Process Management Auditing
for ISO 9001 :2008


Process Management Auditing for ISO 9001 : 2 008
Understanding ISO 9001 : 2 008 and Process-based Management Systems
Creating a Process-based Management System for ISO 9001 : 2 008 and beyond


Process Management Auditing
for ISO 9001 :2008

Rob Peddle and Ian Rosam
(The High Performance Organisation Group Ltd)


Process Management Auditing for ISO 9001 :2008

P ro cess M anagement Au diting

fo r

I SO 9 0 0 1 : 20 0 8

T his seco nd editio n p u b lished in the U K in 20 0 9

by
B SI
3 8 9 C hiswick High Ro ad

Lo ndo n W4 4AL

© B ritish Standards I nstitu tio n 20 0 9

F irst editio n p u b lished b y B SI in 20 0 3

I S BN 9 78 0 5 8 0 6 76 5 8 1

f

B SI re erence: B I P 20 1 5

A catalo gu e reco rd

fo r

this b o o k is availab le

fro m

the B ritish Lib rary.

C opyright subsists in all BSI publications. Except as permitted under the
C opyright, D esigns and Patents Act 1 9 88 no extract may be reproduced, stored
in a retrieval system or transmitted in any

form

or by any means – electronic,


photocopying, recording or otherwise – without prior written permission
I

f permission

from

BSI.

is granted, the terms may include royalty payments or a licensing

agreement. D etails and advice can be obtained

from

the Copyright Manager, British

Standards Institution, 3 89 Chiswick High Road, London W4 4AL.

G reat care has b een taken to ensu re accu racy in the co mp ilatio n and p rep aratio n
o

f

this p u b licatio n. Ho wever, since it is intended as a gu ide and no t a de

f

nitive


statement, the au tho rs and B SI canno t in any circu mstances accep t resp o nsib ility

fo r

the resu lts o

f

any actio n taken o n the b asis o

in the p u b licatio n no r

fo r

statu to ry rights.

Typ eset b y M o no lith – www. mo no lith. u k. co m

f

P rinted b y Ber o rts

f

f

the in o rmatio n co ntained

any erro rs o r o missio ns. T his do es no t a


ffect

yo u r


v

F o re wo rd: The au diting wo rld has change d –
Are yo u re ady?

The changes to ISO 9 0 0 1 : 20 0 0 no w co ntained in ISO 9 0 0 1 : 20 0 8 are relatively
mino r in natu re, bu t they have rein fo rced p ro cess management as a strategic
ap p ro ach to the management o f o rganizatio ns, bo th big and small. Ho wever,
maj o r events that hap p ened as the 20 0 8 versio n was b eing p u blished,
examp le, the

fnancial meltdo wn,

have rein fo rced so me key messages

ISO 9 0 0 1 . They have highlighted the

failure

fo r
fro m

o f traditio nal co mp liance based

auditing techniques to identi fy the risks being taken within management

systems and individual p ro cesses. These techniques were no t the o nly
bu t they co ntribu ted signi
which has been a bill

fo r

fcantly to the o verall o utco me,

failures,

the co nsequence o f

$ 1 , 0 0 0 , 0 0 0 , 0 0 0 , 0 0 0 o f aid p ump ed into the eco no my

by the main G 20 go vernments during late 20 0 8 and 20 0 9 . In terms o f co rrective
actio n that is so me co st!

O f co urse, j u st like third p arty registratio n o rganizatio ns, the large
co mp anies that

failed

had emp lo yed co mp etent and kno wledgeable p eo p le to

carry o u t the audits, to rep o rt

fndings to

the highest level, and who had the


backing o f p eo p le that co unted. They had senio r management, no n-execu tive
and executive directo rs who were very exp erienced. So what went wro ng? Why
was it that altho ugh the au dits were being carried o u t, they didn’t highlight the
risks that p eo p le were taking and get the message to tho se who needed to kno w
to allo w them to do so mething ab o ut it?

In sho rt, the au dito rs were p rimarily

fo cused

o n co mp liance and altho ugh

systems and p ro cesses co mp lied, it did no t make them e ffective. It was their
level o f e ffectiveness that

failed.

