Bip 2015-2009

Process Management Auditing
for ISO 9001 :2008

Process Management Auditing for ISO 9001 : 2 008
Understanding ISO 9001 : 2 008 and Process-based Management Systems
Creating a Process-based Management System for ISO 9001 : 2 008 and beyond
Process Management Auditing
for ISO 9001 :2008
Rob Peddle and Ian Rosam

(The High Performance Organisation Group Ltd)
Process Management Auditing for ISO 9001 :2008
P ro cess M anagement Au diting fo r I SO 9 0 0 1 : 20 0 8
T his seco nd editio n p u b lished in the U K in 20 0 9
by
B SI
3 8 9 C hiswick High Ro ad
Lo ndo n W4 4AL
© B ritish Standards I nstitu tio n 20 0 9
F irst editio n p u b lished b y B SI in 20 0 3
I S BN 9 78 0 5 8 0 6 76 5 8 1
f
B SI re erence: B I P 20 1 5
A catalo gu e reco rd fo r this b o o k is availab le fro m the B ritish Lib rary.
C opyright subsists in all BSI publications. Except as permitted under the
C opyright, D esigns and Patents Act 1 9 88 no extract may be reproduced, stored
in a retrieval system or transmitted in any form or by any means – electronic,
photocopying, recording or otherwise – without prior written permission from BSI.
I f permission is granted, the terms may include royalty payments or a licensing
agreement. D etails and advice can be obtained from the Copyright Manager, British
Standards Institution, 3 89 Chiswick High Road, London W4 4AL.
G reat care has b een taken to ensu re accu racy in the co mp ilatio n and p rep aratio n
o f this p u b licatio n. Ho wever, since it is intended as a gu ide and no t a de f nitive
statement, the au tho rs and B SI canno t in any circu mstances accep t resp o nsib ility
fo r the resu lts o f any actio n taken o n the b asis o f f

the in o rmatio n co ntained
in the p u b licatio n no r fo r any erro rs o r o missio ns. T his do es no t a ffect yo u r
statu to ry rights.
Typ eset b y M o no lith – www. mo no lith. u k. co m
f
P rinted b y Ber o rts
v
F o re wo rd: The au diting wo rld has change d –
Are yo u re ady?
The changes to ISO 9 0 0 1 : 20 0 0 no w co ntained in ISO 9 0 0 1 : 20 0 8 are relatively
mino r in natu re, bu t they have rein fo rced p ro cess management as a strategic
ap p ro ach to the management o f o rganizatio ns, bo th big and small. Ho wever,
maj o r events that hap p ened as the 20 0 8 versio n was b eing p u blished, fo r
examp le, the fnancial meltdo wn, have rein fo rced so me key messages fro m
ISO 9 0 0 1 . They have highlighted the failure o f traditio nal co mp liance based
auditing techniques to identi fy the risks being taken within management
systems and individual p ro cesses. These techniques were no t the o nly failures,
bu t they co ntribu ted signi fcantly to the o verall o utco me, the co nsequence o f
which has been a bill fo r $ 1 , 0 0 0 , 0 0 0 , 0 0 0 , 0 0 0 o f aid p ump ed into the eco no my
by the main G 20 go vernments during late 20 0 8 and 20 0 9 . In terms o f co rrective
actio n that is so me co st!
O f co urse, j u st like third p arty registratio n o rganizatio ns, the large
co mp anies that failed had emp lo yed co mp etent and kno wledgeable p eo p le to
carry o u t the audits, to rep o rt fndings to the highest level, and who had the
backing o f p eo p le that co unted. They had senio r management, no n-execu tive
and executive directo rs who were very exp erienced. So what went wro ng? Why
was it that altho ugh the au dits were being carried o u t, they didn’t highlight the
risks that p eo p le were taking and get the message to tho se who needed to kno w
to allo w them to do so mething ab o ut it?
In sho rt, the au dito rs were p rimarily fo cused o n co mp liance and altho ugh
systems and p ro cesses co mp lied, it did no t make them e ffective. It was their
level o f e ffectiveness that failed. It’s the level o f e ffectiveness that we see and
exp erience and that p ro duces the o utco mes fro m what o rganizatio ns are do ing.
In the end, o rganizatio ns are resp o nsible fo r their o utco mes and the e ffect they
vi
have o n the wo rld aro u nd them, and their au diting sho u ld help them manage
the risks su rro u nding this.
So what do es this mean fo r u s as au dito rs? F o r o ne thing, it means
that we canno t j u st rely o n co mp liance and the checking o f reco rds. M o re
imp o rtantly, we have to u nderstand ho w p eo p le wo rk to gether to deliver these
o u tco mes, their b ehavio u r and the cu ltu re, as it is p eo p le who create risk no t
p ap er and co mp u ters. B u t ho w do we au dit b ehavio u r and aren’t we already
do ing this? O ne o f the key fallacies with the au diting indu stry is the nu mb er
o f o rganizatio ns and au dito rs that p ro mo te themselves and b elieve that they
are already assessing e ffectiveness – their marketing material is fu ll o f it. I n
f
reality this o ten o nly amo u nts to go o d co mp liance au diting rather than a real
assessment o f e ffectiveness. This is desp ite the b est intentio ns o f the au dito rs
co ncerned and an indu stry trying to mo ve b eyo nd co mp liance. I t is no t their
fau lt. I t is the au diting p ro cess that has b een fo llo wed fo r so many years that has
failed and so far very few have really addressed this p ro b lem, b u t tried to b ase
new metho ds o n what has limitatio ns – co mp liance au diting.
I t is against this b ackgro u nd that this b o o k has b een u p dated. I t has b een
written to help au dito rs ado p t so u nd au diting p ractices that wo rk and to help
them au dit e ffectiveness as well as co mp liance. Au diting b ehavio u rs and cu ltu re,
which is u ltimately where we b elieve au diting will end u p , requ ires advanced
au diting skills that are o u tside the sco p e o f this b o o k. This b o o k will, ho wever,
create the gro u ndwo rk fo r them, as the p rincip les co vered here are the b asis o f
these mo re advanced techniqu es. I f yo u feel yo u wo u ld like to kno w ho w to
au dit b ehavio u rs then p lease email the au tho rs who can p ro vide case stu dies and
examp les o f o rganizatio ns that are already ado p ting the ap p ro ach at:
I an. ro sam@the-hp o . co m
Ro b . p eddle@the- hp o . co m
C ontents
Introduction 1
•
We
introduce
the
challenge
that
auditors
face
to
develop
the
co mp etences requ ired to e ffectively au dit against the new
I SO 9 0 0 1 : 20 0 8 S tandard and the ever increasing demands o f

b u siness fo r au diting activity to add mo re valu e. We examine the
o p p o rtu nities availab le fo r the fo rward thinking au dito r.
1. Putting the p rocess ap p roach into context 5
•
A
quick
overview
of
the
process
approach
to
ensur that
we
have a co mmo n u nderstanding o f f
the b asic termino lo gy b e o re
develo p ing o u r au diting skills, kno wledge and co mp etences.
2. The requirements o f IS O 9 0 01 : 2 008 – An auditor’s p ersp ective 9
•
T he
eight
key
principles
of
ISO
9001:2008
and
the an,
do,
check, act metho do lo gy are the basic techniqu es that fo rm the
fo u ndatio n o f the e ffective audito r. A clear u nderstanding o f these
and ho w they can be ap p lied to a business will help the audito r
stru cture their au diting ap p ro ach bo th at system and p ro cess level.
3. The system-p rocess-p rocedure relationship 17
•
T he
primary
role
of
a process
management
auditor to
discover
to what extent the p ro cess is b eing managed and what e ffect
this has o n the achievement o f f
b u siness o b j ectives. B e o re we
can u ndertake any p ro cess management au dit we mu st f rst
ap p reciate ho w a management system wo rks and the interactio ns
that go o n b etween the o verall system, p ro cesses and p ro cedu res.

Pro ce s s M anage me nt Au diting fo r IS O 9 0 0 1 : 2 0 0 8
viii
4. Auditing to o ls and te chnique s 21
•
With
the
fundamentals
that
make a
management
system
understo o d, we no w turn o ur attentio n to the detail o f ho w yo u
sho uld actually co ndu ct an au dit starting with the to o ls and
techniqu es that can be emp lo yed.
5. Planning and p re p aring a p ro ce s s audit 31
•
Auditing
is
80
per
cent
preparation and
20
per
cent
actual
auditing, which so unds like a bit o f an o ld wives’ tale until yo u
actually carry o ut an audit and then yo u realize j ust ho w true it is!
6. C arrying o ut a p ro ces s audit – C o mp liance vs e ffe ctive ne s s 38
•
S tarting
with
the
managing
director will
help
put
the
process
and
system into the co ntext o f the bu siness that yo u are au diting.
O nce this o ften daunting step is co mp leted it will feed the
au diting o f the p ro cess’ o wners and teams in o rder to assess
the e ffectiveness o f the management system in relatio n to the
business o bj ectives.
7. f
I de nti ying and re p o rting f ndings – M o ving b e yo nd co mp liance 44
•
What
are
the
objectives
of
your
audit report?
A straightforward
eno ugh qu estio n, but ho w many audito rs actu ally ask themselves
this be fo re they write and p resent their rep o rt?
8. As s e s s ing imp ro ve me nts 50
•
The
auditor’s
role
is
not
to
identify w
improvements
should
take place or what the organization should do. It is to provide
in formation to management on areas o f risk or where opportunities
for improvement exist with an explanation that outlines the
potential impact on the organization if these are addressed.
9. What p e rs o nal attrib u te s do audito rs ne ed? 53
•
Auditing
is
a skill
and
like
any
other skill
needs
practice
to
hone
it. It invo lves an ability to evalu ate o r learn fro m the exp erience,
sub sequently changing the auditing style o r ap p ro ach to add
mo re valu e to the activity.

C o nte nts
ix
1 0. C o nclu s io n and the way fo rward 63
• I
n this
book
we
cover
the
basic
principles
of
au diting,
and
these
need time and p ractice to b e e ffective fo r the reader to tru ly
u nderstand the p rincip les invo lved. I n o ther wo rds reading the
b o o k witho u t the p ractice will no t b u ild co mp etence. We o u tline
ways in which au dito rs can fu rther b u ild their co mp etence in
o rder to add mo re valu e to o rganizatio ns.
Ap p endix 1 . E xamp le au dito r qu es tio ns 73
• T
his
appendix
seeks
to
provide
some
example
questions
based
o n the ap p ro aches u sed. The examp les are gro u p ed b y the
relevant I S O 9 0 0 1 : 20 0 8 clau se fo r ease o f f

re erence, to gether with
qu estio ns that co u ld b e asked to demo nstrate co mp liance alo ng
with tho se that seek to test e ffectiveness.
f
Re e re nce s 95
1
Introduction
Has something changed?

2008 saw the release o f the new ISO 9 001 : 20 08 Standard and started the clo ck
ticking fo r o rganizatio ns already registered to its 200 0 p redecesso r to make the
transitio n to the new Standard. At the same time the clo ck also started ticking fo r
audito rs to beco me co mpetent to audit against this new Standard. Altho ugh o nly a
relatively mino r change fro m the 200 0 versio n, the fact is that many o rganizatio ns
and audito rs have no t fully implemented the intentio n o f the 20 00 versio n. This
f
new update there o re allo ws this to be reviewed, and any sho rtco mings to be
addressed witho ut the need to also address o ther signi f cant changes.
T here was a mixed resp o nse to the issu e o f I SO 9 0 0 1 : 20 0 0 fro m b o th
b u sinesses and au dito rs alike. B u sinesses welco med the new versio n o f the
Standard and as a resu lt qu estio ned the ro le internal and external au dito rs
sho u ld p lay. The u p date emp hasized the need fo r mo re added valu e to the
service au dito rs generally p ro vide. Au dito rs o n the o ther hand also welco med
f
the new Standard b u t u n o rtu nately many have no t no ticeab ly changed their
ap p ro ach to the au dits they co ndu ct. The 20 0 8 versio n adds mo re p ressu re o n
them to do so .
T he resu lt o f this di fference b etween exp ectatio n and p ractice is a virtu al
stand-o ff b etween au dito rs and b u siness that has le t p eo p le f feeling co n u sed f

and in many cases extremely fru strated.
T his b o o k is aimed at p eo p le who wish to cu t thro u gh this co n u sio n f

and gain a b etter u nderstanding o f the o verall ap p ro ach requ ired fo r p ro cess
management au diting u sing I SO 9 0 0 1 : 2 0 0 8 .

This book attempts to explain:
• what business should expect from auditors;

• what auditors should expect from business;
• the actual role o f an auditor in today’s process driven business environment;
and
• the key competences required to audit process management.
For those who fully adopted the need to audit both compliance and
e ffectiveness, and the reporting o f business risk as a result o f it, this book will
hope fully give them some additional tips. For those who have not, this will be
the start o f a learning experience that should make them a much more valuable
resource to their organizations. It will also help them to secure their own future
as a valuable resource to support the e ffective delivery o f business goals.
Auditors and the business – A partnership?

So from what has been said so far, you can already see that the relationship
between auditor and business must really be seen as a partnership, i f the true
value to the business is to be realized. When this relationship is working
e ffectively there is the potential for the ‘auditor–business’ relationship to become
a powerful tool to drive the business towards the achievement o f its obj ectives.
It should not be about the auditors telling the business what it already knows.
The two key factors for this win–win partnership to succeed are:
• a competent auditor; and

• strong business leadership willing to learn and to improve the organization.
I f either o f these two factors are missing then the value o f auditing to the business
is signif cantly reduced (see Figure I. 1 ) .
Challenges facing auditors and businesses alike

ISO 9001 : 2000 and hence ISO 9001 : 2008 have radically changed, the implications
o f which have had signif cant impact on businesses and auditors alike.
The fundamental shi ft towards process management and away from

procedural compliance requires a completely di fferent approach when it comes
to auditing. It also requires a signi f cant change in the associated competences o f
an auditor i f they are to audit process management e ffectively.
Businesses need to understand the importance ISO 9001 : 2008 places on

the senior management to lead an organization from the front through obj ective
I ntro du ctio n
setting, key process identi f cation, allocation o f process ownership, performance

monitoring and improvement.
Auditors have to understand how a business operates and, if they are to

be effective as auditors in this ‘new world’, how to gather information about the
organization’s effectiveness and how their fndings need to be reported to add value
to the business. O ften the failure o f auditors to understand this basic requirement
is the prime reason why they can fail to meet expectations (see Figure I. 1 ) .
The challenge for auditors to understand how businesses operate and how
they, as auditors, can add value, is one that auditors must rise to i f they are to
continue to support businesses e ffectively. Many will have to set aside old values
and belie fs about auditing compliance based systems, change the way they look
and view obj ective evidence and look to learn new skills in order to become
competent process management auditors.
Trad i ti on al au d i tor- Standards and

bu si n ess rel ati on sh i p frameworks
Au d i tor focu sed on

com pl i an ce on l y
Bu si n ess focu sed on

obj ecti ves
Customer and
stakeholder needs
Au d i tor-bu si n ess
partn ersh i p approach
Au d i tor focu sed on

Standards and
frameworks
th e bu si n ess
Customer and
supporting the Bu si n ess focu sed
stakeholder needs
business on obj ecti ves
F igu re I . 1 T he audito r–b u s ines s relatio ns hip

5
1. Putting the p ro ces s ap p ro ach into co ntext
What is a p ro ces s -b as ed management s ys tem?
This b o o k will no t make any attemp t to describ e in detail p ro cess-based
management systems as o ther bo o ks within this series co ver this in mo re dep th
than we co u ld ho p e o r want to do here. Ho wever, a qu ick o verview is ap p ro p riate
to ensu re that we have a co mmo n u nderstanding o f the b asic termino lo gy.
What is a management s ys tem?
A defned framework o f key business processes working together to achieve

the stated business objectives, and customer and other stakeholder needs.
T he examp le in F igu re 1 . 1 is taken fro m a real o rganizatio n and describ es, at a
high level, the p ro cesses that go to make u p its o verall b u siness management
system. I t is p ertinent to the o rganizatio n itsel f and u ses a langu age and layo u t
that can b e easily u ndersto o d b y cu sto mers and sta ff alike. Typ ically this wo u ld
b e describ ed in the o rganizatio n’s qu ality manu al.
The p ro ces s , a de f nitio n:
An activity or series o f joined-up activities that convert(s) an input into an

output (adding value through the process).
Pro ces s M anageme nt Auditing fo r IS O 9 0 0 1 : 2 0 0 8
Understand
stakeholder and
market needs
Improving our Developing our

performance business objectives
Managing our
finances
Developing
Measuring and our staff
evaluating our Generate and win
performance business
Managing projects
Supplying parts
Managing service
support
F igure 1 . 1 E xamp le management s ys tem
I f the b u siness management system identi f es what p ro cesses the o rganizatio n
needs, then p ro cess de f nitio ns o r p ro cess map s de f ne the mechanism/activities
the o rganizatio n is requ ired to co mp lete in o rder to achieve its stated o b j ectives
to fu l f l cu sto mer and stakeho lder needs. See F igu re 1 . 2 fo r an examp le o f a
p ro cess map .
Pro ces s management, a de f nitio n:
The e ff
ectiv e co ntro l o f a s eries o f activ ities that co nv erts inp uts into o utp uts
w hils t b o th adding v alue and co ntinually imp ro v ing its p er f

o rmance related
to the o utco mes req uired.
P u t ano ther way, i f we are to manage a p ro cess e ffectively we need to p lan and
imp lement its delivery u sing the ap p ro p riate equ ip ment, kno wledge, etc. and
f
measu re its p er o rmance against targets. T hese p er o rmance measu res are b ased f
o n the p u rp o se o f the p ro cess and b y measu ring against these we can identi y f
f
gap s in p er o rmance, which can fo rm the b asis fo r imp ro vement activity. T he
Putting the p rocess ap p roach into context
aim is to analyse the actual results achieved (compared against the target), to
learn from the information and trends created and to use information as a basis
Approva l of i ssu e
for actions for change or improvement. More details on process management
and indeed systems thinking can be found in books 1 and 2 o f this series ( for
details on these, see the References chapter at the end o f this book).
As a process management auditor we need to test how effectively this is

taking place!
No
I d e n ti fy we b s i te
D i re c to rs Ap pro ve ?
e n h an ce m e n t Ye s
B ri e f websi te s u ppl i e r,
M o n i to r d e ve l o p m e n t
O p e rat i o n s D i re c to r
o btai n s pec an d co s ts
ag ai n s t s p e c
Arran g e a n y p ro b l e m s
U s e r tes t u pd ate a n d
B ack u p P C we e kl y
to b e reso l ved , te s t
re po rt fi n d i n g s to
O p e rat i o n s M an ag e r an d arran g e b ac k u p
an d ad vi s e e ve ryo n e
O p e rati o n s D i re c to r
o f we bs i te
a ffe ct e d
M odi fi ca ti on s:
I d e n ti fy a n I T pro bl em
Al l s taff
an d re p o rt
F igure 1 . 2 Examp le p rocess map
Auditing a p rocess-based management system
Prior to any attempt to carry out a process management audit you must frst Da te: 04/08/2009
understand the principles o f the process-based management system and the

context in which processes are managed.
Processes do not operate in isolation, they are linked together to form an

overall management system. This management system provides the framework
for the organization to:
• understand customer and stakeholder needs;

BSI /PM : Si obh a n Fi tzgera ld
• understand the constraints, regulations and other infuences placed on

the business;
BI P 201 5 Fi le n a m e: 2009-01 73 0_1 .2.eps

• develo p its b u siness p lan and/o r o b j ectives;
• de f ne and imp lement its co re and su p p o rt p ro cesses;
• estab lish f
its key p er o rmance indicato rs o r measu res; and
• analyse f
its p er o rmance and make imp ro vements in o rder to achieve its
b u siness p lan and/o r o b j ectives.
As an au dito r yo u have to u nderstand these p rincip les in o rder to carry o u t a
f
su ccess u l au dit and maximize the valu e o f yo u r au dit rep o rt to the o rganizatio n.
T he p rincip les ab o ve relate to a system and are tested b y carrying o u t a ‘systems
management au dit’ . I n this b o o k we are co ncerned with ‘p ro cess management
f
au dits’ and there o re the p rincip les are at a lo wer level b u t still fo llo w the same
general ap p ro ach, to :
• u nderstand the p u rp o se o f the p ro cess;
• u nderstand inp u ts and o u tp u ts and the o b j ectives o f the p ro cess;
• de f ne the step s o r activities o f the p ro cess;
• estab lish p ro cess e ff ciency and e ffectiveness measu res; and
• analyse f
p ro cess p er o rmance and make imp ro vements b ased o n this.
What the organization wants

An au dito r sho u ld no t b e u nder any illu sio ns that the o rganizatio n is o nly
lo o king fo r an au dit rep o rt co ntaining detailed f ndings o n the o rganizatio n’s
co mp liance to I SO 9 0 0 1 : 20 0 8 . T hey are mo st certainly no t, as there is mu ch
mo re that they no w exp ect.
What the o rganizatio n really wants is a rep o rt fro m the au dito r describ ing
the imp act o n the o rganizatio n o f the f ndings in relatio n to co mp liance with
I S O 9 0 0 1 : 2 0 0 8 . I n o ther wo rds the o rganizatio n’s viewp o int is that:
• b u siness co mes f rst and the Standard seco nd;
• the au dito r is u sing I SO 9 0 0 1 : 20 0 8 as a management to o l, a gu idance
do cu ment that describ es activity; and
• f ndings against the Standard need to b e interp reted into o rganizatio nal
langu age and their imp act highlighted.
T he au dit rep o rt is fo r f
management u se as in o rmatio n to help highlight
f
imp ro vement o p p o rtu nities and to identi y risks to the b u siness. The
management are mo re likely to resp o nd p o sitively to yo u r rep o rt i f it is b u siness
fo cu sed, as they can clearly see the b ene f ts to the b u siness o n making any
imp ro vements reco mmended.

