Auditing ISO9001:2000 and Differences between ISO 9001:1994 and ISO 9001:2000


Fully vaccinated are you?
Just some thoughts:

From: ISO 9000 Standards Discussion
Date: Fri, 17 Nov 2000 15:52:30 -0600
Subject: Re: Auditing and the new standard /Oliveira/Hankwitz

From: "Hankwitz, John"

> In the new standard we will have, as a minimum, 6 procedures.
> How do we audit without a procedure? It will depend more on
> auditors habilities?
> Marcos Oliveira


Excellent question. I think we will see the answers to this question evolve over the next year or so. For now, we are looking at the basic changes in perspective presented in the new version of the standard, then tailoring our audits to look at the new perspective.

1. "Conformance" has shifted to "Performance"
2. ISO 9k2k is Based on a Modern "Business Model"
3. Focus on Efficiently and Effectively Providing Customer
Satisfaction instead of Preventing Nonconformity in Process
& Product.
4. Goals, Objectives and Resources are now driven by analysis
and fact.
5. Do It, Prove It, Improve It!

My vision of ISO 9k2k fits well into Deming's SIPOC Model. (Supplier-Input-Process-Output-Customer) The flow illustrated in the 9k2k standard is somewhat similar (using creative visualization) of how I envision the quality system to operate.

I see the "Process" as Product Realization (those process that provide added value to the ultimate customer - GEMBA?), then position Resource Management (those processes providing support to Product Realization) under, and feeding into Product Realization.

Feedback is provided from Product Realization, Resource Management, and the Customer into Measurement, Analysis and Improvement. Output from MAI feeds into Management Responsibility, stationed under, and feeding into Product Realization and Resource Management. Management then provides goals, objectives and resources to Product Realization and Resource management to enable effective and efficient provision of Customer Satisfaction. So, something like the following very crude flow would represent the Quality Management System:
|----------| |-------------| |----------|
| Supplier | Input | Product | Output | Customer |
|(Customer)|--------->| Realization |---------->| |
|----------| |-------------| |----------|
^ ^ . |
| | . |
| | . V
| |------------| . |-------------|
| | Resource | | Measurement |
| | Management |---->| Analysis |
| |------------| | Improvement |
| ^ |-------------|
| | |
| | |
|----------------| |
| Management | |
| Responsibility |<----------------

I see our auditors checking how effectively and efficiently all these processes are meeting their intended goals. Exactly how we will do that is still somewhat fuzzy. We have only two to three years to figure it all out.

John Hankwitz

[This message has been edited by Marc Smith (edited 22 November 2000).]
Elsmar Forum Sponsor


Fully vaccinated are you?
From: ISO 9000 Standards Discussion
Date: Fri, 17 Nov 2000 15:57:56 -0600
Subject: Re: Auditing and the new standard /Oliveira/Green

From: Joseph & Susan Green

"Marcos Oliveira" stated and asked:
> I would like to propose a question:
> In the old version of ISO 9001/2, auditors compare procedures
> with records of actions. At that time, we had, as a minimum,
> 17 procedures.
> In the new standard we will have, as a minimum, 6 procedures.
> How do we audit without a procedure? It will depend more on
> auditors habilities?
> Marcos Oliveira

Joe Green's response:

If an organization generates a product, the methods used to produce that product are to be defined by the organization. (call them processes, or whatever you like) ISO happens to use the term processes.
(To comply with 9K2K "realization processes" must be adequate to the task)

Methods used to generate a product start somewhere advance in a sequence, interact with other methods and the logical result is finished product. (To comply with 9K2K "sequence and interactions must be identified")

Methods used to generate a product must be capable, measurable, and analyzed to ensure product conformity and process effectiveness. (Hopefully those methods may be also subjected to scrutiny for improvement opportunities).

An organization with no "visible" methods would be easy to identify.

9K2K Standard Users are required to include "visible" (audit able) methods in their QMS.

