Process Management Auditing for ISO 9001:2000 Understanding ISO 9001:2000 and Process-based Management Systems Creating a Process-based Management System
British Standards Institution Process Management Auditing for ISO 9001:2000 First published 2003 The HPO Ltd 2003 ISBN 0 580 41547 3 BSI reference: BIP 2015 A catalogue record for this book is available from the British Library. Copyright subsists in all BSI publications. Except as permitted under the Copyright, Designs and Patents Act 1988 no extract may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, photocopying, recording or otherwise without prior written permission from BSI. If permission is granted, the terms may include royalty payments or a licensing agreement. Details and advice can be obtained from the Copyright Manager, British Standards Institution, 389 Chiswick High Road, London W4 4AL.
Contents
0. Introduction
We introduce the challenge that auditors face to develop the competences required to effectively audit against the new ISO 9001:2000 standard and the ever increasing demands of business for auditing activity to add more value. We examine the opportunities available for the forward thinking auditor.
1. Putting the process approach into context
A quick overview of the process approach to ensure that we have a common understanding of the basic terminology before developing our auditing skills, knowledge and competences.
2. The requirements of ISO 9001:2000 - an auditor's perspective
The eight key principles of ISO 9001:2000 and the Plan-Do-Check-Act methodology are the basic techniques that form the foundation of the effective auditor. A clear understanding of these and how they can be applied to a business will help the auditor structure their auditing approach both at system and process level.
3. The system-process-procedure relationship
The primary role of a process management auditor is to discover to what extent the process is being managed and what effect this has on the achievement of business objectives. Before we can undertake any process management audit we must first appreciate how a management system works and the interactions that go on between the overall system, processes and procedures.
4. Auditing tools and techniques
With the fundamentals that make up a management system understood, we now turn our attention to the detail of how you should actually conduct an audit, starting with the tools and techniques that can be employed.
5. Planning and preparing a process audit
Auditing is 80 per cent preparation and 20 per cent actual auditing, which sounds like a bit of an old wives' tale until you actually carry out an audit and then you realize just how true it is!
6. Carrying out a process audit - compliance vs. effectiveness
Starting with the Managing Director will help put the process and system into the context of the business that you are auditing. Once this often daunting step is completed it will feed the auditing of the process owners and teams in order to assess the effectiveness of the management system in relation to the business objectives.
7. Identifying and reporting findings - moving beyond compliance
What are the objectives of your audit report? A straightforward enough question, but how many auditors actually ask themselves this before they write and present their report?
8. Assessing improvements
The auditor's role is not to identify how improvements should take place or what the organization should do. It is to provide information to Management on areas of risk or where opportunities for improvement exist with an explanation that outlines the potential impact on the organization if these are addressed.
9. What personal attributes do auditors need?
Auditing is a skill and like any other skill needs practice to hone it. It involves an ability to evaluate or learn from the experience, subsequently changing the auditing style or approach to add more value to the activity.
10. Conclusion and the way forward
In this book we cover the basic principles of auditing, and these need time and practice to be effective for the reader to truly understand the principles involved. In other words reading the book without the practice will not build competence. We outline ways in which auditors can further build their competence in order to add more value to organizations.
App.1 Example auditor questions
This appendix seeks to provide some example questions based on the approaches used. The examples are grouped by the relevant ISO 9001:2000 clause for ease of reference, together with questions that could be asked to demonstrate compliance along with those which seek to test effectiveness.
0. Introduction
Has something changed?
December 2000 saw the release of the new ISO 9001:2000 standard and started the clock ticking for organizations already registered to its 1994 predecessor to make the transition to the new standard by 15 December 2003. At the same time the clock also started ticking for auditors to become competent to audit against this new standard. There has been a mixed response since the issue of ISO 9001:2000 from both businesses and auditors alike. Businesses have welcomed the new standard and as a result have questioned the role internal and external auditors should play in auditing to the new standard and stressed the need for more added value to the service auditors generally provide. Auditors on the other hand have also welcomed the new standard but many have not noticeably changed their approach to the audits they conduct. The result of this is a virtual stand-off between auditors and business which has left people feeling confused and in many cases extremely frustrated. This book is aimed at people who wish to cut through this confusion and gain a better understanding of the overall approach required for process management auditing using ISO 9001:2000. This book attempts to explain: what business should expect from auditors; what auditors should expect from business; the actual role of an auditor in today's process-driven business environment; the key competences required to audit process management.
If either of these two factors is missing then the value of auditing to the business is significantly reduced (see Figure 0.1).
What is a management system? A framework of business processes working together to achieve the stated business objectives, and customer and other stakeholder needs.
The example in Figure 1.1 is taken from a real organization and describes, at a high level, the processes that go to make up its overall business management system. It is pertinent to the organization itself and uses a language and layout that can be easily understood by customers and staff alike. Typically this would be described in the organization's quality manual.
The process, a definition: An activity or series of activities that convert(s) an input into an output (adding value through the process).