9
2. T he requ irements o f IS O 9 0 0 1 : 2 0 0 8 – An
au dito r’s p e rs p ective
T he p rincip le s b e hind I S O 9 0 0 1 : 2 0 0 8
Do you know the eight key principles at the heart o f ISO 9001 : 2008 and
what the ‘PDCA’ methodology is? I f the answer is no, then you need to learn
them quickly and thoroughly i f you are going to be a competent auditor (see
Table 2. 1 ) . These are the basic principles that will form the foundation o f
your auditing technique, and are shown in Section 0. 2 in the introduction to
ISO 9000: 2000. They are what di fferentiates a success ful organization from one
that is not, and form the foundation o f ISO 9001 : 2008.
Tab le 2 . 1 T he e ight p rincip les b e hind I S O 9 0 0 1 : 2 0 0 8
Principle What it means
Customer focus Understanding what customers need and expect from the organization
as a whole and not just from an individual request or order
Leadership M anagement (anyone responsible for the activity o f others) at all
levels creating and maintaining an environment aimed at achieving the
business objectives in which others can operate
Involvement of people Ensuring that all are involved in order that their abilities can be used
and enhanced to maximum benef t for themselves and the organization

Process Management Auditing for IS O 9001 : 2008
10
Principle What it means
Process approach Obj ecti ves are m ore l i kel y to be ach i eved wh en acti vi ti es are seen ,
u n d erstood an d m an aged th rou gh processes an d resou rces al i gn ed
accord i n gl y
Systems approach to f
I d en ti yi n g th e i n d i vi d u al bu si n ess processes an d ord eri n g th em so
management th at th ey d el i ver resu l ts an d obj ecti ves e ff ci en tl y an d e ffecti vel y
Continual f
I m provi n g bu si n ess per orm an ce sh ou l d be th e obj ecti ve o f an y
improvement organ i zati on – i t m u st i m prove an d ch an ge over ti m e
Factual approach to E ffecti ve f

d eci si on s are based on i n orm ati on th at h as been an al ysed
decision making an d n ot pu rel y on a feel i n g o f wh at n eed s to be d on e
Mutually benefcial E n h an ced val u e i s created by worki n g cl osel y wi th su ppl i ers th at can
supplier relationships a ffect you r d el i verabl es an d n ot agai n st th em – i t i s real l y a case o f
1 + 1 = 3!
The Plan, Do, C heck, Act methodology (PDC A)
T he P D C A metho do lo gy o r cycle is the o ther key p rincip le o f I SO 9 0 0 1 : 20 0 8
and its ap p licatio n mu st b e evident within the o rganizatio n at b o th system
level and within individu al p ro cesses. I t can b e describ ed as in Tab le 2. 2, and
visu alized as in F igu re 2. 1 .
Table 2. 2 PDC A methodology
Plan E stabl i sh th e obj ecti ves an d processes n ecessary to d el i ver resu l ts i n accord an ce
wi th cu stom er req u i rem en ts an d bu si n ess obj ecti ves an d pol i ci es
Do I m pl em en t th e processes
Check M on i tor an d m easu re processes agai n st obj ecti ves, pol i ci es an d req u i rem en ts an d
report th e resu l ts
Act Take acti on to con ti n u al l y i m prove process per orm an ce f

T he re qu ire me nts o f IS O 9 0 0 1 : 2 0 0 8 – An au dito r’s p e rs p e ctive
11
M aking s e ns e o f IS O 9001 : 2008
f audito rs fail fu ndamental f
Si gn a tu re:
There is a danger that i to grasp the p rincip les o
ISO 9 0 0 1 : 20 0 8 they will undermine what they are trying to achieve, and increase
the p o ssibility o f reducing the added value they can bring to the business. This
basic requ irement fo r audito rs to understand the p rincip les b ehind it, no t j ust
the detail o f I SO 9 0 0 1 : 20 0 8 seems o bvio us, but exp erience to date highlights the
fact that the maj o rity o f audito rs do no t grasp these basic p rincip les. As a result,
there are huge variatio ns in the p ercep tio n business has o f what ISO 9 0 0 1 : 20 0 8 is
abo ut and the value that e ffective auditing can bring to them.
D a te:
Pl an 1 Pl an 2 Th e fu tu re
Act 1 Do 1 Act 2 Do 2
Ch eck 1 Ch eck 2
Con ti n u al bu si n ess i m provem en t
Opera tor: N ora D a wson 77 69

Da te: 04/08/2009
F igure 2 . 1 Vis u al rep res e ntatio n o f PD C A cycle
When yo u read I S O 9 0 0 1 : 20 0 8 yo u read it clau se b y clau se and as yo u read
it yo u so o n realize o ne sectio n ru ns into ano ther and is linked to many mo re,
which is why, as an au dito r, it is imp o ssib le to au dit I SO 9 0 0 1 : 20 0 8 sectio n b y
sectio n, it has to b e au dited almo st in its entirety to make any sense.

BSI /PM : K PARKI N SON
D epa rtm ent:
P 201 5 Fi le n a m e: 2009-01 7 30_2.1 .eps

12
Let’s give yo u an examp le. When trying to estab lish ho w a p ro cess o wner
manages and mo nito rs the p er o rmance o f f their p ro cess yo u need to test:
• links to the o verall b u siness o b j ectives;
• p ro cess inp u ts;
• p ro cess o u tp u ts;
• the p ro cess itsel ; f

• links to o ther p ro cesses;
• in fo rmatio n/p ro cedu res requ ired to su p p o rt p ro cess activities;
• cu rrent f
p ro cess p er o rmance;
• imp ro vement activities; and
• p eo p le invo lved in the p ro cess.
I f yo u test tho se areas listed in the p aragrap h ab o ve then yo u are also go ing to b e
testing the fo llo wing clau ses o f I SO 9 0 0 1 : 20 0 8 :
• 4. 2 D o cu mentatio n requ irements;
• 4. 2. 1 G eneral;
• 4. 2. 3 C o ntro l o f do cu ments;
• 4. 2. 4 C o ntro l o f reco rds;
• 5 M anagement resp o nsib ility;
• 5.1 M anagement co mmitment;
• 5.2 C u sto mer fo cu s;

• 5.3 Qu ality p o licy;
• 5 . 4. 1 Qu ality o b j ectives;
• 5 . 4. 2 Qu ality management system p lanning;
• 5. 5. 1 Resp o nsib ility and au tho rity;
• 5. 5. 2 I nternal co mmu nicatio n;
• 5.6 M anagement review;
• 6. 1 P ro visio n o f reso u rces;
• 6. 2 Hu man reso u rces;
• 6. 3 f
I n rastru ctu re;
• 6. 4 Wo rk enviro nment;
• 7 P ro du ct realizatio n; and
• 8 M easu rement, analysis and imp ro vement.
P u t it ano ther way, a b usiness do es no t o p erate as a series o f u nco nnected
f
sectio ns so there o re it mu st fo llo w that yo u canno t au dit it as a series o f sep arate
sectio ns. U nderstanding the key p rincip les b ehind I SO 9 0 0 1 : 20 0 8 allo ws yo u to
b e mo re relaxed in yo u r audit ap p ro ach. Instead o f wo rrying ab o u t the detailed
co mp liance to every single sectio n in I SO 9 0 0 1 : 20 0 8 yo u sho u ld b e lo o king fo r

the ap plicatio n o f the p rincip les. Yo u are then ab le to assess the e ffectiveness o f
these linkages and the e ffect f
they have o n the p er o rmance o f the p ro cess, i. e.
what they are designed to deliver.

The requirements o f ISO 9001 :2008 – An auditor’s perspective
13
A question o f compliance?
Compliance with what? Does it comply with:
• the six mandatory procedures (see the next list) ?

• the eight principles?
• the PDCA cycle?
The meaning o f the word ‘compliance’ conj ures up images o f rigid procedures
that must be worked to by the letter. However, when you read ISO 9001 : 2008 it
re fers to the need for documented procedures in only six places. These are for:
• control o f documents;
• control o f records;
• internal audit;
• control o f non-con forming product;
• corrective action; and
• preventive action.
You must assume from this that ISO 9001 : 2008 is e ffectively allowing an
organization to decide for itsel f what, i f any, activities it provides written
procedures to support.
Going back to our question o f compliance, then yes, this is obviously very
easy to check as the evidence will be in the form o f documented procedures for
the six areas identi f ed above. We can check that they are being applied, thus
complying with the requirements o f ISO 9001 : 2008.
So what happens if the organization decides not to document any other

procedures to support its process activities, can it still comply with ISO 9001 : 2008?
The answer is very clearly yes, provided it can also demonstrate compliance with
the eight principles and the PDCA cycle.
What is obj ective evidence?

Compliance to the eight principles and the PDCA cycle is unlikely to be
demonstrated through the evidence found in documented procedures, but more
than likely from subj ective evidence drawn from interviews with management
and sta ff alike. We must there fore conclude that obj ective evidence can be in
both documented and non-documented format.
Auditors have to come to terms with the fact that although they might
like to see evidence documented, as this gives them a sense o f reassurance, the
likelihood is that much evidence may well not be documented and they will
have to assess the organization accordingly.
14
To help yo u u nderstand what is meant b y these two terms, do cu mented
and no n-do cu mented, we have listed b elo w examp les o f b o th. T he examp les
o f do cu mented evidence will p ro b ab ly lo o k very familiar to tho se u sed to
traditio nal au diting as it is all b lack and white, right o r wro ng. C o nversely
the examp les fo r no n- do cu mented evidence will no do u b t make yo u sto p and
think ‘ho w can I assess this? ’ This is a qu estio n that is ho p e u lly answered in f
su b sequ ent chap ters o f this b o o k.
E xamp les o f do cu mented o b j ective evidence:
• signed p u rchase o rder;
• u p -to -date cu sto mer acco u nt f le;
• lo g o f ap p ro ved o rders;
• delivery no te;
• cu sto mer co mp laint letter and co rrective actio n p lan; and
• au dit rep o rt.
E xamp les o f no n- do cu mented o b j ective evidence:
• p ro cess sta ff memb ers kno wing ho w they co ntrib u te to the achievement o f a
maximu m 3 0 seco nd cu sto mer waiting time;
• p ro cess o wner kno wing the cu rrent p er o rmance o f f their p ro cess;
• p ro cess sta ff kno wing the cu rrent p er o rmance o f f their p ro cess;
• an imp ro vement p ro j ect that co ntrib u ted to increasing o n-time delivery;
• p ro cess f
p er o rmance indicato rs that relate to p u rp o se o f the p ro cess and/o r
b usiness o b j ectives;
• management and sta ff f

b o th b eing ab le to identi y who the cu sto mer is and
what their requ irements are; and
• p eo p le at all levels having the ab ility to co ntrib u te to b u siness imp ro vement.
T he intent o f I SO 9 0 0 1 : 20 0 8 is no t to fo rce an o rganizatio n to simp ly co mp ly
with its requ irements b u t to do it in a manner that adds valu e to the b u siness,
thu s this is the ap p ro ach yo u as an au dito r need to take. N o t j u st trying to p u t
a tick by all the clau se headings o f I SO 9 0 0 1 : 20 0 8 , b u t investigating ho w they
wo rk to b ene f t the o rganizatio n.
N ew territo ry – Interviewing the managing director!
E ven at this stage in reading this b o o k yo u sho u ld b e b eginning to realize that
b o th the skills and co mp etences o f a p ro cess management au dito r are a level
f
ab o ve anything that has go ne b e o re and that tho se au dito rs who have little o r
no ap p reciatio n o f ho w a b u siness o p erates and the p rincip les o f I SO 9 0 0 1 : 20 0 8
will f nd it di ff cu lt to carry o u t a p ro cess management au dit.

The re quire ments o f IS O 9 0 0 1 : 2 0 0 8 – An audito r’s p ers p e ctive
15
O ne o f the greatest challenges facing au dito rs is the need to au dit at all
levels in the o rganizatio n, no t j u st o p eratio nal activities as in the p ast. T his will
mean au diting senio r management and indeed the mo st senio r manager, the
managing directo r o r chie f execu tive o ff cer, as p art o f the au dit.
Su b sequ ent sectio ns o f this b o o k will co ver in mo re detail ho w to p rep are
fo r and carry o u t an interview with the managing directo r, b u t in the meantime
here are so me things fo r yo u to think ab o u t.
• Ho w will yo u co p e with this challenge?
• What qu estio ns will yo u ask the managing directo r?
• Why will they b e interested in talking to yo u ?
• C an yo u au dit them in j u st 1 5 –3 0 minu tes?
As the evidence o f co mp liance may no t b e do cu mented and will almo st certainly
b e mo re su b j ective, so increasingly the au dito r needs to test the co mmu nicatio n
b etween senio r managers and sta ff, in an e ffo rt to disco ver ho w fo cu sed the
o rganizatio n really is o n the eight p rincip les and the P D C A cycle. This will b e
the real test requ ired to determine the level o f co mp liance with I SO 9 0 0 1 : 20 0 8 .
B e gentle with me, I’m no t mature!
T here is o ne last facto r that au dito rs mu st co nsider when they carry o u t an au dit
and that is the qu estio n o f system and o rganizatio nal matu rity.
M anagement system matu rity qu estio ns sho u ld b e asked su ch as:
• Ho w lo ng has the o rganizatio n b een develo p ing its p ro cess-b ased
management system?
• What can I reaso nab ly exp ect to f nd at this stage in its develo p ment?
• What sho u ld I p u t in my au dit rep o rt that wo u ld help the o rganizatio n, b y
adding valu e at this stage o f their matu rity?
As an auditor, you will not be able to answer these questions without knowledge o f
the business. That knowledge can come from either working for the organization in
question or from the responses you get during the course o f the actual audit. Either
way you have to make certain j udgements about how you will audit and what you
will ultimately report back to the organization.
ISO 9 001 : 2008 is unique in this way, it can take acco unt o f the maturity o f
the management system and allow an auditor the ability to use their j udgement to
determine no t o nly whether the basic principles are being applied, but also to what
extent the business is using them to drive itsel f fo rward. N o two organizatio ns are
alike and, indeed, o rganizatio ns will mature over time. An audit there o re needs to f
take account o f its maturity i f it is to help it to keep impro ving o ver time.
16
Corporate
g o ve rn an ce /
Corporate soci al
respon si bi l i ty
Bu si n ess
excel l en ce m odel
I SO 90 04
8 principles
PDCA cycle
I SO 900 1
M atu ri ty
F igu re 2 . 2 D iagram s ho wing o rganizatio n matu rity
BI P 201 5 Fi le n a m e: 2009-01 7 30_

17
3. The s ys tem-p ro ces s -p ro cedure relatio ns hip
S ys tem, p ro ces s and p ro cedures in co ntext
The primary ro le o fa pro cess management audito r is to disco ver to what extent
the p ro cess is being managed and what e ffect this has o n the achievement o f
f
business o bj ectives. In o rder to do this success ully, as we have already disco vered,
this may o r may no t invo lve do cumented pro cedures.
f
B e o re yo u can u ndertake any p ro cess management au dit yo u mu st f rst
ap p reciate ho w a management system wo rks and the interactio ns that go o n
b etween the o verall system, p ro cesses and p ro cedu res.
C hapter 1 o f this boo k gave a brie f o verview o f the management system and
pro cesses with examples fo r each, and it is being able to make the co nnectio ns
between these and suppo rting pro cedures that yo u need to fo cus o n.
M anagement s ys tem
T he management system de f nes the o verall sco p e o f the b u siness, which is in
tu rn su p p o rted b y any nu mb er o f p ro cesses that requ ire management, which in
tu rn are su p p o rted, where ap p ro p riate, b y p ro cedu res, as sho wn in F igu re 3 . 1 .
De f ned b y senio r management and o wned b y the head o f sco p e, typ ically
the managing directo r, the management system is a visu al rep resentatio n o f

an o rganizatio n’s p ro cesses needed to deliver the b u siness p er o rmance at f
the highest level and co ntains everything fro m b u siness p lanning thro u gh to
develo p ing sta ff.

18
Management system
Overal l m an ag em en t system org an i g ram
own ed by h ead of scope, typi cal l y th e M an ag i n g
Di rector ( M D ) /C h i ef Execu ti ve Offi cer ( CE O)
M easu res overal l bu si n ess perform an ce
Process
Th e ‘what’ we d o l evel
Own ed by Process Own er
M easu res overal l pro cess perform an ce
Proced u res
Procedures
Procedures Th e ‘how’ we d o i t l evel
Su pports process acti vi ty
F igu re 3 . 1 T he management s ys te m in co ntext
Typ ically 8 to 1 5 high level p ro cesses are identi f ed and they in tu rn link o r are
delivered thro u gh any nu mb er o f o p eratio nal p ro cesses co ntaining the detail o f

what activities are p er o rmed.f
Pro ce s s manage me nt
Related directly to the management system are the p ro cesses themselves, which
exist to co nvert inp u t requ irements into cu sto mer o u tp u t requ irements thro u gh
a series o f valu e adding activities. I n o ther wo rds they p ro vide the mechanism
that allo ws the o rganizatio n to achieve its o b j ectives, with a fo cu s o n ho w the
di fferent dep artments within the o rganizatio n wo rk to gether to wards this aim.
J u st b y having p ro cesses do es no t ensu re that the b u siness will achieve its
o b j ectives. They need e ffective management and it is this ‘p ro cess management’
that yo u need to fo cu s o n when au diting. To b e ab le to do this e ffectively yo u
f rst need to u nderstand ho w p ro cesses sho u ld b e managed in a manner that
su p p o rts the b u siness in the achievement o f its stated o b j ectives.

The system-p rocess-p rocedure relationship
19
To o many au dito rs au dit p ro cesses in iso latio n, failing to make the vital
co nnectio ns b etween b u siness o b j ectives and p ro cess o u tp u ts and measu res.
F ailu re to make these co nnectio ns will resu lt in an inco mp lete, inadequ ate and
no n-valu e-adding au dit. I t’s rather like checking a ro u te map witho u t kno wing
where yo u are trying to get to – all a b it p o intless.
Yo u need to b e thinking ab o u t asking the p ro cess o wner the fo llo wing

qu estio ns.
• What is the p u rp o se o f this p ro cess?
• Ho w do es it co ntrib u te to the o rganizatio n achieving its b u siness o b j ectives?
• Are f
there p ro cess p er o rmance measu res?
• Do the measu res relate to the o b j ectives/are we measu ring the right things?
• Is f
the p er o rmance kno wn and are e ffective imp ro vement actio ns in p lace?
T here are many mo re qu estio ns related to assessing p ro cess management b u t
f
ho p e ully yo u can b egin to ap p reciate that to b e a su ccess u l au dito r requ ires f
co nsiderab le skill and co mp etence. These skills and co mp etences need to b e
in di fferent areas than have b een requ ired in the p ast in o rder to make the
f
necessary co nnectio ns and identi y issu es wo rthy o f rep o rting.
Procedures
f
T his is o ten a very di ff cu lt co ncep t fo r many p eo p le to co me to terms with.
I S O 9 0 0 1 : 2 0 0 8 allo ws o rganizatio ns the freedo m to decide fo r themselves to
what extent they have do cu mented p ro cedu res, whereas the 1 9 9 4 versio n o f the
Standard requ ired virtu ally all o p eratio nal activities to b e do cu mented. There
is a certain reassu rance o ne gets fro m having things do cu mented and there is
no do u b t that having do cu mented p ro cedu res do es make co mp liance au diting
p o ssib le. I n themselves, ho wever, p ro cedu res do no t help u s to carry o u t an
e ffective p ro cess management au dit.
So when yo u are au diting the activities within a p ro cess itsel f yo u sho u ld
b e thinking ab o u t asking the fo llo wing qu estio ns.
• What risks to the p ro cess are there b y no t having p ro cedu res do cu mented?
• I f the risks are high, has the o rganizatio n co nsidered them and cho sen an
alternative way to redu ce them, su ch as training?
• I f there are p ro cedu res are they adequ ate fo r the risks they are co ntro lling?
• Do the p ro cedu res add valu e o r j u st increase b u reau cracy?
The p ro cess o wner sho uld have co nsidered what, i f any, p ro cedu res are required
to sup p o rt p ro cess activities. Yo ur ro le is to help the p ro cess o wner by co n f rming
f
they have go t it right o r identi ying any p o tential risks they may have o verlo o ked.
20
Yo u will b e wo rking in p artnership with them to imp ro ve b o th the p o tential and
f
actu al p er o rmance o f the p ro cess.
Auditing the s ys tem, p ro ces s and p ro cedures
T he fo cu s o f this b o o k is p ro ces s management au diting b u t in o rder to s et this
in co ntext yo u need to reco gnize that p ro ces ses do no t o p erate in is o latio n.
f
H o p e u lly this s ectio n o f the b o o k has go ne so meway to clari y this f fo r yo u .
F igu re 3 . 2 su mmarizes typ es o f au dits dep ending u p o n the level yo u are lo o king
at in the o rganiz atio n and as an au dito r yo u need to remain co nscio u s o f these
co nnectio ns thro u gho u t yo u r au dit.
System
level
Process
level
Procedures
Compliance
level
F igure 3 . 2 S ummary o f auditing levels
BI P 201 5 Fi le n a m e: 2009-01 73 0_3.2.eps

21
4. Auditing to o ls and techniques
S ho w me what you do !
So far we have lo o ked at so me o f the fundamentals that make up a management
system and the basic understanding that an audito r needs to have in o rder
to carry o ut a p ro cess management audit. We no w tu rn o ur attentio n to the
detail o f ho w yo u sho u ld actually co nduct an audit starting with the to o ls and
techniques that yo u sho u ld ado p t.
F o r years, audito r training has had a co nstant theme to it with o ne
message in particular being driven ho me time and again: ‘Sho w me the evidence! ’
Abo ve all else audito rs have been trained to assess what an o rganizatio n do es
against what it said it do es, basing any decisio n as to ho w well they did it o n the
do cumented evidence they have been sho wn.
This technique o f auditing is only relevant for assessing process management
when compliance auditing to a speci fc regulatory standard is required, such as

those used in the medical or pharmaceutical industries, or against a standard such
as ISO 9001 : 2008. This style o f auditing may then be relevant to check that speci fc
detailed requirements are being met and e ffectively applied.
F o r the remainder o f this bo o k, the fo cus will be o n au diting the
e ffectiveness o f p ro cess management, also required by ISO 9 0 0 1 : 20 0 8 . This
requires di fferent to o ls and techniqu es to tho se required fo r bo th system and
co mp liance auditing, and we need to reco gnize these di fferences.

