by Andy Hofmann
Recently, I had the opportunity to take over a registration issued by another registrar. Not ten minutes into my opening meeting, the client started to drop hints about the past registrar even though I make it a policy not to discuss the past. As I described the process that we would go through to assume the certificate, the client indicated that my approach to the audit was very different from that of my predecessor. Because consistency of registration is an important objective of the audit profession, I thought we might explore this further.
First, some context surrounding takeover audits. For many reasons, a registered organization may decide to switch certification bodies (CBs). Reasons may include: the CB has been bought or closed, price, a dispute with the auditor’s approach, or service issues such as report and certificate production. Whatever the reason, the CB assuming the registration must work through a defined process to issue a replacement certificate.
First, the CB must ensure that the existing registration is in good standing. That means there should be no open major or minor nonconformities. There should be no notice of suspension or withdrawal registered against the certificate. The organization shouldn’t be engaged in significant product quality issues, such as a wholesale rejection of shipments. And finally, the certified organization should have the ability to pay its bills.
To assess all the foregoing criteria, the CB will request the previous audit report and closure actions from the certified organization. The auditor performing the takeover audit will be provided this information so that he or she can create an audit plan that addresses the processes that were involved in the previous nonconformities. It’s here that things can start to get interesting.
In the recent takeover that was sent to me for review, there were nonconformities related to a lack of a signature on certain forms and revision levels on documents. Neither of the nonconformities indicated what the context was surrounding these observations. They simply stated that Record 1234 was missing a review signature and Document 5678 was found in a binder at Revision 3 when the released version was Revision 4. No further information had been provided in either the report or the nonconformities.
To prepare for the audit, I needed to complete an audit plan. I dug into the scope of the audit and the activities of the organization, which provided engineering services to large utilities. As such, its management system was structured to address the modus operandi: project management. In support of each project, there were statements of design intent, schedules, design reviews, design approvals, file/drawing delivery, and project finalization. The certified organization also had a testing capability to qualify some of the materials installed in the projects. Because I didn’t know the precise context of the nonconformities, I planned some time in the design review process as well as the document approval process.
Upon arrival on site, the introductions were barely complete when I got the sense that the split from the last registrar was less than amicable. This came up as a result of mentioning the follow up of the issues originating from the last audit. The entire senior team seemed to cringe whenever these issues were mentioned.
After the opening meeting, I asked to see what action was taken with respect to the missing signatures on the record mentioned during the previous audit. The record in question was produced and I looked it over. It was a request for vacation. The process for such requests was that they would be in the project file to demonstrate the number of engineering hours available each week of the project. The form required the person requesting vacation to sign it, pass it to the supervisor for review, and then to the project manager for approval. The “review” signature had been missing because the supervisor was on vacation when the request was submitted. The manager had approved the request and the vacation hours were noted in accordance with the applicable procedures.
Think about this. It just took me 130 words to describe the foregoing situation. If there is anyone out there reading it, it took somewhere around two minutes to do so. In the client in question, as in many organizations, all external audit observations go to the senior management team. There are eight people on this team for this client. That is 16 minutes of time at an average of $10 per minute or $160 for the senior team to understand the issue. Was there $160 in value in this observation? Given the reaction of the client changing registrars, one would conclude not.
Every auditor can have a bad day. So, on to the second issue. Document 5678 was actually a drawing, so I thought this issue would be significant. I followed the trail back to the binder in question. The binder was the working copy of the project file. This client’s internal procedures required that the official copy of all documents be kept on the server as multiple engineers can be working on a system and its drawings at the same time. The binder in question was being held by the project manager to track progress.
At the time of the previous audit, the auditor asked the project manager to see the project schedule. The schedule was in the binder in question and the auditor reviewed it. While flipping through the various tabs, the auditor stopped at the tab for Drawing 5678 and noted the revision as Revision 3. The auditor asked the project manager to pull up the drawing from the system, as it had been updated and released to Revision 4 two days prior to the audit. The engineering change notice for this change was in the binder, but not the approved updated drawing. The auditor generated a nonconformity report as a result.
Now I began to understand the discontent that the organization had felt. Given the size and complexity of the projects and the challenges in meeting schedule, cost, and quality, these issues were just not on the same level of complexity.
At the time of the previous audit, there were 12 projects underway consuming time from more than 100 engineers. There were projects that were behind schedule, projects that were on schedule, and projects that were ahead of schedule. The clients had written feedback that was both strong and weak. Some clients had threatened to pull their projects while others were looking to provide more work. The auditor had not reviewed any of this information during the audit.
It struck me at that moment that the organization was experiencing significant performance variation. At the time of the previous audit, management hadn’t recognized this as an issue and consequently wasn’t doing anything about it. Had the external audit recognized this and made observations on it under customer perception and data analysis, the senior management team would have been grateful. That obviously didn’t happen because the auditor was consumed by detail.
Don’t get me wrong; I’m not saying that auditors don’t have to pay attention to detail. However, the details that we pay attention to should seek to demonstrate how the overall management system is functioning. To raise nonconformities on docu-trivia while missing real performance issues that the system hadn’t identified was, in my view, a missed audit opportunity. Had the auditor picked up on the system issues, I wouldn’t have had the opportunity to perform a takeover audit.
Like the organization in the foregoing example, we as the audit community have a lesson to learn from such a scenario. Some auditors have a deep understanding of their craft and how it fits strategically into the businesses being assessed. Others are satisfied to work on the details of forms and the information contained in them. The organizations that hire us are free to vote with their business.
There is a danger, however. If too many clients have too many bad experiences with third-party assessments, the gig will disappear. Remember that registration is often voluntary. Organizations are paying CBs and their auditors to provide value to their businesses beyond a simple piece of paper. If there is no value, there are other ways for companies to demonstrate to their customers that they are good performers. If they do this, certification opportunities will be diminished, reducing the number of auditors needed.
My challenge to you is about forests and trees. Auditing needs to be strategic. It must address the key objectives of the organization and determine if its systems adequately support them. Where the systems do support the objectives and the customers/clients receive value for their money—this shows ISO 9001 compliance. Where there is a significant distribution of satisfaction, the system is struggling with its consistency and the auditor has to look deeper as to why.
I wish I could say that my auditing skills contributed to improvement in the example client’s system. Between the audit by the former CB and my audit, management had figured out that it had a consistency problem on its own. It created action plans to address this and saw improvement and consistency in satisfaction levels. Although things weren’t perfect, there was sufficient training and reinforcement by management to move performance objectives in a positive direction. As a result, I concluded that the management system was in place and functioning. Therefore, the organization will receive an ISO 9001:2008 certificate from my CB.
The next time you perform an audit, ask yourself about the performance objectives of the organization. What is it trying to achieve with respect to customer satisfaction? Does its management system support or detract from these efforts? Audit evidence should be gathered that shows overwhelmingly that the system is working to support customer-facing objectives. Where you cannot find such evidence, you’re right to point it out. That kind of information will be well received by the senior management, much more so than improperly approved vacation requests.
About the author
Andy Hofmann has been involved with management systems for more than 30 years. He has audited more than 2,500 systems, giving him a unique opportunity view of organizations that are performing well and those that struggle. A regular contributor to American Society for Quality management systems conferences and publications, Hofmann’s intellectual property has received wide acceptance. Currently the president of ICS Certification Services, Hofmann continues to work with management systems professionals throughout North America. He has an MBA from the University of Toronto and is a Certified Engineering Technologist.