Internal Audit Matrix Process Query

[ReworkIT]

S/he has to audit the process and it's intrinsic robustness.

I think my head is going to explode!What am I missing? I thought ISO standards clearly described requirements. Like, documents need to be approved and things like that. Equipment needs to be calibrated. Non-coplying products needs to be identified. All of what I get, honestly. But some of you are telling me that audits HAVE to be done on a process and I read 9.2.2 and can't see those words. I've seen here at the Cove that other standards say that's what has to be done, but we don't do those standards. Why can't I find the words process audit in ISO 9001? Should I be looking someplace else?

 

[howste]

I think my head is going to explode!What am I missing? I thought ISO standards clearly described requirements. Like, documents need to be approved and things like that. Equipment needs to be calibrated. Non-coplying products needs to be identified. All of what I get, honestly. But some of you are telling me that audits HAVE to be done on a process and I read 9.2.2 and can't see those words. I've seen here at the Cove that other standards say that's what has to be done, but we don't do those standards. Why can't I find the words process audit in ISO 9001? Should I be looking someplace else?

I think you've established that the words "process approach" don't exist in the internal audit clause. As with most requirements in ISO 9001, the "how to" is not specified. In order to be effective, you need to decide a method that will help give you the best results regardless of whether there is a "shall" in the standard.

I'll illustrate this point with some quotes from an experienced and knowledgeable member (who I haven't seen around for a while) that has helped a lot of new auditors to understand why the process approach is a good idea in audits - even if it's not required (bolding is mine):

I think you've arrived at the stage of development where you need to change strategy from doing (simple) compliance audits to more "strategic" audits. To explain: If you are simply basing your internal audits on the various requirements of ISO and procedures, you will get to this place where you know everything you need to know (checklist or not). Where you need to get to is to evaluate the processes (as Jennifer correctly suggested) to the place where you take a look at new/changed things or performance.

While it's NOT a requirement, doing "element" audits like this doesn't tell you or - crucially - management, anything of any importance/use. It could take many months to link a finding in one element to another. You *should* be doing them by process. Did you get this approach from any training?

I had to learn this stuff like you! I wouldn't bother with ISO 19011 - far too complicated! Maybe you could rustle up the same kind of money and have someone come in to mentor you - do you have access to state grants for training? It could be used for some "OJT" for setting up and doing process based audits. Maybe one or more of our members here are in your neighborhood and could come by...

You really should be auditing the "process" of design and development, not the element. The process SHOULD have been created and, in doing so, some evaluation to show where each requirement of ISO 9001/AS9100 7.3 has been addressed. Your checklist should then be developed from the process, including the specifics of inputs, outputs, responsibilities, authorities, objectives and measurements your own management have laid down. This will make your task SO much easier.

Typically, internal audits are conducted on your OWN management system. The idea is that you audit the processes you have, not to the standard. Otherwise you end up with making a simple "Yes/No" and that can be done without a checklist by reviewing the standard and asking "do we do this?" - not really an audit!

So, the best way - and will involve work on your part, but "the more you put in, the more you get out" and your audits will be more effective if you study the QMS processes of your organization and use those to audit the actual practices of your colleagues.

 

[Kronos147]

Why can't I find the words process audit in ISO 9001? Should I be looking someplace else?

Yes.

The requirements of the standard have been laid out according to the high level structure, which means that there are clauses and the writers put stuff in the clause holders. That does not mean they are exclusive.

The nature of the system is you have to relate the requirements in meaningful ways, like relating them to your system.

The standard is laid out with 'threaded' requirements. Process approach is one. I have done this with AS9100 Rev. D and failed to highlight the differences, so I challenge you to check my work against ISO 9001:2015. Green text is the paraphrased standard, my comments in black.


