Académique Documents
Professionnel Documents
Culture Documents
A catalogue record for this book is available from the British Library.
They also help organizations of all sizes, and from all sectors, to improve
their business performance by the effective management of their business
processes. With or without ISO 9001:2000, they have a deep-seated and long-
held belief that the management of business processes is fundamental to an
organizations success. They are passionate in communicating this central theme
to decision-makers within organizations to help them to drive their overall
business success.
The interpretations in this book are based on the real world experience
of facilitating the creation, implementation and improvement of process-based
management systems that meet the requirements of ISO 9001:2000. They are
interested primarily in practical application not just theoretical ideas.
Contents
0. Introduction 1
We introduce the challenge that auditors face to develop the
competences required to effectively audit against the new
ISO 9001:2000 standard and the ever increasing demands of
business for auditing activity to add more value. We examine the
opportunities available for the forward thinking auditor.
viii
8. Assessing improvements 49
The auditors role is not to identify how improvements should
take place or what the organization should do. It is to provide
information to Management on areas of risk or where opportunities
for improvement exist with an explanation that outlines the
potential impact on the organization if these are addressed.
ix
0. Introduction
There has been a mixed response since the issue of ISO 9001:2000 from
both businesses and auditors alike. Businesses have welcomed the new standard
and as a result have questioned the role internal and external auditors should
play in auditing to the new standard and stressed the need for more added
value to the service auditors generally provide. Auditors on the other hand have
also welcomed the new standard but many have not noticeably changed their
approach to the audits they conduct.
The result of this is a virtual stand off between auditors and business
which has left people feeling confused and in many cases extremely frustrated.
This book is aimed at people who wish to cut through this confusion
and gain a better understanding of the overall approach required for process
management auditing using ISO 9001:2000.
The two key factors for this win-win partnership to succeed are:
a competent auditor;
strong business leadership willing to learn and to improve the organization.
If either of these two factors are missing then the value of auditing to the
business is significantly reduced (see Figure 0.1).
The challenge for auditors to understand how businesses operate and how
they, as auditors, can add value, is one that auditors must rise to if they are to
continue to support businesses effectively. Many will have to set aside old values
and beliefs about auditing compliance based systems, change the way they look
and view objective evidence and look to learn new skills in order to become
competent process management auditors.
Introduction
Traditional auditor-
Standards and
business relationship
frameworks
Auditor focused on
compliance only
Business focused on
objectives
Customer and
stakeholder needs
Auditor-business
partnership approach
Auditor focused on the
Standards and business
frameworks Customer and
supporting the Business focused on stakeholder needs
business objectives
The example in Figure 1.1 is taken from a real organization and describes, at a
high level, the processes that go to make up its overall business management
system. It is pertinent to the organization itself and uses a language and layout
that can be easily understood by customers and staff alike. Typically this would
be described in the organizations quality manual.
Understand
stakeholder and
market needs
Measuring and
D eveloping Generate and win
evaluating our our staff business
performance
M anaging projects
Supplying parts
M anaging service
support
The effective control of a series of activities that converts inputs into outputs
whilst both adding value and continually improving its performance.
Put another way, if we are to manage a process effectively we need to plan and
implement its delivery using the appropriate equipment, knowledge, etc and
measure its performance against targets. These performance measures are based
on the purpose of the process and by measuring against these we can identify
gaps in performance, which can form the basis for improvement activity. The
aim is to analyse the actual results achieved (compared against the target), to
Process Management Auditing for ISO 9001:2000
learn from the information and trends created and to use information as a basis
for actions for change or improvement. More details on process management
and indeed systems thinking can be found in books 1 and 2 of this series (for
details on these, see the References chapter at the end of this book).
No
Directors
Identify an IT problem
and report
All staff
What the organization really wants is a report from the auditor describing
the impact on the organization of the findings in relation to compliance with
ISO 9001:2000. In other words the organizations viewpoint is that:
Customer focus Understanding what customers need and expect from the organization
as a whole and not just from an individual request or order
Involvement of Ensuring that all are involved in order that their abilities can be used
people and enhanced to maximum benefit for themselves and the
organization
Process approach Objectives are more likely to be achieved when activities are seen,
understood and managed through processes and resources aligned
accordingly
The requirements of ISO 9001:2000 an auditors perspective
Systems approach Identifying the individual business processes and ordering them so that
to management they deliver results and objectives efficiently and effectively
Factual approach to Effective decisions are based on information that has been analysed
decision making and not purely on a feeling of what needs to be done
Mutually beneficial Enhanced value is created by working closely with suppliers that can
supplier relationships affect your deliverables and not against them it is really a case of
1 + 1 = 3!
Plan Establish the objectives and processes necessary to deliver results in accordance
with customer requirements and business objectives and policies
Check Monitor and measure processes against objectives, policies and requirements and
report the results
10
the detail of ISO 9001:2000 seems obvious, but experience to date highlights the
fact that the majority of auditors do not grasp these basic principles. As a result,
there are huge variations in the perception business has of what ISO 9001:2000
is about and the value that effective auditing can bring to them.
Act 1
Do 1 Act 2 Do 2
Check 1 Check 2
When you read ISO 9001:2000 you read it clause by clause and as you read
it you soon realize one section runs into another and is linked to many more,
which is why, as an auditor, it is impossible to audit ISO 9001:2000 section by
section, it has to be audited almost in its entirety to make any sense.
11
improvement activities;
people involved in the process.
If you test those areas listed in the paragraph above then you are also going to be
testing the following clauses of ISO 9001:2000:
A question of compliance?
Compliance with what? Does it comply with:
12
control of documents;
control of records;
internal audit;
control of nonconforming product;
corrective action;
preventive action.
You must assume from this that ISO 9001:2000 is effectively allowing an
organization to decide for itself what, if any, activities it provides written
procedures to support.
Going back to our question of compliance, then yes, this is obviously very
easy to check as the evidence will be in the form of documented procedures for
the six areas identified above. We can check that they are being applied, thus
complying with the requirements of ISO 9001:2000.
Auditors have to come to terms with the fact that although they might
like to see evidence documented, as this gives them a sense of reassurance, the
likelihood is that much evidence may well not be documented and they will
have to assess the organization accordingly.
13
think how can I assess this? This is a question that is hopefully answered in
subsequent chapters of this book.
One of the greatest challenges facing auditors is the need to audit at all
levels in the organization, not just operational activities as in the past. This will
mean auditing senior management and indeed the most senior manager, the
Managing Director or Chief Executive Officer, as part of the audit.
Process Management Auditing for ISO 9001:2000
14
Subsequent sections of this book will cover in more detail how to prepare
for and carry out an interview with the Managing Director, but in the meantime
here are some things for you to think about.
As the evidence of compliance may not be documented and will almost certainly
be more subjective, so increasingly the auditor needs to test the communication
between senior managers and staff, in an effort to discover how focused the
organization really is on the eight principles and the PDCA cycle. This will be
the real test required to determine the level of compliance with ISO 9001:2000.
