How to Audit the Process-Based QMS
About this ebook
Arter, Cianfrani, and West, experts in both ISO 9001 and auditing, believe that the art and science of auditing quality management systems that have been designed and implemented following the process approach (the foundation of ISO 9001:2008) is more challenging and interesting than auditing discrete elements to determine whether documented procedures and records exist. Auditing a process-based QMS, or even small elements of such a system, requires auditors to understand and integrate into an audit all aspects of organizational activities, from high-level planning through ensuring that customers are satisfied.
The role of auditing is evolving, and the skills and competence required to do it well also must evolve. The contents of this book will help auditors understand their role in the organization and discharge their auditing duties in a way that is challenging to them and contributes to the success of the organization.
Reviews for How to Audit the Process-Based QMS
1 rating, 1 review
- Rating: 5 out of 5 stars. This is a useful book. I recommend it to everybody in this field.
Book preview
How to Audit the Process-Based QMS - Dennis R. Arter
Preface
This book is intended to help those involved in managing and conducting audits to ISO 9001:2008. It can be used as a guide to establishing a new audit program or for revitalizing one that has been operational for some time. It focuses on achieving an audit program that produces value-adding results for the organization. To facilitate ease of use by the reader, this book consists of a general introduction followed by four parts:
• Part I Process-Based Auditing
• Part II Audit Program Management
• Part III The Process of Auditing
• Part IV Aids for Audit Program Implementation
USING THIS BOOK
First read the book in the order it is presented. As you read, refer to the items in Part IV to understand how the concepts may look on paper. This gives a complete understanding of how the concepts can be adapted to a specific set of circumstances. Icons in the margins direct the reader to the appropriate items in Part IV. The items presented in Part IV include:
• Tools (forms or worksheets) that can aid in accomplishing a recommended activity.
• Checklists that can be used to ensure that all activities have been considered.
• Questions that should be considered when auditing processes, functions, or specific requirements of ISO 9001:2008.
We believe that the art and science of auditing quality management systems that have been designed and implemented following the process approach (the foundation of ISO 9001:2008) is more challenging and interesting than auditing discrete elements to determine whether documented procedures and records exist.
Auditing a process-based QMS, or even small elements of such a system, requires auditors to understand and integrate into an audit all aspects of organizational activities, from high-level planning through ensuring that customers are satisfied.
Indeed, the role of auditing is evolving, and the skills and competence required to do it well also must evolve. We believe that the contents of this book will help auditors understand their role in the organization and discharge their auditing duties in a way that is challenging to them and contributes to the success of the organization.
Part I–Process-Based Auditing
INTRODUCTION—THE BASICS OF PROCESS-BASED AUDITING
Part I provides a broad overview of the basic elements of auditing, and specifically auditing ISO 9001:2008-based quality management systems. It discusses the concepts behind auditing, reviews audit principles, describes the process approach to quality management systems, addresses how to audit a process-based system, and reviews the two basic purposes for conducting audits.
This section is divided into four chapters. Chapter 1 addresses audit concepts, principles, and requirements. It defines auditing and provides a practical explanation of the principles that audit programs and auditors should use as their basic guides. It also covers the audit requirements of ISO 9001:2008 and discusses how those requirements should be applied.
Chapter 2 is dedicated to a detailed explanation of the process approach. It discusses the eight quality management principles that were used as key input for the development of ISO 9001:2008. It explains how organizations should use the process approach in developing their quality management systems. A complete understanding of these concepts is essential for auditors who will audit systems to the requirements of ISO 9001:2008.
Chapter 3 addresses auditing the process-based quality management system. It provides insight into the audit processes that can be used, and gives strategies for auditing a process-based system.
Chapter 4 describes the distinction between auditing to ensure conformity to requirements and auditing for performance improvements.
1–Audit Concepts, Principles, and Requirements
Periodic evaluations are essential to ensure effective, ongoing implementation and improvement of any quality management system. Various evaluation techniques are used. Inspection, statistical process control (SPC), and product auditing are commonly used for products and processes. For quality management systems, the most common techniques are auditing, management review, and self-assessment.
Auditing is a process in which an objective and impartial evaluation is made of all or part of a quality management system’s implementation against agreed-upon criteria. This chapter discusses the requirements for internal auditing as found in ISO 9001:2008, clause 8.2.2, Internal audit.
Internal quality audits are used to evaluate the adequacy of documents used to implement the quality management system, whether quality management system requirements are being met, and the effectiveness of system implementation. Audits can also be used to identify opportunities for improvement.
Audits are conducted by, or on behalf of, an organization for internal purposes and can form the basis for the organization’s self-declaration of conformity. Supplier audits are conducted by customers of the organization or by others on behalf of a customer. Registration and government audits are conducted by external organizations outside of the typical customer–supplier relationship. All of these organizations can verify whether requirements, such as those of ISO 9001:2008, are being met.
