What to expect during an ISO 9001 audit

GreatNate

Bareback Jack
Would anyone have any PowerPoints or a path to short video clips on a live audit scenario that I could share with my team in preparation for our stage 2 audit coming up?

Something similar to a role play, or a video with real scenarios that take place during an audit in a manufacturing setting.

Anything would be greatly appreciated.
 

Michael_M

Trusted Information Resource
This is a hard one to answer as there are several 'considerations', I have only been audited to AS9100 (both C and D) which includes the requirements of ISO9001.

How many employees do you have? This could decide if there will be one 'main' auditor or several auditors.

I have had 3 different auditors in the past and each audits differently and focuses on different things. The first auditor picked a random job and walked the process of the job from start to finish auditing the processes as we got to them. The other two audited for examples of the clauses with each clause having a 'set time'. One of the two wanted to see printed paper, the other was fine with digital records.

The best advice I can give is to answer the question the auditor asks, do not lie as he/she will then ask for proof/verification. However, you don't need to add to the answer with more information than was asked. Be pleasant and give the auditor your full attention while he/she is talking to you. Don't fear the audit, the auditor is there to help and see if there are any missing requirements.

This next part is from my personal experience: I am the one who leads the auditor from place to place and I stay with the auditor as they are asking questions. I try to stay quiet when they are asking questions; however, I will interject if I have to translate 'standard speak' to 'company speak'. For example, if the auditor says something like "I am here to audit the control of externally provided processes", I might step in and say "purchasing" since that is the term we use. For the most part, I answer about 75% of the questions on a one-on-one basis as I am the management representative; only when he/she wants to talk to others do I take him around, or in the very rare case I don't know the answer.
 

GreatNate

Bareback Jack
Thanks Marc

We are a very small manufacturing shop with a lot of "green" employees going through a first-time certification audit. There will be one auditor. I feel like I need to give them some good examples of what will possibly take place to better prepare them.

The advice you gave me is excellent and thank you for it.

More is welcome if anyone else wants to help or chime in.
 

Tagin

Trusted Information Resource
We are a very small manufacturing shop with a lot of "green" employees going through a first-time certification audit. There will be one auditor. I feel like I need to give them some good examples of what will possibly take place to better prepare them.

Speaking from a 9001 perspective....

You'll want to prepare the employees based on their individual levels of authority and responsibility. Typically a line worker has little to no authority and is responsible just to see that their assigned activity is done. So, for them it's providing them things like QMS awareness: do they know who they report to? do they know how to get the assignments for their tasks? do they know where/how to get the correct instructions for that task...and how do they know those are the correct instructions? what is the company trying to achieve quality-wise - in general terms - not necessarily being able to quote the quality policy verbatim? do they know quality is expected from them? how do they measure/identify/etc. that what they are producing is conforming? and what do they do if something goes wrong - is there a clear escalation path or procedure to follow? They have no need to know clauses, or cite ISO language - it's management & quality's job to have provided them the tools, processes and training to do their jobs and know how to escalate bad product, broken tools, and other similar exceptions.

People w/more authority & responsibility need to be aware of the scope of what they do. How does the Purchasing Mgr, for example, determine when/where to buy from? How do they handle the need for approving a new vendor?, etc.

I find auditors like to go linearly from initial customer request to buy something to how do you negotiate and set expectations, create and place sales orders, do design work (that's a whole big audit piece in itself if you do design & development), purchase, receive, manufacture, ship, etc. (It depends, of course, on the audit type - a surveillance audit will just look at different pieces of the company each year across several years.) But along the way, they bring up questions like "what if the product that comes in doesn't match your PO...what is your process for handling that?", "what if the customer changes their order...how does that happen?" They'll be looking to see if people know where to find their process instructions, forms, records, etc. that they use and are responsible for, and do people know what to do if things go wrong.

Then there are the management reviews, corrective actions, risk, training records, etc. that you would typically handle with the auditor.

The auditor's job is to find evidence of conformity, not to dig and dig until they find that one thing that someone did wrong last year, and then scold you with a big nonconformance. However, N/C's do happen as part of audits, and they have to be taken in stride as being constructively intended (in most cases, at least) as part of the continuous improvement mindset. So, be sure to instill in employees that while they may strive to do well, it's not unusual or unexpected to get N/C's and neither they nor you need to be defensive or mad. In addition, the ISO standard has a lot of leeway for interpretation, so it may be that your interpretation and the auditor's don't line up. The auditor should explain the N/C's clearly, what the relevant clause is, and they may even hint at how it might get corrected. If you do get an N/C that's just wildly incorrect or unfair, you can always appeal the N/C.
 

Marc

Fully vaccinated are you?
Leader
Without knowing which standard (or standards) you'll get widely ranging answers.

In general, see the attachments.

Also see auditing related files in Free - "Cove Members" Files Directory

Consider giving your employees these: https://elsmar.com/elsmarqualityfor...ard-what-iso-9001-means-to-you_400-jpg.25453/

I used to print these out for clients in smaller companies and often took the time to laminate them. If less than 150 people I would personally hand them out to each employee which helped to "bond" with them and it also helped gain their trust.

A bit of fluff to say, but audits are typically easy in that employees (usually) know their jobs so answering questions is simple. I guess it was Deming: Drive Out Fear.

Where you have the most problem is where you have employees that fear for their jobs thinking that if they somehow screw up they will be fired. I found that mostly in places outside of the US. I have even seen employees literally faint when the auditor walked up to them. That is why when I did implementations I took special care to "bond" with as many employees as possible. I also often did what I'll call "pre-audits" where I did mock audits to prepare them.

