Creating a Process-based Management System for ISO 9001:2008 and beyond
Process Management Auditing for ISO 9001:2008
by
BSI
389 Chiswick High Road
London W4 4AL
ISBN 978 0 580 67658 1
BSI reference: BIP 2015
agreement. Details and advice can be obtained from the Copyright Manager, British
Great care has been taken to ensure accuracy in the compilation and preparation
statement, the authors and BSI cannot in any circumstances accept responsibility
statutory rights.
Printed by Berforts
Are you ready?
minor in nature, but they have reinforced process management as a strategic
major events that happened as the 2008 version was being published, for
example, the financial meltdown, have reinforced some key messages from
ISO 9001. They have highlighted the failure of traditional compliance based
systems and individual processes. These techniques were not the only failures,
but they contributed significantly to the overall outcome, the consequence of
companies that failed had employed competent and knowledgeable people to
carry out the audits, to report findings to the highest level, and who had the
and executive directors who were very experienced. So what went wrong? Why
was it that although the audits were being carried out, they didn’t highlight the
risks that people were taking and get the message to those who needed to know
In short, the auditors were primarily focused on compliance and although
systems and processes complied, it did not make them effective. It was their
level of effectiveness that failed. It’s the level of effectiveness that we see and
experience and that produces the outcomes from what organizations are doing.
In the end, organizations are responsible for their outcomes and the effect they
have on the world around them, and their auditing should help them manage
outcomes, their behaviour and the culture, as it is people who create risk not
doing this? One of the key fallacies with the auditing industry is the number
reality this often only amounts to good compliance auditing rather than a real
assessment of effectiveness. This is despite the best intentions of the auditors
fault. It is the auditing process that has been followed for so many years that has
failed and so far very few have really addressed this problem, but tried to base
It is against this background that this book has been updated. It has been
them audit effectiveness as well as compliance. Auditing behaviours and culture,
which is ultimately where we believe auditing will end up, requires advanced
auditing skills that are outside the scope of this book. This book will, however,
create the groundwork for them, as the principles covered here are the basis of
these more advanced techniques. If you feel you would like to know how to
audit behaviours then please email the authors who can provide case studies and
examples of organizations that are already adopting the approach at:
Ian.rosam@the-hpo.com
Rob.peddle@the-hpo.com
Contents
Introduction
• We introduce the challenge that auditors face to develop the competences required to effectively audit against the new
• A quick overview of the process approach to ensure that we have a common understanding of the basic terminology before
• The eight key principles of ISO 9001:2008 and the plan, do, check, act methodology are the basic techniques that form the
• The primary role of a process management auditor is to discover to what extent the process is being managed and what effect this has on the achievement of business objectives. Before we
• With the fundamentals that make a management system understood, we now turn our attention to the detail of how you
• Auditing is 80 per cent preparation and 20 per cent actual auditing, which sounds like a bit of an old wives’ tale until you
• Starting with the managing director will help put the process and system into the context of the business that you are auditing.
business objectives.
7. Identifying and reporting findings – Moving beyond compliance
• What are the objectives of your audit report? A straightforward enough question, but how many auditors actually ask themselves
• The auditor’s role is not to identify w improvements should take place or what the organization should do. It is to provide
• Auditing is a skill and like any other skill needs practice to hone it. It involves an ability to evaluate or learn from the experience,
• In this book we cover the basic principles of auditing, and these
understand the principles involved. In other words reading the
• This appendix seeks to provide some example questions based
References
Introduction
transition to the new Standard. At the same time the clock also started ticking for
auditors to become competent to audit against this new Standard. Although only a
relatively minor change from the 2000 version, the fact is that many organizations
and auditors have not fully implemented the intention of the 2000 version. This
new update therefore allows this to be reviewed, and any shortcomings to be
addressed without the need to also address other significant changes.
businesses and auditors alike. Businesses welcomed the new version of the
Standard and as a result questioned the role internal and external auditors
should play. The update emphasized the need for more added value to the
service auditors generally provide. Auditors on the other hand also welcomed
the new Standard but unfortunately many have not noticeably changed their
approach to the audits they conduct. The 2008 version adds more pressure on
them to do so.
For those who fully adopted the need to audit both compliance and
effectiveness, and the reporting of business risk as a result of it, this book will
hopefully give them some additional tips. For those who have not, this will be
the start of a learning experience that should make them a much more valuable
resource to their organizations. It will also help them to secure their own future
as a valuable resource to support the effective delivery of business goals.
It should not be about the auditors telling the business what it already knows.
The two key factors for this win–win partnership to succeed are:
If either of these two factors are missing then the value of auditing to the business
is significantly reduced (see Figure I.1).
The challenge for auditors to understand how businesses operate and how
they, as auditors, can add value, is one that auditors must rise to if they are to
continue to support businesses effectively. Many will have to set aside old values
and beliefs about auditing compliance based systems, change the way they look
and view objective evidence and look to learn new skills in order to become
competent process management auditors.
[Figure: labels "Customer and stakeholder needs" and "Auditor-business partnership approach"]
high level, the processes that go to make up its overall business management
system. It is pertinent to the organization itself and uses a language and layout
that can be easily understood by customers and staff alike. Typically this would
[Figure: process map; process labels include "Understand stakeholder and market needs", "Developing our staff", "Measuring and evaluating our performance", "Generate and win business", "Managing projects", "Supplying parts" and "Managing service support"]
the organization is required to complete in order to achieve its stated objectives
process map.
The effective control of a series of activities that converts inputs into outputs
Putting the process approach into context
Put another way, if we are to manage a process effectively we need to plan and
implement its delivery using the appropriate equipment, knowledge, etc. and
measure its performance against targets. These performance measures are based
on the purpose of the process and by measuring against these we can identify
gaps in performance, which can form the basis for improvement activity. The
aim is to analyse the actual results achieved (compared against the target), to
learn from the information and trends created and to use information as a basis
for actions for change or improvement. More details on process management
and indeed systems thinking can be found in books 1 and 2 of this series (for
details on these, see the References chapter at the end of this book).
[Figure: example procedure flowchart; box labels include "Identify website enhancement", "Directors approve?", "Brief website supplier, obtain spec and costs", "Monitor development against spec", "User test update and report findings to Operations Director", "Backup PC weekly" and "Identify an IT problem and report"]
Prior to any attempt to carry out a process management audit you must first
• establish its key performance indicators or measures; and
• analyse its performance and make improvements in order to achieve its
successful audit and maximize the value of your audit report to the organization.
audits’ and therefore the principles are at a lower level but still follow the same
general approach, to:
• analyse process performance and make improvements based on this.
What the organization really wants is a report from the auditor describing
the impact on the organization of the findings in relation to compliance with
• findings against the Standard need to be interpreted into organizational
The audit report is for management use as information to help highlight
improvement opportunities and to identify risks to the business. The
focused, as they can clearly see the benefits to the business on making any
2. The requirements of ISO 9001:2008 – An
The principles behind ISO 9001:2008
Do you know the eight key principles at the heart of ISO 9001:2008 and
what the ‘PDCA’ methodology is? If the answer is no, then you need to learn
them quickly and thoroughly if you are going to be a competent auditor (see
Table 2.1). These are the basic principles that will form the foundation of
your auditing technique, and are shown in Section 0.2 in the introduction to
ISO 9000:2000. They are what differentiates a successful organization from one
that is not, and form the foundation of ISO 9001:2008.
