by Gayle Norman
Most organizations are operating pretty lean today (pun intended!) and doing it quite well, using both lean principles and a minimum number of employees to effectively accomplish their mission and goals. Mature organizations don’t need to prepare as much for an upcoming audit as a newly certified organization or one that is about to go through the registration process for the first time. These organizations have moved toward incorporating quality processes into their normal work routines and don’t need the rigorous preparations that a yet-to-be certified or newly certified organization might need.
It’s imperative in today’s competitive environment that organizations make the best use of their resources—time and people—by choosing effective methods to prepare for International Organization for Standardization (ISO) audits, whether they’re internal, third-party, or regulatory. An organization I will describe in this article has implemented three changes to improve its efficiency and provide value to its internal customers:
- Use a checklist that includes items asked on surveillance audits.
- Use risk-based audits and include coaching and/or training in the audit.
- Hold training sessions to address a particular quality topic.
Use a checklist that includes items asked on the surveillance audits
To assist with preparation for an upcoming ISO surveillance audit, the organization’s internal audits mimic the ISO registrar’s third-party audit as much as possible. Three standardized checklists (A, B, C) are used, dividing the ISO system requirements so that each year one-third of the systems are audited. Thus, every three years when re-certification is due, all sections have been covered. However, there are a number of sections that are covered for each internal audit every year. These sections are asked by the third-party auditor each year, regardless of the sections covered on the annual surveillance audit. This helps the employees to prepare for the annual surveillance audit. In addition, the checklists are customized using the organization’s jargon for its in-house systems and are made available in the document management system so that employees can see what the different audits will address. Checklists are intentionally designed with “show me” requests, which stimulate open-ended responses about the processes used. Expected proof or evidence of effective systems can also be found on the customized checklist under a “Things to Look For” column. This helps both the auditee and the auditor.
A breakdown of the checklists and the areas addressed are shown below:
Audit Checklist A
- Clauses 4, 5, 6, 8.2.2, 8.5
Audit Checklist B
- Clauses 4, 5.3, 5.4.1, 5.5, 5.6.2, 5.6.3, 7, 8.2.2, 8.5
Audit Checklist C
- Clauses 4, 5.3, 5.4.1, 5.5, 5.6.2, 5.6.3, 8
Regardless of the checklist used, each internal audit covers the following areas. Sample items are noted.
Clause 4—Quality management system
4.2.2—Quality manual
- Show me your quality manual.
4.2.3—Document control
- Show me the document control procedure used in your area.
- Explain the document control process used for identified documents in your area.
- Show me the procedures under document control that are available in your area.
- Show me any documents of external origin used in your area.
4.2.4—Records control
- Show me your quality records procedure.
- What are some of the quality records with which you are personally involved?
Clause 5—Management responsibility
5.3—Quality policy
- What does the quality policy mean to you?
5.4.1—Quality objectives
- What are your quality objectives?
- Show me the measurement results of your quality objectives.
5.5—Responsibility, authority, and communications
- How has management identified your role to support the quality system? [Note: To assist with answering this question on internal and surveillance audits, the organization developed appendices for the following system processes: quality planning, raw materials, manufacturing, and shipping. Each appendix lists by title the employees’ key activities, roles, and responsibilities.]
- What is the role of the management representative?
5.6.2—Review input
- How are management reviews conducted? (What frequency? Who attends? What topics are covered?)
5.6.3—Review output
- What action items came out of the last review? [Note: The organization posts the minutes of the management review in its document management system so that all employees have access and the minutes are readily available to internal and third-party auditors.]
Clause 8—Measurement, analysis, and improvement
8.2.2—Internal audit
- Review the open audit findings from the last internal audit.
- Are any past due? [Note: This also provides an opportunity to determine both completeness and effectiveness on past internal audit observations which have been closed.]
8.5.1—Continual improvement
- What continual improvements were identified in the last management review?
8.5.2—Corrective action
- Review the corrective action system. Are there any past due actions?
- Randomly select action items (number depends on total) to determine if effectiveness was documented.
8.5.3—Preventive Action
- Review the preventive action system. Are there any past due actions?