[FONT=&quot]0.1 General[/FONT]
[FONT=&quot]The process approach enables an organization to plan its processes and their interactions.[/FONT]
[FONT=&quot] [/FONT]
[FONT=&quot]The PDCA cycle enables an organization to ensure that its processes are adequately resourced and managed, and that opportunities for improvement are determined and acted on.[/FONT]
[FONT=&quot]
[/FONT]

[FONT=&quot]We plan, do (perform), check (inspection and audit), and act (corrective action) our processes.
[/FONT]
[FONT=&quot] [/FONT]
[FONT=&quot]
[/FONT]
[FONT=&quot]0.2 Quality Management Principles -Process Approach
[/FONT]
[FONT=&quot]
[/FONT]
[FONT=&quot][FONT=&quot][FONT=&quot]The process approach is one of the seven principles.
[/FONT][/FONT][/FONT]
[FONT=&quot] [/FONT]
[FONT=&quot]
[/FONT]
[FONT=&quot]0.3.1 Process Approach: General[/FONT]
[FONT=&quot]Understanding and managing interrelated processes as a system... This approach enables the organization to control the interrelationships and interdependencies among the processes of the system...[/FONT]
[FONT=&quot] [/FONT]
[FONT=&quot]The process approach involves the systematic definition and management of processes, and their interactions, so as to achieve the intended results... Management of the processes and the system as a whole can be achieved using the PDCA cycle (see 0.3.2) with an overall focus on risk-based thinking (see 0.3.3) aimed at taking advantage of opportunities and preventing undesirable results.[/FONT]
[FONT=&quot] [/FONT]
[FONT=&quot]
[/FONT]
[FONT=&quot]4.4.1 AQMS and its Processes[/FONT]
[FONT=&quot]The organization shall determine the processes[/FONT]
[FONT=&quot]
[/FONT]
This is a step that if organizations[FONT=&quot][/FONT] do not consider carefully will result in an ineffective system

[FONT=&quot]
[/FONT]
[FONT=&quot] needed for the quality management system and their application throughout the organization, and shall:[/FONT]
[FONT=&quot]a. determine the inputs required and the outputs expected...[/FONT]
[FONT=&quot]b. determine the sequence and interaction of these processes;[/FONT]
[FONT=&quot]c. determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;[/FONT]
[FONT=&quot] [/FONT][FONT=&quot]g. evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;[/FONT]

[FONT=&quot]Internal Audits can be considered performance indicators, no? If not, how else? Ask the process owner? One of the other seven management principles is Evidence Based Decision Making.[/FONT] [FONT=&quot][/FONT]
[FONT=&quot] [/FONT] [FONT=&quot]
[/FONT]
[FONT=&quot]5.1.1 Leadership and Commitment: General[/FONT]
[FONT=&quot]Top management shall demonstrate leadership and commitment with respect to the quality management system by:[/FONT]
[FONT=&quot]d. promoting the use of the process approach and risk-based thinking;[/FONT]
[FONT=&quot]
[/FONT]
[FONT=&quot] [/FONT]
[FONT=&quot]5.3 Organizational Roles, Responsibilities and Authorities[/FONT]
[FONT=&quot]Top management shall assign the responsibility and authority for:[/FONT]
[FONT=&quot]a. ensuring that the quality management system conforms to the requirements of this International Standard;[/FONT]
[FONT=&quot]b. ensuring that the processes are delivering their intended outputs;[/FONT]
[FONT=&quot]
[/FONT]
[FONT=&quot] [/FONT]
[FONT=&quot]6.1.2 Planning: Actions to Address Risks and Opportunities[/FONT]
[FONT=&quot]The organization shall plan: [/FONT]
[FONT=&quot]a. actions to address these risks and opportunities; [/FONT]
[FONT=&quot]b. how to: [/FONT]
[FONT=&quot]1. integrate and implement the actions into its... processes [/FONT]
[FONT=&quot]
[/FONT]
[FONT=&quot] [/FONT]
[FONT=&quot]8.1 Operational Planning and Control [/FONT]
[FONT=&quot]The organization shall plan, implement, and control the processes (see 4.4) needed to meet the requirements..., and to implement the actions determined in clause 6, by:[/FONT]
[FONT=&quot]b. establishing criteria for:[/FONT]
[FONT=&quot]1. the processes; [/FONT]
[FONT=&quot]2. the acceptance of products and services;[/FONT]
[FONT=&quot]d. implementing control of the processes in accordance with the criteria;[/FONT]
[FONT=&quot] [/FONT]
[FONT=&quot] [/FONT]
[FONT=&quot]9.2.2 The organization shall: [/FONT]
[FONT=&quot]a. plan, establish, implement, and maintain an audit program(s), which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;[/FONT]
[FONT=&quot]
[/FONT]
[FONT=&quot]I was upset when I read this clause. The drafters FAILED miserably (IMO) to establish the very heart of your question, necessitating all of this explanation. A more strongly worded statement about auditing your processes would have helped.[/FONT]
[FONT=&quot]
[/FONT]
[FONT=&quot]A little historical perspective, ISO9001:1994 was not process-based, and it was not beneficial for organizations that audited the clauses. It didn't related to "what they did" (i.e. processes). ISO 9001:2000 introduced the concept, and ISO 9001:2008 tried to re-enforce the concept.
[/FONT]
[FONT=&quot]
[/FONT]
[FONT=&quot]By adding the Process Approach to both the seven management principles and Leadership and Commitment, perhaps the drafters felt they had established their point.
[/FONT]
[FONT=&quot] [/FONT]
[FONT=&quot]9.3.2 Management Review: Inputs[/FONT]
[FONT=&quot]The management review shall be planned and carried out taking into consideration:[/FONT]
[FONT=&quot]c. information on the performance and effectiveness of the quality management system, including trends in:[/FONT]
[FONT=&quot] 3. process performance and conformity of products and services;[/FONT]
[FONT=&quot] 6. audit results;[/FONT][FONT=&quot][/FONT]