Auditor's are required to determine "visibility" and "effectiveness"
(Not Efficiency; though efficiency should be included sought by a sane organization.)

The following minimum methods (processes) (procedures) must also be "visible". They are necessary to any organization who thoughtfully chooses to voluntarily comply with ISO 9001;2000 Document control
Control of nonconforming product
Corrective/preventive action
Preventive action

I purposely numbered the above comments so that others may comment on the accuracy or lack of accuracy contained in each premise.

Joe Green


Fully vaccinated are you?
From: ISO 9000 Standards Discussion
Date: Mon, 20 Nov 2000 13:14:08 -0600
Subject: Re: Q: Beyond Compliance /Arter/Scalies

From: "Charley Scalies"

> From: Dennis Arter
> Beyond Compliance
> As many of you know, I teach and perform "management" audits,
> which are more than the usual compliance audits. (See my
> article in the June 2000 issue of the ASQ magazine Quality
> Progress for more details.) These audits examine compliance
> to rules, just like ISO 9001 registration audits. They also
> evaluate the effectiveness and suitability of those rules.
> Resulting findings are written as cause (problem) and effect
> (business pain), with supporting examples (observations). This
> is significantly more than the typical nonconformity issued
> from the registration audit.
> My colleagues are asking me, "Dennis, please tell us of
> companies that are successfully performing management audits,
> so that we may benchmark their methods." Unfortunately, I do
> not have any really great examples. (Hmmm. Is this just
> theory? I sometimes wonder.)

My training curriculum of internal auditors fall somewhere in the middle. (How boring!)

Certainly we do compliance audits but, more importantly, determinations of suitability and effectiveness are what internal audits should be all about. After all, internal auditing is a management activity. The greatest procedures in the world are of questionable value if they don't lead to the desired result. A cow chip wrapped in gold foil is not a nugget. While I instruct auditors to point out the pain, I leave the root cause up to the process owner. Of course, in the overwhelming majority of cases I deal with, the root cause hits you square in the face. There is little investigating needed. But because "my auditors" do not carry the organizational legitimacy/power of management auditors I try to keep them out of trouble.

While I am on the subject, I'll share a little exercise that I start every audit workshop with (poor grammar but I think you understand). "You have 30 minutes in which to conduct an internal audit to verify - with objective evidence - whether or not the quality system is effective. Can you do it? How would you do it?" By the end of the course they can. I suspect most list members could also.

Charley Scalies
Quality Pragmatitioner (cute, huh?)

John C

John Hankwitz,
You listed the following items and claimed that they are basic changes in perspective between ISO 9001:94 and the 2000 version:
1. "Conformance" has shifted to "Performance"
2. ISO 9k2k is Based on a Modern "Business Model"
3. Focus on Efficiently and Effectively Providing Customer Satisfaction instead of Preventing Nonconformity in Process & Product.
4. Goals, Objectives and Resources are now driven by analysis and fact.
5. Do It, Prove It, Improve It!

I disagree entirely. In the scope of ISO 9001:94, customer satisfaction is identified as the primary aim of the standard and it is to be achieved through management’s implementation of the policy which is defined as being, ‘relevant to organisational goals’ and including ‘objectives for quality’. The purpose of improved conformance is improved performance and this hasn’t changed in any way with the introduction of 2000. There has been a lot of talk about focus on the customer but all that has been added is that we must identify the customer’s requirements and have an adequate means of communication with them. As was pointed out recently (by Marc I think) this is hardly the great innovation of the new millenium - some of us could figure that out for ourselves.

What is surprising about the 2000 version, is not it’s change in perspective and updated approach, but it’s lack of the same. The old system suffered from being seen as a quality technique rather than a management tool and in this, the new version has regressed rather than improved and we will suffer for it. As regards development of preventive measures - they are notable by their absence and the emphasis of the standard is still the old ‘wait til it goes wrong and then collect data’ approach. Modern business recognises that things such as market niche selection, communication, logistics, planning, material control, etc, etc are as important, or more so, than ppm, but there’s nothing about the quality of these things, in fact, there is still nothing about the quality of administration, despite the fact that managers, planners and decision makers can do more harm in a half hour than the production people can do in a year. I think it’s fair to say that the standard is still in the ‘60s and there’s no new perspective whatsoever.