Customer focus | Understanding what customers need and expect from the organization
Involvement of people | Ensuring that all are involved in order that their abilities can be used
Process approach | Objectives are more likely to be achieved when activities are seen,
accordingly
Systems approach to | Identifying the individual business processes and ordering them so
Continual | Improving business performance should be the objective of any
Mutually beneficial | Enhanced value is created by working closely with suppliers that can
1 + 1 = 3!
Plan | Establish the objectives and processes necessary to deliver results in accordance
Do | Implement the processes
Check | Monitor and measure processes against objectives, policies and requirements and
report the results
Making sense of ISO 9001:2008
There is a danger that if to grasp the principles of
ISO 9001:2008 they will undermine what they are trying to achieve, and increase
the possibility of reducing the added value they can bring to the business. This
basic requirement for auditors to understand the principles behind it, not just
the detail of ISO 9001:2008 seems obvious, but experience to date highlights the
fact that the majority of auditors do not grasp these basic principles. As a result,
there are huge variations in the perception business has of what ISO 9001:2008 is
about and the value that effective auditing can bring to them.
[Figure: successive PDCA cycles; labels "Plan 1", "Do 1", "Check 1", "Act 1", "Plan 2", "Do 2", "Check 2", "Act 2" and "The future"]
Let’s give you an example. When trying to establish how a process owner
• process outputs;
• current process performance;
If you test those areas listed in the paragraph above then you are also going to be
• 4.2.1 General;
• 4.2.3 Control of documents;
• 5.4.1 Quality objectives;
• 6.3 Infrastructure;
• 6.4 Work environment;
• 7 Product realization; and
sections so therefore it must follow that you cannot audit it as a series of separate
A question of compliance?
Compliance with what? Does it comply with:
The meaning of the word ‘compliance’ conjures up images of rigid procedures
that must be worked to by the letter. However, when you read ISO 9001:2008 it
refers to the need for documented procedures in only six places. These are for:
• control of documents;
• control of records;
• internal audit;
• control of non-conforming product;
• corrective action; and
• preventive action.
You must assume from this that ISO 9001:2008 is effectively allowing an
organization to decide for itself what, if any, activities it provides written
procedures to support.
Going back to our question of compliance, then yes, this is obviously very
easy to check as the evidence will be in the form of documented procedures for
the six areas identified above. We can check that they are being applied, thus
complying with the requirements of ISO 9001:2008.
Auditors have to come to terms with the fact that although they might
like to see evidence documented, as this gives them a sense of reassurance, the
likelihood is that much evidence may well not be documented and they will
have to assess the organization accordingly.
and non-documented, we have listed below examples of both. The examples
traditional auditing as it is all black and white, right or wrong. Conversely
think ‘how can I assess this?’ This is a question that is hopefully answered in
subsequent chapters of this book.
• log of approved orders;
• delivery note;
• process staff members knowing how they contribute to the achievement of a
• process performance indicators that relate to purpose of the process and/or
business objectives;
with its requirements but to do it in a manner that adds value to the business,
above anything that has gone before and that those auditors who have little or
levels in the organization, not just operational activities as in the past. This will
mean auditing senior management and indeed the most senior manager, the
between senior managers and staff, in an effort to discover how focused the
organization really is on the eight principles and the PDCA cycle. This will be
the real test required to determine the level of compliance with ISO 9001:2008.
There is one last factor that auditors must consider when they carry out an audit
and that is the question of system and organizational maturity.
management system?
• What can I reasonably expect to find at this stage in its development?
As an auditor, you will not be able to answer these questions without knowledge of
the business. That knowledge can come from either working for the organization in
question or from the responses you get during the course of the actual audit. Either
way you have to make certain judgements about how you will audit and what you
ISO 9001:2008 is unique in this way, it can take account of the maturity of
the management system and allow an auditor the ability to use their judgement to
determine not only whether the basic principles are being applied, but also to what
extent the business is using them to drive itself forward. No two organizations are
alike and, indeed, organizations will mature over time. An audit therefore needs to
take account of its maturity if it is to help it to keep improving over time.
[Figure: maturity diagram; labels "Corporate governance/Corporate social responsibility", "Business excellence model", "ISO 9004", "8 principles", "PDCA cycle", "ISO 9001" and "Maturity"]
The primary role of a process management auditor is to discover to what extent
the process is being managed and what effect this has on the achievement of
business objectives. In order to do this successfully, as we have already discovered,
Before you can undertake any process management audit you must first
Chapter 1 of this book gave a brief overview of the management system and
processes with examples for each, and it is being able to make the connections
between these and supporting procedures that you need to focus on.
Management system
Defined by senior management and owned by the head of scope, typically
[Figure: management system hierarchy; labels "Management system: overall management system organigram", "Process: the ‘what’ we do level" and "Procedures: the ‘how’ we do it level"]
Typically 8 to 15 high level processes are identified and they in turn link or are
Process management
Related directly to the management system are the processes themselves, which
exist to convert input requirements into customer output requirements through
a series of value adding activities. In other words they provide the mechanism
different departments within the organization work together towards this aim.
Too many auditors audit processes in isolation, failing to make the vital
Failure to make these connections will result in an incomplete, inadequate and
non-value-adding audit. It’s rather like checking a route map without knowing
• Are there process performance measures?
• Do the measures relate to the objectives/are we measuring the right things?
• Is the performance known and are effective improvement actions in place?
hopefully you can begin to appreciate that to be a successful auditor requires
considerable skill and competence. These skills and competences need to be
in different areas than have been required in the past in order to make the
necessary connections and identify issues worthy of reporting.
Procedures
This is often a very difficult concept for many people to come to terms with.
what extent they have documented procedures, whereas the 1994 version of the
Standard required virtually all operational activities to be documented. There
is a certain reassurance one gets from having things documented and there is
• What risks to the process are there by not having procedures documented?
• If the risks are high, has the organization considered them and chosen an
• If there are procedures are they adequate for the risks they are controlling?
The process owner should have considered what, if any, procedures are required
they have got it right or identifying any potential risks they may have overlooked.
actual performance of the process.
Hopefully this section of the book has gone some way to clarify this for you.
Figure 3.2 summarizes types of audits depending upon the level you are looking
[Figure 3.2: labels "System level", "Process level", "Procedures" and "Compliance level"]
Show me what you do!
system and the basic understanding that an auditor needs to have in order
message in particular being driven home time and again: ‘Show me the evidence!’
Above all else auditors have been trained to assess what an organization does
against what it said it does, basing any decision as to how well they did it on the
as ISO 9001:2008. This style of auditing may then be relevant to check that specific
detailed requirements are being met and effectively applied.
Auditor tools
There are basically two tools that should be used in both preparing for and
carrying out a process management audit (see Figure 4.1, Figure 4.2 and
Table 4.1). Neither of them is complicated and in fact they are just plain common
sense. Both, however, require the auditor to understand how a business works
through its processes in order to use them effectively. This is one of the key
competences of a successful process management auditor.
Once you understand them, they are so powerful that you can apply them
to any process within any business, regardless of industry sector.
