I, for one, get really frustrated when I review some audit surveillance reports. ISO 9001 is a management standard, with a range of different requirements, all of which need to be sampled in order for a reliable decision on the degree of conformance to be made. But the thing that continually annoys (but doesn’t surprise) me is the weighting that certain auditors put on to different requirements. There is a common pattern of distorted priorities that make me wonder whether some auditors have any comprehension of what matters and what doesn’t

Over-audited clauses

5.3 Quality Policy

OK, it’s a requirement, part of the standard, so conformance needs to be assessed, but frankly this should take ten minutes flat, especially considereing the bulk of conformance matters should have been picked up at stage 1. In any case, even in the event of a non-conformance on this element, the impact, consequences and risk of that non-conformance are never going to be earth-shattering, there’s never any justification for audit ad nausiem and/or a lap of honour around any non-conformances found. Get a life!

7.6 Control of monitoring and measuring equipment

The calibration system in other words. Part of the system, yes, complicated, no. This should not consume an inordinate amount of audit time. Even if a decent sample is taken, assessment of conformance or otherwise should be a quick and straightforward matter

6.2.2 Competence Awareness and Training

In my experience this rarely goes beyond looking at training records. Why? Because it’s easy and you always find something. Sitting in HR, opening up a few files with a nice pot of tea etc etc … this is the life. But what about “competence and awareness”? How often do these aspects get an appropriate level of air-time? These harder, trickier issues that you can only assess by getting your head round the activities and getting out into the workplace, observing, questioning, triangulating the evidence (too much like hard work? – you’d think). Getting back to training records, here’s a tip that should reduce the volume of time that you’ll need to devote to this topic – leave it till last

In terms of technique, if we leave the assessment of training records till last, all we need do as the audit progresses is to make a note of all of those people we see driving FLTs, working at height, using abrasive wheels, etc etc and then hand our list in to HR towards the end of the audit with the simple request “get me those training records” – what could be simpler and, more to the point, more reliable?

8.2.2 Internal Audits

This is quite important, always gets audited, but often not that well. The auditor may check for a plan, check its up to date, check the ncrs are closed out, maybe check training records for the auditors, fair enough, but how often do they:

• check the quality, depth and rigour of the audits?
• check the appropriateness of the corrective actions or the efficiency of the implementation?
• check the strategic use of audit information as an aid to future planning?
• check to see whether the performance of processes is assessed in any way?

Never mind, so long as we can tick off the easy stuff, we have evidence of cosmetic conformance. that’s enough, right?

Under-audited clauses

There has to be yin and yang in every system, so there are always be some under audited elements that add balance to the audit plan. Here’s my list of classic under-audited areas of the standard

8.2.3 Monitoring and measurement of processes

When was the last time anyone actually witnessed a conscious and structured assessment of this requirement? Not only is it under-audited, in my experience, it is roundly ignored. Process measures are usually measures of efficiency. Efficiency is part of ISO 9001, don’t you know, as well as conformance. When is this ever assessed? EVER?

It does not happen

5.4.2 Quality Management System Planning

This is more than having a schedule for internal audits and management review. Take a look at clause 5.4.2a really carefully. Do you see it now? We need a plan to support the implementation of the quality objectives. How often does an auditor hold the organisation responsible for the “P” is PDCA? Well, sometimes – I’m being kind – certainly not often enough, with organisations being allowed to offer the wooliest and most aspirational objectives you could imagine, without ever being held accountable for managing them through to a tangible conclusion

8.5.1 Continual improvement

Fair enough we’ll often see a cosmetic walk through of the various elements of the clause 8.5.1 (audits, MR, corrective actions etc) but when are we ever held accountable for joining them all up into a cohesively managed CI process? Not often I’ll bet

8.5.3 Preventative Action

My personal favourite. In QMS terms it is equivalent to Risk Assessment in an OHS context. It is that fundamental. But beyond holding the organisation accounatble for producing something that can loosely be described as its “mandatory documented procedure” the audit rarely goes any deeper. Is that right? Well, take a look at ISO 9004 if you need guidance. ISO 9004 actually describes the intended direction and application of Preventative Action pretty well. Here’s an excerpt:

“To involve people, top management should create an environment where authority is delegated so that people are
empowered and accept responsibility to identify opportunities where the organization can improve its performance.
This can be achieved by activities such as:

– setting of objectives for people, projects and the organization,
– benchmarking competitor performance and best practice,
– recognition and reward for achievement of improvement, and
– suggestion schemes including timely reaction by management

To provide a structure for improvement activities, top management should define and implement a process for
continual improvement that can be applied to realization and support processes and activities. To ensure the
effectiveness and efficiency of the improvement process, consideration should be given to realization and support
processes in terms of:
– effectiveness(such as outputs meeting requirements),
– efficiency (such as resources per unit in terms of time and money),
– external effects (such as statutory and regulatory change),
– potential weakness (such as lack of capability and consistency),
– the opportunity to employ better methods,
– control of planned and unplanned change, and
– measurement of planned benefits”

Now I can’t say that I have ever witnessed a third party auditor assessing clause 8.5.3 in this way. Why? Who knows

Anyway, as a means of wrapping up this article and to form some sort of point, it may be that there is not too much actually wrong with the requirements of this standard, as such, but possibly plenty wrong with the way that it is used. We could do better than start doing things properly and then see how much added credibility the certification industry achieves. Just a thought