One of the most frequent concerns raised by auditors about ISO 9001:2015 is how to audit a quality management system (QMS) that has little or no documentation. ISO 9001:2015 doesn’t include specific requirements for documented procedures and doesn’t require a quality manual. However, it does require “documented information” related to a number of requirements. Several of the new requirements: context of the organization (clause 4.1), actions to address risks and opportunities (clause 6.1), and organizational knowledge (subclause 7.1.6), have no such reference. So how can these “documentless” processes be audited?
ISO 9001:2015 defines an audit as a “systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” The standard defines audit criteria as a “set of policies, procedures or requirements used as a reference against which objective evidence is compared.” Finally, ISO 9001:2015 defines audit evidence as “records, statements of fact or other information, which are relevant to the audit criteria and verifiable.”
It may appear from these definitions that audit evidence and audit criteria must be documented. However, the key questions that come to mind when limited or no QMS documentation is available are:
- How are audit criteria established?
- What audit evidence is available to evaluate conformance?
The answer to these questions is found in understanding the QMS from the process approach and applying essential auditing skills.
Consider that every activity within an organization is a process that—by definition—takes inputs and converts them to an output typically of greater value through defined steps. Thus, the basic audit criteria for any process can then be derived through a set of process questions:
- What is the desired output?
- What input triggers action toward the desired output?
- What steps are taken to transform the input to the output?
Every process must have a process owner who’s responsible for managing the process and its related outputs. Specifically, a process owner is responsible for:
- Clearly identifying process output requirements
- Determining process interfaces, including input triggers
- Defining how the process is to be executed (process sequence and actions)
- Establishing process performance goals
- Evaluating potential process risks in achieving output requirements and process performance goals
- Determining appropriate process and output controls
- Identifying, obtaining, qualifying, and maintaining process resources
- Monitoring ongoing process performance (process execution and outputs, both internal and external)
- Changing/improving the process as necessary
Recognizing the process owner’s role makes it clear that audit criteria can be determined by interviewing the process owner. The process owner’s responses to the questions then become the basis for gathering the objective evidence to verify conformance to the stated audit criteria. This approach requires auditors to exercise several critical auditing skills:
- Initiating the audit by interviewing the process owner to establish the audit criteria. This will challenge auditors to carefully listen to the process owner’s responses to audit questions and quickly organize this information into a process framework.
- Be able to quickly develop open-ended audit questions based on the process owner’s response to the questions and gather relevant audit evidence from personnel working in the QMS process, including the process owner. This technique for gathering objective evidence is often referred to as corroboration.
- Be capable of synthesizing auditee responses to determine alignment with audit criteria as described by the process owner and recognize relevant audit trails for exploring the sequence and interaction of QMS processes.
While this approach to auditing certainly depends heavily on auditors’ listening skills and ability to organize information, it also offers greater flexibility in the depth of questioning that can be pursued during an audit. The auditor is no longer limited to questions related to whatever is stated in QMS documentation.
This does mean a bit more work for the auditor—especially during the audit—and perhaps auditees will be nervous not having a script to follow when responding to auditors’ questions. However, the potential for exploring potential risks and opportunities related to QMS processes is much greater. These benefits will increase the value of audits and the information they can provide to process owners and the organization’s leadership in better utilizing their QMS for increased customer satisfaction and improved business performance.
About the author
Cathy Fisher is founder and president of Quistem LLC, which provides online and onsite management systems implementation, update, and assessment services for manufacturers and other industry sectors. Cathy has more than 30 years of respected auditing expertise, having led internal audit programs at many manufacturing organizations during her career. Cathy also has extensive experience conducting management system registration audits, as well as establishing supplier evaluation and development programs.
She has held numerous auditor certifications including ASQ CQA, RAB-Certified Quality Systems Auditor, and ISO/TS 16949 IATF-recognized auditor. She has conducted internal and external audits that total more than 1,000 audit days and trained hundreds of management systems professionals as auditors. Cathy is passionate about the value auditing can bring to organizations and enjoys mentoring the next generation of technical professionals to develop their auditor excellence.