Process Management Auditing

Process Management Auditing for ISO 9001:2000
Process Management Auditing for ISO 9001:2000 Understanding ISO 9001:2000 and Process-based Management Systems Creating a Process-based Management System
Carl Ford and Ian Rosam (The High Performance Organisation)
British Standards Institution Process Management Auditing for ISO 9001:2000 First published 2003 The HPO Ltd 2003 ISBN 0 580 41547 3 BSI reference: BIP 2015 A catalogue record for this book is available from the British Library. Copyright subsists in all BSI publications. Except as permitted under the Copyright, Designs and Patents Act 1988 no extract may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, photocopying, recording or otherwise without prior written permission from BSI. If permission is granted, the terms may include royalty payments or a licensing agreement. Details and advice can be obtained from the Copyright Manager, British Standards Institution, 389 Chiswick High Road, London W4 4AL.
Typeset by Monolith www.monolith.uk.com Printed by PIMS Digital, Essex
About the authors

Carl Ford and Ian Rosam work with the HPO (High Performance Organisation) and between them they have a wealth of management experience. They have used this to develop new and innovative approaches to management by process and consequently the methods needed for effective auditing. They also help organizations of all sizes, and from all sectors, to improve their business performance by the effective management of their business processes. With or without ISO 9001:2000, they have a deep-seated and longheld belief that the management of business processes is fundamental to an organizations success. They are passionate in communicating this central theme to decision-makers within organizations to help them to drive their overall business success. The interpretations in this book are based on the real world experience of facilitating the creation, implementation and improvement of process-based management systems that meet the requirements of ISO 9001:2000. They are interested primarily in practical application not just theoretical ideas.
Contents
0. Introduction We introduce the challenge that auditors face to develop the competences required to effectively audit against the new ISO 9001:2000 standard and the ever increasing demands of business for auditing activity to add more value. We examine the opportunities available for the forward thinking auditor. 1. Putting the process approach into context A quick overview of the process approach to ensure that we have a common understanding of the basic terminology before developing our auditing skills, knowledge and competences. 2. The requirements of ISO 9001:2000 an auditors perspective The eight key principles of ISO 9001:2000 and the Plan-DoCheck-Act methodology are the basic techniques that form the foundation of the effective auditor. A clear understanding of these and how they can be applied to a business will help the auditor structure their auditing approach both at system and process level. 3. The system-process-procedure relationship The primary role of a process management auditor is to discover to what extent the process is being managed and what effect this has on the achievement of business objectives. Before we can undertake any process management audit we must first appreciate how a management system works and the interactions that go on between the overall system, processes and procedures. 16 8 4 1
viii
4. Auditing tools and techniques With the fundamentals that make up a management system understood, we now turn our attention to the detail of how you should actually conduct an audit starting with the tools and techniques that can be employed. 5. Planning and preparing a process audit Auditing is 80 per cent preparation and 20 per cent actual auditing, which sounds like a bit of an old wives tale until you actually carry out an audit and then you realize just how true it is! 6. Carrying out a process audit compliance vs. effectiveness Starting with the Managing Director will help put the process and system into the context of the business that you are auditing. Once this often daunting step is completed it will feed the auditing of the process owners and teams in order to assess the effectiveness of the management system in relation to the business objectives. 7. Identifying and reporting findings moving beyond compliance What are the objectives of your audit report? A straightforward enough question, but how many auditors actually ask themselves this before they write and present their report? 8. Assessing improvements The auditors role is not to identify how improvements should take place or what the organization should do. It is to provide information to Management on areas of risk or where opportunities for improvement exist with an explanation that outlines the potential impact on the organization if these are addressed. 9. What personal attributes do auditors need? Auditing is a skill and like any other skill needs practice to hone it. It involves an ability to evaluate or learn from the experience, subsequently changing the auditing style or approach to add more value to the activity. 52 49 43 37 30 20
Contents
ix
10. Conclusion and the way forward In this book we cover the basic principles of auditing, and these need time and practice to be effective for the reader to truly understand the principles involved. In other words reading the book without the practice will not build competence. We outline ways in which auditors can further build their competence in order to add more value to organizations. App.1 Example auditor questions This appendix seeks to provide some example questions based on the approaches used. The examples are grouped by the relevant ISO 9001:2000 clause for ease of reference, together with questions that could be asked to demonstrate compliance along with those which seek to test effectiveness. 64 62
0. Introduction
Has something changed?
December 2000 saw the release of the new ISO 9001:2000 standard and started the clock ticking for organizations already registered to its 1994 predecessor to make the transition to the new standard by 15 December 2003. At the same time the clock also started ticking for auditors to become competent to audit against this new standard. There has been a mixed response since the issue of ISO 9001:2000 from both businesses and auditors alike. Businesses have welcomed the new standard and as a result have questioned the role internal and external auditors should play in auditing to the new standard and stressed the need for more added value to the service auditors generally provide. Auditors on the other hand have also welcomed the new standard but many have not noticeably changed their approach to the audits they conduct. The result of this is a virtual stand off between auditors and business which has left people feeling confused and in many cases extremely frustrated. This book is aimed at people who wish to cut through this confusion and gain a better understanding of the overall approach required for process management auditing using ISO 9001:2000. This book attempts to explain: what business should expect from auditors; what auditors should expect from business; the actual role of an auditor in todays process driven business environment; the key competences required to audit process management.
Auditors and the business a partnership?

So from what has been said so far, you can already see that the relationship between auditor and business must really be seen as a partnership, if the true value to the business is to be realized. When this relationship is working effectively there is the potential for the auditor-business relationship to become a powerful tool to drive the business towards the achievement of its objectives. It should not be about the auditors telling the business what it already knows. The two key factors for this win-win partnership to succeed are: a competent auditor; strong business leadership willing to learn and to improve the organization.
If either of these two factors are missing then the value of auditing to the business is significantly reduced (see Figure 0.1).
Challenges facing auditors and businesses alike

ISO 9001:2000 has radically changed, the implications of which have had significant impact on businesses and auditors alike. The fundamental shift towards process management and away from procedural compliance requires a completely different approach when it comes to auditing. It also requires a significant change in the associated competences of an auditor if they are to audit process management effectively. Businesses need to understand the importance ISO 9001:2000 places on the senior management to lead an organization from the front through objective setting, key process identification, allocation of process ownership, performance monitoring and improvement. Auditors have to understand how a business operates and, if they are to be effective as auditors in this new world, how to gather information about the organizations effectiveness and how their findings need to be reported to add value to the business. Often the failure of auditors to understand this basic requirement is the prime reason why they can fail to meet expectations (see Figure 0.1). The challenge for auditors to understand how businesses operate and how they, as auditors, can add value, is one that auditors must rise to if they are to continue to support businesses effectively. Many will have to set aside old values and beliefs about auditing compliance based systems, change the way they look and view objective evidence and look to learn new skills in order to become competent process management auditors.
Introduction
Traditional auditorbusiness relationship
Standards and frameworks

Auditor focused on compliance only
Business focused on objectives

Customer and stakeholder needs
Auditor-business partnership approach
Standards and frameworks supporting the business
Auditor focused on the business
Business focused on objectives
Customer and stakeholder needs
Figure 0.1 The auditor-business relationship
1 Putting the process approach into context

What is a process-based management system?
This book will not make any attempt to describe in detail process-based management systems as other books within this series cover this in more depth than I could hope or want to do here. However, a quick overview is appropriate to ensure that we have a common understanding of the basic terminology.
What is a management system? A framework of business processes working together to achieve the stated business objectives, and customer and other stakeholder needs.
The example in Figure 1.1 is taken from a real organization and describes, at a high level, the processes that go to make up its overall business management system. It is pertinent to the organization itself and uses a language and layout that can be easily understood by customers and staff alike. Typically this would be described in the organizations quality manual.
The process, a definition: An activity or series of activities that convert(s) an input into an output (adding value through the process).
Putting the process approach into context
Understand stakeholder and market needs
Improving our performance
Managing our finances
Developing our business objectives
Measuring and evaluating our performance
D eveloping our staff
Generate and win business
M anaging projects
Supplying parts
M anaging service support
Figure 1.1 Example management system

If the business management system identifies what processes the organization needs, then process definitions or process maps define the mechanism/activities the organization is required to complete in order to achieve its stated objectives to fulfil customer and stakeholder needs. See Figure 1.2 for an example of a process map.
Process management, a definition: The effective control of a series of activities that converts inputs into outputs whilst both adding value and continually improving its performance.
Put another way, if we are to manage a process effectively we need to plan and implement its delivery using the appropriate equipment, knowledge, etc and measure its performance against targets. These performance measures are based on the purpose of the process and by measuring against these we can identify gaps in performance, which can form the basis for improvement activity. The aim is to analyse the actual results achieved (compared against the target), to
6
learn from the information and trends created and to use information as a basis for actions for change or improvement. More details on process management and indeed systems thinking can be found in books 1 and 2 of this series (for details on these, see the References chapter at the end of this book). As a process management auditor we need to test how effectively this is taking place!
No
Identify website enhancement
Approve?
Yes
Directors
Brief website supplier, obtain spec and costs
Monitor development against spec
Operations Director
Operations Manager
User test update and report findings to Operations Director
Arrange any problems to be resolved, test and advise everyone affected
Back up PC weekly and arrange back up of website
Identify an IT problem and report

All staff
Figure 1.2 Example process map
Auditing a process-based management system

Prior to any attempt to carry out a process management audit you must first understand the principles of the process-based management system and the context in which processes are managed. Processes do not operate in isolation, they are linked together to form an overall management system. This management system provides the framework for the organization to: understand customer and stakeholder needs; understand the constraints, regulations and other influences placed on the business;
Putting the process approach into context
7
develop its business plan and/or objectives; define and implement its core and support processes; establish its key performance indicators or measures; analyse its performance and make improvements in order to achieve its business plan and/or objectives.
As an auditor you have to understand these principles in order to carry out a successful audit and maximize the value of your audit report to the organization. The principles above relate to a system and are tested by carrying out a systems management audit. In this book we are concerned with process management audits and therefore the principles are at a lower level but still follow the same general approach, to: understand the purpose of the process; understand inputs and outputs and the objectives of the process; define the steps or activities of the process; establish process efficiency and effectiveness measures; analyse process performance and make improvements based on this.
What the organization wants

An auditor should not be under any illusions that the organization is looking for an audit report containing detailed findings on the organizations compliance to ISO 9001:2000. They are most certainly not. What the organization really wants is a report from the auditor describing the impact on the organization of the findings in relation to compliance with ISO 9001:2000. In other words the organizations viewpoint is that: business comes first and the standard second; the auditor is using ISO 9001:2000 as a management tool, a guidance document that describes activity; findings against the standard need to be interpreted into organizational language and their impact highlighted.
The audit report is for Management use as information to help highlight improvement opportunities and to identify risks to the business. The Management are more likely to respond positively to your report if it is business focused, as they can clearly see the benefits to the business on making any improvements recommended.
2 The requirements of ISO 9001:2000 an auditors perspective

The principles of ISO 9001:2000
Do you know the eight key principles of ISO 9001:2000 and what the PDCA methodology is? If the answer is no, then you need to learn them quickly and thoroughly if you are going to be a competent auditor (see Table 2.1). These are the basic principles that will form the foundation of your auditing technique.
Table 2.1 The eight principles of ISO 9001:2000

Principle Customer focus What it means Understanding what customers need and expect from the organization as a whole and not just from an individual request or order Leadership Management (anyone responsible for the activity of others) at all levels creating and maintaining an environment aimed at achieving the business objectives in which others can operate Involvement of people Ensuring that all are involved in order that their abilities can be used and enhanced to maximum benefit for themselves and the organization Process approach Objectives are more likely to be achieved when activities are seen, understood and managed through processes and resources aligned accordingly
The requirements of ISO 9001:2000 an auditors perspective
Principle Systems approach to management Continual improvement Factual approach to decision making Mutually beneficial supplier relationships
What it means Identifying the individual business processes and ordering them so that they deliver results and objectives efficiently and effectively Improving business performance should be the objective of any organisation it must improve and change over time Effective decisions are based on information that has been analysed and not purely on a feeling of what needs to be done Enhanced value is created by working closely with suppliers that can affect your deliverables and not against them it is really a case of 1 + 1 = 3!
The Plan-Do-Check-Act methodology (PDCA)

The PDCA methodology or cycle is the other key principle of ISO 9001:2000 and its application must be evident within the organization at both system level and within individual processes. It can be described as in Table 2.2, and visualized as in Figure 2.1.
Table 2.2 PDCA methodology

Plan Establish the objectives and processes necessary to deliver results in accordance with customer requirements and business objectives and policies Do Check Implement the processes Monitor and measure processes against objectives, policies and requirements and report the results Act Take action to continually improve process performance
Making sense of ISO 9001:2000