As an auditor, you will not be able to answer these questions without knowledge
of the business. That knowledge can come from either working for the
organization in question or from the responses you get during the course of the
actual audit. Either way you have to make certain judgements about how you
will audit and what you will ultimately report back to the organization.
ISO 9001:2000 is unique in this way, it can take account of the maturity of
the management system and allow an auditor the ability to use their judgement
to determine not only whether the basic principles are being applied, but
also to what extent the business is using them to drive itself forward. No two
organizations are alike, and indeed, organizations will mature over time. An
audit therefore needs to take account of its maturity if it is to help it to keep
improving over time.
The requirements of ISO 9001:2000 an auditors perspective
15
Corporate
governance/
Corporate social
responsibility
Business
excellence model
ISO 9004
8 principles
PDCA cycle
ISO 9001
Maturity
Before you can undertake any process management audit you must first
appreciate how a management system works and the interactions that go on
between the overall system, processes and procedures.
Section one of this book gave a brief overview of the management system
and processes with examples for each, and it is being able to make the connections
between these and supporting procedures that you need to focus on.
Management system
The management system defines the overall scope of the business, which is in
turn supported by any number of processes that require management, which in
turn are supported, where appropriate, by procedures, as shown in Figure 3.1.
17
Management system
Process
Procedures
Procedures
Procedures The how we do it level
Supports process activity
Typically eight to fifteen high level processes are identified and they in turn link
or are delivered through any number of operational processes containing the
detail of what activities are performed.
Process management
Related directly to the management system are the processes themselves, which
exist to convert input requirements into customer output requirements through
a series of value adding activities. In other words they provide the mechanism
that allows the organization to achieve its objectives, with a focus on how the
different departments within the organization work together towards this aim.
Just by having processes does not ensure that the business will achieve its
objectives. They need effective management and it is this process management
that you need to focus on when auditing. To be able to do this effectively you
Process Management Auditing for ISO 9001:2000
18
Too many auditors audit processes in isolation, failing to make the vital
connections between business objectives and process outputs and measures.
Failure to make these connections will result in an incomplete, inadequate and
non value adding audit. Its rather like checking a route map without knowing
where you are trying to get to all a bit pointless.
You need to be thinking about asking the process owner the following
questions.
There are many more questions related to assessing process management but
hopefully you can begin to appreciate that to be a successful auditor requires
considerable skill and competence. These skills and competences need to be in
different areas than have been required in the past in order to make the required
connections and identify issues worthy of reporting.
Procedures
This is often a very difficult concept for many people to come to terms with.
ISO 9001:2000 allows organizations the freedom to decide for themselves to
what extent they have documented procedures, whereas the 1994 version of the
standard required virtually all operational activities to be documented. There
is a certain reassurance one gets from having things documented and there is
no doubt that having documented procedures does make compliance auditing
possible. In themselves, however, procedures do not help us to carry out an
effective process management audit.
So when you are auditing the activities within a process itself you should
be thinking about asking the following questions.
What risks to the process are there by not having procedures documented?
If the risks are high, has the organization considered them and chosen an
alternative way to reduce them, such as training?
If there are procedures are they adequate for the risks they are controlling?
Do the procedures add value or just increase bureaucracy?
The system-process-procedure relationship
19
The process owner should have considered what, if any, procedures are required
to support process activities. Your role is to help the process owner by confirming
they have got it right or identifying any potential risks they may have overlooked.
You will be working in partnership with them to improve both the potential and
actual performance of the process.
System
level
Process
level
Procedures Compliance
level
For years, auditor training has had a constant theme to it with one
message in particular being driven home time and again: Show me the evidence!
Above all else auditors have been trained to assess what an organization does
against what it said it does, basing any decision as to how well they did it on the
documented evidence they have been shown.
For the remainder of this book, the focus will be on auditing the
effectiveness of process management, also required by ISO 9001:2000. This
requires different tools and techniques to those required for both system and
compliance auditing, and we need to recognize these differences.
Auditing tools and techniques
21
Auditor tools
There are basically two tools that should be used in both preparing for and
carrying out a process management audit (see Figure 4.1, Figure 4.2 and Table
4.1). Neither of them is complicated and in fact they are just plain common
sense. Both, however, require the auditor to understand how a business works
through its processes in order to use them effectively. This is one of the key
competences of a successful process management auditor.
Once you understand them, they are so powerful that you can apply them
to any process within any business, regardless of industry sector.
Purpose of the
process
Improve Process objectives
and targets
In process management auditing you are testing every one of the boxes in each
process you audit at every level within each process ie you go round this cycle
with everyone you interview. The questions you use to test each one of the
boxes will be phrased slightly differently and will be in a manner suitable to the
person being interviewed, but nonetheless they will follow the same cycle. This
aspect is critical for successful auditing. It is no good asking a member of staff a
question that they do not understand, or using management style or standard
language that they cannot relate to what they do. For example asking someone
what resources they use may not be understood, asking what equipment they
use might be. There is no right or wrong, but the language you use is important
Process Management Auditing for ISO 9001:2000
22
and needs to be based on the needs of the auditee not the auditor. It needs to be
in the language used by the people within the organization itself.
Purpose of the process Why the process exists supplier inputs and customer outputs
Process objectives Specifically the objectives and targets for this process that must relate
and targets to the overall business objectives and targets
Key performance Measures directly related to the process itself and overall business
process measures objectives, in the way customers measure the process
Improvement Activities that are designed to close the gap between current
performance and the target performance level required
Auditor tool 2 follows a similar theme but extends to include those things
that support the process in terms of:
the competence of those working within the process to effectively carry out
their tasks;
the resources needed for process activities to be performed adequately;
the knowledge and information needed to effectively carry out activities
within the process;
the budget for the process that takes account of the likely future demands on
the process.
23
Competence Knowledge
Risk
Resources Budget
Inputs Outputs
Measure
Auditing techniques
Questioning
Taking each box of auditor tool 1 lets look at each one in turn and try to work
out the most appropriate question to ask. As we go through each box we will, in
addition, include all the elements from auditor tool 2.
The end result will be an audit checklist you will be able to use to prepare
for and to audit most processes. You may well be able to come up with other
areas and issues to raise, whatever they are they need to test the effectiveness
of the process. As you go through the steps in the cycle you may well be able
to identify areas where you need to dig a bit deeper, asking more questions and
testing any compliance issues that may become apparent. Inexperienced process
management auditors tend to stay in the detail of compliance once they are in
it. The art is to keep the cycle in mind as you carry out the audit and dip into
the detail as required, coming out of it to move on to other parts of the cycle
in order to build the links. It is not easy at first to make this change, but once
youve done it a few times it will become much more second nature.
Process Management Auditing for ISO 9001:2000
24
Purpose of the process How does the process support the business strategy and
objectives?
What are the process supplier inputs and customer outputs?
How do you determine what the customer requirements are; is
this the ultimate customer?
Where do you get your work from?