[Figure 4.1 Auditor tool 1: box labels include "Purpose of the process", "The process itself", "Key performance" and "Monitor performance"]
Auditing tools and techniques
In process management auditing you are testing every one of the boxes in each
process you audit at every level within each process, i.e. you go round this cycle
with everyone you interview. The questions you use to test each one of the
boxes will be phrased slightly differently and will be in a manner suitable to the
person being interviewed, but nonetheless they will follow the same cycle. This
aspect is critical for successful auditing. It is no good asking a member of staff a
question that they do not understand, or using ‘management style’ or ‘standard’
language that they cannot relate to what they do. For example asking someone
what ‘resources’ they use may not be understood, asking what ‘equipment’ they
use might be. There is no right or wrong, but the language you use is important
and needs to be based on the needs of the auditee not the auditor. It needs to be
in the language used by the people within the organization itself.
Process objectives | Specifically the objectives and targets for this process that must
Key performance process measures | Measures directly related to the process itself and overall business objectives, in the way customers measure the process
performance
process performance
performance and the target performance level required
Auditor tool 2 follows a similar theme but extends to include those things
that support the process in terms of:
• the competence of those working within the process to effectively carry out
their tasks;
• the resources needed for process activities to be performed adequately;
• the knowledge and information needed to effectively carry out activities
within the process;
• the budget for the process that takes account of the likely future demands on
the process.
These influences or constraints are only examples and in reality there may well
be others. What you are looking for is anything that affects performance of the
process, and it can come from any management discipline. Process management
auditors therefore need a basic foundation in a range of business activities
and disciplines. For example how can an auditor assess or make judgements
on someone’s competence if they have no understanding of human resource
management principles?
[Figure 4.2 Auditor tool 2; label "Measure"]
Auditing techniques
Questioning
Taking each box of ‘auditor tool 1’ let’s look at each one in turn and try to work
areas and issues to raise; whatever they are they need to test the effectiveness
of the process. As you go through the steps in the cycle you may well be able
to identify areas where you need to dig a bit deeper, ask more questions and
test any compliance issues that may become apparent. Inexperienced process
management auditors tend to stay in the detail of compliance once they are in
it. The ‘art’ is to keep the cycle in mind as you carry out the audit and ‘dip’ into
in order to build the links. It is not easy at first to make this change, but once
management system?
process measures • How are the process measures linked to business objectives
and measures?
process?
monitoring process is?
• How often is process performance measured?
• How is performance data communicated to the process team?
Improvement • How do you identify improvement issues?
process performance?
process team?
Questioning techniques
The questions detailed above need to be thought about and tailored to suit the
individual being interviewed and the level at which they support the process.
what the organization’s business objectives are would often be pointless in many
foreign language! But beware that this is not always the case and, importantly,
to ask and in this case it might be asking the operator who they consider is their
customer and how they know they are meeting their customer’s requirements.
Managers
Auditors that understand this dynamic and use it effectively in conjunction with
an auditor has on the company’s performance the more valuable the audit report
Objective evidence
If we have established that the questions and questioning techniques you use
as an auditor vary according to the person being interviewed and the level they
are working at within the process, then it must also follow that the objective
supplier inputs and
targets?
• What are your objectives • Tells/shows you • Understands process
and targets?
performance
demonstrate linkage
• Can you describe the • Tells/shows you • Tells/shows you
process?
• How do any procedures • Tells/shows you links to • Tells/shows you when
required for those context of process reviewed in last year
• How do you decide • Tells/shows you the • Tells/shows you process
performance of the of their needs to process to the customer
• How do you know what • Shows you performance • Tells/shows you
of the process is?
performance measured?
• How is performance data • Tells/shows you • Tells you/shows you
communicated to the
process team?
• How do you identify • Able to link performance • Talks through methods/
owner
to improving process
performance?
You will notice that the responses you get in terms of evidence are likely to be
verbal rather than documented, which means you have to determine fact from
fiction just by listening to what people are saying.
an example.
Question: How do you know what the current performance of the process is?
They also tell you that since the measures were introduced six months ago
they have achieved an average of 97.5 per cent deliveries on time and are on
schedule for six stock turns for the first half of the year.
checklist.
The process staff member’s response is to tell you that the process owner
meets with all the process staff once a month in the canteen where they talk
through various items of interest including performance statistics. They tell you
that a lot of what the process owner says is not of much interest to them apart
from the delivery and stock turn measures as this has a direct bearing on the
amount of bonus they receive each quarter.
They tell you that delivery performance of only 97.5 per cent has meant a
reduced bonus for the last two quarters, but the achievement of six stock turns
so far this year has at least given them a bonus payment albeit small.
You listen and compare their responses to those of the process owner, making
any notes on your checklist. You then ask yourself: ‘Have I enough evidence to
demonstrate that the question has been answered adequately and am I satisfied
that the performance of the process is known at all levels in the process and
by the people who need to know?’ What is your conclusion based on the two
I hope you concluded that yes, the performance of the process was known at all
levels in the process and by the people who needed to know. All this despite the
fact you did not see a single piece of paper!
Congratulations! You have just audited Subclauses 5.1, 5.2, 5.4.1, 5.5.3,
7.1, 8.1, 8.2.3, 8.4 of ISO 9001:2008.
Methods of auditing
Quite rightly most methods of auditing involve face-to-face interviews/discussions
with people in order to gain information and an understanding of how effectively
something is being done. However, this is not always practical to do because of
geographical locations, the high number of people needed to be seen or constraints
on cost or time.
Organizations that have multiple sites spread over a large geographic area,
including different countries, and those with large numbers of home or field
based employees are probably best suited to alternative methods of auditing
other than face to face.
actual auditing, which sounds like a bit of an old wives’ tale until you actually
carry out an audit in a way that delivers business effectiveness findings and then
you realize just how true it is!
Preparation starts right back with a basic understanding of the principles
effective process management, auditors are normally simply not spending enough
increasingly relaxed about the style they have adopted and their knowledge
I still prepare and use an audit plan and checklist every time I am asked to
a file and forgotten about. A good plan will be developed well in advance of the
audit, by the auditor, and certainly not in isolation. They will confer with the
• any special requirements the auditor may have, e.g. working lunch, desk,
• the names of individuals to be seen during the audit with specific meeting
times; and
• date by when the report will be issued and who it will be distributed to.
Please refer to Table 5.1 for an example of an audit plan. By far and away the
most important parts of any audit plan are the details concerning the people
who will be seen and the specific meeting times that have been agreed. Auditors
cannot expect to turn up and have people sat around all day or over many days,
waiting for the auditor to audit them. As an auditor you should assume that no
commence the audit expecting people to automatically be available. They then
wonder what they are going to do for the remainder of the day when they
discover all the people they need to speak to are either on a course, on holiday
In preparing your audit plan you will need to take into consideration the
ensuring that you allocate the most appropriate amount of time to each of the
people you need to interview.
Planning and preparing a process audit
Criteria/standard to be used: ISO 9001:2008 and the organization’s stated business objectives
Date audit report to be issued: 7 July 2009 to the finance director and managing director
Meeting room for the two days with power, telephone and videoconference facilities.
No need to organize lunch, the staff canteen will be fine.

