Process Management Auditing
for ISO 9001 :2008
Process Management Auditing for ISO 9001 : 2 008
Understanding ISO 9001 : 2 008 and Process-based Management Systems
Creating a Process-based Management System for ISO 9001 : 2 008 and beyond
Process Management Auditing
for ISO 9001 :2008
Rob Peddle and Ian Rosam
(The High Performance Organisation Group Ltd)
Process Management Auditing for ISO 9001 :2008
P ro cess M anagement Au diting
fo r
I SO 9 0 0 1 : 20 0 8
T his seco nd editio n p u b lished in the U K in 20 0 9
by
B SI
3 8 9 C hiswick High Ro ad
Lo ndo n W4 4AL
© B ritish Standards I nstitu tio n 20 0 9
F irst editio n p u b lished b y B SI in 20 0 3
I S BN 9 78 0 5 8 0 6 76 5 8 1
f
B SI re erence: B I P 20 1 5
A catalo gu e reco rd
fo r
this b o o k is availab le
fro m
the B ritish Lib rary.
C opyright subsists in all BSI publications. Except as permitted under the
C opyright, D esigns and Patents Act 1 9 88 no extract may be reproduced, stored
in a retrieval system or transmitted in any
form
or by any means – electronic,
photocopying, recording or otherwise – without prior written permission
I
f permission
from
BSI.
is granted, the terms may include royalty payments or a licensing
agreement. D etails and advice can be obtained
from
the Copyright Manager, British
Standards Institution, 3 89 Chiswick High Road, London W4 4AL.
G reat care has b een taken to ensu re accu racy in the co mp ilatio n and p rep aratio n
o
f
this p u b licatio n. Ho wever, since it is intended as a gu ide and no t a de
f
nitive
statement, the au tho rs and B SI canno t in any circu mstances accep t resp o nsib ility
fo r
the resu lts o
f
any actio n taken o n the b asis o
in the p u b licatio n no r
fo r
statu to ry rights.
Typ eset b y M o no lith – www. mo no lith. u k. co m
f
P rinted b y Ber o rts
f
f
the in o rmatio n co ntained
any erro rs o r o missio ns. T his do es no t a
ffect
yo u r
v
F o re wo rd: The au diting wo rld has change d –
Are yo u re ady?
The changes to ISO 9 0 0 1 : 20 0 0 no w co ntained in ISO 9 0 0 1 : 20 0 8 are relatively
mino r in natu re, bu t they have rein fo rced p ro cess management as a strategic
ap p ro ach to the management o f o rganizatio ns, bo th big and small. Ho wever,
maj o r events that hap p ened as the 20 0 8 versio n was b eing p u blished,
examp le, the
fnancial meltdo wn,
have rein fo rced so me key messages
ISO 9 0 0 1 . They have highlighted the
failure
fo r
fro m
o f traditio nal co mp liance based
auditing techniques to identi fy the risks being taken within management
systems and individual p ro cesses. These techniques were no t the o nly
bu t they co ntribu ted signi
which has been a bill
fo r
fcantly to the o verall o utco me,
failures,
the co nsequence o f
$ 1 , 0 0 0 , 0 0 0 , 0 0 0 , 0 0 0 o f aid p ump ed into the eco no my
by the main G 20 go vernments during late 20 0 8 and 20 0 9 . In terms o f co rrective
actio n that is so me co st!
O f co urse, j u st like third p arty registratio n o rganizatio ns, the large
co mp anies that
failed
had emp lo yed co mp etent and kno wledgeable p eo p le to
carry o u t the audits, to rep o rt
fndings to
the highest level, and who had the
backing o f p eo p le that co unted. They had senio r management, no n-execu tive
and executive directo rs who were very exp erienced. So what went wro ng? Why
was it that altho ugh the au dits were being carried o u t, they didn’t highlight the
risks that p eo p le were taking and get the message to tho se who needed to kno w
to allo w them to do so mething ab o ut it?
In sho rt, the au dito rs were p rimarily
fo cused
o n co mp liance and altho ugh
systems and p ro cesses co mp lied, it did no t make them e ffective. It was their
level o f e ffectiveness that
failed.
