Do We Have to Comply with Our Own Procedures?

[John Broomfield]

So after all the principled 'brave new world' stuff over the last few weeks you're now 'pleased to report' there is a 'you shall follow procedures' requirement to be built in to the common text?

Paul,

All along I have said auditors should not assume that the procedures have been made mandatory by the standard (as was the case before the year 2000); auditors should first check with management:

• Enlightened managers may cause employees to want to use, monitor and improve their procedures.
• Other managers may threaten employees for not obeying procedures even when the employees know the procedures do not work.

Auditors need to sense A or B and how to investigate and report whether the management system is helping employees to meet requirements.

I still say that assuming the unimplemented procedure is effective and enforcing it remains something an auditor should never do. I say it is better to find out and report why the procedure is not being used.

John

 

[Jim Wynne]

<snip>
I still say that assuming the unimplemented procedure is effective and enforcing it remains something an auditor should never do. I say it is better to find out and report why the procedure is not being used.

1. Auditors should never be charged with enforcing anything.
2. Auditors should objectively assess processes, including assessment of whether or not documented procedures are being followed.
3. Audit findings should be reported to management at the relevant level, and if it's found that documented procedures are not being followed but the processes are effective, the documented procedures should be gotten rid of or changed to reflect actual practice.

 

[tyker]

Paul,

All along I have said auditors should not assume that the procedures have been made mandatory by the standard (as was the case before the year 2000); auditors should first check with management:

• Enlightened managers may cause employees to want to use, monitor and improve their procedures.
• Other managers may threaten employees for not obeying procedures even when the employees know the procedures do not work.

Auditors need to sense A or B and how to investigate and report whether the management system is helping employees to meet requirements.

I still say that assuming the unimplemented procedure is effective and enforcing it remains something an auditor should never do. I say it is better to find out and report why the procedure is not being used.

John

If the management has complied with 4.1 and 4.2.1 (c) and (d) then it has identified the necessary documents (including procedures) which are necessary for the effective implementation of the management system. If an auditor finds that those documents are not being followed a non-conformity can be raised for failure to implement and maintain the system. I've never come across an auditor even trying to, let alone being allowed to, enforce a procedure. I've experienced many instances of auditors reporting a failure to effectively implement a procedure but that's different.
Finding out why a procedure is not being followed is part of the corrective action which is management's job. The auditor might be curious to know and, particularly for internal auditors, may have helpful information. But it is not the auditors job to determine and/or implement the actions necessary to overcome the non-conformity.

 

[AndyN]

One aspect of this discussion doesn't fully come to the front is whether the process/procedure being implemented (whether documented or not) is actually effective.

What someone actually does IS (frequently) effective, when compared to what was defined in a document (some of us remember examples of the instructions we tried to follow when assembling something we've bought) but I rarely hear of auditors (of any type) prosecuting the audit to determine effectiveness of that process/procedure!

This one fact, alone, will help management determine what is necessary in the matter of action. Sadly, and all too often it's missing from an audit report. "They weren't following procedure" has two potential outcomes. So the auditor didn't help management, did they? No wonder management don't get behind audits, or support any resulting actions, when the auditor didn't even give them much of a shove in the right direction!

 

[Paul Simpson]

One aspect of this discussion doesn't fully come to the front is whether the process/procedure being implemented (whether documented or not) is actually effective.

I tried to summarize the thread here.

<snip>

This is part of the thread (albeit to my memory nobody has directly mentioned the process approach). Let me summarize:

• This all (re)started with Steve’s post here when he was asking whether internal auditors should follow the process and check to see if people are following what the process says they should be doing.
• John Broomfield replied saying that they shouldn’t - here
• My first post on the subject was challenging the idea that there is not a requirement for people to follow procedures and in particular John's statement: ‘Management may say "ISO 9001 says that you must obey our procedures" but that has been untrue since the year 2000.’
• You entered into discussion with John Broomfield (who I had refused to debate with by this time) on the subject of process validation - here.
• and my response just followed your thread - here

</snip>

because the thread had already gone a long way from the original question.