It’s the level o f e ffectiveness that we see and

exp erience and that p ro duces the o utco mes
In the end, o rganizatio ns are resp o nsible

fo r

fro m

what o rganizatio ns are do ing.

their o utco mes and the e ffect they



Process Management Auditing for ISO 9001 :2008

vi

have o n the wo rld aro u nd them, and their au diting sho u ld help them manage
the risks su rro u nding this.

So what do es this mean

fo r

u s as au dito rs? F o r o ne thing, it means

that we canno t j u st rely o n co mp liance and the checking o

f

reco rds. M o re

imp o rtantly, we have to u nderstand ho w p eo p le wo rk to gether to deliver these
o u tco mes, their b ehavio u r and the cu ltu re, as it is p eo p le who create risk no t
p ap er and co mp u ters. B u t ho w do we au dit b ehavio u r and aren’t we already
do ing this? O ne o
o

f

f


the key

fallacies

with the au diting indu stry is the nu mb er

o rganizatio ns and au dito rs that p ro mo te themselves and b elieve that they

are already assessing e

ffectiveness

– their marketing material is

fu ll

o

f

it. I n

f

reality this o ten o nly amo u nts to go o d co mp liance au diting rather than a real
assessment o

f e ffectiveness.

This is desp ite the b est intentio ns o


f

the au dito rs

co ncerned and an indu stry trying to mo ve b eyo nd co mp liance. I t is no t their

fau lt.
failed

I t is the au diting p ro cess that has b een
and so

far

very

few

fo llo wed fo r

so many years that has

have really addressed this p ro b lem, b u t tried to b ase

new metho ds o n what has limitatio ns – co mp liance au diting.

I t is against this b ackgro u nd that this b o o k has b een u p dated. I t has b een
written to help au dito rs ado p t so u nd au diting p ractices that wo rk and to help
them au dit e


ffectiveness

as well as co mp liance. Au diting b ehavio u rs and cu ltu re,

which is u ltimately where we b elieve au diting will end u p , requ ires advanced
au diting skills that are o u tside the sco p e o
create the gro u ndwo rk

fo r

f

this b o o k. This b o o k will, ho wever,

them, as the p rincip les co vered here are the b asis o

these mo re advanced techniqu es. I

f

yo u

feel

f

yo u wo u ld like to kno w ho w to

au dit b ehavio u rs then p lease email the au tho rs who can p ro vide case stu dies and

examp les o

f

o rganizatio ns that are already ado p ting the ap p ro ach at:

I an. ro sam@the-hp o . co m
Ro b . p eddle@the- hp o . co m


C ontents

Introduction

1

•
We
introduce
the
challenge
that
auditors
face
to
develop
the
co mp etences requ ired to e

ffectively


au dit against the new

I SO 9 0 0 1 : 20 0 8 S tandard and the ever increasing demands o
b u siness

fo r

au diting activity to add mo re valu e. We examine the

o p p o rtu nities availab le

1.

f

fo r

the

fo rward

thinking au dito r.

Putting the p rocess ap p roach into context

5

•
A

quick
overview
of
the
process
approach
to
ensur that
we
have a co mmo n u nderstanding o

f

f

the b asic termino lo gy b e o re

develo p ing o u r au diting skills, kno wledge and co mp etences.

2.

The requirements o f IS O 9 0 01 : 2 008 – An auditor’s p ersp ective

9

•
T he
eight
key
principles

of
ISO
9001:2008
and
the an,
do,
check, act metho do lo gy are the basic techniqu es that

fo u ndatio n

o

f the

e

ffective

fo rm

the

audito r. A clear u nderstanding o

f

these

and ho w they can be ap p lied to a business will help the audito r
stru cture their au diting ap p ro ach bo th at system and p ro cess level.


3.

The system-p rocess-p rocedure relationship

17

•
T he
primary
role
of
a
process
management
auditor to
discover
to what extent the p ro cess is b eing managed and what e
this has o n the achievement o

f

ffect

f

b u siness o b j ectives. B e o re we

can u ndertake any p ro cess management au dit we mu st


f

rst

ap p reciate ho w a management system wo rks and the interactio ns
that go o n b etween the o verall system, p ro cesses and p ro cedu res.