[Figure: process labels - Managing projects; Supplying parts; Managing service support]
Process management, a definition: The effective control of a series of activities that converts inputs into outputs whilst both adding value and continually improving its performance.
Put another way, if we are to manage a process effectively we need to plan and implement its delivery using the appropriate equipment, knowledge, etc and measure its performance against targets. These performance measures are based on the purpose of the process and by measuring against these we can identify gaps in performance, which can form the basis for improvement activity. The aim is to analyse the actual results achieved (compared against the target), to
learn from the information and trends created and to use information as a basis for actions for change or improvement. More details on process management and indeed systems thinking can be found in books 1 and 2 of this series (for details on these, see the References chapter at the end of this book). As a process management auditor we need to test how effectively this is taking place!
[Figure: process flowchart with an "Approve?" decision (Yes/No); roles shown: Directors, Operations Director, Operations Manager]
develop its business plan and/or objectives; define and implement its core and support processes; establish its key performance indicators or measures; analyse its performance and make improvements in order to achieve its business plan and/or objectives.
As an auditor you have to understand these principles in order to carry out a successful audit and maximize the value of your audit report to the organization. The principles above relate to a system and are tested by carrying out a systems management audit. In this book we are concerned with process management audits and therefore the principles are at a lower level but still follow the same general approach, to: understand the purpose of the process; understand inputs and outputs and the objectives of the process; define the steps or activities of the process; establish process efficiency and effectiveness measures; analyse process performance and make improvements based on this.
The audit report is for Management use as information to help highlight improvement opportunities and to identify risks to the business. The Management are more likely to respond positively to your report if it is business focused, as they can clearly see the benefits to the business on making any improvements recommended.
Principle: What it means
Systems approach to management: Identifying the individual business processes and ordering them so that they deliver results and objectives efficiently and effectively.
Continual improvement: Improving business performance should be the objective of any organisation; it must improve and change over time.
Factual approach to decision making: Effective decisions are based on information that has been analysed and not purely on a feeling of what needs to be done.
Mutually beneficial supplier relationships: Enhanced value is created by working closely with suppliers that can affect your deliverables and not against them; it is really a case of 1 + 1 = 3!
the detail of ISO 9001:2000 seems obvious, but experience to date highlights the fact that the majority of auditors do not grasp these basic principles. As a result, there are huge variations in the perception business has of what ISO 9001:2000 is about and the value that effective auditing can bring to them.
[Figure: two successive Plan-Do-Check-Act cycles (Plan 1, Do 1, Check 1, Act 1; Plan 2, Do 2, Check 2, Act 2), with the label "The future"]
improvement activities; people involved in the process.
If you test those areas listed in the paragraph above then you are also going to be testing the following clauses of ISO 9001:2000: 4.2 Documentation requirements; 4.2.1 General; 4.2.3 Control of documents; 4.2.4 Control of records; 5 Management responsibility; 5.1 Management commitment; 5.2 Customer focus; 5.3 Quality policy; 5.4.1 Quality objectives; 5.4.2 Quality management system planning; 5.5.1 Responsibility and authority; 5.5.2 Internal communication; 5.6 Management review; 6.1 Provision of resources; 6.2 Human resources; 6.3 Infrastructure; 6.4 Work environment; 7 Product realization; 8 Measurement, analysis and improvement.
Put it another way, a business does not operate as a series of unconnected sections so therefore it must follow that you cannot audit it as a series of separate sections. Understanding the key principles of ISO 9001:2000 allows you to be more relaxed in your audit approach. Instead of worrying about the detailed compliance to every single section in ISO 9001:2000 you should be looking for the application of the principles. You are then able to assess the effectiveness of these linkages and the effect they have on the performance of the process, ie what they are designed to deliver.
A question of compliance?
Compliance with what? Does it comply with: the six mandatory procedures (see the next list)? the eight principles? the PDCA cycle?
The meaning of the word compliance conjures up images of rigid procedures that must be worked to by the letter. However, when you read ISO 9001:2000 it refers to the need for documented procedures in only six places. These are for: control of documents; control of records; internal audit; control of nonconforming product; corrective action; preventive action.
You must assume from this that ISO 9001:2000 is effectively allowing an organization to decide for itself what, if any, activities it provides written procedures to support. Going back to our question of compliance, then yes, this is obviously very easy to check as the evidence will be in the form of documented procedures for the six areas identified above. We can check that they are being applied, thus complying with the requirements of ISO 9001:2000. So what happens if the organization decides not to document any other procedures to support its process activities, can it still comply with ISO 9001:2000? The answer is very clearly yes, provided it can also demonstrate compliance with the eight principles and the PDCA cycle.
think how can I assess this? This is a question that is hopefully answered in subsequent chapters of this book. Examples of documented objective evidence: signed purchase order; up-to-date customer account file; log of approved orders; delivery note; customer complaint letter and corrective action plan; audit report.
Examples of non-documented objective evidence: process staff members knowing how they contribute to the achievement of a maximum 30 second customer waiting time; process owner knowing the current performance of their process; process staff knowing the current performance of their process; an improvement project that contributed to increasing on-time delivery; process performance indicators that relate to purpose of the process and/or business objectives; management and staff both being able to identify who the customer is and what their requirements are; people at all levels having the ability to contribute to business improvement.