It’s the level o f e ffectiveness that we see and
exp erience and that p ro duces the o utco mes
In the end, o rganizatio ns are resp o nsible
fo r
fro m
what o rganizatio ns are do ing.
their o utco mes and the e ffect they
Process Management Auditing for ISO 9001 :2008
vi
have o n the wo rld aro u nd them, and their au diting sho u ld help them manage
the risks su rro u nding this.
So what do es this mean
fo r
u s as au dito rs? F o r o ne thing, it means
that we canno t j u st rely o n co mp liance and the checking o
f
reco rds. M o re
imp o rtantly, we have to u nderstand ho w p eo p le wo rk to gether to deliver these
o u tco mes, their b ehavio u r and the cu ltu re, as it is p eo p le who create risk no t
p ap er and co mp u ters. B u t ho w do we au dit b ehavio u r and aren’t we already
do ing this? O ne o
o
f
f
the key
fallacies
with the au diting indu stry is the nu mb er
o rganizatio ns and au dito rs that p ro mo te themselves and b elieve that they
are already assessing e
ffectiveness
– their marketing material is
fu ll
o
f
it. I n
f
reality this o ten o nly amo u nts to go o d co mp liance au diting rather than a real
assessment o
f e ffectiveness.
This is desp ite the b est intentio ns o
f
the au dito rs
co ncerned and an indu stry trying to mo ve b eyo nd co mp liance. I t is no t their
fau lt.
failed
I t is the au diting p ro cess that has b een
and so
far
very
few
fo llo wed fo r
so many years that has
have really addressed this p ro b lem, b u t tried to b ase
new metho ds o n what has limitatio ns – co mp liance au diting.
I t is against this b ackgro u nd that this b o o k has b een u p dated. I t has b een
written to help au dito rs ado p t so u nd au diting p ractices that wo rk and to help
them au dit e
ffectiveness
as well as co mp liance. Au diting b ehavio u rs and cu ltu re,
which is u ltimately where we b elieve au diting will end u p , requ ires advanced
au diting skills that are o u tside the sco p e o
create the gro u ndwo rk
fo r
f
this b o o k. This b o o k will, ho wever,
them, as the p rincip les co vered here are the b asis o
these mo re advanced techniqu es. I
f
yo u
feel
f
yo u wo u ld like to kno w ho w to
au dit b ehavio u rs then p lease email the au tho rs who can p ro vide case stu dies and
examp les o
f
o rganizatio ns that are already ado p ting the ap p ro ach at:
I an. ro sam@the-hp o . co m
Ro b . p eddle@the- hp o . co m
C ontents
Introduction
1
•
We
introduce
the
challenge
that
auditors
face
to
develop
the
co mp etences requ ired to e
ffectively
au dit against the new
I SO 9 0 0 1 : 20 0 8 S tandard and the ever increasing demands o
b u siness
fo r
au diting activity to add mo re valu e. We examine the
o p p o rtu nities availab le
1.
f
fo r
the
fo rward
thinking au dito r.
Putting the p rocess ap p roach into context
5
•
A
quick
overview
of
the
process
approach
to
ensur that
we
have a co mmo n u nderstanding o
f
f
the b asic termino lo gy b e o re
develo p ing o u r au diting skills, kno wledge and co mp etences.
2.
The requirements o f IS O 9 0 01 : 2 008 – An auditor’s p ersp ective
9
•
T he
eight
key
principles
of
ISO
9001:2008
and
the an,
do,
check, act metho do lo gy are the basic techniqu es that
fo u ndatio n
o
f the
e
ffective
fo rm
the
audito r. A clear u nderstanding o
f
these
and ho w they can be ap p lied to a business will help the audito r
stru cture their au diting ap p ro ach bo th at system and p ro cess level.
3.
The system-p rocess-p rocedure relationship
17
•
T he
primary
role
of
a
process
management
auditor to
discover
to what extent the p ro cess is b eing managed and what e
this has o n the achievement o
f
ffect
f
b u siness o b j ectives. B e o re we
can u ndertake any p ro cess management au dit we mu st
f
rst
ap p reciate ho w a management system wo rks and the interactio ns
that go o n b etween the o verall system, p ro cesses and p ro cedu res.