Pro ce s s M anage me nt Au diting

fo r

IS O 9 0 0 1 : 2 0 0 8

viii

4.

Auditing to o ls and te chnique s

21

•
With
the
fundamentals
that
make a
management
system

understo o d, we no w turn o ur attentio n to the detail o f ho w yo u
sho uld actually co ndu ct an au dit starting with the to o ls and
techniqu es that can be emp lo yed.

5.

Planning and p re p aring a p ro ce s s audit

31

•
Auditing
is
80
per
cent
preparation and
20
per
cent
actual
auditing, which so unds like a bit o f an o ld wives’ tale until yo u
actually carry o ut an audit and then yo u realize j ust ho w true it is!

6.

C arrying o ut a p ro ces s audit – C o mp liance vs e

ffe ctive ne s s


38

•
S tarting
with
the
managing
director will
help
put
the
process
and
system into the co ntext o f the bu siness that yo u are au diting.
O nce this o ften daunting step is co mp leted it will

feed

the

au diting o f the p ro cess’ o wners and teams in o rder to assess
the e ffectiveness o f the management system in relatio n to the
business o bj ectives.

7.

f

I de nti ying and re p o rting


f

ndings – M o ving b e yo nd co mp liance

44

•
What
are
the
objectives
of
your
audit report?
A
straightforward
eno ugh qu estio n, but ho w many audito rs actu ally ask themselves
this be fo re they write and p resent their rep o rt?

8.

As s e s s ing imp ro ve me nts

50

•
The
auditor’s
role
is

not
to
identify w
improvements
should
take place or what the organization should do. It is to provide
in formation to management on areas o f risk or where opportunities

for

improvement exist with an explanation that outlines the

potential impact on the organization if these are addressed.

9.

What p e rs o nal attrib u te s do audito rs ne ed?

53

•
Auditing
is
a
skill
and
like
any
other skill
needs

practice
to
hone
it. It invo lves an ability to evalu ate o r learn

fro m

the exp erience,

sub sequently changing the auditing style o r ap p ro ach to add
mo re valu e to the activity.


C o nte nts

ix

fo rward

1 0.

C o nclu s io n and the way



• I
n
this
book
we

cover
the
basic
principles
of
au diting,
and
these
need time and p ractice to b e e

63

ffective fo r

the reader to tru ly

u nderstand the p rincip les invo lved. I n o ther wo rds reading the
b o o k witho u t the p ractice will no t b u ild co mp etence. We o u tline
ways in which au dito rs can

fu rther

b u ild their co mp etence in

o rder to add mo re valu e to o rganizatio ns.

Ap p endix 1 .




E xamp le au dito r qu es tio ns

73

• T

his
appendix
seeks
to
provide
some
example
questions
based
o n the ap p ro aches u sed. The examp les are gro u p ed b y the
relevant I S O 9 0 0 1 : 20 0 8 clau se

fo r

ease o

f

f

re erence, to gether with

qu estio ns that co u ld b e asked to demo nstrate co mp liance alo ng
with tho se that seek to test e


f

Re e re nce s

ffectiveness.

95



1

Introduction
Has something changed?
2008 saw the release o
ticking

fo r

f the

new ISO 9 001 : 20 08 Standard and started the clo ck

o rganizatio ns already registered to its 200 0 p redecesso r to make the

transitio n to the new Standard. At the same time the clo ck also started ticking

fo r


audito rs to beco me co mpetent to audit against this new Standard. Altho ugh o nly a
relatively mino r change
and audito rs have no t

fro m

fully

the 200 0 versio n, the

fact

is that many o rganizatio ns

implemented the intentio n o

f the

20 00 versio n. This

f

new update there o re allo ws this to be reviewed, and any sho rtco mings to be
addressed witho ut the need to also address o ther signi

T here was a mixed resp o nse to the issu e o

f

f


cant changes.