Regards how to audit without a procedure;

The fact is that, for all practical purposes, you can’t. The standard requires that internal audit establishes whether the system conforms to planned arrangements. So let’s take an example; You go to a process that doesn’t have a procedure and ask the first operator what he’s doing.
‘Just banging these screws in with this hammer’.
‘Is that in accordance with planned arrangements?’
‘Sure is. Look, I know what you’re thinking - most people use a screwdriver, but can you imagine how much time and money we’ve saved since we started using the hammer? And we’ve never had a complaint.’

What are you going to do? Write him up against your own, personal, non-objective opinion? You can’t. In fact you can’t do any **** thing but trace back through the line of authority, trying to find someone that will tell you that it is wrong. If they all stick to the story, you haven’t a chance. If you find disagreement, then who is right? You have no way of finding out. You can initiate an investigation but, if the outcome still is to use the hammer, then you’re out of the game.

Auditing without a documented process against which to compare, is a contradiction of terms. It’s like clapping with one hand. Similarly, it is not possible to make objective decisions based on subjective material.

So forget it. You can’t do it. Don’t even try.

Personally, if I came across a process without a procedure, I’d write them up for it and, at the closing meeting, I’d refer them to 4.1 in ISO 9001:2000 where it tells them to document the quality system, and then I’d refer them to ISO 9000:2000, 2.7.1 where it defines documentation in terms of what it does, including; achieving conformity to customer requirements and improvement, provision of training, repeatability and traceability, objective evidence, evaluation of the effectiveness and continuing suitability of the quality management system. The implication is that, without documentation, you’re going to underachieve in these areas. To that, I’d add the impossibility of auditing and that thirty years in industry has taught me that, if it isn’t written down, it doesn’t exist.
rgds, John C

Alberto Carrizo Kacheff

Dear colleagues:

May I remind you that the so frequently referred to "process" (against the less frequently cited "procedure") is considered by the new standard as documented for of the set of activities. If that does not mean procedure, I don´t know what it actually means.

So far, this current year, I have performed seven full assessments based on ISO/DIS and ISO/FDIS. The two following situations arose: 1)The new comers into ISO Quality Sistems insisted that just a few documents are needed (the 6 procedures) 2) The already certified against the departing ISO were thinking of elliminating documented procedures.

Both groups changed their minds when I called their attention to the concept of "procedure" as well as "institute" (document, review, implement and mantain information on a set of activities for a given purpose).

