Auditing to ISO 9001:2008 - How do we qualify ourselves?

[John Broomfield]

Whilst I agree with a lot of what is being said about not turning internal audits into external audits, there is a requirement to address ISO 9001 within the internal audit process.

Clause 8.2.2 refers: 'The organisation shall conduct internal audits at planned intervals to determine whether the quality management system

a) conforms to the planned arrangements, to the requirements of this International Standard and to the .....'

So whilst I don't care whether I see clauses on audit reports or checklists (or procedures come to that), I think the auditor can legitimately ask how the organisation are checking to see that the standard is being met.

Colin,

I agree! Apart from providing evidence of auditing for conformity to the system standard, including the requirement from the audit criteria in the nonconformity statement it is very useful for all sorts of reasons. Here are four of them:

1. It helps define the problem clearly.
2. It helps focus the efforts of the corrective action team.
3. It may remind the corrective action team of other relevant requirements.
4. It may stop the auditor from inventing a requirement where none exists.

Another legitimate auditor question could be "how do you ensure the corrective action team is familiar with the specific requirements relevant to the nonconformity?"

I recommend tying every nonconformity back to the relevant clause mainly to stop some auditors from inventing their own requirements.

For those auditors who say we should not cite the relevant clause from the relevant standard please explain why?

 

[Jim Wynne]

For those auditors who say we should not cite the relevant clause from the relevant standard please explain why?

It's possible to write the documentation and design the processes such that they meet the requirements of the standard without making explicit reference to the standard. In fact, I think it's preferable to do it that way for a number of reasons, not the least of which is to avoid the old "ISO says..." thing.

 

[Phiobi]

Colin,

I agree! Apart from providing evidence of auditing for conformity to the system standard, including the requirement from the audit criteria in the nonconformity statement it is very useful for all sorts of reasons. Here are four of them:

1. It helps define the problem clearly.
2. It helps focus the efforts of the corrective action team.
3. It may remind the corrective action team of other relevant requirements.
4. It may stop the auditor from inventing a requirement where none exists.

Another legitimate auditor question could be "how do you ensure the corrective action team is familiar with the specific requirements relevant to the nonconformity?"

I recommend tying every nonconformity back to the relevant clause mainly to stop some auditors from inventing their own requirements.

For those auditors who say we should not cite the relevant clause from the relevant standard please explain why?

If it helps ALL of our NCR's, from internal audits refer to the root department, procedure and ISO clause. Sometimes it is hard to pick the exact cause but it makes for a good statistic at the annual management review to highlight the future areas of improvement

 

[AndyN]

I agree Jim!

There's too much reliance by too many individuals on what ISO says, without a clear articulation of why it's a useful thing to do! As for designing a system of documentation with references to ISO, I have no idea what value that might be, either.

I believe there's too little time spent by most internal audit process owners with coaching their auditors to know whay systems should be in place and why. as a result we default to the external auditor training they've had and expect the IA to be able to go and make something of an audit. Colin's correct in his assertion that auditors should know the basic 'blocking and tackling' of the system; - document & record control, roles responsibilities etc.

Having looked back over what John wrote I'm not sure I understand any of his commments in the context of the role of an IA. Maybe, John, you could help me with some further discussion? I know you to be a man of some repute in the industry - maybe I'm a bit slow this morning!

If an IA has a clear 'scope' and 'criteria' and is given direction etc by the audit program manager, then they shouldn't be 'inventing' stuff. I've done this kind of thing before audits - like a 'team huddle' (I like the game of American football, so many analogies) to sort out what's going to happen....before the audit!

 

[John Broomfield]

Colin, I have a different idea about this.

There's another way to go about this requirement - if the internal auditor comes back with a report that says, let's say, that a number of gauges are no longer available at a maching center and parts aren't being gauged according to the control plan, what requirement of ISO 9001 is being affected here?

