
Do We Have to Comply with Our Own Procedures?


John Broomfield

Staff member
Super Moderator
#42
Thank you John, I have not yet recognized the message of 8.2.3, I am pleased to learn it based on your post, Cheers
sagai,

Too many auditors believe the systems they audit depend on them.

In fact many auditors used to prefer it that way (job security I guess).

Increasingly though I find auditors, and more importantly their auditees, are getting the message.

Auditing the effectiveness of process monitoring and of managers invoking the necessary system improvements works well.

And it all flows from "I am here to see how well your management system helps you to do good work" not "I am here to verify your conformity to your procedures".

Cheers,

John
 

ssz102

#43
this question is very nice what you said

though I don't the standard 1994, the purpose of audit is comply to all our procedure documentation and operation and records

so you can comparison one by one for item in standard

that's suggestion for reference only
 

John Broomfield

Staff member
Super Moderator
#44
this question is very nice what you said

though I don't the standard 1994, the purpose of audit is comply to all our procedure documentation and operation and records

so you can comparison one by one for item in standard

that's suggestion for reference only
ssz102,

If management want obedience to procedures then they must require it and continuously show their commitment to their requirement by what they do.

Management may say "ISO 9001 says that you must obey our procedures" but that has been untrue since the year 2000.

Auditors do not repeat the role of management. Such auditing would be a waste. Such auditing would not be independent, impartial and objective. Such auditing makes the system depend on its auditors.

Such auditing stops managers from continuously demonstrating their personal commitment to requirements. Instead they say "the auditor says you must obey our procedures".

Auditors independently, objectively and impartially gather and evaluate evidence of how well the management system (this includes what the managers say and do) enables the employees to determine the requirements and monitor their meeting of the requirements and make improvements as and when required.

Have I interpreted your post correctly?

John
 

ssz102

#45
ha ha, you are so professional on quality management system audit;

and this is also delivery opinion for my first on this website and pleased to see you

now back to the topic, the quality management system are more stress on process whether can comply with operation and spoken and so on; the purpose of audit to ensure the process are more simply and effectively;

that's my understand what is ISO, while I remember, I come from China and English is not well, hope you don't mind

thanks!
 

Paul Simpson

Trusted Information Resource
#46
During an internal audit, is it necessary to follow the process or should I just be looking at results of the process?

My thinking is that I should follow them through the process to see if what they are doing matches what is documented, not to catch them doing it wrong, but so, I can improve the documentation to allow for the variation in doing it right, therefore, "maintaining" the system.

It seems to me that only looking at process results is more indicative of a system audit and doesn't really help to improve the processes.

Thanks for your input.

Steve
Hi, Steve. I take it when you say 'follow the process' you mean compare it with the documented procedure? Please correct me if I am wrong. I am also assuming this is an internal audit of your own system - again please correct me if this is not the case.

But in answer to the question - Yes - as part of your internal audit you should be looking at the procedure being used to see that people are complying. I'll pick up the 'why do this' below.

ssz102,

If management want obedience to procedures then they must require it and continuously show their commitment to their requirement by what they do.

Management may say "ISO 9001 says that you must obey our procedures" but that has been untrue since the year 2000.
:mg: Where did this come from? Let me just quote a few requirements of ISO 9001 (2008 edition) to put this particular urban myth to bed - for once and for all (as if that will happen! :D) Compliance with procedures is still a significant part of the quality management systems standard.

4.2.1 d) documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of its processes.
So this requires the organisation to establish what documents are needed to control its processes. If the organisation decides it needs a documented procedure then it comes under this requirement.

... and then in the section on management representative it says the organisation's top management appoint one of their managers to:
5.5.2 a) ensuring that processes needed for the quality management system are established, implemented and maintained,
So here the top team are allowed to delegate the responsibility to someone to put these procedures in place.


... and a bit of repetition here:
7.1 In planning product realization, the organization shall determine the following, as appropriate:
b) the need to establish processes and documents, and to provide resources specific to the product;
So when planning all the 'doing' bits the company has to make sure that everything necessary is in place.

