Type and Control of Outsourced Processes - ISO 9001 Clause 4.1

[Marc]

<snip> I do want them to document them in an appropriate manner. <snip>

If it's not a requirement, as long as they have a system and it is being followed, as an auditor what you want is not relevant.

 

[howste]

NOTE 2 An “outsourced process” is a process that the organization needs for its quality management system and which the organization chooses to have performed by an external party.

The organization shall establish and maintain a quality manual that includes... c) a description of the interaction between the processes of the quality management system.

Referencing the above two quotes from the standard (my emphasis), your auditor could certainly argue the point that the interactions with the outsourced processes must be contained in the quality manual. However, if the controls for these processes were contained within a larger process (such as purchasing) I still don't think the names of the processes would necessarily be found in the manual. If this were the case, the auditor would need to find the controls identified in the purchasing process. If they could be found there (not necessarily in a list), I don't see a problem. In fact, the standard hints that there might be purchasing information describing the controls:

NOTE 3... The type and extent of control to be applied to the outsourced process can be influenced by factors such as... c) the capability of achieving the necessary control through the application of 7.4.

 

[Big Jim]

I'm seeing a lot of this these days.

As a consultant I include outsourcing in the quality manual either in 4.1 where outsourcing is mentioned or in 7.4 where the control usually takes place, or in both. I do this because many auditors seem to be looking for this, and these are auditors from several registrars.

As an auditor I can usually find the answer on how they handle outsourcing in their purchasing process if it is documented or in their purchasing practice if it is not documented. Sometimes it is in 7.5.1 where they control production and the traveler provides detail of the specific outsourcing and the inspection results when it returns is on the traveler. It is usually there somewhere and an auditor needs to look in the obvious places.

It is still the responsibility of the auditee to know his system and be able to point out how something like this is handled in their organization.

Most important though is that auditing should be a joint effort between the auditor and the auditee. They should both be helpful on determining how the organization is functioning. An organization with an infant quality management system needs more patience, understanding, and empathy than an organization with a mature system.

 

[tony s]

If your documentation the pre-dates your ISO 9001 QMS are NOT a part of your current QMS then your auditor MAY have a valid argument. That said, "define" does not necessairly equate with "document".

Any document that we need for our QMS is a part of our QMS.

Referencing the above two quotes from the standard (my emphasis), your auditor could certainly argue the point that the interactions with the outsourced processes must be contained in the quality manual.

It is not that I want a "list." I really don't require a particular format. I do want them to document them in an appropriate manner.

They already have documented their internal processes. I simply suggest they identify their outsourced processes on the same document, whatever that document is.

We actually identified the outsourced processes on our business process map that is included on the first section of our quality manual.

To give you a background, our organization is just one part of a financial institution who outsource some processes like investigation of loan borrowers, assessment of environmental compliance, fund sourcing, etc. that we need for our lending operations. Most of the controls are already documented on the financial institution's credit manual (which pre-dates the quality manual)

Again, this is about not having a list. It is not about whether the company was prepared for the audit. Typically if they are not prepared to clearly explain what their outsourced processes are and how they are both controlled and tracked, they have more problems than this specific area.

Since the credit manual was there years before the QMS, I believe that we're discerning enough to identify what are the processes that other departments perform in our behalf.

If it's not a requirement, as long as they have a system and it is being followed, as an auditor what you want is not relevant.

Yes I fully agree.

 

[Helmut Jilling]

We actually identified the outsourced processes on our business process map that is included on the first section of our quality manual.


To give you a background, our organization is just one part of a financial institution who outsource some processes like investigation of loan borrowers, assessment of environmental compliance, fund sourcing, etc. that we need for our lending operations. Most of the controls are already documented on the financial institution's credit manual (which pre-dates the quality manual)

If the outsourced processes are identified on your business process map, and the controls are documented, and those documents are included in your overall QMS system, I do not understand why an auditor should have raised an issue with that. As you described it, it sounds fine.

 

[tony s]

Hi Helmut,

Yes that's what we thought until our auditor wanted us to "identify" and "document" (exactly his wording) the type and extent of controls in our quality manual.

During the closing meeting he further explained that by having a list or similar defining the type and extent of control for each outsourced processes will satisfy the requirement.

 

[Helmut Jilling]

Hi Helmut,

Yes that's what we thought until our auditor wanted us to "identify" and "document" (exactly his wording) the type and extent of controls in our quality manual.

During the closing meeting he further explained that by having a list or similar defining the type and extent of control for each outsourced processes will satisfy the requirement.

In this I would agree with Marc, the auditor is incorrect. You have identified the outsourced processes, and they can link to the documents where you have defined the controls. Identifying them on a list is not necessarily the best way to do it. Especially if the controls are extensive, as they seem to be. You have the right to request a review by the CB, or by the auditor himself.

 

[Marc]

Things haven't really changed

As a consultant I include outsourcing in the quality manual either in 4.1 where outsourcing is mentioned or in 7.4 where the control usually takes place, or in both. I do this because many auditors seem to be looking for this, and these are auditors from several registrars.

I'm going a bit off topic, but this reminds me of the 'good old days' and why I still advise clients to write their quality manual to correlate with the standard. I remember the days of auditors coming in and saying "Well, you don't mention it in your quality manual" with the expectation that your quality manual should address every section/clause of the standard. Statistical techniques was one that came up a lot in small Mom & Pop shops where there really wasn't a need for statistical techniques. The auditor would say that the company had to at least address it by saying they don't use any statistical techniques, but should the need arise they would address it by implementing a system for it.

I thought in part the whole 'process approach' and the theory behind it, the *BIG* change in ISO 9001:2000 was eliminated any need to reference every section/clause of the standard was a bygone era. I thought now it was essentially OK if you had one big honkin' flow chart (top level process map) which showed the interactions of the major processes and that's about it.

Things really haven't changed much. ISO 9001 (in this case) is still a standard that an auditor must audit to, and the auditor may choose not to use a checklist, but the auditor still has to ensure in some way that s/he has checked every requirement of the standard during the audit. If the major systems are referenced in the quality manual.

I know a lot of you here do not like checklists. I suggest you watch the Daily Show from 2010.02.03. Jon interviews Atul Gawande author of "The Checklist Manifesto: How to Get Things Right". When I used to fly as a pilot I swore by checklists and I still do.

In a way, a quality manual, to me, is a sort of checklist. Not to mention it helps the company as they learn the requirements. As for auditors, if it's in, or linked to, in the quality manual it makes an audit a lot easier *in my opinion*.

 

[Jim Wynne]

Re: Things haven't really changed

I know a lot of you here do not like checklists. I suggest you watch the Daily Show from 2010.02.03. Jon interviews Atul Gawande author of "The Checklist Manifesto: How to Get Things Right". When I used to fly as a pilot I swore by checklists and I still do.

In a way, a quality manual, to me, is a sort of checklist. Not to mention it helps the company as they learn the requirements. As for auditors, if it's in, or linked to, in the quality manual it makes an audit a lot easier *in my opinion*.

Atul Gawande is a remarkable guy. I linked to an New Yorker article of his in this post.

As for the general topic of this thread, I think it's a good idea to have a system for dealing with outsourced processes, not just to make it easy for auditors, but to deal with suppliers in a uniform and consistent manner. One often-overlooked aspect is the construction of purchase orders, and providing training for purchasing people in that regard. Too many POs don't specify requirements properly, and purchasing people are often unaware of the importance of it. Codifying supplier requirements is (imo) the best way to deal with control of outsourced processes.