You see, I wouldn't suggest that the internal auditor go 'armed to the teeth' with the ISO 9001 reqirements or a checklist based on them. By evaluating findings - and it may not be just one audit, the audit program can show if the ISO stuff is still in place and effective.......My concern is that too many well intentioned auditors rush off, using their external auditor training and get all caught up in finding stuff that doesn't really exist, because they 'interpreted' the standard differently.

Andy,

"audit evidence indicates that that a number of gauges are no longer available at a maching center and parts aren't being gauged according to the control plan, what requirement of ISO 9001 is being affected here?"

Take a look at clause 7.1. There always is a relevant clause, more than one maybe. but there is always one that will guide the corrective action team the best.

 

[John Broomfield]

It's possible to write the documentation and design the processes such that they meet the requirements of the standard without making explicit reference to the standard. In fact, I think it's preferable to do it that way for a number of reasons, not the least of which is to avoid the old "ISO says..." thing.

Jim,

Agreed, our clients have developed their process-based business management systems this way since 1986.

Still, though I see no good reason for omitting the clause reference from any nonconformity statement.

John

 

[AndyN]

Andy,

"audit evidence indicates that that a number of gauges are no longer available at a maching center and parts aren't being gauged according to the control plan, what requirement of ISO 9001 is being affected here?"

Take a look at clause 7.1. There always is a relevant clause, more than one maybe. but there is always one that will guide the corrective action team the best.

Exactly my point!

It could be one of a number of requirements of 'ISO' but, for internal auditors, the point should be to use the 'criteria' they were sent to audit against! If it's the control plan, then that's the thing they should report against. This is one area that current training often fails to address - the selection of 'scope' and 'criteria' and many classes default to a 'CB' audit story which is easy - the criteria is 'ISO'.

The audit program manager should be deciding, from a review of findings, the criteria etc., which requirement of the standard (maybe TS in this case) is being held non-compliant.

IMHO and with 20+ years of experience in all kinds of audits, it's a huge leap of faith to have IA's (many of whom only audit 1 - 2 times a year) be figuring this kind of stuff out! It's the audit process owners job.......

 

[Jim Wynne]

Andy,

"audit evidence indicates that that a number of gauges are no longer available at a maching center and parts aren't being gauged according to the control plan, what requirement of ISO 9001 is being affected here?"

Take a look at clause 7.1. There always is a relevant clause, more than one maybe. but there is always one that will guide the corrective action team the best.

If the control plan (and gage control systemt) is based on the standard's requirements (and it should be) then you can just cite the control plan as the requirement being violated. If an external auditor can't connect the dots, the deficiency is with the auditor.

 

[John Broomfield]

So, we are dumbing down internal audit in favor of smartening process ownership?

The audit criteria include the control plan and the standard. From the stated evidence the control plan does not conform to clause 7.1 while the gauges conform to the control plan.

The auditors serve the corrective action team or person by citing 7.1.

 

[AndyN]

So, we are dumbing down internal audit in favor of smartening process ownership?

The audit criteria include the control plan and the standard. From the stated evidence the control plan does not conform to clause 7.1 while the gauges conform to the control plan.

The auditors serve the corrective action team or person by citing 7.1.

I don't believe that it has anything to do with 'dumbing down'. It's a different auditing/auditor model.

The fundamental difference here is with competency and focus, John. IA's are frequently not experienced either as auditors or with the business they're auditing. CB auditors, conversely are required to selected by SIC/NAICS code and do audits frequently. Two different ends of the bell curve, so to speak.

So, if you also consider in the fact that most auditor training is predicated on external auditor 'stories', I believe that you have to do a lot more coaching, planning and easing the IA along - not to dumb it down, but just because nothing else works as well!! If you don't believe me, just take a look at some of the cries for help here made by IA's.

The real travesty is that RABQSA etc. misses the point with their 'competency based' training and should have restructured the auditor training into two branches IA and External auditors (supplier qa and CB auditors) - they are, after all very different in many ways.