22
Au dito r to o ls
There are basically two tools that should be used in both preparing for and
carrying out a process management audit (see Figure 4. 1 , Figure 4. 2 and
Table 4. 1 ) . Neither o f them is complicated and in fact they are j ust plain common
sense. Both, however, require the auditor to understand how a business works
through its processes in order to use them e ffectively. This is one o f the key
competences o f a success ful process management auditor.
Once you understand them, they are so powerful that you can apply them
to any process within any business, regardless o f industry sector.
P u rp o se o f th e
p ro cess
P ro cess o b j ecti ves

I m p ro ve
a n d ta rg ets
M o n i to r
Th e p ro cess i tsel f
p erfo rm a n ce
Key p erfo rm a n ce
p ro cess m easu res
F igure 4. 1 Au dito r to o l 1
In process management auditing you are testing every one o f the boxes in each
process you audit at every level within each process, i. e. you go round this cycle
with everyone you interview. The questions you use to test each one o f the
boxes will be phrased slightly di fferently and will be in a manner suitable to the
person being interviewed, but nonetheless they will follow the same cycle. This
aspect is critical for success ful auditing. It is no good asking a member o f sta ff a
question that they do not understand, or using ‘management style’ or ‘standard’
language that they cannot relate to what they do. For example asking someone
what ‘resources’ they use may not be understood, asking what ‘equipment’ they
use might be. There is no right or wrong, but the language you use is important
Au diting to o ls and te chniqu e s
23
and needs to be based on the needs o f the auditee not the auditor. It needs to be
in the language used by the people within the organization itself.
Tab le 4 . 1 De f nitio ns o f the e lements o f audito r to o l 1
Pu rpose o f th e process Wh y th e process exi sts – su ppl i er i n pu ts an d cu stom er ou tpu ts
Process obj ecti ves Speci f cal l y th e obj ecti ves an d targets for th i s process th at m u st
an d targets rel ate to th e overal l bu si n ess obj ecti ves an d targets
Th e process i tsel f Th e acti vi ti es i n vol ved i n th e process
Key perform an ce M easu res d i rectl y rel ated to th e process i tsel f an d overal l bu si n ess
process m easu res obj ecti ves, i n th e way cu stom ers m easu re th e process
M on i tori n g System ati c, regu l ar m on i tori n g o f th e m easu res i n ord er to assess
perform an ce f
process per orm an ce
I m provem en t Acti vi ti es th at are d esi gn ed to cl ose th e gap between cu rren t
f f
per orm an ce an d th e target per orm an ce l evel req u i red
Consequently the evidence provided by people being interviewed will also be

appropriate for their level within the process and will almost certainly be mainly
non-documented and subjective.
Auditor tool 2 follows a similar theme but extends to include those things
that support the process in terms o f:
• the competence o f those working within the process to effectively carry out
their tasks;
• the resources needed for process activities to be performed adequately;
• the knowledge and in formation needed to e ffectively carry out activities
within the process;
• the budget for the process that takes account o f the likely future demands on
the process.
These infuences or constraints are only examples and in reality there may well
be others. What you are looking for is anything that affects performance o f the
process, and it can come from any management discipline. Process management
auditors therefore need a basic foundation in a range o f business activities
and disciplines. For example how can an auditor assess or make judgements
on someone’s competence if they have no understanding o f human resource
management principles?
24
Competence Knowledge Risk

Resources Budget
Inputs Outputs
Activity Activity Activity Activity
Measure
Procedures Improve Monitor

Procedures
F igure 4. 2 Au dito r to o l 2
Au diting te chniqu e s
Questioning
Taking each b o x o f ‘au dito r to o l 1 ’ let’s lo o k at each o ne in tu rn and try to wo rk
o u t the mo st ap p ro p riate qu estio n to ask, and the p lace to lo o k fo r answers.
As we go thro u gh each b o x we will, in additio n, inclu de all the elements fro m

‘au dito r to o l 2’ . Rememb er, ho wever, that evidence is no t o nly gathered thro u gh
qu estio ning, b u t b y a range o f techniqu es.
T he end resu lt will b e an au dit checklist yo u will b e ab le to u se to p rep are
fo r and to au dit mo st p ro cesses. Yo u may well b e ab le to co me u p with o ther
areas and issu es to raise; whatever they are they need to test the e ffectiveness
o f the p ro cess. As yo u go thro u gh the step s in the cycle yo u may well b e ab le
f
to identi y areas where yo u need to dig a b it deep er, ask mo re qu estio ns and
test any co mp liance issu es that may b eco me ap p arent. I nexp erienced p ro cess
management au dito rs tend to stay in the detail o f co mp liance o nce they are in
BI P 201 5 Fi le n a m e: 2009-01 7 30_4.2.eps
it. The ‘art’ is to keep the cycle in mind as yo u carry o u t the au dit and ‘dip ’ into
the detail as requ ired, co ming o u t o f it to mo ve o n to o ther p arts o f the cycle
in o rder to b u ild the links. I t is no t easy at f rst to make this change, b u t o nce
yo u ’ ve do ne it a few times it will b eco me mu ch mo re ‘seco nd natu re’ .

25
Tab le 4. 2 Au dito r qu es tio ns
Part o f auditor tool 1 Question
Purpose o f the process • H ow d oes th e process su pport th e bu si n ess strategy an d
obj ecti ves?
• Wh at are th e process’ su ppl i er i n pu ts an d cu stom er ou tpu ts?
• H ow d o you d eterm i n e wh at th e cu stom er req u i rem en ts are; i s
th i s th e u l ti m ate cu stom er?
• Wh ere d o you get you r work from ?
Process objectives • H ow d o you d eterm i n e you r obj ecti ves an d targets?
and targets • Wh at are you r obj ecti ves an d targets?
• H ow d o th ey l i n k to an d su pport th e overal l bu si n ess obj ecti ves?
• H ow d o you pl an for fu tu re cu stom er d em an d s an d th e l i kel y
resou rces req u i red to su pport th em ?
The process itsel f • C an you d escri be th e process?
• H ow d o an y proced u res su pport th e process?
• Wh o i s you r cu stom er?
• H ow d o you kn ow wh at you r cu stom er req u i rem en ts are?
• H ow d oes th i s process i n teract wi th oth er processes i n th e
m an agem en t system ?
• Wh o d o con si d er as you r su ppl i er?
• H ow d oes you r su ppl i er su pport you ?
• H ow d o you d eterm i n e th e com peten ci es req u i red for th ose
respon si bl e for process acti vi ti es?
Key perform ance • H ow d o f

you d eci d e wh at key per orm an ce i n d i cators to u se?
process m easures • H ow are th e process m easu res l i n ked to bu si n ess obj ecti ves
an d m easu res?
• H ow d oes you r cu stom er m easu re th e per orm an ce o f f th e
process?
Perform ance • H ow d o you kn ow wh at th e cu rren t per orm an ce o f f th e
monitoring process i s?
• H ow o ften f
i s process per orm an ce m easu red ?
• H ow i s f
per orm an ce d ata com m u n i cated to th e process team ?
I mprovement • H ow d o f
you i d en ti y i m provem en t i ssu es?
• H ow d o process team m em bers con tri bu te to i m provi n g
f
process per orm an ce?
• H ow to you eval u ate th e su ccess o f i m provem en t acti vi ti es?
• H ow h ave i m provem en t acti on s a ffected f

process per orm an ce?
• H ow are i m provem en t acti on s com m u n i cated to th e
process team ?
26
Questioning techniques
The questio ns detailed abo ve need to be tho u ght abo ut and tailo red to suit the
individual being interviewed and the level at which they sup p o rt the p ro cess.
F o r instance, asking an o p erato r carrying o ut a p ro cess activity i f they kno w
what the o rganizatio n’s b usiness o bj ectives are wo uld o ften be p o intless in many
o rganizatio ns as the o p erato r wo uld mo re than likely think yo u were talking a
fo reign langu age! But beware that this is no t always the case and, imp o rtantly,
u se yo ur o wn kno wledge o f yo ur o wn o rganizatio n to get the language right.
As an audito r yo u have to co nsider what is the mo st ap p ro p riate questio n
to ask and in this case it might be asking the o p erato r who they co nsider is their
custo mer and ho w they kno w they are meeting their custo mer’s requirements.
‘Auditors have to manage How do you … ?

this dynamic’ Explain to me how… ?
Directors Who do you… ?
Managers
Staff Show me how…

Tell me how…
F igu re 4 . 3 Ap p ro p riate que s tio ning te chniqu es
Audito rs that u nderstand this dynamic and use it e ffectively in co nj unctio n with
bo th o f the au dito r to o ls will gather the greatest amo u nt o f in fo rmatio n relevant
to ho w e ffectively the bu siness is managing its p ro cesses. The mo re in fo rmatio n
an audito r has o n the co mp any’s p erfo rmance the mo re valuable the audit rep o rt
they can generate fro m it beco mes.

27
Objective evidence
I f we have estab lished that the qu estio ns and qu estio ning techniqu es yo u u se
as an au dito r vary acco rding to the p erso n b eing interviewed and the level they
are wo rking at within the p ro cess, then it mu st also fo llo w that the o b j ective
evidence yo u o b tain will also vary acco rdingly.
I n C hap ter 2 we lo o ked at examp les o f do cu mented and no n-do cu mented
o b j ective evidence, so let u s no w co nsider what typ es o f o b j ective evidence
we might f nd at di fferent levels in the b u siness, dep ending u p o n who we are
au diting and what qu estio ns we are asking.
Taking so me o f the qu estio ns fro m the Tab le 4. 2, Tab le 4. 3 o u tlines the
likely o b j ective evidence yo u might exp ect to f nd.
Tab le 4 . 3 O b j ective evidence
Question Evidence from process owner Evidence from process staff
• H ow d oes th e process • C l ear u n d erstan d i n g o f • U n d erstan d s wh at th e
su pport th e bu si n ess obj ecti ves process i s th ere to d o
strategy an d obj ecti ves?
• Wh at are th e process • Tel l s you wh at th ey are • Tel l s you wh at th ey are
su ppl i er i n pu ts an d
cu stom er ou tpu ts?
• H ow d o you d eterm i n e • Abl e to l i n k to cu stom er • Abl e to l i n k to n ext
wh at th e cu stom er ou tsi d e th ei r process an d step i n th e process an d
req u i rem en ts are; i s th i s d escri be req u i rem en ts d escri be req u i rem en ts
th e u l ti m ate cu stom er?
• H ow d o you d eterm i n e • Li n k to overal l com pan y • U n d erstan d s th ei r rol e i n
you r obj ecti ves an d obj ecti ves an d targets th e process
targets?
• Wh at are you r obj ecti ves • Tel l s/sh ows you • U n d erstan d s process
an d targets? f
per orm an ce
• H ow d o th ey l i n k to • C l ear u n d erstan d i n g o f • U n d erstan d s com pan y ’ s
an d su pport th e overal l overal l com pan y obj ecti ves ai m s
bu si n ess obj ecti ves? an d targets an d can
d em on strate l i n kage
• H ow d o you pl an for • Tel l s/sh ows you pl an , gi ves • I n tou ch wi th process
fu tu re cu stom er d em an d s exam pl e o f h avi n g d on e i t cu stom ers an d m akes
an d th e l i kel y resou rces previ ou sl y su ggesti on s to process
req u i red to su pport th em ? own er

28
Question Evidence from process owner Evidence from process staff
• C an you d escri be th e • Tel l s/sh ows you • Tel l s/sh ows you
process?
• H ow d o an y proced u res • Tel l s/sh ows you l i n ks to • Tel l s/sh ows you wh en
su pport th e process? process acti vi ty u sed an d h ow
• H ow d oes th i s process • Tel l s you wh at th e • U n d erstan d s th ere are
i n teract wi th oth er l i n ks are an d h ow th e l i n ks to oth er processes
processes i n th e com m u n i cati on between an d kn ows h ow th ey
m an agem en t system ? th em works work
• H ow d o you d eterm i n e • U n d erstan d s rol es an d • Kn ows own com peten cy
th e com peten ci es com peten ci es i n th e an d h as been apprai sed /
req u i red for th ose con text o f process revi ewed i n l ast year
respon si bl e for process acti vi ti es, l i n ked to
acti vi ti es? obj ecti ves
• H ow d o you d eci d e • Tel l s/sh ows you th e • Tel l s/sh ows you process
wh at key per orm an ce f i n d i cators an d wh i ch l i n k to m easu res bei n g u sed
i n d i cators to u se? obj ecti ves
• H ow d oes you r • D em on strates cu stom er • U n d erstan d s process
cu stom er m easu re th e com m u n i cati on by l i n kage f

per orm an ce i n rel ati on
f
per orm an ce o f th e o f th ei r n eed s to process to th e cu stom er
process? m easu res
• H ow d o you kn ow wh at • Sh ows f
you per orm an ce • Tel l s/sh ows you
th e cu rren t per orm an ce f f

i n orm ati on f f
per orm an ce i n orm ati on
o f th e process i s?
• H ow often i s process • Tel l s you • Tel l s you
f
per orm an ce m easu red ?
• H ow i s f
per orm an ce d ata • Tel l s/sh ows you • Tel l s you /sh ows you
com m u n i cated to th e
process team ?
• H ow d o you i d en ti y f • Abl e f
to l i n k per orm an ce • Tal ks th rou gh m eth od s/
i m provem en t i ssu es? d ata to i m provem en t acti on i d eas an d l i n ks to process
own er
• H ow d o process team • Tel l s you an d can gi ve • Kn ows h ow an d wh o to
m em bers con tri bu te exam pl es from team su ggest i m provem en ts to
to i m provi n g process
f
per orm an ce?
• H ow to you eval u ate th e • Li n ks f

back to per orm an ce • C om m u n i cati on from
su ccess o f i m provem en t d ata to d em on strate process own er
acti vi ti es? e ffecti ven ess

Auditing tools and techniques
29
Yo u will no tice that the resp o nses yo u get in terms o f evidence are likely to b e
verb al rather than do cu mented, which means yo u have to determine fact fro m
f ctio n j u st b y listening to what p eo p le are saying.
B u t ho w can yo u do this? Let’s take j u st o ne o f the qu estio ns and u se it as
an examp le.
Q uestion: Ho w do you kno w w hat the current per o rmance o f f the pro ces s is ?
is to tell you that they have two process

The pro ces s o w ner’s res po nse
measures, products delivered on time as a percentage and number o f product

stock turns in a year. The targets are 99 per cent on-time delivery and 1 2 stock
turns per year respectively.
They also tell you that since the measures were introduced six months ago
they have achieved an average o f 97.5 per cent deliveries on time and are on
schedule for six stock turns for the frst hal f o f the year.
Yo u j u st listen to what they say and make a no te o f f

the in o rmatio n o n yo u r
checklist.
The pro ces s s ta ff member’s is to tell you that the process owner
res ponse
meets with all the process staff once a month in the canteen where they talk
through various items o f interest including performance statistics. They tell you
that a lot o f what the process owner says is not o f much interest to them apart
from the delivery and stock turn measures as this has a direct bearing on the
amount o f bonus they receive each quarter.
They tell you that delivery performance o f only 97.5 per cent has meant a
reduced bonus for the last two quarters, but the achievement o f six stock turns
so far this year has at least given them a bonus payment albeit small.
Yo u listen and co mp are their resp o nses to tho se o f the p ro cess o wner, making
f
any no tes o n yo u r checklist. Yo u then ask yo u rsel : ‘Have I eno u gh evidence to
demo nstrate that the qu estio n has b een answered adequ ately and am I satis f ed
f
that the p er o rmance o f the p ro cess is kno wn at all levels in the p ro cess and
b y the p eo p le who need to kno w? ’ What is yo u r co nclu sio n b ased o n the two
resp o nses ab o ve?

30
I hope you concluded that yes, the performance o f the process was known at all
levels in the process and by the people who needed to know. All this despite the
fact you did not see a single piece o f paper!
Congratulations! You have just audited Subclauses 5.1, 5.2, 5.4.1, 5.5.3,
7.1, 8.1, 8.2.3, 8.4 o f ISO 9001:2008.
Methods of auditing
Quite rightly most methods o f auditing involve face-to-face interviews/discussions
with people in order to gain information and an understanding o f how effectively
something is being done. However, this is not always practical to do because o f
geographical locations, the high number o f people needed to be seen or constraints
on cost or time.
As mentioned at the start o f this chapter, auditors should be fexible in

their approach and be prepared to consider alternative methods and techniques o f
auditing that do not rely on just face-to-face interviews. These could include:
• groups – a number o f process staff, suppliers, customers or stakeholders can

be interviewed within a group environment to save the time and expense o f
travelling to them individually;
• questionnaire – could be used to assess a variety o f issues, can be done
confdentially to improve the honesty o f the responses;
• email – again, any number o f process sta ff, suppliers, customers or
stakeholders can be interviewed remotely, as a group, to save the time and
expense o f travelling to them individually;
• telephone – this can be usually a very quick and simple way to confrm
information;
• videocon ference – planned well in advance, this method can be a really
effective way o f interviewing people working miles apart or even in different
countries.
Organizations that have multiple sites spread over a large geographic area,
including different countries, and those with large numbers o f home or feld
based employees are probably best suited to alternative methods o f auditing
other than face to face.
31
5. Planning and p rep aring a p ro ces s audit
F amiliarity b reeds contemp t!
So mebo dy o nce to ld u s that auditing is 8 0 p er cent p rep aratio n and 20 p er cent
actual auditing, which so unds like a bit o f an o ld wives’ tale until yo u actually
carry o u t an audit in a way that delivers bu siness e ffectiveness fndings and then
yo u realize j ust ho w true it is!
P rep aratio n starts right back with a basic understanding o f the p rincip les
o f I SO 9 0 0 1 : 20 0 8 and the P D C A cycle and go es right thro u gh to familiarizing

yo u rsel f with the o rganizatio n’s management system, sp eci fc p ro cesses and
their o u tp uts.
Having been witness to numero us audits by bo th certi fcatio n o rganizatio ns

and internal audito rs o ver many years, I have rarely seen an audito r who has
prepared adequately fo r an audit. Whether it is failing to arrange meetings in
advance, lo sing sight o f the audit o bj ectives o r no t understanding the links o f
e ffective pro cess management, audito rs are no rmally simply no t spending eno ugh
time preparing fo r their audits.
P eo p le who regularly carry o ut audits do beco me blasé as they beco me
increasingly relaxed abo ut the style they have ado p ted and their kno wledge
o f I SO 9 0 0 1 : 20 0 8 . I n do ing so they sho w a certain co ntemp t by rarely u sing
checklists o r feeling the need to e ffectively p lan ahead.
E ven tho u gh we have carried o ut hundreds o f audits o ver many years
I still p rep are and u se an au dit p lan and checklist every time I am asked to
co nduct an au dit, and s o sho uld yo u .

32
It’s all in the planning…

An audit p lan needs to co nsist o f mo re than the audit date, start and fnish
times and the dep artment name being audited, to avo id being p ro mp tly p ut in
a fle and fo rgo tten abo ut. A go o d p lan will be develo p ed well in advance o f the
audit, by the audito r, and certainly no t in iso latio n. They will co n fer with the
ap p ro p riate members o f the o rganizatio n to ensure they agree to the timings.
A go o d audit p lan is likely to co ver the fo llo wing:
• o bj ective o f the au dit;
• what standard( s) are b eing used as the au dit criteria, e. g. ISO 9 0 0 1 ;
• date the audit is to be carried o u t;
• who the audito r( s) will be;
• any sp ecial requirements the au dito r may have, e. g. wo rking lunch, desk,
p o wer sup p ly fo r lap to p co mp u ter;
• what p ro cesses/activities are go ing to be audited;
• what metho ds o f auditing are to be used;
• the names o f individu als to be seen during the audit with sp eci fc meeting
times; and
• date by when the rep o rt will be issu ed and who it will be distrib uted to .
P lease re fer to Tab le 5 . 1 fo r an examp le o f an audit p lan. By far and away the
mo st imp o rtant p arts o f any audit p lan are the details co ncerning the p eo p le
who will be seen and the sp eci fc meeting times that have been agreed. Audito rs
canno t exp ect to turn up and have p eo p le sat aro und all day o r o ver many days,
waiting fo r the audito r to audit them. As an audito r yo u sho uld assume that no
o ne is go ing to see yo u unless yo u have p rearranged the meeting. Ap art fro m

anything else, it is j u st bad manners, and it will lead to a p o o r relatio nship with
the au ditees, so it is critical i f the au dit is to b e success fu l.
We have lo st co unt o f the times audito rs tu rn u p at an o rganizatio n and
co mmence the audit exp ecting p eo p le to auto matically be availab le. They then
wo nder what they are go ing to do fo r the remainder o f the day when they
disco ver all the p eo p le they need to sp eak to are either o n a co urse, o n ho liday
o r have o ther meetings! I t’s all in the p lanning.
In p rep aring yo ur au dit p lan yo u will need to take into co nsideratio n the
o verall time available to yo u to carry o u t the audit and then wo rk backwards
ensuring that yo u allo cate the mo st ap p ro p riate amo u nt o f time to each o f the
p eo p le yo u need to interview.
Planning and p re p aring a p ro ce s s au dit
33
Tab le 5 . 1 E xamp le o f an audit p lan
PROCESS AUDIT PLAN

Objective o f the audit To assess the maturity o f the process in order to identi fy
any gaps in current performance against the audit criteria
detailed below
Date(s) audit to be carried out 25 and 26 June 2009
Criteria/standard to be used ISO 9001 :2008 and the organization’s stated business objectives
Process(es) to be aud ited ‘Managing our capital assets’

‘Purchasing plant and equipment’
Auditor(s) Carl Ford
Date aud it report to be issued 7 July 2009 to the fnance director and managing director
Any special requirements:
Meeting room for the two days with power, telephone and videocon ference facilities.
No need to organize lunch, the sta ff canteen will be fne.
People to be seen, when and how:
25 June 2009
9. 00 am Finance director (process owner) Face to face London
1 0. 00 am Finance assistants × 4 Face to face as a group London
1 1 . 00 am Finance assistant Videocon ference Paris
1 2. 00 noon Finance assistant Videocon ference Frankfurt
1 . 00 pm Lunch Canteen
2. 00 pm Finance assistant Videocon ference New York
3. 00 pm Financial controller Telephone Nairobi
4. 00 pm Managing director Face to face London
4. 30 pm Consolidate in formation Meeting room, London
26 June 2009
9. 00 am Production director Face to face London
1 0. 30 am Production sta ff members × 8 Face to face as a group London
1 2. 00 noon Production manager Videocon ference Paris
1 . 00 pm Lunch Canteen
2. 00 pm Production manager Telephone Nairobi
3. 00 pm Finance director Face to face London
4. 00 pm Gather in formation and close audit
34
One o f the major issues facing you is the time available, as this impacts on your
ability to test the responses you get with the greatest range o f people possible,
thus assuring yourself that the evidence you are fnding is a true refection o f
what is happening. This is not something new and auditing has never pretended
to be anything else other than a sample, but you must be satisfed that the
sample size is large enough.
Whatever you decide you should always start and end with the process
owner. Start o ff with them:
• togather information, which you can go on and test throughout the process;
• tounderstand if they have any particular areas they themselves may want
you to assess or review and provide feedback on.
Finally, conclude the audit with them so that you can confrm your fndings and
provide overall feedback on what you found.
Preparing your audit checklist

As an auditor you should never underestimate the usefulness o f an audit checklist
and just how important it will be to you. The purpose o f the checklist is to:
• ensure you cover all the questions/areas required to meet the audit objectives;
• act as a focal point for the audit, as it is easy to become distracted as you
follow the audit trail;
• allow you to record notes against specifc questions as you go, so you can
easily reference them when talking to different people;
• ensure you can easily compile the audit report from the notes you have made
without relying on just your memory.
But how do you decide what you should include in your checklist? Well, how
detailed you make your checklist is a very personal thing and is likely to depend
upon several factors not least how experienced you are and your ability to read
the detail described on the checklist without disturbing the fow and focus o f
the audit itself.
Before you can begin to prepare your audit checklist you frst have to
design it or, should you fnd it useful, copy the example shown in Table 5.2.
Your design will no doubt evolve over time to refect your own personal style
and needs.
Having decided on what your checklist will look like you now have
to populate it with all the questions you are going to need to ask in order to
complete your audit. These are the questions that will test:
Planning and preparing a process audit
35
• the eight principles o f ISO 9001:2008;

• the e ffective implementation o f the Plan, Do, Check, Act methodology;
• auditor tool 1;
• auditor tool 2; and
• actual process activities.
This means all o f the things we covered when looking at the auditor tools and
objective evidence in the previous chapter.
In addition, your checklist should include questions or areas to look at

that are specifc to the process or processes you are auditing. In order for you
to do this you will have to undertake some research and make requests for
information from relevant people. This is a relatively straightforward task if the
audit is going to be carried out internally as you will know the organization and
will be able to acquire the appropriate information. However, this can prove to
be more o f a challenge when you have no prior knowledge o f the company.
Typically your research should focus on trying to obtain information on:
• what the organization does and who its customers are;

• its mission, vision, policies and business objectives;
• organization structure and process ownership;
• the management system structure and links between processes;
• copies o f process maps; and
• company and process performance data.
You should allow yourself plenty o f time in advance o f the audit to gather the
information and compile your checklist. Remember the audit starts from the
moment you start compiling information and preparing your checklist, not from
the moment you ask your frst question o f the process owner; it is much too late
by then to get it right if you have not planned thoroughly.
I f you are not able to carry out the background research or obtain the
information you would like in order to prepare thoroughly for the audit, then
you must allow yourself more time to carry out the audit itself and to collect this
as you proceed. This is certainly not the most effcient way to carry out an audit,
but sometimes you will have no choice. Without this information your audit
will be fawed, so you must obtain it early on if you are to be effective.
As I said right at the outset o f this chapter preparation is 80 per cent o f

the audit and you have to ensure you have prepared adequately to avoid being
led by people rather than you leading the audit. Remember that you are there to
control the audit, not them.
36
Tab le 5 . 2 E xamp le au dit checklis t
PRO C E S S M AN AG E M E N T AU D I T C H E C KLI S T
Su bj ect: Au d i tor: D ate: Au d i t N o. :
C h eckl i st
Re f. N o. I tem C om m en ts Report Re f.
Planning and preparing a process audit
37
To summarize the p rep aratio n requ ired:
• make sure yo u fully understand the eight p rincip les and the P D C A cycle;
• be clear o n the o bj ective o f the audit;
• p lan the audit care fully making sure yo u allo cate the ap p ro p riate time to
each element and samp le eno ugh p eo p le;
• book meetings with p eo p le well in advance, do n’t exp ect them to j ust be
waiting fo r yo u !
• u nderstand the management system and p ro cess co nnectio ns;
• kno w the bu siness o bj ectives and custo mer requ irements and make the
co nnectio ns to p ro cess o utp uts; and
• always use a checklist!