I SO 9 0 0 1 : 20 0 0

fro m

b u sinesses and au dito rs alike. B u sinesses welco med the new versio n o

b o th

f

the

Standard and as a resu lt qu estio ned the ro le internal and external au dito rs
sho u ld p lay. The u p date emp hasized the need

fo r

mo re added valu e to the

service au dito rs generally p ro vide. Au dito rs o n the o ther hand also welco med

f

the new Standard b u t u n o rtu nately many have no t no ticeab ly changed their
ap p ro ach to the au dits they co ndu ct. The 20 0 8 versio n adds mo re p ressu re o n
them to do so .


T he resu lt o
stand-o

ff

f

this di

fference

b etween exp ectatio n and p ractice is a virtu al

f

b etween au dito rs and b u siness that has le t p eo p le

and in many cases extremely

feeling

f

co n u sed

fru strated.
f

T his b o o k is aimed at p eo p le who wish to cu t thro u gh this co n u sio n
and gain a b etter u nderstanding o


f

the o verall ap p ro ach requ ired

management au diting u sing I SO 9 0 0 1 : 2 0 0 8 .

fo r

p ro cess


Process Management Auditing for ISO 9001 :2008

2
This book attempts to explain:

• what business should expect from auditors;
• what auditors should expect from business;
• the actual role o f an auditor in today’s process driven business environment;
and

• the key competences required to audit process management.
For those who fully adopted the need to audit both compliance and
e ffectiveness, and the reporting o f business risk as a result o f it, this book will
hope fully give them some additional tips. For those who have not, this will be
the start o f a learning experience that should make them a much more valuable
resource to their organizations. It will also help them to secure their own future
as a valuable resource to support the e ffective delivery o f business goals.


Auditors and the business – A partnership?
So from what has been said so far, you can already see that the relationship
between auditor and business must really be seen as a partnership, i f the true
value to the business is to be realized. When this relationship is working
e ffectively there is the potential for the ‘auditor–business’ relationship to become
a powerful tool to drive the business towards the achievement o f its obj ectives.
It should not be about the auditors telling the business what it already knows.
The two key factors for this win–win partnership to succeed are:

• a competent auditor; and
• strong business leadership willing to learn and to improve the organization.
I f either o f these two factors are missing then the value o f auditing to the business
is signif cantly reduced (see Figure I. 1 ) .

Challenges facing auditors and businesses alike
ISO 9001 : 2000 and hence ISO 9001 : 2008 have radically changed, the implications
o f which have had signif cant impact on businesses and auditors alike.
The fundamental shi ft towards process management and away from
procedural compliance requires a completely di fferent approach when it comes
to auditing. It also requires a signi f cant change in the associated competences o f
an auditor i f they are to audit process management e ffectively.
Businesses need to understand the importance ISO 9001 : 2008 places on
the senior management to lead an organization from the front through obj ective


I ntro du ctio n

3

setting, key process identi f cation, allocation o f process ownership, performance

monitoring and improvement.
Auditors have to understand how a business operates and, if they are to
be effective as auditors in this ‘new world’, how to gather information about the
organization’s effectiveness and how their

fndings need to be reported to add value

to the business. O ften the failure o f auditors to understand this basic requirement
is the prime reason why they can fail to meet expectations (see Figure I. 1 ) .
The challenge for auditors to understand how businesses operate and how
they, as auditors, can add value, is one that auditors must rise to i f they are to
continue to support businesses e ffectively. Many will have to set aside old values
and belie fs about auditing compliance based systems, change the way they look
and view obj ective evidence and look to learn new skills in order to become
competent process management auditors.

Trad i ti on al au d i torbu si n ess rel ati on sh i p

Standards and
frameworks
Au d i tor focu sed on
com pl i an ce on l y

Bu si n ess focu sed on
obj ecti ves

Customer and
stakeholder needs

Au d i tor-bu si n ess

partn ersh i p approach

Standards and
frameworks
supporting the
business

F igu re I . 1

Au d i tor focu sed on
th e bu si n ess
Bu si n ess focu sed

Customer and
stakeholder needs

on obj ecti ves

T he audito r–b u s ines s relatio ns hip



5

1.

Putting the p ro ces s ap p ro ach into co ntext

What is a p ro ces s -b as ed management s ys tem?


This b o o k will no t make any attemp t to describ e in detail p ro cess-based
management systems as o ther bo o ks within this series co ver this in mo re dep th
than we co u ld ho p e o r want to do here. Ho wever, a qu ick o verview is ap p ro p riate
to ensu re that we have a co mmo n u nderstanding o

f the

b asic termino lo gy.

