Scope of assessment
Do audit scopes allow companies to take advantage of the wording of standards or do auditors overstep the mark? Paul Simpson examines the importance of scope
Each of the ‘big three’ standards requires that an organization defines and documents the scope of its management system:
* ISO 9001:2000 - The organization shall establish and maintain a quality manual that includes
a)the scope of the quality management system, including details of and justification for any exclusions
* ISO 14001:2004 - The organization shall define and document the scope of its environmental management system
* BS OHSAS 18001:2007 - The organization shall define and document the scope of its occupational health and safety management system
For each of these standards in turn, why is it important for an organization to accurately describe its scope?
* if it wants to demonstrate it has the capability to satisfy customer requirements for its products and services, you would expect its system scope to cover that
* similarly, if it wants to demonstrate environmental management then its system should cover the whole site and whole product lifecycle
* finally, for OHS, an organization should look after all of its people with a system
Organization scope
If this is true then why does the ISO definition of an organization include the vague ‘…. or part thereof…’? This implies that if I were to ignore one of the guiding principles about management commitment, my management system could be restricted to any area of the organization I choose.
Therefore we need to carefully consider scope when planning and conducting assessments. A restricted scope requires clear knowledge both within the organization marketing its capability and within the organization selecting its supplier on the basis of competence through certification. The indications are not good, however. You only have to look at the number of unaccredited or bogus certificates accepted as proof of competence by procurement functions to know that certification itself is not well understood, much less so the scope of certification.
As an example, as CEO of Megadeath Global Nuclear Processing and Dumping plc, I choose to put my paperclip-sorting department up for certification to all three standards and not take the risks associated with having an independent assessment of the company ’s full scope, as allowed under the definition of ‘organization’. What is more, any certification body operating a policy of open access is obliged to accept my application. Rarely would you see such blatant flaunting of the spirit of requirements.
Similarly, many certification bodies offer certification to management systems for a scope of registration where a significant proportion of work is carried out at customer premises. How would it be possible to do this without visiting a site?
Developing scopes
There may be genuine reasons why some scopes start narrow; many organizations will pilot a management system in one area with a plan to later implement and certify the full scope throughout the organization. This could account for not wanting to put MGNPD’s whole system up at one time for certification by Tough As Old Boots Registrations Inc, only to find major nonconformities on initial audit and a complete reassessment is required.
Scope creep - beware the over-enthusiastic auditor
The reverse can also be true when an auditor extends the bounds of their authority to include requirements outside agreed audit criteria, the standard, legal and customer requirements and the organization’s own documented system.
This can be shown when nonconformities are raised against requirements that don’t exist, perhaps by assessing outside scope or not covering the full scope. An example of each may help:
* nonconformities are raised for health and safety failings, typically against clause 6.3 or 6.4 of ISO 9001:2000. Now, unless the organization’s customer has placed additional requirements through their contract, the only justification for nonconformity against either clause is if you can show actual impact on quality of the finished product, not a potential impact. In the UK as individuals we do have a duty of care to bring any health and safety failings to the attention of the employer, but it doesn’t belong in any quality audit report
* a nonconformity may be written against a performance objective of 100 per cent on time delivery (OTD). Current performance is 99.8 per cent. At first this looks to be genuine but, for it to be a nonconformity, further investigation is required to cover the full scope of the management system. The auditor needs to delve further to check to see if the organization is analysing reasons for missing the target and/or is taking corrective action to improve OTD performance
Scope and assessment planning
There are time constraints on any assessment and it is a competitive market for certification bodies. Much pressure is put on reducing assessment time as a way of offering lower certification costs, but this should not be at the expense of quality of assessment.
Assessment remains a sampling activity, but samples should be selected by the audit team to cover the full scope of activity. Otherwise assessment is dumbed down to a commodity product able to be carried out as a document review in the boardroom or off site. By the same token, the requirements of each of the standards mentioned are substantial on their own without adding new requirements or auditing outside the scope agreed between the two parties.
Scope is vital to assessment; it should cover all relevant areas, act as a contract for auditor and auditee and set the agreed boundaries.