38
6. C arrying o u t a p ro ce s s au dit –
C o mp liance vs e ffe ctive ne s s
B ringing it to ge the r
Ho pe fully by the time yo u are abo ut to start the audit yo u have fully prepared
and have a clear understanding o f ho w yo u will satis fy yo ursel f that the pro cess is
being managed e ffectively. Here is a brie f reminder o f what yo u are abo ut to do :
• test fo r the eight I SO 9 0 0 1 : 20 0 8 p rincip les;
• test that the P D C A ( P lan, D o , C heck, Act) cycle is embedded;
• fo cu s o n o utco mes in o rder to test fo r e ffectiveness;
• u se audito r to o ls 1 and 2 to help yo u make the links to cu sto mers and
sup p liers and fro m system to p ro cess to p eo p le;
• ask the mo st ap p ro p riate questio ns based o n the p erso n yo u are auditing’s
level within the o rganizatio n;
• test whether p ro cess activities are e ffective;
• test co mp liance to p ro cedu res, standards and regulatio ns, as ap p ro p riate;
• u se yo ur checklist to remain fo cused and to reco rd in fo rmatio n.
I f yo u are no t p ut o ff by this then let’s get o n with the au dit, starting with the
managing directo r, who will p ut the p ro cess and system in co ntext.
I nter vie wing the managing dire cto r
Yo u tu rn u p at the managing directo r’s o f fce do o r at the agreed time, p ro bably
a bit nervo us – are they in a go o d mo o d? I s the exchange rate favo urable? D id
they win at go l f yesterday? !

Carrying out a process audit – Compliance vs e ffectiveness
39
They call yo u in and immediately in fo rm yo u that they have to leave fo r

ano ther meeting in 3 0 minutes so yo u will have to be quick. Yo ur mind go es
blank, yo ur mo uth go es dry, yo u r heart b eats a little faster and yo u begin to
wo nder what yo u are do ing here. Yo u glance do wn and, to yo ur relie f, see the
checklist yo u so care fully p rep ared. Re ferring to the frst qu estio n yo u enqu ire,
‘Ho w is b usiness? ’ Yo u have started the au dit.
D oes this sound familiar? Feeling intimidated by someone like the managing
director is nothing new, but when you have to audit that same person in an e ffort
to extract information from them, it can be even more daunting (particularly so if
they have never been great supporters o f ISO 9 001 : 2008) .
This interview is critical. Why? Because i f yo u do no t su cceed in
gathering in fo rmatio n to help yo u gain a clear understanding o f the business
o b j ectives, measures, current p erfo rmance etc. yo u will no t b e able to test the
subsequent e ffectiveness o f p ro cess management and the co nnectio ns to the
o verall bu siness needs.
As a general rule yo u will o nly have a limited amo u nt o f time with these
p eo p le, so yo u have to make the little time yo u do get as p ro du ctive as p o ssible.
Being co mp letely clear abo ut the o bj ectives o f the interview and the o u tco mes
yo u requ ire is essential and will p revent yo u beco ming sidetracked and co ming
away wishing yo u had asked a p articular questio n. Rememb er again that it is
yo u r meeting and yo u are in co ntro l o f it. Yo u will gain real resp ect i f yo u do –
bu t i f yo u do n’t …
A go o d ap p ro ach is to start with a general questio n like ‘Ho w is bu siness? ’
With any lu ck the managing directo r will discuss the cu rrent state o f the market,
custo mers’ needs and ho w the o rganizatio n is wo rking hard to develo p sales and
imp ro ve margins. Within this discu ssio n yo u sho uld begin to draw o u t what
the b usiness o bj ectives are and ho w they p lan to mo ve the o rganizatio n fo rward
to achieve them. This in fo rmatio n is key and yo u need to be making detailed
no tes o f it o n yo u r checklist as yo u go , so that yo u can re fer to them later o n as a
‘memo ry j o gger’ and to help with su bsequ ent meetings.
Be co nscio u s o f time, stay fo cu sed o n the o bj ectives o f the interview
and the questio ns yo u need to ask and yo u can usually get thro u gh it within
3 0 minu tes. I tend to fnd that mo st managing directo rs, o nce they get talking,
fo rget abo ut their next meeting and end up chatting fo r u p to an ho u r, usually
becau se they never realized the audit was actually go ing to be abo u t the b usiness
itsel f, rather than ISO 9 0 0 1 : 20 0 8 ! O nce they start do ing this, then yo u kno w
that yo u are p art o f the way to having a co nvert. The rest o f the j o urney will be
made o nce they see the bu siness value o f yo u r rep o rt and fndings.
40
f
B e o re yo u co nclu de the meeting have a qu ick lo o k at yo u r checklist to
ensu re yo u have everything yo u need fo r the next p art o f the au dit and then ask,
‘I s there anything yo u wo u ld like fro m my au dit, are there any areas yo u wo u ld
like me to lo o k at in additio n? ’ N o te any resp o nse yo u get and then thank them
fo r their time and leave.
I’ll make a no te o f that!
I t is all to easy to get carried away listening to p eo p le and fo rgetting to make
a no te o f what they said o r sho wed yo u , b u t it is su ch an imp o rtant p art o f

au diting that it is wo rthy o f a fu rther sep arate mentio n to remind yo u to do it.
T his is p articu larly imp o rtant i f the au dit is to b e sp read o ver any length
o f time, when it wo u ld b e di ff cu lt to keep track o f all the resp o nses and even
harder to recall them at the right time. T his is esp ecially so i f yo u are trying to
test the e ffectiveness o f co mmu nicatio n and need to kno w exactly what o ther
p eo p le have said.
Interviewing the p ro ces s o wner
P ro cess o wners can b e j u st as fo rmidab le as the managing directo r so b e
p rep ared b y fo llo wing the same ru les and o p ening the dialo gu e b y asking them,
‘Ho w is b u siness? ’
C heck and co n f rm with the p ro cess o wner that the au dit p lan is still
alright and that the p eo p le yo u wish to sp eak to will b e availab le.
As with the managing directo r b e qu ite clear ab o u t the o b j ective o f the
interview. Yo u r f nal rep o rt mu st b e ab le to co nclu de ho w e ffectively the p ro cess
was b eing managed, so make su re yo u keep fo cu sed o n this and do no t b eco me
distracted b y o ther issu es the p ro cess o wner may wish to talk ab o u t.
f
Re er to yo u r checklist co nstantly. P ro vided yo u p rep ared it tho ro u ghly
it sho u ld inclu de the qu estio ns yo u need to test the eight p rincip les, P D C A and
au dito rs to o ls 1 and 2.
What yo u are testing is e ffectiveness, which inclu des the fo llo wing.
• T he link b etween what the managing directo r said and what yo u are no w
b eing to ld b y the p ro cess o wner – are they saying the same things?
• Has the managing directo r co mmunicated the business o bj ectives adequately?
• Has the p ro cess o wner interp reted them co rrectly?

41
• Has the p ro cess o wner related them to their p ro cess?
• Has the p ro cess o wner co mmu nicated the o b j ectives do wn to the
p ro cess team?
• Has f
the p ro cess o wner estab lished p ro cess p er o rmance measu res?
• Do the measu res relate to the o b j ectives?
• D o es the p ro cess o wner kno w the cu rrent p er o rmance o f f the p ro cess
against the o b j ectives and targets?
• Has f
the p ro cess o wner co mmu nicated the p er o rmance resu lts to the
p ro cess team?
• What actio ns are the p ro cess o wner and p ro cess team taking when there is
f
a gap in the p er o rmance against the stated o b j ective o r target?
• Ho w do p ro cess team memb ers co ntrib u te to imp ro vement activities?
• Ho w do es the p ro cess o wner kno w imp ro vement actio n is e ffective?
f
Re er to Tab le 4. 2 fo r mo re qu estio ns and Tab le 4. 3 fo r the likely o b j ective
evidence yo u co u ld f f
nd and can there o re make a no te o f o n yo u r checklist.
J u st as in the interview with the managing directo r, yo u sho u ld treat the
f
interview with the p ro cess o wner as an in o rmatio n gathering exercise, so ensu re
yo u reco rd as mu ch o f f
the in o rmatio n yo u are given as p o ssib le. Yo u will need
it to co mp lete the main p art o f the au dit.
f
Again, b e o re yo u co nclu de the meeting have a qu ick lo o k at yo u r
checklist to ensu re yo u have everything yo u need fo r the next p art o f the au dit
and then ask, ‘I s there anything yo u wo u ld like fro m my au dit, are there any
areas yo u wo u ld like me to lo o k at in additio n? ’ N o te any resp o nse yo u get and
then thank them fo r their time and leave.
Interviewing process staff

Having interviewed the p ro cess o wner yo u are no w in a p o sitio n to mo ve o nto
the main p art o f the au dit and b egin to au dit p ro cess sta ff, to gether with lo o king
at the vario u s co nnectio ns with o ther p ro cesses within the o rganizatio n. Sticking
to yo u r au dit p lan b egin to au dit the p ro cess sta ff.
Whereas the o b j ectives o f the interviews with the managing directo r and
f
p ro cess o wner were p rimarily in o rmatio n gathering, the au dits o f p ro cess sta ff
f
are no w ab o u t testing this in o rmatio n in o rder to determine ho w e ffectively the
p ro cess is b eing managed.
What yo u are testing is e ffectiveness, which inclu des checking p ro cess
sta ff u nderstanding o f su ch issu es as the fo llo wing.

42
• Are the o b j ectives/o u tp u ts o f the p ro cess u ndersto o d and are they linked to
what the p ro cess o wner said?
• Is the pro cess measured and are the measurements the same as what the
p ro cess o wner said?
• Do p ro cess sta ff kno w what the cu rrent p er o rmance o f f the p ro cess is?
• Ho w f
is in o rmatio n co mmu nicated to p eo p le wo rking within the p ro cess
and is this as describ ed b y the p ro cess o wner?
• Do p ro cess sta ff kno w ho w they can co ntrib u te to imp ro ving p ro cess
f
p er o rmance?
f
Re er to Tab le 4. 2 fo r mo re qu estio ns and Tab le 4. 3 fo r the likely o b j ective
evidence yo u will f nd and can make a no te o f o n yo u r checklist.
I n additio n, yo u are also testing:
• ho w e ffectively the co nnectio ns to o ther p ro cesses are o p erating;
• that p ro cess activities are b eing imp lemented e ffectively;

• that any p ro cedu res, standards o r regu lato ry requ irements are b eing wo rked
to ; and
• ho w f
co mp etent p eo p le are/ eel they are to p er o rm their assigned tasks. f
Rememb er the audit dynamic
As an au dito r yo u have a du ty to remain co nscio u s o f u sing the right qu estio ns
at the right level in the p ro cess. To achieve this rememb er the qu estio ning
techniqu es diagram in F igu re 4. 3 . So altho u gh we have su ggested the items yo u
sho u ld b e testing du ring the au dit, it is still very mu ch u p to yo u , the au dito r, to
p hrase these in a manner that will ensu re they are u ndersto o d b y yo u r au ditees
and that will p ro vide yo u with adequ ate evidence as an answer to yo u r qu estio n.
G ive me a b reak!
T here are a lo t o f p ressu res o n au dito rs and yo u sho u ld never b e a raid to take f
a b reak du ring the au dit in o rder to give yo u rsel f an o p p o rtu nity to co llect yo u r
f
tho u ghts, p u t the in o rmatio n yo u have gathered into co ntext and to generally
f
satis y yo u rsel f that yo u are p ro gressing as p lanned.
f
As yo u review any in o rmatio n, no tes and o u tstanding qu estio ns it will
help to fo cu s yo u r mind o n the au dit o b j ective. I , f fo r whatever reaso n, yo u
f nd yo u rsel f no t b eing ab le to co n f rm what is actu ally hap p ening within the
o rganizatio n, and u p to this p o int in the au dit yo u are no t a p o sitio n to rep o rt
ho w e ffectively the p ro cess is b eing managed, then the b reak is essential. I t
a ffo rds yo u the o p p o rtu nity to determine the sp eci f c fu rther qu estio ns yo u need
43
to ask in o rder to co mp lete the au dit and co mp ile yo u r rep o rt adequ ately. Sho u ld
yo u f nd that yo u do no t have su ff cient evidence to make a j u dgement as yo u
f
p ro ceed, never b e a raid to add items to yo u r checklist.
They think it’s all over …

I f yo u have stu ck to the au dit p lan and no t b eco me to o distracted the au dit
sho u ld f nish o n time, with everyb o dy o n yo u r list having b een au dited and
with yo u having a clear u nderstanding o f ho w e ffective the o rganizatio n is at
p ro cess management.
f
N o w is the time to b egin to si t yo u r way thro u gh all the in o rmatio n yo u f
have and to co llect yo u r tho u ghts ready to co mp ile yo u r rep o rt and rep o rt b ack
to the p ro cess o wner and/o r managing directo r.
Yo u sho u ld discu ss yo u r f ndings with the p ro cess o wner and/o r managing
directo r p rio r to generating yo u r f nal au dit rep o rt and indeed there may well
b e so me items that requ ire clari f f

catio n. P lease re er to the next chap ter o f this
b o o k where this will b e exp lo red in mo re detail.

44
7. f
I de nti ying and re p o rting f ndings –
M o ving b e yo nd co mp liance
Re p o rt o b j e ctive s
What are the o b j ectives o f yo u r f

au dit rep o rt? A straight o rward eno u gh qu estio n,
b u t ho w many au dito rs actu ally ask themselves this be o re they write and f
p resent their rep o rt? A lo t o f the au dit rep o rts we read clearly demo nstrate that
the au dito r did no t ask themselves this qu estio n and i f they did they drew the
wro ng co nclu sio n fro m it. The mo st co mmo n misinterp retatio n o f this qu estio n
co mes fro m I SO 9 0 0 1 : 20 0 8 au dito rs, b e they internal o r third p arty au dito rs.
I S O 9 0 0 1 : 20 0 8 au dito rs typ ically co nsider the o b j ective o f their rep o rts
to b e to reco rd all the areas where the o rganizatio n did no t co mp ly with
I S O 9 0 0 1 : 2 0 0 8 . This is why when yo u read a rep o rt written with this o b j ective
they add virtu ally no valu e to the o rganizatio n and are u su ally igno red b y senio r
management.
The real o b j ective certainly has to b e to reco rd all the areas where the
o rganizatio n did no t co mp ly with I SO 9 0 0 1 : 20 0 8 , b u t mo re imp o rtantly to
p rio ritize where these no n-co mp liant areas a ffected f

b u siness p er o rmance. I n
o ther wo rds the rep o rt f ndings will add valu e to the o rganizatio n b y highlighting
issu es that, i f f
addressed, will imp ro ve the p er o rmance o f the bu siness.
Rememb er that I SO 9 0 0 1 : 2 0 0 8 is p u rely a mo del to help yo u achieve
b u siness su ccess, so this is what f ndings sho u ld fo cu s o n. Yo u r rep o rt sho u ld
f
co ntain in o rmatio n that:
• reco gnizes go o d p ractice;
• identifes instances o f no n-co mpliance in the co ntext o f business f

per o rmance;
Identi fying and rep orting fndings – Moving beyond comp liance
45
• reco gnizes the matu rity o f the management system; and
• enco u rages the o rganizatio n to imp ro ve its p er o rmance. f
We appreciate that auditors and, in particular, third party audito rs, have a di ffcult
j ob in striking the right balance between repo rting co mpliance with ISO 9 001 : 2008
whilst trying to encourage impro vement based o n the maturity o f the organization’s
management system. However, that said, this do es not stop auditors trying to
achieve this balance in order to add value to the organization. A ter all, they are a f
supplier to the organization that is in turn the audito r’s custo mer. What they want
from yo ur audit report must surely be considered important?
When is a non-comp liance a business op p ortunity?
The wo rd no n-co mp liance has a very negative feeling ab o ut it, fo r examp le
so mething is wro ng, so meo ne is to blame, there has been a failu re, the system has
b ro ken do wn. I f yo u rep o rt yo ur audit f ndings in a series o f no n-co mp liances

then yo ur rep o rt will also have a very negative feeling abo u t it.
Let us suggest so mething revo lutio nary: do no t u se the wo rd no n-
co mp liance in any audit rep o rt yo u write, think o fa p o sitive alternative instead.
J u st think fo r a mo ment ab o ut ho w yo u co u ld change the language yo u cu rrently
use in this way. What e ffect wo uld this have o n yo ur auditees?
What to rep ort
T he u ltimate design o f yo u r au dit rep o rt may b e co nstrained b y the need
to ado p t a standard temp late o r fo rmat u sed b y yo u r o rganizatio n, which is
almo st certain to ap p ly to third p arty au dito rs. I f yo u have no su ch co nstraints
then yo u are free to cho o se a fo rmat that allo ws yo u to rep o rt yo u r f ndings in
the mo st ap p ro p riate way, which co u ld b e anything fro m an A4 temp late to a
f
so tware-b ased co mp u ter p resentatio n. T he cho ice is yo u rs. Tab le 7. 1 p ro vides
an examp le o f an internal au dit rep o rt temp late that we have u sed and yo u
f
are welco me to co p y and mo di y in o rder to co me u p with a versio n yo u feel
f
co m o rtab le u sing.
We have talked o f the need to make yo u r au dit rep o rt as p o sitive as
p o ssib le to enco u rage the o rganizatio n to address the issu es raised with the
u ltimate aim o f f
imp ro ving their b u siness p er o rmance. B u t ho w can yo u achieve
this? T he b est way to demo nstrate what we mean is to sho w yo u so me extracts
o f actu al au dit rep o rts, clearly sho wing b o th p o sitive and negative rep o rting
styles. Yo u can then see fo r yo u rsel f what we mean.