There is a danger that if auditors fail to grasp the fundamental principles of ISO 9001:2000 they will undermine what they are trying to achieve, and increase the possibility of reducing the added value they can bring to the business. This basic requirement for auditors to understand the principles behind it, not just
10
the detail of ISO 9001:2000 seems obvious, but experience to date highlights the fact that the majority of auditors do not grasp these basic principles. As a result, there are huge variations in the perception business has of what ISO 9001:2000 is about and the value that effective auditing can bring to them.
Plan 1
Plan 2
The future
Act 1
Do 1
Act 2
Do 2
Check 1
Check 2
Continual business improvement
Figure 2.1 Visual representation of PDCA cycle

When you read ISO 9001:2000 you read it clause by clause and as you read it you soon realize one section runs into another and is linked to many more, which is why, as an auditor, it is impossible to audit ISO 9001:2000 section by section, it has to be audited almost in its entirety to make any sense. Let me give you an example when trying to establish how a process owner manages and monitors the performance of their process you need to test: links to the overall business objectives; process inputs; process outputs; the process itself; links to other processes; information/procedures required to support process activities; current process performance;
11
improvement activities; people involved in the process.
If you test those areas listed in the paragraph above then you are also going to be testing the following clauses of ISO 9001:2000: 4.2 4.2.1 4.2.3 4.2.4 5 5.1 5.2 5.3 5.4.1 5.4.2 5.5.1 5.5.2 5.6 6.1 6.2 6.3 6.4 7 8 Documentation requirements; General; Control of documents; Control of records; Management responsibility; Management commitment; Customer focus; Quality policy; Quality objectives; Quality management system planning; Responsibility and authority; Internal communication; Management review; Provision of resources; Human resources; Infrastructure; Work environment; Product realization; Measurement, analysis and improvement.
Put it another way, a business does not operate as a series of unconnected sections so therefore it must follow that you cannot audit it as a series of separate sections. Understanding the key principles of ISO 9001:2000 allows you to be more relaxed in your audit approach. Instead of worrying about the detailed compliance to every single section in ISO 9001:2000 you should be looking for the application of the principles. You are then able to assess the effectiveness of these linkages and the effect they have on the performance of the process, ie what they are designed to deliver.
A question of compliance?
Compliance with what? Does it comply with: the six mandatory procedures (see the next list)? the eight principles? the PDCA cycle?
12
The meaning of the word compliance conjures up images of rigid procedures that must be worked to by the letter. However, when you read ISO 9001:2000 it refers to the need for documented procedures in only six places. These are for: control of documents; control of records; internal audit; control of nonconforming product; corrective action; preventive action.
You must assume from this that ISO 9001:2000 is effectively allowing an organization to decide for itself what, if any, activities it provides written procedures to support. Going back to our question of compliance, then yes, this is obviously very easy to check as the evidence will be in the form of documented procedures for the six areas identified above. We can check that they are being applied, thus complying with the requirements of ISO 9001:2000. So what happens if the organization decides not to document any other procedures to support its process activities, can it still comply with ISO 9001:2000? The answer is very clearly yes, provided it can also demonstrate compliance with the eight principles and the PDCA cycle.
What is objective evidence?

Compliance to the eight principles and the PDCA cycle is unlikely to be demonstrated through the evidence found in documented procedures, but more than likely from subjective evidence drawn from interviews with Management and staff alike. We must therefore conclude that objective evidence can be in both documented and non-documented format. Auditors have to come to terms with the fact that although they might like to see evidence documented, as this gives them a sense of reassurance, the likelihood is that much evidence may well not be documented and they will have to assess the organization accordingly. To help you understand what is meant by these two terms documented and non-documented I have listed below examples of both. The examples of documented evidence will probably look very familiar to those used to traditional auditing as it is all black and white, right or wrong. Conversely the examples for non-documented evidence will no doubt make you stop and
13
think how can I assess this? This is a question that is hopefully answered in subsequent chapters of this book. Examples of documented objective evidence: signed purchase order; up-to-date customer account file; log of approved orders; delivery note; customer complaint letter and corrective action plan; audit report.
Examples of non-documented objective evidence: process staff members knowing how they contribute to the achievement of a maximum 30 second customer waiting time; process owner knowing the current performance of their process; process staff knowing the current performance of their process; an improvement project that contributed to increasing on-time delivery; process performance indicators that relate to purpose of the process and/or business objectives; management and staff both being able to identify who the customer is and what their requirements are; people at all levels having the ability to contribute to business improvement.
The intent of ISO 9001:2000 is not to force an organization to simply comply with its requirements but to do it in a manner that adds value to the business, thus this is the approach you as an auditor need to take. Not just trying to put a tick by all the clause headings of ISO 9001:2000, but investigating how they work to benefit the organization.
New territory interviewing the Managing Director!

Even at this stage in reading this book you should be beginning to realize that both the skills and competences of a process management auditor are a level above anything that has gone before and that those auditors who have little or no appreciation of how a business operates and the principles of ISO 9001:2000 will find it difficult to carry out a process management audit. One of the greatest challenges facing auditors is the need to audit at all levels in the organization, not just operational activities as in the past. This will mean auditing senior management and indeed the most senior manager, the Managing Director or Chief Executive Officer, as part of the audit.
14
Subsequent sections of this book will cover in more detail how to prepare for and carry out an interview with the Managing Director, but in the meantime here are some things for you to think about. How will you cope with this challenge? What questions will you ask the Managing Director? Why will they be interested in talking to you? Can you audit them in just 15-30 minutes?
As the evidence of compliance may not be documented and will almost certainly be more subjective, so increasingly the auditor needs to test the communication between senior managers and staff, in an effort to discover how focused the organization really is on the eight principles and the PDCA cycle. This will be the real test required to determine the level of compliance with ISO 9001:2000.
Be gentle with me, Im not mature!

There is one last factor that auditors must consider when they carry out an audit and that is the question of system and organizational maturity. Management system maturity questions should be asked such as: How long has the organization been developing its process-based management system? What can I reasonably expect to find at this stage in its development? What should I put in my audit report that would help the organization, by adding value at this stage of their maturity?
As an auditor, you will not be able to answer these questions without knowledge of the business. That knowledge can come from either working for the organization in question or from the responses you get during the course of the actual audit. Either way you have to make certain judgements about how you will audit and what you will ultimately report back to the organization. ISO 9001:2000 is unique in this way, it can take account of the maturity of the management system and allow an auditor the ability to use their judgement to determine not only whether the basic principles are being applied, but also to what extent the business is using them to drive itself forward. No two organizations are alike, and indeed, organizations will mature over time. An audit therefore needs to take account of its maturity if it is to help it to keep improving over time.
15
Corporate governance/ Corporate social responsibility
Business excellence model
ISO 9004
8 principles
PDCA cycle
ISO 9001
Maturity
Figure 2.2 Diagram showing organization maturity
16
3. The system-process-procedure relationship

System, process and procedures in context
The primary role of a process management auditor is to discover to what extent the process is being managed and what effect this has on the achievement of business objectives. In order to do this successfully, as we have already discovered, this may or may not involve documented procedures. Before you can undertake any process management audit you must first appreciate how a management system works and the interactions that go on between the overall system, processes and procedures. Section one of this book gave a brief overview of the management system and processes with examples for each, and it is being able to make the connections between these and supporting procedures that you need to focus on.
Management system
The management system defines the overall scope of the business, which is in turn supported by any number of processes that require management, which in turn are supported, where appropriate, by procedures, as shown in Figure 3.1. Defined by Senior Management and owned by the head of scope, typically the Managing Director, the management system is a visual representation of an organizations processes needed to deliver the business performance at the highest level and contains everything from business planning through to developing staff.
The system-process-procedure relationship
17
Management system
Overall management system organigram owned by head of scope, typically the Managing Director (MD)/Chief Executive Officer (CEO) Measures overall business performance
Process
The what we do level Owned by Process Owner Measures overall process performance
Procedures
Procedures Procedures
The how we do it level Supports process activity
Figure 3.1 The management system in context

Typically eight to fifteen high level processes are identified and they in turn link or are delivered through any number of operational processes containing the detail of what activities are performed.
Process management
Related directly to the management system are the processes themselves, which exist to convert input requirements into customer output requirements through a series of value adding activities. In other words they provide the mechanism that allows the organization to achieve its objectives, with a focus on how the different departments within the organization work together towards this aim. Just by having processes does not ensure that the business will achieve its objectives. They need effective management and it is this process management that you need to focus on when auditing. To be able to do this effectively you
18
first need to understand how processes should be managed in a manner that supports the business in the achievement of its stated objectives. Too many auditors audit processes in isolation, failing to make the vital connections between business objectives and process outputs and measures. Failure to make these connections will result in an incomplete, inadequate and non value adding audit. Its rather like checking a route map without knowing where you are trying to get to all a bit pointless. You need to be thinking about asking the process owner the following questions. What is the purpose of this process? How does it contribute to the organization achieving its business objectives? Are there process performance measures? Do the measures relate to the objectives/are we measuring the right things? Is the performance known and are effective improvement actions in place?
There are many more questions related to assessing process management but hopefully you can begin to appreciate that to be a successful auditor requires considerable skill and competence. These skills and competences need to be in different areas than have been required in the past in order to make the required connections and identify issues worthy of reporting.
Procedures
This is often a very difficult concept for many people to come to terms with. ISO 9001:2000 allows organizations the freedom to decide for themselves to what extent they have documented procedures, whereas the 1994 version of the standard required virtually all operational activities to be documented. There is a certain reassurance one gets from having things documented and there is no doubt that having documented procedures does make compliance auditing possible. In themselves, however, procedures do not help us to carry out an effective process management audit. So when you are auditing the activities within a process itself you should be thinking about asking the following questions. What risks to the process are there by not having procedures documented? If the risks are high, has the organization considered them and chosen an alternative way to reduce them, such as training? If there are procedures are they adequate for the risks they are controlling? Do the procedures add value or just increase bureaucracy?
The system-process-procedure relationship
19
The process owner should have considered what, if any, procedures are required to support process activities. Your role is to help the process owner by confirming they have got it right or identifying any potential risks they may have overlooked. You will be working in partnership with them to improve both the potential and actual performance of the process.
Auditing the system, process and procedures

The focus of this book is process management auditing but in order to set this in context you need to recognize that processes do not operate in isolation. Hopefully this section of the book has gone someway to clarify this for you. Figure 3.2 summarizes types of audits depending upon the level you are looking at in the organization and as an auditor you need to remain conscious of these connections throughout your audit.
System level
Process level
Procedures
Compliance level
Figure 3.2 Summary of auditing levels
20
4. Auditing tools and techniques

Show me what you do!
So far we have looked at some of the fundamentals that make up a management system and the basic understanding that an auditor needs to have in order to carry out a process management audit. We now turn our attention to the detail of how you should actually conduct an audit starting with the tools and techniques that you should adopt. For years, auditor training has had a constant theme to it with one message in particular being driven home time and again: Show me the evidence! Above all else auditors have been trained to assess what an organization does against what it said it does, basing any decision as to how well they did it on the documented evidence they have been shown. This technique of auditing is only relevant for assessing process management, when compliance auditing to a specific regulatory standard is required, such as those used in the medical or pharmaceutical industries, or against a standard such as ISO 9001:2000. This style of auditing may then be relevant to check that specific detailed requirements are being met and effectively applied. For the remainder of this book, the focus will be on auditing the effectiveness of process management, also required by ISO 9001:2000. This requires different tools and techniques to those required for both system and compliance auditing, and we need to recognize these differences.
Auditing tools and techniques
21
Auditor tools
There are basically two tools that should be used in both preparing for and carrying out a process management audit (see Figure 4.1, Figure 4.2 and Table 4.1). Neither of them is complicated and in fact they are just plain common sense. Both, however, require the auditor to understand how a business works through its processes in order to use them effectively. This is one of the key competences of a successful process management auditor. Once you understand them, they are so powerful that you can apply them to any process within any business, regardless of industry sector.
Purpose of the process

Improve
Process objectives and targets
Monitor performance
The process itself

Key performance process measures
Figure 4.1 Auditor tool 1

In process management auditing you are testing every one of the boxes in each process you audit at every level within each process ie you go round this cycle with everyone you interview. The questions you use to test each one of the boxes will be phrased slightly differently and will be in a manner suitable to the person being interviewed, but nonetheless they will follow the same cycle. This aspect is critical for successful auditing. It is no good asking a member of staff a question that they do not understand, or using management style or standard language that they cannot relate to what they do. For example asking someone what resources they use may not be understood, asking what equipment they use might be. There is no right or wrong, but the language you use is important
22
and needs to be based on the needs of the auditee not the auditor. It needs to be in the language used by the people within the organization itself.
Table 4.1 Definitions of the elements of auditor tool 1

