Auditing support and management processes

rogerpenna

Involved In Discussions
#1
So far, in our company internal audits, we audit areas/departments, instead of auditing processes. Probably because we have processes written as procedures, but unlike a process map, when writing, you can make a process less cross-sectional across departments. In the writing, it can focus on a single area/department.

I do intend to change this and be more process oriented, and audit processes

We do have mapped with low granularity our Core, Support and Management processes. (they are not modelled yet however, as they are only written as procedures. Also, from my perspective, it seems several SubProcesses were written as subtopics of the Procedures that represent macro Processes)

My question is... to what extent should non-core processes have KPIs created, have their inputs and outputs, etc, mapped and written?

And specially, to what extent should non-core processes be audited in ISO?

If ISO objective is the client, should audits spend time with processes which are not considered to add value to the client, as Core Processes do?
 
Elsmar Forum Sponsor

John Broomfield

Staff member
Super Moderator
#2
So far, in our company internal audits, we audit areas/departments, instead of auditing processes. Probably because we have processes written as procedures, but unlike a process map, when writing, you can make a process less cross-sectional across departments. In the writing, it can focus on a single area/department.

I do intend to change this and be more process oriented, and audit processes

We do have mapped with low granularity our Core, Support and Management processes. (they are not modelled yet however, as they are only written as procedures. Also, from my perspective, it seems several SubProcesses were written as subtopics of the Procedures that represent macro Processes)

My question is... to what extent should non-core processes have KPIs created, have their inputs and outputs, etc, mapped and written?

And specially, to what extent should non-core processes be audited in ISO?

If ISO objective is the client, should audits spend time with processes which are not considered to add value to the client, as Core Processes do?
Roger,

Your system comprises processes that directly add value for your client and processes that enable these process to add value.

Recruiting and training is a good example of support processes that are essential to the effectiveness of your system.

So, both core and support processes should be audited for their effectiveness and conformity. Before they are audited processes are monitored and corrected as necessary and this means that the people responsible for these processes need to know what their processes are meant to achieve.

Process objectives are essential but starting with your core processes and core process objectives start with your organization’s or project’s mission.

Best wishes,

John
 

rogerpenna

Involved In Discussions
#3
can we leave anything out of auditing?

isn´t part of the manual defining the scope of the QMS?

if we must obviously include core processes... then support processes because these are essential for the core processes to function properly and add value to the client... and I would guess several management processes somehow either also help the business run (and thus add value to client) or basically are part of the ISO requirements themselves (like strategic planning, risk assesment, etc)........

... then what's the use of defining a scope for the QMS? It will always end up being 100% of the company's processes, won´t it? :confused::confused:
 

John Broomfield

Staff member
Super Moderator
#4
can we leave anything out of auditing?

isn´t part of the manual defining the scope of the QMS?

if we must obviously include core processes... then support processes because these are essential for the core processes to function properly and add value to the client... and I would guess several management processes somehow either also help the business run (and thus add value to client) or basically are part of the ISO requirements themselves (like strategic planning, risk assesment, etc)........

... then what's the use of defining a scope for the QMS? It will always end up being 100% of the company's processes, won´t it? :confused::confused:
Roger,

In defining the scope of your management system what processes do you have in mind to omit from internal audit and why?

We may find these processes are completely unnecessary work.

Mind you, not every process may be subject to external audit and this is why many organizations have two scope statements.

Thanks,

John
 

rogerpenna

Involved In Discussions
#5
The question was more on the theoretical side... I mean, why define scope if everything is important?


And if a process not needing to be in the scope is useless, then it should be eliminated. But if it's eliminated, then again the scope will be 100% of the processes of the company.

IF I could, I would eliminate probably Accounting and some Financial processes. They are important but highly bureaucratic. They are mostly about doing the same stuff on time, not more efficiently. And as that, it's quite impossible to find relevant indicators... although maybe I am thinking more in terms of areas/departments here.
 
#6
The question was more on the theoretical side... I mean, why define scope if everything is important?