46
Tab le 7 . 1 E xamp le o f internal au dit re p o rt temp late
PROCESS MANAGEMENT AUDIT REPORT
Audit objective: Auditor: Date(s) o f audit:
Criteria for audit: Process(es) audited:
Audit summary
Audit fndings
Re f. N o.
Identifying and reporting fndings – Moving beyond compliance
47
What not to say …

T he fo llo wing are examp les o f what no t to say in an internal au dit rep o rt.
a) There was no evidence that the organization was monitoring customer

satis faction as required by ISO 9001 :2008, Subclause 8.2.1 .
b) There was no evidence o f a documented procedure for the control o f records as
required by ISO 9001 :2008, Subclause 4.2.4.
c) There was no evidence that the organization had reviewed its infrastructure as
required by ISO 9001 :2008, Subclause 6.3.
What to say …
T he fo llo wing are examp les o f what to s ay in an internal au dit rep o rt.
a) The organization does not currently monitor customer satis faction. Monitoring
the perception customers have will enable the organization to better understand
how it can meet both their current needs and future expectations, allowing the
organization to beneft from a more proactive approach to customer care.
b) The organization does not currently have a documented procedure for the control
o f the records it produces. The documenting o f a procedure for the control o f
the organization’s key records will ensure that the responsibilities for record
retention are known and that these important records are protected from damage
or deterioration and only retained for the maximum specifed period, allowing
archive storage space to be kept to a minimum.
c) The infrastructure o f the organization appeared to be adequate for the services
being provided; however, there was no process by which the infrastructure is
reviewed on an ongoing basis, which could affect the organization’s ability to
meet future customer demands. Therefore the organization would beneft from
linking together the review o f market/customer needs and the infrastructure
required to deliver them.
d) The organization is to be congratulated on the decision it has made to introduce
new computer terminals and o ffce furniture in the call centre. The staff spoken
to all commented on what a signifcant di fference this has made to both their
com fort and ability to read the new screens. This has undoubtedly contributed
to the reduction in staff sickness time and number o f customer complaints due to
keying errors.
O f f
co u rs e there is a need to reco rd no nco n o rmances agains t clau ses b u t it
is the imp act o n the o rganiz atio n and the o b j ectives o f the senio r manager that
is imp o rtant.
48
What turns yo u o n?
Which version o f the report fndings did you prefer reading? Which version
do you think the managing director would prefer to read and would encourage
them to do something? Precisely, the second version, and this is the style you
should be adopting in the writing o f your audit reports. The report is all about
the business and nothing about subclauses in ISO 9001:2008 because managing
directors are not interested in the detail o f what the Standard says.
As any good politician would tell you it is all in the spin. We are not
suggesting we all need to become politicians, but, as auditors, we could all learn
a trick or two from them and spin our reports positively. A fter all, we are trying
to infuence our ‘customer’ to make the improvements we have identifed.
Are yo u hiding b ehind IS O 9 0 0 1 : 2 0 0 8 ?
As an auditor you should ask yourself the question, ‘Am I hiding behind
ISO 9001:2008 with my comments in the audit report?’ We tend to fnd that
the more experience an auditor has o f how businesses operate the greater the
chance their audit report will add value. Conversely auditors who have a limited
knowledge o f how businesses operate tend to hide behind ISO 9001:2008 as this
is all they know and feel comfortable with.
There is no substitute for an in-depth knowledge o f the workings o f all

business processes, not just the theory but the actual experience o f how they
work. This includes the processes such as business planning, asset management
and managing marketing – whatever title you may give them within your
organization. Auditors who fail to get to grips with truly understanding these
processes will spend their auditing life hiding behind ISO 9001:2008 rather
than translating it into business improvement language. They will fail to provide
added value to the organization.
The ‘S o What! ’ test
The fnal check every auditor should perform on their audit report before they
present it is the ‘So What! ’ test. Here is an example:
‘… the quality policy had not been signed by the managing director… ’
S O WHAT!
Identifying and reporting fndings – Moving beyond compliance
49
I f an audit report is to add value to the organization it has to contain in formation

that could help the organization improve its performance and ultimately make
money (or at least not overspend) . Meeting fnancial targets is a prerequisite for
the maj ority o f organizations and o ften the key purpose o f their existence.
Improvement action
The audit report should only contain the fndings o f the audit and not
suggestions for the improvement action to be taken. This way the auditor can
remain independent and the organization does not feel obliged to adopt any o f
the auditor’s suggestions for improvement, even if it does not agree with them. By
doing this, the auditor is also passing the responsibility for taking improvement
action back to the process owner.
Improvement action should be le ft with the appropriate people within

the organization itsel f to determine. What action is taken, by whom and within
what timescales are all decisions that the organization should make for itsel f,
based on what is appropriate for the business, how it will bene f t and the other
current priorities it has.
50
8. As s e s s ing imp ro vements
Pu tting the imp ro ve me nt in co nte xt
As we have seen fro m carrying o u t the au dit o f p ro cess management the
f
au dito r’s ro le is no t to identi y ho w imp ro vements sho u ld take p lace o r what the
f
o rganizatio n sho u ld do . I t is to p ro vide in o rmatio n to management o n areas
o f risk o r where o p p o rtu nities fo r imp ro vement exist with an exp lanatio n that
o u tlines the p o tential imp act o n the o rganizatio n i f these are addressed.
f
T here o re what the o rganizatio n do es i f it decides to address these
issu es is u p to the management b alancing the o ther o rganizatio nal needs and
requ irements with the au dit f ndings. D o n’t fo rget that carrying o u t au dits is
o nly o ne so u rce o f f
in o rmatio n management is receiving u p o n which decisio ns
f
can b e b ased. They will also b e receiving in o rmatio n o n cu sto mer satis actio n f
and b u siness resu lts etc. , which co u ld mean that they may well igno re the
au dit f ndings and co ncentrate imp ro vement activity in o ther areas where the
greatest b u siness b ene f t can b e achieved. This b eing the case au dito rs sho u ld
f f
no t b e disheartened i , a ter carrying o u t an au dit reco mmending areas fo r
imp ro vement, management do no t ap p ear to act o n the in o rmatio n. f
T he real test is to determine whether the system is imp ro ving – b u t
that is all ab o u t au diting the management o f a system, a su b j ect that is little
u ndersto o d, rather than au diting a p ro cess, which we have co vered in this
b o o k. The b asics o f system management au diting are similar to tho se o f p ro cess
management au diting, the main di fference b eing o ne o f level. I nstead o f lo o king
at a single p ro cess the au dito r is lo o king at the system as a who le. M any o f the
Assessing imp rovements
51
same skills are requ ired, b u t it needs a still wider b u siness u nderstanding fo r the
au dito r to b e su ccess u l. f
Planning and carrying out a follow-up audit
As with any au dit this needs to b e schedu led and au dito rs ap p o inted in exactly
the same way as fo r a fu ll au dit. The main di fference is asso ciated with the sco p e
o f the au dit, which is generally limited to the sco p e o f the p revio u s au dit rep o rt
f ndings, rather than the entire p ro cess.
I n p rep aring fo r a fo llo w-u p au dit the au dito r needs to review the p revio u s
rep o rt and, in p articu lar, to u nderstand the b u siness reaso ns fo r reco mmending
the imp ro vements and the b u siness risks o r imp act asso ciated with them.
I n terms o f p rep aring yo u r au dit p lan yo u sho u ld aim to discu ss the
imp ro vements to estab lish what actio n has b een taken and the p u rp o se in taking
the actio n. The same to o ls and techniqu es can b e u sed to carry o u t a fo llo w-u p
au dit as have b een describ ed earlier fo r p ro cess management au dits. So , in
estab lishing the p u rp o se and the aim o f the actio n o r imp ro vement the au dito r
f
is identi ying what the p ro cess o wner is trying to achieve. I t is no t go o d eno u gh
j u st to determine whether the co rrective actio n o r imp ro vement has taken
p lace. What the au dito r needs to estab lish is ho w e ffective the actio n has b een,
i. e. has the aim o f the imp ro vement activity b een met, has it wo rked/so lved the
p ro b lem etc. F ro m estab lishing the aim the au dito r can then review the actu al
imp ro vement activity o r co rrective actio n taken, the resu lts gained and identi y f
any fu rther imp ro vement needed to meet the o riginal intentio n o r p u rp o se.
As describ ed earlier the au diting to o l sho wn in F igu re 4. 1 can b e u sed in a
similar way when carrying o u t fo llo w-u p au dits.
f f
C o nsequ ently, a ter in o rmatio n has b een gathered fro m the p ro cess
o wner, the techniqu e can b e u sed to gather in o rmatio n f fro m o ther p eo p le either
invo lved in the change/imp ro vement o r a ffected b y it.
T hro u gh a series o f f
sho rt in o rmatio n gathering activities fo llo wing the
assessing techniqu e o u tlined earlier, the au dito r will so o n b u ild u p a view as to
whether o r no t the actio n has b een e ffective in reso lving the issu e highlighted in
the o riginal au dit rep o rt and has b een carried o u t in a ‘timely’ manner. Timely in
this sense b eing b ased o n the size and imp act o f the change o r imp ro vement and
the risk the o rganizatio n faces in no t carrying o u t the change qu ickly eno u gh.
T he feedb ack o f the au dit f ndings is to the p ro cess o wner, as b e o re, in a f

fo rmat that yo u wo u ld typ ically u se fo r all au dits.
52
What happens if the improvement has not

been carried out?
I f an imp ro vement has either no t b een fu lly co mp leted o r no t even addressed
in any way the au dito r needs to make a j u dgement o n the p o tential imp act o n
the o rganizatio n. I f the j u dgement is that the o rganizatio n is at risk then the
f
matter sho u ld b e re erred to the system o wner, i. e. a ‘higher au tho rity’ than the
p ro cess o wner, who sho u ld b e asked to intervene to address the issu e and advise
the au dito r acco rdingly. What the system o wner do es in reso lving the issu e is
u p to them with any o u tco me b eing u sed to determine whether o r no t a fu rther

fo llo w-u p au dit is requ ired. E very o rganizatio n will need to b e clear ab o u t the
metho d o f escalatio n they will u se in su ch cases, and when it sho u ld b e u sed.
T his will p ro vide clarity to b o th the au dito r and the p ro cess o wner.
53
9. What p ers o nal attrib u tes do au dito rs ne ed?
Au diting as a s kill
Auditing is a skill and like any other skill needs practice to hone it. It involves
an ability to evaluate or learn from the experience, subsequently changing the

auditing style or approach to add more value to the activity. Clearly competence
to audit is a key requirement but to enable this competence to be built (something
that is less easy to train) are the personal attributes, inherent in any good auditor.
These attributes underpin the auditing activity and are the basis upon which
competence is built.
ISO 1 901 1 describes these attributes and although not an exhaustive list,
it does provide a use ful insight into what is expected. Above all the auditor
should be ethical; auditors are placed in a position o f trust by management to
investigate how e ffectively the organization is being managed. As we have seen
auditors need to assess e ffectiveness o f actions taken as well as compliance.
To assess e ffectiveness requires the auditor to ‘expose’ areas o f strength and

weakness, identi fying where the organization can make improvements or
changes that will enhance performance. In talking to di fferent people at di fferent
levels within the organization, o ften being party to ‘sensitive’ in formation, the
auditor should be care ful to ensure that con f dentiality is maintained at all times,
whatever the pressure to disclose sources o f in formation. This is not always easy
and sometimes pressure is exerted, but those seeking the in formation should
be made aware that its disclosure will break con f dentiality, which may result
in auditees being reluctant to take part fully in later audits to the detriment o f
future audits and there fore the organization.
54
Equally the results should be a fair and honest refection o f the

fndings, reporting facts and not seeking to apportion blame or falling into
the ‘solutionism’ trap. ‘Solutionism’ is where the auditor writes their report
explaining how managers should actually carry out the improvements or
resolve problems. No matter how well meaning, it is o ften dangerous to make
recommendations to managers on how they should manage their organization –
that’s their job, not the auditors. Many books or guides on auditing o ften suggest
that the auditor should make recommendations but this needs to be done with
care. It is one thing to make a statement that something is blatantly incorrect
or is not working as well as it could and provide the evidence to support this.
It is quite another to go further than this and suggest how the improvement
should be carried out. Very seldom does the auditor have as good a view o f the
organization as the manager. How the manager resolves problems or implements
an improvement is up to them. Following the appropriate process, o f course, is
up to them. So, report the facts and leave any recommendations on what needs
to be done or action that could be taken until after the audit. We have seen
a number o f internal and external auditors ruin a very good audit by making
recommendations that are inappropriate and get a negative reaction from the
manager – so be aware.
Auditing for effectiveness o ften involves understanding what is happening.

How an organization manages its business, how people carry out their tasks,
what equipment they use and how they comply with legislation for example is
up to them and the auditor can expect to see or observe activity that is different
between one organization and another and even between one department or site
and another in the same organization. In other words there is not necessarily
a right or wrong way. Auditors need to be open-minded as to the activities
undertaken and willing to consider different views or interpretation. What is
more important is how effective these actions are on the fnal result achieved.
Adopting an open mind goes hand-in-hand with carrying out the audit in a
tactful and diplomatic manner. Remember the easiest way to gather information
is to ask people what is happening, what they do, how they could improve what
they do etc. How the auditor handles this conversation, even if auditing using
email and other non-traditional methods o f auditing, is critical to success. I f the
auditor criticizes what someone is doing or how a manager is managing their
part o f the business then that person is likely to be more reluctant to provide
the auditor with the information they need. Remember people are o ften not
the problem, most o f the time it is the system they are operating in, so identify
where the system is failing rather than seeking to criticize, blame or expose the
individual. The results will be far more welcome and o f considerably more value
to the organization.
What personal attributes do auditors need?
55
When auditing there is o ften a sense o f something being right or not

quite right, it’s a feeling. You can’t be certain because you might not have the
evidence, but an instinct that there may be something that is taking place that
is either incorrect or wrong or could be improved. This ‘second sight’ is all
about perception, how the auditor sees, reads and understands situations. This
perception may be drawn from looking at evidence from different sources – an
adding together o f information that doesn’t quite make sense and needs testing
or examining further. Auditors need to develop and, more importantly, use this
ability. O ften the in formation an auditor needs won’t ‘stare them in the face’ or
be straightforward and needs ‘digging out’ based upon reading a given situation.
Another area based upon perception is collecting ‘perception-based’ information.
This is o ften more valuable than fact-based or document-based evidence. The

problem is that how people perceive situations, activities or events is o ften not
evidenced by documents – it’s o ften verbal or an interpretation. The auditor
there fore needs to be able to turn this information into fact or obj ective evidence.
This is achieved by using an appropriate sample size, testing the perception to get
to the facts. This may mean that someone has perceived an event incorrectly or
drawn the wrong conclusions. The auditor’s j ob is to work with these perceptions
and draw conclusions separating the fact from the fction.
To do this requires persistence, the ability to keep going even though

auditees may put obstacles in the way. You may not get exactly the information
you need or you simply get frustrated knowing there is something to be identif ed
but you simply can’t fnd it. I f you fnd yourself in this situation keep going, think
about the obj ectives o f the business and the scope o f the audit. How important
is it, will it put the business at risk? Perhaps a different approach is required to
gather the information. Persistence is not about pursuing something for the sake
o f it, it is about making a j udgement for the sake o f the business, the audit and
importance o f the issue.
Following on from persistence is the need to make decisions in a timely

manner based on the evidence that has been gathered. These conclusions should
be clear, unambiguous and understandable. This allows the auditee to be able to
review the conclusion or fnding using the evidence the auditor has provided.
Poor conclusions based on poor analysis leads to the auditee not being able to
understand what the conclusion is about or why the issue has been raised. O ften
poor analysis o f the evidence results in con fusion and inevitably fndings that
are lower level detail (mainly compliance related) rather than the identi f cation
o f improvements or the need for change to enhance e ffectiveness.
O ften auditors fnd themselves working on their own, gathering information

whilst they work with the auditees. This ability to work independently is an
attribute not to be underestimated. This requires the auditor to be a self-starter,
56
self-reliant, and having the necessary equipment and motivation to see the audit
through without the support from other auditors.
How about knowledge and skill?

For auditors, knowledge and skill can fall into a number o f areas:
• knowledge and skills o f auditing itself;

• the management system and its supporting processes that are being audited
as well as the organization or business itself;
• pro fessional knowledge around the subject o f quality; and
• specialist knowledge o f supporting business processes such as business
planning, human resources, fnance, etc.
The auditor needs to have a mix o f skills and knowledge to be effective. These
are interdependent and should not be considered or developed in isolation o f
each other, i.e. no one area is more important than the other – they complement
each other.
Knowledge o f the auditing principles

Knowledge o f the auditing principles is aimed at ensuring that audits are carried
out in a consistent manner following a defned approach. These principles
are identifed in ISO 19011 and should support any auditing procedures and
approaches that the organization has in place.
It goes without saying that the auditor should be able to follow the
organization’s auditing procedure and approaches.
The auditor should be able to create an audit plan based on the scope o f
the audit. This should show who is going to be audited, how and when and be
agreed by the process owner. The effective use o f time is very important. Auditors
should not forget that for most organizations auditing is an overhead, a cost to be
borne by the organization. Therefore the organization needs to not only get value
from the audit but also collect, collate and report information and other data
effciently and effectively. The audit plan should refect this need and auditors
should adopt approaches and methods that are appropriate. As mentioned early
in the book these approaches may well be non-traditional in nature but will be
more cost-effective without distracting from the value o f the audit.
With the plan in place, agreed with the process owner and communicated
to those being audited, it is the responsibility o f the auditor to ensure that the
audit is carried out as planned, keeping to the timescales as shown. Sometimes in
57
an audit the audito r will disco ver areas that need mo re investigatio n than the time
allo cated will allo w o r, perhaps, so meo ne else needs to be interviewed who wasn’t
o n the o riginal plan. In these circumstances the plan may need to be amended
and this is the audito r’s respo nsibility. It is no t go o d p ractice fo r the audito r to
f
either start late o r to end an interview a ter the time previo usly indicated o n the
plan. The auditee will be exp ecting the plan to be fo llo wed. I f the plan needs to
be amended then the audito r sho uld discuss o r co mmunicate this to the pro cess
o wner o r the perso n sho wing the audito r ro und the o rganizatio n, i f o ne is being
used, in o rder that a revised plan can be agreed and co mmunicated. This may
include go ing back to an auditee to check a p articular issue o r to gather mo re
f f
in o rmatio n. Planning an additio nal interview is p re erable to igno ring the o riginal
plan, ho wever tempting this may be.
T he au dito r needs to maintain co n f dentiality. This no t o nly ap p lies to
f
sensitive b u siness o r o rganizatio nal in o rmatio n b u t also to p erso nal feelings
and views that may b e exp ressed b y an individu al o r gro u p . C learly the au dito r
may well b e p ro vided with sensitive b u siness in o rmatio n as p art o f f the au dit
that sho u ld no t b e shared either within the o rganizatio n itsel f o r externally –
it mu st remain co n f dential. T here is a temp tatio n to share in o rmatio n with f

wo rk co lleagu es b u t the au dito r do esn’t necessarily kno w what has b een
co mmu nicated and what hasn’t and the reaso ns fo r f

this. T here o re to avo id
any ‘situ atio ns’ it is b est to simp ly say no thing and u se the in o rmatio n f fo r the
p u rp o se fo r which it was given, i. e. fo r the au dit. T his ap p ro ach will avo id and
p revent any di ff cu lt situ atio ns o r misu nderstandings.
The same applies to views expressed by auditees. To assess the e ffectiveness

f f
and to gather in ormation required o ten requires the auditors to gather views
and examples from people no t directly carrying out the task involved. For
f
example let’s say you are auditing the manu acturing process, then you may
f
gather in o rmatio n from the sales team, i. e. the people who generate the o rders
and those who dispatch pro ducts and services as well to gain their views and
the impact the production pro cess has on them. O r perhaps you are auditing an
impro vement process as well as auditing the people involved in the actual process
o r impro vement. Yo u could also interview the people a ffected by the change
to determine how e ffective the change has been in impro ving per o rmance. In f
gathering these views from people ‘o utside’ the process being audited but a ffected
by its impact, the auditor may well be gathering views and opinio ns fro m a number
o f different people to create the ‘obj ective evidence’ and to fo rm a conclusion
regarding e ffectiveness. These views and opinio ns also need to be kept con f dential
and no t shared either with o ther auditees, e. g. ‘I was speaking to X and he said … ’,
o r o utside the audit. I f the auditor breaches this con f dentiality then it is likely that
the auditee will be less fo rthcoming f

with in ormatio n the next time an audit takes
place, thereby reducing the e ffectiveness o f the audits taking place.

58
Auditors should focus their attention on signi f cant issues. This does not
mean that areas o f detail should be ignored but that the audit should focus on
what is important to the success o f the process and the organization rather than
areas that have little impact or signi f cance in the overall picture. Some auditors
get a reputation for ‘nit-picking’, i. e. identi fying or making an issue o f small
areas that in themselves have little or limited impact on performance. I f the
auditor is in any doubt as to whether or not an issue should be raised then think
about the manager who will be receiving the report, will they be interested? Is it
important to them?
Collecting information is the key requirement o f the audit. The information
o ften comes from a range o f sources from across the organization. The various
parts o f information are then ‘added’ together to form a view or fnding. It is o ften
not a case o f taking one ‘piece’ o f information in isolation but adding different
data together to form the ‘picture’. There fore a key principle is to test or verify the
different pieces o f information to conf rm their appropriateness and accuracy.
Auditors need to develop a ‘sixth sense’ to help them with knowing

how o ften and when additional in formation is needed to determine or veri fy
a fnding. It is not possible to review or look at every document or piece o f
in formation used or generated by a process. In addition it is very rare that the
amount o f time allowed for the audit would be su ff cient to interview every
manager or sta ff member involved in the process. This is compounded by the
need to gather in formation from those outside the process. To manage this the
auditor can use sampling techniques to help determine what in formation is

required. Although these can be scienti f cally and statistically based the auditor
can also apply common sense. For example i f there are six proj ects to look at
then perhaps two could be sampled; i f there is su ff cient di fference in the two
then perhaps a third could be reviewed to con f rm the fnding. Or i f there are
25 0 employees who need to have obj ectives and understand how they ft into
the process then perhaps 1 0 could be interviewed for fve minutes (5 0 minutes
in total) rather than two for 25 minutes (still 5 0 minutes in total) to allow the
auditor to gain a wider view o f what is happening.
Understanding management systems and processes

As we have outlined earlier in this book and in others that make up this series,
understanding what a process-based management system actually is and the
principles o f managing an organization by process is really important. It is not
the intention to revisit the principles o f process management and its impact on
organizational performance but auditors who do not understand the principles
59
will no t b e ab le to au dit e ffectively, o tenf f nding it di ff cu lt to mo ve b eyo nd
co mp liance au diting.
This extends to understanding ho w the vario us pro cesses that make up the
system interact with each o ther and ho w suppo rt o r re erence do cumentatio n such f
f
as pro cedures and o ther in o rmatio n is p o sitio ned and used within the system. It
wo uld also include ho w reso urces, equipment, budgets, co mpetence, team wo rk,
kno wledge, o ther standards and framewo rks, kno wledge, enviro nmental, health
f f
and sa ety and regulato ry requirements, in o rmatio n techno lo gy, intellectual
pro perty, management ability and techniques, results, changes etc. can imp act
f
o n pro cess per o rmance. This do es no t have to be an in-depth understanding
but sho uld, at the very least, be an awareness o f the po ssible impacts so that the
audito r is able to fo rm j udgements o n po ssible areas fo r impro vement.
f
I n additio n, as mentio ned b e o re, the au dito r needs to have an ap p reciatio n
o f general bu siness p ro cesses, what might make u p such a p ro cess and ho w
the o rganizatio n has interp reted these bu siness activities into the management
f
system and there o re into its p ro cesses.
f
Ano ther imp act o n p ro cess p er o rmance that the au dito r needs to b e
aware o f and u nderstand is that the o rganizatio nal cu ltu re will a ffect b o th the
f
au dit and, p o tentially, p ro cess p er o rmance. The au dito r needs to ap p reciate the
o rganizatio nal cu ltu re they are wo rking in and wo rk within this, mo di ying their f
au diting techniqu es and metho ds acco rdingly.
What pro fessional knowledge does an auditor need?

T he f nal area o f kno wledge is that relating to qu ality. Accep ting that we have
co vered the b u siness kno wledge needed in o ther sectio ns, this area relates to the
‘qu ality’ -sp eci f c kno wledge that needs to b e u ndersto o d. Qu ality termino lo gy
is, in e ffect, b u siness termino lo gy that we have already co vered. T his can
b e extended to inclu de qu ality management p rincip les, which are, in e ffect,

b u siness management p rincip les.
Where sp eci f c ‘qu ality’ kno wledge is o f u se is in u nderstanding sp eci f c
to o ls and techniqu es that have traditio nally b een u sed b y qu ality p ro essio nals. f
O f co u rse as the management system is p ro cess b ased and as these p ro cesses
co ver a range o f management discip lines, inclu ding ‘qu ality discip lines’ , the
au dito r can exp ect these to o ls and techniqu es to b e fo u nd o r u sed in the
ap p ro p riate p ro cesses. E xamp les o f this co u ld b e:
• statistical co ntro l, which co u ld b e u sed to assist the measu rement o f

f
p ro cess p er o rmance;
60
• failure mode and e ffect analysis, which could be used in a design and
development process; and
• cause and e ffect analysis, which could be used in an improvement process.
Understanding these tools gives the auditor a wider and deeper appreciation
o f how traditional ‘quality’ techniques can be used to improve and support
process performance.
What skills does the audit team leader need?

