by Denise Robitaille:
With the impending release of ISO 9001:2015, there’s been a lot of dialog around the subject of “auditability.” The questions on many lips are “How will we audit some of the new requirements?” and “What evidence will be required to demonstrate conformance?”
It’s a shame that, for some, concerns about proof that something has been done have supplanted actually getting things done. Worrying about auditing first is like training kids how to take standardized tests rather than teaching them how to think and learn.
Auditing can be a very beneficial component of an organization’s quality management system (QMS). However, for those benefits to be manifested, the organization must first implement processes and practices to effectively achieve its goals. So what needs to happen to address both of the questions in a manner that provides benefit?
First, individuals within organizations must read and understand the revised standards—both ISO 9000:2015 and ISO 9001:2015. It’s important to pay attention to ISO 9000:2015 because it is the normative reference for all the defined terms used in ISO 9001:2015. There are a lot of new terms and understanding their meanings and use is relevant to effective implementation.
Because ISO 9001:2015 has moved toward less prescriptive language, the onus rests with the organizations to understand how the requirements apply to them. For example, the much discussed concept of “risk-based thinking” has created consternation with some users. Instead of trying to prove that we engage in risk-based thinking, it would be more appropriate to ask, “What risks must we consider?” If you read the standard, it directs you to clause 4 where internal and external issues are mentioned along with understanding needs and expectations of interested parties.
Therefore, in order to consider risk, it’s important to understand the requirements of clause 4—which essentially means identifying and understanding the effect of factors such as people, infrastructure, climate, marketplace, suppliers, availability of resources, and regulatory policies. Obviously, not all factors will be applicable to all organizations. Once you’ve conducted the appropriate deliberations, the next step is to take action, if needed, to mitigate negative consequences related to the applicable factors—bearing in mind that circumstances are constantly changing.
Acknowledging the constancy of change, it’s interesting to note that these requirements are consistent with current requirements in ISO 9001:2008 subclause 5.6.2 relating to reviewing changes that could affect the QMS. This leads me to the evidence. Once you’ve taken care of the requirements, it would be valuable to include what you’ve done (deliberations, risk-assessment, action items, etc.) in your records of management review. The evidence falls into place. This isn’t the only way that an organization can provide the requisite evidence, but it’s a nifty practice.
What, then, must auditors do? Just like the organizations implementing ISO 9001:2015, they need to read and understand the requirements. Afterward, they need to use three resources to conduct their audits:
- Utilize fundamental audit practices and principles.
- Ensure full comprehension of both ISO 9000:2015 and ISO 9001:2015.
- Understand the auditees’ organizational scopes, their documented information, and their industries or sectors.
Utilizing these resources, auditors follow the audit trails that unfold as they employ the process approach to assess inputs, activities, outputs, and support processes. As they proceed through their audit activities, they determine the effectiveness of processes and the QMS based upon their technical expertise in the auditees’ fields.
Well-trained auditors have been doing this for years. There will be a learning curve for some auditors in terms of understanding the new and revised requirements—hence the advisability of training on ISO 9000:2015 and ISO 9001:2015. However, when all is said and done, most issues with auditability should resolve themselves through diligence, practice, and learning.
About the author
Denise Robitaille is a member of the U.S. TAG to ISO/TC 176, the committee responsible for updating the ISO 9000 family of standards. She is committed to making your quality system meaningful. Through training, Robitaille helps you turn audits, corrective actions, management reviews, and processes of implementing ISO 9001 into value-added features of your company. She’s an Exemplar Global-certified lead assessor, ASQ Certified Quality Auditor, and ASQ Fellow. She’s the author of numerous articles and more than a dozen books, including The Corrective Action Handbook, The Preventive Action Handbook, and her latest book, 9 Keys to Successful Audits, all published by Paton Professional.