Pro ce s s M anage me nt Au diting
fo r
IS O 9 0 0 1 : 2 0 0 8
viii
4.
Auditing to o ls and te chnique s
21
•
With
the
fundamentals
that
make a
management
system
understo o d, we no w turn o ur attentio n to the detail o f ho w yo u
sho uld actually co ndu ct an au dit starting with the to o ls and
techniqu es that can be emp lo yed.
5.
Planning and p re p aring a p ro ce s s audit
31
•
Auditing
is
80
per
cent
preparation and
20
per
cent
actual
auditing, which so unds like a bit o f an o ld wives’ tale until yo u
actually carry o ut an audit and then yo u realize j ust ho w true it is!
6.
C arrying o ut a p ro ces s audit – C o mp liance vs e
ffe ctive ne s s
38
•
S tarting
with
the
managing
director will
help
put
the
process
and
system into the co ntext o f the bu siness that yo u are au diting.
O nce this o ften daunting step is co mp leted it will
feed
the
au diting o f the p ro cess’ o wners and teams in o rder to assess
the e ffectiveness o f the management system in relatio n to the
business o bj ectives.
7.
f
I de nti ying and re p o rting
f
ndings – M o ving b e yo nd co mp liance
44
•
What
are
the
objectives
of
your
audit report?
A
straightforward
eno ugh qu estio n, but ho w many audito rs actu ally ask themselves
this be fo re they write and p resent their rep o rt?
8.
As s e s s ing imp ro ve me nts
50
•
The
auditor’s
role
is
not
to
identify w
improvements
should
take place or what the organization should do. It is to provide
in formation to management on areas o f risk or where opportunities
for
improvement exist with an explanation that outlines the
potential impact on the organization if these are addressed.
9.
What p e rs o nal attrib u te s do audito rs ne ed?
53
•
Auditing
is
a
skill
and
like
any
other skill
needs
practice
to
hone
it. It invo lves an ability to evalu ate o r learn
fro m
the exp erience,
sub sequently changing the auditing style o r ap p ro ach to add
mo re valu e to the activity.
C o nte nts
ix
fo rward
1 0.
C o nclu s io n and the way
• I
n
this
book
we
cover
the
basic
principles
of
au diting,
and
these
need time and p ractice to b e e
63
ffective fo r
the reader to tru ly
u nderstand the p rincip les invo lved. I n o ther wo rds reading the
b o o k witho u t the p ractice will no t b u ild co mp etence. We o u tline
ways in which au dito rs can
fu rther
b u ild their co mp etence in
o rder to add mo re valu e to o rganizatio ns.
Ap p endix 1 .
E xamp le au dito r qu es tio ns
73
• T
his
appendix
seeks
to
provide
some
example
questions
based
o n the ap p ro aches u sed. The examp les are gro u p ed b y the
relevant I S O 9 0 0 1 : 20 0 8 clau se
fo r
ease o
f
f
re erence, to gether with
qu estio ns that co u ld b e asked to demo nstrate co mp liance alo ng
with tho se that seek to test e
f
Re e re nce s
ffectiveness.
95
1
Introduction
Has something changed?
2008 saw the release o
ticking
fo r
f the
new ISO 9 001 : 20 08 Standard and started the clo ck
o rganizatio ns already registered to its 200 0 p redecesso r to make the
transitio n to the new Standard. At the same time the clo ck also started ticking
fo r
audito rs to beco me co mpetent to audit against this new Standard. Altho ugh o nly a
relatively mino r change
and audito rs have no t
fro m
fully
the 200 0 versio n, the
fact
is that many o rganizatio ns
implemented the intentio n o
f the
20 00 versio n. This
f
new update there o re allo ws this to be reviewed, and any sho rtco mings to be
addressed witho ut the need to also address o ther signi
T here was a mixed resp o nse to the issu e o
f
f
cant changes.
