
Process Management Auditing

for ISO 9001:2000


Process Management Auditing for ISO 9001:2000

Understanding ISO 9001:2000 and Process-based Management Systems

Creating a Process-based Management System



Carl Ford and Ian Rosam


(The High Performance Organisation)

British Standards Institution


First published 2003

© The HPO Ltd 2003

ISBN 0 580 41547 3

BSI reference: BIP 2015

A catalogue record for this book is available from the British Library.

Copyright subsists in all BSI publications. Except as permitted under the
Copyright, Designs and Patents Act 1988 no extract may be reproduced, stored
in a retrieval system or transmitted in any form or by any means electronic,
photocopying, recording or otherwise without prior written permission from BSI.
If permission is granted, the terms may include royalty payments or a licensing
agreement. Details and advice can be obtained from the Copyright Manager, British
Standards Institution, 389 Chiswick High Road, London W4 4AL.

Typeset by Monolith www.monolith.uk.com

Printed by PIMS Digital, Essex


About the authors
Carl Ford and Ian Rosam work with the HPO (High Performance Organisation)
and between them they have a wealth of management experience. They have
used this to develop new and innovative approaches to management by process
and consequently the methods needed for effective auditing.

They also help organizations of all sizes, and from all sectors, to improve
their business performance by the effective management of their business
processes. With or without ISO 9001:2000, they have a deep-seated and long-
held belief that the management of business processes is fundamental to an
organization's success. They are passionate in communicating this central theme
to decision-makers within organizations to help them to drive their overall
business success.

The interpretations in this book are based on the real world experience
of facilitating the creation, implementation and improvement of process-based
management systems that meet the requirements of ISO 9001:2000. They are
interested primarily in practical application not just theoretical ideas.

Contents

0. Introduction
We introduce the challenge that auditors face to develop the
competences required to effectively audit against the new
ISO 9001:2000 standard and the ever increasing demands of
business for auditing activity to add more value. We examine the
opportunities available for the forward thinking auditor.

1. Putting the process approach into context
A quick overview of the process approach to ensure that we
have a common understanding of the basic terminology before
developing our auditing skills, knowledge and competences.

2. The requirements of ISO 9001:2000 - an auditor's perspective
The eight key principles of ISO 9001:2000 and the Plan-Do-
Check-Act methodology are the basic techniques that form the
foundation of the effective auditor. A clear understanding of these
and how they can be applied to a business will help the auditor
structure their auditing approach both at system and process level.

3. The system-process-procedure relationship
The primary role of a process management auditor is to discover
to what extent the process is being managed and what effect
this has on the achievement of business objectives. Before we
can undertake any process management audit we must first
appreciate how a management system works and the interactions
that go on between the overall system, processes and procedures.

4. Auditing tools and techniques
With the fundamentals that make up a management system
understood, we now turn our attention to the detail of how you
should actually conduct an audit starting with the tools and
techniques that can be employed.

5. Planning and preparing a process audit
Auditing is 80 per cent preparation and 20 per cent actual
auditing, which sounds like a bit of an old wives' tale until you
actually carry out an audit and then you realize just how true it is!

6. Carrying out a process audit - compliance vs. effectiveness
Starting with the Managing Director will help put the process
and system into the context of the business that you are auditing.
Once this often daunting step is completed it will feed the
auditing of the process owners and teams in order to assess
the effectiveness of the management system in relation to the
business objectives.

7. Identifying and reporting findings - moving beyond compliance
What are the objectives of your audit report? A straightforward
enough question, but how many auditors actually ask themselves
this before they write and present their report?

8. Assessing improvements
The auditor's role is not to identify how improvements should
take place or what the organization should do. It is to provide
information to Management on areas of risk or where opportunities
for improvement exist with an explanation that outlines the
potential impact on the organization if these are addressed.

9. What personal attributes do auditors need?
Auditing is a skill and like any other skill needs practice to hone
it. It involves an ability to evaluate or learn from the experience,
subsequently changing the auditing style or approach to add
more value to the activity.

10. Conclusion and the way forward
In this book we cover the basic principles of auditing, and these
need time and practice to be effective for the reader to truly
understand the principles involved. In other words reading the
book without the practice will not build competence. We outline
ways in which auditors can further build their competence in
order to add more value to organizations.

App.1 Example auditor questions
This appendix seeks to provide some example questions based
on the approaches used. The examples are grouped by the
relevant ISO 9001:2000 clause for ease of reference, together with
questions that could be asked to demonstrate compliance along
with those which seek to test effectiveness.

0. Introduction

Has something changed?


December 2000 saw the release of the new ISO 9001:2000 standard and started
the clock ticking for organizations already registered to its 1994 predecessor to
make the transition to the new standard by 15 December 2003. At the same time
the clock also started ticking for auditors to become competent to audit against
this new standard.

There has been a mixed response since the issue of ISO 9001:2000 from
both businesses and auditors alike. Businesses have welcomed the new standard
and as a result have questioned the role internal and external auditors should
play in auditing to the new standard and stressed the need for more added
value to the service auditors generally provide. Auditors on the other hand have
also welcomed the new standard but many have not noticeably changed their
approach to the audits they conduct.

The result of this is a virtual stand off between auditors and business
which has left people feeling confused and in many cases extremely frustrated.

This book is aimed at people who wish to cut through this confusion
and gain a better understanding of the overall approach required for process
management auditing using ISO 9001:2000.

This book attempts to explain:

what business should expect from auditors;
what auditors should expect from business;
the actual role of an auditor in today's process driven business environment;
the key competences required to audit process management.

Auditors and the business - a partnership?


So from what has been said so far, you can already see that the relationship
between auditor and business must really be seen as a partnership, if the true
value to the business is to be realized. When this relationship is working
effectively there is the potential for the auditor-business relationship to become
a powerful tool to drive the business towards the achievement of its objectives.
It should not be about the auditors telling the business what it already knows.

The two key factors for this win-win partnership to succeed are:

a competent auditor;
strong business leadership willing to learn and to improve the organization.

If either of these two factors is missing then the value of auditing to the
business is significantly reduced (see Figure 0.1).

Challenges facing auditors and businesses alike


ISO 9001:2000 has radically changed, the implications of which have had
significant impact on businesses and auditors alike.

The fundamental shift towards process management and away from
procedural compliance requires a completely different approach when it comes
to auditing. It also requires a significant change in the associated competences of
an auditor if they are to audit process management effectively.

Businesses need to understand the importance ISO 9001:2000 places on
the senior management to lead an organization from the front through objective
setting, key process identification, allocation of process ownership, performance
monitoring and improvement.

Auditors have to understand how a business operates and, if they are to
be effective as auditors in this new world, how to gather information about
the organization's effectiveness and how their findings need to be reported to
add value to the business. Often the failure of auditors to understand this basic
requirement is the prime reason why they can fail to meet expectations (see
Figure 0.1).

The challenge for auditors to understand how businesses operate and how
they, as auditors, can add value, is one that auditors must rise to if they are to
continue to support businesses effectively. Many will have to set aside old values
and beliefs about auditing compliance based systems, change the way they look
and view objective evidence and look to learn new skills in order to become
competent process management auditors.

Figure 0.1 The auditor-business relationship
[Figure: two panels. Traditional auditor-business relationship: auditor focused on compliance only; business focused on objectives. Auditor-business partnership approach: auditor focused on supporting the business; business focused on objectives. Labels in both panels: Standards and frameworks; Customer and stakeholder needs.]

1. Putting the process approach into context

What is a process-based management system?


This book will not make any attempt to describe in detail process-based
management systems as other books within this series cover this in more depth
than I could hope or want to do here. However, a quick overview is appropriate
to ensure that we have a common understanding of the basic terminology.

What is a management system?

A framework of business processes working together to achieve the stated
business objectives, and customer and other stakeholder needs.

The example in Figure 1.1 is taken from a real organization and describes, at a
high level, the processes that go to make up its overall business management
system. It is pertinent to the organization itself and uses a language and layout
that can be easily understood by customers and staff alike. Typically this would
be described in the organization's quality manual.

The process, a definition:

An activity or series of activities that convert(s) an input into an output
(adding value through the process).

Figure 1.1 Example management system
[Figure: processes shown: Understand stakeholder and market needs; Developing our business objectives; Managing our finances; Developing our staff; Generate and win business; Managing projects; Supplying parts; Managing service support; Measuring and evaluating our performance; Improving our performance.]

If the business management system identifies what processes the organization
needs, then process definitions or process maps define the mechanism/activities
the organization is required to complete in order to achieve its stated objectives
to fulfil customer and stakeholder needs. See Figure 1.2 for an example of a
process map.

Process management, a definition:

The effective control of a series of activities that converts inputs into outputs
whilst both adding value and continually improving its performance.

Put another way, if we are to manage a process effectively we need to plan and
implement its delivery using the appropriate equipment, knowledge, etc and
measure its performance against targets. These performance measures are based
on the purpose of the process and by measuring against these we can identify
gaps in performance, which can form the basis for improvement activity. The
aim is to analyse the actual results achieved (compared against the target), to
learn from the information and trends created and to use information as a basis
for actions for change or improvement. More details on process management
and indeed systems thinking can be found in books 1 and 2 of this series (for
details on these, see the References chapter at the end of this book).

As a process management auditor we need to test how effectively this is
taking place!

Figure 1.2 Example process map
[Figure: process map with rows for Directors, Operations Director, Operations Manager and All staff. Steps shown: Identify website enhancement; Approve? (Yes/No); Brief website supplier, obtain spec and costs; Monitor development against spec; User test update and report findings to Operations Director; Arrange any problems to be resolved, test and advise everyone affected; Back up PC weekly and arrange back up of website; Identify an IT problem and report.]

Auditing a process-based management system


Prior to any attempt to carry out a process management audit you must first
understand the principles of the process-based management system and the
context in which processes are managed.

Processes do not operate in isolation, they are linked together to form an
overall management system. This management system provides the framework
for the organization to:

understand customer and stakeholder needs;
understand the constraints, regulations and other influences placed on the
business;
develop its business plan and/or objectives;
define and implement its core and support processes;
establish its key performance indicators or measures;
analyse its performance and make improvements in order to achieve its
business plan and/or objectives.

As an auditor you have to understand these principles in order to carry out a
successful audit and maximize the value of your audit report to the organization.
The principles above relate to a system and are tested by carrying out a systems
management audit. In this book we are concerned with process management
audits and therefore the principles are at a lower level but still follow the same
general approach, to:

understand the purpose of the process;
understand inputs and outputs and the objectives of the process;
define the steps or activities of the process;
establish process efficiency and effectiveness measures;
analyse process performance and make improvements based on this.

What the organization wants


An auditor should not be under any illusions that the organization is looking for
an audit report containing detailed findings on the organization's compliance to
ISO 9001:2000. They are most certainly not.

What the organization really wants is a report from the auditor describing
the impact on the organization of the findings in relation to compliance with
ISO 9001:2000. In other words the organization's viewpoint is that:

business comes first and the standard second;
the auditor is using ISO 9001:2000 as a management tool, a guidance
document that describes activity;
findings against the standard need to be interpreted into organizational
language and their impact highlighted.

The audit report is for Management use as information to help highlight
improvement opportunities and to identify risks to the business. The
Management are more likely to respond positively to your report if it is business
focused, as they can clearly see the benefits to the business of making any
improvements recommended.

2. The requirements of ISO 9001:2000 - an auditor's perspective

The principles of ISO 9001:2000


Do you know the eight key principles of ISO 9001:2000 and what the PDCA
methodology is? If the answer is no, then you need to learn them quickly and
thoroughly if you are going to be a competent auditor (see Table 2.1). These are
the basic principles that will form the foundation of your auditing technique.

Table 2.1 The eight principles of ISO 9001:2000

Principle | What it means
Customer focus | Understanding what customers need and expect from the organization as a whole and not just from an individual request or order
Leadership | Management (anyone responsible for the activity of others) at all levels creating and maintaining an environment aimed at achieving the business objectives in which others can operate
Involvement of people | Ensuring that all are involved in order that their abilities can be used and enhanced to maximum benefit for themselves and the organization
Process approach | Objectives are more likely to be achieved when activities are seen, understood and managed through processes and resources aligned accordingly
Systems approach to management | Identifying the individual business processes and ordering them so that they deliver results and objectives efficiently and effectively
Continual improvement | Improving business performance should be the objective of any organisation - it must improve and change over time
Factual approach to decision making | Effective decisions are based on information that has been analysed and not purely on a feeling of what needs to be done
Mutually beneficial supplier relationships | Enhanced value is created by working closely with suppliers that can affect your deliverables and not against them - it is really a case of 1 + 1 = 3!

The Plan-Do-Check-Act methodology (PDCA)


The PDCA methodology or cycle is the other key principle of ISO 9001:2000
and its application must be evident within the organization at both system
level and within individual processes. It can be described as in Table 2.2, and
visualized as in Figure 2.1.

Table 2.2 PDCA methodology

Plan | Establish the objectives and processes necessary to deliver results in accordance with customer requirements and business objectives and policies
Do | Implement the processes
Check | Monitor and measure processes against objectives, policies and requirements and report the results
Act | Take action to continually improve process performance

Making sense of ISO 9001:2000


There is a danger that if auditors fail to grasp the fundamental principles of ISO
9001:2000 they will undermine what they are trying to achieve, and increase
the possibility of reducing the added value they can bring to the business. This
basic requirement for auditors to understand the principles behind it, not just
the detail of ISO 9001:2000 seems obvious, but experience to date highlights the
fact that the majority of auditors do not grasp these basic principles. As a result,
there are huge variations in the perception business has of what ISO 9001:2000
is about and the value that effective auditing can bring to them.

Figure 2.1 Visual representation of PDCA cycle
[Figure: two successive cycles (Plan 1, Do 1, Check 1, Act 1, then Plan 2, Do 2, Check 2, Act 2) leading towards "The future", labelled "Continual business improvement".]