Purpose of the process Process objectives and targets The process itself Key performance process measures Monitoring performance Improvement Why the process exists supplier inputs and customer outputs Specifically the objectives and targets for this process that must relate to the overall business objectives and targets The activities involved in the process Measures directly related to the process itself and overall business objectives, in the way customers measure the process Systematic, regular monitoring of the measures in order to assess process performance Activities that are designed to close the gap between current performance and the target performance level required
Consequently the evidence provided by people being interviewed will also be appropriate for the level within the process and will almost certainly be mainly non-documented and subjective. Auditor tool 2 follows a similar theme but extends to include those things that support the process in terms of: the competence of those working within the process to effectively carry out their tasks; the resources needed for process activities to be performed adequately; the knowledge and information needed to effectively carry out activities within the process; the budget for the process that takes account of the likely future demands on the process.
These influences or constraints shown are only examples and in reality there may well be others. What you are looking for is anything that affects performance of the process, and can come from any management discipline. Process management auditors therefore need a basic foundation in a range of business activities and disciplines. For example how can an auditor assess or make judgements on someones competence if they have no understanding of human resource management principles?
23
Competence
Knowledge
Resources
Budget
Risk
Outputs
Inputs
Activity
Activity
Activity
Activity
Measure
Procedures Procedures
Improve
Monitor
Figure 4.2 Auditor tool 2
Auditing techniques
Questioning
Taking each box of auditor tool 1 lets look at each one in turn and try to work out the most appropriate question to ask. As we go through each box we will, in addition, include all the elements from auditor tool 2. The end result will be an audit checklist you will be able to use to prepare for and to audit most processes. You may well be able to come up with other areas and issues to raise, whatever they are they need to test the effectiveness of the process. As you go through the steps in the cycle you may well be able to identify areas where you need to dig a bit deeper, asking more questions and testing any compliance issues that may become apparent. Inexperienced process management auditors tend to stay in the detail of compliance once they are in it. The art is to keep the cycle in mind as you carry out the audit and dip into the detail as required, coming out of it to move on to other parts of the cycle in order to build the links. It is not easy at first to make this change, but once youve done it a few times it will become much more second nature.
24
Table 4.2 Auditor questions

Part of auditor tool one Purpose of the process Question How does the process support the business strategy and objectives? What are the process supplier inputs and customer outputs? How do you determine what the customer requirements are; is this the ultimate customer? Where do you get your work from? Process objectives and targets How do you determine your objectives and targets? What are your objectives and targets? How do they link to and support the overall business objectives? How do you plan for future customer demands and the likely resources required to support them? The process itself Can you describe the process? How do any procedures support the process? Who is your customer? How do you know what your customer requirements are? How does this process interact with other processes in the management system? Who do consider as your supplier? How does your supplier support you? How do you determine the competencies required for those responsible for process activities? Key performance process measures How do you decide what key performance indicators to use? How are the process measures linked to business objectives and measures? How does your customer measure the performance of the process? Performance monitoring How do you know what the current performance of the process is? How often is process performance measured? How is performance data communicated to the process team? Improvement How do you identify improvement issues? How do process team members contribute to improving process performance? How to you evaluate the success of improvement activities? How have improvement actions affected process performance? How are improvement actions communicated to the process team?
25
Questioning techniques
The questions detailed above need to be thought about and tailored to suit the individual being interviewed and the level at which they support the process. For instance, asking an operator carrying out a process activity if they know what the organizations business objectives are would often be pointless in many organizations as the operator would more than likely think you were talking a foreign language! But beware that this is not always the case and, importantly, use your own knowledge of your own organization to get the language right. As an auditor you have to consider what is the most appropriate question to ask and in this case it might be asking the operator who they consider is their customer and how they know they are meeting their customers requirements.
Auditors have to manage this dynamic

Directors
How do you? Explain to me how? Who do you?
Managers
Staff
Show me how Tell me how
Figure 4.3 Appropriate questioning techniques

Auditors that understand this dynamic and use it effectively in conjunction with both of the auditor tools will gather the greatest amount of information relevant to how effectively the business is managing its processes. The more information an auditor has on the companys performance the more valuable the audit report they can generate from it becomes.
26
Objective evidence
If we have established that the questions and questioning techniques you use as an auditor vary according to the person being interviewed and the level they are working at within the process, then it must also follow that the objective evidence you obtain will also vary accordingly. In section 2 we looked at examples of documented and non-documented objective evidence, so let us now consider what types of objective evidence we might find at different levels in the business, depending upon who we are auditing and what questions we are asking. Taking some of the questions from the Table 4.2, Table 4.3 outlines the likely objective evidence you might expect to find.
Table 4.3 Objective evidence

Question How does the process support the business strategy and objectives? What are the process supplier inputs and customer outputs? How do you determine what the customer requirements are; is this the ultimate customer? How do you determine your objectives and targets? What are your objectives and targets? How do they link to and support the overall business objectives? How do you plan for future customer demands and the likely resources required to support them? Clear understanding of overall company objectives and targets and can demonstrate linkage Tells/shows you plan, gives example of having done it previously In touch with process customers and makes suggestions to process owner Tells/shows you Understands process performance Understands companys aims Link to overall company objectives and targets Understands their role in the process Able to link to customer outside their process and describe requirements Able to link to next step in process and describe requirements Tells you what they are Tells you what they are Evidence from process owner Clear understanding of objectives Evidence from process staff Understands what the process is there to do
27
Question Can you describe the process? How do any procedures support the process? How does this process interact with other processes in the management system? How do you determine the competencies required for those responsible for process activities? How do you decide what key performance indicators to use? How does your customer measure the performance of the process? How do you know what the current performance of the process is? How often is process performance measured? How is performance data communicated to the process team? How do you identify improvement issues? How do process team members contribute to improving process performance? How to you evaluate the success of improvement activities?
Evidence from process owner Tells/shows you Tells/shows you links to process activity Tells you what the links are and how the communication between them works Understands roles and competencies in context of process activities, linked to objectives
Evidence from process staff Tells/shows you Tells/shows you when used and how Understands there are links to other processes and knows how they work Knows own competency and has been appraised/ reviewed in last year
Tells/shows you the indicators and which link to objectives Demonstrates customer communication by linkage of their needs to process measures Shows you performance information Tells you Tells/shows you
Tells/shows you process measures being used Understands process performance in relation to the customer
Tells/shows you performance information Tells you Tells you/shows you
Able to link performance data to improvement action Tells you and can give examples from team
Talks through methods/ ideas and links to process owner Knows how and who to suggest improvements to
Link back to performance data to demonstrate effectiveness
Communication from process owner
28
You will notice that the responses you are likely to get in terms of evidence are likely to be verbal rather than documented, which means you have to determine fact from fiction just by listening to what people are saying. But how can you do this? Lets take just one of the questions and use it as an example.
Question: How do you know what the current performance of the process is? The process owners response is to tell you that they have two process measures, products delivered on time as a percentage and number of product stock turns in a year. The targets are 99 per cent on time delivery and 12 stock turns per year respectively. They also tell you that since the measures were introduced six months ago they have achieved an average of 97.5 per cent deliveries on time and are on schedule for six stock turns for the first half of the year.
You just listen to what they say and make a note of the information on your checklist.
The process staff members response is to tell you that the process owner meets with all the process staff once a month in the canteen where they talk through various items of interest including performance statistics. They tell you that a lot of what the process owner says is not of much interest to them apart from the delivery and stock turn measures as this has a direct bearing on the amount of bonus they receive each quarter. They tell you that delivery performance of only 97.5 per cent has meant a reduced bonus for the last two quarters, but the achievement of six stock turns so far this year has at least given them a bonus payment albeit small.
You listen and compare their responses to those of the process owner, making any notes on your checklist. You then ask yourself Have I enough evidence to demonstrate that the question has been answered adequately and am I satisfied that the performance of the process is known at all levels in the process and by the people who need to know? What is your conclusion based on the two responses above?
29
I hope you concluded that yes, the performance of the process was known at all levels in the process and by the people who needed to know. All this despite the fact you did not see a single piece of paper! Congratulations! You have just audited subclauses 5.1, 5.2, 5.4.1, 5.5.3, 7.1, 8.1, 8.2.3, 8.4 of ISO 9001:2000.
Methods of auditing
Quite rightly most methods of auditing involve face-to-face interviews/ discussions with people in order to gain information and an understanding of how effectively something is being done. However, this is not always practical to do because of geographical locations, the high number of people needed to be seen or constraints on cost or time. Auditors should be flexible in their approach and be prepared to consider alternative methods of auditing which do not rely on just face-to-face interviews. These could include: groups a number of process staff, suppliers, customers or stakeholders can be interviewed within a group environment to save the time and expense of travelling to them individually; questionnaire could be used to assess a variety of issues, can be done confidentially to improve the honesty of the responses; email again, any number of process staff, suppliers, customers or stakeholders can be interviewed remotely, as a group, to save the time and expense of travelling to them individually; telephone this can be usually a very quick and simply way to confirm information; video conference planned well in advance, this method can be a really effective way of interviewing people working miles apart or even in different countries.
Organizations that have multiple sites spread over a large geographic area, including different countries, and those with large numbers of home or field based employees are probably best suited to alternative methods of auditing other than face-to-face.
30
5. Planning and preparing a process audit

Familiarity breeds contempt!
Somebody once told me that auditing is 80 per cent preparation and 20 per cent actual auditing, which sounds like a bit of an old wives tale until you actually carry out an audit and then you realize just how true it is! Preparation starts right back with a basic understanding of the principles of ISO 9001:2000 and the PDCA cycle and goes right through to familiarizing yourself with the organizations management system, specific processes and their outputs. Having been witness to numerous audits by both certification organizations and internal auditors over many years, I have rarely seen an auditor who has prepared adequately for an audit. Whether it is failing to arrange meetings in advance, losing sight of the audit objectives or not understanding the links of effective process management, auditors are normally simply not spending enough time preparing for their audits. People who regularly carry out audits do become blas as they become increasingly relaxed about the style they have adopted and their knowledge of ISO 9001:2000. In doing so they show a certain contempt by rarely using checklists or feeling the need to effectively plan ahead. Even though I have carried out hundreds of audits over many years I still prepare and use an audit plan and checklist every time I am asked to conduct an audit, and so should you.
Planning and preparing a process audit
31
Its all in the planning

An audit plan needs to consist of more than the audit date, start and finish times and the department name being audited, to be promptly put in a file and forgotten about. A good plan will be developed well in advance of the audit, by the auditor, and certainly not in isolation. They will confer with the appropriate members of the organization to ensure they agree to the timings. A good audit plan is likely to cover the following: objective of the audit; what standard(s) are being used as the audit criteria, eg ISO 9001; date the audit is to be carried out; who the auditor(s) will be; any special requirements the auditor may have, eg working lunch, desk, power supply for laptop computer; what processes/activities are going to be audited; what methods of auditing are to be used; the names of individuals to be seen during the audit with specific meeting times; date by when the report will be issued and who it will be distributed to.
Please refer to Table 5.1 for an example of an audit plan. By far and away the most important parts of any audit plan are the details concerning the people who will be seen and the specific meeting times that have been agreed. Auditors cannot expect to turn up and have people sat around all day or over many days, waiting for the auditor to audit them. As an auditor you should assume that no one is going to see you unless you have prearranged the meeting. Apart from anything else, it is just bad manners, and it will lead to a poor relationship with the auditees, so it is critical if the audit is to be successful. I have lost count of the times auditors turn up at an organization and commence the audit expecting people to automatically be available. They then wonder what they are going to do for the remainder of the day when they discover all the people they need to speak to are either on a course, on holiday or have other meetings! Its all in the planning. In preparing your audit plan you will need to take into consideration the overall time available to you to carry out the audit and then work backwards ensuring that you allocate the most appropriate amount of time to each of the people you need to interview.
32
Table 5.1 Example of an audit plan

PROCESS AUDIT PLAN Objective of the audit To assess the maturity of the process in order to identify any gaps in current performance against the audit criteria detailed below Date(s) audit to be carried out Criteria/standard to be used Process(es) to be audited 27th and 28th June 2004 ISO 9001:2000 and the organisations stated business objectives Managing our capital assets Purchasing plant and equipment Auditor(s) Date audit report to be issued Any special requirements: Meeting room for the two days with power, telephone and video conference facilities. No need to organise lunch, the staff canteen will be fine. People to be seen, when and how: 27th June 2004 9.00 am 10.00 am 11.00 am 12.00 noon 1.00 pm 2.00 pm 3.00 pm 4.00 pm 4.30 pm Finance Director (process owner) Finance Assistants 4 Finance Assistant Finance Assistant Lunch Finance Assistant Financial Controller Managing Director Consolidate information Video conference Telephone Face-to-face Face-to-face Face-to-face as a group Video conference Video conference London London Paris Frankfurt Canteen New York Nairobi London Meeting room, London Carl Ford 7th July 2004 to the Finance Director and Managing Director
28th June 2004 9.00 am 10.30 am 12.00 noon 1.00 pm 2.00 pm 3.00 pm 4.00 pm Production Director Production staff members 8 Production Manager Lunch Production Manager Finance Director Gather information and close audit Telephone Face-to-face Face-to-face Face-to-face as a group Video conference London London Paris Canteen Nairobi London
33
One of the major issues facing you is the time available, as this impacts on your ability to test the responses you get with the greatest range of people possible, thus assuring yourself that the evidence you are finding is a true reflection of what is happening. This is not something new and auditing has never pretended to be anything else other than a sample, but you must be satisfied that the sample size is large enough. Whatever you decide you should always start and end with the process owner. Start off with them: to gather information, that you can go on and test throughout the process; to understand if they have any particular areas they themselves may want you to assess or review and provide feedback on.
Finally, conclude the audit with them so that you can confirm your findings and provide overall feedback on what you found.
Preparing your audit checklist

