ISO 9001 - Requirement for Process Audits

[Jen Kirley]

Re: ISO 9001 - Process audits

One of my clients used a well-known / reputable registrar and apparently the company line from them was that, because of 0.2, the process approach to internal auditing was a hard requirement and we (my client) would receive an NC if the process approach was not followed.

We had the choice of taking the process approach (which, as Randy points out certainly has merit) or changing registrars. This point was non-negotiable with them. Other registrars (different clients) weren't so rigid.

This is not intended to disparage the registrar or dispute their approach but just point out that there may be some registrar-dependent variances.

I've noticed that CB auditors' interpretation of some elements in the standards vary, but the fact is that in ISO 9001:2008 the Quality management systems - Requirements start with 1, Scope. To be enforceable, a process approach to auditing would need to be included in the Requirements section.

I have looked for more guidance on this in the ISO informational documents titled Guidance and Use of the Process Approach for management systems and found "audit" referred to only as one example in a list of measurement processes. Even ISO 19011:2015, Guidelines for auditing management systems, refers to the process approach only as one of the listed recommended skills auditors should have (see A.4, page 32). I even did a search for "process audit" in ISO 17021:2011, Conformity assessment - Requirements for bodies providing audit and certification of management systems, and found nothing.

Based on all that, I would write an Opportunity for Improvement suggesting the process approach to auditing in order to help measure process effectiveness, but I wouldn't write a nonconformity because there isn't anything in the Requirements part of the ISO 9001:2008 standard to write it against. If ANAB reviewed my audit report and decided I had "softgraded" with this OFI, I would welcome that as input based on the lack of anything more substantial.

 

[Big Jim]

Re: ISO 9001 - Process audits

I've noticed that CB auditors' interpretation of some elements in the standards vary, but the fact is that in ISO 9001:2008 the Quality management systems - Requirements start with 1, Scope. To be enforceable, a process approach to auditing would need to be included in the Requirements section. <snip>

+1

The results of your research pretty much matches mine.

 

[yodon]

Re: ISO 9001 - Process audits

While the "Process Approach" in auditing makes absolute sense, the choice is still yours. The CB's insistence on this approach should have been clarified during the contract review stage with the CB. Or was it?

The auditor didn't write a NC at the time but said he would in the next surveillance audit if we didn't "go process." As everyone has pointed out, the process approach makes more sense so it turned out to be a battle I didn't see worth fighting. The auditor could well have been 'threatening us with the whip' to push us in the right direction (or he may well have been willing to defend it to ANAB - will never know).

To answer the question, though, no, that wasn't clarified in the contract review (that I can recall).

 

[mallen92705]

Our auditor also "showed us the whip" to get us to move to process audits. Isn't it amazing that an auditor's "interpretation" (or what they have been told to enforce from ANAB or the OEM's) can be written up as a nonconformance?

Essentially, they are writting you up for something that you had no way of knowing. Wouldn't it be great if the Registrars shared these ANAB / OEM driven changes with their customer's prior to entering their facility and "showing the whip"? (or worse yet, actually issuing a NC)

The Registrars are essentially the supplier to the certified organizations. Could you imagine the beating you would take as a supplier if you failed to communicate key information regarding your product or service to your customers?

 

[Jen Kirley]

Our auditor also "showed us the whip" to get us to move to process audits. Isn't it amazing that an auditor's "interpretation" (or what they have been told to enforce from ANAB or the OEM's) can be written up as a nonconformance?

Essentially, they are writting you up for something that you had no way of knowing. Wouldn't it be great if the Registrars shared these ANAB / OEM driven changes with their customer's prior to entering their facility and "showing the whip"? (or worse yet, actually issuing a NC)

The Registrars are essentially the supplier to the certified organizations. Could you imagine the beating you would take as a supplier if you failed to communicate key information regarding your product or service to your customers?

ISO has put out a number of informational documents like the 544R3 "Support package" I already linked in an earlier post. It's free.

I can understand your frustration with the lack of clarity, the guess work. That's why the Cove is such a great place to network. I can also understand frustration with CB auditors blowing hot and cold. It isn't easy to "calibrate" auditors and every system we encounter is a little different. And we aren't supposed to consult, so some auditors seem inclined to just say what's nonconforming (as we are actually told to do) make a client guess as to a good approach. We can vaguely say "Well I've seen it done XYZ way in other places" but the line we dare not cross is very near to that.