When you read ISO 9001:2000 you read it clause by clause and as you read
it you soon realize one section runs into another and is linked to many more,
which is why, as an auditor, it is impossible to audit ISO 9001:2000 section by
section, it has to be audited almost in its entirety to make any sense.

Let me give you an example - when trying to establish how a process
owner manages and monitors the performance of their process you need to test:

links to the overall business objectives;
process inputs;
process outputs;
the process itself;
links to other processes;
information/procedures required to support process activities;
current process performance;
improvement activities;
people involved in the process.

If you test those areas listed in the paragraph above then you are also going to be
testing the following clauses of ISO 9001:2000:

4.2 Documentation requirements;
4.2.1 General;
4.2.3 Control of documents;
4.2.4 Control of records;
5 Management responsibility;
5.1 Management commitment;
5.2 Customer focus;
5.3 Quality policy;
5.4.1 Quality objectives;
5.4.2 Quality management system planning;
5.5.1 Responsibility and authority;
5.5.2 Internal communication;
5.6 Management review;
6.1 Provision of resources;
6.2 Human resources;
6.3 Infrastructure;
6.4 Work environment;
7 Product realization;
8 Measurement, analysis and improvement.

Put it another way, a business does not operate as a series of unconnected
sections so therefore it must follow that you cannot audit it as a series of separate
sections. Understanding the key principles of ISO 9001:2000 allows you to be
more relaxed in your audit approach. Instead of worrying about the detailed
compliance to every single section in ISO 9001:2000 you should be looking for
the application of the principles. You are then able to assess the effectiveness of
these linkages and the effect they have on the performance of the process, ie what
they are designed to deliver.

A question of compliance?
Compliance with what? Does it comply with:

the six mandatory procedures (see the next list)?
the eight principles?
the PDCA cycle?

The meaning of the word compliance conjures up images of rigid procedures
that must be worked to by the letter. However, when you read ISO 9001:2000 it
refers to the need for documented procedures in only six places. These are for:

control of documents;
control of records;
internal audit;
control of nonconforming product;
corrective action;
preventive action.

You must assume from this that ISO 9001:2000 is effectively allowing an
organization to decide for itself what, if any, activities it provides written
procedures to support.

Going back to our question of compliance, then yes, this is obviously very
easy to check as the evidence will be in the form of documented procedures for
the six areas identified above. We can check that they are being applied, thus
complying with the requirements of ISO 9001:2000.

So what happens if the organization decides not to document any
other procedures to support its process activities, can it still comply with
ISO 9001:2000? The answer is very clearly yes, provided it can also
demonstrate compliance with the eight principles and the PDCA cycle.

What is objective evidence?


Compliance to the eight principles and the PDCA cycle is unlikely to be
demonstrated through the evidence found in documented procedures, but more
than likely from subjective evidence drawn from interviews with Management
and staff alike. We must therefore conclude that objective evidence can be in
both documented and non-documented format.

Auditors have to come to terms with the fact that although they might
like to see evidence documented, as this gives them a sense of reassurance, the
likelihood is that much evidence may well not be documented and they will
have to assess the organization accordingly.

To help you understand what is meant by these two terms, documented
and non-documented, I have listed below examples of both. The examples
of documented evidence will probably look very familiar to those used to
traditional auditing as it is all black and white, right or wrong. Conversely
the examples for non-documented evidence will no doubt make you stop and
think 'how can I assess this?' This is a question that is hopefully answered in
subsequent chapters of this book.

Examples of documented objective evidence:

signed purchase order;
up-to-date customer account file;
log of approved orders;
delivery note;
customer complaint letter and corrective action plan;
audit report.

Examples of non-documented objective evidence:

process staff members knowing how they contribute to the achievement of a
maximum 30 second customer waiting time;
process owner knowing the current performance of their process;
process staff knowing the current performance of their process;
an improvement project that contributed to increasing on-time delivery;
process performance indicators that relate to purpose of the process and/or
business objectives;
management and staff both being able to identify who the customer is and
what their requirements are;
people at all levels having the ability to contribute to business improvement.

The intent of ISO 9001:2000 is not to force an organization to simply comply
with its requirements but to do it in a manner that adds value to the business,
thus this is the approach you as an auditor need to take. Not just trying to put
a tick by all the clause headings of ISO 9001:2000, but investigating how they
work to benefit the organization.

New territory - interviewing the Managing Director!


Even at this stage in reading this book you should be beginning to realize that
both the skills and competences of a process management auditor are a level
above anything that has gone before and that those auditors who have little or
no appreciation of how a business operates and the principles of ISO 9001:2000
will find it difficult to carry out a process management audit.

One of the greatest challenges facing auditors is the need to audit at all
levels in the organization, not just operational activities as in the past. This will
mean auditing senior management and indeed the most senior manager, the
Managing Director or Chief Executive Officer, as part of the audit.

Subsequent sections of this book will cover in more detail how to prepare
for and carry out an interview with the Managing Director, but in the meantime
here are some things for you to think about.

How will you cope with this challenge?
What questions will you ask the Managing Director?
Why will they be interested in talking to you?
Can you audit them in just 15-30 minutes?

As the evidence of compliance may not be documented and will almost certainly
be more subjective, so increasingly the auditor needs to test the communication
between senior managers and staff, in an effort to discover how focused the
organization really is on the eight principles and the PDCA cycle. This will be
the real test required to determine the level of compliance with ISO 9001:2000.

Be gentle with me, I'm not mature!


There is one last factor that auditors must consider when they carry out an audit
and that is the question of system and organizational maturity.

Management system maturity questions should be asked such as:

How long has the organization been developing its process-based
management system?
What can I reasonably expect to find at this stage in its development?
What should I put in my audit report that would help the organization, by
adding value at this stage of their maturity?

As an auditor, you will not be able to answer these questions without knowledge
of the business. That knowledge can come from either working for the
organization in question or from the responses you get during the course of the
actual audit. Either way you have to make certain judgements about how you
will audit and what you will ultimately report back to the organization.

ISO 9001:2000 is unique in this way, it can take account of the maturity of
the management system and allow an auditor the ability to use their judgement
to determine not only whether the basic principles are being applied, but
also to what extent the business is using them to drive itself forward. No two
organizations are alike, and indeed, organizations will mature over time. An
audit therefore needs to take account of its maturity if it is to help it to keep
improving over time.

Figure 2.2 Diagram showing organization maturity
[Figure: levels shown against a "Maturity" axis: ISO 9001; PDCA cycle; 8 principles; ISO 9004; Business excellence model; Corporate governance/Corporate social responsibility.]

3. The system-process-procedure relationship

System, process and procedures in context


The primary role of a process management auditor is to discover to what extent
the process is being managed and what effect this has on the achievement
of business objectives. In order to do this successfully, as we have already
discovered, this may or may not involve documented procedures.

Before you can undertake any process management audit you must first
appreciate how a management system works and the interactions that go on
between the overall system, processes and procedures.

Section one of this book gave a brief overview of the management system
and processes with examples for each, and it is being able to make the connections
between these and supporting procedures that you need to focus on.

Management system
The management system defines the overall scope of the business, which is in
turn supported by any number of processes that require management, which in
turn are supported, where appropriate, by procedures, as shown in Figure 3.1.

Defined by Senior Management and owned by the head of scope, typically
the Managing Director, the management system is a visual representation of
an organization's processes needed to deliver the business performance at
the highest level and contains everything from business planning through to
developing staff.

Figure 3.1 The management system in context
[Figure: three levels. Management system: overall management system organigram owned by head of scope, typically the Managing Director (MD)/Chief Executive Officer (CEO); measures overall business performance. Process: the 'what we do' level; owned by Process Owner; measures overall process performance. Procedures: the 'how we do it' level; supports process activity.]

Typically eight to fifteen high level processes are identified and they in turn link
or are delivered through any number of operational processes containing the
detail of what activities are performed.

Process management
Related directly to the management system are the processes themselves, which
exist to convert input requirements into customer output requirements through
a series of value adding activities. In other words they provide the mechanism
that allows the organization to achieve its objectives, with a focus on how the
different departments within the organization work together towards this aim.

Just having processes does not ensure that the business will achieve its
objectives. They need effective management and it is this process management
that you need to focus on when auditing. To be able to do this effectively you
first need to understand how processes should be managed in a manner that
supports the business in the achievement of its stated objectives.

Too many auditors audit processes in isolation, failing to make the vital
connections between business objectives and process outputs and measures.
Failure to make these connections will result in an incomplete, inadequate and
non value adding audit. It's rather like checking a route map without knowing
where you are trying to get to - all a bit pointless.

You need to be thinking about asking the process owner the following
questions.

- What is the purpose of this process?
- How does it contribute to the organization achieving its business objectives?
- Are there process performance measures?
- Do the measures relate to the objectives/are we measuring the right things?
- Is the performance known and are effective improvement actions in place?

There are many more questions related to assessing process management but
hopefully you can begin to appreciate that to be a successful auditor requires
considerable skill and competence. These skills and competences need to be in
different areas than have been required in the past in order to make the required
connections and identify issues worthy of reporting.

Procedures
This is often a very difficult concept for many people to come to terms with.
ISO 9001:2000 allows organizations the freedom to decide for themselves to
what extent they have documented procedures, whereas the 1994 version of the
standard required virtually all operational activities to be documented. There
is a certain reassurance one gets from having things documented and there is
no doubt that having documented procedures does make compliance auditing
possible. In themselves, however, procedures do not help us to carry out an
effective process management audit.

So when you are auditing the activities within a process itself you should
be thinking about asking the following questions.

- What risks to the process are there by not having procedures documented?
- If the risks are high, has the organization considered them and chosen an
  alternative way to reduce them, such as training?
- If there are procedures, are they adequate for the risks they are controlling?
- Do the procedures add value or just increase bureaucracy?

The process owner should have considered what, if any, procedures are required
to support process activities. Your role is to help the process owner by confirming
they have got it right or identifying any potential risks they may have overlooked.
You will be working in partnership with them to improve both the potential and
actual performance of the process.

Auditing the system, process and procedures


The focus of this book is process management auditing but in order to set this
in context you need to recognize that processes do not operate in isolation.
Hopefully this section of the book has gone some way towards clarifying this for you.
Figure 3.2 summarizes types of audits depending upon the level you are looking
at in the organization and as an auditor you need to remain conscious of these
connections throughout your audit.

Figure 3.2 Summary of auditing levels
[Figure: three auditing levels: system level; process level; procedures
level (compliance).]



4. Auditing tools and techniques

Show me what you do!


So far we have looked at some of the fundamentals that make up a management
system and the basic understanding that an auditor needs to have in order
to carry out a process management audit. We now turn our attention to the
detail of how you should actually conduct an audit starting with the tools and
techniques that you should adopt.

For years, auditor training has had a constant theme to it with one
message in particular being driven home time and again: Show me the evidence!
Above all else auditors have been trained to assess what an organization does
against what it said it does, basing any decision as to how well they did it on the
documented evidence they have been shown.

This technique of auditing is only relevant for assessing process
management, when compliance auditing to a specific regulatory standard is
required, such as those used in the medical or pharmaceutical industries, or
against a standard such as ISO 9001:2000. This style of auditing may then
be relevant to check that specific detailed requirements are being met and
effectively applied.

For the remainder of this book, the focus will be on auditing the
effectiveness of process management, also required by ISO 9001:2000. This
requires different tools and techniques to those required for both system and
compliance auditing, and we need to recognize these differences.

Auditor tools
There are basically two tools that should be used in both preparing for and
carrying out a process management audit (see Figure 4.1, Figure 4.2 and Table
4.1). Neither of them is complicated and in fact they are just plain common
sense. Both, however, require the auditor to understand how a business works
through its processes in order to use them effectively. This is one of the key
competences of a successful process management auditor.

Once you understand them, they are so powerful that you can apply them
to any process within any business, regardless of industry sector.

Figure 4.1 Auditor tool 1
[Figure: a cycle of six boxes: Purpose of the process; Process objectives
and targets; The process itself; Key performance process measures; Monitor
performance; Improve.]

In process management auditing you are testing every one of the boxes in each
process you audit, at every level within each process, i.e. you go round this
cycle with everyone you interview. The questions you use to test each one of
the boxes will be phrased slightly differently and will be in a manner suitable
to the person being interviewed, but nonetheless they will follow the same
cycle. This aspect is critical for successful auditing. It is no good asking a
member of staff a question that they do not understand, or using management
style or standard language that they cannot relate to what they do. For
example, asking someone what resources they use may not be understood, whereas
asking what equipment they use might be. There is no right or wrong, but the
language you use is important and needs to be based on the needs of the
auditee, not the auditor. It needs to be in the language used by the people
within the organization itself.

Table 4.1 Definitions of the elements of auditor tool 1

| Element | Definition |
|---|---|
| Purpose of the process | Why the process exists: supplier inputs and customer outputs |
| Process objectives and targets | Specifically the objectives and targets for this process that must relate to the overall business objectives and targets |
| The process itself | The activities involved in the process |
| Key performance process measures | Measures directly related to the process itself and overall business objectives, in the way customers measure the process |
| Monitoring performance | Systematic, regular monitoring of the measures in order to assess process performance |
| Improvement | Activities that are designed to close the gap between current performance and the target performance level required |

Consequently the evidence provided by people being interviewed will also be
appropriate for the level within the process and will almost certainly be mainly
non-documented and subjective.

Auditor tool 2 follows a similar theme but extends to include those things
that support the process in terms of:

- the competence of those working within the process to effectively carry out
  their tasks;
- the resources needed for process activities to be performed adequately;
- the knowledge and information needed to effectively carry out activities
  within the process;
- the budget for the process that takes account of the likely future demands on
  the process.

These influences or constraints shown are only examples and in reality
there may well be others. What you are looking for is anything that affects
performance of the process, and it can come from any management discipline.
Process management auditors therefore need a basic foundation in a range of
business activities and disciplines. For example, how can an auditor assess or
make judgements on someone's competence if they have no understanding of
human resource management principles?