... and a bit more duplication:
7.5.1 The organization shall plan and carry out production and service provision under controlled conditions.
Controlled conditions shall include, as applicable,

b) the availability of work instructions, as necessary,
So again if the organisation decides they are necessary then documents should be in place to control how work is done.

... and finally the role of audit:
8.2.2 The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and
... now IMHO that is compliance auditing. It is not the full role of an internal audit but it is part of it and it can be extremely significant where procedures need to be strictly adhered to.

Auditors do not repeat the role of management. Such auditing would be a waste. Such auditing would not be independent, impartial and objective. Such auditing makes the system depend on its auditors.
A lot depends on what your intent is here, John. You are of course right that auditing does not repeat management's supervisory role but it does provide an independent view of whether the organisation is following procedures that top management downwards feel are necessary.
Such auditing stops managers from continuously demonstrating their personal commitment to requirements. Instead they say "the auditor says you must obey our procedures".
How does compliance auditing do this? :confused:

If you have weak management they might play the 'auditor' card but that shouldn't stop an auditor evaluating compliance. To the extent that the organisation determines it needs procedures the audit has to determine that people are following them. If there is a finding that says 'Procedures not being followed' then the organisation has three (or even more) choices:
  1. Re-enforce the procedure
  2. Change the procedure to reflect what people are doing
  3. Delete the procedure

Auditors independently, objectively and impartially gather and evaluate evidence of how well the management system (this includes what the managers say and do) enables the employees to determine the requirements and monitor their meeting of the requirements and make improvements as and when required.

Have I interpreted your post correctly?

John
... and the first stage of determining this is to see if they are working to any procedures for the processes they work in.
Steve,

Ask the people operating the process how they know it is working effectively (4.1) and what they do on finding that the process is failing to fulfill its objectives (4.1).

Ask the people operating the process how they monitor conformity to their procedures (8.2.3) and what they do on finding that the procedure needs to be changed (8.2.3).

Auditees should already be improving their processes without the help of the auditors. If not find out why managers are not seeking information on where the system needs to be improved so the system is improved without relying on the auditors.

Focus on how well the management system (includes leadership) helps the employees to determine and fulfill requirements; including the requirement for continual improvement.

Do not allow auditors to become the only people enforcing the procedures and driving improvements. In a mature management system no more than 20% of the CARs should come from audit.

John
All of the above is fine, John and I don't disagree with it but (as in the title of the thread) - one of the prime reasons for an audit is to establish:
8.2.2 ... whether the quality management system ... conforms to the planned arrangements ...
 

John Broomfield

Staff member
Super Moderator
#47
ha ha, you are so professional on quality management system audit;

and this is also delivery opinion for my first on this website and pleased to see you

now back to the topic, the quality management system are more stress on process whether can comply with operation and spoken and so on; the purpose of audit to ensure the process are more simply and effectively;

that's my understand what is ISO, while I remember, I come from China and English is not well, hope you don't mind

thanks!
ssz102,

Welcome to the Cove!

Yes, ISO recognizes that effective organizational management systems are process-based. ISO 9001 mentioned this in 1987 and 1994 but most readers missed it perhaps because they were more used to creating sets of documented procedures that were also specified less subtly.

So ISO explicitly promoted and specified (see clause 4.1) the process-approach in the year 2000 version of ISO 9001.

This means we are looking at the management system beyond what happens to be documented. Indeed very important parts of the management system are not documented such as the care and respect necessary for it to be effective in helping employees to fulfill objectives and other requirements.

Beyond clause 4.2.1 of ISO 9001, the undocumented procedures (see the definition of procedure in the normative reference ISO 9000) are very important too.

You wrote that auditors simplify processes. However, leaders simplify the processes not the auditors. Auditor competencies are very useful for process analysis and improvement (with the process owners and the process teams) but this is not done through the audit process.