Process objectives and How do you determine your objectives and targets?
targets What are your objectives and targets?
How do they link to and support the overall business objectives?
How do you plan for future customer demands and the likely
resources required to support them?
Key performance How do you decide what key performance indicators to use?
process measures How are the process measures linked to business objectives
and measures?
How does your customer measure the performance of the
process?
Performance monitoring How do you know what the current performance of the
process is?
How often is process performance measured?
How is performance data communicated to the process team?
25
Questioning techniques
The questions detailed above need to be thought about and tailored to suit the
individual being interviewed and the level at which they support the process.
For instance, asking an operator carrying out a process activity if they know
what the organizations business objectives are would often be pointless in many
organizations as the operator would more than likely think you were talking a
foreign language! But beware that this is not always the case and, importantly,
use your own knowledge of your own organization to get the language right.
Managers
Auditors that understand this dynamic and use it effectively in conjunction with
both of the auditor tools will gather the greatest amount of information relevant
to how effectively the business is managing its processes. The more information
an auditor has on the companys performance the more valuable the audit report
they can generate from it becomes.
Process Management Auditing for ISO 9001:2000
26
Objective evidence
If we have established that the questions and questioning techniques you use
as an auditor vary according to the person being interviewed and the level they
are working at within the process, then it must also follow that the objective
evidence you obtain will also vary accordingly.
Taking some of the questions from the Table 4.2, Table 4.3 outlines the
likely objective evidence you might expect to find.
27
28
You will notice that the responses you are likely to get in terms of evidence are
likely to be verbal rather than documented, which means you have to determine
fact from fiction just by listening to what people are saying.
But how can you do this? Lets take just one of the questions and use it as
an example.
The process owners response is to tell you that they have two process
measures, products delivered on time as a percentage and number of product
stock turns in a year. The targets are 99 per cent on time delivery and 12
stock turns per year respectively.
They also tell you that since the measures were introduced six months ago
they have achieved an average of 97.5 per cent deliveries on time and are on
schedule for six stock turns for the first half of the year.
You just listen to what they say and make a note of the information on your
checklist.
The process staff members response is to tell you that the process owner
meets with all the process staff once a month in the canteen where they talk
through various items of interest including performance statistics. They tell
you that a lot of what the process owner says is not of much interest to them
apart from the delivery and stock turn measures as this has a direct bearing
on the amount of bonus they receive each quarter.
They tell you that delivery performance of only 97.5 per cent has meant a
reduced bonus for the last two quarters, but the achievement of six stock
turns so far this year has at least given them a bonus payment albeit small.
You listen and compare their responses to those of the process owner, making
any notes on your checklist. You then ask yourself Have I enough evidence to
demonstrate that the question has been answered adequately and am I satisfied
that the performance of the process is known at all levels in the process and
by the people who need to know? What is your conclusion based on the two
responses above?
Auditing tools and techniques
29
I hope you concluded that yes, the performance of the process was known
at all levels in the process and by the people who needed to know. All this
despite the fact you did not see a single piece of paper!
Congratulations! You have just audited subclauses 5.1, 5.2, 5.4.1, 5.5.3,
7.1, 8.1, 8.2.3, 8.4 of ISO 9001:2000.
Methods of auditing
Quite rightly most methods of auditing involve face-to-face interviews/
discussions with people in order to gain information and an understanding of
how effectively something is being done. However, this is not always practical to
do because of geographical locations, the high number of people needed to be
seen or constraints on cost or time.
Organizations that have multiple sites spread over a large geographic area,
including different countries, and those with large numbers of home or field
based employees are probably best suited to alternative methods of auditing
other than face-to-face.
30
People who regularly carry out audits do become blas as they become
increasingly relaxed about the style they have adopted and their knowledge
of ISO 9001:2000. In doing so they show a certain contempt by rarely using
checklists or feeling the need to effectively plan ahead.
Even though I have carried out hundreds of audits over many years I still
prepare and use an audit plan and checklist every time I am asked to conduct an
audit, and so should you.
Planning and preparing a process audit
31
By far and away the most important parts of any audit plan are the
details concerning the people who will be seen and the specific meeting times
that have been agreed. Auditors cannot expect to turn up and have people sat
around all day or over many days, waiting for the auditor to audit them. As
an auditor you should assume that no one is going to see you unless you have
prearranged the meeting. Apart from anything else, it is just bad manners, and it
will lead to a poor relationship with the auditees, so it is critical if the audit is to
be successful.
In preparing your audit plan you will need to take into consideration the
overall time available to you to carry out the audit and then work backwards
ensuring that you allocate the most appropriate amount of time to each of the
people you need to interview.
Process Management Auditing for ISO 9001:2000
32
Objective of the audit To assess the maturity of the process in order to identify any
gaps in current performance against the audit criteria detailed
below
Criteria/standard to be used ISO 9001:2000 and the organisations stated business objectives
Date audit report to be issued 7th July 2004 to the Finance Director and Managing Director
Meeting room for the two days with power, telephone and video conference facilities.
No need to organise lunch, the staff canteen will be fine.
33
One of the major issues facing you is the time available, as this impacts on your
ability to test the responses you get with the greatest range of people possible,
thus assuring yourself that the evidence you are finding is a true reflection of
what is happening. This is not something new and auditing has never pretended
to be anything else other than a sample, but you must be satisfied that the
sample size is large enough.
Whatever you decide you should always start and end with the process
owner. Start off with them:
to gather information, that you can go on and test throughout the process;
to understand if they have any particular areas they themselves may want
you to assess or review and provide feedback on.
Finally, conclude the audit with them so that you can confirm your findings and
provide overall feedback on what you found.
ensure you cover all the questions/areas required to meet the audit objectives;
act as a focal point for the audit, as it is easy to become distracted as you
follow the audit trail;
allow you to record notes against specific questions as you go, so you can
easily reference them when talking to different people;
ensure you can easily compile the audit report from the notes you have made
without relying on just your memory.
But how do you decide what you should include in your checklist? Well, how
detailed you make your checklist is a very personal thing and is likely to depend
upon several factors not least how experienced you are and your ability to read
it during the audit itself.
Before you can begin to prepare your audit checklist you first have to
design it or, should you find it useful, copy my example, shown in Table 5.2.
Your design will no doubt evolve over time to reflect your own personal style
and needs.
Having decided on what your checklist will look like you now have
to populate it with all the questions you are going to need to ask in order to
complete your audit. These are the questions that will test:
Process Management Auditing for ISO 9001:2000
34
This means all of the things we covered when looking at the auditor tools and
objective evidence in the previous section.
You should allow yourself plenty of time in advance of the audit to gather the
information and compile your checklist. Remember the audit starts from the
moment you start compiling information and preparing your checklist, not from
the moment you ask your first question of the process owner, it is much too late
by then to get it right if you have not planned thoroughly.