Figure 4.2 Auditor tool 2
[Figure: a process shown as a chain of activities running from Inputs to
Outputs. Labels shown around it: Competence, Knowledge, Risk, Resources,
Budget, Procedures, Measure, Monitor, Improve.]

Auditing techniques

Questioning
Let's take each box of auditor tool 1 in turn and try to work out the most
appropriate question to ask. As we go through each box we will, in
addition, include all the elements from auditor tool 2.

The end result will be an audit checklist you will be able to use to prepare
for and to audit most processes. You may well be able to come up with other
areas and issues to raise; whatever they are, they need to test the
effectiveness of the process. As you go through the steps in the cycle you may
well be able to identify areas where you need to dig a bit deeper, asking more
questions and testing any compliance issues that may become apparent.
Inexperienced process management auditors tend to stay in the detail of
compliance once they are in it. The art is to keep the cycle in mind as you
carry out the audit and dip into the detail as required, coming out of it to
move on to other parts of the cycle in order to build the links. It is not easy
at first to make this change, but once you've done it a few times it will
become much more second nature.

Table 4.2 Auditor questions

| Part of auditor tool one | Question |
|---|---|
| Purpose of the process | How does the process support the business strategy and objectives? |
| | What are the process supplier inputs and customer outputs? |
| | How do you determine what the customer requirements are; is this the ultimate customer? |
| | Where do you get your work from? |
| Process objectives and targets | How do you determine your objectives and targets? |
| | What are your objectives and targets? |
| | How do they link to and support the overall business objectives? |
| | How do you plan for future customer demands and the likely resources required to support them? |
| The process itself | Can you describe the process? |
| | How do any procedures support the process? |
| | Who is your customer? |
| | How do you know what your customer requirements are? |
| | How does this process interact with other processes in the management system? |
| | Who do you consider as your supplier? |
| | How does your supplier support you? |
| | How do you determine the competencies required for those responsible for process activities? |
| Key performance process measures | How do you decide what key performance indicators to use? |
| | How are the process measures linked to business objectives and measures? |
| | How does your customer measure the performance of the process? |
| Performance monitoring | How do you know what the current performance of the process is? |
| | How often is process performance measured? |
| | How is performance data communicated to the process team? |
| Improvement | How do you identify improvement issues? |
| | How do process team members contribute to improving process performance? |
| | How do you evaluate the success of improvement activities? |
| | How have improvement actions affected process performance? |
| | How are improvement actions communicated to the process team? |

Questioning techniques
The questions detailed above need to be thought about and tailored to suit the
individual being interviewed and the level at which they support the process.
For instance, asking an operator carrying out a process activity if they know
what the organization's business objectives are would often be pointless in many
organizations as the operator would more than likely think you were talking a
foreign language! But beware that this is not always the case and, importantly,
use your own knowledge of your own organization to get the language right.

As an auditor you have to consider what is the most appropriate question
to ask and in this case it might be asking the operator who they consider is their
customer and how they know they are meeting their customer's requirements.

Figure 4.3 Appropriate questioning techniques
[Figure: "Auditors have to manage this dynamic". Levels shown: Directors,
Managers, Staff. Question styles shown: "How do you?", "Explain to me how?",
"Who do you?", "Show me how", "Tell me how".]

Auditors that understand this dynamic and use it effectively in conjunction with
both of the auditor tools will gather the greatest amount of information relevant
to how effectively the business is managing its processes. The more information
an auditor has on the company's performance, the more valuable the audit report
they can generate from it becomes.

Objective evidence
If we have established that the questions and questioning techniques you use
as an auditor vary according to the person being interviewed and the level they
are working at within the process, then it must also follow that the objective
evidence you obtain will also vary accordingly.

In section 2 we looked at examples of documented and non-documented
objective evidence, so let us now consider what types of objective evidence
we might find at different levels in the business, depending upon who we are
auditing and what questions we are asking.

Taking some of the questions from Table 4.2, Table 4.3 outlines the
likely objective evidence you might expect to find.

Table 4.3 Objective evidence

| Question | Evidence from process owner | Evidence from process staff |
|---|---|---|
| How does the process support the business strategy and objectives? | Clear understanding of objectives | Understands what the process is there to do |
| What are the process supplier inputs and customer outputs? | Tells you what they are | Tells you what they are |
| How do you determine what the customer requirements are; is this the ultimate customer? | Able to link to customer outside their process and describe requirements | Able to link to next step in process and describe requirements |
| How do you determine your objectives and targets? | Link to overall company objectives and targets | Understands their role in the process |
| What are your objectives and targets? | Tells/shows you | Understands process performance |
| How do they link to and support the overall business objectives? | Clear understanding of overall company objectives and targets and can demonstrate linkage | Understands company's aims |
| How do you plan for future customer demands and the likely resources required to support them? | Tells/shows you plan, gives example of having done it previously | In touch with process customers and makes suggestions to process owner |
| Can you describe the process? | Tells/shows you | Tells/shows you |
| How do any procedures support the process? | Tells/shows you links to process activity | Tells/shows you when used and how |
| How does this process interact with other processes in the management system? | Tells you what the links are and how the communication between them works | Understands there are links to other processes and knows how they work |
| How do you determine the competencies required for those responsible for process activities? | Understands roles and competencies in context of process activities, linked to objectives | Knows own competency and has been appraised/reviewed in last year |
| How do you decide what key performance indicators to use? | Tells/shows you the indicators and which link to objectives | Tells/shows you process measures being used |
| How does your customer measure the performance of the process? | Demonstrates customer communication by linkage of their needs to process measures | Understands process performance in relation to the customer |
| How do you know what the current performance of the process is? | Shows you performance information | Tells/shows you performance information |
| How often is process performance measured? | Tells you | Tells you |
| How is performance data communicated to the process team? | Tells/shows you | Tells you/shows you |
| How do you identify improvement issues? | Able to link performance data to improvement action | Talks through methods/ideas and links to process owner |
| How do process team members contribute to improving process performance? | Tells you and can give examples from team | Knows how and who to suggest improvements to |
| How do you evaluate the success of improvement activities? | Link back to performance data to demonstrate effectiveness | Communication from process owner |

You will notice that the responses you are likely to get in terms of evidence are
likely to be verbal rather than documented, which means you have to determine
fact from fiction just by listening to what people are saying.

But how can you do this? Let's take just one of the questions and use it as
an example.

Question: How do you know what the current performance of the process is?

The process owner's response is to tell you that they have two process
measures: products delivered on time as a percentage, and number of product
stock turns in a year. The targets are 99 per cent on time delivery and 12
stock turns per year respectively.

They also tell you that since the measures were introduced six months ago
they have achieved an average of 97.5 per cent deliveries on time and are on
schedule for six stock turns for the first half of the year.

You just listen to what they say and make a note of the information on your
checklist.

The process staff member's response is to tell you that the process owner
meets with all the process staff once a month in the canteen where they talk
through various items of interest including performance statistics. They tell
you that a lot of what the process owner says is not of much interest to them
apart from the delivery and stock turn measures as this has a direct bearing
on the amount of bonus they receive each quarter.

They tell you that delivery performance of only 97.5 per cent has meant a
reduced bonus for the last two quarters, but the achievement of six stock
turns so far this year has at least given them a bonus payment albeit small.

You listen and compare their responses to those of the process owner, making
any notes on your checklist. You then ask yourself: "Have I enough evidence to
demonstrate that the question has been answered adequately and am I satisfied
that the performance of the process is known at all levels in the process and
by the people who need to know?" What is your conclusion based on the two
responses above?

I hope you concluded that yes, the performance of the process was known
at all levels in the process and by the people who needed to know. All this
despite the fact you did not see a single piece of paper!

Congratulations! You have just audited subclauses 5.1, 5.2, 5.4.1, 5.5.3,
7.1, 8.1, 8.2.3, 8.4 of ISO 9001:2000.

Methods of auditing
Quite rightly most methods of auditing involve face-to-face interviews/
discussions with people in order to gain information and an understanding of
how effectively something is being done. However, this is not always practical to
do because of geographical locations, the high number of people needed to be
seen or constraints on cost or time.

Auditors should be flexible in their approach and be prepared to consider
alternative methods of auditing which do not rely on just face-to-face interviews.
These could include:

- groups: a number of process staff, suppliers, customers or stakeholders can
  be interviewed within a group environment to save the time and expense of
  travelling to them individually;
- questionnaire: could be used to assess a variety of issues, and can be done
  confidentially to improve the honesty of the responses;
- email: again, any number of process staff, suppliers, customers or
  stakeholders can be interviewed remotely, as a group, to save the time and
  expense of travelling to them individually;
- telephone: this can usually be a very quick and simple way to confirm
  information;
- video conference: planned well in advance, this method can be a really
  effective way of interviewing people working miles apart or even in different
  countries.

Organizations that have multiple sites spread over a large geographic area,
including different countries, and those with large numbers of home or field
based employees are probably best suited to alternative methods of auditing
other than face-to-face.

5. Planning and preparing a process audit

Familiarity breeds contempt!


Somebody once told me that auditing is 80 per cent preparation and 20 per cent
actual auditing, which sounds like a bit of an old wives' tale until you actually
carry out an audit and then you realize just how true it is!

Preparation starts right back with a basic understanding of the principles
of ISO 9001:2000 and the PDCA cycle and goes right through to familiarizing
yourself with the organization's management system, specific processes and
their outputs.

Having been witness to numerous audits by both certification organizations
and internal auditors over many years, I have rarely seen an auditor who has
prepared adequately for an audit. Whether it is failing to arrange meetings in
advance, losing sight of the audit objectives or not understanding the links of
effective process management, auditors are normally simply not spending enough
time preparing for their audits.

People who regularly carry out audits do become blasé as they become
increasingly relaxed about the style they have adopted and their knowledge
of ISO 9001:2000. In doing so they show a certain contempt by rarely using
checklists or feeling the need to effectively plan ahead.

Even though I have carried out hundreds of audits over many years I still
prepare and use an audit plan and checklist every time I am asked to conduct an
audit, and so should you.

It's all in the planning

An audit plan needs to consist of more than the audit date, start and finish
times and the department name being audited, to be promptly put in a file and
forgotten about. A good plan will be developed well in advance of the audit, by
the auditor, and certainly not in isolation. They will confer with the appropriate
members of the organization to ensure they agree to the timings.

A good audit plan is likely to cover the following:

- objective of the audit;
- what standard(s) are being used as the audit criteria, e.g. ISO 9001;
- date the audit is to be carried out;
- who the auditor(s) will be;
- any special requirements the auditor may have, e.g. working lunch, desk,
  power supply for laptop computer;
- what processes/activities are going to be audited;
- what methods of auditing are to be used;
- the names of individuals to be seen during the audit with specific meeting
  times;
- date by when the report will be issued and who it will be distributed to.

Please refer to Table 5.1 for an example of an audit plan.

By far and away the most important parts of any audit plan are the
details concerning the people who will be seen and the specific meeting times
that have been agreed. Auditors cannot expect to turn up and have people sat
around all day or over many days, waiting for the auditor to audit them. As
an auditor you should assume that no one is going to see you unless you have
prearranged the meeting. Apart from anything else, it is just bad manners, and it
will lead to a poor relationship with the auditees, so it is critical if the audit is to
be successful.

I have lost count of the times auditors turn up at an organization and
commence the audit expecting people to automatically be available. They then
wonder what they are going to do for the remainder of the day when they
discover all the people they need to speak to are either on a course, on holiday
or have other meetings! It's all in the planning.

In preparing your audit plan you will need to take into consideration the
overall time available to you to carry out the audit and then work backwards
ensuring that you allocate the most appropriate amount of time to each of the
people you need to interview.

Table 5.1 Example of an audit plan

PROCESS AUDIT PLAN

| Item | Details |
|---|---|
| Objective of the audit | To assess the maturity of the process in order to identify any gaps in current performance against the audit criteria detailed below |
| Date(s) audit to be carried out | 27th and 28th June 2004 |
| Criteria/standard to be used | ISO 9001:2000 and the organisation's stated business objectives |
| Process(es) to be audited | Managing our capital assets; Purchasing plant and equipment |
| Auditor(s) | Carl Ford |
| Date audit report to be issued | 7th July 2004 to the Finance Director and Managing Director |

Any special requirements:

Meeting room for the two days with power, telephone and video conference facilities.
No need to organise lunch, the staff canteen will be fine.

People to be seen, when and how:

27th June 2004

| Time | Who | How | Where |
|---|---|---|---|
| 9.00 am | Finance Director (process owner) | Face-to-face | London |
| 10.00 am | Finance Assistants × 4 | Face-to-face as a group | London |
| 11.00 am | Finance Assistant | Video conference | Paris |
| 12.00 noon | Finance Assistant | Video conference | Frankfurt |
| 1.00 pm | Lunch | | Canteen |
| 2.00 pm | Finance Assistant | Video conference | New York |
| 3.00 pm | Financial Controller | Telephone | Nairobi |
| 4.00 pm | Managing Director | Face-to-face | London |
| 4.30 pm | Consolidate information | | Meeting room, London |

28th June 2004

| Time | Who | How | Where |
|---|---|---|---|
| 9.00 am | Production Director | Face-to-face | London |
| 10.30 am | Production staff members × 8 | Face-to-face as a group | London |
| 12.00 noon | Production Manager | Video conference | Paris |
| 1.00 pm | Lunch | | Canteen |
| 2.00 pm | Production Manager | Telephone | Nairobi |
| 3.00 pm | Finance Director | Face-to-face | London |
| 4.00 pm | Gather information and close audit | | |

One of the major issues facing you is the time available, as this impacts on your
ability to test the responses you get with the greatest range of people possible,
thus assuring yourself that the evidence you are finding is a true reflection of
what is happening. This is not something new and auditing has never pretended
to be anything else other than a sample, but you must be satisfied that the
sample size is large enough.

Whatever you decide you should always start and end with the process
owner. Start off with them:

- to gather information that you can go on and test throughout the process;
- to understand if they have any particular areas they themselves may want
  you to assess or review and provide feedback on.