Process is the work of machines and humans (possibly animals too) and procedure is the organization's specified way of doing the work. The processes should bring the necessary resources and controls to the work so the work adds value to the process inputs and so the process outputs meet requirements.

Resources include facilities, equipment, skills and knowledge. Some say money but laying a $20 bill on a process does nothing for it :sarcasm:.

Controls include criteria (see 4.1c), procedures, care (for the requirements and for each other) and coordination.

The procedure should accurately reflect the effective process but often it does not. Process teams (usually cross-functional) and their supervisors monitor and correct processes (or their procedures) as necessary (see 8.2.3). Inaccurate procedures and ineffective processes should therefore be corrected by the process teams and their leaders long before the auditor arrives. Also they will have removed the root causes of repeated or expensive corrections from their management system long before the auditor arrives. Hence the suggestion that no more than 20% of CARs should come from audit.

I may have gone on too long but have I addressed your post?

John
 

John Broomfield

Staff member
Super Moderator
#48
Hi, Steve. I take it when you say 'follow the process' you mean compare it with the documented procedure? Please correct me if I am wrong. I am also assuming this is an internal audit of your own system - again please correct me if this is not the case.

But in answer to the question - Yes - as part of your internal audit you should be looking at the procedure being used to see that people are complying. I'll pick up the 'why do this' below.

:mg: Where did this come from? Let me just quote a few requirements of ISO 9001 (2008 edition) to put this particular urban myth to bed - for once and for all (as if that will happen! :D) Compliance with procedures is still a significant part of the quality management systems standard.


So this requires the organisation to establish what documents are needed to control its processes. If the organisation decides it needs a documented procedure then it comes under this requirement.

... and then in the section on management representative it says the organisation's top management appoint one of their managers to:

So here the top team are allowed to delegate the responsibility to someone to put these procedures in place.


... and a bit of repetition here:
So when planning all the 'doing' bits the company has to make sure that everything necessary is in place.

... and a bit more duplication:


So again if the organisation decides they are necessary then documents should be in place to control how work is done.

... and finally the role of audit:


... now IMHO that is compliance auditing. It is not the full role of an internal audit but it is part of it and it can be extremely significant where procedures need to be strictly adhered to.


A lot depends on what your intent is here, John. You are of course right that auditing does not repeat management's supervisory role but it does provide an independent view of whether the organisation is following procedures that top management downwards feel are necessary.
How does compliance auditing do this? :confused:

If you have weak management they might play the 'auditor' card but that shouldn't stop an auditor evaluating compliance. To the extent that the organisation determines it needs procedures the audit has to determine that people are following them. If there is a finding that says 'Procedures not being followed' then the organisation has three (or even more) choices:
  1. Re-enforce the procedure
  2. Change the procedure to reflect what people are doing
  3. Delete the procedure


... and the first stage of determining this is to see if they are working to any procedures for the processes they work in.
All of the above is fine, John and I don't disagree with it but (as in the title of the thread) - one of the prime reasons for an audit is to establish:
Boris,

Sorry for shaking your world!

ISO 9001 no longer specifies that employees shall conform to procedures. It does however specify that top management shall demonstrate its commitment to requirements. Hence this would be top management specifying employee obedience not ISO 9001.

It also requires internal auditors to determine conformity to planned arrangements.

The planned arrangements may be command and control or the opposite of command and control (autonomy) but the plan is probably somewhere between the two extremes according to the situation.

Even if the planned arrangements are 100% command and control then it is top management that makes this clear to employees not ISO 9001.

I realize this shakes the world of control freaks. It also shakes the worlds of people who unreasonably accuse ISO 9001 of specifying command and control management.

But we would be wise to loosen up and apply the degree of control and autonomy (both are plans) required to the situation instead of trying to create mechanistic management systems.

Give me an adaptive management system every time.

John
 

Bonhomme

#50
I don't get it ...

Do you say ISO 9001 doesn't require compliance to procedures ?

What's the whole point of having procedures if following them or not is irrelevant, then ?
 