If you are not able to carry out the background research or obtain the
information you would like in order to prepare thoroughly for the audit, then
you must allow yourself more time to carry out the audit itself and to collect this
as you proceed. This is certainly not the most efficient way to carry out an audit,
but sometimes you will have no choice. Without this information your audit
will be flawed, so you must obtain it early on if you are to be effective.
35
Checklist
36
make sure you fully understand the eight principles and the PDCA cycle;
be clear on the objective of the audit;
plan the audit carefully making sure you allocate the appropriate time to
each element and sample enough people;
book meetings with people well in advance, dont expect them to just be
waiting for you!
understand the management system and process connections;
know the business objectives and customer requirements and make the
connections to process outputs;
always use a checklist!
37
Bringing it together
Hopefully by the time you are about to start the audit you have fully prepared
and have a clear understanding of how you will satisfy yourself that the process is
being managed effectively. Here is a brief reminder of what you are about to do:
If you are not put off by this then lets get on with the audit, starting with the
Managing Director, who will put the process and system in context.
38
They call you in and immediately inform you that they have to leave for
another meeting in 30 minutes so you will have to be quick. Your mind goes
blank, your mouth goes dry, your heart beats a little faster and you begin to
wonder what you are doing here. You glance down and, to your relief, see the
checklist you so carefully prepared. Referring to the first question you inquire
How is business? You have started the audit.
As a general rule you will only have a limited amount of time with these
people, so you have to make the little time you do get as productive as possible.
Being completely clear about the objectives of the interview and the outcomes
you require is essential and will prevent you becoming sidetracked and coming
away wishing you had asked a particular question. Remember again that it is your
meeting and you are in control of it. You will gain real respect if you do but if
you dont
39
Before you conclude the meeting have a quick look at your checklist to
ensure you have everything you need for the next part of the audit and then ask,
Is there anything you would like from my audit, are there any areas you would
like me to look at in addition? Note any response you get and then thank them
for their time and leave.
Check and confirm with the process owner that the audit plan is still
alright and that the people you wish to speak to will be available.
As with the Managing Director be quite clear about the objective of the
interview. Your final report must be able to conclude how effectively the process
was being managed, so make sure you keep focused on this and do not become
distracted by other issues the process owner may wish to talk about.
The link between what the Managing Director said and what you are now
being told by the process owner are they saying the same things?
Has the Managing Director communicated the business objectives
adequately?
Has the process owner interpreted them correctly?
Process Management Auditing for ISO 9001:2000
40
Refer to Table 4.2 for more questions and Table 4.3 for the likely objective
evidence you could find and can therefore make a note of on your checklist.
Just as with the interview with the Managing Director, you should treat
the interview with the process owner as an information gathering exercise, so
ensure you record as much of the information you are given as possible. You will
need it to complete the main part of the audit.
Again, before you conclude the meeting have a quick look at your checklist
to ensure you have everything you need for the next part of the audit and then
ask, Is there anything you would like from my audit, are there any areas you
would like me to look at in addition? Note any response you get and then thank
them for their time and leave.
Whereas the objectives of the interviews with the Managing Director and
process owner were primarily information gathering, the audits of process staff
are now about testing this information in order to determine how effectively the
process is being managed.
41
Are the objectives/outputs of the process understood and are they linked to
what the process owner said?
Is the process measured and are they the same as what the process owner
said?
Do process staff know what the current performance of the process is?
How is information communicated to people working within the process
and is this as described by the process owner?
Do process staff know how they can contribute to improving process
performance?
Refer to Table 4.2 for more questions and Table 4.3 for the likely objective
evidence you will find and can make a note of on your checklist.
Give me a break!
There are a lot of pressures on auditors and you should never be afraid to take
a break during the audit in order to give yourself an opportunity to collect your
thoughts, put the information you have gathered into context and to generally
satisfy yourself that you are progressing as planned.
42
affords you the opportunity to determine the specific further questions you need
to ask in order to complete the audit and compile your report adequately. Should
you find that you do not have sufficient evidence to make a judgement as you
proceed, never be afraid to add items to your checklist.
Now is the time to begin to sift your way through all the information you
have and to collect your thoughts ready to compile your report and report back
to the process owner and/or Managing Director.
You should discuss your findings with the process owner and/or Managing
Director prior to generating your final audit report and indeed there may well be
some items that require clarification. Please refer to the next section of this book
where this will be explored in more detail.
43
Report objectives
What are the objectives of your audit report? A straightforward enough question,
but how many auditors actually ask themselves this before they write and
present their report? A lot of the audit reports I read clearly demonstrate that the
auditor did not ask themselves this question and if they did they drew the wrong
conclusion from it. The most common misinterpretation of this question comes
from ISO 9001:2000 auditors, be they internal or third party auditors.
The real objective surely has to be to record all the areas where the
organization did not comply with ISO 9001:2000 that affect business performance.
In other words the report findings will add value to the organization by
highlighting issues that, if addressed, will improve the performance of the business.
44
What to report
The ultimate design of your audit report may be constrained by the need
to adopt a standard template or format used by your organization, which is
almost certain to apply to third party auditors. If you have no such constraints
then you are free to choose a format that allows you to report your findings in
the most appropriate way, which could be anything from an A4 template to a
software-based computer presentation. The choice is yours. Table 7.1 provides
an example of an internal audit report template that I have used and you are
welcome to copy and modify in order to come up with a version you feel
comfortable using.
45
Audit summary
Audit findings
Ref. No.
Process Management Auditing for ISO 9001:2000
46
What to say
The following are examples of what to say in an internal audit report.
47
them to do something? Precisely, the second version, and this is the style you
should be adopting in the writing of your audit reports. The report is all about
the business and nothing about subclauses in ISO 9001:2000 because Managing
Directors are not interested in the detail of what the standard says.
As any good politician would tell you it is all in the spin. I am not
suggesting we all need to become politicians, but, as auditors, we could all learn
a trick or two from them and spin our reports positively. After all, we are trying
to influence our customer to make the improvements we have identified.
the quality policy had not been signed by the Managing Director
SO WHAT!
48
money (or at least not overspend). Meeting financial targets is a prerequisite for
the majority of organizations and often the key purpose of their existence.
Improvement action
The audit report should only contain the findings of the audit and not
suggestions for the improvement action to be taken. This way the auditor can
remain independent and the organization does not feel obliged to adopt any
of the auditors suggestions for improvement, even if it does not agree with
them. By doing this, the auditor is also passing the responsibility for taking
improvement action back to the process owner.
8. Assessing improvements
50
same skills are required, but it needs a still wider business understanding for the
auditor to be successful.
In preparing for a follow-up audit the auditor needs to review the previous
report and, in particular, to understand the business reasons for recommending
the improvement and the business risks or impact associated with it.