Finally, conclude the audit with them so that you can confirm your findings and
provide overall feedback on what you found.

Preparing your audit checklist


As an auditor you should never underestimate the usefulness of an audit checklist
and just how important it will be to you. The purpose of the checklist is to:

- ensure you cover all the questions/areas required to meet the audit objectives;
- act as a focal point for the audit, as it is easy to become distracted as you
  follow the audit trail;
- allow you to record notes against specific questions as you go, so you can
  easily reference them when talking to different people;
- ensure you can easily compile the audit report from the notes you have made
  without relying on just your memory.

But how do you decide what you should include in your checklist? Well, how
detailed you make your checklist is a very personal thing and is likely to depend
upon several factors, not least how experienced you are and your ability to read
it during the audit itself.

Before you can begin to prepare your audit checklist you first have to
design it or, should you find it useful, copy my example, shown in Table 5.2.
Your design will no doubt evolve over time to reflect your own personal style
and needs.

Having decided on what your checklist will look like you now have
to populate it with all the questions you are going to need to ask in order to
complete your audit. These are the questions that will test:

- the eight principles of ISO 9001:2000;
- the effective implementation of the Plan-Do-Check-Act methodology;
- auditor tool 1;
- auditor tool 2;
- actual process activities.

This means all of the things we covered when looking at the auditor tools and
objective evidence in the previous section.

In addition, your checklist should include questions or areas to look at
that are specific to the process or processes you are auditing. In order for you
to do this you will have to undertake some research and make requests for
information from relevant people. This is a relatively straightforward task if the
audit is going to be carried out internally as you will know the organization and
will be able to acquire the appropriate information. However, this can prove to
be more of a challenge when you have no prior knowledge of the company.

Typically your research should focus on trying to obtain information on:

- what the organization does and who its customers are;
- its mission, vision, policies and business objectives;
- organization structure and process ownership;
- the management system structure and links between processes;
- copies of process maps;
- company and process performance data.

You should allow yourself plenty of time in advance of the audit to gather the
information and compile your checklist. Remember the audit starts from the
moment you start compiling information and preparing your checklist, not from
the moment you ask your first question of the process owner. It is much too late
by then to get it right if you have not planned thoroughly.

If you are not able to carry out the background research or obtain the
information you would like in order to prepare thoroughly for the audit, then
you must allow yourself more time to carry out the audit itself and to collect this
as you proceed. This is certainly not the most efficient way to carry out an audit,
but sometimes you will have no choice. Without this information your audit
will be flawed, so you must obtain it early on if you are to be effective.

As I said right at the outset of this section, preparation is 80 per cent of
the audit and you have to ensure you have prepared adequately to avoid being
led by people rather than you leading the audit. Remember that you are there to
control the audit, not them.

Table 5.2 Example audit checklist

PROCESS MANAGEMENT AUDIT CHECKLIST

Subject: Auditor: Date: Audit No.:

Checklist

Ref. No. Item Comments Report Ref.



To summarize the preparation required:

- make sure you fully understand the eight principles and the PDCA cycle;
- be clear on the objective of the audit;
- plan the audit carefully making sure you allocate the appropriate time to
  each element and sample enough people;
- book meetings with people well in advance, don't expect them to just be
  waiting for you!
- understand the management system and process connections;
- know the business objectives and customer requirements and make the
  connections to process outputs;
- always use a checklist!

6. Carrying out a process audit: compliance vs. effectiveness

Bringing it together
Hopefully by the time you are about to start the audit you have fully prepared
and have a clear understanding of how you will satisfy yourself that the process is
being managed effectively. Here is a brief reminder of what you are about to do:

- test for the eight ISO 9001:2000 principles;
- test that the PDCA (Plan-Do-Check-Act) cycle is embedded;
- focus on outcomes in order to test for effectiveness;
- use auditor tools one and two to help you make the links to customers and
  suppliers and from system to process to people;
- ask the most appropriate questions based on the level within the
  organization of the person you are auditing;
- test whether process activities are effective;
- test compliance to procedures, standards and regulations, as appropriate;
- use your checklist to remain focused and to record information.

If you are not put off by this then let's get on with the audit, starting with the
Managing Director, who will put the process and system in context.

Interviewing the Managing Director


You turn up at the Managing Director's office door at the agreed time, probably a
bit nervous: are they in a good mood? Is the exchange rate favourable? Did they
win at golf yesterday?!

They call you in and immediately inform you that they have to leave for
another meeting in 30 minutes so you will have to be quick. Your mind goes
blank, your mouth goes dry, your heart beats a little faster and you begin to
wonder what you are doing here. You glance down and, to your relief, see the
checklist you so carefully prepared. Referring to the first question you inquire
'How is business?' You have started the audit.

Does this sound familiar? Feeling intimidated by someone like the
Managing Director is nothing new, but when you have to audit that same person
in an effort to extract information from them, it can be even more daunting
(particularly so if they have never been great supporters of ISO 9001:2000).

This interview is critical. Why? Because if you do not succeed in
gathering information to help you gain a clear understanding of the business
objectives, measures, current performance, etc., you will not be able to test the
subsequent effectiveness of process management and the connections to the
overall business needs.

As a general rule you will only have a limited amount of time with these
people, so you have to make the little time you do get as productive as possible.
Being completely clear about the objectives of the interview and the outcomes
you require is essential and will prevent you becoming sidetracked and coming
away wishing you had asked a particular question. Remember again that it is your
meeting and you are in control of it. You will gain real respect if you do but if
you don't ...

A good approach is to start with a general question like 'How is business?'
With any luck the Managing Director will discuss the current state of the
market, customers' needs and how the organization is working hard to develop
sales and improve margins. Within this discussion you should begin to draw out
what the business objectives are and how they plan to move the organization
forward to achieve them. This information is key and you need to be making
detailed notes of it on your checklist as you go, so that you can refer to them
later on as a memory jogger and to help with subsequent meetings.

Be conscious of time, stay focused on the objectives of the interview and
the questions you need to ask and you can usually get through it within 30
minutes. I tend to find that most Managing Directors, once they get talking,
forget about their next meeting and end up chatting for up to an hour, usually
because they never realized the audit was actually going to be about the business
itself, rather than ISO 9001:2000! Once they start doing this, then you know
that you are part of the way to having a convert. The rest of the journey will be
made once they see the business value of your report and findings.

Before you conclude the meeting have a quick look at your checklist to
ensure you have everything you need for the next part of the audit and then ask,
'Is there anything you would like from my audit, are there any areas you would
like me to look at in addition?' Note any response you get and then thank them
for their time and leave.

I'll make a note of that!

It is all too easy to get carried away listening to people and forget to make
a note of what they said or showed you, but it is such an important part of
auditing that it is worthy of a further separate mention to remind you to do it.

This is particularly important if the audit is to be spread over any length
of time, when it would be difficult to keep track of all the responses and even
harder to recall them at the right time. This is especially so if you are trying to
test the effectiveness of communication and need to know exactly what other
people have said.

Interviewing the process owner


Process owners can be just as formidable as the Managing Director so be
prepared by following the same rules and opening the dialogue by asking them
'How is business?'

Check and confirm with the process owner that the audit plan is still
alright and that the people you wish to speak to will be available.

As with the Managing Director be quite clear about the objective of the
interview. Your final report must be able to conclude how effectively the process
was being managed, so make sure you keep focused on this and do not become
distracted by other issues the process owner may wish to talk about.

Refer to your checklist constantly. Provided you prepared it thoroughly
it should include the questions you need to test the eight principles, PDCA and
auditor's tools 1 and 2.

What you are testing is effectiveness, which includes the following.

The link between what the Managing Director said and what you are now being told by the process owner - are they saying the same things?
Has the Managing Director communicated the business objectives adequately?
Has the process owner interpreted them correctly?
Has the process owner related them to their process?
Has the process owner communicated the objectives down to the process team?
Has the process owner established process performance measures?
Do the measures relate to the objectives?
Does the process owner know the current performance of the process against the objectives and targets?
Has the process owner communicated the performance results to the process team?
What actions are the process owner and process team taking when there is a gap in the performance against the stated objective or target?
How do process team members contribute to improvement activities?
How does the process owner know improvement action is effective?

Refer to Table 4.2 for more questions and Table 4.3 for the likely objective
evidence you could find and can therefore make a note of on your checklist.

Just as with the interview with the Managing Director, you should treat
the interview with the process owner as an information gathering exercise, so
ensure you record as much of the information you are given as possible. You will
need it to complete the main part of the audit.

Again, before you conclude the meeting have a quick look at your checklist
to ensure you have everything you need for the next part of the audit and then
ask, 'Is there anything you would like from my audit, are there any areas you
would like me to look at in addition?' Note any response you get and then thank
them for their time and leave.

Interviewing process staff


Having interviewed the process owner you are now in a position to move onto
the main part of the audit and begin to audit process staff, together with looking
at the various connections with other processes within the organization. Sticking
to your audit plan begin to audit the process staff.

Whereas the objectives of the interviews with the Managing Director and
process owner were primarily information gathering, the audits of process staff
are now about testing this information in order to determine how effectively the
process is being managed.

What you are testing is effectiveness, which includes checking process
staff understanding of such issues as the following.

Are the objectives/outputs of the process understood and are they linked to what the process owner said?
Is the process measured and are the measures the same as what the process owner said?
Do process staff know what the current performance of the process is?
How is information communicated to people working within the process and is this as described by the process owner?
Do process staff know how they can contribute to improving process performance?

Refer to Table 4.2 for more questions and Table 4.3 for the likely objective
evidence you will find and can make a note of on your checklist.

In addition, you are also testing:

how effectively the connections to other processes are operating;
that process activities are being implemented effectively;
that any procedures, standards or regulatory requirements are being worked to;
how competent people are/feel they are to perform their assigned tasks.

Remember the audit dynamic


As an auditor you have a duty to remain conscious of using the right questions
at the right level in the process. To achieve this remember the questioning
techniques diagram in Figure 4.3. So although I have suggested the items you
should be testing during the audit, it is still very much up to you, the auditor, to
phrase these in a manner that will ensure they are understood by your auditees
and that will provide you with adequate evidence as an answer to your question.

Give me a break!
There are a lot of pressures on auditors and you should never be afraid to take
a break during the audit in order to give yourself an opportunity to collect your
thoughts, put the information you have gathered into context and to generally
satisfy yourself that you are progressing as planned.

As you review any information, notes and outstanding questions it will
help to focus your mind on the audit objective. If, for whatever reason, you
find yourself not being able to confirm what is actually happening within the
organization, and up to this point in the audit you are not in a position to report
how effectively the process is being managed, then the break is essential. It
affords you the opportunity to determine the specific further questions you need
to ask in order to complete the audit and compile your report adequately. Should
you find that you do not have sufficient evidence to make a judgement as you
proceed, never be afraid to add items to your checklist.

They think it's all over


If you have stuck to the audit plan and not become too distracted the audit
should finish on time, with everybody on your list having been audited and
with you having a clear understanding of how effective the organization is at
process management.

Now is the time to begin to sift your way through all the information you
have and to collect your thoughts ready to compile your report and report back
to the process owner and/or Managing Director.

You should discuss your findings with the process owner and/or Managing
Director prior to generating your final audit report and indeed there may well be
some items that require clarification. Please refer to the next section of this book
where this will be explored in more detail.

7. Identifying and reporting findings - moving beyond compliance

Report objectives
What are the objectives of your audit report? A straightforward enough question,
but how many auditors actually ask themselves this before they write and
present their report? A lot of the audit reports I read clearly demonstrate that the
auditor did not ask themselves this question and if they did they drew the wrong
conclusion from it. The most common misinterpretation of this question comes
from ISO 9001:2000 auditors, be they internal or third party auditors.

ISO 9001:2000 auditors typically consider the objective of their reports
to be to record all the areas where the organization did not comply with
ISO 9001:2000. This is why reports written from this objective
add virtually no value to the organization.

The real objective surely has to be to record all the areas where the
organization did not comply with ISO 9001:2000 that affect business performance.
In other words the report findings will add value to the organization by
highlighting issues that, if addressed, will improve the performance of the business.

Your report should contain information that:

recognizes good practice;
identifies instances of non-compliance in the context of business performance;
recognizes the maturity of the management system;
encourages the organization to improve its performance.

I appreciate that auditors and, in particular, third party auditors, have a
difficult job in striking the right balance between reporting compliance with
ISO 9001:2000 whilst trying to encourage improvement based on the maturity
of the organization's management system. However, that said, this does not
stop auditors trying to achieve this balance in order to add value to the
organization. After all, they are a supplier to the organization that is in turn
the auditor's customer. What they want from your audit report must surely be
considered important?

When is a non-compliance a business opportunity?


The word 'non-compliance' has a very negative feeling about it, for example
something is wrong, someone is to blame, there has been a failure, the system has
broken down. If you report your audit findings in a series of non-compliances
then your report will also have a very negative feeling about it.

Let me suggest something revolutionary: do not use the word 'non-compliance'
in any audit report you write; think of a positive alternative instead.
Just think for a moment about how you could change the language you currently
use in this way. What effect would this have on your auditees?

What to report
The ultimate design of your audit report may be constrained by the need
to adopt a standard template or format used by your organization, which is
almost certain to apply to third party auditors. If you have no such constraints
then you are free to choose a format that allows you to report your findings in
the most appropriate way, which could be anything from an A4 template to a
software-based computer presentation. The choice is yours. Table 7.1 provides
an example of an internal audit report template that I have used and you are
welcome to copy and modify in order to come up with a version you feel
comfortable using.

We have talked of the need to make your audit report as positive as
possible to encourage the organization to address the issues raised with the
ultimate aim of improving their business performance. But how can you achieve
this? The best way to demonstrate what I mean is to show you some extracts of
actual audit reports, clearly showing both positive and negative reporting styles.
You can then see for yourself what I mean.

Table 7.1 Example of internal audit report template

PROCESS MANAGEMENT AUDIT REPORT

Audit objective: Auditor: Date(s) of audit:

Criteria for audit: Process(es) audited:

Audit summary

Audit findings

Ref. No.