So my heart is with you. And I can tell you that what we say here in the open is not considered consulting. So if you have questions, ask away. You are among friends.

 

[Big Jim]

Our auditor also "showed us the whip" to get us to move to process audits. Isn't it amazing that an auditor's "interpretation" (or what they have been told to enforce from ANAB or the OEM's) can be written up as a nonconformance?

Essentially, they are writting you up for something that you had no way of knowing. Wouldn't it be great if the Registrars shared these ANAB / OEM driven changes with their customer's prior to entering their facility and "showing the whip"? (or worse yet, actually issuing a NC)

The Registrars are essentially the supplier to the certified organizations. Could you imagine the beating you would take as a supplier if you failed to communicate key information regarding your product or service to your customers?

I rather doubt that ANAB is pushing writing nonconformances for not having a process based internal audit. They certainly know better. It is far more likely that ANAB encourages process based audits and that somewhere down the communication chain it is misunderstood.

Since there is so much buzz about process based internal audits, I wonder if it will be a requirement for ISO 9001:2015? That would be the natural time to apply it.

 

[Helmut Jilling]

I rather doubt that ANAB is pushing writing nonconformances for not having a process based internal audit. They certainly know better. It is far more likely that ANAB encourages process based audits and that somewhere down the communication chain it is misunderstood.

Since there is so much buzz about process based internal audits, I wonder if it will be a requirement for ISO 9001:2015? That would be the natural time to apply it.

I agree ISO and ANAB should make it more clear that internal audits are expected to be in a process approach, and I have complained to ANAB, CBs and ISO.

But, there are various documents (ISO 19011, 17021, APG and ANAB guidance docs) and when you take them all together, they do "discuss" processes and process approach frequently. They infer, imply and reference processes a lot. Why they can't just SAY IT (!), I don't understand either.

But, it is what it is. The process approach is a much better way to audit effectively. And, so, I recommend all internal auditors should learn how to do it. I think better we should move on and adopt it, than fight against what is inherently a better approach.

We have been instructed by our CB that ANAB and IAOB requires internal audits to be performed in a process approach. I write nonconformities about that as needed. I agree it should come from ISO and be put in the standard, or it should come from ANAB. I was disappointed they did not clarify that in the 2008/2009 update.

I wrote a white paper on process approach internal audits. It is available as a free download on my website (Jilling.com click on the "Tools" tab). For some reason, it won't let me upload it here, sorry.
Moderator Note: File attachment added

 

[AndyN]

I'm not sure they can do anything but suggest it, simply because not all audits need to be Process audits. Certainly only doing "element" audits isn't good, but there are other criteria to consider than treating everything as a process when auditing.

 

[Big Jim]

I agree ISO and ANAB should make it more clear that internal audits are expected to be in a process approach, and I have complained to ANAB, CBs and ISO.

But, there are various documents (ISO 19011, 17021, APG and ANAB guidance docs) and when you take them all together, they do "discuss" processes and process approach frequently. They infer, imply and reference processes a lot. Why they can't just SAY IT (!), I don't understand either.

But, it is what it is. The process approach is a much better way to audit effectively. And, so, I recommend all internal auditors should learn how to do it. I think better we should move on and adopt it, than fight against what is inherently a better approach.

We have been instructed by our CB that ANAB and IAOB requires internal audits to be performed in a process approach. I write nonconformities about that as needed. I agree it should come from ISO and be put in the standard, or it should come from ANAB. I was disappointed they did not clarify that in the 2008/2009 update.

I wrote a white paper on process approach internal audits. It is available as a free download on my website (Jilling.com click on the "Tools" tab). For some reason, it won't let me upload it here, sorry.
Moderator Note: File attachment added

As far as I know, I have never been told to write nonconformances when internal audits are not performed to the process approach, but I do write observations every time I see it. I may add that they nearly always do change over from that prodding.

While you are complaining, you might add that they offically come up with a better definition than something that has inputs and outputs. They use the same term, process, when they are obviously talking about business processes as in 4.1 that they use when they are obviously talking about manufacturing processes as in 7.5.2.

Unless or until they clear that up, there will continue to be confusion about exactly what they mean by the process approach.

 

[AndyN]

As far as I know, I have never been told to write nonconformances when internal audits are not performed to the process approach, but I do write observations every time I see it. I may add that they nearly always do change over from that prodding.

Since process audits are not required and there's a case for doing audits with another focus, why would you report an observation? Are they doing something else exclusively? Elements?