In terms of preparing your audit plan you should aim to discuss the
improvements to establish what action has been taken and the purpose in taking
the action. The same tools and techniques can be used to carry out a follow-up
audit as have been described earlier for process management audits. So, in
establishing the purpose and the aim of the action or improvement the auditor
is identifying what the process owner is trying to achieve. It is not good enough
just to determine whether the corrective action or improvement has taken
place. What the auditor needs to establish is how effective the action has been
ie has the aim of the improvement activity been met, has it worked/solved the
problem etc. From establishing the aim the auditor can then review the actual
improvement activity or corrective action taken, the results gained and identify
any further improvement needed to meet the original intention or purpose.
As described earlier the auditing tool shown in Figure 4.1 can be used in a
similar way when carrying out follow-up audits:
51
Auditing as a skill
Auditing is a skill and like any other skill needs practice to hone it. It involves
an ability to evaluate or learn from the experience, subsequently changing the
auditing style or approach to add more value to the activity. Clearly competence
to audit is a key requirement but to enable this competence to be built (something
that is less easy to train) are the personal attributes, inherent in any good auditor.
These attributes underpin the auditing activity and are the basis upon which
competence is built.
ISO 19011 describes these attributes and although not an exhaustive list,
it does provide a useful insight into what is expected. Above all the auditor
should be ethical; auditors are placed in a position of trust by Management to
investigate how effectively the organization is being managed. As we have seen
auditors need to assess effectiveness of actions taken as well as compliance.
To assess effectiveness requires the auditor to expose areas of strength and
weakness, identifying where the organization can make improvements or
changes that will enhance performance. In talking to different people at different
levels within the organization, often being party to sensitive information, the
auditor should be careful to ensure that confidentiality is maintained at all times,
whatever the pressure to disclose sources of information. This is not always easy
and sometimes pressure is exerted, but those seeking the information should
be made aware that its disclosure will break confidentiality which may result
in auditees being reluctant to take part fully in later audits to the detriment of
future audits and therefore the organization.
What personal attributes do auditors need?
53
Adopting an open mind goes hand-in-hand with carrying out the audit
in a tactful and diplomatic manner. Remember the easiest way to gather
information is to ask people what is happening, what they do, how they could
improve what they do etc. How the auditor handles this conversation, even if
auditing using email and other non-traditional methods of auditing, is critical
to success. If the auditor criticizes what someone is doing or how a manager
is managing their part of the business then that person is likely to be more
reluctant to provide the auditor with the information they need. Remember
people are often not the problem, most of the time it is the system they are
operating in, so identify where the system is failing rather than seeking to
criticize, blame or expose the individual. The results will be far more welcome
and of considerably more value to the organization.
Process Management Auditing for ISO 9001:2000
54
55
The auditor needs to have a mix of skills and knowledge to be effective. These
are interdependent and should not be considered or developed in isolation of
each other, ie no one area is more important than the other they complement
each other.
It goes without saying that the auditor should be able to follow the
organizations auditing procedure and approaches.
The auditor should be able to create an audit plan based on the scope of
the audit. This should show who is going to be audited, how and when and be
agreed by the process owner. The effective use of time is very important. Auditors
should not forget that for most organizations auditing is an overhead, a cost to be
borne by the organization. Therefore the organization needs to not only get value
from the audit but also collect, collate and report information and other data
efficiently and effectively. The audit plan should reflect this need and auditors
should adopt approaches and methods that are appropriate. As mentioned early
in the book these approaches may well be non-traditional in nature but will be
more cost effective without distracting from the value of the audit.
With the plan in place, agreed with the process owner and communicated
to those being audited, it is the responsibility of the auditor to ensure that the
Process Management Auditing for ISO 9001:2000
56
57
with information the next time an audit takes place, thereby reducing the
effectiveness of the audits taking place.
Auditors should focus their attention on significant issues. This does not
mean that areas of detail should be ignored but that the audit should focus on
what is important to the success of the process and the organization rather than
areas that have little impact or significance in the overall picture. Some auditors
get a reputation for nit-picking ie identifying or making an issue of small areas
that in themselves have little or limited impact on performance. If the auditor is
in any doubt as to whether or not an issue should be raised then think about the
manager who will be receiving the report, will they be interested? Is it important
to them?
58
the intention to revisit the principles of process management and its impact on
organizational performance but auditors who do not understand the principles
will not be able to audit effectively, often finding it difficult to move beyond
compliance auditing.
This extends to understanding how the various processes that makes up the
system interact with each other and how support or reference documentation such
as procedures and other information is positioned and used within the system. It
would also include how resources, equipment, budgets, competence, team work,
knowledge, other standards and frameworks, knowledge, environmental, health
and safety and regulatory requirements, information technology, intellectual
property, management ability and techniques, results, changes etc can impact
on process performance. This does not have to be an in-depth understanding
but should, at the very least, be an awareness of the possible impacts so that the
auditor is able to form judgements on possible areas for improvement.
59
Understanding these tools gives the auditor a wider and deeper appreciation
of how traditional quality techniques can be used to improve and support
process performance.
Not all auditors have the same level of auditing competence. Different
auditors will have different auditing experiences and skills. As processes run
across the organization, inevitably auditees will occupy different positions
within the business. They will have different responsibilities at differing
levels with the business, different attitudes and experiences; the same
auditor may not have sufficient skill to audit them all. A good compliance
auditor does not necessarily have the competence to audit the effectiveness
of a business planning process.
Lack of confidence or experience. Although this is often caused largely by
inexperience, nonetheless it is a critical factor if the audit is to be a success.
A good example of this is an auditor with compliance auditing skills being
asked to audit the Managing Director to determine how effective the
management system is in meeting business objectives. Although in some
organizations this may well be acceptable, even promoted in others, it may
well place the auditor in a position where they are not going to do justice
to themselves or the audit. This may simply be because they are not of the
right grade, position or may not have the confidence or experience to audit a
senior manager.
Lack of understanding of the business and the process. To audit processes
effectively auditors require an understanding of a wide range of business
principles. This does not have to be an in-depth understanding but an
awareness. For example it is often commented that auditors need an
understanding of quality, health and safety, and environmental issues (the
Process Management Auditing for ISO 9001:2000
60
Planning the audit as we have seen auditors have different skills and may
even be in different locations so the available audit resource needs to be
appointed accordingly based on the process to be audited. In addition the
method or approach needs to be considered. Traditionally auditing has been
completed face-to-face on a one-to-one basis. To audit effectively this does
not have to be the case. The auditor can use many methods including email,
telephone, short questionnaires, video-conference for example, as covered in
previous sections.
Representing the audit team as part of the audit this will probably mean
discussing and planning the audit with the process owner or Management
team member. This would include agreeing who is to be audited, the scope
of the audit and any particular aspects of the process that need special
attention. At the end of the audit the Lead Auditor will also present/report
the audit findings back to the process owner or Managing Director and agree
any follow up action required.
Completing the audit report as the auditing is being conducted by a team,
the Lead Auditor is responsible for bringing the different strands of the
audit together in order to reach conclusions. Identifying non-compliances
is normally straightforward, identifying areas for improvement that will
What personal attributes do auditors need?