- Randomly select action items (number depends on total) to determine if effectiveness was documented.
Use risk-based audits and include coaching/training in the audit
A chemical manufacturing organization that operates in shifts, 24 hours a day, seven days a week, has chosen to incorporate training (referred to as coaching) for an internal audit in its regular internal audit process. Employees are typically brought in on their off-days for training. Although they are compensated with overtime pay, they don’t always want to spend their days off in training. This results in both a cost savings and employee satisfaction with the internal audit process within the ISO system.
The organization recently re-evaluated the observations made during its internal audits. The checklists included many items that were good practices to follow but were not essential to manufacturing a quality product, or out of compliance with ISO standards. Questions are often developed to elicit answers that provide meaningful information about the organization’s specific processes. Not all employees will know the answers to all of the checklist questions, nor do they necessarily need to. However, when the auditees were found out of compliance with the checklist, they were written up with an audit finding, which in turn, resulted in time spent conducting root cause investigations, assignment of corrective/preventive actions, as well as handling the audit action item in the organization’s corrective and preventive action system. This meant less time to spend on more important problems.
To make this process more efficient and address the concerns of upper management, a risk-based audit process was implemented. The same checklists were used, but they were revised to denote items that would compromise quality or jeopardize the ISO certification. For all other items, observations would be noted as coaching opportunities. Internal auditors now conduct on-the-job training for individuals during the internal audit. However, the observations are noted as coaching opportunities in the internal audit report so they can be further evaluated in management Reviews to determine if additional measures for training or system improvements are warranted.
In addition to those common items noted for all internal audits above, an example of checklist B items, which could possibly compromise quality or jeopardize the ISO certification, follows.
Clause 7—Product realization
7.1—Planning of realization processes
- Show me product requirements/specifications developed for each product shipped from your area.
7.2—Customer-related processes
- How are changes in customer requirements communicated?
7.4.1—Purchasing process
- Explain the purchasing process for raw materials.
- How are suppliers qualified?
- Where is the list of approved suppliers?
- How are supplier problems communicated?
7.4.2—Purchasing information
- How are supplier requirements specified?
7.4.3—Verification of purchased product
- Explain the raw material receipt process for bulk materials.
- Explain the raw material receipt process for packaged materials.
- How do you ensure that purchased raw materials meet specifications?
- What part does the laboratory play in the raw materials receipt process? Provide evidence of laboratory approval.
- What happens when you receive an off-specification raw material?
An example of checklist items that could be used for coaching opportunities are shown below. Note that the absence of these activities could possibly be identified as findings but not knowing examples or locations provides an opportunity for coaching.
5.1—Management commitment
- How does management show commitment to development and implementation of QMS and continual improvement?
5.3—Quality policy
- Where is the quality policy located?
- When is the quality policy reviewed for suitability?
5.5.3—Quality information
- How is quality information and quality results communicated to you?
7.5.1— Control of product and service provision
- What is used to keep the process in control for operations?
7.5.4—Customer property
- What is customer property?
- What customer property is used in your area?
8.2.1—Customer satisfaction
- What is used to determine if your customer is satisfied?
8.5.1—Continual Improvement
- What facilitates the continual improvement of quality management system?
Hold training sessions for employees to address a particular quality topic
Under specific circumstances—such as newly hired employees, transferred employees who are new to the area, or ISO compliance problems—it may be necessary to prepare for ISO audits with employee training.
The organization’s training program for newly hired operators includes a two-hour segment of quality training. In earlier years, just after ISO certification, training included more in-depth information about ISO and its background. However, most employees coming into the work force today have the knowledge of basic background information on ISO; thus, only a brief explanation is provided.
One chemical manufacturing facility has found it beneficial for employees to focus the training on one particular quality topic. “What You Need to Know for an ISO Audit,” for example, introduces the organization’s quality system and then focuses on one of the required documented processes which directly involves, and provides assistance to, the employees.
