject: Re: Q: Very small company ISO implementation /Daniels/Humphires

From: Edwin Humphries

Phil & Susan

> I have been asked to assist a company of 2 people (and an
> out-of-town CEO) to implement ISO 9001. They design and
> sell unique products mainly to the military, although they are
> beginning to market them commercially. They do no
> manufacturing, their drawings are done by the engineering
> company that designs their molds. They purchase some
> components which they provide to their subcontractor who
> molds other parts, assembles units, and final packs the
> product.

That's one better than me: I've only helped a 3-person company (plus part-time CEO) to ISO 9001 certification.

> With only 2-3 people to perform all the tasks of running such
> an enterprise most responsibilities are shared to some extent.
> So the question becomes: How do you deal with Internal
> Audits? No one is truly "independent of those having direct
> responsibility for the activity being audited." Would this be a
> good place for an outside Internal Auditor?

For very small companies (we call them micro-businesses in Australia) Internal Audit is a major problem. In the case of the 3-person company, they had a sister company, and sub-contracted the task to them. I think sub-contracting is the way to go; there are alternative solutions that rely on informally networked companies sharing audit resources, but confidentiality issues come in to play.

The problem is to whom the company sub-contracts. There are several issues:

a) As a consultant, I help the company identify the issues, & review their options and needs. Then, if they decide on a sub-contract, offer to tender for the contract. I believe a client will find it a conflict of interest if I provide a seemingly self-serving solution to a problem they didn't know they had.

b) The company should at all cost avoid using, as a sub-contractor, anyone associated with their certifier/registrar, particularly one of their own auditors. This implies a clear conflict of interest (the same person is suggesting solutions to system problems, then ruling on whether those solutions meet ISO requirements), and no self- respecting auditor should alow him/herself to be placed in such a position.

c) Ideally, the sub-contractor should be a formally trained auditor. However, this is not mandatory - ISO makes no such stipulation, and it is more important that the auditor has experience relevant to your industry, as well as audit experience, than that he/she be formally qualified.

d) The contract should stipulate that the primary purpose of Internal Audit is system improvement and maintaining system relevance and conformance to documentation. This latter does not mean ensure the documented system remains in effect (as is so often the case) but that it conforms with the implemeted system (ie, if there is a difference, whichever makes most sense becomes the documented AND implemented system). Clearly Internal Audits should also identify areas of non-compliance with ISO 9000, and ensure on-going compliance when the system changes, but this is not the main aim.

> Since they do no manufacturing Para. 4.9 Process Control seems
> superfluous. Have you found that registrars' auditors accept this
> or do they tend to insist on stretching things to find something
> that sort of applies? They will be performing Receiving
> Inspections and Final Inspections.

This will depend on the certifier/registrar: I have experience with one who regards the Process Control element as applying to all processes within a company (including, for example, the purchasing process, the sales process, the accounting process, the ... well, you get the picture). I think the underlying purpose here is to get in more audit time (at $780/day), but it is a little difficult to argue them out of that interpretation.

However, in my view, you are correct, at least as far as 9001-1994 goes. 9001-2000 is another story, but thankfully, a different one!

Best Regards
Edwin Humphries

------------------snippo----------------

From: ISO Standards Discussion <jennejohnn@UWSTOUT.EDU>
Date: Mon, 14 Feb 2000 08:42:14 -0600
Subject: Re: Q: Very small company ISO implementation /Daniels/Kozenko

> No one is truly "independent of those having direct
> responsibility for the activity being audited." Would this be a
> good place for an outside Internal Auditor?

External auditors have the easiest time auditing very specific procedures; sounds like in this case, "very specific" would be tedious and impractical. If there's only two people performing, then you might consider "roles, responsibilities and authority" as the key -- whomever has the authority (to finalize, to ship, whatever) gets audited by the other person. If they both have such authority, then they audit each other's work. The real question to answer here is: what kind of audit findings are going to result in a cycle of continuous improvement? If you answer that and work backwards from there, you'll have a compliant system through I-2-K.

> Since they do no manufacturing Para. 4.9 Process Control seems
> superfluous. Have you found that registrars' auditors accept this
> or do they tend to insist on stretching things to find something
> that sort of applies?

4.9 applies to all processes, which I'm sure they have some of... Just sort through all the manufacturing lingo and pick those same spots a Registrar auditor would likely pick, that suit the operations flow. (Again, this covers the continuous improvement cycle, too.)

David Kozenko