61
enhance performance can be more difficult to agree. This often requires the
team to reach consensus on what the different strands mean when they are
added together. How this is achieved can vary but on occasions individual
team members may disagree with each other. At this point the Lead Auditor
needs to have the skill to facilitate the team to reach a sensible conclusion
that will make sense to the team, the process owner and support the
improvement of the organization. Coupled with this is the ability to write an
audit report that is effective in portraying the findings and conclusions of the
audit. The findings need to be succinct, clear and easy to understand showing
what objective evidence has been identified to support the conclusions.
The Lead Auditor needs to be able to justify the statements made,
if required, and to enter into discussions as to how the areas identified
might be resolved. The Lead Auditor should, however, be careful not to
recommend actions as part of the audit. Often when reporting areas for
improvement there is often a temptation to recommend how a particular
issue may be resolved or improved. There may well be many ways that a
problem could be resolved, some unknown to the audit team or outside the
scope of their understanding. Improvements are likely to be subject to the
organizations improvement process (as required by ISO 9001:2000) and
it is this activity that will identify the causes and recommend solutions.
Lead Auditors need to be careful with recommendations, often it is best to
report statements of fact and leave the actions and recommendations for
improvement to the manager concerned thats their responsibility.
Managing the audit as it is progressed the Lead Auditor is responsible
for managing the audit as it is carried out. This may mean resolving issues,
some of which may be confrontational in nature. This can often require tact
and diplomacy (hence the attributes listed in this bullet list). It may also
mean identifying potential problems that could occur and taking appropriate
action to prevent them from happening.
Developing the auditors by their nature Lead Auditors tend to be more
experienced managers as well as auditors. This experience can be used to
develop auditor competence, identifying training needs and taking part in
training and development activity that will improve auditor performance.
62
Our experience shows that the development of these key skills takes
time, and as competence builds so auditors create their own style and approach
based on the techniques outlined. This approach has created a far more
interactive and value adding approach to auditing. Auditors report that they
not only find out more information quicker, but that they are also finding out
value adding areas for improvement which would not have identified solely from
compliance auditing.
These are key skills that need to be mastered for the future. In addition
auditors need to be much more business aware, with an understanding at least at
an overview level of the different management skills and techniques used within
an organization. This may include understanding finance, health and safety, new
product development, improvement techniques, asset management and strategy
and business planning for example, all of which affect either process or systems
management auditing. This is not an exhaustive list and I am not saying you
need to be an expert in all areas, which is impossible. But auditors will need an
Conclusion and the way forward
63
appreciation of these other areas in order to audit the joined up nature of both
processes and systems and to help drive the need for them to improve and change.
But this is precisely the information that Management need and want.
Auditing, both third party and internal, is a cost to organizations, and by not
providing the required information that adds value, auditors will be doing their
employers and customers a disservice. As importantly, they are also giving people
the opportunity to reduce the importance of auditing and auditors. In such a
situation, organizations quite naturally look for other solutions to their problems
and if that means not using auditors in the traditional manner then so be it.
Very few organizations fail to understand the need for improvement and
change to enhance their performance. Auditors have a vital role to play, but only
if they adopt the techniques and approaches required.
65
4.1 Identification of Senior Management Show me the processes that How do you know the correct
the processes make up the management processes have been identified?
system
Senior Management What parts of your processes How do you assess which parts
are outsourced? of your process should or
shouldnt be outsourced? How is
this management decision made?
Management What parts of your processes How do you know that the
are outsourced? outsourced work is being
effectively managed and
controlled?
Staff member What jobs are given to other How often, roughly, is work
people outside the business done by other people outside
to do? the organization completed
wrongly or badly?
Staff member What part do you play in the How do you know if or when
process? you have done a good job?
Staff member What do you do? How often do you get work that
is either wrong, incorrect, needs
rework or is simply confusing?
4.2.1 General Senior Management Are procedures documented? How did you determine what
Do you have a quality manual? method and approach is of most
Is there a statement of quality benefit to your organization?
and objectives?
Process Management Auditing for ISO 9001:2000
66
4.2.2 Quality manual Senior Management/ Do you have a quality manual? What is the purpose of the
Management Show me your quality manual? manual?
Does it contain the right How is it used on a routine
information outlined in the regular basis?
standard? How is its content translated
into everyday activity?
Why is it written the way it is?
How does the manual support
the objectives of the organization
and its image with the customer?
4.2.3 Document Management/staff Do you approve documents How often do you find that you
control prior to issue? use the wrong information or
Do you have a procedure? documents in this organization?
Show me how you control (ask many people to build up
the version a picture)
Etc Do you ever think that you use
out-of-date information?
How do you know you are
using the most up-to-date
information/documents?
Appendix 1
67
5.1 Management Senior Management How do you demonstrate that How do you know that the
commitment you are committed to the approaches you use to
development and demonstrate commitment
implementation of the are effective?
management system?
Staff member Are Management committed When was the last time you
to the management system? saw/heard your Manager
Or: concerned with meeting the
How committed are customers needs? What was
Management to the this? What was the impact of
management system in this these statements on you and
organization? your colleagues?
5.2 Customer focus Senior Management How do you focus on the How do you prioritize the needs
needs of the customer? of different customers and other
stakeholders?
We cant satisfy everyone 100
per cent of the time, so how do
you manage this?
How is this information used to
set business objectives?
How do you validate the
information to ensure it is
correct, (otherwise your
objectives could be incorrect)?
Senior Management/ How do you identify How do you know that the
Management customer needs? process for identifying customer
needs is effective?
Senior Management/ What process do you have to How are customers needs
Management identify what customers translated into objectives that
needs are? are subsequently measured by
What is your role in this customer satisfaction activity?
process? How does it all link together?
Process Management Auditing for ISO 9001:2000
68
Senior Management Who is responsible for this How is this process managed,
process? controlled and improved on a
continual basis?
5.3 Quality policy Senior Management Show me your policy? What factors did you consider in
determining the policy details?
Staff member Do you know what the quality What is important to this
policy is or where to find it? organization?
How important is it that you
do a good job to you, to the
customer, to the organization?
If there was one thing that this
organization had to achieve,
what would it be?
Senior Management Has the policy been How do you know that your
communicated? How? employees understand the policy
and what it means to them?
5.4.1 Quality Senior Management Do you have quality objectives? How do you know the
objectives objectives are correct?
69
5.4.2 Quality Senior Management Is the management system How do you know that the
management designed to meet the management system has been
system planning objectives of the business? designed to meet the
How do you maintain the objectives set?
integrity of the management How do you ensure that the
system? integrity of the management
system is maintained so that
customers are not adversely
affected during changes?
5.5.1 Responsibility Senior Management Are responsibilities and How are responsibilities
and authority authorities defined? communicated?
How do you know if these
responsibilities are being applied
correctly?
How do you reallocate/reduce
responsibilities when needed?
5.5.2 Management Senior Management/ Who is the Management Who in the Management team
representation Management Representative? champions the management
Show me what you do (to the system?