Audit results and objective results are often used to gage process performance and conformity of the system.

I hope this makes it a little more clear!

 

[Big Jim]

Let's clear up something before it gets more tangled.

Internal audits are NOT required to be process based. It is encouraged, as it is within the concept of process based thinking.

You can develop an old fashioned elements of the standard checklist if you so desire for internal auditing. That said I don't recommend that old thinking.

Certification body auditors are required to perform process based certification body audits. They are required to base the audit on the organization's description of the interaction between the processes, which is usually a chart. This description is something the organization is required to document (maintain documented information in the 2015 standard).

 

[Jen Kirley]

I understand your point and it's very true for the actual QMS. I'm still struggling to understand why I can ONLY audit processes? Can't I also audit a customer requirement being implemented "within" a process? Can't I also audit something like a regulation being implemented in our product design group on a new product. My auditor trainer suggested that many options are open to us, under "scope and criteria". Are you tell me the trainer is wrong?

Processes that are included in your QMS and its scope need to be audited.

It's true that there is an expectation for process auditing, and it's also true that there is no "Thou shalt use the process audit method" to march to. If you want to ensure the process is effective, why not look at all of its parts?

Please pay attention to the guidance document Sidney showed here. While it does not have "shalls," it does provide insight about expectations from the people who originated the standard. That is valuable information - less guessing and mind-reading is a good thing!

The customer requirement is an input to the process, as is a regulation, and by all means should be included in the audit. Customers and regulators are relevant interested parties. Not having been present in the class you took, I am not able to comment on exactly what the instructor said, its context or if it was right or wrong.

 

[Big Jim]

If not auditing your processes, what, do you think, should be audited?

This is a great document and I encourage following it, but stay focused on the fact that this is GUIDANCE, not requirements.

 

[Stijloor]

Our Members get too often wrapped up in what's required and what makes common sense. Process audits per ISO 9001:2015 are not required, even though this practice makes more sense.

OK y'all?

 

[Stijloor]

In addition to my previous post, I would like to add that the sector-specific (automotive) standard IATF 16949:2016 makes (shall) references to the process approach in two clauses:

• 7.2.3 Internal auditor competency..... a) understanding of the automotive process approach for auditing, including risk-based thinking;
• 9.2.2.2 Quality management system audit...... "using the process approach..."

So, while the automotive industry is on board and makes the process audits mandatory, ISO 9001:2015 does not.

 

[Rich Shippy]

FWIW,
What I did is list the ISO 9001:2015 requirements on the left side of a spread sheet, and our process flows on the right ,next to the standard's requirement (our documented information is embedded in the flows). Then we simply audit the process flows and get the standards requirements in the same activity. The process orientated audit concept seems to cause confusion. Hope that helped.

 

[Jadey52803]

Rich Shippy,

Can you elaborate a little more on this? It sounds like you, essentially, put together an ISO requirements matrix and matched up the docs you have against the standard's requirement? Is that correct?