But your question is valid and better auditors will be able to assess and comment on how appropriate procedures are compared with actual practice. We are, after all, living in a world were there is even debate as to whether documented procedures are compulsory unless top management specifically say they are.

What someone actually does IS (frequently) effective, when compared to what was defined in a document (some of us remember examples of the instructions we tried to follow when assembling something we've bought) but I rarely hear of auditors (of any type) prosecuting the audit to determine effectiveness of that process/procedure!

True. But to do anything other than explain to the managers of a process that there is a discrepancy between what is required (by a documented procedure) and what is actually taking place requires an auditor with the competence to judge whether one is better than the other - I for one do not have a lot of faith that an auditor will be able to tell me that.

This one fact, alone, will help management determine what is necessary in the matter of action. Sadly, and all too often it's missing from an audit report. "The weren't following procedure" has two potential outcomes. So the auditor didn't help management, did they? No wonder management don't get behind audits, or support any resulting actions, when the auditor didn't even give them much of a shove in the right direction!

Again, apart from a gentle hint that actual practice could be considered effective we have to be very careful here. I have a couple of examples of following an auditor in and their 'helpful' recommendation would have lead to breaches of legislation and potential court action.

 

[John Broomfield]

1. Auditors should never be charged with enforcing anything.
2. Auditors should objectively assess processes, including assessment of whether or not documented procedures are being followed.
3. Audit findings should be reported to management at the relevant level, and if it's found that documented procedures are not being followed but the processes are effective, the documented procedures should be gotten rid of or changed to reflect actual practice.

Jim,

Before the audit clause 8.2.3 requires the process to be monitored and it or its procedure corrected as necessary to be effective.

Instead of ignoring the monitoring (and replacing it with auditing in the minds of the auditees) why not audit processes through the effectiveness of their monitoring?

That way auditors avoid leaving the auditee with the impression that the auditor says they must obey their procedures.

John

 

[Big Jim]

Jim,

Before the audit clause 8.2.3 requires the process to be monitored and it or its procedure corrected as necessary to be effective.

Instead of ignoring the monitoring (and replacing it with auditing in the minds of the auditees) why not audit processes through the effectiveness of their monitoring?

That way auditors avoid leaving the auditee with the impression that the auditor says they must obey their procedures.

John

I think you may be reading something additional into 8.2.3,

"The organization shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate."

Procedures?

 

[AndyN]

Fair point, Paul, about 'recommendations' and I get that. However, if any auditor has, objectively looked at the results and performance of a process surely it's not too 'opinionated' to suggest that what they are doing, rather than what the QMS documents define, is what is 'working'. No foul there, is there?

 

[John Broomfield]

I think you may be reading something additional into 8.2.3,

"The organization shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate."

Procedures?

Jim,

As I see it procedures specify how processes are carried out and process monitoring determines the conformity and effectiveness or status of a process.

These days procedures include the process objectives and other criteria for process effectiveness.

It is therefore reasonable to expect the auditee to use their documented (or undocumented) procedures for monitoring their processes long before the auditor arrives.

When monitoring finds the process is ineffective it, or its procedure or both, is or are corrected as necessary by the auditee.

John

 

[tyker]

Jim,

Before the audit clause 8.2.3 requires the process to be monitored and it or its procedure corrected as necessary to be effective.

Instead of ignoring the monitoring (and replacing it with auditing in the minds of the auditees) why not audit processes through the effectiveness of their monitoring?

That way auditors avoid leaving the auditee with the impression that the auditor says they must obey their procedures.

John

No argument with the first sentence.
I can't agree with the second one though. No-one, as far as I'm aware, has suggested ignoring monitoring; it is, after all, a mandatory requirement. I don't see how you evaluate the effectiveness of the monitoring without visiting the process and auditing the implementation of the procedures the organisation has deemed to be necessary?
As an auditor, I have no difficulty telling the auditee that ISO 9001 requires them to determine the controls/documents/procedures that are necessary to ensure the processes are effective and then work to them. How else do you interpret the expression "implement and maintain"?