25 June 2009
9.00 am | Finance director (process owner) | Face to face | London
10.00 am | Finance assistants × 4 | Face to face as a group | London
11.00 am | Finance assistant | Videoconference | Paris
12.00 noon | Finance assistant | Videoconference | Frankfurt
1.00 pm | Lunch | Canteen
2.00 pm | Finance assistant | Videoconference | New York
3.00 pm | Financial controller | Telephone | Nairobi
4.00 pm | Managing director | Face to face | London
4.30 pm | Consolidate information | Meeting room, London

26 June 2009
9.00 am | Production director | Face to face | London
10.30 am | Production staff members × 8 | Face to face as a group | London
12.00 noon | Production manager | Videoconference | Paris
1.00 pm | Lunch | Canteen
2.00 pm | Production manager | Telephone | Nairobi
3.00 pm | Finance director | Face to face | London
4.00 pm | Gather information and close audit
One of the major issues facing you is the time available, as this impacts on your
ability to test the responses you get with the greatest range of people possible,
thus assuring yourself that the evidence you are finding is a true reflection of
what is happening. This is not something new and auditing has never pretended
to be anything else other than a sample, but you must be satisfied that the
sample size is large enough.
Whatever you decide you should always start and end with the process
owner. Start off with them:
• to gather information, which you can go on and test throughout the process;
• to understand if they have any particular areas they themselves may want
you to assess or review and provide feedback on.
Finally, conclude the audit with them so that you can confirm your findings and
provide overall feedback on what you found.
• ensure you cover all the questions/areas required to meet the audit objectives;
• act as a focal point for the audit, as it is easy to become distracted as you
follow the audit trail;
• allow you to record notes against specific questions as you go, so you can
easily reference them when talking to different people;
• ensure you can easily compile the audit report from the notes you have made
without relying on just your memory.
But how do you decide what you should include in your checklist? Well, how
detailed you make your checklist is a very personal thing and is likely to depend
upon several factors, not least how experienced you are and your ability to read
the detail described on the checklist without disturbing the flow and focus of
the audit itself.
Before you can begin to prepare your audit checklist you first have to
design it or, should you find it useful, copy the example shown in Table 5.2.
Your design will no doubt evolve over time to reflect your own personal style
and needs.
Having decided on what your checklist will look like you now have
to populate it with all the questions you are going to need to ask in order to
complete your audit. These are the questions that will test:
This means all of the things we covered when looking at the auditor tools and
objective evidence in the previous chapter.
You should allow yourself plenty of time in advance of the audit to gather the
information and compile your checklist. Remember the audit starts from the
moment you start compiling information and preparing your checklist, not from
the moment you ask your first question of the process owner; it is much too late
by then to get it right if you have not planned thoroughly.
If you are not able to carry out the background research or obtain the
information you would like in order to prepare thoroughly for the audit, then
you must allow yourself more time to carry out the audit itself and to collect this
as you proceed. This is certainly not the most efficient way to carry out an audit,
but sometimes you will have no choice. Without this information your audit
will be flawed, so you must obtain it early on if you are to be effective.
PROCESS MANAGEMENT AUDIT CHECKLIST
Checklist
Ref. No. | Item | Comments | Report Ref.
• make sure you fully understand the eight principles and the PDCA cycle;
• plan the audit carefully making sure you allocate the appropriate time to
• book meetings with people well in advance, don’t expect them to just be
waiting for you!
• know the business objectives and customer requirements and make the
6. Carrying out a process audit – Bringing it together
Hopefully by the time you are about to start the audit you have fully prepared
and have a clear understanding of how you will satisfy yourself that the process is
If you are not put off by this then let’s get on with the audit, starting with the
wonder what you are doing here. You glance down and, to your relief, see the
checklist you so carefully prepared. Referring to the first question you enquire,
‘How is business?’ You have started the audit.
Does this sound familiar? Feeling intimidated by someone like the managing
director is nothing new, but when you have to audit that same person in an effort
objectives, measures, current performance etc. you will not be able to test the
As a general rule you will only have a limited amount of time with these
Being completely clear about the objectives of the interview and the outcomes
you require is essential and will prevent you becoming sidetracked and coming
your meeting and you are in control of it. You will gain real respect if you do –
but if you don’t …
With any luck the managing director will discuss the current state of the market,
customers’ needs and how the organization is working hard to develop sales and
improve margins. Within this discussion you should begin to draw out what
the business objectives are and how they plan to move the organization forward
to achieve them. This information is key and you need to be making detailed
and the questions you need to ask and you can usually get through it within
30 minutes. I tend to find that most managing directors, once they get talking,
because they never realized the audit was actually going to be about the business
itself, rather than ISO 9001:2008! Once they start doing this, then you know
that you are part of the way to having a convert. The rest of the journey will be
made once they see the business value of your report and findings.
Before you conclude the meeting have a quick look at your checklist to
ensure you have everything you need for the next part of the audit and then ask,
like me to look at in addition?’ Note any response you get and then thank them
This is particularly important if the audit is to be spread over any length
of time, when it would be difficult to keep track of all the responses and even
harder to recall them at the right time. This is especially so if you are trying to
test the effectiveness of communication and need to know exactly what other
people have said.
prepared by following the same rules and opening the dialogue by asking them,
‘How is business?’
Check and confirm with the process owner that the audit plan is still
Refer to your checklist constantly. Provided you prepared it thoroughly
it should include the questions you need to test the eight principles, PDCA and
auditor tools 1 and 2.
What you are testing is effectiveness, which includes the following.
• The link between what the managing director said and what you are now
being told by the process owner – are they saying the same things?
process team?
• Has the process owner established process performance measures?
• Has the process owner communicated the performance results to the
process team?
• What actions are the process owner and process team taking when there is
a gap in the performance against the stated objective or target?
Refer to Table 4.2 for more questions and Table 4.3 for the likely objective
evidence you could find and can therefore make a note of on your checklist.
interview with the process owner as an information gathering exercise, so ensure
you record as much of the information you are given as possible. You will need
Again, before you conclude the meeting have a quick look at your
checklist to ensure you have everything you need for the next part of the audit
and then ask, ‘Is there anything you would like from my audit, are there any
the main part of the audit and begin to audit process staff, together with looking
at the various connections with other processes within the organization. Sticking
Whereas the objectives of the interviews with the managing director and
process owner were primarily information gathering, the audits of process staff
are now about testing this information in order to determine how effectively the
• Are the objectives/outputs of the process understood and are they linked to
• Is the process measured and are the measurements the same as what the
• Do process staff know what the current performance of the process is?
• How is information communicated to people working within the process
performance?
Refer to Table 4.2 for more questions and Table 4.3 for the likely objective
to; and
• how competent people are/feel they are to perform their assigned tasks.
at the right level in the process. To achieve this remember the questioning
phrase these in a manner that will ensure they are understood by your auditees
and that will provide you with adequate evidence as an answer to your question.
Give me a break!
There are a lot of pressures on auditors and you should never be afraid to take
a break during the audit in order to give yourself an opportunity to collect your
thoughts, put the information you have gathered into context and to generally
satisfy yourself that you are progressing as planned.
As you review any information, notes and outstanding questions it will
affords you the opportunity to determine the specific further questions you need
to ask in order to complete the audit and compile your report adequately. Should
proceed, never be afraid to add items to your checklist.
should finish on time, with everybody on your list having been audited and
process management.