I SO 9 0 0 1 : 20 0 0
fro m
b u sinesses and au dito rs alike. B u sinesses welco med the new versio n o
b o th
f
the
Standard and as a resu lt qu estio ned the ro le internal and external au dito rs
sho u ld p lay. The u p date emp hasized the need
fo r
mo re added valu e to the
service au dito rs generally p ro vide. Au dito rs o n the o ther hand also welco med
f
the new Standard b u t u n o rtu nately many have no t no ticeab ly changed their
ap p ro ach to the au dits they co ndu ct. The 20 0 8 versio n adds mo re p ressu re o n
them to do so .
T he resu lt o
stand-o
ff
f
this di
fference
b etween exp ectatio n and p ractice is a virtu al
f
b etween au dito rs and b u siness that has le t p eo p le
and in many cases extremely
feeling
f
co n u sed
fru strated.
f
T his b o o k is aimed at p eo p le who wish to cu t thro u gh this co n u sio n
and gain a b etter u nderstanding o
f
the o verall ap p ro ach requ ired
management au diting u sing I SO 9 0 0 1 : 2 0 0 8 .
fo r
p ro cess
Process Management Auditing for ISO 9001 :2008
2
This book attempts to explain:
• what business should expect from auditors;
• what auditors should expect from business;
• the actual role o f an auditor in today’s process driven business environment;
and
• the key competences required to audit process management.
For those who fully adopted the need to audit both compliance and
e ffectiveness, and the reporting o f business risk as a result o f it, this book will
hope fully give them some additional tips. For those who have not, this will be
the start o f a learning experience that should make them a much more valuable
resource to their organizations. It will also help them to secure their own future
as a valuable resource to support the e ffective delivery o f business goals.
Auditors and the business – A partnership?
So from what has been said so far, you can already see that the relationship
between auditor and business must really be seen as a partnership, i f the true
value to the business is to be realized. When this relationship is working
e ffectively there is the potential for the ‘auditor–business’ relationship to become
a powerful tool to drive the business towards the achievement o f its obj ectives.
It should not be about the auditors telling the business what it already knows.
The two key factors for this win–win partnership to succeed are:
• a competent auditor; and
• strong business leadership willing to learn and to improve the organization.
I f either o f these two factors are missing then the value o f auditing to the business
is signif cantly reduced (see Figure I. 1 ) .
Challenges facing auditors and businesses alike
ISO 9001 : 2000 and hence ISO 9001 : 2008 have radically changed, the implications
o f which have had signif cant impact on businesses and auditors alike.
The fundamental shi ft towards process management and away from
procedural compliance requires a completely di fferent approach when it comes
to auditing. It also requires a signi f cant change in the associated competences o f
an auditor i f they are to audit process management e ffectively.
Businesses need to understand the importance ISO 9001 : 2008 places on
the senior management to lead an organization from the front through obj ective
I ntro du ctio n
3
setting, key process identi f cation, allocation o f process ownership, performance
monitoring and improvement.
Auditors have to understand how a business operates and, if they are to
be effective as auditors in this ‘new world’, how to gather information about the
organization’s effectiveness and how their
fndings need to be reported to add value
to the business. O ften the failure o f auditors to understand this basic requirement
is the prime reason why they can fail to meet expectations (see Figure I. 1 ) .
The challenge for auditors to understand how businesses operate and how
they, as auditors, can add value, is one that auditors must rise to i f they are to
continue to support businesses e ffectively. Many will have to set aside old values
and belie fs about auditing compliance based systems, change the way they look
and view obj ective evidence and look to learn new skills in order to become
competent process management auditors.
Trad i ti on al au d i torbu si n ess rel ati on sh i p
Standards and
frameworks
Au d i tor focu sed on
com pl i an ce on l y
Bu si n ess focu sed on
obj ecti ves
Customer and
stakeholder needs
Au d i tor-bu si n ess
partn ersh i p approach
Standards and
frameworks
supporting the
business
F igu re I . 1
Au d i tor focu sed on
th e bu si n ess
Bu si n ess focu sed
Customer and
stakeholder needs
on obj ecti ves
T he audito r–b u s ines s relatio ns hip
5
1.
Putting the p ro ces s ap p ro ach into co ntext
What is a p ro ces s -b as ed management s ys tem?
This b o o k will no t make any attemp t to describ e in detail p ro cess-based
management systems as o ther bo o ks within this series co ver this in mo re dep th
than we co u ld ho p e o r want to do here. Ho wever, a qu ick o verview is ap p ro p riate
to ensu re that we have a co mmo n u nderstanding o
f the
b asic termino lo gy.