No doubt that we, lead assessors (mostly engineers) should review new concepts and definitions with a lawyer´s point of view and a dictionary at hand reach.
Thread starter Similar threads Forum Replies Date
Raffy Internal/External Lead Auditing Course for ISO9001:2000 Examination Training - Internal, External, Online and Distance Learning 2
C Auditing Clause 5 - Leadership in ISO9001:2015 Internal Auditing 4
M Auditing ISO9001/AS9100 7.3 Design and Development Quality System Effectiveness Manufacturing and Related Processes 12
B Simplifying ISO9001 Auditing by using PIs (Performance Indicators) Quality Manager and Management Related Issues 17
P Auditing to Combined ISO9001 and ISO14001 Systems General Auditing Discussions 5
J Setting up ISO9001 system - when to start internal auditing? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 17
G Auditing Top management: 6.3 ISO 9001 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
A Information on Process-based Internal Auditing Needed Internal Auditing 6
Sortinghat Auditing the Manufacturing Process IATF 16949 - Automotive Quality Systems Standard 3
Q What is Process Auditing? Process Maps, Process Mapping and Turtle Diagrams 9
K Need Help With Auditing Suppliers Against ISO 9001 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 50
R Auditing COT's Suppliers / First Post Supplier Quality Assurance and other Supplier Issues 2
K ISO 9001 Auditing in a Healthcare setting Process Audits and Layered Process Audits 15
S ISO 9001:2015 Internal Auditing Internal Auditing 8
H Auditing Santa's workshop General Auditing Discussions 0
C List of MDSAP Auditing Organizations Medical Device and FDA Regulations and Standards News 1
A What are the pros and cons of using an audit software for internal auditing? General Auditing Discussions 7
cscalise Suggestions for MDR Auditing tools EU Medical Device Regulations 1
J Auditing of Support Function IATF 16949 - Automotive Quality Systems Standard 9
D ISO 13485, FDA 21 CFR 820 and Auditing the Accounting Department ISO 13485:2016 - Medical Device Quality Management Systems 5
S Risk based internal auditing Internal Auditing 6
Randy Remote auditing (for disaster, disease, disturbance etc...) during the Neo Coronavirus Pandemic and Social Distancing Registrars and Notified Bodies 7
K ANVISA B-GMP Auditing requirements for Contract Manufacturers Other Medical Device Regulations World-Wide 1
F AS9100D Internal auditing requirements Internal Auditing 11
R Does any here use an internal auditing tool that works on different platforms? Internal Auditing 3
W Does anyone have an API Q2 checklist for internal auditing? Oil and Gas Industry Standards and Regulations 1
G Best Practices for IT auditing - Is a session-id necessary for a complete audit trail? IEC 27001 - Information Security Management Systems (ISMS) 0
I Questions to ask when auditing for Organizational Leadership and Planning for the QMS? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
C CE marking for general IVD (self-certified) & ISO 13485 QMS requirements - auditing EU Medical Device Regulations 6
blackholequasar Internal Auditing Inspiration - Getting volunteers to perform internal audits. Internal Auditing 22
W Internal Auditing carried out by a 3rd party - Review of previous audits AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 3
tony s What is the automotive process approach for auditing? IATF 16949 - Automotive Quality Systems Standard 2
S Internal Auditing for API Spec Q1 - auditor qualification requirements Oil and Gas Industry Standards and Regulations 6
R I've been auditing for a CB for 18 years General Auditing Discussions 10
P Consultant Auditing Qualifications Requirements ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 23
E Informational Internal Audits - Wear multiple hats what can and can't I audit (so I'm not auditing my own work) Internal Auditing 149
M We still have not received our certificate due to a 'backlog' with our auditing body Registrars and Notified Bodies 25
N Online Internal Auditing Course for ISO 13485 - Suggestions ISO 13485:2016 - Medical Device Quality Management Systems 8
A Agenda for 8D audit on Supplier's side - Auditing Corrective Actions General Auditing Discussions 5
U Internal auditing - Company employees or contract second party Internal Auditing 10
J Recomended Values - Auditing process in a supplier IATF 16949 - Automotive Quality Systems Standard 18
M Canada - Registrars that allow e-auditing for ISO 9001? Registrars and Notified Bodies 4
K Internal Auditing - Umbrella QMS and Multiple Standards Oil and Gas Industry Standards and Regulations 4
D Auditing Our Outsourced 2nd-3rd Party Internal Audit Company ISO 13485:2016 - Medical Device Quality Management Systems 6
supadrai Auditing Organization dragging their heels on issuing our MDSAP Surveillance Audit Confirmation Letter - everyone is nervous ... are we the only ones? Canada Medical Device Regulations 13
Ed Panek Supplier Auditing - No purchases from our key suppliers in the last 24 months ISO 13485:2016 - Medical Device Quality Management Systems 5
P Auditing "process validation" process 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
qualprod Effective Auditing advice needed ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 16
M Acceptance of remote auditing techniques - Can you help me with my research? General Auditing Discussions 0
GStough Auditing Against Criteria Unfamiliar to Auditee - Yea or Nay? General Auditing Discussions 11

Similar threads

Top Bottom