Now is the time to begin to sift your way through all the information you
have and to collect your thoughts ready to compile your report and report back
director prior to generating your final audit report and indeed there may well
7. Identifying and reporting findings – Moving beyond compliance
Report objectives
but how many auditors actually ask themselves this before they write and
present their report? A lot of the audit reports we read clearly demonstrate that
the auditor did not ask themselves this question and if they did they drew the
wrong conclusion from it. The most common misinterpretation of this question
comes from ISO 9001:2008 auditors, be they internal or third party auditors.
they add virtually no value to the organization and are usually ignored by senior
management.
The real objective certainly has to be to record all the areas where the
other words the report findings will add value to the organization by highlighting
issues that, if addressed, will improve the performance of the business.
contain information that:
We appreciate that auditors and, in particular, third party auditors, have a difficult
job in striking the right balance between reporting compliance with ISO 9001:2008
whilst trying to encourage improvement based on the maturity of the organization’s
management system. However, that said, this does not stop auditors trying to
achieve this balance in order to add value to the organization. After all, they are a
supplier to the organization that is in turn the auditor’s customer. What they want
something is wrong, someone is to blame, there has been a failure, the system has
software-based computer presentation. The choice is yours. Table 7.1 provides
an example of an internal audit report template that we have used and you
are welcome to copy and modify in order to come up with a version you feel
comfortable using.
possible to encourage the organization to address the issues raised with the
ultimate aim of improving their business performance. But how can you achieve
of actual audit reports, clearly showing both positive and negative reporting
Audit summary
Audit findings
Re f. N o.
What to say …
The following are examples of what to say in an internal audit report.
a) The organization does not currently monitor customer satisfaction. Monitoring
the perception customers have will enable the organization to better understand
how it can meet both their current needs and future expectations, allowing the
organization to benefit from a more proactive approach to customer care.
b) The organization does not currently have a documented procedure for the control
of the records it produces. The documenting of a procedure for the control of
the organization’s key records will ensure that the responsibilities for record
retention are known and that these important records are protected from damage
or deterioration and only retained for the maximum specified period, allowing
archive storage space to be kept to a minimum.
c) The infrastructure of the organization appeared to be adequate for the services
being provided; however, there was no process by which the infrastructure is
reviewed on an ongoing basis, which could affect the organization’s ability to
meet future customer demands. Therefore the organization would benefit from
linking together the review of market/customer needs and the infrastructure
required to deliver them.
d) The organization is to be congratulated on the decision it has made to introduce
new computer terminals and office furniture in the call centre. The staff spoken
to all commented on what a significant difference this has made to both their
comfort and ability to read the new screens. This has undoubtedly contributed
to the reduction in staff sickness time and number of customer complaints due to
keying errors.
Of course there is a need to record nonconformances against clauses but it
is the impact on the organization and the objectives of the senior manager that
is important.
What turns you on?
Which version of the report findings did you prefer reading? Which version
do you think the managing director would prefer to read and would encourage
them to do something? Precisely, the second version, and this is the style you
should be adopting in the writing of your audit reports. The report is all about
the business and nothing about subclauses in ISO 9001:2008 because managing
directors are not interested in the detail of what the Standard says.
As any good politician would tell you it is all in the spin. We are not
suggesting we all need to become politicians, but, as auditors, we could all learn
a trick or two from them and spin our reports positively. After all, we are trying
to influence our ‘customer’ to make the improvements we have identified.
As an auditor you should ask yourself the question, ‘Am I hiding behind
ISO 9001:2008 with my comments in the audit report?’ We tend to find that
the more experience an auditor has of how businesses operate the greater the
chance their audit report will add value. Conversely auditors who have a limited
knowledge of how businesses operate tend to hide behind ISO 9001:2008 as this
is all they know and feel comfortable with.
The final check every auditor should perform on their audit report before they
present it is the ‘So What!’ test. Here is an example:
‘… the quality policy had not been signed by the managing director …’
SO WHAT!
Improvement action
The audit report should only contain the findings of the audit and not
suggestions for the improvement action to be taken. This way the auditor can
remain independent and the organization does not feel obliged to adopt any of
the auditor’s suggestions for improvement, even if it does not agree with them. By
doing this, the auditor is also passing the responsibility for taking improvement
action back to the process owner.
auditor’s role is not to identify how improvements should take place or what the
organization should do. It is to provide information to management on areas
of risk or where opportunities for improvement exist with an explanation that
outlines the potential impact on the organization if these are addressed.
Therefore what the organization does if it decides to address these
issues is up to the management balancing the other organizational needs and
requirements with the audit findings. Don’t forget that carrying out audits is
only one source of information management is receiving upon which decisions
can be based. They will also be receiving information on customer satisfaction
and business results etc., which could mean that they may well ignore the
audit findings and concentrate improvement activity in other areas where the
greatest business benefit can be achieved. This being the case auditors should
not be disheartened if, after carrying out an audit recommending areas for
improvement, management do not appear to act on the information.
at a single process the auditor is looking at the system as a whole. Many of the
Assessing improvements
same skills are required, but it needs a still wider business understanding for the
auditor to be successful.
As with any audit this needs to be scheduled and auditors appointed in exactly
the same way as for a full audit. The main difference is associated with the scope
of the audit, which is generally limited to the scope of the previous audit report
In preparing for a follow-up audit the auditor needs to review the previous
report and, in particular, to understand the business reasons for recommending
the improvements and the business risks or impact associated with them.
improvements to establish what action has been taken and the purpose in taking
the action. The same tools and techniques can be used to carry out a follow-up
audit as have been described earlier for process management audits. So, in
establishing the purpose and the aim of the action or improvement the auditor
is identifying what the process owner is trying to achieve. It is not good enough
place. What the auditor needs to establish is how effective the action has been,
i.e. has the aim of the improvement activity been met, has it worked/solved the
problem etc. From establishing the aim the auditor can then review the actual
improvement activity or corrective action taken, the results gained and identify
any further improvement needed to meet the original intention or purpose.
Consequently, after information has been gathered from the process
owner, the technique can be used to gather information from other people either
Through a series of short information gathering activities following the
whether or not the action has been effective in resolving the issue highlighted in
the original audit report and has been carried out in a ‘timely’ manner. Timely in
this sense being based on the size and impact of the change or improvement and
the risk the organization faces in not carrying out the change quickly enough.
in any way the auditor needs to make a judgement on the potential impact on
the organization. If the judgement is that the organization is at risk then the
matter should be referred to the system owner, i.e. a ‘higher authority’ than the
process owner, who should be asked to intervene to address the issue and advise
the auditor accordingly. What the system owner does in resolving the issue is
This will provide clarity to both the auditor and the process owner.
Auditing as a skill
Auditing is a skill and like any other skill needs practice to hone it. It involves
ISO 19011 describes these attributes and although not an exhaustive list,
it does provide a useful insight into what is expected. Above all the auditor
should be ethical; auditors are placed in a position of trust by management to
investigate how effectively the organization is being managed. As we have seen
auditors need to assess effectiveness of actions taken as well as compliance.
Adopting an open mind goes hand-in-hand with carrying out the audit in a
tactful and diplomatic manner. Remember the easiest way to gather information
is to ask people what is happening, what they do, how they could improve what
they do etc. How the auditor handles this conversation, even if auditing using
email and other non-traditional methods of auditing, is critical to success. If the
auditor criticizes what someone is doing or how a manager is managing their
part of the business then that person is likely to be more reluctant to provide
the auditor with the information they need. Remember people are often not
the problem, most of the time it is the system they are operating in, so identify
where the system is failing rather than seeking to criticize, blame or expose the
individual. The results will be far more welcome and of considerably more value
to the organization.