The need to audit processes and their management for e ffectiveness and
compliance, particularly in larger organizations, may well mean that audit teams
may be needed. In the past where compliance to procedures was the only real
requirement, individuals working on their own were o ften su ff cient to carry out
an audit. This may well not be the case when auditing processes, for a number
o f reasons as follows.
• Not all auditors have the same level o f auditing competence. Di fferent
auditors will have di fferent auditing experiences and skills. As processes run
across the organization, inevitably auditees will occupy di fferent positions
within the business. They will have di fferent responsibilities at di ffering
levels with the business, di fferent attitudes and experiences; the same
auditor may not have su ff cient skill to audit them all. A good compliance
auditor does not necessarily have the competence to audit the e ffectiveness
o f a business planning process.
• Lack o f con f dence or experience. Although this is o ften caused largely by
inexperience, nonetheless it is a critical factor i f the audit is to be a success.
A good example o f this is an auditor with compliance auditing skills
being asked to audit the managing director to determine how e ffective the
management system is in meeting business obj ectives. Although in some

organizations this may well be acceptable, even promoted in others, it may
place the auditor in a position where they are not going to do j ustice to
themselves or the audit. This may simply be because they are not o f the
right grade, position or may not have the con f dence or experience to audit
a senior manager.
• Lack o f understanding o f the business and the process. To audit processes
e ffectively auditors require an understanding o f a wide range o f business
principles. This does not have to be an in-depth understanding but an
awareness. For example it is o ften commented that auditors need an
understanding o f quality, health and sa fety, and environmental issues (the
integration myth) , but what about business planning principles or how an

asset is managed or how people develop skills, i. e. management principles
61
and disciplines that need to come together (be integrated) in a system and
the processes that support it? It is o ften this area that is overlooked but is
probably the most important in enabling the auditor to assess e ffectiveness.
When auditing the e ffectiveness o f the management o f a process this area
is probably more important than technical specialisms. At the time o f
writing the focus for appointing auditors is o ften based on their technical
competence not on their management ability. As ISO 9001 : 2008 is based
on the e ffectiveness o f management to manage their organization to deliver
results and to ensure customer satis faction, perhaps organizations should
now consider appointing auditors on their management ability rather than
their technical expertise.
With di fferent auditors having di fferent interpersonal skills, di fferent levels o f

understanding o f management disciplines and o f con f dence, as well as auditing
processes that run across the business, o ften it is easier and more appropriate to
operate in audit teams. When operating in a team someone needs to lead it and
take responsibility for its direction and activities. Leading an audit team is not
about technical or specialist competence in the area concerned. I f it was, then
lead auditors would indeed be a rare animal. Leading a team requires leaderships
skills associated with ensuring that the audit process is run e ff ciently and
e ffectively. These skills fall into a number o f areas as follows.
• Planning the audit – as we have seen auditors have different skills and may
even be in di fferent locations so the available audit resource needs to be
appointed accordingly based on the process to be audited. In addition the

method or approach needs to be considered. Traditionally auditing has been
completed face to face on a one-to-one basis. To audit e ffectively this does
not have to be the case. The auditor can use many methods including email,
telephone, short questionnaires and videocon ference for example, as covered
in previous sections.
• Representing the audit team – as part o f the audit this will probably mean
discussing and planning the audit with the process owner or management
team member. This would include agreeing who is to be audited, the scope
o f the audit and any particular aspects o f the process that need special
attention. At the end o f the audit the lead auditor will also present/report the
audit fndings back to the process owner or managing director and agree any
follow-up action required.
• Completing the audit report – as the auditing is being conducted by a team,
the lead auditor is responsible for bringing the different ‘strands’ o f the
audit together in order to reach conclusions. Identifying non-compliances
is normally straightforward, identifying areas for improvement that will
enhance performance can be more diff cult to agree. This o ften requires the
62
team to reach consensus on what the different strands mean when they are
added together. How this is achieved can vary but on occasions individual
team members may disagree with each other. At this point the lead auditor
needs to have the skill to facilitate the team to reach a sensible conclusion
that will make sense to the team, the process owner and support the
improvement o f the organization. Coupled with this is the ability to write an
audit report that is e ffective in portraying the fndings and conclusions o f the
audit. The fndings need to be succinct, clear and easy to understand showing
what obj ective evidence has been identif ed to support the conclusions.
The lead auditor needs to be able to j usti fy the statements made, i f
required, and to enter into discussions as to how the areas identi f ed might
be resolved. The lead auditor should, however, be care ful not to recommend
actions as part o f the audit. O ften when reporting areas for improvement
there is a temptation to ‘recommend’ how a particular issue may be resolved
or improved. There may well be many ways that a problem could be
resolved, some unknown to the audit team or outside the scope o f their
understanding. Improvements are likely to be subj ect to the organization’s
improvement process (as required by ISO 9001 : 2008) and it is this activity
that will identi fy the causes and recommend solutions. Lead auditors need to
be care ful with recommendations, o ften it is best to report statements o f fact
and leave the actions and recommendations for improvement to the manager
concerned – that’s their responsibility.
• Managing the audit as it is progressed – the lead auditor is responsible for
managing the audit as it is carried out. This may mean resolving issues,
some o f which may be con frontational in nature. This can o ften require tact
and diplomacy (hence the attributes listed in this bullet list) . It may also
mean identi fying potential problems that could occur and taking appropriate
action to prevent them from happening.
• Developing the auditors – by their nature lead auditors tend to be more
experienced managers as well as auditors. This experience can be used to
develop auditor competence, identi fying training needs and taking part in
training and development activity that will improve auditor performance.
63
1 0. C o nclu s io n and the way fo rward
What do e s the futu re ho ld fo r qu ality audito rs ?
T here are many typ es o f au dito r. Au dito rs who are emp lo yed to au dit
co mp liance will still b e requ ired, as this ap p ro ach will b e needed to ensu re
requ irements o f sp eci f c detailed standards are b eing met. F o r tho se requ ired to
au dit p ro cesses, ho wever, the fu tu re is b leak i f ap p ro p riate au diting/assessment
skills and techniqu es are no t u sed and enhanced o ver time. I n this b o o k we
have o nly co vered the b asic p rincip les, and these need time and p ractice to b e
e ffective and fo r the reader to tru ly u nderstand the p rincip les invo lved. I n o ther
wo rds reading the b o o k witho u t the p ractice will no t b u ild co mp etence.
O ur experience sho ws that the development o f these key skills takes time,
and as co mpetence builds so auditors create their o wn style and appro ach based
o n the techniques outlined. This appro ach has created a far mo re interactive and
value adding appro ach to auditing. Audito rs report that they not o nly f nd out
f
more in ormatio n quicker, but that they are also f nding o ut value adding areas fo r
impro vement that wo uld no t have been identi f ed so lely fro m compliance auditing.
These are key skills that need to be mastered fo r the future. In additio n
audito rs need to be much mo re business aware, with an understanding at least at
an o verview level o f the di fferent management skills and techniques used within
an o rganizatio n. This may include understanding f nance, health and sa ety, new f
pro duct develo pment, impro vement techniques, asset management and strategy
and business planning fo r example, all o f which a ffect either pro cess o r system
management auditing. This is no t an exhaustive list and we are no t saying yo u
need to be an expert in all areas, which is impo ssible. But audito rs will need an
appreciatio n o f these o ther areas in o rder to audit the ‘j o ined-up’ nature o f bo th

pro cesses and systems and to help drive the need fo r them to impro ve and change.
64
Why do organizations want or need this?

For many years auditing has o ften been seen to add little value, providing
management with predominantly low-level in formation on which to base
decisions. This has mainly been provided by compliance based audits or audit
reports that do not provide in formation to management that either stimulates
the need for change or identi f es risks o f which they were not previously aware.
But this is precisely the in formation that management need and want.
Auditing, both third party and internal, is a cost to organizations, and by not
providing the required information that adds value, auditors will be doing their
employers and customers a disservice. As importantly, they are also giving people
the opportunity to reduce the importance o f auditing and auditors. In such a
situation, organizations quite naturally look for other solutions to their problems
and if that means not using auditors in the traditional manner then so be it.
Very few organizations fail to understand the need for improvement and
change to enhance their performance. Auditors have a vital role to play, but only
i f they adopt the techniques and approaches required.
As an organization’s business management system evolves, so its complexity,

scope and maturity changes. This is quite natural and as the management system
changes so the role o f the auditor will also change and be enhanced over time.
This changing state will provide further opportunity for auditors but they will
also require enhanced auditing techniques, methods and approaches to give

management the information they need.
As we have already seen, systems and processes are living entities, they
are the real world in which we work and operate. Auditing is a measurement o f
performance in that it should identi fy areas o f noncon formance and business
risk to the achievement o f process and system obj ectives. An example audit
report is shown below in Figure 1 0. 1 , which was created following an audit
o f an organization’s ful f lment process. In doesn’t matter that you do or do not
understand what ful f lment is in detail, what matters is the underlying auditing
principles that have been applied.
To help with understanding the report:
• Page 1 covers the risks to the delivery o f obj ectives.

• Pages 2 to 6 cover the analysis o f data to identify where potential risks may
exist. These can be seen by comparing scores from di fferent groups o f people
taking part as well as the absolute scores.
• Page 6 covers speci f c noncon formances (in this case there aren’t any) .
Conclusion and the way forward
65
In the example below:

• Audit scores at 40% represent ‘OK performance’, i.e. compliance.
• Scores above 40% indicate increasing levels o f e ffectiveness o f activities in delivering
the objectives.
• Scores below 40% indicate areas o f risk or noncon formances that need to be addressed.
Overall Result: 49.6 % – Bronze Level

B ased on th e evi d en ce provi d ed by th e peopl e taki n g part i n th e assessm en t th e resu l ts sh ow th at you r organ i sati on
h as m et th e m i n i m u m l evel req u i red to be cl assi f ed as m eeti n g th e req u i rem en ts o f th e fram ework from wh i ch th i s
assessm en t was created . C on gratu l ati on s, you have achieved our Bronze Award.
Overview & Result against Per ormance Drivers f
Per ormance
f Description %
Driver
1 Th e rel ati on sh i p wi th su ppl i ers i s m an aged an d e ffecti ve 33.8
2 Th e pu rch asi n g process i s con trol l ed to en su re i t i s e ffecti ve 5 0. 6
3 E veryon e i n vol ved i n th e process works togeth er as a team 5 7. 3
4 f
Su ppl i er an d pu rch ase ord er i n orm ati on i s accu rate an d m ai n tai n ed 4 7. 6
5 Su ppl i ers d el i ver wh at th ey are asked to 4 8. 4
6 Th e pl an n i n g process i s m an aged an d con trol l ed 55.1
7 C u stom er servi ce l evel s are ach i eved 42
8 F orecasts are accu rate an d u pd ated i n a ti m el y m an n er 41 . 8
9 I n ven tory val u e an d fll rate are m an aged 5 6. 3
1 0 Ai r frei gh t spen d i n g i s j u sti f ed an d con trol l ed 48

66
PERFORMANCE BY MAIN INVOLVEMENT GROUPS
People taking part in this assessment were asked to identi y their main involvement. The di erence in perception
f ff
between these groups measured against the per ormance drivers is shown below.
f
You can:
Si gn a tu re:
• Consider these di erences and where they may a ect per ormance, this may identi y risk areas
ff ff f f
• Review any speci f c elements where individual groups have a low result
• Understand any real gaps between the perception o di erent groups f ff
1 00
80
Average % Response
D a te:
60
40
20
0
1 4 5 6 7 10
2 3 8 9
Performance Drivers
Opera tor: N ora Da wson 7 769

Performance Driver
Group 1 2 3 4 5 6 7 8 9 10
Da te: 1 7 /08/2009
Buy products/services 26% 55.9% 65.2% 58.9% 47.4% 59.2% 50.4% 41 .3% 64.8% 56%
Plan and orecast inventory
f 60.5% 64.8% 51 .4% 57.1 % 69.4% 45.7% 58.1 % 71 .9% 54.3%
Manage and launch products 55% 35.8% 45.5% 37.1 % 44.3% 31 .1 % 26% 1 6.7% 20% 40%
Coordinate and manage 40% 74.4% 73.3% 82.9% 54.3% 80% 60% 80%
logistics
BSI /PM : Si obh a n Fi tzgera ld
Manage warehouse teams 32.5% 35.1 % 33.3% 37.9% 48.6% 37.5% 42.5% 20% 46.7% 20%
Manage non-warehouse 30% 21 .2% 1 8.8% 22.9% 37.1 % 1 4.7% 24% 20% 20%
teams
Depa rtm en t:
Sell products 45.7% 50% 30% 30% 37.5% 30% 33.3% 40% 50%
BI P 201 5 Fi le n a m e: 2009-01 7 30_Perfom a n ce dri vers ba r gra ph _01 a .eps

l oi sl
i ssu
tuare:
tu
Approva
l ofl of
are:
Approva
tugn
re:
Approva
tugn
aSi
Approva
Si gn
Si gn aSi
67
te: te:
M y main invol vement in Pl anning and Purchasing process is
te:Da
aDa
Buy products/services Pl an and forecast inventory
te:
D aD
M anage and l aunch products Coordinate and manage l ogistics
M anage warehouse teams M anage non-warehouse teams
Sel l products
on s:
on s:
s:ti s:
s:ti s:
on
on
The l argest di fferences are l ikel y to indicate that there may be business risks. The most signi f cant di fferences are:
tica
tica
on
on
s:
s:
fi
fi
ca
ca
ti
ti
on
on
odi
odi
Per ormance Driver Highest Lowest %
fi
fi
Mtica
Mtica
odi
odi
f
fi
fi
Mca
Mca
di erence
M odi
M odi
fi
fi
ff
M odi
M odi
77 69
77 69
6 The pl anning process is managed and Coordinate and M anage non-warehouse teams 65 . 3
7 769
wson
control l ed manage l ogistics
7 769
wson
1 7/08/2009
wson
Da
Air freight spending is justi f ed and
7/08/2009
10 Coordinate and M anage warehouse teams 60
wson
aDa
ora
1/08/2009
NDora
aND
control l ed manage l ogistics
/08/2009
ora
Ntor:
Opera ora
Ntor:
4 Suppl ier and purchase order in formation Coordinate and M anage non-warehouse teams 60
1 7te:
Operator:
Da
te:
tor:
is accurate and maintained manage l ogistics
17
Opera
te:
te:Da
Opera
DaDa n tzgera
ntzgera
aFi Fi ld ld ld
ldtzgera
ntzgera
BI P 201 5 Fi le n a m e: 2009-01 73 0_Perfom a n ce dri vers ba r gra ph _01 b.eps

obh
aFi

a: obh
aFi
en t:
nSi

Si: obh
t: t:
Si
enrtm
rtmen
Si:/PM
:/PM obh
epa
rtm
en t:
BSI
/PM
epa
D
rtm
BSI
/PM
Depa
D
BSIBSI
Depa
Fi le n a m e: 2009-01 73 0_Perfom a n ce dri vers ba r gra ph _01 b.eps

68
PERFORMANCE DRIVERS WITH HIGHEST SCORES – AREAS OF STRENGTH

Listed below are the strongest areas. Where they are above 60% they may be considered as a
strength.
Per ormance Driver
f %
3 Everyone involved in the process works together as a team 57.3
9 Inventory value and f ll rate are managed 56.3
6 The planning process is managed and controlled 55.1
Analysis:
For each o these strengths, reviewing the di erences between each department/team/ unction
f ff f
may indicate where urther improvement could be made. Where a ‘%’ is shown without a
f
number this indicates this department/team/ unction were not asked about this per ormance
f f
driver.
80
60
e e
e i ssu
40
li ssu
of
tu re:
ssu
l ofl iof
Approva
20 gn re:
tu a
Approva
Siare:
tu
Approva
Siagn
Si gn
0
3 9 6
Operations Planning
Da te:
Product Management Purchasing

Da te:
D a te:
Sales
ontis:on s:
ontis:on s:
ca
ca
tis:
tis:
fi
fi
on
on
tica
tica
odi
odi
cafi
cafi
fi M
fi M
M odi
M odi
M odi
Da7wson
769
D a wson 77 69M odi
77 69
1 7/08/2009
wson
1 7/08/2009
DNaora
e:7 /08/2009
N ora
tor:
N ora
ra tor:
Opera
te:
or:
1Da
69
PERFORMANCE DRIVERS WITH LOWEST SCORES – AREAS OF IMPROVEMENT

Li sted bel ow are th e weakest areas, wh i ch i n d i cate an opportu n i ty for real i m provem en t.
Per ormance Driver

f %
1 Th e rel ati on sh i p wi th su ppl i ers i s m an aged an d e ffecti ve 33.8
8 F orecasts are accu rate an d u pd ated i n a ti m el y m an n er 41 . 8
7 C u stom er servi ce l evel s are ach i eved 42
Analysis:
F or each o f th ese i m provem en t areas, fu rth er i n vesti gati on o f th e d i fferen ces f
wi l l i d en ti y possi bl e i m provem en t acti on s.
Results by Departments/Functions/Teams
Ap p ro va l o f i ssu e
Wh ere a grou p i s n ot sh own th ey were n ot asked abou t th i s per orm an ce d ri ver. f
Si g n a tu re:
Performance
Driver
34%
1 46.7%
26%
D a te:
25.7%
57.8%
8 1 7.1 %
41 .3%
M o d i fi ca ti o n s:
42.2%
42.4% Operati on s
O p e ra to r: N o ra D a wso n 7 7 6 9
40.7% Prod u ct
7
M an agem en t
24.3%
1 7 /08/2009
50.4%
Sal es
47.7%
D a te :
Pl an n i n g
Pu rch asi n g
Si o b h a n Fi tzg era ld
D e p a rtm e n t:
B SI / P M :
BI P 201 5 Fi le n a m e : 2 0 0 9 - 0 1 7 3 0 _P erfo rm a n ce d ri vers ( H o ri zo n ta l) b a r g ra p h _0 1 a . ep s

Ap p ro va l o f i ssu e
70
Si g n a tu re:
Wid est varian ce between Departm en ts/Team s/Fu n ction s

Th e h i gh est an d l owest scores are:
Performance
e
Driver
f i ssu
e
D a te :
ssu
tu re:
o fl io
rolva
n are:
46.7%
1
gtu
pva
26%
na
Apro
Si gSi
Ap p
57.8%
8 1 7.1 %
24.3%
7 50.4%
Da
D a te : te:
O p e ra to r: N o ra D a wso n 7 7 6 9
Pl an n i n g Prod u ct M an agem en t
1 7 /08/2009
Pu rch asi n g
D a te :
o n s:
o n s:
tis:
tis:
on
on
ca
ca
i fiti
i fiti
ca
ca
fid
fid
d io
d io
M oM
M oM
Si o b h a n Fi tzg era ld
76
n 7n 7 69
79
D e p a rtm e n t:
D a wso
a wso
B SI / P M :
29009
ra
/0
rao D
80
02
r:o N
//
78
BI P 201 5 Fi le n a m e : 2 0 0 9 - 0 1 7 3 0 _Pe rfo rm a n ce d ri ve rs ( H o ri zo n ta l) b a r g ra p h _0 2 a . e p s
N
10
to
: /
rar:
1 7
p eto
: te
Ora
Da
D a te
Ope
bh bn
oa Fi
ha Fi tzg
ntzg ra ld
e raeld
e n t:
Si: oSi
en t:
a rtm
: M
/P
BI P 201 5 Fi le n a m e : 2 0 0 9 - 0 1 7 3 0 _Pe rfo rm a n ce d ri ve rs ( H o ri zo n ta l) b a r g ra p h _0 2 b . e p s
rtm
PM
ep
/SI
Da
B SIB
D ep
5 Fi le n a m e : 2 0 0 9 - 0 1 7 3 0 _P erfo rm a n ce d ri vers ( H o ri zo n ta l) b a r g ra p h _0 2 b . e p s
5 Fi le n a m e : 2 0 0 9 - 0 1 7 3 0 _P erfo rm a n ce d ri vers ( H o ri zo n ta l) b a r g ra p h _0 2 b . e p s
BI P 201 5
1
7
Driver
Performance
Sel l products
F igu re 1 0 . 1
Buy products/services
1 6.7%
20%
20%
M anage warehouse teams
Fi le n a m e :
M anage and l aunch products
24%
26%
26%
30%
30%
32.5%
33.3%
40%
Results for Main Involvement Groups taking part
41 .3%
42.5%
f
45.7%
50.4%
M y main invol vement in Pl anning and Purchasing process is to. . .