What is a management s ys tem?
A defned framework o f key business processes working together to achieve
the stated business objectives, and customer and other stakeholder needs.
T he examp le in F igu re 1 . 1 is taken
fro m
a real o rganizatio n and describ es, at a
high level, the p ro cesses that go to make u p its o verall b u siness management
system. I t is p ertinent to the o rganizatio n itsel
f
and u ses a langu age and layo u t
that can b e easily u ndersto o d b y cu sto mers and sta
ff
alike. Typ ically this wo u ld
b e describ ed in the o rganizatio n’s qu ality manu al.
The p ro ces s , a de
f
nitio n:
An activity or series o f joined-up activities that convert(s) an input into an
output (adding value through the process).
Pro ces s M anageme nt Auditing
fo r
IS O 9 0 0 1 : 2 0 0 8
6
Understand
stakeholder and
market needs
Improving our
performance
Developing our
business objectives
Managing our
finances
Developing
our staff
Measuring and
evaluating our
performance
Generate and win
business
Managing projects
Supplying parts
Managing service
support
F igure 1 . 1
I
f
E xamp le management s ys tem
the b u siness management system identi
needs, then p ro cess de
f
f
es what p ro cesses the o rganizatio n
nitio ns o r p ro cess map s de
f
ne the mechanism/activities
the o rganizatio n is requ ired to co mp lete in o rder to achieve its stated o b j ectives
to
fu l f l
cu sto mer and stakeho lder needs. See F igu re 1 . 2
fo r
an examp le o
f
a
p ro cess map .
Pro ces s management, a de
The e
ff
ectiv e co ntro l o
f
f
nitio n:
a s eries
o
f
activ ities
that co nv erts
w hils t b o th adding v alue and co ntinually imp ro v ing its
inp uts into o utp uts
p er
f
o rmance related
to the o utco mes req uired.
P u t ano ther way, i
f
we are to manage a p ro cess e
ffectively
we need to p lan and
imp lement its delivery u sing the ap p ro p riate equ ip ment, kno wledge, etc. and
f
f
measu re its p er o rmance against targets. T hese p er o rmance measu res are b ased
o n the p u rp o se o
f
f
f
the p ro cess and b y measu ring against these we can identi y
gap s in p er o rmance, which can
fo rm
the b asis
fo r
imp ro vement activity. T he
Putting the p rocess ap p roach into context
7
Approva l of i ssu e
aim is to analyse the actual results achieved (compared against the target), to
learn from the information and trends created and to use information as a basis
for actions for change or improvement. More details on process management
and indeed systems thinking can be found in books 1 and 2 o f this series ( for
details on these, see the References chapter at the end o f this book).
As a process management auditor we need to test how effectively this is
taking place!
No
D i re c to rs
I d e n ti fy we b s i te
Ap pro ve ?
Ye s
e n h an ce m e n t
B ri e f websi te s u ppl i e r,
O p e rat i o n s D i re c to r
o btai n s pec an d co s ts
M o n i to r d e ve l o p m e n t
ag ai n s t s p e c
U s e r tes t u pd ate a n d
Arran g e a n y p ro b l e m s
B ack u p P C we e kl y
to b e reso l ved , te s t
re po rt fi n d i n g s to
O p e rat i o n s M an ag e r
O p e rati o n s D i re c to r
an d
an d
arran g e b ac k u p
ad vi s e e ve ryo n e
o f we bs i te
M odi fi ca ti on s:
a ffe ct e d
I d e n ti fy a n I T pro bl em
an d re p o rt
F igure 1 . 2
Examp le p rocess map
Auditing a p rocess-based management system
Prior to any attempt to carry out a process management audit you must frst
understand the principles o f the process-based management system and the
context in which processes are managed.