The training for this organization begins with an overview of the employee(s) responsible for managing quality, including an introduction of the quality management representative, who is typically the instructor for the course. An explanation is provided for the responsibilities (noted in the ISO standard) and the importance of this position in relation to the employees. The employees are invited to call upon the quality management representative for an unbiased and independent view, if there are quality-related problems, especially if employees are uncomfortable discussing these types of problems within their work environment. Employees are asked to identify the organization’s quality management representative on internal audits.
The ISO certificate and the organization’s quality policy are shown to provide an opportunity to give a brief explanation of ISO and the organization’s quality origin. The organization’s quality manual is also introduced to the employees. (On internal audits employees are quizzed on the content of the quality policy and what it means to them, as well as the location and content of the quality manual. Many of the checklist items can be answered from the quality manual. This provides the opportunity for employees to become familiar with the quality manual, when, otherwise, they may not have an interest or find ample time.)
The employees are then trained on how to answer common quality system questions asked on each internal audit. For example, to answer the auditor’s question about an employee’s contribution as a loader from the shipping area, to the raw material process, the individual may use appendix 2 (Roles and Responsibilities for Raw Materials Receipt Process) of the quality manual. For example, the loader operator’s responsibilities include:
- Quarantines raw material upon receipt.
- Initiates raw material inspection request.
- Catches sample (if required) and brings to lab.
- Unloads raw material when quality control lab approves.
- Provides information for supplier correction action reports.
As another example for auditor’s questions about an employee’s contribution as a loader from the shipping area to the product shipping process, the individual may use appendix 4 (Roles and Responsibilities for Product Shipping Process) of the quality manual. The bulleted items beneath the loader operator position include:
- Approve bulk trucks to enter site.
- Use approved procedures to load tank trucks, rail cars, sea containers.
- Make quality decisions to load containers or not.
- Enter rail car pre-load requests into transportation management system.
- Process tank truck orders in transportation management system.
- Ensure compliance of special order instructions.
- Log in and take samples to lab.
- Ensure orders are shipped correctly and on time.
- Copy necessary records and paperwork for records retention.
- Monitor and ensure safety in area.
- Monitor inventories and replace stock items.
The employee can then easily provide the evidence of records needed to support these activities (raw material receipt and request forms, sample results in the laboratory information management system, supplier correction action reports, purchase and delivery orders, certificates of analyses, loading checklists, and procedures).
Employees are asked on the audit about the quality goals that are being tracked in their areas of responsibility. They are asked how the results are communicated to them and to provide their current status. The results of the quality goals are posted in the document management system so that users can readily access the goals to see if they are meeting their targets or not.
Employees are asked about their involvement in the six required documented ISO processes, which can all be found in the document management system for easy access. Some common questions asked by the auditor regarding the document control process:
What are some of the documents for which you are involved in your area? Appendix 5 of the quality manual has been developed to indentify the controlled documents used in different areas of the organization. Operators may identify:
- Operating instructions
- Specifications: Raw material, product, customer
- Process flow diagrams
- Quality manual
- Quality procedures
- Document control procedure
- Records retention
- Nonconforming product control
Explain your document control process.
- How is the latest version made available to you?
- Electronic document management system
- How are documents identified as controlled? Stamps printed from the document management system designate the documents as uncontrolled.
- How are changes made to your documents?
- Who reviews and approves the changes made to the documents?
- Where are the approvals noted?
The organization has found the use of a checklist similar to that used on the surveillance audits, risk-based audits that include coaching during an audit, and holding training on specific quality topics also helps employees to better understand the intent of ISO standards through discussions with trained quality auditors about the their quality system. Whether intentional or not, incorporating these methodologies in an organization’s audit preparations not only increases efficiency and provides value, but also increases compliance that eventually leads to more successful internal and third-party audits.
About the author
Gayle Norman, BASF quality systems team leader, is responsible for BASF’s internal audit process and is the quality management representative at its Geismar, Louisiana facility. She leads a team of internal auditors from the site, four of whom are quality specialists trained as lead auditors.
Awesome explanation.
I like how you related the clauses numbers. This gives more clarification and understanding of the ISO requirements.
I would appreciate an example of centers that provide a service – say research center – biobanks – Teaching centers