As an auditor you should never underestimate the usefulness of an audit checklist and just how important it will be to you. The purpose of the checklist is to: ensure you cover all the questions/areas required to meet the audit objectives; act as a focal point for the audit, as it is easy to become distracted as you follow the audit trail; allow you to record notes against specific questions as you go, so you can easily reference them when talking to different people; ensure you can easily compile the audit report from the notes you have made without relying on just your memory.
But how do you decide what you should include in your checklist? Well, how detailed you make your checklist is a very personal thing and is likely to depend upon several factors not least how experienced you are and your ability to read it during the audit itself. Before you can begin to prepare your audit checklist you first have to design it or, should you find it useful, copy my example, shown in Table 5.2. Your design will no doubt evolve over time to reflect your own personal style and needs. Having decided on what your checklist will look like you now have to populate it with all the questions you are going to need to ask in order to complete your audit. These are the questions that will test:
34
the eight principles of ISO 9001:2000; the effective implementation of the Plan-Do-Check-Act methodology; auditor tool 1; auditor tool 2; actual process activities.
This means all of the things we covered when looking at the auditor tools and objective evidence in the previous section. In addition, your checklist should include questions or areas to look at that are specific to the process or processes you are auditing. In order for you to do this you will have to undertake some research and make requests for information from relevant people. This is a relatively straightforward task if the audit is going to be carried out internally as you will know the organization and will be able to acquire the appropriate information. However, this can prove to be more of a challenge when you have no prior knowledge of the company. Typically your research should focus on trying to obtain information on: what the organization does and who its customers are; its mission, vision, policies and business objectives; organization structure and process ownership; the management system structure and links between processes; copies of process maps; company and process performance data.
You should allow yourself plenty of time in advance of the audit to gather the information and compile your checklist. Remember the audit starts from the moment you start compiling information and preparing your checklist, not from the moment you ask your first question of the process owner, it is much too late by then to get it right if you have not planned thoroughly. If you are not able to carry out the background research or obtain the information you would like in order to prepare thoroughly for the audit, then you must allow yourself more time to carry out the audit itself and to collect this as you proceed. This is certainly not the most efficient way to carry out an audit, but sometimes you will have no choice. Without this information your audit will be flawed, so you must obtain it early on if you are to be effective. As I said right at the outset of this section preparation is 80 per cent of the audit and you have to ensure you have prepared adequately to avoid being led by people rather than you leading the audit. Remember that you are there to control the audit, not them.
35
Table 5.2 Example audit checklist

PROCESS MANAGEMENT AUDIT CHECKLIST Subject: Auditor: Date: Audit No.:
Checklist Ref. No. Item Comments Report Ref.
36
To summarize the preparation required: make sure you fully understand the eight principles and the PDCA cycle; be clear on the objective of the audit; plan the audit carefully making sure you allocate the appropriate time to each element and sample enough people; book meetings with people well in advance, dont expect them to just be waiting for you! understand the management system and process connections; know the business objectives and customer requirements and make the connections to process outputs; always use a checklist!
37
6. Carrying out a process audit compliance vs. effectiveness

Bringing it together
Hopefully by the time you are about to start the audit you have fully prepared and have a clear understanding of how you will satisfy yourself that the process is being managed effectively. Here is a brief reminder of what you are about to do: test for the eight ISO 9001:2000 principles; test that the PDCA (Plan-Do-Check-Act) cycle is embedded; focus on outcomes in order to test for effectiveness; use auditor tools one and two to help you make the links to customers and suppliers and from system to process to people; ask the most appropriate questions based on the person you are auditings level within the organization; test whether process activities are effective; test compliance to procedures, standards and regulations, as appropriate; use your checklist to remain focused and to record information.
If you are not put off by this then lets get on with the audit, starting with the Managing Director, who will put the process and system in context.
Interviewing the Managing Director

You turn up at the Managing Directors office door at the agreed time, probably a bit nervous are they in a good mood? is the exchange rate favourable? did they win at golf yesterday?!
38
They call you in and immediately inform you that they have to leave for another meeting in 30 minutes so you will have to be quick. Your mind goes blank, your mouth goes dry, your heart beats a little faster and you begin to wonder what you are doing here. You glance down and, to your relief, see the checklist you so carefully prepared. Referring to the first question you inquire How is business? You have started the audit. Does this sound familiar? Feeling intimidated by someone like the Managing Director is nothing new, but when you have to audit that same person in an effort to extract information from them, it can be even more daunting (particularly so if they have never been great supporters of ISO 9001:2000). This interview is critical. Why? Because if you do not succeed in gathering information to help you gain a clear understanding of the business objectives, measures, current performance etc you will not be able to test the subsequent effectiveness of process management and the connections to the overall business needs. As a general rule you will only have a limited amount of time with these people, so you have to make the little time you do get as productive as possible. Being completely clear about the objectives of the interview and the outcomes you require is essential and will prevent you becoming sidetracked and coming away wishing you had asked a particular question. Remember again that it is your meeting and you are in control of it. You will gain real respect if you do but if you dont A good approach is to start with a general question like How is business? With any luck the Managing Director will discuss the current state of the market, customers needs and how the organization is working hard to develop sales and improve margins. Within this discussion you should begin to draw out what the business objectives are and how they plan to move the organization forward to achieve them. This information is key and you need to be making detailed notes of it on your checklist as you go, so that you can refer to them later on as a memory jogger and to help with subsequent meetings. Be conscious of time, stay focused on the objectives of the interview and the questions you need to ask and you can usually get through it within 30 minutes. I tend to find that most Managing Directors, once they get talking, forget about their next meeting and end up chatting for up to an hour, usually because they never realized the audit was actually going to be about the business itself, rather than ISO 9001:2000! Once they start doing this, then you know that you are part of the way to having a convert. The rest of the journey will be made once they see the business value of your report and findings.
Carrying out a process audit compliance vs. effectiveness
39
Before you conclude the meeting have a quick look at your checklist to ensure you have everything you need for the next part of the audit and then ask, Is there anything you would like from my audit, are there any areas you would like me to look at in addition? Note any response you get and then thank them for their time and leave.
Ill make a note of that!

It is all to easy to get carried away listening to people and forgetting to make a note of what they said or showed you, but it is such an important part of auditing that it is worthy of a further separate mention to remind you to do it. This is particularly important if the audit is to be spread over any length of time, when it would be difficult to keep track of all the responses and even harder to recall them at the right time. This is especially so if you are trying to test the effectiveness of communication and need to know exactly what other people have said.
Interviewing the process owner

Process owners can be just as formidable as the Managing Director so be prepared by following the same rules and opening the dialogue by asking them How is business? Check and confirm with the process owner that the audit plan is still alright and that the people you wish to speak to will be available. As with the Managing Director be quite clear about the objective of the interview. Your final report must be able to conclude how effectively the process was being managed, so make sure you keep focused on this and do not become distracted by other issues the process owner may wish to talk about. Refer to your checklist constantly. Provided you prepared it thoroughly it should include the questions you need to test the eight principles, PDCA and auditors tools 1 and 2. What you are testing is effectiveness, which includes the following. The link between what the Managing Director said and what you are now being told by the process owner are they saying the same things? Has the Managing Director communicated the business objectives adequately? Has the process owner interpreted them correctly?
40
Has the process owner related them to their process? Has the process owner communicated the objectives down to the process team? Has the process owner established process performance measures? Do the measures relate to the objectives? Does the process owner know the current performance of the process against the objectives and targets? Has the process owner communicated the performance results to the process team? What actions are the process owner and process team taking when there is a gap in the performance against the stated objective or target? How do process team members contribute to improvement activities? How does the process owner know improvement action is effective?
Refer to Table 4.2 for more questions and Table 4.3 for the likely objective evidence you could find and can therefore make a note of on your checklist. Just as with the interview with the Managing Director, you should treat the interview with the process owner as an information gathering exercise, so ensure you record as much of the information you are given as possible. You will need it to complete the main part of the audit. Again, before you conclude the meeting have a quick look at your checklist to ensure you have everything you need for the next part of the audit and then ask, Is there anything you would like from my audit, are there any areas you would like me to look at in addition? Note any response you get and then thank them for their time and leave.
Interviewing process staff

Having interviewed the process owner you are now in a position to move onto the main part of the audit and begin to audit process staff, together with looking at the various connections with other processes within the organization. Sticking to your audit plan begin to audit the process staff. Whereas the objectives of the interviews with the Managing Director and process owner were primarily information gathering, the audits of process staff are now about testing this information in order to determine how effectively the process is being managed. What you are testing is effectiveness, which includes checking process staff understanding of such issues as the following.
Carrying out a process audit compliance vs. effectiveness
41
Are the objectives/outputs of the process understood and are they linked to what the process owner said? Is the process measured and are they the same as what the process owner said? Do process staff know what the current performance of the process is? How is information communicated to people working within the process and is this as described by the process owner? Do process staff know how they can contribute to improving process performance?
Refer to Table 4.2 for more questions and Table 4.3 for the likely objective evidence you will find and can make a note of on your checklist. In addition, you are also testing: how effectively the connections to other processes are operating; that process activities are being implemented effectively; that any procedures, standards or regulatory requirements are being worked to; how competent people are/feel they are to perform their assigned tasks.
Remember the audit dynamic

As an auditor you have a duty to remain conscious of using the right questions at the right level in the process. To achieve this remember the questioning techniques diagram in Figure 4.3. So although I have suggested the items you should be testing during the audit, it is still very much up to you, the auditor, to phrase these in a manner that will ensure they are understood by your auditees and that will provide you with adequate evidence as an answer to your question.
Give me a break!
There are a lot of pressures on auditors and you should never be afraid to take a break during the audit in order to give yourself an opportunity to collect your thoughts, put the information you have gathered into context and to generally satisfy yourself that you are progressing as planned. As you review any information, notes and outstanding questions it will help to focus your mind on the audit objective. If, for whatever reason, you find yourself not being able to confirm what is actually happening within the organization, and up to this point in the audit you are not a position to report how effectively the process is being managed, then the break is essential. It
42
affords you the opportunity to determine the specific further questions you need to ask in order to complete the audit and compile your report adequately. Should you find that you do not have sufficient evidence to make a judgement as you proceed, never be afraid to add items to your checklist.
They think its all over

If you have stuck to the audit plan and not become too distracted the audit should finish on time, with everybody on your list having been audited and with you having a clear understanding of how effective the organization is at process management. Now is the time to begin to sift your way through all the information you have and to collect your thoughts ready to compile your report and report back to the process owner and/or Managing Director. You should discuss your findings with the process owner and/or Managing Director prior to generating your final audit report and indeed there may well be some items that require clarification. Please refer to the next section of this book where this will be explored in more detail.
43
7. Identifying and reporting findings moving beyond compliance

Report objectives
What are the objectives of your audit report? A straightforward enough question, but how many auditors actually ask themselves this before they write and present their report? A lot of the audit reports I read clearly demonstrate that the auditor did not ask themselves this question and if they did they drew the wrong conclusion from it. The most common misinterpretation of this question comes from ISO 9001:2000 auditors, be they internal or third party auditors. ISO 9001:2000 auditors typically consider the objective of their reports to be to record all the areas where the organization did not comply with ISO 9001:2000. Which is why when you read a report written from this objective they add virtually no value to the organization. The real objective surely has to be to record all the areas where the organization did not comply with ISO 9001:2000 that affect business performance. In other words the report findings will add value to the organization by highlighting issues that, if addressed, will improve the performance of the business. Your report should contain information that: recognizes good practice; identifies instances of non-compliance in the context of business performance; recognizes the maturity of the management system; encourages the organization to improve its performance.
44
I appreciate that auditors and, in particular, third party auditors, have a difficult job in striking the right balance between reporting compliance with ISO 9001:2000 whilst trying to encourage improvement based on the maturity of the organizations management system. However, that said, this does not stop auditors trying to achieve this balance in order to add value to the organization. After all, they are a supplier to the organization that is in turn the auditors customer. What they want from your audit report must surely be considered important?
When is a non-compliance a business opportunity?

