By IJ Arora, Ph.D.

When it comes to outsourced processes, the question (to paraphrase William Shakespeare) is, “To audit or not to audit?”

Take, for example, the requirements from the primary process-based management system standard, ISO 9001:2015. One might consider the system approach as provided in clauses 4.4.1a through 4.4.1h and conclude that monitoring and control are needed to appreciate the risks of the inputs and ensure continual improvement. The standard is meant to be interpreted, and so nothing prescriptive is expected. Yet, the question remains as to how organizations might control the processes and confirm they are meeting objectives. Clause 5.2, “Policy,” leading to clause 6.2, “Objectives,” provides a hint that evidence should be gathered of measurable objectives being met. Yet, how do we get the inputs to draw a conclusion? The inputs are necessary, and therefore there is a need to determine the available methods to gather and control information.

Perhaps the answer can be found in the auditing function. By implementing a robust supplier evaluation process, including audits as needed, organizations can strengthen the quality management system and build strong, reliable relationships with suppliers. Note that standards such as ISO 9001:2015 don’t specifically mandate audits, yet the intent of registration to a standard is to control the organization’s processes. if not auditing, then what other mechanisms can organizations use to control an outsourced process and minimize risks to their end customers?

Exerting control

Clause 8.4.2 of ISO 9001:2015 deals with the type and extent of controls that an organization must apply to externally provided processes, products, and services. The key aspects in this discussion include ensuring conformity, the types of controls needed, and the extent of these controls. Conformity has at its core the principle to ensure that these external provisions do not negatively affect the organization’s ability to consistently deliver conforming products and services to its customers. This means the organization must have mechanisms in place to ensure that the quality of the external inputs meet the organization’s requirements and ultimately satisfy customer requirements.

Types of controls could be interpreted as performing some extent of control, perhaps by auditing, even though auditing is not a specific requirement. The selection and evaluation of the controls would be based on establishing criteria for selecting and evaluating external providers (e.g., a robust quality management system of their own, past performance, registration, etc.) and/or conducting thorough assessments of potential suppliers (e.g., audits, questionnaires, site visits, etc.). In addition, it is important to put in place strong contractual agreements with external suppliers that include clear and measurable requirements, specific key performance indicators (KPIs), and acceptance criteria for the purposes of monitoring and measurement. This could include tracking supplier performance against agreed-upon KPIs, analyzing data to identify trends and areas for improvement, conducting regular performance reviews and feedback sessions, performing root cause analysis and corrective and preventive actions when issues are identified, and appreciating risks by being proactive and using preventive measures.

The extent of this control would depend on the criticality of the externally provided process, product, or service to the organization’s overall quality. For high-risk items, more stringent controls (e.g., more frequent audits or more rigorous inspections) might be necessary as, for example, in the aerospace industry. In essence, clause 8.4.2 emphasizes the importance of proactive measures to ensure that external inputs do not compromise the organization’s ability to deliver quality products and services to its customers.

Auditing provides all these inputs if the audit is correctly planned and executed. For example, with approval, this level of control could be achieved by remote cameras or the presence of the organization’s inspectors at the supplier’s facilities. The point is to maintain the customer focus (clause 5.1.2) and embrace a risk-based approach. The extent of control should be proportionate to the associated risks. Continual improvement entails that the organization should continuously review and improve its processes for external controls.

Therefore, although clause 8.4 (specifically subclauses 8.4.1, 8.4.2, and 8.4.3) does not explicitly mandate supplier audits, it strongly implies their importance. Therefore, a strong focus on control must be interpreted. Clause 8.4 emphasizes the need to control externally provided processes, products, and services. Auditing is a crucial tool for evaluating a supplier’s ability to meet quality requirements and maintain control over their processes.

Mitigating risk

To ensure adequate risk management, one must consider if the supplier’s performance directly affects the organization’s ability to deliver quality products or services. Audits help identify and mitigate potential risks associated with using external providers. Continual improvement is an important outcome of auditing and provides valuable feedback on supplier performance. This enables the organization to identify areas for improvement in their processes and their practices around supplier selection and supplier management. Therefore, although not strictly mandated, supplier audits are highly recommended for organizations seeking to effectively implement ISO 9001 and ensure the quality of their products and services. The key considerations would be:

• Risk-based approach. Auditing efforts should be focused on suppliers that pose the highest risk to the organization’s quality objectives.
• Variety of evaluation methods. Audits are just one method of supplier evaluation. Other methods include performance monitoring, feedback analysis, and site visits.
• Documentation. Maintain clear documentation of all supplier evaluation activities, including audit findings, corrective actions, and improvement plans.

When considering the outsourcing of a process, the organization must assess and determine the criteria by which suppliers are selected. Through systematic evaluation, an organization can implement a rigorous supplier selection process that includes:

• Detailed questionnaires to gather information on the supplier’s quality management system, processes, and capabilities
• Reference checks made by contacting previous customers to assess the supplier’s performance and reliability
• On-site visits to observe the supplier’s operations and assess their facilities, equipment, and personnel
• A risk-based approach matrix to prioritize suppliers based on the potential effect on the organization’s quality objectives

In planning bids, creating contractual agreements, or other processes involving outsourcing, the following should be considered:

• Clear specifications. Define clear and measurable requirements for the outsourced product or service.
• Performance metrics. Establish KPIs to track supplier performance, such as on-time delivery, defect rates, and customer satisfaction.
• Contractual penalties. Include clauses for non-compliance with contractual obligations, such as late deliveries or subpar quality.

The procedures for monitoring and measuring outsourced processes must be well thought out and should be done when tendering a contract. Remember, adding requirements subsequently is often difficult. Consider the following:

• Regular performance review. Conduct regular performance reviews with suppliers to track their performance against agreed-upon KPIs.
• Data analysis. Analyze data on supplier performance, such as defect rates, delivery times, and customer complaints to identify trends and areas for improvement.
• Feedback mechanisms. Establish a system for collecting and analyzing feedback from internal and external customers regarding supplier performance.

Whether an organization prefers to audit or use other means of controlling the outsourced process, a well-thought-out collaboration and communication plan should be made, considering:

• Open communication channels. Maintain open and regular communication channels with suppliers to address concerns, share information, and collaborate on improvement initiatives.
• Joint problem solving. Work collaboratively with suppliers to identify and resolve issues related to quality, delivery, or other performance concerns.

Continual improvement is integral to any good management system. As a summary I would suggest the following:

• Regular reviews and updates. Regularly review and update your supplier management processes to ensure they remain effective and aligned with changing business needs.
• Supplier development. Implement programs to help suppliers improve their quality management systems and performance.

By implementing a combination of these mechanisms, organizations can effectively control outsourced processes, minimize risks, and ensure that they receive high-quality products and services from their suppliers.

Clause 9.2.1 of ISO 9001 does indeed suggest that auditing outsourced processes is good practice. This clause states that organizations should conduct internal audits to evaluate the effectiveness of the quality management system. The scope of internal audits typically includes all relevant processes and activities within the organization. How this relates to outsourced processes is where the requirement becomes open to interpretation. Although it does not explicitly state “supplier audits,” the clause implies that evaluating the effectiveness of processes that are outsourced is part of assessing the overall effectiveness of the QMS. If the outsourced processes significantly affect the organization’s ability to meet customer requirements, then those processes should be included in the scope of internal audits.

About the author

Inderjit (IJ) Arora, Ph.D., is the President and CEO of QMII. He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and has a 34-year record of achievement in the military, mercantile marine, and civilian industry.