Management Representative) How effective is the
Management Representative
in helping the organization to
understand how it delivers
results and improves business
performance?
5.5.3 Internal Senior Management How do you communicate How do you know that the
communication results to the rest of the communication methods you
organization? use are effective?
Process Management Auditing for ISO 9001:2000
70
Staff How well is the organization Does the information you are
performing? provided with mean anything
Do Management to you?
communicate to you on Does the information relate
this subject? directly to your job?
How can you influence these
results?
5.6 Management Senior Management/ Do you hold a management How do management review
review Management review? the performance of the business?
What do you look at? How effective are these
What are the results of the methods?
review? How do you know the actions
How do you record the agreed are aimed at delivering
actions from the review? the organizations objectives?
Are discussions at reviews based
on improving results?
What subject areas are
discussed?
How do they relate to the
performance of the business and
its objectives?
What factors do you use to
prioritize improvement activity?
Appendix 1
71
6.1 Provision of Senior Management/ Do you allocate resources? How do you know the
resources Management How do you manage resources you use are aligned
resources? to the delivery of the business
What resources do you need? objectives?
How do you know that the
resources required contribute
to satisfying customer needs/
requirements?
6.2.1 General Senior Management/ How do you recruit people How do you know the balance
Management who are competent? between training and
How do you manage peoples competence and the need for
competences? procedures is correct and
How do you balance the effective?
need for procedures with How do you know your
peoples competences? peoples competences are
sufficient to deliver the business
objectives?
Staff What resources do you use? If there was one thing that
would help you do your job
better what would it be?
6.2.2 Competence, Management Have competences been How do you know the correct
awareness and defined? competences have been defined?
training Are training needs identified? What methods do you use to
Do you evaluate training evaluate training and how do
interventions? you know when to use each?
Do you have training records? How do you prioritize
How do you communicate someones learning/training
the importance of your staffs needs?
activities in meeting objectives? What support do you give that
How do you make them allows staff to apply what they
understand this? have learnt in the workplace?
How do you know how
effective this support is?
How do you know that you
have effectively communicated
personal objectives to staff?
Process Management Auditing for ISO 9001:2000
72
6.3 Infrastructure Management What equipment/assets do How do you know that the
you have? equipment is capable of
How is this equipment delivering the objectives?
managed and maintained? How do you know that you
How is the equipment have purchased and
purchased? commissioned the most
Do you back up IT systems? appropriate equipment?
What processes do you have How do you assess the
to manage all your resources? effectiveness of your disaster
Does your process cover recovery plans should your
acquiring, commissioning and infrastructure fail?
decommissioning an asset? How do you optimize the
What approvals are gathered performance of your infra-
for asset purchase? structure resource?
How do you know that
approvals for asset purchases
follow the agreed governance
rules for the business?
73
6.4 Work Management What do you consider to be How do you know when to
environment your working environment? make a new investment in the
How is the working working environment?
environment managed? How do you measure the
What legal and regulatory impact of the working
requirements do you need environment on peoples
to follow? motivation to work here?
How do you know that the
working environment supports
the delivery of process and
product requirements?
74
7.1 Planning of Management What are the processes for How do you know the correct
product product realization? processes have been identified
realization How do these processes to meet the objectives set?
operate? How do you know that the
planning is an appropriate form
for the business? How has this
been tested to maximize the
operational performance of the
organization?
7.2.1 Determination Management How do you determine what How do you know you have
of requirements customers require? determined the customers
related to the What statutory and regulatory requirements correctly?
product requirements relate to the How good do you think you are
product/service? at identifying what your
What non-stated customers needs really are?
requirements are there? How effective is the business at
ensuring you dont fall short of
regulatory requirements?
7.2.2 Review of Management How do you review the How much wasted work is
requirements organizations capability to carried out in this organization
related to the deliver what the customer as a result of you, or the
product requires? customer, changing what is
Show me the details. required?
Staff How do you know you are How often do you find that you
capable of delivering what is cant actually deliver what you
required? have agreed to?
7.2.3 Customer Management How do you communicate How do you know that
communication information to customers? customers know how to
What provision have you communicate with the
made that allows customers organization effectively?
to raise queries or provide How has this type of
you with feedback? communication from the
customer affected what you do
in the past six months?
Appendix 1
75
7.3.1 Design and Management How do you plan the design How do you optimize the use
development and/or development of a new of resources you have available
planning product or service? to you?
What resources do you need? How do you prioritize different
projects?
How do you know that your
limited resources are being used
in such a way as to maximize
the benefit to the organization
and its customers?
7.3.2 Design and Project Manager What factors do you How do you know the design
development considered when designing/ inputs have been identified
inputs developing a product or correctly?
service? How often do you find, when
What legal and regulatory testing a product or service,
requirements are important? that the design inputs have not
been identified correctly?
7.3.3 Design and Project Manager What design/development How many changes are made to
development outputs do you have? design/development outputs
outputs Do they contain the required before they are correct and can
product acceptance criteria? be used?
How do you know that the
design/development outputs are
relevant and appropriate to the
needs of the rest of the business?
Process Management Auditing for ISO 9001:2000
76
7.3.4 Design and Project Manager/ How often do you hold How often are agreed deadlines
development project team reviews? for actions missed? Why is this?
review What is the purpose of these How are disagreements or
reviews? concerns on the way forward
Who attends these reviews? resolved quickly and to the
What happens at these benefit of the business?
reviews? Compared with your
competitors how good are you
at getting products to market?
7.3.5 Design and Project Manager/ How do you test products How often do you identify
development project team and services to check that problems found with products
verification you have designed what you and services after they are
were supposed to design? released?
What records do you keep? How do you balance the need
and risks to get the product or
service launched with making it
perfect?
7.3.6 Design and Project Manager/ How do you test products How do you know that
development project team and services to check that customer requirements have
validation you have designed something been met when you are
that meets the original designing the product and
customer or market needs? services?
7.3.7 Control of Project Manager/ How are changes How do you know that the
design and project team incorporated into designs/ changes to designs or
development developments? developments will have the
changes desired results?
Appendix 1
77
7.4.1 Purchasing Purchasing Manager What is the purchasing How do you know that the
process process? suppliers you use continue to
How does the process work? contribute to the delivery of
Show me the process working business objectives?
7.4.2 Purchasing Staff What purchasing information How do you know that you
information do you include on purchase provide sufficient information
orders? to your suppliers, not too much
What quality management but not too little?
system requirements do you How do you know that your
insist upon? suppliers are managing their
business in an efficient and
effective manner? How do you
assess this?
7.4.3 Verification of Management How do you ensure that the How do you reduce the risk of
purchased purchased product and bought in goods and service
product services are what you ordered? failures on what is provided to
What actions do you take to your customers?
check that the goods you
receive are OK?
7.5.1 Control of Management How do control operational How do you plan the way in
production and activities to ensure consistency which operational activities are
service provision and conformity of the service performed to provide sufficient
or product? controls?
