Determining the Status and Importance of the Processes and Areas to be Audited

[wywy2020]

If you were looking specifically for the word risk, then you would be correct, but, if you understand the term "managing risks" as identifying the critical aspects that could lead to a failure and prioritize the use of the resources wisely, then ISO 9001:2008 is full of examples for that line of thought.

I will offer one example. In ISO 9001:2008, we have the following requirement

the bold font clearly indicates a "risk-based" approach to develop an audit schedule and the intent is clear to identify processes/areas which represent a higher risk to product conformity and customer satisfaction, and prioritize, emphasize, scrutinize, etc. such processes/areas with a higher intensity, frequency, depth, etc.

In my mind, this is a typical case where the authors of 9001:2008 wrote a requirement using a risk-based mindset, without using the word risk. So, from that perspective, I am in the field of those who believe that, (if well understood) ISO 9001 has always been supposed to be a risk-based approach to managing quality.

how u demonstrate to auditor that ur audit program is taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits?

 

[AMIT BALLAL]

Re: "Context of the Organization" in 4.1 of ISO 9001

how u demonstrate to auditor that ur audit program is taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits?

Divide processes in three categories:
1. Customer oriented / core (PPC, Quality, etc.),
2. Supporting (Stores, Purchasing, etc.),
3. Managerial (Business Planning, QMS, etc.).

Define frequency of auditing of these processes eg. Category-1 processes to be audited more frequently as compared to other 2, category-2 processes to be audited more frequently than category-3- but less than category-1.

THIS WILL DEMONSTRATE IMPORTANCE BASED AUDITING.

Based on the performance of processes (Monitored through effectiveness, efficiency measures, Quality objectives), frequency to modified. Or additional audits to be conducted whenever performance found poor.

THIS WILL DEMONSTRATE AUDITING BASED ON PROCESS PERFORMANCE.


Thanks,
Amit

 

[wywy2020]

9.2 Internal audit - consideration

9.2 Internal audit it stated that audit programme shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;

How do you all demonstrate this to the auditor that the above consideration has been taken?

 

[Marc]

How do you all demonstrate this to the auditor that the above consideration has been taken?

You discuss and show him your audit schedule. How do you plan your audit schedule? It's a matter of explaining that to the auditor.

Discussions on the "status and importance" requirements go back some years here. Here are some of the "status and importance" discussions from the past.

I look forward to contemporary responses in this thread.

 

[tony s]

Unlike in 2008, the 2015 version no longer includes the STATUS as one of the things to consider in establishing, implementing and maintaining an audit program.

At any rate, when I consider status, I look into the maturity, adequacy of resources, knowledge/skills/experience of personnel, complexity, stability of a the process. If we have just established a new process, this process will be scheduled for a more frequent audit.

For IMPORTANCE, my approach is the same with the others. Processes that are more critical in the realization of the company's products and services have more frequent audits. These will include processes that have direct interaction with the customer including the specifications, materials, equipment needed to realize the products and services.

 

[Marc]

Unlike in 2008, the 2015 version no longer includes the STATUS as one of the things to consider in establishing, implementing and maintaining an audit program... <snip>

Yes, but as you say - You still consider status in your audit planning. The standard may not explicitly state it as a requirement, but it is part of good internal audit procedure/system and audit planning practices.

 

[tony s]

Yes it adds value.

 

[Colin]

how u demonstrate to auditor that ur audit program is taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits?

By not just re-issuing last year's programme with a new date on it!

Look at your processes, which would have the biggest impact if it went wrong? - you might even do a simple risk assessment on each process. That will give you a start point until you can use historical data to help you.