What not to say


The following are examples of what not to say in an internal audit report.

a) There was no evidence that the organization was monitoring customer
satisfaction as required by ISO 9001:2000, subclause 8.2.1.
b) There was no evidence of a documented procedure for the control of records as
required by ISO 9001:2000, subclause 4.2.4.
c) There was no evidence that the organization had reviewed its infrastructure as
required by ISO 9001:2000, subclause 6.3.

What to say
The following are examples of what to say in an internal audit report.

a) The organization does not currently monitor customer satisfaction. Monitoring
the perception customers have will enable the organization to better understand
how it can meet both their current needs and future expectations, allowing the
organization to benefit from a more proactive approach to customer care.
b) The organization does not currently have a documented procedure for the control
of the records it produces. The documenting of a procedure for the control of
the organization's key records will ensure that the responsibilities for record
retention are known and that these important records are protected from damage
or deterioration and only retained for the maximum specified period, allowing
archive storage space to be kept to a minimum.
c) The infrastructure of the organization appeared to be adequate for the services
being provided; however, there was no process by which the infrastructure is
reviewed on an ongoing basis, which could affect the organization's ability to
meet future customer demands. Therefore the organization would benefit from
linking together the review of market/customer needs and the infrastructure
required to deliver them.
d) The organization is to be congratulated on the decision it has made to introduce
new computer terminals and office furniture in the call centre. The staff spoken
to all commented on what a significant difference this has made to both their
comfort and ability to read the new screens. This has undoubtedly contributed
to the reduction in staff sickness time and number of customer complaints due to
keying errors.

What turns you on?


Which version of the report findings did you prefer reading? Which version do
you think the Managing Director would prefer to read and would encourage
them to do something? Precisely, the second version, and this is the style you
should be adopting in the writing of your audit reports. The report is all about
the business and nothing about subclauses in ISO 9001:2000 because Managing
Directors are not interested in the detail of what the standard says.

As any good politician would tell you it is all in the spin. I am not
suggesting we all need to become politicians, but, as auditors, we could all learn
a trick or two from them and spin our reports positively. After all, we are trying
to influence our customer to make the improvements we have identified.

Are you hiding behind ISO 9001:2000?


As an auditor you should ask yourself the question 'Am I hiding behind
ISO 9001:2000 with my comments in the audit report?' I tend to find that
the more experience an auditor has of how businesses operate the greater the
chance their audit report will add value. Conversely auditors who have a limited
knowledge of how businesses operate tend to hide behind ISO 9001:2000 as this
is all they know and feel comfortable with.

There is no substitute for an in-depth knowledge of the workings of all
business processes, not just the theory but the actual experience of how they
work. This includes the processes such as business planning, asset management
and managing marketing - whatever title you may give them within your
organization. Auditors who fail to get to grips with truly understanding these
processes will spend their auditing life hiding behind ISO 9001:2000 rather
than translating it into business improvement language. They will fail to provide
added value to the organization.

The 'So What!' test

The final check every auditor should perform on their audit report before they
present it is the 'So What!' test. Here is an example:

the quality policy had not been signed by the Managing Director

SO WHAT!

If an audit report is to add value to the organization it has to contain information
that could help the organization improve its performance and ultimately make
money (or at least not overspend). Meeting financial targets is a prerequisite for
the majority of organizations and often the key purpose of their existence.

Improvement action
The audit report should only contain the findings of the audit and not
suggestions for the improvement action to be taken. This way the auditor can
remain independent and the organization does not feel obliged to adopt any
of the auditor's suggestions for improvement, even if it does not agree with
them. By doing this, the auditor is also passing the responsibility for taking
improvement action back to the process owner.

Improvement action should be left with the appropriate people within
the organization itself to determine. What action is taken, by whom and within
what timescales are all decisions that the organization should make for itself,
based on what is appropriate for the business, how it will benefit and the other
current priorities it has.

8. Assessing improvements

Putting the improvement in context


As we have seen from carrying out the audit of process management the
auditor's role is not to identify how improvements should take place or what the
organization should do. It is to provide information to Management on areas
of risk or where opportunities for improvement exist with an explanation that
outlines the potential impact on the organization if these are addressed.

Therefore what the organization does if it decides to address these
issues is up to the Management, balancing the other organizational needs and
requirements with the audit findings. Don't forget that carrying out audits is
only one source of information Management is receiving upon which decisions
can be based. They will also be receiving information on customer satisfaction
and business results, etc., which could mean that they may well ignore the audit
findings and concentrate improvement activity in other areas where the greatest
business benefit can be achieved. This being the case auditors should not be
disheartened if, after carrying out an audit recommending areas for improvement,
Management do not appear to act on the information.

The real test is to determine whether the system is improving, but
that is all about auditing the management of a system, a subject that is little
understood, rather than auditing a process, which we have covered in this book.
The basics of systems management auditing are similar to those of process
management auditing, the main difference being one of level. Instead of looking
at a single process the auditor is looking at the system as a whole. Many of the
same skills are required, but it needs a still wider business understanding for the
auditor to be successful.

Planning and carrying out a follow-up audit


As with any audit this needs to be scheduled and auditors appointed in exactly
the same way as for a full audit. The main difference is associated with the scope
of the audit which is generally limited to the scope of the previous audit report
findings, rather than the entire process.

In preparing for a follow-up audit the auditor needs to review the previous
report and, in particular, to understand the business reasons for recommending
the improvement and the business risks or impact associated with it.

In terms of preparing your audit plan you should aim to discuss the
improvements to establish what action has been taken and the purpose in taking
the action. The same tools and techniques can be used to carry out a follow-up
audit as have been described earlier for process management audits. So, in
establishing the purpose and the aim of the action or improvement the auditor
is identifying what the process owner is trying to achieve. It is not good enough
just to determine whether the corrective action or improvement has taken
place. What the auditor needs to establish is how effective the action has been,
i.e. has the aim of the improvement activity been met, has it worked/solved the
problem, etc. From establishing the aim the auditor can then review the actual
improvement activity or corrective action taken, the results gained and identify
any further improvement needed to meet the original intention or purpose.

As described earlier the auditing tool shown in Figure 4.1 can be used in a
similar way when carrying out follow-up audits:

Consequently, after information has been gathered from the process
owner, the technique can be used to gather information from other people either
involved in the change/improvement or affected by it.

Through a series of short information gathering activities following the
assessing technique outlined earlier, the auditor will soon build up a view as to
whether or not the action has been effective in resolving the issue highlighted in
the original audit report and has been carried out in a timely manner. Timely in
this sense being based on the size and impact of the change or improvement and
the risk the organization faces in not carrying out the change quickly enough.

The feedback of the audit findings is to the process owner, as before, in a
format that you would typically use for all audits.

What happens if the improvement has not been carried out?
If an improvement has either not been fully completed or not even addressed
in any way the auditor needs to make a judgement on the potential impact on
the organization. If the judgement is that the organization is at risk then the
matter should be referred to the system owner, i.e. a higher authority than the
process owner, who should be asked to intervene to address the issue and advise
the auditor accordingly. What the system owner does in resolving the issue is
up to them, with any outcome being used to determine whether or not a further
follow-up audit is required. Every organization will need to be clear about the
method of escalation they will use in such cases, and when it should be used.
This will provide clarity to both the auditor and the process owner.

9. What personal attributes do auditors need?

Auditing as a skill
Auditing is a skill and like any other skill needs practice to hone it. It involves
an ability to evaluate or learn from the experience, subsequently changing the
auditing style or approach to add more value to the activity. Clearly competence
to audit is a key requirement, but what enables this competence to be built (and
is less easy to train) are the personal attributes inherent in any good auditor.
These attributes underpin the auditing activity and are the basis upon which
competence is built.

ISO 19011 describes these attributes and although not an exhaustive list,
it does provide a useful insight into what is expected. Above all the auditor
should be ethical; auditors are placed in a position of trust by Management to
investigate how effectively the organization is being managed. As we have seen
auditors need to assess effectiveness of actions taken as well as compliance.
To assess effectiveness requires the auditor to expose areas of strength and
weakness, identifying where the organization can make improvements or
changes that will enhance performance. In talking to different people at different
levels within the organization, often being party to sensitive information, the
auditor should be careful to ensure that confidentiality is maintained at all times,
whatever the pressure to disclose sources of information. This is not always easy
and sometimes pressure is exerted, but those seeking the information should
be made aware that its disclosure will break confidentiality which may result
in auditees being reluctant to take part fully in later audits to the detriment of
future audits and therefore the organization.

Equally the results should be a fair and honest reflection of the
findings, reporting facts and not seeking to apportion blame or falling into
the 'solutionism' trap. Solutionism is where the auditor writes their report
explaining how managers should actually carry out the improvements or
resolve problems. No matter how well meaning, it is often dangerous to make
recommendations to managers on how they should manage their organization -
that's their job, not the auditor's. Many books or guides on auditing often suggest
that the auditor should make recommendations but this needs to be done with
care. It is one thing to make a statement that something is blatantly incorrect
or is not working as well as it could and provide the evidence to support this.
It is quite another to go further than this and suggest how the improvement
should be carried out. Very seldom does the auditor have as good a view of the
organization as the manager. How the manager resolves problems or implements
an improvement is up to them. Following the appropriate process, of course,
is up to them. So, report the facts and leave any recommendations on what
needs to be done or action that could be taken until after the audit. I have seen
a number of internal and external auditors ruin a very good audit by making
recommendations that are inappropriate and get a negative reaction from the
manager, so be aware.

Auditing for effectiveness often involves understanding what is happening.
How an organization manages its business, how people carry out their tasks,
what equipment they use and how they comply with legislation, for example, is
up to them and the auditor can expect to see or observe activity that is different
between one organization and another and even between one department or site
and another in the same organization. In other words there is not necessarily
a right or wrong way. Auditors need to be open-minded as to the activities
undertaken and willing to consider different views or interpretation. What is
more important is how effective these actions are on the final result achieved.

Adopting an open mind goes hand-in-hand with carrying out the audit
in a tactful and diplomatic manner. Remember the easiest way to gather
information is to ask people what is happening, what they do, how they could
improve what they do etc. How the auditor handles this conversation, even if
auditing using email and other non-traditional methods of auditing, is critical
to success. If the auditor criticizes what someone is doing or how a manager
is managing their part of the business then that person is likely to be more
reluctant to provide the auditor with the information they need. Remember
people are often not the problem, most of the time it is the system they are
operating in, so identify where the system is failing rather than seeking to
criticize, blame or expose the individual. The results will be far more welcome
and of considerably more value to the organization.

When auditing there is often a sense of something being right or not
quite right, it's a feeling. You can't be certain because you might not have the
evidence, but you have an instinct that there may be something taking place that
is either incorrect or wrong or could be improved. This 'second-sight' is all
about perception, how the auditor sees, reads and understands situations. This
perception may be drawn from looking at evidence from different sources - an
adding together of information that doesn't quite make sense and needs testing
or examining further. Auditors need to develop and, more importantly, use this
ability. Often the information an auditor needs won't stare them in the face or
be straightforward and needs digging out based upon reading a given situation.
Another area based upon perception is collecting perception-based information.
This is often more valuable than fact-based or document-based evidence. The
problem is that how people perceive situations, activities or events is often not
evidenced by documents - it's often verbal or an interpretation. The auditor
therefore needs to be able to turn this information into fact or objective
evidence. This is achieved by using an appropriate sample size, testing the
perception to get to the facts. This may mean that someone has perceived an
event incorrectly or drawn the wrong conclusions. The auditor's job is to work
with these perceptions and draw conclusions separating the fact from the fiction.

To do this requires persistence, the ability to keep going even though
auditees may put obstacles in the way. You may not get exactly the information
you need or you simply get frustrated knowing there is something to be
identified but you simply can't find it. If you find yourself in this situation keep
going, think about the objectives of the business and the scope of the audit. How
important is it, will it put the business at risk? Perhaps a different approach is
required to gather the information. Persistence is not about pursuing something
for the sake of it, it is about making a judgement for the sake of the business, the
audit and importance of the issue.

Following on from persistence is the need to make decisions in a timely
manner based on the evidence that has been gathered. These conclusions should
be clear, unambiguous and understandable. This allows the auditee to be able to
review the conclusion or finding using the evidence the auditor has provided.
Poor conclusions based on poor analysis lead to the auditee not being able to
understand what the conclusion is about or why the issue has been raised. Often
poor analysis of the evidence results in confusion and inevitably findings that
are lower level detail (mainly compliance related) rather than the identification
of improvements or the need for change to enhance effectiveness.

Often auditors find themselves working on their own, gathering information
whilst they work with the auditees. This ability to work independently is an
attribute not to be underestimated. This requires the auditor to be a self-starter,
self-reliant, having the necessary equipment and motivation to see the audit through
without the support from other auditors.

How about knowledge and skill?


For auditors, knowledge and skill can fall into a number of areas:

• knowledge and skills of auditing itself;
• the management system and its supporting processes that are being audited
  as well as the organization or business itself;
• professional knowledge around the subject of quality;
• specialist knowledge of supporting business processes such as business
  planning, human resources, finance, etc.

The auditor needs to have a mix of skills and knowledge to be effective. These
are interdependent and should not be considered or developed in isolation of
each other, ie no one area is more important than the other; they complement
each other.

Knowledge of the auditing principles


Knowledge of the auditing principles is aimed at ensuring that audits are carried
out in a consistent manner following a defined approach. These principles
are identified in ISO 19011 and should support any auditing procedures and
approaches that the organization has in place.

It goes without saying that the auditor should be able to follow the
organization's auditing procedure and approaches.

The auditor should be able to create an audit plan based on the scope of
the audit. This should show who is going to be audited, how and when and be
agreed by the process owner. The effective use of time is very important. Auditors
should not forget that for most organizations auditing is an overhead, a cost to be
borne by the organization. Therefore the organization needs to not only get value
from the audit but also collect, collate and report information and other data
efficiently and effectively. The audit plan should reflect this need and auditors
should adopt approaches and methods that are appropriate. As mentioned earlier
in the book these approaches may well be non-traditional in nature but will be
more cost effective without detracting from the value of the audit.