What work instructions, How do you control the risks
control plans or schedules do of operational activities in
you use to control operational meeting customer requirements?
processes?
78
7.5.2 Validation of Management Demonstrate the validation How do you control any
processes for methods in place to control processes you cannot readily or
production and processes you cannot readily economically verify?
service provision or economically verify? How do you know the validation
How often to revalidate the methods you use are effective?
process controls?
Staff How do you test the process? How do you test the process to
ensure it meets customer/
product requirements?
What are the criteria you use to
measure process performance?
7.5.3 Identification Management Do you identify products? How have you determined to
and traceability How do you identify products? what extent identification and
traceability of the product is
required?
How do you know the controls
for product identification and
traceability are effective?
7.5.4 Customer Management Do you use customer How do you know when
property property in the process? customer property is used in
How are problems with the process?
customer property reported How is customer property
back to the customer? identified and protected?
When problems arise with
customer property how do you
deal with them and ensure the
problem does not arise in the
future?
79
7.5.5 Preservation of Management Show me how the product is How is conformity of the
product protected product to specified
requirements maintained
throughout the entire process?
Staff Show me how the product is How do you know that the
stored product is adequately protected
Show me how the product is during all stages of the process?
identified
Show me how the product is
handled
7.6 Control of Management Have you identified all How do you determine what
monitoring and monitoring and measuring monitoring and measurement is
measuring equipment? required?
devices Has the equipment been How do you know the results
calibrated to a recognized of the monitoring and
standard, eg NAMAS measuring can be relied upon?
approved? How is monitoring and
Show me the records for measuring equipment checked?
monitoring and measuring What do you do when a piece
equipment of monitoring or measuring
Is the product recalled and equipment fails calibration?
retested when a piece of
monitoring or measuring
equipment fails calibration?
80
8.2.1 Customer Management Do you measure customer What do you do with the
satisfaction satisfaction? information you get from
How do you measure measuring satisfaction?
customer satisfaction? How do you know the methods
you use are effective in gathering
the information you need?
How do you know that the
questions you ask/information
you seek is the right information?
(Compare this to the answers
from 5.2)
8.2.2 Internal audit Senior Management Show me your audit How do you know when to
schedule/programme? audit each process given the
business risks your organization
faces?
81
8.2.3 Monitoring and Senior Management/ Show me your measures How do you know these are
and measurement Management the correct measures?
8.2.4 of processes What is the information telling
and product you?
Show me the trends in How do you know that the
performance information is accurate?
Show me the targets for How do the measures link to
each process the business objectives?
How do you manage the
process and identify cost and
waste efficiencies? Give me an
example.
8.3 Control of Management Show me the procedure to How do you know that non-
non-conforming control non-conforming conforming products are not
product product? reaching the customer or being
How do you make sure used?
non-conforming products do What is the impact on the
not get used accidentally? business if they are released
Do you keep records of accidentally?
non-conforming products? Why do you need records?
What do you do with them?
82
Management How do you handle product How do you know that any
recalls? product recall would be handled
to protect both the customer
and the image of the
organization?
8.4 Analysis of data Management Do you analyse performance? How do you identify
How do you analyse improvements that maximize
performance? the benefit to the business?
Does the information include How do you make
data on customer satisfaction? recommendations for
Does the information show improvement based on the
trends in performance against results achieved?
targets? How do you monitor the impact
of improvements on the results
achieved?
8.5.1 Continual Senior Management/ Is there a process for How do you know that
improvement Management continual improvement? improvements made are
managed and controlled?
How are appropriate people
involved in improvement activity?
How do you know that an
improvement doesnt have an
adverse impact on other activity?
8.5.2 Corrective Management Have you got a procedure for How do you know everyone
action corrective action that covers deals with processing/product
the areas of the standard? errors or mistakes in the same
Do you keep records of way to protect the organization
corrective actions? and its customers?
Appendix 1
83
Staff What is a corrective action? How often does this take place?
What do you do with a Do you think we make too
processing/product error many mistakes that are really
or mistake? unnecessary?
8.5.3 Preventive Management Have you got a procedure for How do you know the correct
action preventive action that covers business risks have been
the areas of the standard? identified and actions put in
Do you keep records of place to reduce these risks?
preventive actions?
Process Management Auditing for ISO 9001:2000
84
1. Establish
business objectives
2. Audit planning
Managment
system
documents
ISO 9001:2000 3. Carry out audit/
ISO 14001 verify action
legal and statutory
requirements
4. Record
observations
5. Generate audit
8. Action taken
report
Yes
6. Action 7. Responsibility and
required? timescales agreed
No
9. Close audit
85
1.1 The purpose of this procedure is to ensure the companys operational activities are
being carried out in accordance with the requirements of the management system and to
monitor compliance to external standards, including legal and statutory obligations. Where
omissions are highlighted this procedure ensures that appropriate timely action is taken in
order to correct the situation.
2. AUDIT PLANNING
2.1 With reference to the current business objectives, previous audit results, and the importance
of the processes to be audited, the Management Representative is responsible for generating
an annual audit plan covering all relevant elements of the management system.
3. AUDITING
3.1 Audits are carried out by the assigned auditor using the following documents as the criteria
to audit against: current management system documents, externally originated standards
(e.g. ISO 9001:2000, ISO 14001, etc), legal and statutory requirements, as appropriate.
3.2 During the audit the emphasis is placed on the witnessing of objective evidence to verify
that the management system procedures meet the requirements of any appropriate
externally originated standard and/or legal and statutory requirements and that they are
being effectively implemented.
3.3 Any observations made during the course of the audit are recorded by the auditor in the
form of notes or on the Audit Checklist document.
4. REPORTING
4.1 If an opportunity to improve or a problem is identified during the audit the auditor will
endeavour to agree suitable action and timescales for its completion, with the most
appropriate individual(s).
4.2 At the end of the audit the auditor completes an audit report detailing their observations
and any action that may be necessary, including responsibility and timescales for completion.
4.3 The completed audit report is circulated to all staff responsible for taking the action. It is
their responsibility to carry out the appropriate action by the agreed completion date.
The Management Representative retains the original report.
5. VERIFICATION OF ACTION
5.1 The action is verified by the Management Representative as part of the ongoing audit
plan for that activity or separately, as appropriate, to ensure that it has been completed
effectively.
5.2 When satisfied that the action has been completed and is effective the Management
Representative signs the audit report to close it.
Table A.7 Example audit schedule for an organization with three locations
Process Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Managing Contact Centres
New Business W+T
Client Service W+T
Client Service Operations W+T
Contact Centre W+T
Managing Finances T
Managing Facilities W C T
Marketing W C T
NOTE This audit schedule example is taken from an organization operating over three sites in Warrington, Thame and Crawley, hence the W+T+C, which indicate the
specific location to be audited.
87
References
International standards
ISO 9001:2000, Quality management systems Requirements
ISO 19011, Guidelines for quality and/or environmental management
systems auditing
ISO 14001, Environmental management systems Specification with
guidance for use
88