The word non-compliance has a very negative feeling about it, for example something is wrong, someone is to blame, there has been a failure, the system has broken down. If you report your audit findings in a series of non-compliances then your report will also have a very negative feeling about it. Let me suggest something revolutionary, do not use the word noncompliance in any audit report you write, think of a positive alternative instead. Just think for a moment about how you could change the language you currently use in this way. What effect would this have on your auditees?
What to report
The ultimate design of your audit report may be constrained by the need to adopt a standard template or format used by your organization, which is almost certain to apply to third party auditors. If you have no such constraints then you are free to choose a format that allows you to report your findings in the most appropriate way, which could be anything from an A4 template to a software-based computer presentation. The choice is yours. Table 7.1 provides an example of an internal audit report template that I have used and you are welcome to copy and modify in order to come up with a version you feel comfortable using. We have talked of the need to make your audit report as positive as possible to encourage the organization to address the issues raised with the ultimate aim of improving their business performance. But how can you achieve this? The best way to demonstrate what I mean is to show you some extracts of actual audit reports, clearly showing both positive and negative reporting styles. You can then see for yourself what I mean.
Identifying and reporting findings moving beyond compliance
45
Table 7.1 Example of internal audit report template

PROCESS MANAGEMENT AUDIT REPORT Audit objective: Auditor: Date(s) of audit:
Criteria for audit:
Process(es) audited:
Audit summary
Audit findings Ref. No.
46
What not to say

The following are examples of what not to say in an internal audit report. a) There was no evidence that the organization was monitoring customer satisfaction as required by ISO 9001:2000, subclause 8.2.1. b) There was no evidence of a documented procedure for the control of records as required by ISO 9001:2000, subclause 4.2.4. c) There was no evidence that the organization had reviewed its infrastructure as required by ISO 9001:2000, subclause 6.3.
What to say
The following are examples of what to say in an internal audit report. a) The organization does not currently monitor customer satisfaction. Monitoring the perception customers have will enable the organization to better understand how it can meet both their current needs and future expectations, allowing the organization to benefit from a more proactive approach to customer care. b) The organization does not currently have a documented procedure for the control of the records it produces. The documenting of a procedure for the control of the organizations key records will ensure that the responsibilities for record retention are known and that these important records are protected from damage or deterioration and only retained for the maximum specified period, allowing archive storage space to be kept to a minimum. c) The infrastructure of the organization appeared to be adequate for the services being provided; however, there was no process by which the infrastructure is reviewed on an ongoing basis, which could affect the organizations ability to meet future customer demands. Therefore the organization would benefit from linking together the review of market/customer needs and the infrastructure required to deliver them. d) The organization is to be congratulated on the decision it has made to introduce new computer terminals and office furniture in the call centre. The staff spoken to all commented on what a significant difference this has made to both their comfort and ability to read the new screens. This has undoubtedly contributed to the reduction in staff sickness time and number of customer complaints due to keying errors.
What turns you on?

Which version of the report findings did you prefer reading? Which version do you think the Managing Director would prefer to read and would encourage
Identifying and reporting findings moving beyond compliance
47
them to do something? Precisely, the second version, and this is the style you should be adopting in the writing of your audit reports. The report is all about the business and nothing about subclauses in ISO 9001:2000 because Managing Directors are not interested in the detail of what the standard says. As any good politician would tell you it is all in the spin. I am not suggesting we all need to become politicians, but, as auditors, we could all learn a trick or two from them and spin our reports positively. After all, we are trying to influence our customer to make the improvements we have identified.
Are you hiding behind ISO 9001:2000?

As an auditor you should ask yourself the question Am I hiding behind ISO 9001:2000 with my comments in the audit report? I tend to find that the more experience an auditor has of how businesses operate the greater the chance their audit report will add value. Conversely auditors who have a limited knowledge of how businesses operate tend to hide behind ISO 9001:2000 as this is all they know and feel comfortable with. There is no substitute for an in-depth knowledge of the workings of all business processes, not just the theory but the actual experience of how they work. This includes the processes such as business planning, asset management and managing marketing whatever title you may give them within your organization. Auditors who fail to get to grips with truly understanding these processes will spend their auditing life hiding behind ISO 9001:2000 rather than translating it into business improvement language. They will fail to provide added value to the organization.
The So What! test

The final check every auditor should perform on their audit report before they present it is the So What! test. Here is an example:
the quality policy had not been signed by the Managing Director SO WHAT!
If an audit report is to add value to the organization it has to contain information that could help the organization improve its performance and ultimately make
48
money (or at least not overspend). Meeting financial targets is a prerequisite for the majority of organizations and often the key purpose of their existence.
Improvement action
The audit report should only contain the findings of the audit and not suggestions for the improvement action to be taken. This way the auditor can remain independent and the organization does not feel obliged to adopt any of the auditors suggestions for improvement, even if it does not agree with them. By doing this, the auditor is also passing the responsibility for taking improvement action back to the process owner. Improvement action should be left with the appropriate people within the organization itself to determine. What action is taken, by whom and within what timescales are all decisions that the organization should make for itself, based on what is appropriate for the business, how it will benefit and the other current priorities it has.
49
8. Assessing improvements
Putting the improvement in context
As we have seen from carrying out the audit of process management the auditors role is not to identify how improvements should take place or what the organization should do. It is to provide information to Management on areas of risk or where opportunities for improvement exist with an explanation that outlines the potential impact on the organization if these are addressed. Therefore what the organization does if it decides to address these issues is up to the Management balancing the other organizational needs and requirements with the audit findings. Dont forget that carrying out audits is only one source of information Management is receiving upon which decisions can be based. They will also be receiving information on customer satisfaction and business results etc which could mean that they may well ignore the audit findings and concentrate improvement activity in other areas where the greatest business benefit can be achieved. This being the case auditors should not be disheartened if, after carry out an audit recommending areas for improvement, Management do not appear to act on the information. The real test is to determine whether the system is improving but that is all about auditing the management of a system, a subject that is little understood, rather than auditing a process, which we have covered in this book. The basics of systems management auditing are similar to those of process management auditing, the main difference being one of level. Instead of looking at a single process the auditor is looking at the system as a whole. Many of the
50
same skills are required, but it needs a still wider business understanding for the auditor to be successful.
Planning and carrying out a follow-up audit

As with any audit this needs to be scheduled and auditors appointed in exactly the same way as for a full audit. The main difference is associated with the scope of the audit which is generally limited to the scope of the previous audit report findings, rather than the entire process. In preparing for a follow-up audit the auditor needs to review the previous report and, in particular, to understand the business reasons for recommending the improvement and the business risks or impact associated with it. In terms of preparing your audit plan you should aim to discuss the improvements to establish what action has been taken and the purpose in taking the action. The same tools and techniques can be used to carry out a follow-up audit as have been described earlier for process management audits. So, in establishing the purpose and the aim of the action or improvement the auditor is identifying what the process owner is trying to achieve. It is not good enough just to determine whether the corrective action or improvement has taken place. What the auditor needs to establish is how effective the action has been ie has the aim of the improvement activity been met, has it worked/solved the problem etc. From establishing the aim the auditor can then review the actual improvement activity or corrective action taken, the results gained and identify any further improvement needed to meet the original intention or purpose. As described earlier the auditing tool shown in Figure 4.1 can be used in a similar way when carrying out follow-up audits: Consequently, after information has been gathered from the process owner, the technique can be used to gather information from other people either involved in the change/improvement or affected by it. Through a series of short information gathering activities following the assessing technique outlined earlier, the auditor will soon build up a view as to whether or not the action has been effective in resolving the issue highlighted in the original audit report and has been carried out in a timely manner. Timely in this sense being based on the size and impact of the change or improvement and the risk the organization faces in not carrying out the change quickly enough. The feedback of the audit findings is to the process owner, as before, in a format that you would typically use for all audits.
Assessing improvements
51
What happens if the improvement has not been carried out?

If an improvement has either not been fully completed or not even addressed in any way the auditor needs to make a judgement on the potential impact on the organization. If the judgement is that the organization is at risk then the matter should be referred to the system owner, ie a higher authority than the process owner, who should be asked to intervene to address the issue and advise the auditor accordingly. What the system owner does in resolving the issue is up to them with any outcome being used to determine whether or not a further follow-up audit is required. Every organization will need to be clear about the method of escalation they will use in such cases, and when it should be used. This will provide clarity to both the auditor and the process owner.
52
9. What personal attributes do auditors need?

Auditing as a skill
Auditing is a skill and like any other skill needs practice to hone it. It involves an ability to evaluate or learn from the experience, subsequently changing the auditing style or approach to add more value to the activity. Clearly competence to audit is a key requirement but to enable this competence to be built (something that is less easy to train) are the personal attributes, inherent in any good auditor. These attributes underpin the auditing activity and are the basis upon which competence is built. ISO 19011 describes these attributes and although not an exhaustive list, it does provide a useful insight into what is expected. Above all the auditor should be ethical; auditors are placed in a position of trust by Management to investigate how effectively the organization is being managed. As we have seen auditors need to assess effectiveness of actions taken as well as compliance. To assess effectiveness requires the auditor to expose areas of strength and weakness, identifying where the organization can make improvements or changes that will enhance performance. In talking to different people at different levels within the organization, often being party to sensitive information, the auditor should be careful to ensure that confidentiality is maintained at all times, whatever the pressure to disclose sources of information. This is not always easy and sometimes pressure is exerted, but those seeking the information should be made aware that its disclosure will break confidentiality which may result in auditees being reluctant to take part fully in later audits to the detriment of future audits and therefore the organization.
What personal attributes do auditors need?
53
Equally the results should be a fair and honest reflection of the findings, reporting facts and not seeking to apportion blame or falling into the solutionism trap. Solutionism is where the auditor writes their report explaining how managers should actually carry out the improvements or resolve problems. No matter how well meaning it is often dangerous to make recommendations to managers on how they should manage their organization thats their job, not the auditors. Many books or guides on auditing often suggest that the auditor should make recommendations but this needs to be done with care. It is one thing to make a statement that something is blatantly incorrect or is not working as well as it could and provide the evidence to support this. It is quite another to go further than this and suggest how the improvement should be carried out. Very seldom does the auditor have as good a view of the organization as the manager. How the manager resolves problems or implements an improvement is up to them. Following the appropriate process, of course, is up to them. So, report the facts and leave any recommendations on what needs to be done or action that could be taken until after the audit. I have seen a number of internal and external auditors ruin a very good audit by making recommendations that are inappropriate and get a negative reaction from the manager so be aware. Auditing for effectiveness often involves understanding what is happening. How an organization manages its business, how people carry out their tasks, what equipment they use and how they comply with legislation for example is up to them and the auditor can expect to see or observe activity that is different between one organization and another and even between one department or site and another in the same organization. In other words there is not necessarily a right or wrong way. Auditors need to be open-minded as to the activities undertaken and willing to consider different views or interpretation. What is more important is how effective these actions are on the final result achieved. Adopting an open mind goes hand-in-hand with carrying out the audit in a tactful and diplomatic manner. Remember the easiest way to gather information is to ask people what is happening, what they do, how they could improve what they do etc. How the auditor handles this conversation, even if auditing using email and other non-traditional methods of auditing, is critical to success. If the auditor criticizes what someone is doing or how a manager is managing their part of the business then that person is likely to be more reluctant to provide the auditor with the information they need. Remember people are often not the problem, most of the time it is the system they are operating in, so identify where the system is failing rather than seeking to criticize, blame or expose the individual. The results will be far more welcome and of considerably more value to the organization.
54
When auditing there is often a sense of something being right or not quite right, its a feeling. You cant be certain because you might not have the evidence, but an instinct that there may be something that is taking place that is either incorrect or wrong or could be improved. This second-sight is all about perception, how the auditor sees, reads and understands situations. This perception may be drawn from looking at evidence from different sources an adding together of information that doesnt quite make sense and needs testing or examining further. Auditors need to develop and, more importantly, use this ability. Often the information an auditor needs wont stare them in the face or be straightforward and needs digging out based upon reading a given situation. Another area based upon perception is collecting perception-based information. This is often more valuable than fact-based or document-based evidence. The problem is that how people perceive situations, activities or events is often not evidenced by documents its often verbal or an interpretation. The auditor therefore needs to be able to turn this information into fact or objective evidence. This is achieved by using an appropriate sample size, testing the perception to get to the facts. This may mean that someone has perceived an event incorrectly or drawn the wrong conclusions. The auditors job is to work with these perceptions and draw conclusions separating the fact from the fiction. To do this requires persistence, the ability to keep going even though auditees may put obstacles in the way. You may not get exactly the information you need or you simply get frustrated knowing there is something to be identified but you simply cant find it. If you find yourself in this situation keep going, think about the objectives of the business and the scope of the audit. How important is it, will it put the business at risk? Perhaps a different approach is required to gather the information. Persistence is not about pursuing something for the sake of it, it is about making a judgement for the sake of the business, the audit and importance of the issue. Following on from persistence is the need to make decisions in a timely manner based on the evidence that has been gathered. These conclusions should be clear, unambiguous and understandable. This allows the auditee to be able to review the conclusion or finding using the evidence the auditor has provided. Poor conclusions based on poor analysis leads to the auditee not being able to understand what the conclusion is about or why the issue has been raised. Often poor analysis of the evidence results in confusion and inevitably findings that are lower level detail (mainly compliance related) rather than the identification of improvements or the need for change to enhance effectiveness. Often auditors find themselves working on their own, gathering information whilst they work with the auditees. This ability to work independently is an
55
attribute not to be underestimated. This requires the auditor to be a self-starter, self-reliant having the necessary equipment and motivation to see the audit through without the support from other auditors.
How about knowledge and skill?