What personal attributes do auditors need?
self-reliant, and having the necessary equipment and motivation to see the audit
through without the support from other auditors.
The auditor needs to have a mix of skills and knowledge to be effective. These
are interdependent and should not be considered or developed in isolation of
each other, i.e. no one area is more important than the other – they complement
each other.
It goes without saying that the auditor should be able to follow the
organization’s auditing procedure and approaches.
The auditor should be able to create an audit plan based on the scope of
the audit. This should show who is going to be audited, how and when and be
agreed by the process owner. The effective use of time is very important. Auditors
should not forget that for most organizations auditing is an overhead, a cost to be
borne by the organization. Therefore the organization needs to not only get value
from the audit but also collect, collate and report information and other data
efficiently and effectively. The audit plan should reflect this need and auditors
should adopt approaches and methods that are appropriate. As mentioned early
in the book these approaches may well be non-traditional in nature but will be
more cost-effective without distracting from the value of the audit.
With the plan in place, agreed with the process owner and communicated
to those being audited, it is the responsibility of the auditor to ensure that the
audit is carried out as planned, keeping to the timescales as shown. Sometimes in
an audit the auditor will discover areas that need more investigation than the time
allocated will allow or, perhaps, someone else needs to be interviewed who wasn’t
on the original plan. In these circumstances the plan may need to be amended
and this is the auditor’s responsibility. It is not good practice for the auditor to
either start late or to end an interview after the time previously indicated on the
plan. The auditee will be expecting the plan to be followed. If the plan needs to
be amended then the auditor should discuss or communicate this to the process
owner or the person showing the auditor round the organization, if one is being
used, in order that a revised plan can be agreed and communicated. This may
information. Planning an additional interview is preferable to ignoring the original
sensitive business or organizational information but also to personal feelings
and views that may be expressed by an individual or group. Clearly the auditor
may well be provided with sensitive business information as part of the audit
any ‘situations’ it is best to simply say nothing and use the information for the
purpose for which it was given, i.e. for the audit. This approach will avoid and
and examples from people not directly carrying out the task involved. For
example let’s say you are auditing the manufacturing process, then you may
gather information from the sales team, i.e. the people who generate the orders
and those who dispatch products and services as well to gain their views and
the impact the production process has on them. Or perhaps you are auditing an
improvement process as well as auditing the people involved in the actual process
or improvement. You could also interview the people affected by the change
to determine how effective the change has been in improving performance. In
gathering these views from people ‘outside’ the process being audited but affected
by its impact, the auditor may well be gathering views and opinions from a number
regarding effectiveness. These views and opinions also need to be kept confidential
and not shared either with other auditees, e.g. ‘I was speaking to X and he said …’,
or outside the audit. If the auditor breaches this confidentiality then it is likely that
Auditors should focus their attention on significant issues. This does not
mean that areas of detail should be ignored but that the audit should focus on
what is important to the success of the process and the organization rather than
areas that have little impact or significance in the overall picture. Some auditors
get a reputation for ‘nit-picking’, i.e. identifying or making an issue of small
areas that in themselves have little or limited impact on performance. If the
auditor is in any doubt as to whether or not an issue should be raised then think
about the manager who will be receiving the report, will they be interested? Is it
important to them?
often comes from a range of sources from across the organization. The various
parts of information are then ‘added’ together to form a view or finding. It is often
not a case of taking one ‘piece’ of information in isolation but adding different
data together to form the ‘picture’. Therefore a key principle is to test or verify the
different pieces of information to confirm their appropriateness and accuracy.
compliance auditing.
This extends to understanding how the various processes that make up the
system interact with each other and how support or reference documentation such
as procedures and other information is positioned and used within the system. It
would also include how resources, equipment, budgets, competence, team work,
knowledge, other standards and frameworks, knowledge, environmental, health
and safety and regulatory requirements, information technology, intellectual
property, management ability and techniques, results, changes etc. can impact
on process performance. This does not have to be an in-depth understanding
but should, at the very least, be an awareness of the possible impacts so that the
In addition, as mentioned before, the auditor needs to have an appreciation
the organization has interpreted these business activities into the management
system and therefore into its processes.
Another impact on process performance that the auditor needs to be
aware of and understand is that the organizational culture will affect both the
audit and, potentially, process performance. The auditor needs to appreciate the
organizational culture they are working in and work within this, modifying their
auditing techniques and methods accordingly.
covered the business knowledge needed in other sections, this area relates to the
‘quality’-specific knowledge that needs to be understood. Quality terminology
is, in effect, business terminology that we have already covered. This can
tools and techniques that have traditionally been used by quality professionals.
Of course as the management system is process based and as these processes
cover a range of management disciplines, including ‘quality disciplines’, the
• failure mode and effect analysis, which could be used in a design and
development process; and
• cause and effect analysis, which could be used in an improvement process.
Understanding these tools gives the auditor a wider and deeper appreciation
of how traditional ‘quality’ techniques can be used to improve and support
process performance.
• Not all auditors have the same level of auditing competence. Different
auditors will have different auditing experiences and skills. As processes run
across the organization, inevitably auditees will occupy different positions
within the business. They will have different responsibilities at differing
levels with the business, different attitudes and experiences; the same
auditor may not have sufficient skill to audit them all. A good compliance
auditor does not necessarily have the competence to audit the effectiveness
of a business planning process.
• Lack of confidence or experience. Although this is often caused largely by
inexperience, nonetheless it is a critical factor if the audit is to be a success.
A good example of this is an auditor with compliance auditing skills
being asked to audit the managing director to determine how effective the
and disciplines that need to come together (be integrated) in a system and
the processes that support it? It is often this area that is overlooked but is
probably the most important in enabling the auditor to assess effectiveness.
When auditing the effectiveness of the management of a process this area
is probably more important than technical specialisms. At the time of
writing the focus for appointing auditors is often based on their technical
competence not on their management ability. As ISO 9001:2008 is based
on the effectiveness of management to manage their organization to deliver
results and to ensure customer satisfaction, perhaps organizations should
now consider appointing auditors on their management ability rather than
their technical expertise.
• Planning the audit – as we have seen auditors have different skills and may
even be in different locations so the available audit resource needs to be
team to reach consensus on what the different strands mean when they are
added together. How this is achieved can vary but on occasions individual
team members may disagree with each other. At this point the lead auditor
needs to have the skill to facilitate the team to reach a sensible conclusion
that will make sense to the team, the process owner and support the
improvement of the organization. Coupled with this is the ability to write an
audit report that is effective in portraying the findings and conclusions of the
audit. The findings need to be succinct, clear and easy to understand showing
what objective evidence has been identified to support the conclusions.
The lead auditor needs to be able to justify the statements made, if
required, and to enter into discussions as to how the areas identified might
be resolved. The lead auditor should, however, be careful not to recommend
actions as part of the audit. Often when reporting areas for improvement
there is a temptation to ‘recommend’ how a particular issue may be resolved
or improved. There may well be many ways that a problem could be
resolved, some unknown to the audit team or outside the scope of their
understanding. Improvements are likely to be subject to the organization’s
improvement process (as required by ISO 9001:2008) and it is this activity
that will identify the causes and recommend solutions. Lead auditors need to
be careful with recommendations, often it is best to report statements of fact
and leave the actions and recommendations for improvement to the manager
concerned – that’s their responsibility.