55%
60%
58.1 %
D
aDte:
aD
a
te te
a:1
te:7
1 :1
/
770
/
1/8
7
00/
882
/
0/0
8
220
/90
2099
09 MM
oMd
oMo
idfi
d
o
i fi
ca
idfi
ca
i ti
fi
ca ti
o
cati
n
oti
o
s:
nno
s:s:
n s: Ap
Ap
Ap
pAp
ro
pp
rova
ro
pva
ro
lva
o
lva
f
l
oof
l
i ssu
f
oi ssu
f
i ssu
ie
ssu
ee e
Where a group is not shown they were not asked about this performance driver.
Re s ults b y p er o rmance drive r

O
pOe
pOp
ra
eep
ra
to
ra
eto
ra
r:
to
r:
to
Nr:N
o
r:
Nra
oN
o
rara
o
Dra
D
aDwso
aD
a
wso
wso
an
wso
n
7n7n
6
779
667
9969 MM
oMd
oMo
idfi
d
o
i fi
ca
idfi
ca
i ti
fi
ca ti
o
cati
n
oti
o
s:
nno
s:s:
n s: DD
aDte
aD
a
te:
: te:
a te: S iSi
gSin
gSi
g
a
nng
tu
aan
tu
re
tu
are:
tu
:re:
re:
Pl an and forecast inventory
M anage non-warehouse teams

C o nclu s io n and the way
Coordinate and manage l ogistics

fo r ward
2 0 0 9 - 0 1 7 3 0 _P erfo rm a n ce d ri vers ( H o ri zo n ta l) b a r g ra p h _0 3 a . ep s
B SI / PM : Si o b h a n Fi tzg e ra ld D a te : 1 7 /08/2009 M o d i fi ca ti o n s: Ap p ro va l o f i ssu e
D e p a rtm en t: O p e ra to r: N o ra D a wso n 7 7 6 9 M o d i fi ca ti o n s: D a te : Si g n a tu re :
g
zg
ra
era
eld
ra
ldld DD
a te
D
a te:
a: te
1 7
:1 /
7
10/
780
//8
02/
802
/00
2909
09 MM
oM
doid
o
fiid
ca
fi
i fi
ca
tica
o
tin
ti
os:n
o s:
n s: Ap
App
Apro
p ro
pva
ro
va
l va
o
lfo
l if
ossu
f
i ssu
i ssu
e ee
Op
Oera
O
pepra
eto
ra
to
r:to
r:
N r:
N
o ra
N
o ra
oD
raD
a wso
D
a wso
a wso
nn
7n7
7679
6
7969 MM
oM
doid
o
fiid
ca
fi
i fi
ca
tica
o
tin
ti
os:n
o s:
n s: DD
a te
D
a te
a: te:
: SiS
giSi
n
ga n
gtu
a
n tu
are
tu
re
: re:
:
71
72
STATEMENTS THAT INDICATE POTENTIAL RISK

f
N o n on con orm an ces h ave been set for th i s assessm en t.
T he fact f
that there are no no nco n o rmances is interesting as the rep o rt there o re f
sho ws ho w e ffective f
the p ro cess is ab o ve the co n o rmance level. This is the very
f
in o rmatio n that managers need to kno w to b ring ab o u t change to what may
hap p en in the fu tu re f
and there o re redu ce the risk o f no t meeting their b u siness
o b j ectives.
Welco me to the new wo rld o f au diting e ffectiveness f

and p er o rmance.
I n the fo rewo rd we o u tlined the emerging ro le in au diting what p eo p le
actu ally do , no t j u st what they say they do o r write do wn, and the e ffect o f this
o n the delivery o f b u siness o b j ectives. These au diting skills b u ild u p o n tho se
co ntained in this b o o k, and o u t o f necessity invo lve co llecting vastly mo re
data fro m di fferent so u rces and then analysing it to rep o rt against b u siness
o b j ectives, valu es and o p eratio nal p rincip les. I T so lu tio ns are o ten u sed to f
co llect and manage the range and vo lu me o f data needed to do this e ffectively.
I T also p ro vides so lu tio ns to analyse this mass o f data and, thro u gh this, to b o th
u nderstand ho w the co mp lexity o f p eo p le wo rking to gether creates b u siness
f
o u tco mes and to identi y b u siness risks. The skills, kno wledge and to o ls to
achieve this are similar to tho se co vered in this b o o k, b u t b y their natu re and
data vo lu me need to b e signi f cantly enhanced, and I T p ro vides this su p p o rt.
Ap p lying the to o ls in this b o o k will take yo u a lo ng way do wn the p ath to
e ffective au diting, altho u gh they will no t take yo u all o f the way. To address the
co nstraints and fru stratio ns that yo u will inevitab ly feel as yo u and yo u r skills
develo p , yo u may well need to co nsider the u se o f I T to help yo u make the next
mo ve – b u t that is fo r the fu tu re o nce yo u have mastered the f rst step .
‘ LE ARN – C HALLE N G E – C HAN G E – RE N E W and change to auditing
b e havio u rs and true ris k. ’

73
Ap p endix 1 . E xamp le au dito r qu e s tio ns
With the au diting p rincip les and techniqu es exp lained, this ap p endix seeks to
p ro vide so me examp le qu estio ns b ased o n the ap p ro aches u sed. As exp lained
p revio u sly it is no t easy to assess the e ffectiveness o f a p ro cess o r, indeed,
a system, b y simp ly fo llo wing the clau ses o f the Standard – o rganizatio ns
simp ly do no t always wo rk that way. N o netheless the examp les are gro u p ed
b y clau se fo r ease o f f
re erence to gether with qu estio ns that co u ld b e asked to
demo nstrate co mp liance alo ng with tho se that seek to test e ffectiveness. T his
is no t an exhau stive list and all clau ses are no t co vered in the detail needed,
o therwise we wo u ld end u p with a b o o k o f qu estio ns and that is no t the p o int.
O ne co mmo n trend yo u will no tice is that asking a co mp liance qu estio n gives a
de f nitive answer, asking a qu estio n o n e ffectiveness f

p ro vides in o rmatio n – the
f
au dito r’s j o b is then to add this in o rmatio n to gether to fo rm the j u dgement o n
e ffectiveness. Also no tice that ‘o p en’ and ‘clo sed’ qu estio ns can b e u sed in b o th
areas – simp ly asking the qu estio n starting with what, ho w, where etc. do es no t
co nstitu te skills asso ciated with e ffectiveness testing.

74
Tab le A. 1 E xamp le que s tio ns fo r C laus e 4 o f IS O 9001 : 2008
Cl au se Req u i rem en t Q u esti on to wh om C om pl i an ce q u esti on E ffecti ven ess q u esti on
n o.
4. 1 I d en ti f cati on o f Sen i or m an agem en t Sh ow m e th e processes th at H ow d o you kn ow th e correct
th e processes m ake u p th e m an agem en t processes h ave been i d en ti f ed ?

system
Sen i or m an agem en t f
Wh at m an agem en t i n orm ati on H ow d o you kn ow th at th e
d o you u se to m on i tor th e f
m an agem en t i n orm ati on you
processes? f
u se i s th e correct i n orm ati on to
con trol a process?
Sen i or m an agem en t Wh at parts o f you r processes H ow d o you assess wh i ch
are ou tsou rced ? parts o f you r process sh ou l d or
sh ou l d n’ t be ou tsou rced ?
H ow i s th i s m an agem en t
d eci si on m ad e?
M an agem en t Wh at parts o f you r processes H ow d o you kn ow th at th e
are ou tsou rced ? ou tsou rced work i s bei n g
e ffecti vel y m an aged an d
con trol l ed ?
Staff m em ber Wh at j obs are gi ven to oth er f

H ow o ten , rou gh l y, i s work
peopl e ou tsi d e th e bu si n ess d on e by oth er peopl e ou tsi d e
to d o? th e organ i zati on com pl eted
wron gl y or bad l y?
Staff m em ber Wh at i s you r j ob? Wh at i s th e i m pact on th e
cu stom er i f you d on’ t get you r
j ob d on e correctl y?
Staff m em ber Wh at part d o you pl ay i n th e H ow d o you kn ow i f or wh en
process? you h ave d on e a good j ob?
Staff m em ber Wh at d o you d o? f

H ow o ten d o you get work th at
i s ei th er wron g, i n correct, n eed s
rework or i s si m pl y con u si n g? f
4. 2 . 1 G en eral Sen i or m an agem en t Are proced u res d ocu m en ted ? H ow d i d you d eterm i n e wh at
D o you h ave a q u al i ty m an u al ? m eth od an d approach i s o f m ost
I s th ere a statem en t o f q u al i ty ben e ft to you r organ i zati on ?
an d obj ecti ves?

Appendix 1
75
C l au se Req u i rem en t Q u esti on to wh om Com pl i an ce q u esti on E ffecti ven ess q u esti on
n o.
4. 2. 2 Quality manual Senior management/ Do you have a quality manual? What is the purpose o f the
management Show me your quality manual. manual?
Does it contain the right H ow is it used on a routine,
in formation outlined in the regular basis?
Standard? H ow is its content translated
into everyday activity?
Why is it written the way it is?
H ow does the manual
support the objectives o f the
organization and its image with
the customer?
Staff Do you know where to f nd What is this organization trying
the manual? to achieve?
Show me the quality manual. H ow does the organization
work?
H ow do we all work together to
deliver results?
H ow do we improve things in
this organization?
4. 2. 3 Document M anagement/staff Do you approve documents H ow o ften do you f nd that you
control prior to issue? use the wrong in formation or
Do you have a procedure? documents in this organization?
Show me how you control (Ask many people to build up a
the version. picture. )
Etc. Do you ever think that you use
out-o f-date in formation?
H ow do you know you are
using the most up-to-date
in formation/documents?
76
n o.
5. 1 M anagement Senior management H ow do you demonstrate H ow do you know that
commitment that you are committed the approaches you use to
to the development and d emonstrate commitment are
implementation o f the e ffective?
management system?
Staff member Are management committed to When was the last time you
the management system? saw/heard your manager
Or: concerned with meeting the
H ow committed are customer’s needs?
management to the What was this?
management system in this What was the impact o f these
organization? statements on you and your
colleagues?
Co m p a re th e a n s we rs give n b y b o th m a n a ge m e n t an d s ta ff a n d ide n t i f
y
a n y i n c o n s i s t e n c ie s .
5. 2 Customer focus Senior management H ow do you focus on the H ow do you prioritize the need s
needs o f the customer? o f d i fferent customers and other
stakeholders?
We can’t satis fy everyone
1 00 per cent o f the time, so how
do you manage this?
H ow is this in formation used to
set business objectives?
H ow do you validate the
in formation to ensure it is
correct (otherwise your
objectives could be incorrect)?
Senior management/ H ow do you identi fy customer H ow do you know that the
management needs? process for identi fying customer
needs is e ffective?
Senior management/ What process do you have H ow are customers’ needs
management to identi fy what customers’ translated into objectives that
needs are? are subseq uently measured by
What is your role in this customer satis faction activity?
process? H ow does it all link together?
Senior management Who is responsible for this H ow is this process managed,
process? controlled and improved on a
continual basis?
Appendix 1
77
C l au se Req u i rem en t Q u esti on to wh om C om pl i an ce q u esti on E ffecti ven ess q u esti on
n o.
5.3 Qu al i ty pol i cy Sen i or m an agem en t Sh ow m e you r pol i cy. Wh at factors d i d you con si d er i n
d eterm i n i n g th e pol i cy d etai l s?
Staff m em ber D o you kn ow wh at th e q u al i ty Wh at i s i m portan t to th i s
pol i cy i s or wh ere to fnd i t? organ i zati on ?
H ow i m portan t i s i t th at you
d o a good j ob – to you , to th e
cu stom er, to th e organ i zati on ?
I f th ere was on e th i n g th at th i s
organ i zati on h ad to ach i eve,
wh at wou l d i t be?
Sen i or m an agem en t H as th e pol i cy been H ow d o you kn ow th at you r
com m u n i cated ? em pl oyees u n d erstan d th e pol i cy
H ow? an d wh at i t m ean s to th em ?
5 . 4. 1 Qu al i ty Sen i or m an agem en t D o you h ave q u al i ty obj ecti ves? H ow d o you kn ow th e
obj ecti ves obj ecti ves are correct?
Wh o created th e obj ecti ves? H ow d o you kn ow th at th e
m an agem en t agree wi th th e
obj ecti ves set?
Are th e obj ecti ves m easu rabl e? H ow were th e m easu res
sel ected ?
H ow d o you kn ow th at th ese
are actu al l y ach i evabl e?
H ow m an y obj ecti ves are H ow d o th ese obj ecti ves
th ere? com pl em en t an d su pport each
oth er to m ove th e organ i zati on
forward ?
H ow d o you kn ow th at th ey
j oi n tl y d el i ver everyth i n g you
n eed to d o as a bu si n ess?
Lin k t h e a n s we rs to th e se qu e s tio n s wi t h th o se gi ve n in a n s we r t o
S u b c la u s e 5. 2 . Do th e a n s we rs li n k? D o t h e y m a ke se n se ?
M an agem en t Wh at are you r obj ecti ves? H ow d o you kn ow i f you r
Are th ey m easu rabl e? obj ecti ves l i n k to th ose o f th e
organ i zati on ?
H ow were th e obj ecti ves
created ?
78
n o.
5. 4. 2 Quality Senior management I s the management system H ow do you know that the
management d esigned to meet the management system has been
system planning objectives o f the business? d esigned to meet the objectives
H ow do you maintain the set?
integrity o f the management H ow do you ensure that the
system? integrity o f the management
system is maintained so that
customers are not adversely
affected during changes?
5. 5 . 1 Responsibility Senior management Are responsibilities and H ow are responsibilities
and authority authorities de f ned? communicated?
H ow do you know i f these
responsibilities are being applied
correctly?
H ow do you reallocate/reduce
responsibilities when needed?
5. 5 . 2 M anagement Senior management/ Who is the management Who in the management team
representation management representative? ‘champions’ the management
Show me what you do (to the system?
management representative) H ow e ffective is the
management representative
in helping the organization to
understand how it delivers
results and improves business
performance?
5. 5 . 3 I nternal Senior management H ow do you communicate H ow do you know that the
communication results to the rest o f the communication methods you
organization? use are e ffective?
M anagement H ow do you communicate H ow do you translate the
results to your staff? organization’s results into
in formation that directly
applies to your staff rather than
‘corporate/business speak’?
Does your manager provide you
with in formation on business
performance that directly applies
to you?
Appendix 1
79
n o.
Staff How well is the organization Does the in formation you are
performing? provided with mean anything to
Do management communicate you?
to you on this subject? Does the in formation relate
directly to your job?
How can you infuence these
results?
5.6 Management Senior management/ Do you hold a management How do management review
review management review? the performance o f the business?
What do you look at? How effective are these
What are the results o f the methods?
review? How do you know the actions
How do you record the actions agreed are aimed at delivering
from the review? the organization’s objectives?
Are discussions at reviews based
on improving results?
What subject areas are
discussed?
How do they relate to the
performance o f the business and
its objectives?
What factors do you use to
prioritize improvement activity?
80
n o.
6. 1 Provi si on o f Sen i or m an agem en t/ D o you al l ocate resou rces? H ow d o you kn ow th e
resou rces m an agem en t H ow d o you m an age resou rces you u se are al i gn ed
resou rces? to th e d el i very o f th e bu si n ess
Wh at resou rces d o you n eed ? obj ecti ves?
H ow d o you kn ow th at th e
resou rces req u i red con tri bu te
f
to sati s yi n g cu stom er n eed s/
req u i rem en ts?
6. 2 . 1 G en eral Sen i or m an agem en t/ H ow d o you recru i t peopl e H ow d o you kn ow th e
m an agem en t wh o are com peten t? bal an ce between trai n i n g an d
H ow d o you m an age peopl e’ s com peten ce an d th e n eed
com peten ces? for proced u res i s correct an d
H ow d o you bal an ce th e n eed e ffecti ve?
for proced u res wi th peopl e’ s H ow d o you kn ow you r peopl e’ s
com peten ces? com peten ces are su ff ci en t to
d el i ver th e bu si n ess obj ecti ves?
Staff Wh at resou rces d o you u se? I f th ere was on e th i n g th at
wou l d h el p you d o you r j ob
better wh at wou l d i t be?
6. 2 . 2 C om peten ce, M an agem en t H ave com peten ces been H ow d o you kn ow th e correct
awaren ess an d de f n ed ? com peten ces h ave been d e f n ed ?

trai n i n g Are trai n i n g n eed s i d en ti f ed ? Wh at m eth od s d o you u se to
D o you eval u ate trai n i n g eval u ate trai n i n g an d h ow d o you
i n terven ti on s? kn ow wh en to u se each on e?
D o you h ave trai n i n g record s? H ow d o you pri ori ti ze
H ow d o you com m u n i cate som eon e’ s l earn i n g/trai n i n g
th e i m portan ce o f you r sta ff ’ s n eed s?
acti vi ti es i n m eeti n g obj ecti ves? Wh at su pport d o you gi ve th at
H ow d o you m ake th em al l ows sta ff to appl y wh at th ey
u n d erstan d th i s? h ave l earn t i n th e workpl ace?
H ow d o you kn ow h ow e ffecti ve
th i s su pport i s?
H ow d o you kn ow th at you
h ave e ffecti vel y com m u n i cated
person al obj ecti ves to sta ff?

Appendix 1
81
n o.
Staff H as th e organ i zati on d e f n ed D o you th i n k th e com peten ces
th e com peten ces you n eed to de f n ed for you r j ob are correct?
d o you r j ob? H ow good are m an agem en t
D o you u n d erstan d h ow at revi ewi n g you r com peten ce
i m portan t you r acti vi ti es are? f

an d i d en ti yi n g wh ere you can
i m prove?
I n you r vi ew i s trai n i n g d el i vered
gen eral l y too l ate or too earl y on
occasi on s?
f
A ter you h ave recei ved trai n i n g
d oes som eon e ‘ test’ or ch eck
to see th at you can appl y th e
trai n i n g you h ave recei ved ?
H ow d o you r acti vi ti es h el p th i s
bu si n ess ach i eve i ts overal l goal s
an d obj ecti ves?
6. 3 f
I n rastru ctu re M an agem en t Wh at eq u i pm en t/assets d o you H ow d o you kn ow th at th e
h ave? eq u i pm en t i s capabl e o f
H ow i s th i s eq u i pm en t d el i veri n g th e obj ecti ves?
m an aged an d m ai n tai n ed ? H ow d o you kn ow th at you h ave
H ow i s th e eq u i pm en t pu rch ased an d com m i ssi on ed
pu rch ased ? th e m ost appropri ate
D o you back u p I T system s? eq u i pm en t?
Wh at processes d o you h ave to H ow d o you assess th e
m an age al l you r resou rces? e ffecti ven ess o f you r d i saster
D oes you r process cover recovery pl an s sh ou l d you r
acq u i ri n g, com m i ssi on i n g an d f

i n rastru ctu re fai l ?
d ecom m i ssi on i n g an asset? H ow d o you opti m i ze th e
Wh at approval s are gath ered f

per orm an ce o f f
you r i n ra-
for asset pu rch ase? stru ctu re resou rce?
H ow d o you kn ow th at
approval s for asset pu rch ases
fol l ow th e agreed govern an ce
ru l es for th e bu si n ess?
Staff Wh at eq u i pm en t d o you u se? H ow e ff ci en t i s th e eq u i pm en t
H ow i s th e eq u i pm en t you u se?
m ai n tai n ed ? H ow q u i ckl y i s i t repai red sh ou l d
i t breakd own ?
f
H ow o ten d oes eq u i pm en t
fai l u re a ffect you r prod u cti on /
servi ce d el i very?
82
n o.
6. 4 Work M an agem en t Wh at d o you con si d er to be H ow d o you kn ow wh en to
en vi ron m en t you r worki n g en vi ron m en t? m ake a n ew i n vestm en t i n th e
H ow i s th e worki n g worki n g en vi ron m en t?
en vi ron m en t m an aged ? H ow d o you m easu re th e
Wh at l egal an d regu l atory i m pact o f th e worki n g
req u i rem en ts d o you n eed en vi ron m en t on peopl e’ s
to fol l ow? m oti vati on to work h ere?
worki n g en vi ron m en t su pports
th e d el i very o f process an d
prod u ct req u i rem en ts?
Staff Wh at i s i t l i ke worki n g h ere?
I f th e worki n g en vi ron m en t
cou l d be i m proved h ow wou l d
i t be?
D o m an agem en t ever ask for
you r opi n i on on th e acceptabi l i ty
o f th e en vi ron m en t to d el i ver
wh at cu stom ers n eed ?
D oes th e en vi ron m en t you work
in a ffect f
you r per orm an ce an d
th e q u al i ty o f wh at i s prod u ced ?
Ap p e ndix 1
83
Tab le A. 4 E xamp le qu es tio ns fo r C laus e 7 o f IS O 9001 : 2001
n o.
7. 1 Planning M anagement What are the processes for H ow do you know the correct
o f product product realization? processes have been id enti f ed
realization H ow do these processes to meet the objectives set?
operate? H ow do you know that the
planning is an appropriate form
for the business?
H ow has this been ‘tested’
to maximize the operational
performance o f the organization?
7. 2. 1 Determination M anagement H ow do you determine what H ow do you know you have
o f requirements customers require? determined the customers’
related to the What statutory and regulatory requirements correctly?
product requirements relate to the H ow good do you think you
product/service? are at identi fying what your
What non-stated requirements customers’ need s really are?
are there? H ow e ffective is the business at
ensuring you don’t fall short o f
regulatory requirements?
Staff H ow do you identi fy H ow good do you think you (the
customers’ need s/ organization) are at identi fying
requirements? what your customers’ needs
really are?
7. 2. 2 Review o f M anagement H ow do you review the H ow much wasted work is
requirements organization’s capability to carried out in this organization as
related to the deliver what the customer a result o f you, or the customer,
product requires? changing what is required?
Show me the details.
Staff H ow do you know you are H ow o ften do you f nd that you
capable o f delivering what is can’t actually deliver what you
required? have agreed to?
7. 2. 3 Customer M anagement H ow do you communicate H ow do you know that
communication in formation to customers? customers know how to
What provision have you made communicate with the
that allows customers to raise organization e ffectively?
queries or provide you with H ow has this type o f
feedback? communication from the
customer affected what you have
done in the past six months?

84
n o.
7. 3 . 1 D esi gn an d M an agem en t H ow d o you pl an th e d esi gn H ow d o you opti m i ze th e u se
d evel opm en t an d /or d evel opm en t o f a n ew o f resou rces you h ave avai l abl e
pl an n i n g prod u ct or servi ce? to you ?
Wh at resou rces d o you n eed ? H ow d o you pri ori ti ze d i fferen t
proj ects?
H ow d o you kn ow th at you r
l i m i ted resou rces are bei n g u sed
i n su ch a way as to m axi m i ze th e
ben e ft to th e organ i zati on an d
i ts cu stom ers?
Staff H ow are n ew d esi gn s/ D o you th i n k th at th e
d evel opm en ts carri ed ou t? organ i zati on kn ows wh i ch
proj ects are m ore i m portan t
th an oth ers?
f
H ow o ten d o you get ‘ torn’
between th e n eed s o f di fferen t
proj ects an d d on’ t kn ow wh i ch
to d o f rst?
7. 3 . 2 D esi gn an d Proj ect m an ager Wh at factors d o you H ow d o you kn ow th e d esi gn
d evel opm en t con si d ered wh en d esi gn i n g/ i n pu ts h ave been i d en ti f ed

i n pu ts d evel opi n g a prod u ct or correctl y?
servi ce? f
H ow o ten d o you fnd, wh en
Wh at l egal an d regu l atory testi n g a prod u ct or servi ce, th at
req u i rem en ts are i m portan t? th e d esi gn i n pu ts h ave n ot been
i d en ti f ed correctl y?
D esi gn /d evel opm en t Wh at factors d o you H ow m u ch wasted e ffort d o you
team con si d ered wh en d esi gn i n g/ th i n k takes pl ace on d esi gn an d
d evel opi n g a prod u ct or d evel opm en t work?
servi ce? D o you th i n k you are care u l f
Wh at l egal an d regu l atory en ou gh wh en you d esi gn or
req u i rem en ts are i m portan t? d evel op prod u cts an d servi ces?
7. 3 . 3 D esi gn an d Proj ect m an ager Wh at d esi gn /d evel opm en t H ow m an y ch an ges are m ad e
d evel opm en t ou tpu ts d o you h ave? to d esi gn /d evel opm en t ou tpu ts
ou tpu ts D o th ey con tai n th e req u i red f

be ore th ey are correct an d can
prod u ct acceptan ce cri teri a? be u sed ?
d esi gn /d evel opm en t ou tpu ts are
rel evan t an d appropri ate to th e
n eed s o f th e rest o f th e bu si n ess?