With the plan in place, agreed with the process owner and communicated
to those being audited, it is the responsibility of the auditor to ensure that the
audit is carried out as planned, keeping to the timescales as shown. Sometimes
in an audit the auditor will discover areas that need more investigation than
the time allocated will allow or, perhaps, someone else needs to be interviewed
who wasn't on the original plan. In these circumstances the plan may need to
be amended and this is the auditor's responsibility. It is not good practice for
the auditor to either start late or to end an interview after the time previously
indicated on the plan. The auditee will be expecting the plan to be followed. If
the plan needs to be amended then the auditor should discuss or communicate
this to the process owner or the person showing the auditor round the
organization, if one is being used, in order that a revised plan can be agreed
and communicated. This may include going back to an auditee to check a
particular issue or to gather more information. Planning an additional interview
is preferable to ignoring the original plan, however tempting this may be.

The auditor needs to maintain confidentiality. This not only applies to
sensitive business or organizational information but also to personal feelings
and views that may be expressed by an individual or group. Clearly the auditor
may well be provided with sensitive business information as part of the audit
which should not be shared either within the organization itself or externally;
it must remain confidential. There is a temptation to share information
with work colleagues but the auditor doesn't necessarily know what has been
communicated and what hasn't and the reasons for this. Therefore to avoid
any situations it is best to simply say nothing and use the information for the
purpose for which it was given, ie for the audit. This approach will avoid and
prevent any difficult situations or misunderstandings.

The same applies to views expressed by auditees. To assess effectiveness
and gather the information required, auditors often need to gather views and
examples from people not directly carrying out the task involved. For example,
let's say you are auditing the manufacturing process; then you may gather
information from the sales team, ie the people who generate the orders, and
those who dispatch products and services as well, to gain their views and the
impact the production process has on them. Or perhaps you are auditing an
improvement process: as well as auditing the people involved in the actual
process or improvement you could also interview the people affected by the
change to determine how effective the change has been in improving
performance. In gathering these views from people outside the process being
audited but affected by its impact the auditor may well be gathering views and
opinions from a number of different people to create the objective evidence
and to form a conclusion regarding effectiveness. These views and opinions
also need to be kept confidential and not shared either with other auditees, eg
'I was speaking to X and he said ...', or outside the audit. If the auditor breaches
this confidentiality then it is likely that the auditee will be less forthcoming
with information the next time an audit takes place, thereby reducing the
effectiveness of the audits taking place.

Auditors should focus their attention on significant issues. This does not
mean that areas of detail should be ignored but that the audit should focus on
what is important to the success of the process and the organization rather than
areas that have little impact or significance in the overall picture. Some auditors
get a reputation for nit-picking, ie identifying or making an issue of small areas
that in themselves have little or limited impact on performance. If the auditor is
in any doubt as to whether or not an issue should be raised then think about the
manager who will be receiving the report: will they be interested? Is it important
to them?

Collecting information is the key requirement of the audit. The
information often comes from a range of sources from across the organization.
The various parts of information are then added together to form a view or
finding. It is often not a case of taking one piece of information in isolation
but adding different data together to form the picture. Therefore a key
principle is to test or verify the different pieces of information to confirm their
appropriateness and accuracy.

Auditors need to develop a sixth-sense to help them with knowing
how often and when additional information is needed to determine or verify
a finding. It is not possible to review or look at every document or piece of
information used or generated by a process. In addition it is very rare that the
amount of time allowed for the audit would be sufficient to interview every
manager or staff member involved in the process. This is compounded by the
need to gather information from those outside the process. To manage this the
auditor can use sampling techniques to help determine what information is
required. Although these can be scientifically- and statistically-based the auditor
can also apply common sense. For example if there are six projects to look at
then perhaps two could be sampled; if there is sufficient difference in the two
then perhaps a third could be reviewed to confirm the finding. Or if there are
250 employees who need to have objectives and understand how they fit into
the process then perhaps 10 could be interviewed for five minutes (50 minutes
in total) rather than two for 25 minutes (still 50 minutes in total) to allow the
auditor to gain a wider view of what is happening.

Understanding management systems and processes


As we have outlined earlier in this book and in others that make up this series,
understanding what a process-based management system actually is and the
principles of managing an organization by process is really important. It is not
the intention to revisit the principles of process management and its impact on
organizational performance but auditors who do not understand the principles
will not be able to audit effectively, often finding it difficult to move beyond
compliance auditing.

This extends to understanding how the various processes that make up the
system interact with each other and how support or reference documentation such
as procedures and other information is positioned and used within the system. It
would also include how resources, equipment, budgets, competence, team work,
knowledge, other standards and frameworks, environmental, health
and safety and regulatory requirements, information technology, intellectual
property, management ability and techniques, results, changes etc can impact
on process performance. This does not have to be an in-depth understanding
but should, at the very least, be an awareness of the possible impacts so that the
auditor is able to form judgements on possible areas for improvement.

In addition, as mentioned before, the auditor needs to have an appreciation
of general business processes, what might make up such a process and how
the organization has interpreted these business activities into the management
system and therefore into its processes.

Another impact on process performance that the auditor needs to be
aware of and understand is that the organizational culture will affect both the
audit and, potentially, process performance. The auditor needs to appreciate the
organizational culture they are working in and work within this, modifying their
auditing techniques and methods accordingly.

What professional knowledge does an auditor need?


The final area of knowledge is that relating to quality. Accepting that we have
covered the business knowledge needed in other sections, this area relates to the
quality-specific knowledge that needs to be understood. Quality terminology
is, in effect, business terminology that we have already covered. This can
be extended to include quality management principles, which are, in effect,
business management principles.

Where specific quality knowledge is of use is in understanding specific
tools and techniques that have traditionally been used by quality professionals. Of
course as the management system is process-based and as these processes cover
a range of management disciplines, including quality disciplines, the auditor
can expect these tools and techniques to be found or used in the appropriate
processes. Examples of this could be:

• statistical control which could be used to assist the measurement of process
  performance;
• failure mode and effect analysis which could be used in a design and
  development process;
• cause and effect analysis which could be used in an improvement process.

Understanding these tools gives the auditor a wider and deeper appreciation
of how traditional quality techniques can be used to improve and support
process performance.

What skills does the audit team leader need?


The need to audit processes and their management for effectiveness and
compliance, particularly in larger organizations, may well mean that audit teams
may be needed. In the past where compliance to procedures was the only real
requirement, individuals working on their own were often sufficient to carry out
an audit. This may well not be the case when auditing processes for a number of
reasons as follows.

• Not all auditors have the same level of auditing competence. Different
  auditors will have different auditing experiences and skills. As processes run
  across the organization, inevitably auditees will occupy different positions
  within the business. They will have different responsibilities at differing
  levels within the business, different attitudes and experiences; the same
  auditor may not have sufficient skill to audit them all. A good compliance
  auditor does not necessarily have the competence to audit the effectiveness
  of a business planning process.

• Lack of confidence or experience. Although this is often caused largely by
  inexperience, nonetheless it is a critical factor if the audit is to be a success.
  A good example of this is an auditor with compliance auditing skills being
  asked to audit the Managing Director to determine how effective the
  management system is in meeting business objectives. Although in some
  organizations this may well be acceptable, even promoted in others, it may
  well place the auditor in a position where they are not going to do justice
  to themselves or the audit. This may simply be because they are not of the
  right grade, position or may not have the confidence or experience to audit a
  senior manager.

• Lack of understanding of the business and the process. To audit processes
  effectively auditors require an understanding of a wide range of business
  principles. This does not have to be an in-depth understanding but an
  awareness. For example it is often commented that auditors need an
  understanding of quality, health and safety, and environmental issues (the
  integration myth), but what about business planning principles or how an
  asset is managed or how people develop skills, ie management principles
  and disciplines that need to come together (be integrated) in a system and
  the processes that support it? It is often this area that is overlooked but is
  probably the most important in enabling the auditor to assess effectiveness.
  When auditing the effectiveness of the management of a process this area
  is probably more important than technical specialisms. At the time of
  writing the focus for appointing auditors is often based on their technical
  competence not on their management ability. As ISO 9001:2000 is based
  on the effectiveness of Management to manage their organization to deliver
  results and to ensure customer satisfaction, perhaps organizations should
  now consider appointing auditors on their management ability rather than
  their technical expertise.

With different auditors having different interpersonal skills, different levels of
understanding of management disciplines and of confidence, as well as auditing
processes that run across the business, often it is easier and more appropriate
to operate in audit teams. When operating in a team someone needs to lead
it and take responsibility for its direction and activities. Leading an audit
team is not about technical or specialist competence in the area concerned.
If it was, then Lead Auditors would indeed be a rare animal. Leading a team
requires leadership skills associated with ensuring that the audit process is run
efficiently and effectively. These skills fall into a number of areas as follows.

• Planning the audit: as we have seen auditors have different skills and may
  even be in different locations so the available audit resource needs to be
  appointed accordingly based on the process to be audited. In addition the
  method or approach needs to be considered. Traditionally auditing has been
  completed face-to-face on a one-to-one basis. To audit effectively this does
  not have to be the case. The auditor can use many methods including email,
  telephone, short questionnaires, video-conference for example, as covered in
  previous sections.

• Representing the audit team: as part of the audit this will probably mean
  discussing and planning the audit with the process owner or Management
  team member. This would include agreeing who is to be audited, the scope
  of the audit and any particular aspects of the process that need special
  attention. At the end of the audit the Lead Auditor will also present/report
  the audit findings back to the process owner or Managing Director and agree
  any follow up action required.

• Completing the audit report: as the auditing is being conducted by a team,
  the Lead Auditor is responsible for bringing the different strands of the
  audit together in order to reach conclusions. Identifying non-compliances
  is normally straightforward; identifying areas for improvement that will
  enhance performance can be more difficult to agree. This often requires the
  team to reach consensus on what the different strands mean when they are
  added together. How this is achieved can vary but on occasions individual
  team members may disagree with each other. At this point the Lead Auditor
  needs to have the skill to facilitate the team to reach a sensible conclusion
  that will make sense to the team, the process owner and support the
  improvement of the organization. Coupled with this is the ability to write an
  audit report that is effective in portraying the findings and conclusions of the
  audit. The findings need to be succinct, clear and easy to understand, showing
  what objective evidence has been identified to support the conclusions.

  The Lead Auditor needs to be able to justify the statements made,
  if required, and to enter into discussions as to how the areas identified
  might be resolved. The Lead Auditor should, however, be careful not to
  recommend actions as part of the audit. When reporting areas for
  improvement there is often a temptation to recommend how a particular
  issue may be resolved or improved. There may well be many ways that a
  problem could be resolved, some unknown to the audit team or outside the
  scope of their understanding. Improvements are likely to be subject to the
  organization's improvement process (as required by ISO 9001:2000) and
  it is this activity that will identify the causes and recommend solutions.
  Lead Auditors need to be careful with recommendations; often it is best to
  report statements of fact and leave the actions and recommendations for
  improvement to the manager concerned; that's their responsibility.

• Managing the audit as it is progressed: the Lead Auditor is responsible
  for managing the audit as it is carried out. This may mean resolving issues,
  some of which may be confrontational in nature. This can often require tact
  and diplomacy (hence the attributes listed in this bullet list). It may also
  mean identifying potential problems that could occur and taking appropriate
  action to prevent them from happening.

• Developing the auditors: by their nature Lead Auditors tend to be more
  experienced managers as well as auditors. This experience can be used to
  develop auditor competence, identifying training needs and taking part in
  training and development activity that will improve auditor performance.

10. Conclusion and the way forward

What does the future hold for quality auditors?


There are many types of auditor. Auditors who are employed to audit compliance
will still be required, as this approach will be needed to ensure requirements of
specific detailed standards are being met. For those required to audit processes
however, the future is bleak if appropriate auditing/assessment skills and
techniques are not used and enhanced over time. In this book we have only
covered the basic principles, and these need time and practice to be effective and
for the reader to truly understand the principles involved. In other words reading
the book without the practice will not build competence.

Our experience shows that the development of these key skills takes
time, and as competence builds so auditors create their own style and approach
based on the techniques outlined. This approach has created a far more
interactive and value adding approach to auditing. Auditors report that they
not only find out more information quicker, but that they are also finding out
value adding areas for improvement which would not have been identified solely from
compliance auditing.

These are key skills that need to be mastered for the future. In addition
auditors need to be much more business aware, with an understanding at least at
an overview level of the different management skills and techniques used within
an organization. This may include understanding finance, health and safety, new
product development, improvement techniques, asset management and strategy
and business planning for example, all of which affect either process or systems
management auditing. This is not an exhaustive list and I am not saying you
need to be an expert in all areas, which is impossible. But auditors will need an
appreciation of these other areas in order to audit the joined-up nature of both
processes and systems and to help drive the need for them to improve and change.

Why do organizations want or need this?


For many years auditing has often been seen to add little value, providing
Management with predominantly low-level information on which to base
decisions. This has mainly been provided by compliance based audits or audit
reports which do not provide information to Management that either stimulates
the need for change or identifies risks of which they were not previously aware.

But this is precisely the information that Management need and want.
Auditing, both third party and internal, is a cost to organizations, and by not
providing the required information that adds value, auditors will be doing their
employers and customers a disservice. As importantly, they are also giving people
the opportunity to reduce the importance of auditing and auditors. In such a
situation, organizations quite naturally look for other solutions to their problems
and if that means not using auditors in the traditional manner then so be it.

Very few organizations fail to understand the need for improvement and
change to enhance their performance. Auditors have a vital role to play, but only
if they adopt the techniques and approaches required.

As business management systems evolve, so their complexity, scope
and maturity change. This is quite natural and as the management system
changes so the role of the auditor will also change and be enhanced over time.
This changing state will provide further opportunity for auditors but they will
also require enhanced auditing techniques, methods and approaches to give
Management the information they need.