• Managing the audit as it is progressed – the lead auditor is responsible for
managing the audit as it is carried out. This may mean resolving issues,
some of which may be confrontational in nature. This can often require tact
and diplomacy (hence the attributes listed in this bullet list). It may also
mean identifying potential problems that could occur and taking appropriate
action to prevent them from happening.
• Developing the auditors – by their nature lead auditors tend to be more
experienced managers as well as auditors. This experience can be used to
develop auditor competence, identifying training needs and taking part in
training and development activity that will improve auditor performance.
There are many types of auditor. Auditors who are employed to audit
compliance will still be required, as this approach will be needed to ensure
requirements of specific detailed standards are being met. For those required to
skills and techniques are not used and enhanced over time. In this book we
have only covered the basic principles, and these need time and practice to be
effective and for the reader to truly understand the principles involved. In other
Our experience shows that the development of these key skills takes time,
and as competence builds so auditors create their own style and approach based
on the techniques outlined. This approach has created a far more interactive and
value adding approach to auditing. Auditors report that they not only find out
more information quicker, but that they are also finding out value adding areas for
improvement that would not have been identified solely from compliance auditing.
These are key skills that need to be mastered for the future. In addition
an overview level of the different management skills and techniques used within
an organization. This may include understanding finance, health and safety, new
product development, improvement techniques, asset management and strategy
and business planning for example, all of which affect either process or system
need to be an expert in all areas, which is impossible. But auditors will need an
But this is precisely the information that management need and want.
Auditing, both third party and internal, is a cost to organizations, and by not
providing the required information that adds value, auditors will be doing their
employers and customers a disservice. As importantly, they are also giving people
the opportunity to reduce the importance of auditing and auditors. In such a
situation, organizations quite naturally look for other solutions to their problems
and if that means not using auditors in the traditional manner then so be it.
Very few organizations fail to understand the need for improvement and
change to enhance their performance. Auditors have a vital role to play, but only
if they adopt the techniques and approaches required.
As we have already seen, systems and processes are living entities, they
are the real world in which we work and operate. Auditing is a measurement of
performance in that it should identify areas of nonconformance and business
risk to the achievement of process and system objectives. An example audit
report is shown below in Figure 10.1, which was created following an audit
of an organization’s fulfilment process. It doesn’t matter that you do or do not
understand what fulfilment is in detail, what matters is the underlying auditing
principles that have been applied.
has met the minimum level required to be classified as meeting the requirements of the framework from which this
assessment was created. Congratulations, you have achieved our Bronze Award.
Overview & Result against Performance Drivers
Performance Driver; Description; %
1; The relationship with suppliers is managed and effective; 33.8
4; Supplier and purchase order information is accurate and maintained; 47.6
People taking part in this assessment were asked to identify their main involvement. The difference in perception
between these groups measured against the performance drivers is shown below.
You can:
• Consider these differences and where they may affect performance, this may identify risk areas
• Review any specific elements where individual groups have a low result
• Understand any real gaps between the perception of different groups
[Bar chart: Average % Response by Performance Drivers]
Group 1 2 3 4 5 6 7 8 9 10
Buy products/services 26% 55.9% 65.2% 58.9% 47.4% 59.2% 50.4% 41.3% 64.8% 56%
Plan and forecast inventory 60.5% 64.8% 51.4% 57.1% 69.4% 45.7% 58.1% 71.9% 54.3%
Manage and launch products 55% 35.8% 45.5% 37.1% 44.3% 31.1% 26% 16.7% 20% 40%
Coordinate and manage logistics 40% 74.4% 73.3% 82.9% 54.3% 80% 60% 80%
Manage warehouse teams 32.5% 35.1% 33.3% 37.9% 48.6% 37.5% 42.5% 20% 46.7% 20%
Manage non-warehouse teams 30% 21.2% 18.8% 22.9% 37.1% 14.7% 24% 20% 20%
Sell products 45.7% 50% 30% 30% 37.5% 30% 33.3% 40% 50%
Conclusion and the way forward
My main involvement in Planning and Purchasing process is
Buy products/services; Plan and forecast inventory; Manage and launch products; Coordinate and manage logistics; Sell products
The largest differences are likely to indicate that there may be business risks. The most significant differences are:
Performance Driver; Highest; Lowest; % difference
6 The planning process is managed and controlled; Coordinate and manage logistics; Manage non-warehouse teams; 65.3
10 Air freight spending is justified and controlled; Coordinate and manage logistics; Manage warehouse teams; 60
4 Supplier and purchase order information is accurate and maintained; Coordinate and manage logistics; Manage non-warehouse teams; 60
Analysis:
For each of these strengths, reviewing the differences between each department/team/function
may indicate where further improvement could be made. Where a ‘%’ is shown without a
number this indicates this department/team/function were not asked about this performance
driver.
[Bar chart: performance drivers 3, 9 and 6; groups Operations, Planning and Sales]
Analysis:
For each of these improvement areas, further investigation of the differences
will identify possible improvement actions.
Results by Departments/Functions/Teams
Where a group is not shown they were not asked about this performance driver.
[Horizontal bar chart: Performance Driver (1, 8, 7) by group: Operations, Product Management, Sales, Planning, Purchasing]
Results for Main Involvement Groups taking part
Where a group is not shown they were not asked about this performance driver.
[Horizontal bar chart: Performance Driver (1, 7) by group: Sell products, Buy products/services, Manage and launch products]
Figure 10.1
The fact that there are no nonconformances is interesting as the report therefore
shows how effective the process is above the conformance level. This is the very
information that managers need to know to bring about change to what may
happen in the future and therefore reduce the risk of not meeting their business
objectives.
actually do, not just what they say they do or write down, and the effect of this
data from different sources and then analysing it to report against business
objectives, values and operational principles. IT solutions are often used to
collect and manage the range and volume of data needed to do this effectively.
IT also provides solutions to analyse this mass of data and, through this, to both
outcomes and to identify business risks. The skills, knowledge and tools to
achieve this are similar to those covered in this book, but by their nature and
effective auditing, although they will not take you all of the way. To address the
constraints and frustrations that you will inevitably feel as you and your skills
develop, you may well need to consider the use of IT to help you make the next
With the auditing principles and techniques explained, this appendix seeks to
a system, by simply following the clauses of the Standard – organizations
simply do not always work that way. Nonetheless the examples are grouped
by clause for ease of reference together with questions that could be asked to
demonstrate compliance along with those that seek to test effectiveness. This
is not an exhaustive list and all clauses are not covered in the detail needed,
auditor’s job is then to add this information together to form the judgement on
effectiveness. Also notice that ‘open’ and ‘closed’ questions can be used in both
areas – simply asking the question starting with what, how, where etc. does not
no.
Senior management
What management information How do you know that the
do you use to monitor the
management information you
processes?
use is the correct information to
shouldn’t be outsourced?
How is this management
decision made?
controlled?
wrongly or badly?
job done correctly?
rework or is simply confusing?
4.2.1 General Senior management Are procedures documented? How did you determine what
4.2.2 Quality manual Senior management/ Do you have a quality manual? What is the purpose of the
the customer?
work?
deliver results?