What is a management s ys tem?

A defned framework o f key business processes working together to achieve
the stated business objectives, and customer and other stakeholder needs.

T he examp le in F igu re 1 . 1 is taken

fro m

a real o rganizatio n and describ es, at a

high level, the p ro cesses that go to make u p its o verall b u siness management
system. I t is p ertinent to the o rganizatio n itsel

f

and u ses a langu age and layo u t

that can b e easily u ndersto o d b y cu sto mers and sta

ff


alike. Typ ically this wo u ld

b e describ ed in the o rganizatio n’s qu ality manu al.

The p ro ces s , a de

f

nitio n:

An activity or series o f joined-up activities that convert(s) an input into an
output (adding value through the process).


Pro ces s M anageme nt Auditing

fo r

IS O 9 0 0 1 : 2 0 0 8

6

Understand
stakeholder and
market needs
Improving our
performance

Developing our

business objectives

Managing our
finances
Developing
our staff

Measuring and
evaluating our
performance

Generate and win
business

Managing projects
Supplying parts
Managing service
support

F igure 1 . 1

I

f

E xamp le management s ys tem

the b u siness management system identi

needs, then p ro cess de


f

f

es what p ro cesses the o rganizatio n

nitio ns o r p ro cess map s de

f

ne the mechanism/activities

the o rganizatio n is requ ired to co mp lete in o rder to achieve its stated o b j ectives
to

fu l f l

cu sto mer and stakeho lder needs. See F igu re 1 . 2

fo r

an examp le o

f

a

p ro cess map .


Pro ces s management, a de

The e

ff

ectiv e co ntro l o

f

f

nitio n:

a s eries

o

f

activ ities

that co nv erts

w hils t b o th adding v alue and co ntinually imp ro v ing its

inp uts into o utp uts

p er


f

o rmance related

to the o utco mes req uired.

P u t ano ther way, i

f

we are to manage a p ro cess e

ffectively

we need to p lan and

imp lement its delivery u sing the ap p ro p riate equ ip ment, kno wledge, etc. and

f

f

measu re its p er o rmance against targets. T hese p er o rmance measu res are b ased
o n the p u rp o se o

f

f

f


the p ro cess and b y measu ring against these we can identi y

gap s in p er o rmance, which can

fo rm

the b asis

fo r

imp ro vement activity. T he


Putting the p rocess ap p roach into context

7

Approva l of i ssu e

aim is to analyse the actual results achieved (compared against the target), to
learn from the information and trends created and to use information as a basis
for actions for change or improvement. More details on process management
and indeed systems thinking can be found in books 1 and 2 o f this series ( for
details on these, see the References chapter at the end o f this book).
As a process management auditor we need to test how effectively this is
taking place!

No


D i re c to rs

I d e n ti fy we b s i te
Ap pro ve ?
Ye s

e n h an ce m e n t

B ri e f websi te s u ppl i e r,
O p e rat i o n s D i re c to r

o btai n s pec an d co s ts

M o n i to r d e ve l o p m e n t
ag ai n s t s p e c

U s e r tes t u pd ate a n d

Arran g e a n y p ro b l e m s
B ack u p P C we e kl y
to b e reso l ved , te s t

re po rt fi n d i n g s to

O p e rat i o n s M an ag e r

O p e rati o n s D i re c to r

an d
an d


arran g e b ac k u p

ad vi s e e ve ryo n e
o f we bs i te

M odi fi ca ti on s:

a ffe ct e d

I d e n ti fy a n I T pro bl em
an d re p o rt

F igure 1 . 2

Examp le p rocess map

Auditing a p rocess-based management system

Prior to any attempt to carry out a process management audit you must frst
understand the principles o f the process-based management system and the
context in which processes are managed.
Processes do not operate in isolation, they are linked together to form an
overall management system. This management system provides the framework
for the organization to:
customer and stakeholder needs;
the constraints, regulations and other infuences placed on
the business;

BSI /PM : Si obh a n Fi tzgera ld


• understand
• understand

BI P 201 5

Da te: 04/08/2009

Al l s taff

Fi le n a m e: 2009-01 73 0_1 .2.eps


Process Management Auditing for ISO 9001 :2008

8
• develo p
• de f ne

its b u siness p lan and/o r o b j ectives;

and imp lement its co re and su p p o rt p ro cesses;

• estab lish
• analyse

f

its key p er o rmance indicato rs o r measu res; and


f

its p er o rmance and make imp ro vements in o rder to achieve its

b u siness p lan and/o r o b j ectives.