And if a process not needing to be in the scope is useless, then it should be eliminated. But if it's eliminated, then again the scope will be 100% of the processes of the company.

IF I could, I would eliminate probably Accounting and some Financial processes. They are important but highly bureaucratic. They are mostly about doing the same stuff on time, not more efficiently. And as that, it's quite impossible to find relevant indicators... although maybe I am thinking more in terms of areas/departments here.
When you audit a process, there are many, many supporting processes which also need to be present and checked during an audit. The purpose of a defined scope should include these things and at the same time provide for limits for the auditor to 1) enable to audit objective to be fulfilled and b) limit the extent to which these support activities are being audited.

It may be that you have a different way to do you audits, but for the past 30 years, having a scope is best practice to ensure a complete audit.
 

John Broomfield

Staff member
Super Moderator
#7
The question was more on the theoretical side... I mean, why define scope if everything is important?


And if a process not needing to be in the scope is useless, then it should be eliminated. But if it's eliminated, then again the scope will be 100% of the processes of the company.

IF I could, I would eliminate probably Accounting and some Financial processes. They are important but highly bureaucratic. They are mostly about doing the same stuff on time, not more efficiently. And as that, it's quite impossible to find relevant indicators... although maybe I am thinking more in terms of areas/departments here.
Roger,

That is why I asked what processes (work) you'd like to exclude.

Accounting processes should ensure suppliers are paid only for conforming products and that your company is paid per the contract so it can invest in improvement. Accounting processes also provide management with information so they can avoid trading while insolvent. But you may also find that accounting already is audited for compliance with GAAP.

Your list of processes (in your separate post) mentions budgeting and this process interacts with cost accounting I would think.

Of course, you'll be ensuring that your processes are monitored and corrected (by those responsible) and audited (by someone who is more independent) according to each processes' importance, reliability and maturity. But we try to keep in the system only those processes that add value or enable value.

Please remember that processes are work carried out by animal, human, machine or a combination of any two or three of these. Using this definition you'll see that an area or department cannot be a process.

As to granularity we see activities or tasks that are parts of processes and that processes tend to be cross-functional.

I would question if an organization without a purpose and scope is really is able to work as a system.

Organizations used to exclude some business processes from their QMS but big-Q thinking exposed the fallacy of this and ISO 9001:2015 has finally caught up.

Best wishes,

John
 

AMIT BALLAL

Trusted Information Resource
#8
As John mentioned, for example, If Accounting process has any risks associated to QMS (such as supplier won't supply next lot of material, unless payment of earlier material is made), then Accounting has to be included in scope of QMS and therefore has to be audited. Similarly, if IT process has a risk of loss of data/records related to QMS, then it also has to be included.
Standard doesn't give the freedom to exclude any process from auditing. But you can define frequency of audits based on importance or processes, as per the categorization already done by you.
 
