Many new requirements in ISO 9001:2015 challenge auditors to look beyond typically prescribed audit evidence and explore the interconnected nature of an organization’s quality management system (QMS) processes. In addition, these new ISO 9001:2015 requirements can be considered from multiple levels of an organization. Figure 1 shows that there are five levels an organization can directly control.
The ISO 9001:2015 requirements can be viewed from this business ladder structure relative to defining and auditing the QMS activities. The business itself weaves the horizontal layers in a kind of tapestry. As an example, let’s consider ISO 9001:2015 requirement section 4.1 Understanding the organization and its context, which requires organizations to “Determine external and internal issues relevant to its purpose and its strategic direction.”
At the system level, this requirement can be considered from the standpoint of initially defining the QMS and its activities. For example, in defining the scope of an organization’s QMS, consideration is given to such external and internal issues, (illustrated in ISO 9001:2015 section 4.1). The external issues could include markets served and products and services offered. From an internal perspective, the organization’s technical competencies, available equipment, and location, etc., affect the definition of the organization’s QMS scope. Auditors look to the scope of an organization’s QMS to determine what technical expertise is required in auditing that organization’s QMS, as well as in anticipating the types of processes that would be included.
ISO 9001:2015 requirements can also be viewed from a strategic perspective, where the influence changes to the QMS at the system level. Looking at the “Context of the Organization” requirement again, the organization’s leadership would consider external and internal issues when formulating its business plan, whether this is long term (more than five) or near term (one to three years).
Certainly, changes in external and internal issues (refer to ISO 9001:2015 subsection 9.3.2, Management Review Inputs), could shape an organization’s strategic direction going forward. For instance, if new technology alternatives are quickly absorbing market share, the organization would need to consider whether to adopt such new technology or identify an alternative business strategy that may in turn change the scope of the organization’s QMS. Likewise, organizations faced with an aging work force internally need to consider succession planning and retention of organizational knowledge (refer to ISO 9001:2015 subsection 7.1.6) as part of their strategic direction. Auditors will find evidence of consideration for these changing external and internal issues in strategic/business planning discussions, management review results, and even annual reports for publicly traded companies.
For the Planning level of the business ladder, specific customer requirements may also drive external and internal issues that affect the organization’s QMS. If a customer were to request a new product that require the organization to perform extensive development activity, feasibility and risk consideration would highlight potential internal issues. This could include limitations in existing resources (refer to ISO 9001:2015 subsection 7.1.1) and external issues, such as availability of technology and employee competency to support the organization’s development process. Thus, connections between context of the organization, (which is discussed in ISO 9001:2015 section 4.1), actions to address risks and opportunities, (ISO 9001:2015 section 6.1), and operational planning and control (ISO 9001:2015 section 8.1), are recognized. Audit evidence at this level may include results from gathering customer and other project requirements and review of these requirements relative to the organization’s capabilities.
Considering external and internal issues from the process level of the business ladder, organizations encounter daily issues in their ability to consistently control their processes needed for producing products and/or delivering services (refer to ISO 9001:2015 subsection 8.5.1). Daily internal issues could include attendance of the work force—especially during cold and flu season, unexpected equipment breakdowns, or even a workplace fire or other disaster. External issues that affect an organization’s operations could include availability of material/inputs, especially if there is a supply shortage or disruptions in utility services such as electricity. Auditors can look for evidence of how organizations identify these issues, (ISO 9001:2015 section 6.1), communicate them (ISO 9001:2015 section 7.4), and act upon them (ISO 9001:2015 subsection 8.5.1).This evidence might be found in production schedules, daily operations meetings, or shift changeover activities.
Finally, external and internal issues can exist at the the product level of the business ladder, as well. For example, external issues could include near-term changes in customer demand affecting operating schedules and inventory levels. Recalls or other field events of competitors could also affect the sales of an organization’s product. Internal issues at the product level could include processing errors that generate a large quantity of nonconforming outputs (ISO 9001:2015 section 8.7), or inventory inaccuracies that affect availability of product for shipment to customers. These events are excellent triggers for selecting appropriate audit samples to evaluate the effectiveness of an organization’s QMS in consistently fulfilling customer requirements.
To adequately define and audit an organization’s QMS, the application of each ISO 9001:2015 requirement at these different business ladder levels should be considered. In doing so, the interaction of ISO 9001:2015’s requirements—and therefore an organization’s QMS processes—becomes apparent.
In addition, each of these processes along the business ladder that address ISO 9001:2015 requirements should also be viewed from the Plan-Do-Check-Act perspective. This is the “wrap” that holds the tapestry of the organization’s business ladder together.
Rather than viewing ISO 9001:2015’s requirements linearly or only relative to one level of the business, auditors can assist organizations in recognizing the tapestry these requirements weave for defining, implementing, maintaining, and improving their QMS which optimally should function at all levels of the business.
Challenge: Select any ISO 9001:2015 requirement. Identify what processes in your organization’s QMS relate to that requirement at each of the business ladder levels. Also consider what audit evidence would be available in these processes to support the selected ISO 9001:2015 requirement. Remember audit evidence can be tangible, observation, or statement of fact. Share your ideas in the comments below.
The post Auditing the Tapestry of ISO 9001:2015 Requirements appeared first on The Auditor.