Management review of the quality management system is a process by which top management conducts regular, systematic evaluations of the suitability, adequacy, effectiveness, and efficiency of the quality management system with respect to the quality policy and objectives. This review is the subject of ISO 9001:2008, clause 5.6, Management review. The review process also should verify that the quality policy and quality objectives are aligned with and support achieving overall business policy and objectives. It can include consideration of the need to modify the quality policy and objectives in response to changing needs and expectations of interested parties. The management review includes determination of the need for actions to improve products and processes. Audit reports are among the sources of information used for this review of the quality management system.
Self-assessment is a process for comprehensive, systematic, and regular review of the organization’s activities and results. We use the term to mean an evaluation in which the organization’s activities and results are compared to performance improvement criteria such as ISO 9004:2009 or a model of excellence such as the criteria for the Malcolm Baldrige National Quality Award. Self-assessment methodology can provide an overall view of the performance of the organization, and the degree of maturity of the quality management system. It can also help to identify areas requiring improvement in the organization, and to determine priorities. Such self-assessments typically go beyond auditing against detailed requirements. In doing so, they look for opportunities for the organization to improve its efficiency and performance. Self-assessment is discussed in ISO 9004:2009, clause 8.3.4, Self-assessment, and a process for self-assessment is given in ISO 9004:2009, Annex A. Sometimes the term self-assessment is used differently to mean corporate audits (as practiced by operational or financial auditors) or assessment of personal values.
The U.S. Technical Advisory Group to ISO Technical Committee 176 (US TAG to TC 176) identified a need to improve the self-assessment approach and annex included in ISO 9004:2009 to make it easier for small and medium-sized organizations in the United States to conduct self-assessments. To meet this need the US TAG created a Technical Report to provide users with an alternative to the ISO 9004 self-assessment text and annex. This Technical Report has been registered with the American National Standards Institution (ANSI) and has been approved by and is available through the American Society for Quality.
Some have argued the merits of one approach over the others. Organizations may wish to use all three since each has its own advantages. By its very name we can assume that self-assessment is normally performed by and for the organization being evaluated. This means that those who have the most extensive knowledge of the processes conduct the evaluation. The insight gained by these insiders can form the basis for fundamental process changes. Self-assessments tend to be very detailed examinations using high-level criteria most pertinent to the organization, and involve judgments on the maturity of the quality management system. They are generally conducted less frequently than the other two types of evaluations. Management review, on the other hand, involves an organization’s top managers making determinations of their own system’s sufficiency, adequacy, and effectiveness. Management reviews can use the results of self-assessments and audits as well as other data such as process performance trends and customer feedback. Audits are somewhat different in that they are, by definition, independent activities conducted against fixed requirements such as ISO 9001:2008 and methods used for local implementation. Management review and self-assessment are characterized by direct involvement of those responsible for the processes being examined. Audit, on the other hand, is characterized by the concept of independence. While the topic covered in this book is auditing, the authors believe that organizations should employ a mix of all three techniques.
AUDIT DEFINED
The concept of audit is defined by ISO 19011:2011 and by ISO 9000:2005 as:
systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
This is a flexible and useful definition, but it is general and does not mention quality. In other words, auditing is a process:
• For obtaining evidence (facts supported by credible data) related to the system, process, area, subject, or activity being audited
• For determining the extent to which the system, process, area, subject, or activity being audited meets some specified criteria
• That is conducted objectively and impartially
This definition provides a foundation for many of the concepts needed to manage and conduct audits.
AUDIT PRINCIPLES
Any quality management system audit program should be grounded in the principles that govern good auditing. A number of principles stated in ISO 19011:2011, Guidelines for auditing management systems, can be used to guide the audit program and the auditors (see Figure 1.1).
The principles deal with the overall integrity and operation of the audit program and the integrity of the program’s auditors, as well as with how audits are conducted.
Figure 1.1 Principles from ISO 19011:2011.
Source: ASQ/ANSI/ISO 19011:2011. Used by permission.
The audit program should be able to achieve consistent results regardless of which auditor conducts a specific audit. Audits are a key input into top management’s determination of the suitability and effectiveness of the quality management system. Management should be able to rely on the audit results to give a fair, accurate, and comprehensive picture of the quality management system. To ensure this consistency and reliability, the leaders of the audit program need to ensure that it evidences certain characteristics:
• Objectivity. The audit process should be set up so that personal feelings, opinions, or interests do not influence it. This means that the assignment of auditors must ensure that the individuals assigned to a particular audit can be objective. Naturally, this must be a key consideration in the determination of individuals who are suitable for inclusion in the pool of available auditors.
• Impartiality. The audit program must not favor one part of the organization, one manager, or one process over others. The audit process should treat each part of the organization impartially. This includes audit scheduling, audit frequency, assignment of auditors, conduct of audits, and reporting of audit results.
• Evidence-based focus. The audit process should be focused on determining the truth. As with the legal system, auditing should attempt to determine the truth, the whole truth, and nothing but the truth.
But auditors are faced with limited time and resources, and truth can be elusive. To determine the absolute truth, it is necessary to consider all points of view. This just may not be possible given the constraints placed upon a particular audit. It means that auditors need to focus most of their effort on determining the facts. The definition of the term audit includes the idea of obtaining