Welcome to the new world of auditing effectiveness and performance:

LEARN CHALLENGE CHANGE RENEW.



Appendix 1. Example auditor questions


With the auditing principles and techniques explained, this section seeks to
provide some example questions based on the approaches used. As explained
previously it is not easy to assess the effectiveness of a process or, indeed, a
system, by simply following the clauses of the standard; organizations simply
do not always work that way. Nonetheless the examples are grouped by clause
for ease of reference together with questions that could be asked to demonstrate
compliance along with those which seek to test effectiveness. This is not an
exhaustive list and all clauses are not covered in the detail needed, otherwise we
would end up with a book of questions; that is not the point. One common trend
you will notice is that asking a compliance question gives a definitive answer,
asking a question on effectiveness provides information; the auditor's job is
then to add this information together to form the judgement on effectiveness.
Also notice that open and closed questions can be used in both areas; simply
asking the question starting with 'what', 'how', 'where' etc does not constitute skills
associated with effectiveness testing.

Table A.1 Example questions for clause 4 of ISO 9001:2000

| Clause no. | Requirement | Question to whom | Compliance question | Effectiveness question |
|---|---|---|---|---|
| 4.1 | Identification of the processes | Senior Management | Show me the processes that make up the management system | How do you know the correct processes have been identified? |
| | | Senior Management | What management information do you use to monitor the processes? | How do you know that the management information you use is the correct information to control a process? |
| | | Senior Management | What parts of your processes are outsourced? | How do you assess which parts of your process should or shouldn't be outsourced? How is this management decision made? |
| | | Management | What parts of your processes are outsourced? | How do you know that the outsourced work is being effectively managed and controlled? |
| | | Staff member | What jobs are given to other people outside the business to do? | How often, roughly, is work done by other people outside the organization completed wrongly or badly? |
| | | Staff member | What is your job? | What is the impact on the customer if you don't get your job done correctly? |
| | | Staff member | What part do you play in the process? | How do you know if or when you have done a good job? |
| | | Staff member | What do you do? | How often do you get work that is either wrong, incorrect, needs rework or is simply confusing? |
| 4.2.1 | General | Senior Management | Are procedures documented? Do you have a quality manual? Is there a statement of quality and objectives? | How did you determine what method and approach is of most benefit to your organization? |
| 4.2.2 | Quality manual | Senior Management/Management | Do you have a quality manual? Show me your quality manual? Does it contain the right information outlined in the standard? | What is the purpose of the manual? How is it used on a routine regular basis? How is its content translated into everyday activity? Why is it written the way it is? How does the manual support the objectives of the organization and its image with the customer? |
| | | Staff | Do you know where to find the manual? Show me the quality manual? | What is this organization trying to achieve? How does the organization work? How do we all work together to deliver results? How do we improve things in this organization? |
| 4.2.3 | Document control | Management/staff | Do you approve documents prior to issue? Do you have a procedure? Show me how you control the version. Etc | How often do you find that you use the wrong information or documents in this organization? (ask many people to build up a picture) Do you ever think that you use out-of-date information? How do you know you are using the most up-to-date information/documents? |

Table A.2 Example questions for clause 5 of ISO 9001:2000

| Clause no. | Requirement | Question to whom | Compliance question | Effectiveness question |
|---|---|---|---|---|
| 5.1 | Management commitment | Senior Management | How do you demonstrate that you are committed to the development and implementation of the management system? | How do you know that the approaches you use to demonstrate commitment are effective? |
| | | Staff member | Are Management committed to the management system? Or: How committed are Management to the management system in this organization? | When was the last time you saw/heard your Manager concerned with meeting the customers' needs? What was this? What was the impact of these statements on you and your colleagues? |

Compare the answers given by both Management and staff and identify any inconsistencies.

| Clause no. | Requirement | Question to whom | Compliance question | Effectiveness question |
|---|---|---|---|---|
| 5.2 | Customer focus | Senior Management | How do you focus on the needs of the customer? | How do you prioritize the needs of different customers and other stakeholders? We can't satisfy everyone 100 per cent of the time, so how do you manage this? How is this information used to set business objectives? How do you validate the information to ensure it is correct, (otherwise your objectives could be incorrect)? |
| | | Senior Management/Management | How do you identify customer needs? | How do you know that the process for identifying customer needs is effective? |
| | | Senior Management/Management | What process do you have to identify what customers' needs are? What is your role in this process? | How are customers' needs translated into objectives that are subsequently measured by customer satisfaction activity? How does it all link together? |
| | | Senior Management | Who is responsible for this process? | How is this process managed, controlled and improved on a continual basis? |
| 5.3 | Quality policy | Senior Management | Show me your policy? | What factors did you consider in determining the policy details? |
| | | Staff member | Do you know what the quality policy is or where to find it? | What is important to this organization? How important is it that you do a good job to you, to the customer, to the organization? If there was one thing that this organization had to achieve, what would it be? |
| | | Senior Management | Has the policy been communicated? How? | How do you know that your employees understand the policy and what it means to them? |
| 5.4.1 | Quality objectives | Senior Management | Do you have quality objectives? | How do you know the objectives are correct? |
| | | | Who created the objectives? | How do you know that the Management agree with the objectives set? |
| | | | Are the objectives measurable? | How were the measures selected? How do you know that these are actually achievable? |
| | | | How many objectives are there? | How do these objectives complement and support each other to move the organization forward? How do you know that they jointly deliver everything you need to do as a business? |

Link the answers to these questions with those given in answer to subclause 5.2. Do the answers link? Do they make sense?
Appendix 1

69

Clause Requirement Question to Compliance question Effectiveness question


no. whom

Management What are your objectives? How do you know if your


Are they measurable? objectives link to those of the
organization?
How were the objectives
created?

5.4.2 Quality Senior Management Is the management system How do you know that the
management designed to meet the management system has been
system planning objectives of the business? designed to meet the
How do you maintain the objectives set?
integrity of the management How do you ensure that the
system? integrity of the management
system is maintained so that
customers are not adversely
affected during changes?

5.5.1 Responsibility Senior Management Are responsibilities and How are responsibilities
and authority authorities defined? communicated?
How do you know if these
responsibilities are being applied
correctly?
How do you reallocate/reduce
responsibilities when needed?

5.5.2 Management Senior Management/ Who is the Management Who in the Management team
representation Management Representative? champions the management
Show me what you do (to the system?
Management Representative) How effective is the
Management Representative
in helping the organization to
understand how it delivers
results and improves business
performance?

5.5.3 Internal communication
Question to whom: Senior Management
Compliance questions:
- How do you communicate results to the rest of the organization?
Effectiveness questions:
- How do you know that the communication methods you use are effective?

Question to whom: Management
Compliance questions:
- How do you communicate results to your staff?
Effectiveness questions:
- How do you translate the organization's results into information that directly applies to your staff rather than corporate/business speak?
- Does your manager provide you with information on business performance that directly applies to you?

Question to whom: Staff
Compliance questions:
- How well is the organization performing?
- Do Management communicate to you on this subject?
Effectiveness questions:
- Does the information you are provided with mean anything to you?
- Does the information relate directly to your job?
- How can you influence these results?

5.6 Management review
Question to whom: Senior Management/Management
Compliance questions:
- Do you hold a management review?
- What do you look at?
- What are the results of the review?
- How do you record the actions from the review?
Effectiveness questions:
- How do management review the performance of the business?
- How effective are these methods?
- How do you know the actions agreed are aimed at delivering the organization's objectives?
- Are discussions at reviews based on improving results?
- What subject areas are discussed?
- How do they relate to the performance of the business and its objectives?
- What factors do you use to prioritize improvement activity?

Table A.3 Example questions for clause 6 of ISO 9001:2000

Clause no. | Requirement | Question to whom | Compliance question | Effectiveness question

6.1 Provision of resources
Question to whom: Senior Management/Management
Compliance questions:
- Do you allocate resources?
- How do you manage resources?
- What resources do you need?
Effectiveness questions:
- How do you know the resources you use are aligned to the delivery of the business objectives?
- How do you know that the resources required contribute to satisfying customer needs/requirements?

6.2.1 General
Question to whom: Senior Management/Management
Compliance questions:
- How do you recruit people who are competent?
- How do you manage people's competences?
- How do you balance the need for procedures with people's competences?
Effectiveness questions:
- How do you know the balance between training and competence and the need for procedures is correct and effective?
- How do you know your people's competences are sufficient to deliver the business objectives?

Question to whom: Staff
Compliance questions:
- What resources do you use?
Effectiveness questions:
- If there was one thing that would help you do your job better what would it be?

6.2.2 Competence, awareness and training
Question to whom: Management
Compliance questions:
- Have competences been defined?
- Are training needs identified?
- Do you evaluate training interventions?
- Do you have training records?
- How do you communicate the importance of your staff's activities in meeting objectives?
- How do you make them understand this?
Effectiveness questions:
- How do you know the correct competences have been defined?
- What methods do you use to evaluate training and how do you know when to use each?
- How do you prioritize someone's learning/training needs?
- What support do you give that allows staff to apply what they have learnt in the workplace?
- How do you know how effective this support is?
- How do you know that you have effectively communicated personal objectives to staff?

Question to whom: Staff
Compliance questions:
- Has the organization defined the competences you need to do your job?
- Do you understand how important your activities are?
Effectiveness questions:
- Do you think the competences defined for your job are correct?
- How good are Management at reviewing your competence and identifying where you can improve?
- In your view is training delivered generally too late or too early on occasions?
- After you have received training does someone test or check to see that you can apply the training you have received?
- How do your activities help this business achieve its overall goals and objectives?

6.3 Infrastructure
Question to whom: Management
Compliance questions:
- What equipment/assets do you have?
- How is this equipment managed and maintained?
- How is the equipment purchased?
- Do you back up IT systems?
- What processes do you have to manage all your resources?
- Does your process cover acquiring, commissioning and decommissioning an asset?
- What approvals are gathered for asset purchase?
Effectiveness questions:
- How do you know that the equipment is capable of delivering the objectives?
- How do you know that you have purchased and commissioned the most appropriate equipment?
- How do you assess the effectiveness of your disaster recovery plans should your infrastructure fail?
- How do you optimize the performance of your infrastructure resource?
- How do you know that approvals for asset purchases follow the agreed governance rules for the business?

Question to whom: Staff
Compliance questions:
- What equipment do you use?
- How is the equipment maintained?
Effectiveness questions:
- How efficient is the equipment you use?
- How quickly is it repaired should it break down?
- How often does equipment failure affect your production/service delivery?

6.4 Work environment
Question to whom: Management
Compliance questions:
- What do you consider to be your working environment?
- How is the working environment managed?
- What legal and regulatory requirements do you need to follow?
Effectiveness questions:
- How do you know when to make a new investment in the working environment?
- How do you measure the impact of the working environment on people's motivation to work here?
- How do you know that the working environment supports the delivery of process and product requirements?

Question to whom: Staff
Questions:
- What is it like working here?
- If the working environment could be improved how would it be?
- Do Management ever ask for your opinion on the acceptability of the environment to deliver what customers need?
- Does the environment you work in affect your performance and the quality of what is produced?

Table A.4 Example questions for clause 7 of ISO 9001:2000

Clause no. | Requirement | Question to whom | Compliance question | Effectiveness question

7.1 Planning of product realization
Question to whom: Management
Compliance questions:
- What are the processes for product realization?
- How do these processes operate?
Effectiveness questions:
- How do you know the correct processes have been identified to meet the objectives set?
- How do you know that the planning is an appropriate form for the business? How has this been tested to maximize the operational performance of the organization?

7.2.1 Determination of requirements related to the product
Question to whom: Management
Compliance questions:
- How do you determine what customers require?
- What statutory and regulatory requirements relate to the product/service?
- What non-stated requirements are there?
Effectiveness questions:
- How do you know you have determined the customers' requirements correctly?
- How good do you think you are at identifying what your customers' needs really are?
- How effective is the business at ensuring you don't fall short of regulatory requirements?

Question to whom: Staff
Compliance questions:
- How do you identify customers' needs/requirements?
Effectiveness questions:
- How good do you think you (the organization) are at identifying what your customers' needs really are?

7.2.2 Review of requirements related to the product
Question to whom: Management
Compliance questions:
- How do you review the organization's capability to deliver what the customer requires?
- Show me the details.
Effectiveness questions:
- How much wasted work is carried out in this organization as a result of you, or the customer, changing what is required?

Question to whom: Staff
Compliance questions:
- How do you know you are capable of delivering what is required?
Effectiveness questions:
- How often do you find that you can't actually deliver what you have agreed to?

7.2.3 Customer communication
Question to whom: Management
Compliance questions:
- How do you communicate information to customers?
- What provision have you made that allows customers to raise queries or provide you with feedback?
Effectiveness questions:
- How do you know that customers know how to communicate with the organization effectively?
- How has this type of communication from the customer affected what you do in the past six months?

7.3.1 Design and development planning
Question to whom: Management
Compliance questions:
- How do you plan the design and/or development of a new product or service?
- What resources do you need?
Effectiveness questions:
- How do you optimize the use of resources you have available to you?
- How do you prioritize different projects?
- How do you know that your limited resources are being used in such a way as to maximize the benefit to the organization and its customers?

Question to whom: Staff
Compliance questions:
- How are new designs/developments carried out?
Effectiveness questions:
- Do you think that the organization knows which projects are more important than others?
- How often do you get torn between the needs of different projects and don't know which to do first?

7.3.2 Design and development inputs
Question to whom: Project Manager
Compliance questions:
- What factors do you consider when designing/developing a product or service?
- What legal and regulatory requirements are important?
Effectiveness questions:
- How do you know the design inputs have been identified correctly?
- How often do you find, when testing a product or service, that the design inputs have not been identified correctly?

Question to whom: Design/Development Team
Compliance questions:
- What factors do you consider when designing/developing a product or service?
- What legal and regulatory requirements are important?
Effectiveness questions:
- How much wasted effort do you think takes place on design and development work?
- Do you think you are careful enough when you design or develop products and services?