One of the most frequent concerns raised by auditors about ISO 9001:2015 is how to audit a quality management system (QMS) that has little or no documentation. ISO 9001:2015 doesn’t include specific requirements for documented procedures and doesn’t require a quality manual. However, it does require “documented information” related to a number of requirements. Several of the new requirements: context of the organization (clause 4.1), actions to address risks and opportunities (clause 6.1), and organizational knowledge (subclause 7.1.6), have no such reference. So how can these “documentless” processes be audited?
ISO 9001:2015 defines an audit as a “systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” The standard defines audit criteria as a “set of policies, procedures or requirements used as a reference against which objective evidence is compared.” Finally, ISO 9001:2015 defines audit evidence as “records, statements of fact or other information, which are relevant to the audit criteria and verifiable.”
It may appear from these definitions that audit evidence and audit criteria must be documented. However, the key questions that come to mind when limited or no QMS documentation is available are:
- How are audit criteria established?
- What audit evidence is available to evaluate conformance?
The answer to these questions is found in understanding the QMS from the process approach and applying essential auditing skills.
Consider that every activity within an organization is a process that—by definition—takes inputs and converts them to an output typically of greater value through defined steps. Thus, the basic audit criteria for any process can then be derived through a set of process questions:
- What is the desired output?
- What input triggers action toward the desired output?
- What steps are taken to transform the input to the output?
Every process must have a process owner who’s responsible for managing the process and its related outputs. Specifically, a process owner is responsible for:
- Clearly identifying process output requirements
- Determining process interfaces, including input triggers
- Defining how the process is to be executed (process sequence and actions)
- Establishing process performance goals
- Evaluating potential process risks in achieving output requirements and process performance goals
- Determining appropriate process and output controls
- Identifying, obtaining, qualifying, and maintaining process resources
- Monitoring ongoing process performance (process execution and outputs, both internal and external)
- Changing/improving the process as necessary
Recognizing the process owner’s role makes it clear that audit criteria can be determined by interviewing the process owner. The process owner’s responses to the questions then become the basis for gathering the objective evidence to verify conformance to the stated audit criteria. This approach requires auditors to exercise several critical auditing skills:
- Initiating the audit by interviewing the process owner to establish the audit criteria. This will challenge auditors to carefully listen to the process owner’s responses to audit questions and quickly organize this information into a process framework.
- Be able to quickly develop open-ended audit questions based on the process owner’s response to the questions and gather relevant audit evidence from personnel working in the QMS process, including the process owner. This technique for gathering objective evidence is often referred to as corroboration.
- Be capable of synthesizing auditee responses to determine alignment with audit criteria as described by the process owner and recognize relevant audit trails for exploring the sequence and interaction of QMS processes.
While this approach to auditing certainly depends heavily on auditors’ listening skills and ability to organize information, it also offers greater flexibility in the depth of questioning that can be pursued during an audit. The auditor is no longer limited to questions related to whatever is stated in QMS documentation.
This does mean a bit more work for the auditor—especially during the audit—and perhaps auditees will be nervous not having a script to follow when responding to auditors’ questions. However, the potential for exploring potential risks and opportunities related to QMS processes is much greater. These benefits will increase the value of audits and the information they can provide to process owners and the organization’s leadership in better utilizing their QMS for increased customer satisfaction and improved business performance.
About the author
Cathy Fisher is founder and president of Quistem LLC, which provides online and onsite management systems implementation, update, and assessment services for manufacturers and other industry sectors. Cathy has more than 30 years of respected auditing expertise, having led internal audit programs at many manufacturing organizations during her career. Cathy also has extensive experience conducting management system registration audits, as well as establishing supplier evaluation and development programs.
She has held numerous auditor certifications including ASQ CQA, RAB-Certified Quality Systems Auditor, and ISO/TS 16949 IATF-recognized auditor. She has conducted internal and external audits that total more than 1,000 audit days and trained hundreds of management systems professionals as auditors. Cathy is passionate about the value auditing can bring to organizations and enjoys mentoring the next generation of technical professionals to develop their auditor excellence.
ISO’s essential guide for small and medium enterprises (SME) wishing to implement a quality management system (QMS) has just been updated, providing practical advice and concrete examples tailored specifically for small businesses.
ISO 9001:2015 for Small Enterprises – What to do? has just been updated to align with the newly revised version of one of ISO’s most popular standards, ISO 9001, Quality management systems – Requirements, updated in 2015.
The handbook was written by a group of experts from ISO/TC 176/SC 2, the technical subcommittee that developed ISO 9001:2015, and features useful information on everything from how to get started right through to guidance for those who choose to seek certification. It includes practical advice on the different ways of approaching a QMS as well as detailed guidance on each element of ISO 9001:2015.
Click here to preview the handbook.
Nigel Croft, Chairman of ISO/TC 176/SC 2, said: “This handbook recognizes that small businesses have different needs and challenges compared to large organizations, with different ways of working and often with limited resources. This handbook offers tailored advice to help them implement a quality management system that can truly be useful, and help them to improve their overall business performance.”
“It includes a step-by-step guide to implementing a QMS, providing sector-specific examples for different types of small businesses, such as consultancies, manufacturers, and distributors.”
ISO 9001:2015 for Small Enterprises – What to do? also provides a clear explanation of what a QMS is and how it can help organizations improve the quality of the work they do and the products and services they deliver, thereby improving the confidence of their customers and other stakeholders.
ISO 9001 is one of the world’s most widely used QMS standards, with over one million organizations certified to it in over 170 countries around the world.
This article has been republished in full with permission from ISO.
The post Guidance for SMEs Using ISO 9001 for Quality Management Just Released appeared first on The Auditor.