You will also find many audit related files in the old Index of /Cove_Premium directory which has a lot of files, but most of them are also in the old Cove_Members directory.

If you really want them to be prepared, do mock audits. Often times I would bring in a real auditor - In part to audit my work in implementation (did I miss anything?) especially in companies with > 20,000 employees in multiple international facilities. But also to give employees actual experience.

I took a personal interest in every client company and in every employee. I believe that is why almost all of my clients came through with zero findings.
 

Attachments

  • Being Audited_10-2007.pdf
  • Eagle_QA Policy Card-Front.doc
  • QA Policy Card - Back.doc

Marc

Fully vaccinated are you?
Leader
However, you don't need to add to the answer with more information than was asked.
This is one I missed in my post above. Very true - Employees should never volunteer information. Answer the auditor's questions. That is all.

It is also important to ensure that employees know to only answer questions about their job. I have seen many employees try to tell an auditor what someone else does, usually because of the way the auditor asks a question. If an auditor asks a question which isn't an employee's responsibility, the employee should be ready to say that it isn't part of what s/he does.

I also used to have at least one person as a "monitor" during audits. This person accompanied the auditor AT ALL TIMES. That is relatively standard procedure though. Never leave an auditor alone.

You also may want to look at some of these files: Attachment Listing
 

Michael_M

Trusted Information Resource
do they know where/how to get the correct instructions for that task...and how do they know those are the correct instructions?, what is the company trying to achieve quality-wise - in general terms - not necessarily being able to quote the quality policy verbatim, do they know quality is expected from them

I am going to add a couple of things.
During my stage 2 audit last year, the auditor asked every single person he talked to what the quality policy was (I admit, I was personally getting annoyed after the 20th person or so). I had printed out the quality policy on the business card stock you can purchase from an office supply store; this was one of the times I stepped in and clarified the question. I am very glad I passed these out as most employees (myself included) could not state the quality policy verbatim, but they could point to the card and say "there it is".

One of the things I do before an audit is go around to everyone (we have 30-40 employees) and remind them of a couple of things.
1. If they do not know an answer; "I don't know, but let's go find out" is a perfectly reasonable answer so long as they actually go find the answer.
2. The quality policy and where to find it.
3. Where and how to find the quality manual (AS9100 requires it still), procedures, work instructions, and other documents.

My company is AS9100d which follows the ISO9001:2015 requirements with additional requirements so my experience will be different than yours.
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
If you don't have one, create a spreadsheet that lists the requirement and the document you have that addresses it. The auditor is going to go down a list asking for things. They won't always ask by the usual standard names, so having a cheat sheet like this is helpful. This has created a lot of stress for us because I immediately thought I missed something when I knew that wasn't possible.

For example, the auditor might ask "Show me that you review your quality goals and discuss progress." You could ask "What section of the standard are you referencing?" An ISO 9001 auditor might say "section 9.3". You look at your cheat sheet and show 9.3 is Management Review. You might bring up an SOP for Management Review and also the MR minutes and hand them to him. Auditors speak standard speak. Users of QMS speak their QMS, not really the standard except when creating their QMS. 99% of the rest of the time you are just executing the QMS, not thinking, "OK, I'm doing this SOP that satisfies this requirement in 9001."

That's why audits can be stressful. You know your QMS is OK because you reviewed it vs the standard, but that was a year ago and you never thought of the standard again, maybe.

As far as the audit results, for ISO 13485 I was trained that you look for evidence of records the requirement is being met. If the first record reviewed is not acceptable, I was taught to dig deeper. If there are more unsat answers it's a major NC; if it was just one unsat answer it's minor. If all the records were satisfactory but you were confused trying to investigate as the process isn't so clear, it could be an OFI.
 

Marc

Fully vaccinated are you?
Leader
could not state the quality policy verbatim
Things may have changed, but I do not remember any requirement in any standard (AS9100 may now - I don't have a copy to check) which required any employee to recite the quality policy verbatim. As I stated above, and even attached an example of, I also printed out the company quality policy, like you on standard business card stock and gave them to employees. See post #6 in this thread. In many companies they put up banners. In some every bulletin board had a copy.

What I remember being acceptable was for an auditor to ask "What does your company Quality Policy mean to you?" (this was in the TS 16949 days). I remember this because (caution - war story ahead...) I was working with what was a Borg-Warner facility which was way out in the boonies. I knew most of the employees, including most of their personalities. The auditor came to one guy who was a "griper". He always had a "bad" attitude. The auditor came around to the "What does your company Quality Policy mean to you?" question. The guy answered "It doesn't mean sh!t to me". The auditor was a bit taken aback, but due to the nature of the question he couldn't write a nonconformance. And no - The guy wasn't fired or anything. He was a known malcontent, but he really was a nice guy and he did his job well.

1. If they do not know an answer; "I don't know, but let's go find out" is a perfectly reasonable answer so long as they actually go find the answer.
Never saw that. IF they know their job and how to do it, their responsibilities, documentation which affects them, they know the answer unless the auditor asks a question which is outside the employee's job and responsibilities. I have seen asshat auditors do stupid things like ask "OK, you do this and then you do this and you give it to Joe (or Sally or - well you get the idea). What does Joe do with it?" I taught that the correct answer was the auditor would have to ask Joe, that what Joe did wasn't his/her job. This also is where an "escort" comes into play, as well. Many times an employee freezes up. It is acceptable for an escort to tell the auditor that they will have to go and ask Joe.

Just some more thoughts...
 

Attachments

  • Audit Escort and Managers Info.pptx