For auditors, knowledge and skill can fall into a number of areas: knowledge and skills of auditing itself; the management system and its supporting processes that are being audited as well as the organization or business itself; professional knowledge around the subject of quality; specialist knowledge of supporting business processes such as business planning, human resources, finance, etc.
The auditor needs to have a mix of skills and knowledge to be effective. These are interdependent and should not be considered or developed in isolation of each other, ie no one area is more important than the other they complement each other.
Knowledge of the auditing principles

Knowledge of the auditing principles is aimed at ensuring that audits are carried out in a consistent manner following a defined approach. These principles are identified in ISO 19011 and should support any auditing procedures and approaches that the organization has in place. It goes without saying that the auditor should be able to follow the organizations auditing procedure and approaches. The auditor should be able to create an audit plan based on the scope of the audit. This should show who is going to be audited, how and when and be agreed by the process owner. The effective use of time is very important. Auditors should not forget that for most organizations auditing is an overhead, a cost to be borne by the organization. Therefore the organization needs to not only get value from the audit but also collect, collate and report information and other data efficiently and effectively. The audit plan should reflect this need and auditors should adopt approaches and methods that are appropriate. As mentioned early in the book these approaches may well be non-traditional in nature but will be more cost effective without distracting from the value of the audit. With the plan in place, agreed with the process owner and communicated to those being audited, it is the responsibility of the auditor to ensure that the
56
audit is carried out as planned, keeping to the timescales as shown. Sometimes in an audit the auditor will discover areas that need more investigation than the time allocated will allow or, perhaps, someone else needs to be interviewed who wasnt on the original plan. In these circumstances the plan may need to be amended and this is the auditors responsibility. It is not good practice for the auditor to either start late or to end an interview after the time previously indicated on the plan. The auditee will be expecting the plan to be followed. If the plan needs to be amended then the auditor should discuss or communicate this to the process owner or the person showing the auditor round the organization, if one is being used, in order that a revised plan can be agreed and communicated. This may include going back to an auditee to check a particular issue or to gather more information. Planning an additional interview is preferable to ignoring the original plan, however tempting this may be. The auditor needs to maintain confidentiality. This not only applies to sensitive business or organizational information but also to personal feelings and views that may be expressed by an individual or group. Clearly the auditor may well be provided with sensitive business information as part of the audit which should not be shared either within the organization itself or externally it must remain confidential. There is a temptation to share information with work colleagues but the auditor doesnt necessarily know what has been communicated and what hasnt and the reasons for this. Therefore to avoid any situations it is best to simply say nothing and use the information for the purpose for which it was given ie for the audit. This approach will avoid and prevent any difficult situations or misunderstandings. The same applies to views expressed by auditees. To assess the effectiveness and to gather information required often requires the auditors to gather views and examples from people not directly carrying out the task involved. For example lets say you are auditing the manufacturing process, then you may gather information from the sales team ie the people who generate the orders and those who dispatch products and services as well to gain their views and the impact the production process has on them. Or perhaps you are auditing an improvement process as well as auditing the people involved in the actual process or improvement you could also interview the people affected by the change to determine how effective the change has been in improving performance. In gathering these views from people outside the process being audited but affected by its impact the auditor may well be gathering views and opinions from a number of different people to create the objective evidence and to form a conclusion regarding effectiveness. These views and opinions also need to be kept confidential and not shared either with other auditees eg I was speaking to X and he said or outside the audit. If the auditor breaches this confidentiality then it is likely that the auditee will be less forthcoming
57
with information the next time an audit takes place, thereby reducing the effectiveness of the audits taking place. Auditors should focus their attention on significant issues. This does not mean that areas of detail should be ignored but that the audit should focus on what is important to the success of the process and the organization rather than areas that have little impact or significance in the overall picture. Some auditors get a reputation for nit-picking ie identifying or making an issue of small areas that in themselves have little or limited impact on performance. If the auditor is in any doubt as to whether or not an issue should be raised then think about the manager who will be receiving the report, will they be interested? Is it important to them? Collecting information is the key requirement of the audit. The information often comes from a range of sources from across the organization. The various parts of information are then added together to form a view or finding. It is often not a case of taking one piece of information in isolation but adding different data together to form the picture. Therefore a key principle is to test or verify the different pieces of information to confirm their appropriateness and accuracy. Auditors need to develop a sixth-sense to help them with knowing how often and when additional information is needed to determine or verify a finding. It is not possible to review or look at every document or piece of information used or generated by a process. In addition it is very rare that the amount of time allowed for the audit would be sufficient to interview every manager or staff member involved in the process. This is compounded by the need to gather information from those outside the process. To manage this the auditor can use sampling techniques to help determine what information is required. Although these can be scientifically- and statistically-based the auditor can also apply common sense. For example if there are six projects to look at then perhaps two could be sampled; if there is sufficient difference in the two then perhaps a third could be reviewed to confirm the finding. Or if there are 250 employees who need to have objectives and understand how they fit into the process then perhaps 10 could be interviewed for five minutes (50 minutes in total) rather than two for 25 minutes (still 50 minutes in total) to allow the auditor to gain a wider view of what is happening.
Understanding management systems and processes

As we have outlined earlier in this book and in others that make up this series, understanding what a process-based management system actually is and the principles of managing an organization by process is really important. It is not
58
the intention to revisit the principles of process management and its impact on organizational performance but auditors who do not understand the principles will not be able to audit effectively, often finding it difficult to move beyond compliance auditing. This extends to understanding how the various processes that makes up the system interact with each other and how support or reference documentation such as procedures and other information is positioned and used within the system. It would also include how resources, equipment, budgets, competence, team work, knowledge, other standards and frameworks, knowledge, environmental, health and safety and regulatory requirements, information technology, intellectual property, management ability and techniques, results, changes etc can impact on process performance. This does not have to be an in-depth understanding but should, at the very least, be an awareness of the possible impacts so that the auditor is able to form judgements on possible areas for improvement. In addition, as mentioned before, the auditor needs to have an appreciation of general business processes, what might make up such a process and how the organization has interpreted these business activities into the management system and therefore into its processes. Another impact on process performance that the auditor needs to be aware of and understand is that the organizational culture will affect both the audit and, potentially, process performance. The auditor needs to appreciate the organizational culture they are working in and work within this, modifying their auditing techniques and methods accordingly.
What professional knowledge does an auditor need?

The final area of knowledge is that relating to quality. Accepting that we have covered the business knowledge needed in other sections, this area relates to the quality-specific knowledge that needs to be understood. Quality terminology is, in effect, business terminology that we have already covered. This can be extended to include quality management principles, which are, in effect, business management principles. Where specific quality knowledge is of use is in understanding specific tools and techniques that have traditionally been used by quality professionals. Of course as the management system is process-based and as these processes cover a range of management disciplines, including quality disciplines, the auditor can expect these tools and techniques to be found or used in the appropriate processes. Examples of this could be:
59
statistical control which could be used to assist the measurement of process performance; failure mode and effect analysis which could be used in a design and development process; cause and effect analysis which could be used in an improvement process.
Understanding these tools gives the auditor a wider and deeper appreciation of how traditional quality techniques can be used to improve and support process performance.
What skills does the audit team leader need?

The need to audit processes and their management for effectiveness and compliance, particularly in larger organizations, may well mean that audit teams may be needed. In the past where compliance to procedures was the only real requirement, individuals working on their own were often sufficient to carry out an audit. This may well not be the case when auditing processes for a number of reasons as follows. Not all auditors have the same level of auditing competence. Different auditors will have different auditing experiences and skills. As processes run across the organization, inevitably auditees will occupy different positions within the business. They will have different responsibilities at differing levels with the business, different attitudes and experiences; the same auditor may not have sufficient skill to audit them all. A good compliance auditor does not necessarily have the competence to audit the effectiveness of a business planning process. Lack of confidence or experience. Although this is often caused largely by inexperience, nonetheless it is a critical factor if the audit is to be a success. A good example of this is an auditor with compliance auditing skills being asked to audit the Managing Director to determine how effective the management system is in meeting business objectives. Although in some organizations this may well be acceptable, even promoted in others, it may well place the auditor in a position where they are not going to do justice to themselves or the audit. This may simply be because they are not of the right grade, position or may not have the confidence or experience to audit a senior manager. Lack of understanding of the business and the process. To audit processes effectively auditors require an understanding of a wide range of business principles. This does not have to be an in-depth understanding but an awareness. For example it is often commented that auditors need an understanding of quality, health and safety, and environmental issues (the
60
integration myth), but what about business planning principles or how an asset is managed or how people develop skills, ie management principles and disciplines that need to come together (be integrated) in a system and the processes that support it? It is often this area that is overlooked but is probably the most important in enabling the auditor to assess effectiveness. When auditing the effectiveness of the management of a process this area is probably more important than technical specialisms. At the time of writing the focus for appointing auditors is often based on their technical competence not on their management ability. As ISO 9001:2000 is based on the effectiveness of Management to manage their organization to deliver results and to ensure customer satisfaction, perhaps organizations should now consider appointing auditors on their management ability rather than their technical expertise. With different auditors having different interpersonal skills, different levels of understanding of management disciplines and of confidence as well as auditing processes that run across the business often it is easier and more appropriate to operate in audit teams. When operating in a team someone needs to lead it and take responsibility for its direction and activities. Leading an audit team is not about technical or specialist competence in the area concerned. If it was, then Lead Auditors would indeed be a rare animal. Leading a team requires leaderships skills associated with ensuring that the audit process is run efficiently and effectively. These skills fall into a number of areas as follows. Planning the audit as we have seen auditors have different skills and may even be in different locations so the available audit resource needs to be appointed accordingly based on the process to be audited. In addition the method or approach needs to be considered. Traditionally auditing has been completed face-to-face on a one-to-one basis. To audit effectively this does not have to be the case. The auditor can use many methods including email, telephone, short questionnaires, video-conference for example, as covered in previous sections. Representing the audit team as part of the audit this will probably mean discussing and planning the audit with the process owner or Management team member. This would include agreeing who is to be audited, the scope of the audit and any particular aspects of the process that need special attention. At the end of the audit the Lead Auditor will also present/report the audit findings back to the process owner or Managing Director and agree any follow up action required. Completing the audit report as the auditing is being conducted by a team, the Lead Auditor is responsible for bringing the different strands of the audit together in order to reach conclusions. Identifying non-compliances is normally straightforward, identifying areas for improvement that will
61
enhance performance can be more difficult to agree. This often requires the team to reach consensus on what the different strands mean when they are added together. How this is achieved can vary but on occasions individual team members may disagree with each other. At this point the Lead Auditor needs to have the skill to facilitate the team to reach a sensible conclusion that will make sense to the team, the process owner and support the improvement of the organization. Coupled with this is the ability to write an audit report that is effective in portraying the findings and conclusions of the audit. The findings need to be succinct, clear and easy to understand showing what objective evidence has been identified to support the conclusions. The Lead Auditor needs to be able to justify the statements made, if required, and to enter into discussions as to how the areas identified might be resolved. The Lead Auditor should, however, be careful not to recommend actions as part of the audit. Often when reporting areas for improvement there is often a temptation to recommend how a particular issue may be resolved or improved. There may well be many ways that a problem could be resolved, some unknown to the audit team or outside the scope of their understanding. Improvements are likely to be subject to the organizations improvement process (as required by ISO 9001:2000) and it is this activity that will identify the causes and recommend solutions. Lead Auditors need to be careful with recommendations, often it is best to report statements of fact and leave the actions and recommendations for improvement to the manager concerned thats their responsibility. Managing the audit as it is progressed the Lead Auditor is responsible for managing the audit as it is carried out. This may mean resolving issues, some of which may be confrontational in nature. This can often require tact and diplomacy (hence the attributes listed in this bullet list). It may also mean identifying potential problems that could occur and taking appropriate action to prevent them from happening. Developing the auditors by their nature Lead Auditors tend to be more experienced managers as well as auditors. This experience can be used to develop auditor competence, identifying training needs and taking part in training and development activity that will improve auditor performance.
62
10. Conclusion and the way forward

What does the future hold for quality auditors?
There are many types of auditor. Auditors who are employed to audit compliance will still be required, as this approach will be needed to ensure requirements of specific detailed standards are being met. For those required to audit processes however, the future is bleak if appropriate auditing/assessment skills and techniques are not used and enhanced over time. In this book we have only covered the basic principles, and these need time and practice to be effective and for the reader to truly understand the principles involved. In other words reading the book without the practice will not build competence. Our experience shows that the development of these key skills takes time, and as competence builds so auditors create their own style and approach based on the techniques outlined. This approach has created a far more interactive and value adding approach to auditing. Auditors report that they not only find out more information quicker, but that they are also finding out value adding areas for improvement which would not have identified solely from compliance auditing. These are key skills that need to be mastered for the future. In addition auditors need to be much more business aware, with an understanding at least at an overview level of the different management skills and techniques used within an organization. This may include understanding finance, health and safety, new product development, improvement techniques, asset management and strategy and business planning for example, all of which affect either process or systems management auditing. This is not an exhaustive list and I am not saying you need to be an expert in all areas, which is impossible. But auditors will need an
Conclusion and the way forward
63
appreciation of these other areas in order to audit the joined up nature of both processes and systems and to help drive the need for them to improve and change.
Why do organizations want or need this?