How do we improve things in
this organization?
information/documents?
management system?
Staff member Are management committed to When was the last time you
colleagues?
Compare the answers given by both management and staff and identify
any inconsistencies.
5.2 Customer focus Senior management How do you focus on the How do you prioritize the needs
stakeholders?
information to ensure it is
needs is effective?
continual basis?
Appendix 1
5.3 Quality policy Senior management Show me your policy. What factors did you consider in
How important is it that you
do a good job – to you, to the
If there was one thing that this
what would it be?
How? and what it means to them?
management agree with the
selected?
How do you know that these
forward?
How do you know that they
need to do as a business?
Link the answers to these questions with those given in answer to
Subclause 5.2. Do the answers link? Do they make sense?
organization?
created?
5.4.2 Quality Senior management Is the management system How do you know that the
correctly?
How do you reallocate/reduce
5.5.2 Management Senior management/ Who is the management Who in the management team
management representative
performance?
‘corporate/business speak’?
to you?
Staff How well is the organization Does the information you are
performing? provided with mean anything to
Do management communicate you?
to you on this subject? Does the information relate
directly to your job?
How can you influence these
results?
5.6 Management Senior management/ Do you hold a management How do management review
review management review? the performance of the business?
What do you look at? How effective are these
What are the results of the methods?
review? How do you know the actions
How do you record the actions agreed are aimed at delivering
from the review? the organization’s objectives?
Are discussions at reviews based
on improving results?
What subject areas are
discussed?
How do they relate to the
performance of the business and
its objectives?
What factors do you use to
prioritize improvement activity?
How do you know that the
to satisfying customer needs/
6.2.2 Competence, Management Have competences been How do you know the correct
interventions? know when to use each one?
How do you know how effective
this support is?
How do you know that you
improve?
occasions?
After you have received training
How do your activities help this
6.3 Infrastructure Management What equipment/assets do you How do you know that the
have? equipment is capable of
How do you know that
rules for the business?
How is the equipment you use?
it breakdown?
How often does equipment
service delivery?
How do you know that the
the delivery of process and
If the working environment
it be?
of the environment to deliver
in affect
your performance and
the quality of what is produced?
7.1 Planning Management What are the processes for How do you know the correct
regulatory requirements?
really are?
related to the deliver what the customer a result of you, or the customer,
development and/or development of a new of resources you have available
projects?
How do you know that your
in such a way as to maximize the
its customers?
than others?
How often do you get ‘torn’
to do first?
service?
How often do you find, when
identified correctly?
How do you know that the
job?
Do they provide you with the
information you need?
development project team reviews? for actions missed?
Compared with your
development project team and services to check that you problems found with products
service launched with making it
perfect?
development project team and services to check that you customer requirements have
design and project team into designs/developments? the changes to designs or
information do you include on purchase provide sufficient
information to
business in an efficient and
effective manner?
How do you assess this?
product services are what you ordered? failures on what is provided to
service provision
consistency and conformity of
performed to provide sufficient
processes?
Staff
What information do you have How do you know that what
control them?
processes for methods in place to control processes you cannot readily or
How often do you revalidate methods you use are effective?
7.5.3 Identification Management
Do you identify products? How have you determined to
and traceability
How do you identify products? what extent identification and
traceability of the product is
required?
for me?
When problems arise with
deal with them and ensure the
the future?
throughout the entire process?
identified.
Show me how the product is
handled.
approved? How is monitoring and
equipment. of monitoring or measuring
retested when a piece of
monitoring or measuring
(Compare this to the answers
from 5.2.)
8.2.2 Internal audit Senior management Show me your audit schedule/ How do you know when to
faces?
working etc.?
business?
to the business?
compliance?
8.2.3 Monitoring and Senior management/ Show me your measures. How do you know these are the
and measurement of management Show me the trends in correct measures?
8.2.4 processes and performance. What is the information telling
product Show me the targets for each you?
process. How do you know that the
information is accurate?
How do the measures link to the
business objectives?
How do you manage the process
and identify cost and waste
efficiencies?
Give me an example.
8.3 Control of Management Show me the procedure How do you know that non-
non-conforming to control non-conforming conforming products are not
product product. reaching the customer or being
How do you make sure non- used?
conforming products do not What is the impact on the
get used accidentally? business if they are released
Do you keep records of non- accidentally?
conforming products? Why do you need records?
What do you do with them?
Then compare the answers from management and staff to make
a judgement.
Management How do you handle product How do you know that any
recalls? product recall would be handled
to protect both the customer and
the image of the organization?
performance? benefit to the business?
Does the information include How do you make
data on customer satisfaction? recommendations for
Does the information show improvement based on the
trends in performance against results achieved?
of improvements on the results
achieved?
How do you know that an
better next time?
it does?
mistake? unnecessary?
preventive actions?
[Flowchart]
1. Establish business objectives
2. Audit planning
Management system documents; ISO 9001:2008; ISO 14001; legal and statutory requirements
3. Carry out audit/verify action
4. Record observations
5. Generate audit report
6. Action required? (Yes)
7. Responsibility and timescales agreed
8. Action taken
9. Close audit
1. PURPOSE AND SCOPE
1.1 The purpose of this procedure is to ensure the company’s operational activities are
being carried out in accordance with the requirements of the management system and to
monitor compliance to external standards, including legal and statutory obligations. Where
omissions are highlighted this procedure ensures that appropriate timely action is taken in
2. AUDIT PLANNING
2.1 With reference to the current business objectives, previous audit results, and the
responsible for generating an annual audit plan covering all relevant elements of the
management system.
3. AUDITING
3.1 Audits are carried out by the assigned auditor using the following documents as the criteria
(e.g. ISO 9001:2008, ISO 14001, etc.), legal and statutory requirements, as appropriate.
3.2 During the audit the emphasis is placed on the witnessing of objective evidence to verify
that the management system procedures meet the requirements of any appropriate
externally originated standard and/or legal and statutory requirements and that they are
3.3 Any observations made during the course of the audit are recorded by the auditor in the
4. REPORTING
4.1 If an opportunity to improve or a problem is identified during the audit the auditor will
endeavour to agree suitable action and timescales for its completion, with the most
appropriate individual(s).
4.2 At the end of the audit the auditor completes an ‘audit report’ detailing their
observations and any action that may be necessary, including responsibility and timescales
for completion.
4.3 The completed audit report is circulated to all staff responsible for taking the action. It is
their responsibility to carry out the appropriate action by the agreed completion date. The
5. VERIFICATION OF ACTION
5.1 The action is verified by the management representative as part of the ongoing
audit plan for that activity or separately, as appropriate, to ensure that it has been
completed effectively.
5.2 When satisfied that the action has been completed and is effective the management
Process Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Managing contact centres
New business W+T
Client service W+T
Client service operations W+T
Contact centre W+T
Managing finances T
Managing facilities W C T
Marketing W C T
NOTE This audit schedule example is taken from an organization operating over three sites in Warrington, Thame and Crawley, hence the W+T+C, which indicate the
specific location to be audited.
References
International standards
ISO 9001:2008, Quality management systems – Requirements
ISO 19011, Guidelines for quality and/or environmental management systems auditing
ISO 14001, Environmental management systems – Specification with guidance for use