As an au dito r yo u have to u nderstand these p rincip les in o rder to carry o u t a

f

su ccess u l au dit and maximize the valu e o

f

yo u r au dit rep o rt to the o rganizatio n.

T he p rincip les ab o ve relate to a system and are tested b y carrying o u t a ‘systems
management au dit’ . I n this b o o k we are co ncerned with ‘p ro cess management

f

au dits’ and there o re the p rincip les are at a lo wer level b u t still

fo llo w

the same

general ap p ro ach, to :

• u nderstand


the p u rp o se o

• u nderstand

inp u ts and o u tp u ts and the o b j ectives o

• de f ne

f

the p ro cess;

the step s o r activities o

• estab lish
• analyse

p ro cess e

ff ciency

f

f

the p ro cess;

the p ro cess;


and e

ffectiveness

measu res; and

f

p ro cess p er o rmance and make imp ro vements b ased o n this.

What the organization wants
An au dito r sho u ld no t b e u nder any illu sio ns that the o rganizatio n is o nly
lo o king

fo r

an au dit rep o rt co ntaining detailed

f

ndings o n the o rganizatio n’s

co mp liance to I SO 9 0 0 1 : 20 0 8 . T hey are mo st certainly no t, as there is mu ch
mo re that they no w exp ect.

What the o rganizatio n really wants is a rep o rt
the imp act o n the o rganizatio n o

f


the

f

fro m

the au dito r describ ing

ndings in relatio n to co mp liance with

I S O 9 0 0 1 : 2 0 0 8 . I n o ther wo rds the o rganizatio n’s viewp o int is that:

• b u siness
• the

co mes

f

rst and the Standard seco nd;

au dito r is u sing I SO 9 0 0 1 : 20 0 8 as a management to o l, a gu idance

do cu ment that describ es activity; and

• f ndings

against the Standard need to b e interp reted into o rganizatio nal

langu age and their imp act highlighted.


T he au dit rep o rt is

fo r

f

management u se as in o rmatio n to help highlight

f

imp ro vement o p p o rtu nities and to identi y risks to the b u siness. The
management are mo re likely to resp o nd p o sitively to yo u r rep o rt i

fo cu sed,

as they can clearly see the b ene

imp ro vements reco mmended.

f

f

it is b u siness

ts to the b u siness o n making any


9


2.

T he requ irements o

f IS O

9 0 0 1 : 2 0 0 8 – An

au dito r’s p e rs p ective

T he p rincip le s b e hind I S O 9 0 0 1 : 2 0 0 8

Do you know the eight key principles at the heart o f ISO 9001 : 2008 and
what the ‘PDCA’ methodology is? I f the answer is no, then you need to learn
them quickly and thoroughly i f you are going to be a competent auditor (see
Table 2. 1 ) . These are the basic principles that will form the foundation o f
your auditing technique, and are shown in Section 0. 2 in the introduction to
ISO 9000: 2000. They are what di fferentiates a success ful organization from one
that is not, and form the foundation o f ISO 9001 : 2008.

Tab le 2 . 1

T he e ight p rincip les b e hind I S O 9 0 0 1 : 2 0 0 8

Principle
Customer focus

What it means
Understanding what customers need and expect from the organization

as a whole and not just from an individual request or order

Leadership

M anagement (anyone responsible for the activity o f others) at all
levels creating and maintaining an environment aimed at achieving the
business objectives in which others can operate

Involvement of people

Ensuring that all are involved in order that their abilities can be used
and enhanced to maximum benef t for themselves and the organization