For many years auditing has often been seen to add little value, providing Management with predominantly low-level information on which to base decisions. This has mainly been provided by compliance based audits or audit reports which do not provide information to Management that either stimulates the need for change or identifies risks of which they were not previously aware. But this is precisely the information that Management need and want. Auditing, both third party and internal, is a cost to organizations, and by not providing the required information that adds value, auditors will be doing their employers and customers a disservice. As importantly, they are also giving people the opportunity to reduce the importance of auditing and auditors. In such a situation, organizations quite naturally look for other solutions to their problems and if that means not using auditors in the traditional manner then so be it. Very few organizations fail to understand the need for improvement and change to enhance their performance. Auditors have a vital role to play, but only if they adopt the techniques and approaches required. As business management systems evolve, so their complexity, scope and maturity change. This is quite natural and as the management system changes so the role of the auditor will also change and be enhanced over time. This changing state will provide further opportunity for auditors but they will also require enhanced auditing techniques, methods and approaches to give Management the information they need. Welcome to the new world of auditing effectiveness and performance:
LEARN CHALLENGE CHANGE RENEW.
64
Appendix 1. Example auditor questions

With the auditing principles and techniques explained, this section seeks to provide some example questions based on the approaches used. As explained previously it is not easy to assess the effectiveness of a process or, indeed, a system, by simply following the clauses of the standard organizations simply do not always work that way. Nonetheless the examples are grouped by clause for ease of reference together with questions that could be asked to demonstrate compliance along with those which seek to test effectiveness. This is not an exhaustive list and all clauses are not covered in the detail needed, otherwise we would end up with a book of questions that is not the point. One common trend you will notice is that asking a compliance question gives a definitive answer, asking a question on effectiveness provides information the auditors job is then to add this information together to form the judgement on effectiveness. Also notice that open and closed questions can be used in both areas simply asking the question starting with what, how, where etc does not constitute skills associated with effectiveness testing.
Appendix 1
65
Table A.1 Example questions for clause 4 of ISO 9001:2000

Clause no. 4.1 Identification of the processes Requirement Question to whom Senior Management Show me the processes that make up the management system Senior Management What management information do you use to monitor the processes? How do you know that the management information you use is the correct information to control a process? Senior Management What parts of your processes are outsourced? How do you assess which parts of your process should or shouldnt be outsourced? How is this management decision made? Management What parts of your processes are outsourced? How do you know that the outsourced work is being effectively managed and controlled? Staff member What jobs are given to other people outside the business to do? How often, roughly, is work done by other people outside the organization completed wrongly or badly? Staff member What is your job? What is the impact on the customer if you dont get your job done correctly? Staff member What part do you play in the process? Staff member What do you do? How do you know if or when you have done a good job? How often do you get work that is either wrong, incorrect, needs rework or is simply confusing? 4.2.1 General Senior Management Are procedures documented? Do you have a quality manual? Is there a statement of quality and objectives? How did you determine what method and approach is of most benefit to your organization? How do you know the correct processes have been identified? Compliance question Effectiveness question
66
Clause no. 4.2.2
Requirement
Question to whom
Compliance question
Effectiveness question
Quality manual
Senior Management/ Management
Do you have a quality manual? Show me your quality manual? Does it contain the right information outlined in the standard?
What is the purpose of the manual? How is it used on a routine regular basis? How is its content translated into everyday activity? Why is it written the way it is? How does the manual support the objectives of the organization and its image with the customer?
Staff
Do you know where to find the manual? Show me the quality manual?
What is this organization trying to achieve? How does the organization work? How do we all work together to deliver results? How do we improve things in this organization?
4.2.3
Document control
Management/staff
Do you approve documents prior to issue? Do you have a procedure? Show me how you control the version Etc
How often do you find that you use the wrong information or documents in this organization? (ask many people to build up a picture) Do you ever think that you use out-of-date information? How do you know you are using the most up-to-date information/documents?
Appendix 1
67

Clause no. 5.1 Management commitment Requirement Question to whom Senior Management How do you demonstrate that you are committed to the development and implementation of the management system? Staff member Are Management committed to the management system? Or: How committed are Management to the management system in this organization? When was the last time you saw/heard your Manager concerned with meeting the customers needs? What was this? What was the impact of these statements on you and your colleagues? How do you know that the approaches you use to demonstrate commitment are effective? Compliance question Effectiveness question
Compare the answers given by both Management and staff and identify any inconsistencies. 5.2 Customer focus Senior Management How do you focus on the needs of the customer? How do you prioritize the needs of different customers and other stakeholders? We cant satisfy everyone 100 per cent of the time, so how do you manage this? How is this information used to set business objectives? How do you validate the information to ensure it is correct, (otherwise your objectives could be incorrect)? Senior Management/ Management How do you identify customer needs? How do you know that the process for identifying customer needs is effective? Senior Management/ Management What process do you have to identify what customers needs are? What is your role in this process? How are customers needs translated into objectives that are subsequently measured by customer satisfaction activity? How does it all link together?
68
Clause no.
Requirement
Question to whom Senior Management
Compliance question
Who is responsible for this process?
How is this process managed, controlled and improved on a continual basis?
5.3
Quality policy
Senior Management
Show me your policy?
What factors did you consider in determining the policy details?
Staff member
Do you know what the quality policy is or where to find it?
What is important to this organization? How important is it that you do a good job to you, to the customer, to the organization? If there was one thing that this organization had to achieve, what would it be?
Senior Management
Has the policy been communicated? How?
How do you know that your employees understand the policy and what it means to them?
5.4.1
Quality objectives
Senior Management
Do you have quality objectives?
How do you know the objectives are correct?
Who created the objectives?
How do you know that the Management agree with the objectives set?
Are the objectives measurable?
How were the measures selected? How do you know that these are actually achievable?
How many objectives are there?
How do these objectives complement and support each other to move the organization forward? How do you know that they jointly deliver everything you need to do as a business?
Link the answers to these questions with those given in answer to subclause 5.2. Do the answers link? Do they make sense?
Appendix 1
69
Clause no.
Requirement
Question to whom Management
Compliance question
What are your objectives? Are they measurable?
How do you know if your objectives link to those of the organization? How were the objectives created?
5.4.2
Quality management system planning
Senior Management
Is the management system designed to meet the objectives of the business? How do you maintain the integrity of the management system?
How do you know that the management system has been designed to meet the objectives set? How do you ensure that the integrity of the management system is maintained so that customers are not adversely affected during changes?
5.5.1
Responsibility and authority
Senior Management
Are responsibilities and authorities defined?
How are responsibilities communicated? How do you know if these responsibilities are being applied correctly? How do you reallocate/reduce responsibilities when needed?
5.5.2
Management representation
Who is the Management Representative? Show me what you do (to the Management Representative)
Who in the Management team champions the management system? How effective is the Management Representative in helping the organization to understand how it delivers results and improves business performance?
5.5.3
Internal communication
Senior Management
How do you communicate results to the rest of the organization?
How do you know that the communication methods you use are effective?
70
Clause no.
Requirement
Compliance question
How do you communicate results to your staff?
How do you translate the organizations results into information that directly applies to your staff rather than corporate/business speak? Does your manager provide you with information on business performance that directly applies to you?
Staff
How well is the organization performing? Do Management communicate to you on this subject?
Does the information you are provided with mean anything to you? Does the information relate directly to your job? How can you influence these results?
5.6
Management review
Do you hold a management review? What do you look at? What are the results of the review? How do you record the actions from the review?
How do management review the performance of the business? How effective are these methods? How do you know the actions agreed are aimed at delivering the organizations objectives? Are discussions at reviews based on improving results? What subject areas are discussed? How do they relate to the performance of the business and its objectives? What factors do you use to prioritize improvement activity?
Appendix 1
71

Clause no. 6.1 Provision of resources Requirement Question to whom Senior Management/ Management Do you allocate resources? How do you manage resources? What resources do you need? How do you know the resources you use are aligned to the delivery of the business objectives? How do you know that the resources required contribute to satisfying customer needs/ requirements? 6.2.1 General Senior Management/ Management How do you recruit people who are competent? How do you manage peoples competences? How do you balance the need for procedures with peoples competences? How do you know the balance between training and competence and the need for procedures is correct and effective? How do you know your peoples competences are sufficient to deliver the business objectives? Staff What resources do you use? If there was one thing that would help you do your job better what would it be? 6.2.2 Competence, awareness and training Management Have competences been defined? Are training needs identified? Do you evaluate training interventions? Do you have training records? How do you communicate the importance of your staffs activities in meeting objectives? How do you make them understand this? How do you know the correct competences have been defined? What methods do you use to evaluate training and how do you know when to use each? How do you prioritize someones learning/training needs? What support do you give that allows staff to apply what they have learnt in the workplace? How do you know how effective this support is? How do you know that you have effectively communicated personal objectives to staff? Compliance question Effectiveness question
72
Clause no.
Requirement
Question to whom Staff
Compliance question
Has the organization defined the competences you need to do your job? Do you understand how important your activities are?
Do you think the competences defined for your job are correct? How good are Management at reviewing your competence and identifying where you can improve? In your view is training delivered generally too late or too early on occasions? After you have received training does someone test or check to see that you can apply the training you have received? How do your activities help this business achieve its overall goals and objectives?
6.3
Infrastructure
Management
What equipment/assets do you have? How is this equipment managed and maintained? How is the equipment purchased? Do you back up IT systems? What processes do you have to manage all your resources? Does your process cover acquiring, commissioning and decommissioning an asset? What approvals are gathered for asset purchase?
How do you know that the equipment is capable of delivering the objectives? How do you know that you have purchased and commissioned the most appropriate equipment? How do you assess the effectiveness of your disaster recovery plans should your infrastructure fail? How do you optimize the performance of your infrastructure resource? How do you know that approvals for asset purchases follow the agreed governance rules for the business?
Staff
What equipment do you use? How is the equipment maintained?
How efficient is the equipment you use? How quickly is it repaired should it breakdown? How often does equipment failure affect your production/ service delivery?
Appendix 1
73
Clause no. 6.4
Requirement
Question to whom
Compliance question
Work environment
Management
What do you consider to be your working environment? How is the working environment managed? What legal and regulatory requirements do you need to follow?
How do you know when to make a new investment in the working environment? How do you measure the impact of the working environment on peoples motivation to work here? How do you know that the working environment supports the delivery of process and product requirements?
Staff
What is it like working here? If the working environment could be improved how would it be? Do Management ever ask for your opinion on the acceptability of the environment to deliver what customers need? Does the environment you work in affect your performance and the quality of what is produced?
74