Processes do not operate in isolation, they are linked together to form an
overall management system. This management system provides the framework
for the organization to:
customer and stakeholder needs;
the constraints, regulations and other infuences placed on
the business;
BSI /PM : Si obh a n Fi tzgera ld
• understand
• understand
BI P 201 5
Da te: 04/08/2009
Al l s taff
Fi le n a m e: 2009-01 73 0_1 .2.eps
Process Management Auditing for ISO 9001 :2008
8
• develo p
• de f ne
its b u siness p lan and/o r o b j ectives;
and imp lement its co re and su p p o rt p ro cesses;
• estab lish
• analyse
f
its key p er o rmance indicato rs o r measu res; and
f
its p er o rmance and make imp ro vements in o rder to achieve its
b u siness p lan and/o r o b j ectives.
As an au dito r yo u have to u nderstand these p rincip les in o rder to carry o u t a
f
su ccess u l au dit and maximize the valu e o
f
yo u r au dit rep o rt to the o rganizatio n.
T he p rincip les ab o ve relate to a system and are tested b y carrying o u t a ‘systems
management au dit’ . I n this b o o k we are co ncerned with ‘p ro cess management
f
au dits’ and there o re the p rincip les are at a lo wer level b u t still
fo llo w
the same
general ap p ro ach, to :
• u nderstand
the p u rp o se o
• u nderstand
inp u ts and o u tp u ts and the o b j ectives o
• de f ne
f
the p ro cess;
the step s o r activities o
• estab lish
• analyse
p ro cess e
ff ciency
f
f
the p ro cess;
the p ro cess;
and e
ffectiveness
measu res; and
f
p ro cess p er o rmance and make imp ro vements b ased o n this.
What the organization wants
An au dito r sho u ld no t b e u nder any illu sio ns that the o rganizatio n is o nly
lo o king
fo r
an au dit rep o rt co ntaining detailed
f
ndings o n the o rganizatio n’s
co mp liance to I SO 9 0 0 1 : 20 0 8 . T hey are mo st certainly no t, as there is mu ch
mo re that they no w exp ect.
What the o rganizatio n really wants is a rep o rt
the imp act o n the o rganizatio n o
f
the
f
fro m
the au dito r describ ing
ndings in relatio n to co mp liance with
I S O 9 0 0 1 : 2 0 0 8 . I n o ther wo rds the o rganizatio n’s viewp o int is that:
• b u siness
• the
co mes
f
rst and the Standard seco nd;
au dito r is u sing I SO 9 0 0 1 : 20 0 8 as a management to o l, a gu idance
do cu ment that describ es activity; and
• f ndings
against the Standard need to b e interp reted into o rganizatio nal
langu age and their imp act highlighted.
T he au dit rep o rt is
fo r
f
management u se as in o rmatio n to help highlight
f
imp ro vement o p p o rtu nities and to identi y risks to the b u siness. The
management are mo re likely to resp o nd p o sitively to yo u r rep o rt i
fo cu sed,
as they can clearly see the b ene
imp ro vements reco mmended.
f
f
it is b u siness
ts to the b u siness o n making any
9
2.
T he requ irements o
f IS O
9 0 0 1 : 2 0 0 8 – An
au dito r’s p e rs p ective
T he p rincip le s b e hind I S O 9 0 0 1 : 2 0 0 8
Do you know the eight key principles at the heart o f ISO 9001 : 2008 and
what the ‘PDCA’ methodology is? I f the answer is no, then you need to learn
them quickly and thoroughly i f you are going to be a competent auditor (see
Table 2. 1 ) . These are the basic principles that will form the foundation o f
your auditing technique, and are shown in Section 0. 2 in the introduction to
ISO 9000: 2000. They are what di fferentiates a success ful organization from one
that is not, and form the foundation o f ISO 9001 : 2008.