Process Management Auditing for IS O 9001 : 2008

10

Principle
Process approach

What it means
Obj ecti ves are m ore l i kel y to be ach i eved wh en acti vi ti es are seen ,

u n d erstood an d m an aged th rou gh processes an d resou rces al i gn ed

accord i n gl y

Systems approach to


I d en ti yi n g th e i n d i vi d u al bu si n ess processes an d ord eri n g th em so

management

th at th ey d el i ver resu l ts an d obj ecti ves e

f

ff ci en tl y

an d e

ffecti vel y

Continual

I m provi n g bu si n ess per orm an ce sh ou l d be th e obj ecti ve o

improvement

organ i zati on – i t m u st i m prove an d ch an ge over ti m e

Factual approach to

E

decision making

an d n ot pu rel y on a


f

ffecti ve

f

an y

f

d eci si on s are based on i n orm ati on th at h as been an al ysed

feel i n g

o

f

wh at n eed s to be d on e

Mutually benefcial

E n h an ced val u e i s created by worki n g cl osel y wi th su ppl i ers th at can

supplier relationships

a

ffect


1

+

1

you r d el i verabl es an d n ot agai n st th em – i t i s real l y a case o

=

f

3!

The Plan, Do, C heck, Act methodology (PDC A)
T he P D C A metho do lo gy o r cycle is the o ther key p rincip le o

f

I SO 9 0 0 1 : 20 0 8

and its ap p licatio n mu st b e evident within the o rganizatio n at b o th system
level and within individu al p ro cesses. I t can b e describ ed as in Tab le 2. 2, and
visu alized as in F igu re 2. 1 .

Table 2. 2 PDC A methodology

Plan

E stabl i sh th e obj ecti ves an d processes n ecessary to d el i ver resu l ts i n accord an ce


wi th cu stom er req u i rem en ts an d bu si n ess obj ecti ves an d pol i ci es

Do

I m pl em en t th e processes

Check

M on i tor an d m easu re processes agai n st obj ecti ves, pol i ci es an d req u i rem en ts an d

report th e resu l ts

Act

f

Take acti on to con ti n u al l y i m prove process per orm an ce


P 201 5

T he re qu ire me nts o

f IS O

9 0 0 1 : 2 0 0 8 – An au dito r’s p e rs p e ctive

f IS O


There is a danger that i

9001 : 2008

f audito rs fail

to grasp the

fu ndamental

p rincip les o

f

ISO 9 0 0 1 : 20 0 8 they will undermine what they are trying to achieve, and increase
the p o ssibility o

f reducing

basic requ irement
the detail o

fact

f I SO

fo r

the added value they can bring to the business. This


Si gn a tu re:

M aking s e ns e o

Approva l of i ssu e

11

audito rs to understand the p rincip les b ehind it, no t j ust

9 0 0 1 : 20 0 8 seems o bvio us, but exp erience to date highlights the

that the maj o rity o

f audito rs

do no t grasp these basic p rincip les. As a result,

there are huge variatio ns in the p ercep tio n business has o

ffective

ISO 9 0 0 1 : 20 0 8 is

auditing can bring to them.

D a te:

abo ut and the value that e


f what

Ch eck 1

Act 2

Do 2

Ch eck 2

cycle

When yo u read I S O 9 0 0 1 : 20 0 8 yo u read it clau se b y clau se and as yo u read
it yo u so o n realize o ne sectio n ru ns into ano ther and is linked to many mo re,
which is why, as an au dito r, it is imp o ssib le to au dit I SO 9 0 0 1 : 20 0 8 sectio n b y

Opera tor: N ora D a wson 77 69

f PD C A

D epa rtm ent:

Vis u al rep res e ntatio n o

Da te: 04/08/2009

F igure 2 . 1

BSI /PM : K PARKI N SON


Con ti n u al bu si n ess i m provem en t

M odi fi ca ti on s:

Do 1

M odi fi ca ti on s:

Act 1

Th e fu tu re

Pl an 2

Pl an 1

sectio n, it has to b e au dited almo st in its entirety to make any sense.