7.3.3 Design and development outputs
Question to whom: Project Manager
Compliance questions:
- What design/development outputs do you have?
- Do they contain the required product acceptance criteria?
Effectiveness questions:
- How many changes are made to design/development outputs before they are correct and can be used?
- How do you know that the design/development outputs are relevant and appropriate to the needs of the rest of the business?

Question to whom: Design/development team
Compliance questions:
- What design/development outputs do you have?
- Do they contain the required product acceptance criteria?
Effectiveness questions:
- Can you give me an example of when the design/development outputs have not been understandable?
- How relevant are the design/development outputs to your job?
- Do they provide you with the information you need?

7.3.4 Design and development review
Question to whom: Project Manager/project team
Compliance questions:
- How often do you hold reviews?
- What is the purpose of these reviews?
- Who attends these reviews?
- What happens at these reviews?
Effectiveness questions:
- How often are agreed deadlines for actions missed? Why is this?
- How are disagreements or concerns on the way forward resolved quickly and to the benefit of the business?
- Compared with your competitors how good are you at getting products to market?

7.3.5 Design and development verification
Question to whom: Project Manager/project team
Compliance questions:
- How do you test products and services to check that you have designed what you were supposed to design?
- What records do you keep?
Effectiveness questions:
- How often do you identify problems found with products and services after they are released?
- How do you balance the need and risks to get the product or service launched with making it perfect?

7.3.6 Design and development validation
Question to whom: Project Manager/project team
Compliance questions:
- How do you test products and services to check that you have designed something that meets the original customer or market needs?
Effectiveness questions:
- How do you know that customer requirements have been met when you are designing the product and services?

7.3.7 Control of design and development changes
Question to whom: Project Manager/project team
Compliance questions:
- How are changes incorporated into designs/developments?
Effectiveness questions:
- How do you know that the changes to designs or developments will have the desired results?

7.4.1 Purchasing process
Question to whom: Purchasing Manager
Compliance questions:
- What is the purchasing process?
- How does the process work?
- Show me the process working
Effectiveness questions:
- How do you know that the suppliers you use continue to contribute to the delivery of business objectives?

7.4.2 Purchasing information
Question to whom: Staff
Compliance questions:
- What purchasing information do you include on purchase orders?
- What quality management system requirements do you insist upon?
Effectiveness questions:
- How do you know that you provide sufficient information to your suppliers, not too much but not too little?
- How do you know that your suppliers are managing their business in an efficient and effective manner? How do you assess this?

7.4.3 Verification of purchased product
Question to whom: Management
Compliance questions:
- How do you ensure that the purchased product and services are what you ordered?
- What actions do you take to check that the goods you receive are OK?
Effectiveness questions:
- How do you reduce the risk of bought in goods and service failures on what is provided to your customers?

7.5.1 Control of production and service provision
Question to whom: Management
Compliance questions:
- How do you control operational activities to ensure consistency and conformity of the service or product?
- What work instructions, control plans or schedules do you use to control operational processes?
Effectiveness questions:
- How do you plan the way in which operational activities are performed to provide sufficient controls?
- How do you control the risks of operational activities in meeting customer requirements?

Question to whom: Staff
Compliance questions:
- What information do you have to help you do your job?
- Have you been trained to do your job?
- Have you got the right equipment to do your job?
Effectiveness questions:
- How do you know that what you are doing meets your customers' requirements?
- What are the greatest risks to not achieving your customers' requirements and how do you control them?
- How do you know you have met your customers' requirements?

7.5.2 Validation of processes for production and service provision
Question to whom: Management
Compliance questions:
- Demonstrate the validation methods in place to control processes you cannot readily or economically verify?
- How often do you revalidate the process controls?
Effectiveness questions:
- How do you control any processes you cannot readily or economically verify?
- How do you know the validation methods you use are effective?

Question to whom: Staff
Compliance questions:
- How do you test the process?
Effectiveness questions:
- How do you test the process to ensure it meets customer/product requirements?
- What are the criteria you use to measure process performance?

7.5.3 Identification and traceability
Question to whom: Management
Compliance questions:
- Do you identify products?
- How do you identify products?
Effectiveness questions:
- How have you determined to what extent identification and traceability of the product is required?
- How do you know the controls for product identification and traceability are effective?

Question to whom: Staff
Compliance questions:
- Show me how products are identified?
- Can you find this xyz product for me?
Effectiveness questions:
- What problems does poor identification cause you and how do you control this?

7.5.4 Customer property
Question to whom: Management
Compliance questions:
- Do you use customer property in the process?
- How are problems with customer property reported back to the customer?
Effectiveness questions:
- How do you know when customer property is used in the process?
- How is customer property identified and protected?
- When problems arise with customer property how do you deal with them and ensure the problem does not arise in the future?

Question to whom: Staff
Compliance questions:
- When do you use customer property?
- Show me how you protect customer property
Effectiveness questions:
- How do you report problems with customer property?
- What happens when you report a problem?

7.5.5 Preservation of product
Question to whom: Management
Compliance questions:
- Show me how the product is protected
Effectiveness questions:
- How is conformity of the product to specified requirements maintained throughout the entire process?

Question to whom: Staff
Compliance questions:
- Show me how the product is stored
- Show me how the product is identified
- Show me how the product is handled
Effectiveness questions:
- How do you know that the product is adequately protected during all stages of the process?

7.6 Control of monitoring and measuring devices
Question to whom: Management
Compliance questions:
- Have you identified all monitoring and measuring equipment?
- Has the equipment been calibrated to a recognized standard, eg NAMAS approved?
- Show me the records for monitoring and measuring equipment
- Is the product recalled and retested when a piece of monitoring or measuring equipment fails calibration?
Effectiveness questions:
- How do you determine what monitoring and measurement is required?
- How do you know the results of the monitoring and measuring can be relied upon?
- How is monitoring and measuring equipment checked?
- What do you do when a piece of monitoring or measuring equipment fails calibration?

Question to whom: Staff
Compliance questions:
- What equipment do you use to monitor and measure product or process performance to specified requirements?
Effectiveness questions:
- How do you know the monitoring or measuring equipment you use is working correctly?

Table A.5 Example questions for clause 8 of ISO 9001:2000

Clause no. | Requirement | Question to whom | Compliance question | Effectiveness question

8.2.1 Customer satisfaction
Question to whom: Management
Compliance questions:
- Do you measure customer satisfaction?
- How do you measure customer satisfaction?
Effectiveness questions:
- What do you do with the information you get from measuring satisfaction?
- How do you know the methods you use are effective in gathering the information you need?
- How do you know that the questions you ask/information you seek is the right information? (Compare this to the answers from 5.2)

8.2.2 Internal audit
Question to whom: Senior Management
Compliance questions:
- Show me your audit schedule/programme?
Effectiveness questions:
- How do you know when to audit each process given the business risks your organization faces?

Question to whom: Management
Compliance questions:
- Are the auditors independent?
- Have you trained your auditors to audit effectively?
- Can I see your audit reports?
- Are non-compliances addressed in a timely fashion?
Effectiveness questions:
- How do you allocate auditors based on the purpose of the process and competence required?
- How do you train your auditors to understand other business management disciplines such as budget control, marketing, team working etc?
- How do you know the audit reports are providing you with the information you need to support the management of the business?
- How does the auditing add value to the business?
- How have you addressed the business impact of the non-compliance?

8.2.3 and 8.2.4 Monitoring and measurement of processes and product
Question to whom: Senior Management/Management
Compliance questions:
- Show me your measures
- Show me the trends in performance
- Show me the targets for each process
Effectiveness questions:
- How do you know these are the correct measures?
- What is the information telling you?
- How do you know that the information is accurate?
- How do the measures link to the business objectives?
- How do you manage the process and identify cost and waste efficiencies? Give me an example.

Question to whom: Staff
Compliance questions:
- Show me the results you achieve
Effectiveness questions:
- What is this information telling you?
- How can you influence these results?

8.3 Control of non-conforming product
Question to whom: Management
Compliance questions:
- Show me the procedure to control non-conforming product?
- How do you make sure non-conforming products do not get used accidentally?
- Do you keep records of non-conforming products?
Effectiveness questions:
- How do you know that non-conforming products are not reaching the customer or being used?
- What is the impact on the business if they are released accidentally?
- Why do you need records?
- What do you do with them?

Question to whom: Staff
Compliance questions:
- Show me the procedure to control non-conforming products
- How do you make sure non-conforming products do not get used accidentally?
- Do you keep records of non-conforming products?
Effectiveness questions:
- How often do you release non-conforming products but don't record it for operational reasons?
- What is a non-conforming product?
- How do you know that you handle all non-conforming products the same way?

Then compare the answers from Management and staff to make a judgement.

Question to whom: Management
Compliance questions:
- How do you handle product recalls?
Effectiveness questions:
- How do you know that any product recall would be handled to protect both the customer and the image of the organization?

8.4 Analysis of data
Question to whom: Management
Compliance questions:
- Do you analyse performance?
- How do you analyse performance?
- Does the information include data on customer satisfaction?
- Does the information show trends in performance against targets?
Effectiveness questions:
- How do you identify improvements that maximize the benefit to the business?
- How do you make recommendations for improvement based on the results achieved?
- How do you monitor the impact of improvements on the results achieved?

8.5.1 Continual improvement
Question to whom: Senior Management/Management
Compliance questions:
- Is there a process for continual improvement?
Effectiveness questions:
- How do you know that improvements made are managed and controlled?
- How are appropriate people involved in improvement activity?
- How do you know that an improvement doesn't have an adverse impact on other activity?

Question to whom: Staff
Compliance questions:
- What improvements have taken place?
- Have you been involved?
Effectiveness questions:
- Have improvements made helped you do your job better/made it easier?
- Does this organization learn from its mistakes to make things better next time?

Question to whom: Customers
Compliance questions:
- Has this organization improved?
Effectiveness questions:
- How effective do you think the organization is in improving what it does?

8.5.2 Corrective action
Question to whom: Management
Compliance questions:
- Have you got a procedure for corrective action that covers the areas of the standard?
- Do you keep records of corrective actions?
Effectiveness questions:
- How do you know everyone deals with processing/product errors or mistakes in the same way to protect the organization and its customers?

Question to whom: Staff
Compliance questions:
- What is a corrective action?
- What do you do with a processing/product error or mistake?
Effectiveness questions:
- How often does this take place?
- Do you think we make too many mistakes that are really unnecessary?

8.5.3 Preventive action
Question to whom: Management
Compliance questions:
- Have you got a procedure for preventive action that covers the areas of the standard?
- Do you keep records of preventive actions?
Effectiveness questions:
- How do you know the correct business risks have been identified and actions put in place to reduce these risks?

1. Establish business objectives
2. Audit planning
3. Carry out audit/verify action (criteria: management system documents; ISO 9001:2000; ISO 14001; legal and statutory requirements)
4. Record observations
5. Generate audit report
6. Action required? (Yes: go to step 7; No: go to step 9)
7. Responsibility and timescales agreed
8. Action taken
9. Close audit

Figure A.1 Example of a typical internal audit process (flow diagram and procedure)

Table A.6 Example procedure

1. PURPOSE AND SCOPE

1.1 The purpose of this procedure is to ensure the company's operational activities are
being carried out in accordance with the requirements of the management system and to
monitor compliance to external standards, including legal and statutory obligations. Where
omissions are highlighted this procedure ensures that appropriate timely action is taken in
order to correct the situation.

2. AUDIT PLANNING

2.1 With reference to the current business objectives, previous audit results, and the importance
of the processes to be audited, the Management Representative is responsible for generating
an annual audit plan covering all relevant elements of the management system.

3. AUDITING

3.1 Audits are carried out by the assigned auditor using the following documents as the criteria
to audit against: current management system documents, externally originated standards
(e.g. ISO 9001:2000, ISO 14001, etc), legal and statutory requirements, as appropriate.

3.2 During the audit the emphasis is placed on the witnessing of objective evidence to verify
that the management system procedures meet the requirements of any appropriate
externally originated standard and/or legal and statutory requirements and that they are
being effectively implemented.

3.3 Any observations made during the course of the audit are recorded by the auditor in the
form of notes or on the Audit Checklist document.

4. REPORTING

4.1 If an opportunity to improve or a problem is identified during the audit the auditor will
endeavour to agree suitable action and timescales for its completion, with the most
appropriate individual(s).

4.2 At the end of the audit the auditor completes an audit report detailing their observations
and any action that may be necessary, including responsibility and timescales for completion.

4.3 The completed audit report is circulated to all staff responsible for taking the action. It is
their responsibility to carry out the appropriate action by the agreed completion date.
The Management Representative retains the original report.

5. VERIFICATION OF ACTION

5.1 The action is verified by the Management Representative as part of the ongoing audit
plan for that activity or separately, as appropriate, to ensure that it has been completed
effectively.

5.2 When satisfied that the action has been completed and is effective the Management
Representative signs the audit report to close it.
Table A.7 Example audit schedule for an organization with three locations
Process Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Managing Contact Centres
New Business W+T
Client Service W+T
Client Service Operations W+T
Contact Centre W+T

Managing Contract Assignments T


New Business T
Client Service and Client Service Operations T
Contract Recruitment T

Managing Tactical Assignments T

Managing Information Systems W+T

Managing Land D Services W C

Managing and Developing People W C T

Managing Finances T

Managing Facilities W C T

Marketing W C T

NOTE This audit schedule example is taken from an organization operating over three sites in Warrington, Thame and Crawley, hence the W+T+C, which indicate the
specific location to be audited.

References

International standards
ISO 9001:2000, Quality management systems - Requirements
ISO 19011, Guidelines for quality and/or environmental management systems auditing
ISO 14001, Environmental management systems - Specification with guidance for use

Other books in the process management series
HPO (2003) Understanding ISO 9001:2000 and Process-based management systems, London, BSI
HPO (2003) Creating a process-based management system for ISO 9001:2000, London, BSI