Tab le 2 . 1
T he e ight p rincip les b e hind I S O 9 0 0 1 : 2 0 0 8
Principle
Customer focus
What it means
Understanding what customers need and expect from the organization
as a whole and not just from an individual request or order
Leadership
M anagement (anyone responsible for the activity o f others) at all
levels creating and maintaining an environment aimed at achieving the
business objectives in which others can operate
Involvement of people
Ensuring that all are involved in order that their abilities can be used
and enhanced to maximum benef t for themselves and the organization
Process Management Auditing for IS O 9001 : 2008
10
Principle
Process approach
What it means
Obj ecti ves are m ore l i kel y to be ach i eved wh en acti vi ti es are seen ,
u n d erstood an d m an aged th rou gh processes an d resou rces al i gn ed
accord i n gl y
Systems approach to
I d en ti yi n g th e i n d i vi d u al bu si n ess processes an d ord eri n g th em so
management
th at th ey d el i ver resu l ts an d obj ecti ves e
f
ff ci en tl y
an d e
ffecti vel y
Continual
I m provi n g bu si n ess per orm an ce sh ou l d be th e obj ecti ve o
improvement
organ i zati on – i t m u st i m prove an d ch an ge over ti m e
Factual approach to
E
decision making
an d n ot pu rel y on a
f
ffecti ve
f
an y
f
d eci si on s are based on i n orm ati on th at h as been an al ysed
feel i n g
o
f
wh at n eed s to be d on e
Mutually benefcial
E n h an ced val u e i s created by worki n g cl osel y wi th su ppl i ers th at can
supplier relationships
a
ffect
1
+
1
you r d el i verabl es an d n ot agai n st th em – i t i s real l y a case o
=
f
3!
The Plan, Do, C heck, Act methodology (PDC A)
T he P D C A metho do lo gy o r cycle is the o ther key p rincip le o
f
I SO 9 0 0 1 : 20 0 8
and its ap p licatio n mu st b e evident within the o rganizatio n at b o th system
level and within individu al p ro cesses. I t can b e describ ed as in Tab le 2. 2, and
visu alized as in F igu re 2. 1 .
Table 2. 2 PDC A methodology
Plan
E stabl i sh th e obj ecti ves an d processes n ecessary to d el i ver resu l ts i n accord an ce
wi th cu stom er req u i rem en ts an d bu si n ess obj ecti ves an d pol i ci es
Do
I m pl em en t th e processes
Check
M on i tor an d m easu re processes agai n st obj ecti ves, pol i ci es an d req u i rem en ts an d
report th e resu l ts
Act
f
Take acti on to con ti n u al l y i m prove process per orm an ce
P 201 5
T he re qu ire me nts o
f IS O
9 0 0 1 : 2 0 0 8 – An au dito r’s p e rs p e ctive
f IS O
There is a danger that i
9001 : 2008
f audito rs fail
to grasp the
fu ndamental
p rincip les o
f
ISO 9 0 0 1 : 20 0 8 they will undermine what they are trying to achieve, and increase
the p o ssibility o
f reducing
basic requ irement
the detail o
fact
f I SO
fo r
the added value they can bring to the business. This
Si gn a tu re:
M aking s e ns e o
Approva l of i ssu e
11
audito rs to understand the p rincip les b ehind it, no t j ust
9 0 0 1 : 20 0 8 seems o bvio us, but exp erience to date highlights the
that the maj o rity o
f audito rs
do no t grasp these basic p rincip les. As a result,
there are huge variatio ns in the p ercep tio n business has o
ffective
ISO 9 0 0 1 : 20 0 8 is
auditing can bring to them.
D a te:
abo ut and the value that e
f what
Ch eck 1
Act 2
Do 2
Ch eck 2
cycle
When yo u read I S O 9 0 0 1 : 20 0 8 yo u read it clau se b y clau se and as yo u read
it yo u so o n realize o ne sectio n ru ns into ano ther and is linked to many mo re,
which is why, as an au dito r, it is imp o ssib le to au dit I SO 9 0 0 1 : 20 0 8 sectio n b y
Opera tor: N ora D a wson 77 69
f PD C A
D epa rtm ent:
Vis u al rep res e ntatio n o
Da te: 04/08/2009
F igure 2 . 1
BSI /PM : K PARKI N SON
Con ti n u al bu si n ess i m provem en t
M odi fi ca ti on s:
Do 1
M odi fi ca ti on s:
Act 1
Th e fu tu re
Pl an 2
Pl an 1
sectio n, it has to b e au dited almo st in its entirety to make any sense.
