By Denise Robitaille
There’s been a lot of buzz in the last couple of years about the changes in the field of auditing. ISO 9001:2015 de-emphasized the need for “document procedures.” It brought greater prominence to the importance of risk. (Risk was actually already mentioned in prior versions of the standard; see 0.1 of the introduction to ISO 9001:2008.) There’s the examination of the process approach and the context of the organization. Add to that the fact that ISO 19011 is currently being revised. And, finally, our world has evolved bringing us new technology that enables, among other things, remote auditing.
With all of these changes, many auditors have confused revisions in requirements and alterations in the environment in which they audit to suggest that the fundamentals of auditing have changed. Or, that remote auditing (and its close cousins virtual and e-auditing) constitutes a new type of audit.
The fundamentals of quality auditing remain unchanged and continue to be the bedrock of the profession.
Let’s look at some of the supposed changes. ISO 9001:2015 has less-prescriptive requirements for documented procedures, so there’s nothing to audit against, right? Wrong. The facile presentation of procedure 7.4.2 to the auditor for assessing purchasing controls may be obsolete, but the organization still has control of the process. The documented information is now probably embedded in the enterprise resource planning (ERP) system. In the past, an auditor would read text in a procedure that says, “The organization will execute a purchase order, using a qualified supplier, which includes product specifications and other QMS requirements.” After having reviewed the procedure, there would be a request for the ubiquitous approved supplier list and a minimum of three purchase orders so that conformance and effectiveness could be assessed. Now, the status of supplier qualification and periodic monitoring are controlled electronically through the ERP system. The product specifications are input by the engineering function. The inventory manager sets up the min/max levels in the ERP system that has incorporated in it an algorithm enabling real time manipulation of data based on forecasts, demand, inventory turns, and lead times. The purchase order is automatically generated and transmitted via electronic data interchange. No signatures, no printed (or PDF) copies. What the auditor needs to do is understand how this occurs, who has responsibility for it, how risk is mitigated—including how the integrity of the data is protected—and if the process conforms with requirements and is effective. The only change is that the “how it occurs” part isn’t presented to the auditor on a silver platter in the form of a documented procedure.
The migration away from “documented procedures” to “documented information” liberates organizations from having to author wordy and useless procedures and allows them to spend their energies on ensuring that their systems work. ISO 9001:2015 in 5.1 discusses the need to: “…ensure the integration of the quality management system requirements into the organization’s business processes.” In some cases NOT having a documented procedure is actually better aligned with this requirement.
Similarly, inspection status may be indicated by placement of inventory on designated shelves—a process that is instilled during training and periodically reinforced by a scrolling message on an electronic billboard. How does the auditor determine if the process is effective? Interview several operators and check the status of inventory at designated locations. Then check the data gathered for errors discovered at final inspection to see if there are trends that can be traced back to the practice. If there are no negative trends, if the inventory is all correctly located, and if all the interviewees provide similar responses, you can determine that the process is controlled, effective, and conforms.
Examples can be found for other processes. The scenario should always be the same: Assess what needs to be done, how it occurs, the risks, and determine effectiveness. This leads me to the second misconception: that the process approach has greater prominence in ISO 9001:2015. Meh. There’s probably more buzz around the term “process approach,” but it’s been around as long as quality auditing. Everything described above is emblematic of process approach auditing. The only thing absent are the quality speak “inputs and outputs.” Regardless of what you call them, they are integral to the fundamentals of auditing.
The takes me to the other big elephant in the room: that remote auditing is a new kind of auditing. Wrong again. Remote auditing (and virtual auditing) are just auditing methods that require the use of different tools and consideration of different constraints and opportunities. Fundamentals of auditing require addressing the resource requirements to ensure that the audit objectives can be achieved. For remote auditing, that might include a secure and reliable internet connection, the ability to observe a process (for example, through Skype), availability of personnel for interviewing who are located in a significantly different time zone, and access to secure records from several locations. It’s all variations on the same theme. We just need to use 21st century tools. The audit concepts of sampling, objectivity, and assessment of conformance and effectiveness of practices against requirements are unchanged.
We need to revisit our audit fundamentals and simply refresh the manner in which we will sustain the integrity of our profession in the midst of a changing environment.
About the author
Denise Robitaille is the author of numerous books on various quality topics. She is an internationally recognized speaker who brings years of experience in business and industry to her work in the quality profession. Denise is an active member of U.S. TAG to ISO/TC 176, the committee responsible for updating the ISO 9000 family of standards. She is also an Exemplar Global-certified lead assessor, an ASQ Certified Quality Auditor, and a fellow of the ASQ. She is the author of numerous books, including The (Almost) Painless ISO 9001:2015 Transition, published by Paton Professional.