+ Sidebar

Auditing ISO 9001:2015 Without Documents

One of the most frequent…

One of the most frequent concerns raised by auditors about ISO 9001:2015 is how to audit a quality management system (QMS) that has little or no documentation. ISO 9001:2015 doesn’t include specific requirements for documented procedures and doesn’t require a quality manual. However, it does require “documented information” related to a number of requirements. Several of the new requirements: context of the organization (clause 4.1), actions to address risks and opportunities (clause 6.1), and organizational knowledge (subclause 7.1.6), have no such reference. So how can these “documentless” processes be audited?

ISO 9001:2015 defines an audit as a “systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” The standard defines audit criteria as a “set of policies, procedures or requirements used as a reference against which objective evidence is compared.” Finally, ISO 9001:2015 defines audit evidence as “records, statements of fact or other information, which are relevant to the audit criteria and verifiable.”

It may appear from these definitions that audit evidence and audit criteria must be documented. However, the key questions that come to mind when limited or no QMS documentation is available are:

  • How are audit criteria established?
  • What audit evidence is available to evaluate conformance?

The answer to these questions is found in understanding the QMS from the process approach and applying essential auditing skills.

Consider that every activity within an organization is a process that—by definition—takes inputs and converts them to an output typically of greater value through defined steps. Thus, the basic audit criteria for any process can then be derived through a set of process questions:

  • What is the desired output?
  • What input triggers action toward the desired output?
  • What steps are taken to transform the input to the output?

Every process must have a process owner who’s responsible for managing the process and its related outputs. Specifically, a process owner is responsible for:

  • Clearly identifying process output requirements
  • Determining process interfaces, including input triggers
  • Defining how the process is to be executed (process sequence and actions)
  • Establishing process performance goals
  • Evaluating potential process risks in achieving output requirements and process performance goals
  • Determining appropriate process and output controls
  • Identifying, obtaining, qualifying, and maintaining process resources
  • Monitoring ongoing process performance (process execution and outputs, both internal and external)
  • Changing/improving the process as necessary

Recognizing the process owner’s role makes it clear that audit criteria can be determined by interviewing the process owner. The process owner’s responses to the questions then become the basis for gathering the objective evidence to verify conformance to the stated audit criteria. This approach requires auditors to exercise several critical auditing skills:

  • Initiating the audit by interviewing the process owner to establish the audit criteria. This will challenge auditors to carefully listen to the process owner’s responses to audit questions and quickly organize this information into a process framework.
  • Be able to quickly develop open-ended audit questions based on the process owner’s response to the questions and gather relevant audit evidence from personnel working in the QMS process, including the process owner. This technique for gathering objective evidence is often referred to as corroboration.
  • Be capable of synthesizing auditee responses to determine alignment with audit criteria as described by the process owner and recognize relevant audit trails for exploring the sequence and interaction of QMS processes.

While this approach to auditing certainly depends heavily on auditors’ listening skills and ability to organize information, it also offers greater flexibility in the depth of questioning that can be pursued during an audit. The auditor is no longer limited to questions related to whatever is stated in QMS documentation.

This does mean a bit more work for the auditor—especially during the audit—and perhaps auditees will be nervous not having a script to follow when responding to auditors’ questions. However, the potential for exploring potential risks and opportunities related to QMS processes is much greater. These benefits will increase the value of audits and the information they can provide to process owners and the organization’s leadership in better utilizing their QMS for increased customer satisfaction and improved business performance.

About the author

Cathy Fisher is founder and president of Quistem LLC, which provides online and onsite management systems implementation, update, and assessment services for manufacturers and other industry sectors. Cathy has more than 30 years of respected auditing expertise, having led internal audit programs at many manufacturing organizations during her career. Cathy also has extensive experience conducting management system registration audits, as well as establishing supplier evaluation and development programs.

She has held numerous auditor certifications including ASQ CQA, RAB-Certified Quality Systems Auditor, and ISO/TS 16949 IATF-recognized auditor. She has conducted internal and external audits that total more than 1,000 audit days and trained hundreds of management systems professionals as auditors. Cathy is passionate about the value auditing can bring to organizations and enjoys mentoring the next generation of technical professionals to develop their auditor excellence.

The post Auditing ISO 9001:2015 Without Documents appeared first on The Auditor.

Guidance for SMEs Using ISO 9001 for Quality Management Just Released

ISO’s essential guide for small…

ISO’s essential guide for small and medium enterprises (SME) wishing to implement a quality management system (QMS) has just been updated, providing practical advice and concrete examples tailored specifically for small businesses.

ISO 9001:2015 for Small Enterprises  What to do? has just been updated to align with the newly revised version of one of ISO’s most popular standards, ISO 9001, Quality management systems – Requirements, updated in 2015.

The handbook was written by a group of experts from ISO/TC 176/SC 2, the technical subcommittee that developed ISO 9001:2015, and features useful information on everything from how to get started right through to guidance for those who choose to seek certification. It includes practical advice on the different ways of approaching a QMS as well as detailed guidance on each element of ISO 9001:2015.

Click here to preview the handbook.

Nigel Croft, Chairman of ISO/TC 176/SC 2, said: “This handbook recognizes that small businesses have different needs and challenges compared to large organizations, with different ways of working and often with limited resources. This handbook offers tailored advice to help them implement a quality management system that can truly be useful, and help them to improve their overall business performance.”

“It includes a step-by-step guide to implementing a QMS, providing sector-specific examples for different types of small businesses, such as consultancies, manufacturers, and distributors.”

ISO 9001:2015 for Small Enterprises  What to do? also provides a clear explanation of what a QMS is and how it can help organizations improve the quality of the work they do and the products and services they deliver, thereby improving the confidence of their customers and other stakeholders.

ISO 9001 is one of the world’s most widely used QMS standards, with over one million organizations certified to it in over 170 countries around the world.

ISO 9001:2015 and ISO 9001:2015 for Small Businesses  What to do? are available for purchase from your national ISO member and the ISO Store.

This article has been republished in full with permission from ISO.

The post Guidance for SMEs Using ISO 9001 for Quality Management Just Released appeared first on The Auditor.