Fi le n a m e: 2009-01 7 30_2.1 .eps
Process Management Auditing for ISO 9001 :2008
12
Let’s give yo u an examp le. When trying to estab lish ho w a p ro cess o wner
f
manages and mo nito rs the p er o rmance o
• links
inp u ts;
• p ro cess
o u tp u ts;
f
p ro cess itsel ;
• links
to o ther p ro cesses;
• in fo rmatio n/p ro cedu res
• cu rrent
• p eo p le
f
requ ired to su p p o rt p ro cess activities;
f
p ro cess p er o rmance;
• imp ro vement
I
their p ro cess yo u need to test:
to the o verall b u siness o b j ectives;
• p ro cess
• the
f
activities; and
invo lved in the p ro cess.
yo u test tho se areas listed in the p aragrap h ab o ve then yo u are also go ing to b e
testing the
fo llo wing
• 4. 2
D o cu mentatio n requ irements;
• 4. 2. 1
G eneral;
• 4. 2. 3
C o ntro l o
f
do cu ments;
f
reco rds;
clau ses o
f
I SO 9 0 0 1 : 20 0 8 :
• 4. 2. 4
C o ntro l o
•5
M anagement resp o nsib ility;
• 5.1
M anagement co mmitment;
• 5.2
C u sto mer
• 5.3
Qu ality p o licy;
• 5 . 4. 1
Qu ality o b j ectives;
• 5 . 4. 2
Qu ality management system p lanning;
• 5. 5. 1
Resp o nsib ility and au tho rity;
• 5. 5. 2
I nternal co mmu nicatio n;
• 5.6
M anagement review;
• 6. 1
P ro visio n o
• 6. 2
Hu man reso u rces;
• 6. 3
I n rastru ctu re;
• 6. 4
Wo rk enviro nment;
•7
P ro du ct realizatio n; and
•8
M easu rement, analysis and imp ro vement.
fo cu s;
f
reso u rces;
f
P u t it ano ther way, a b usiness do es no t o p erate as a series o
f
sectio ns so there o re it mu st
fo llo w
f
u nco nnected
that yo u canno t au dit it as a series o
f
sep arate
sectio ns. U nderstanding the key p rincip les b ehind I SO 9 0 0 1 : 20 0 8 allo ws yo u to
b e mo re relaxed in yo u r audit ap p ro ach. Instead o
f
wo rrying ab o u t the detailed
co mp liance to every single sectio n in I SO 9 0 0 1 : 20 0 8 yo u sho u ld b e lo o king
the ap plicatio n o
f
the p rincip les. Yo u are then ab le to assess the e
these linkages and the e
ffect
f
they have o n the p er o rmance o
what they are designed to deliver.
f
fo r
ffectiveness
o
the p ro cess, i. e.
f
The requirements o f ISO 9001 :2008 – An auditor’s perspective
13
A question o f compliance?
Compliance with what? Does it comply with:
• the six mandatory procedures (see the next list) ?
• the eight principles?
• the PDCA cycle?
The meaning o f the word ‘compliance’ conj ures up images o f rigid procedures
that must be worked to by the letter. However, when you read ISO 9001 : 2008 it
re fers to the need for documented procedures in only six places. These are for:
• control o f documents;
• control o f records;
• internal audit;
• control o f non-con forming product;
• corrective action; and
• preventive action.
You must assume from this that ISO 9001 : 2008 is e ffectively allowing an
organization to decide for itsel f what, i f any, activities it provides written
procedures to support.
Going back to our question o f compliance, then yes, this is obviously very
easy to check as the evidence will be in the form o f documented procedures for
the six areas identi f ed above. We can check that they are being applied, thus
complying with the requirements o f ISO 9001 : 2008.
So what happens if the organization decides not to document any other
procedures to support its process activities, can it still comply with ISO 9001 : 2008?
The answer is very clearly yes, provided it can also demonstrate compliance with
the eight principles and the PDCA cycle.
What is obj ective evidence?
Compliance to the eight principles and the PDCA cycle is unlikely to be
demonstrated through the evidence found in documented procedures, but more
than likely from subj ective evidence drawn from interviews with management
and sta ff alike. We must there fore conclude that obj ective evidence can be in
both documented and non-documented format.
Auditors have to come to terms with the fact that although they might
like to see evidence documented, as this gives them a sense o f reassurance, the
likelihood is that much evidence may well not be documented and they will
have to assess the organization accordingly.