Thread starter Similar threads Forum Replies Date
D Auditing Management Support - ISO 9001:2008 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
J Auditing of Support Function IATF 16949 - Automotive Quality Systems Standard 9
S Auditing Sales and Marketing Processes and Technical Support Canada Medical Device Regulations 2
C List of MDSAP Auditing Organizations Medical Device and FDA Regulations and Standards News 1
A What are the pros and cons of using an audit software for internal auditing? General Auditing Discussions 4
cscalise Suggestions for MDR Auditing tools EU Medical Device Regulations 1
D ISO 13485, FDA 21 CFR 820 and Auditing the Accounting Department ISO 13485:2016 - Medical Device Quality Management Systems 5
S Risk based internal auditing Internal Auditing 6
Randy Remote auditing (for disaster, disease, disturbance etc...) during the Neo Coronavirus Pandemic and Social Distancing Registrars and Notified Bodies 7
K ANVISA B-GMP Auditing requirements for Contract Manufacturers Other Medical Device Regulations World-Wide 0
F AS9100D Internal auditing requirements Internal Auditing 3
R Does any here use an internal auditing tool that works on different platforms? Internal Auditing 3
W Does anyone have an API Q2 checklist for internal auditing? Oil and Gas Industry Standards and Regulations 1
G Best Practices for IT auditing - Is a session-id necessary for a complete audit trail? IEC 27001 - Information Security Management Systems (ISMS) 0
I Questions to ask when auditing for Organizational Leadership and Planning for the QMS? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
C CE marking for general IVD (self-certified) & ISO 13485 QMS requirements - auditing EU Medical Device Regulations 6
blackholequasar Internal Auditing Inspiration - Getting volunteers to perform internal audits. Internal Auditing 22
W Internal Auditing carried out by a 3rd party - Review of previous audits AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 3
tony s What is the automotive process approach for auditing? IATF 16949 - Automotive Quality Systems Standard 2
S Internal Auditing for API Spec Q1 - auditor qualification requirements Oil and Gas Industry Standards and Regulations 6
R I've been auditing for a CB for 18 years General Auditing Discussions 10
P Consultant Auditing Qualifications Requirements ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 23
E Informational Internal Audits - Wear multiple hats what can and can't I audit (so I'm not auditing my own work) Internal Auditing 146
M We still have not received our certificate due to a 'backlog' with our auditing body Registrars and Notified Bodies 25
N Online Internal Auditing Course for ISO 13485 - Suggestions ISO 13485:2016 - Medical Device Quality Management Systems 8
A Agenda for 8D audit on Supplier's side - Auditing Corrective Actions General Auditing Discussions 5
U Internal auditing - Company employees or contract second party Internal Auditing 10
J Recomended Values - Auditing process in a supplier IATF 16949 - Automotive Quality Systems Standard 18
M Canada - Registrars that allow e-auditing for ISO 9001? Registrars and Notified Bodies 4
K Internal Auditing - Umbrella QMS and Multiple Standards Oil and Gas Industry Standards and Regulations 4
D Auditing Our Outsourced 2nd-3rd Party Internal Audit Company ISO 13485:2016 - Medical Device Quality Management Systems 6
supadrai Auditing Organization dragging their heels on issuing our MDSAP Surveillance Audit Confirmation Letter - everyone is nervous ... are we the only ones? Canada Medical Device Regulations 7
Ed Panek Supplier Auditing - No purchases from our key suppliers in the last 24 months ISO 13485:2016 - Medical Device Quality Management Systems 5
P Auditing "process validation" process 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
qualprod Effective Auditing advice needed ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 16
M Acceptance of remote auditing techniques - Can you help me with my research? General Auditing Discussions 0
GStough Auditing Against Criteria Unfamiliar to Auditee - Yea or Nay? General Auditing Discussions 11
qualprod Auditing Product and Services doubts ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
F It is acceptable moving remote locations staff to manufacturing plant for auditing? IATF 16949 - Automotive Quality Systems Standard 3
D MSDS / GHS Walk-through / Auditing Occupational Health & Safety Management Standards 6
Pmarszal Supplier Auditing Services (Audit Needed?) General Auditing Discussions 4
S ISO 9001 Audit Observations - Transitioning my career into auditing Career and Occupation Discussions 16
G AS9101 Rev F - Worksheets for internal auditing AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 11
N API Q2 clause 6.2.2.1 Auditing Outsourced Suppliers Oil and Gas Industry Standards and Regulations 5
M Auditing processes followed by employees placed on client's site Internal Auditing 4
S ISO 13485:2016 and MDSAP internal auditing ISO 13485:2016 - Medical Device Quality Management Systems 6
M Auditing a Contractor in EMS and Non Conformity Report General Auditing Discussions 1
Richard Regalado ISMS Auditing Guideline V2 (based from ISO/IEC 27001:2013) IEC 27001 - Information Security Management Systems (ISMS) 7
S ISO 9001:2015 - Internal Auditing - Audit to the Standard? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
B Auditing Senior Management to determine the Effectiveness of Management Processes IATF 16949 - Automotive Quality Systems Standard 6

Similar threads

Top Bottom