Fi le n a m e: 2009-01 7 30_2.1 .eps


Process Management Auditing for ISO 9001 :2008

12

Let’s give yo u an examp le. When trying to estab lish ho w a p ro cess o wner

f

manages and mo nito rs the p er o rmance o


• links

inp u ts;

• p ro cess

o u tp u ts;

f

p ro cess itsel ;

• links

to o ther p ro cesses;

• in fo rmatio n/p ro cedu res
• cu rrent
• p eo p le
f

requ ired to su p p o rt p ro cess activities;

f

p ro cess p er o rmance;

• imp ro vement


I

their p ro cess yo u need to test:

to the o verall b u siness o b j ectives;

• p ro cess
• the

f

activities; and

invo lved in the p ro cess.

yo u test tho se areas listed in the p aragrap h ab o ve then yo u are also go ing to b e

testing the

fo llo wing

• 4. 2

D o cu mentatio n requ irements;

• 4. 2. 1

G eneral;

• 4. 2. 3


C o ntro l o

f

do cu ments;

f

reco rds;

clau ses o

f

I SO 9 0 0 1 : 20 0 8 :

• 4. 2. 4

C o ntro l o

•5

M anagement resp o nsib ility;

• 5.1

M anagement co mmitment;

• 5.2


C u sto mer

• 5.3

Qu ality p o licy;

• 5 . 4. 1

Qu ality o b j ectives;

• 5 . 4. 2

Qu ality management system p lanning;

• 5. 5. 1

Resp o nsib ility and au tho rity;

• 5. 5. 2

I nternal co mmu nicatio n;

• 5.6

M anagement review;

• 6. 1

P ro visio n o


• 6. 2

Hu man reso u rces;

• 6. 3

I n rastru ctu re;

• 6. 4

Wo rk enviro nment;

•7

P ro du ct realizatio n; and

•8

M easu rement, analysis and imp ro vement.

fo cu s;

f

reso u rces;

f

P u t it ano ther way, a b usiness do es no t o p erate as a series o


f

sectio ns so there o re it mu st

fo llo w

f

u nco nnected

that yo u canno t au dit it as a series o

f

sep arate

sectio ns. U nderstanding the key p rincip les b ehind I SO 9 0 0 1 : 20 0 8 allo ws yo u to
b e mo re relaxed in yo u r audit ap p ro ach. Instead o

f

wo rrying ab o u t the detailed

co mp liance to every single sectio n in I SO 9 0 0 1 : 20 0 8 yo u sho u ld b e lo o king
the ap plicatio n o

f

the p rincip les. Yo u are then ab le to assess the e


these linkages and the e

ffect

f

they have o n the p er o rmance o

what they are designed to deliver.

f

fo r

ffectiveness

o

the p ro cess, i. e.

f


The requirements o f ISO 9001 :2008 – An auditor’s perspective

13

A question o f compliance?
Compliance with what? Does it comply with:


• the six mandatory procedures (see the next list) ?
• the eight principles?
• the PDCA cycle?
The meaning o f the word ‘compliance’ conj ures up images o f rigid procedures
that must be worked to by the letter. However, when you read ISO 9001 : 2008 it
re fers to the need for documented procedures in only six places. These are for:

• control o f documents;
• control o f records;
• internal audit;
• control o f non-con forming product;
• corrective action; and
• preventive action.
You must assume from this that ISO 9001 : 2008 is e ffectively allowing an
organization to decide for itsel f what, i f any, activities it provides written
procedures to support.
Going back to our question o f compliance, then yes, this is obviously very
easy to check as the evidence will be in the form o f documented procedures for
the six areas identi f ed above. We can check that they are being applied, thus
complying with the requirements o f ISO 9001 : 2008.
So what happens if the organization decides not to document any other
procedures to support its process activities, can it still comply with ISO 9001 : 2008?
The answer is very clearly yes, provided it can also demonstrate compliance with
the eight principles and the PDCA cycle.

What is obj ective evidence?
Compliance to the eight principles and the PDCA cycle is unlikely to be
demonstrated through the evidence found in documented procedures, but more
than likely from subj ective evidence drawn from interviews with management

and sta ff alike. We must there fore conclude that obj ective evidence can be in
both documented and non-documented format.
Auditors have to come to terms with the fact that although they might
like to see evidence documented, as this gives them a sense o f reassurance, the
likelihood is that much evidence may well not be documented and they will
have to assess the organization accordingly.