Appendix 1
85
n o.
D esi gn / Wh at d esi gn /d evel opm en t C an you gi ve m e an exam pl e o f
d evel opm en t team ou tpu ts d o you h ave? wh en th e d esi gn /d evel opm en t
D o th ey con tai n th e req u i red ou tpu ts h ave n ot been
prod u ct acceptan ce cri teri a? u n d erstan d abl e?
H ow rel evan t are th e d esi gn /
d evel opm en t ou tpu ts to you r
j ob?
D o th ey provi d e you wi th th e
f
i n orm ati on you n eed ?
7. 3 . 4 D esi gn an d Proj ect m an ager/ f

H ow o ten d o you h ol d f
H ow o ten are agreed d ead l i n es
d evel opm en t proj ect team revi ews? for acti on s m i ssed ?
revi ew Wh at i s th e pu rpose o f th ese Wh y i s th i s?
revi ews? H ow are d i sagreem en ts or
Wh o atten d s th ese revi ews? con cern s on th e way forward
Wh at h appen s at th ese resol ved q u i ckl y an d to th e
revi ews? ben e ft o f th e bu si n ess?
C om pared wi th you r
com peti tors h ow good are you
at getti n g prod u cts to m arket?
7. 3 . 5 D esi gn an d Proj ect m an ager/ H ow d o you test prod u cts f

H ow o ten d o you i d en ti y f
d evel opm en t proj ect team an d servi ces to ch eck th at you probl em s fou n d wi th prod u cts
veri f cati on h ave d esi gn ed wh at you were f

an d servi ces a ter th ey are
su pposed to d esi gn ? rel eased ?
Wh at record s d o you keep? H ow d o you bal an ce th e n eed
an d ri sks to get th e prod u ct or
servi ce l au n ch ed wi th m aki n g i t
f
per ect?
7. 3 . 6 D esi gn an d Proj ect m an ager/ H ow d o you test prod u cts H ow d o you kn ow th at
d evel opm en t proj ect team an d servi ces to ch eck th at you cu stom er req u i rem en ts h ave
val i d ati on h ave d esi gn ed som eth i n g th at been m et wh en you are
m eets th e ori gi n al cu stom er or d esi gn i n g th e prod u cts an d
m arket n eed s? servi ces?
7. 3 . 7 C on trol o f Proj ect m an ager/ H ow are ch an ges i n corporated H ow d o you kn ow th at
d esi gn an d proj ect team i n to d esi gn s/d evel opm en ts? th e ch an ges to d esi gn s or
d evel opm en t d evel opm en ts wi l l h ave th e
ch an ges d esi red resu l ts?

86
n o.
7. 4 . 1 Pu rch asi n g Pu rch asi n g m an ager Wh at i s th e pu rch asi n g H ow d o you kn ow th at th e
process process? su ppl i ers you u se con ti n u e to
H ow d oes th e process work? con tri bu te to th e d el i very o f
Sh ow m e th e process worki n g. bu si n ess obj ecti ves?
7. 4 . 2 Pu rch asi n g Staff f

Wh at pu rch asi n g i n orm ati on H ow d o you kn ow th at you
f
i n orm ati on d o you i n cl u d e on pu rch ase provi d e su ff ci en t f
i n orm ati on to
ord ers? you r su ppl i ers, n ot too m u ch bu t
Wh at q u al i ty m an agem en t n ot too l i ttl e?
system req u i rem en ts d o you H ow d o you kn ow th at you r
i n si st u pon ? su ppl i ers are m an agi n g th ei r
bu si n ess i n an e ff ci en t an d
e ffecti ve m an n er?
H ow d o you assess th i s?
7. 4 . 3 Veri f cati on M an agem en t H ow d o you en su re th at H ow d o you red u ce th e ri sk o f
o f pu rch ased th e pu rch ased prod u cts an d bou gh t i n good s’ an d servi ce
prod u ct servi ces are wh at you ord ered ? fai l u res on wh at i s provi d ed to
Wh at acti on s d o you take you r cu stom ers?
to ch eck th at th e good s you
recei ve are OK?
7. 5 . 1 C on trol o f M an agem en t H ow d o you con trol H ow d o you pl an th e way i n
prod u cti on an d operati on al acti vi ti es to en su re wh i ch operati on al acti vi ti es are
servi ce provi si on f
con si sten cy an d con orm i ty o f f
per orm ed to provi d e su ff ci en t
th e servi ce or prod u ct? con trol s?
Wh at work i n stru cti on s, H ow d o you con trol th e ri sks o f
con trol pl an s or sch ed u l es d o operati on al acti vi ti es i n m eeti n g
you u se to con trol operati on al cu stom er req u i rem en ts?
processes?
Staff f
Wh at i n orm ati on d o you h ave H ow d o you kn ow th at wh at
to h el p you d o you r j ob? you are d oi n g m eets you r
H ave you been trai n ed to d o cu stom ers’ req u i rem en ts?
you r j ob? Wh at are th e greatest ri sks to
H ave you got th e ri gh t n ot ach i evi n g you r cu stom ers’
eq u i pm en t to d o you r j ob? req u i rem en ts an d h ow d o you
con trol th em ?
H ow d o you kn ow you h ave m et
you r cu stom ers’ req u i rem en ts?

Appendix 1
87
n o.
7. 5 . 2 Val i d ati on o f M an agem en t D em on strate th e val i d ati on H ow d o you con trol an y
processes for m eth od s i n pl ace to con trol processes you can n ot read i l y or
prod u cti on an d processes you can n ot read i l y econ om i cal l y veri y? f
servi ce provi si on or econ om i cal l y veri y. f H ow d o you kn ow th e val i d ati on
f
H ow o ten d o you reval i d ate m eth od s you u se are e ffecti ve?
th e process con trol s?
Staff H ow d o you test th e process? H ow d o you test th e process
to en su re i t m eets cu stom er/
prod u ct req u i rem en ts?
Wh at are th e cri teri a you u se to
m easu re process per orm an ce? f
7. 5 . 3 I d en ti f cati on M an agem en t f
D o you i d en ti y prod u cts? H ow h ave you d eterm i n ed to
an d traceabi l i ty f
H ow d o you i d en ti y prod u cts? wh at exten t i d en ti f cati on an d
traceabi l i ty o f th e prod u ct i s
req u i red ?
H ow d o you kn ow th e con trol s
for prod u ct i d en ti f cati on an d
traceabi l i ty are e ffecti ve?
Staff Sh ow m e h ow prod u cts are Wh at probl em s d oes poor
i d en ti f ed . i d en ti f cati on cau se you an d h ow
C an you fnd th i s xyz prod u ct d o you con trol th i s?
for m e?
7. 5 . 4 C u stom er M an agem en t D o you u se cu stom er property H ow d o you kn ow wh en
property i n th e process? cu stom er property i s u sed i n th e
H ow are probl em s wi th process?
cu stom er property reported H ow i s cu stom er property
back to th e cu stom er? i d en ti f ed an d protected ?
Wh en probl em s ari se wi th
cu stom er property h ow d o you
d eal wi th th em an d en su re th e
probl em d oes n ot ari se agai n i n
th e fu tu re?
Staff Wh en d o you u se cu stom er H ow d o you report probl em s
property? wi th cu stom er property?
Sh ow m e h ow you protect Wh at h appen s wh en you report
cu stom er property. a probl em ?

88
n o.
7. 5 . 5 Preservati on o f M an agem en t Sh ow m e h ow th e prod u ct i s f

H ow i s con orm i ty o f
prod u ct protected . th e prod u ct to speci f ed

req u i rem en ts m ai n tai n ed
th rou gh ou t th e en ti re process?
Staff Sh ow m e h ow th e prod u ct i s H ow d o you kn ow th at th e
stored . prod u ct i s ad eq u atel y protected
Sh ow m e h ow th e prod u ct i s d u ri n g al l stages o f th e process?
i d en ti f ed .
Sh ow m e h ow th e prod u ct i s
h an d l ed .
7. 6 C on trol o f M an agem en t H ave you i d en ti f ed al l H ow d o you d eterm i n e wh at
m on i tori n g m on i tori n g an d m easu ri n g m on i tori n g an d m easu ri n g i s
an d m easu ri n g eq u i pm en t? req u i red ?
d evi ces H as th e eq u i pm en t been H ow d o you kn ow th e resu l ts o f
cal i brated to a recogn i zed th e m on i tori n g an d m easu ri n g
stan d ard , e. g. N AM AS can be rel i ed u pon ?
approved ? H ow i s m on i tori n g an d
Sh ow m e th e record s for m easu ri n g eq u i pm en t ch ecked ?
m on i tori n g an d m easu ri n g Wh at d o you d o wh en a pi ece
eq u i pm en t. o f m on i tori n g or m easu ri n g
I s th e prod u ct recal l ed an d eq u i pm en t fai l s cal i brati on ?
retested wh en a pi ece o f
m on i tori n g or m easu ri n g
eq u i pm en t fai l s cal i brati on ?
Staff Wh at eq u i pm en t d o you u se to H ow d o you kn ow th e
m on i tor an d m easu re prod u ct m on i tori n g or m easu ri n g
or process per orm an ce tof eq u i pm en t you u se i s worki n g
speci f ed req u i rem en ts? correctl y?

Ap p e ndix 1
89
Tab le A. 5 E xamp le qu es tio ns fo r C laus e 8 o f IS O 9001 : 2008
n o.
8. 2. 1 Customer M anagement Do you measure customer What do you do with the
satis faction satis faction? in formation you get from
H ow do you measure measuring satis faction?
customer satis faction? H ow do you know the methods
you use are e ffective in gathering
the in formation you need?
H ow do you know that the
questions you ask/in formation
you seek is the right in formation?
(Co m p a re th is to th e a n s we rs
f ro m 5. 2 . )
8. 2. 2 I nternal audit Senior management Show me your aud it schedule/ H ow do you know when to
programme. audit each process given the
business risks your organization
faces?
M anagement Are the auditors independent? H ow do you allocate auditors
H ave you trained your auditors based on the purpose o f the
to audit e ffectively? process and competence
Can I see your audit reports? required?
Are non-compliances H ow do you train your auditors
addressed in a ‘timely’ fashion? to und erstand other business
management disciplines such as
budget control, marketing, team
working etc. ?
H ow do you know the audit
reports are providing you with
the in formation you need to
support the management o f the
business?
H ow does the auditing add value
to the business?
H ow have you addressed the
business impact o f the non-
compliance?
90
n o.
8.2.3 Monitoring and Senior management/ Show me your measures. How do you know these are the
and measurement o f management Show me the trends in correct measures?
8.2.4 processes and performance. What is the in formation telling
product Show me the targets for each you?
process. How do you know that the
in formation is accurate?
How do the measures link to the
business objectives?
How do you manage the process
and identi fy cost and waste
e ffciencies?
Give me an example.
Staff Show me the results you What is this in formation telling

achieve. you?
How can you infuence these
results?
8.3 Control o f Management Show me the procedure How do you know that non-
non-con forming to control non-con forming con forming products are not
product product. reaching the customer or being
How do you make sure non- used?
con forming products do not What is the impact on the
get used accidentally? business i f they are released
Do you keep records o f non- accidentally?
con forming products? Why do you need records?
What do you do with them?
Staff Show me the procedure How o ften do you release

to control non-con forming non-con forming products but
products. don’t record it for operational
How do you make sure non- reasons?
con forming products do not What is a non-con forming
get used accidentally? product?
Do you keep records o f non- How do you know that you
con forming products? handle all non-con forming
products the same way?
Th e n c o m p a re th e a n s we rs f
ro m m a n a ge m e n t an d s ta ff to m a ke
a j u dge m e n t .
Management How do you handle product How do you know that any
recalls? product recall would be handled
to protect both the customer and
the image of the organization?
Appendix 1
91
n o.
8. 4 An al ysi s o f d ata M an agem en t f

D o you an al yse per orm an ce? H ow d o you i d en ti y f
H ow d o you an al yse i m provem en ts th at m axi m i ze th e
f
per orm an ce? ben e ft to th e bu si n ess?
f
D oes th e i n orm ati on i n cl u d e H ow d o you m ake
f
d ata on cu stom er sati s acti on ? recom m en d ati on s for
f
D oes th e i n orm ati on sh ow i m provem en t based on th e
f
tren d s i n per orm an ce agai n st resu l ts ach i eved ?
targets? H ow d o you m on i tor th e i m pact
o f i m provem en ts on th e resu l ts
ach i eved ?
8. 5 . 1 C on ti n u al Sen i or m an agem en t/ I s th ere a process for con ti n u al H ow d o you kn ow th at
i m provem en t m an agem en t i m provem en t? i m provem en ts m ad e are
m an aged an d con trol l ed ?
H ow are appropri ate peopl e
i n vol ved i n i m provem en t acti vi ty?
H ow d o you kn ow th at an
i m provem en t d oesn’ t h ave an
ad verse i m pact on oth er acti vi ty?
Staff Wh at i m provem en ts h ave H ave i m provem en ts m ad e
taken pl ace? h el ped you d o you r j ob better/
H ave you been i n vol ved ? m ad e i t easi er?
D oes th i s organ i zati on l earn
from i ts m i stakes to m ake th i n gs
better n ext ti m e?
C u stom ers H as th i s organ i zati on H ow e ffecti ve d o you th i n k th e
i m proved ? organ i zati on i s i n i m provi n g wh at
i t d oes?
8. 5 . 2 C orrecti ve M an agem en t H ave you got a proced u re for H ow d o you kn ow everyon e
acti on correcti ve acti on th at covers d eal s wi th processi n g/prod u ct
th e areas o f th e Stan d ard ? errors or m i stakes i n th e sam e
D o you keep record s o f way to protect th e organ i zati on
correcti ve acti on s? an d i ts cu stom ers?
Staff Wh at i s a correcti ve acti on ? f

H ow o ten d oes th i s take pl ace?
Wh at d o you d o wi th a D o you th i n k you m ake too
processi n g/prod u ct error or m an y m i stakes th at are real l y
m i stake? u n n ecessary?
8. 5 . 3 Preven ti ve M an agem en t H ave you got a proced u re for H ow d o you kn ow th e correct
acti on preven ti ve acti on th at covers bu si n ess ri sks h ave been
th e areas o f th e Stan d ard ? i d en ti f ed an d acti on s pu t i n pl ace
D o you keep record s o f to red u ce th ese ri sks?
preven ti ve acti on s?
Process Management Auditing for ISO 9001:2008
92
1 . E s tabl i s h
b u s i n e s s o b j e cti ve s
2 . Au d i t pl an n i n g
M an ag e m e n t
s ys t e m
d o cu m e n ts I S O
9001 : 2008
3. C arry o u t au d i t/
I S O 1 40 0 1
veri fy acti o n
l e g al an d statu tory
re q u i rem en ts
4. Reco rd
observati on s
5. G e n e rate au d i t
8. Acti o n t ake n
repo rt
6. Act i o n Ye s 7. R es po n s i bi l i ty an d
re q u i re d ? t i m e s cal e s ag ree d
9. Cl ose au d i t
Figure A.1 Example o f a typical internal audit

process (fow diagram and procedure)
BI P 201 5 Fi le n a m e: 2009-01 73 0_A1 .eps

Ap p e ndix 1
93
Tab le A. 6 E xamp le p ro cedure
1 . PU RPO SE AN D SC O PE
1 .1 The purpose o f this procedure is to ensure the company’s operational activities are
being carried out in accordance with the requirements o f the management system and to
monitor compliance to external standards, including legal and statutory obligations. Where
omissions are highlighted this procedure ensures that appropriate timely action is taken in
order to correct the situation.
2. AU D I T PLAN N I N G
2. 1 With re ference to the current business objectives, previous audit results, and the
importance o f the processes to be audited, the management representative is
responsible for generating an annual audit plan covering all relevant elements o f the
management system.
3. AU D I TI N G
3.1 Audits are carried out by the assigned auditor using the following documents as the criteria
to audit against: current management system documents, externally originated standards
(e. g. I SO 9001 : 2008, I SO 1 4001 , etc. ), legal and statutory req uirements, as appropriate.
3.2 During the audit the emphasis is placed on the witnessing o f objective evidence to veri fy
that the management system procedures meet the requirements o f any appropriate
externally originated standard and/or legal and statutory requirements and that they are
being e ffectively implemented.
3.3 Any observations made during the course o f the audit are recorded by the auditor in the
form o f notes or on the ‘audit checklist’ document.
4. RE PO RTI N G
4. 1 I f an opportunity to improve or a problem is identi f ed during the audit the auditor will
endeavour to agree suitable action and timescales for its completion, with the most
appropriate individual(s).
4. 2 At the end o f the audit the auditor completes an ‘audit report’ detailing their
observations and any action that may be necessary, including responsibility and timescales
for completion.
4. 3 The completed audit report is circulated to all staff responsible for taking the action. I t is
their responsibility to carry out the appropriate action by the agreed completion date. The
management representative retains the original report.
5. VE RI F I CATI O N O F AC TI O N
5.1 The action is veri f ed by the management representative as part o f the ongoing
audit plan for that activity or separately, as appropriate, to ensure that it has been
completed e ffectively.
5.2 When satis f ed that the action has been completed and is e ffective the management
representative signs the audit report to close it.

Tab le A. 7 E xamp le au dit s che du le fo r an o rganiz atio n with three lo catio ns
Process Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Managing contact centres
 New business W+T
 Client service W+T
 Client service operations W+T
 Contact centre W+T
Managing contract assignments T

 New business T
 Client service and client service T
operations
 Contract recruitment T
Managing tactical assignments T
Managing in formation systems W+T
Managing land D services W C
Managing and developing people W C T
Managing f nances T
Managing facilities W C T
Marketing W C T
NOTE This audit schedule example is taken from an organization operating over three sites in Warrington, Thame and Crawley, hence the W+T+C, which indicate the
speci f c location to be audited.
95
Re ferences
International standards
ISO 9001 : 2008 , Quality management systems – Requirements
ISO 1 901 1 , Guidelines for quality and/or environmental management systems auditing
ISO 1 4001 , Environmental management systems – Specifcation with guidance for use
Other books in the process management series

BIP 201 3 (2009) Understanding ISO 9001 :2008 and Process-based Management
Systems, London, BSI (ISBN 978 0 5 80 6765 6 7)
BIP 201 4 (2009) Creating a Process-based Management System for ISO 9001 :2008
and beyond, London, BSI (ISBN 978 0 5 80 6765 7 4)

Bip 2015-2009

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Bip 2015-2009

Uploaded by

Copyright:

Available Formats

Process Management Auditing

for ISO 9001 :2008

Understanding ISO 9001 : 2 008 and Process-based Management Systems

Rob Peddle and Ian Rosam

P ro cess M anagement Au diting fo r I SO 9 0 0 1 : 20 0 8

T his seco nd editio n p u b lished in the U K in 20 0 9

© B ritish Standards I nstitu tio n 20 0 9

F irst editio n p u b lished b y B SI in 20 0 3

A catalo gu e reco rd fo r this b o o k is availab le fro m the B ritish Lib rary.

C opyright subsists in all BSI publications. Except as permitted under the

C opyright, D esigns and Patents Act 1 9 88 no extract may be reproduced, stored

in a retrieval system or transmitted in any form or by any means – electronic,

photocopying, recording or otherwise – without prior written permission from BSI.

I f permission is granted, the terms may include royalty payments or a licensing

Standards Institution, 3 89 Chiswick High Road, London W4 4AL.

o f this p u b licatio n. Ho wever, since it is intended as a gu ide and no t a de f nitive

fo r the resu lts o f any actio n taken o n the b asis o f f

in the p u b licatio n no r fo r any erro rs o r o missio ns. T his do es no t a ffect yo u r

Typ eset b y M o no lith – www. mo no lith. u k. co m

F o re wo rd: The au diting wo rld has change d –

The changes to ISO 9 0 0 1 : 20 0 0 no w co ntained in ISO 9 0 0 1 : 20 0 8 are relatively

ap p ro ach to the management o f o rganizatio ns, bo th big and small. Ho wever,

auditing techniques to identi fy the risks being taken within management

which has been a bill fo r $ 1 , 0 0 0 , 0 0 0 , 0 0 0 , 0 0 0 o f aid p ump ed into the eco no my

by the main G 20 go vernments during late 20 0 8 and 20 0 9 . In terms o f co rrective

actio n that is so me co st!

O f co urse, j u st like third p arty registratio n o rganizatio ns, the large

backing o f p eo p le that co unted. They had senio r management, no n-execu tive

to allo w them to do so mething ab o ut it?

the risks su rro u nding this.

So what do es this mean fo r u s as au dito rs? F o r o ne thing, it means

that we canno t j u st rely o n co mp liance and the checking o f reco rds. M o re

imp o rtantly, we have to u nderstand ho w p eo p le wo rk to gether to deliver these

p ap er and co mp u ters. B u t ho w do we au dit b ehavio u r and aren’t we already

o f o rganizatio ns and au dito rs that p ro mo te themselves and b elieve that they

are already assessing e ffectiveness – their marketing material is fu ll o f it. I n

co ncerned and an indu stry trying to mo ve b eyo nd co mp liance. I t is no t their

new metho ds o n what has limitatio ns – co mp liance au diting.

written to help au dito rs ado p t so u nd au diting p ractices that wo rk and to help

I SO 9 0 0 1 : 20 0 8 S tandard and the ever increasing demands o f

o p p o rtu nities availab le fo r the fo rward thinking au dito r.

1. Putting the p rocess ap p roach into context 5

develo p ing o u r au diting skills, kno wledge and co mp etences.

2. The requirements o f IS O 9 0 01 : 2 008 – An auditor’s p ersp ective 9

fo u ndatio n o f the e ffective audito r. A clear u nderstanding o f these

and ho w they can be ap p lied to a business will help the audito r

stru cture their au diting ap p ro ach bo th at system and p ro cess level.

3. The system-p rocess-p rocedure relationship 17

can u ndertake any p ro cess management au dit we mu st f rst

ap p reciate ho w a management system wo rks and the interactio ns

that go o n b etween the o verall system, p ro cesses and p ro cedu res.

4. Auditing to o ls and te chnique s 21

sho uld actually co ndu ct an au dit starting with the to o ls and

techniqu es that can be emp lo yed.

5. Planning and p re p aring a p ro ce s s audit 31

actually carry o ut an audit and then yo u realize j ust ho w true it is!

6. C arrying o ut a p ro ces s audit – C o mp liance vs e ffe ctive ne s s 38

O nce this o ften daunting step is co mp leted it will feed the

au diting o f the p ro cess’ o wners and teams in o rder to assess

the e ffectiveness o f the management system in relatio n to the

this be fo re they write and p resent their rep o rt?

8. As s e s s ing imp ro ve me nts 50

in formation to management on areas o f risk or where opportunities