Clause no. 7.1 Planning of product realization Requirement Question to whom Management What are the processes for product realization? How do these processes operate? How do you know the correct processes have been identified to meet the objectives set? How do you know that the planning is an appropriate form for the business? How has this been tested to maximize the operational performance of the organization? 7.2.1 Determination of requirements related to the product Management How do you determine what customers require? What statutory and regulatory requirements relate to the product/service? What non-stated requirements are there? How do you know you have determined the customers requirements correctly? How good do you think you are at identifying what your customers needs really are? How effective is the business at ensuring you dont fall short of regulatory requirements? Staff How do you identify customers needs/ requirements? How good do you think you (the organization) are at identifying what your customers needs really are? 7.2.2 Review of requirements related to the product Management How do you review the organizations capability to deliver what the customer requires? Show me the details. Staff How do you know you are capable of delivering what is required? 7.2.3 Customer communication Management How do you communicate information to customers? What provision have you made that allows customers to raise queries or provide you with feedback? How much wasted work is carried out in this organization as a result of you, or the customer, changing what is required? How often do you find that you cant actually deliver what you have agreed to? How do you know that customers know how to communicate with the organization effectively? How has this type of communication from the customer affected what you do in the past six months? Compliance question Effectiveness question
Appendix 1
75
Clause no. 7.3.1
Requirement
Question to whom
Compliance question
Design and development planning
Management
How do you plan the design and/or development of a new product or service? What resources do you need?
How do you optimize the use of resources you have available to you? How do you prioritize different projects? How do you know that your limited resources are being used in such a way as to maximize the benefit to the organization and its customers?
Staff
How are new designs/ developments carried out?
Do you think that the organization knows which projects are more important than others? How often do you get torn between the needs of different projects and dont know which to do first?
7.3.2
Design and development inputs
Project Manager
What factors do you considered when designing/ developing a product or service? What legal and regulatory requirements are important?
How do you know the design inputs have been identified correctly? How often do you find, when testing a product or service, that the design inputs have not been identified correctly?
Design/ Development Team
What factors do you considered when designing/ developing a product or service? What legal and regulatory requirements are important?
How much wasted effort do you think takes place on design and development work? Do you think you are careful enough when you design or develop products and services? How many changes are made to design/development outputs before they are correct and can be used? How do you know that the design/development outputs are relevant and appropriate to the needs of the rest of the business?
7.3.3
Design and development outputs
Project Manager
What design/development outputs do you have? Do they contain the required product acceptance criteria?
76
Clause no.
Requirement
Question to whom Design/ development team
Compliance question
What design/development outputs do you have? Do they contain the required product acceptance criteria?
Can you give me an example of when the design/development outputs have not been understandable? How relevant are the design/ development outputs to your job? Do they provide you with the information you need?
7.3.4
Design and development review
Project Manager/ project team
How often do you hold reviews? What is the purpose of these reviews? Who attends these reviews? What happens at these reviews?
How often are agreed deadlines for actions missed? Why is this? How are disagreements or concerns on the way forward resolved quickly and to the benefit of the business? Compared with your competitors how good are you at getting products to market?
7.3.5
Design and development verification
How do you test products and services to check that you have designed what you were supposed to design? What records do you keep?
How often do you identify problems found with products and services after they are released? How do you balance the need and risks to get the product or service launched with making it perfect?
7.3.6
Design and development validation
How do you test products and services to check that you have designed something that meets the original customer or market needs?
How do you know that customer requirements have been met when you are designing the product and services? How do you know that the changes to designs or developments will have the desired results?
7.3.7
Control of design and development changes
How are changes incorporated into designs/ developments?
Appendix 1
77
Clause no. 7.4.1
Requirement
Question to whom
Compliance question
Purchasing process
Purchasing Manager
What is the purchasing process? How does the process work? Show me the process working
How do you know that the suppliers you use continue to contribute to the delivery of business objectives? How do you know that you provide sufficient information to your suppliers, not too much but not too little? How do you know that your suppliers are managing their business in an efficient and effective manner? How do you assess this?
7.4.2
Purchasing information
Staff
What purchasing information do you include on purchase orders? What quality management system requirements do you insist upon?
7.4.3
Verification of purchased product
Management
How do you ensure that the purchased product and services are what you ordered? What actions do you take to check that the goods you receive are OK?
How do you reduce the risk of bought in goods and service failures on what is provided to your customers?
7.5.1
Control of production and service provision
Management
How do control operational activities to ensure consistency and conformity of the service or product? What work instructions, control plans or schedules do you use to control operational processes?
How do you plan the way in which operational activities are performed to provide sufficient controls? How do you control the risks of operational activities in meeting customer requirements?
Staff
What information do you have to help you do your job? Have you been trained to do your job? Have you got the right equipment to do your job?
How do you know that what you are doing meets your customers requirements? What are the greatest risks to not achieving your customers requirements and how do you control them? How do you know you have met your customers requirements?
78
Clause no. 7.5.2
Requirement
Question to whom
Compliance question
Validation of processes for production and service provision
Management
Demonstrate the validation methods in place to control processes you cannot readily or economically verify? How often to revalidate the process controls?
How do you control any processes you cannot readily or economically verify? How do you know the validation methods you use are effective?
Staff
How do you test the process?
How do you test the process to ensure it meets customer/ product requirements? What are the criteria you use to measure process performance?
7.5.3
Identification and traceability
Management
Do you identify products? How do you identify products?
How have you determined to what extent identification and traceability of the product is required? How do you know the controls for product identification and traceability are effective?
Staff
Show me how products are identified? Can you find this xyz product for me?
What problems does poor identification cause you and how do you control this?
7.5.4
Customer property
Management
Do you use customer property in the process? How are problems with customer property reported back to the customer?
How do you know when customer property is used in the process? How is customer property identified and protected? When problems arise with customer property how do you deal with them and ensure the problem does not arise in the future?
Staff
When do you use customer property? Show me how you protect customer property
How do you report problems with customer property? What happens when you report a problem?
Appendix 1
79
Clause no. 7.5.5
Requirement
Question to whom
Compliance question
Preservation of product
Management
Show me how the product is protected
How is conformity of the product to specified requirements maintained throughout the entire process?
Staff
Show me how the product is stored Show me how the product is identified Show me how the product is handled
How do you know that the product is adequately protected during all stages of the process?
7.6
Control of monitoring and measuring devices
Management
Have you identified all monitoring and measuring equipment? Has the equipment been calibrated to a recognized standard, eg NAMAS approved? Show me the records for monitoring and measuring equipment Is the product recalled and retested when a piece of monitoring or measuring equipment fails calibration?
How do you determine what monitoring and measurement is required? How do you know the results of the monitoring and measuring can be relied upon? How is monitoring and measuring equipment checked? What do you do when a piece of monitoring or measuring equipment fails calibration?
Staff
What equipment do you use to monitor and measure product or process performance to specified requirements?
How do you know the monitoring or measuring equipment you use is working correctly?
80

Clause no. 8.2.1 Customer satisfaction Requirement Question to whom Management Do you measure customer satisfaction? How do you measure customer satisfaction? What do you do with the information you get from measuring satisfaction? How do you know the methods you use are effective in gathering the information you need? How do you know that the questions you ask/information you seek is the right information? (Compare this to the answers from 5.2) 8.2.2 Internal audit Senior Management Show me your audit schedule/programme? How do you know when to audit each process given the business risks your organization faces? Management Are the auditors independent? Have you trained your auditors to audit effectively? Can I see your audit reports? Are non-compliances addressed in a timely fashion? How do you allocate auditors based on the purpose of the process and competence required? How do you train your auditors to understand other business management disciplines such as budget control, marketing, team working etc? How do you know the audit reports are providing you with the information you need to support the management of the business? How does the auditing add value to the business? How have you addressed the business impact of the noncompliance? Compliance question Effectiveness question
Appendix 1
81
Clause no. 8.2.3 and 8.2.4
Requirement
Question to whom
Compliance question
Monitoring and measurement of processes and product
Show me your measures
How do you know these are the correct measures? What is the information telling you?
Show me the trends in performance Show me the targets for each process
How do you know that the information is accurate? How do the measures link to the business objectives? How do you manage the process and identify cost and waste efficiencies? Give me an example.
Staff
Show me the results you achieve
What is this information telling you? How can you influence these results?
8.3
Control of non-conforming product
Management
Show me the procedure to control non-conforming product? How do you make sure non-conforming products do not get used accidentally? Do you keep records of non-conforming products?
How do you know that nonconforming products are not reaching the customer or being used? What is the impact on the business if they are released accidentally? Why do you need records? What do you do with them?
Staff
Show me the procedure to control non-conforming products How do you make sure non-conforming products do not get used accidentally? Do you keep records of non-conforming products?
How often do you release non-conforming products but dont record it for operational reasons? What is a non-conforming product? How do you know that you handle all non-conforming products the same way?
Then compare the answers from Management and staff to make a judgement.
82
Clause no.
Requirement
Compliance question
How do you handle product recalls?
How do you know that any product recall would be handled to protect both the customer and the image of the organization?
8.4
Analysis of data
Management
Do you analyse performance? How do you analyse performance? Does the information include data on customer satisfaction? Does the information show trends in performance against targets?
How do you identify improvements that maximize the benefit to the business? How do you make recommendations for improvement based on the results achieved? How do you monitor the impact of improvements on the results achieved?
8.5.1
Continual improvement
Is there a process for continual improvement?
How do you know that improvements made are managed and controlled? How are appropriate people involved in improvement activity? How do you know that an improvement doesnt have an adverse impact on other activity?
Staff
What improvements have taken place? Have you been involved?
Have improvements made helped you do your job better/ made it easier? Does this organization learn from its mistakes to make things better next time?
Customers
Has this organization improved?
How effective do you think the organization is in improving what it does?
8.5.2
Corrective action
Management
Have you got a procedure for corrective action that covers the areas of the standard? Do you keep records of corrective actions?
How do you know everyone deals with processing/product errors or mistakes in the same way to protect the organization and its customers?
Appendix 1
83
Clause no.
Requirement
Question to whom Staff
Compliance question
What is a corrective action? What do you do with a processing/product error or mistake?
How often does this take place? Do you think we make too many mistakes that are really unnecessary? How do you know the correct business risks have been identified and actions put in place to reduce these risks?
8.5.3
Preventive action
Management
Have you got a procedure for preventive action that covers the areas of the standard? Do you keep records of preventive actions?
84
1. Establish business objectives
2. Audit planning
Managment system documents ISO 9001:2000 ISO 14001 legal and statutory requirements
3. Carry out audit/ verify action
4. Record observations
5. Generate audit report
8. Action taken
Yes
6. Action required?
7. Responsibility and timescales agreed
No
9. Close audit
Figure A.1 Example of a typical internal audit process (flow diagram and procedure)
Business first/Standards second The context
85
Table A.6 Example procedure

1. 1.1 PURPOSE AND SCOPE The purpose of this procedure is to ensure the companys operational activities are being carried out in accordance with the requirements of the management system and to monitor compliance to external standards, including legal and statutory obligations. Where omissions are highlighted this procedure ensures that appropriate timely action is taken in order to correct the situation. 2. 2.1 AUDIT PLANNING With reference to the current business objectives, previous audit results, and the importance of the processes to be audited, the Management Representative is responsible for generating an annual audit plan covering all relevant elements of the management system. 3. 3.1 AUDITING Audits are carried out by the assigned auditor using the following documents as the criteria to audit against: current management system documents, externally originated standards (e.g. ISO 9001:2000, ISO 14001, etc), legal and statutory requirements, as appropriate. 3.2 During the audit the emphasis is placed on the witnessing of objective evidence to verify that the management system procedures meet the requirements of any appropriate externally originated standard and/or legal and statutory requirements and that they are being effectively implemented. 3.3 Any observations made during the course of the audit are recorded by the auditor in the form of notes or on the Audit Checklist document. 4. 4.1 REPORTING If an opportunity to improve or a problem is identified during the audit the auditor will endeavour to agree suitable action and timescales for its completion, with the most appropriate individual(s). 4.2 At the end of the audit the auditor completes an audit report detailing their observations and any action that may be necessary, including responsibility and timescales for completion. 4.3 The completed audit report is circulated to all staff responsible for taking the action. It is their responsibility to carry out the appropriate action by the agreed completion date. The Management Representative retains the original report. 5. 5.1 VERIFICATION OF ACTION The action is verified by the Management Representative as part of the ongoing audit plan for that activity or separately, as appropriate, to ensure that it has been completed effectively. 5.2 When satisfied that the action has been completed and is effective the Management Representative signs the audit report to close it.
Table A.7 Example audit schedule for an organization with three locations
Jan W+T W+T W+T W+T T T T T T W+T W W C C T T W W C C T T Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Process
Managing Contact Centres
New Business
Client Service
Client Service Operations
Contact Centre
Managing Contract Assignments
New Business
Client Service and Client Service Operations
Contract Recruitment
Managing Tactical Assignments
Managing Information Systems
Managing Land D Services
Managing and Developing People
Managing Finances
Managing Facilities
Marketing
NOTE This audit schedule example is taken from an organization operating over three sites in Warrington, Thame and Crawley, hence the W+T+C, which indicate the
specific location to be audited.
87
References
International standards
ISO 9001:2000, Quality management systems Requirements ISO 19011, Guidelines for quality and/or environmental management systems auditing ISO 14001, Environmental management systems Specification with guidance for use
Other books in the process management series

HPO (2003) Understanding ISO 9001:2000 and Process-based management systems, London, BSI HPO (2003) Creating a process-based management system for ISO 9001:2000, London, BSI
88

Process Management Auditing

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Process Management Auditing

Încărcat de

Drepturi de autor:

Formate disponibile

Process Management Auditing for ISO 9001:2000