The intent of ISO 9001:2000 is not to force an organization to simply comply with its requirements but to do it in a manner that adds value to the business, thus this is the approach you as an auditor need to take. Not just trying to put a tick by all the clause headings of ISO 9001:2000, but investigating how they work to benefit the organization.
Subsequent sections of this book will cover in more detail how to prepare for and carry out an interview with the Managing Director, but in the meantime here are some things for you to think about. How will you cope with this challenge? What questions will you ask the Managing Director? Why will they be interested in talking to you? Can you audit them in just 15-30 minutes?
As the evidence of compliance may not be documented and will almost certainly be more subjective, so increasingly the auditor needs to test the communication between senior managers and staff, in an effort to discover how focused the organization really is on the eight principles and the PDCA cycle. This will be the real test required to determine the level of compliance with ISO 9001:2000.
As an auditor, you will not be able to answer these questions without knowledge of the business. That knowledge can come from either working for the organization in question or from the responses you get during the course of the actual audit. Either way you have to make certain judgements about how you will audit and what you will ultimately report back to the organization. ISO 9001:2000 is unique in this way, it can take account of the maturity of the management system and allow an auditor the ability to use their judgement to determine not only whether the basic principles are being applied, but also to what extent the business is using them to drive itself forward. No two organizations are alike, and indeed, organizations will mature over time. An audit therefore needs to take account of its maturity if it is to help it to keep improving over time.
[Figure: labels - ISO 9004; 8 principles; PDCA cycle; ISO 9001; Maturity]
Management system
The management system defines the overall scope of the business, which is in turn supported by any number of processes that require management, which in turn are supported, where appropriate, by procedures, as shown in Figure 3.1. Defined by Senior Management and owned by the head of scope, typically the Managing Director, the management system is a visual representation of an organization's processes needed to deliver the business performance at the highest level and contains everything from business planning through to developing staff.
[Figure: three levels. Management system: overall management system organigram, owned by head of scope, typically the Managing Director (MD)/Chief Executive Officer (CEO); measures overall business performance. Process: the "what we do" level, owned by Process Owner; measures overall process performance. Procedures.]
Process management
Related directly to the management system are the processes themselves, which exist to convert input requirements into customer output requirements through a series of value adding activities. In other words they provide the mechanism that allows the organization to achieve its objectives, with a focus on how the different departments within the organization work together towards this aim. Just by having processes does not ensure that the business will achieve its objectives. They need effective management and it is this process management that you need to focus on when auditing. To be able to do this effectively you
first need to understand how processes should be managed in a manner that supports the business in the achievement of its stated objectives. Too many auditors audit processes in isolation, failing to make the vital connections between business objectives and process outputs and measures. Failure to make these connections will result in an incomplete, inadequate and non-value-adding audit. It's rather like checking a route map without knowing where you are trying to get to: all a bit pointless. You need to be thinking about asking the process owner the following questions. What is the purpose of this process? How does it contribute to the organization achieving its business objectives? Are there process performance measures? Do the measures relate to the objectives/are we measuring the right things? Is the performance known and are effective improvement actions in place?
There are many more questions related to assessing process management but hopefully you can begin to appreciate that to be a successful auditor requires considerable skill and competence. These skills and competences need to be in different areas than have been required in the past in order to make the required connections and identify issues worthy of reporting.
Procedures
This is often a very difficult concept for many people to come to terms with. ISO 9001:2000 allows organizations the freedom to decide for themselves to what extent they have documented procedures, whereas the 1994 version of the standard required virtually all operational activities to be documented. There is a certain reassurance one gets from having things documented and there is no doubt that having documented procedures does make compliance auditing possible. In themselves, however, procedures do not help us to carry out an effective process management audit. So when you are auditing the activities within a process itself you should be thinking about asking the following questions. What risks to the process are there by not having procedures documented? If the risks are high, has the organization considered them and chosen an alternative way to reduce them, such as training? If there are procedures are they adequate for the risks they are controlling? Do the procedures add value or just increase bureaucracy?
The process owner should have considered what, if any, procedures are required to support process activities. Your role is to help the process owner by confirming they have got it right or identifying any potential risks they may have overlooked. You will be working in partnership with them to improve both the potential and actual performance of the process.
[Figure: labels - System level; Process level; Procedures; Compliance level]
Auditor tools
There are basically two tools that should be used in both preparing for and carrying out a process management audit (see Figure 4.1, Figure 4.2 and Table 4.1). Neither of them is complicated and in fact they are just plain common sense. Both, however, require the auditor to understand how a business works through its processes in order to use them effectively. This is one of the key competences of a successful process management auditor. Once you understand them, they are so powerful that you can apply them to any process within any business, regardless of industry sector.
and needs to be based on the needs of the auditee not the auditor. It needs to be in the language used by the people within the organization itself.
Consequently the evidence provided by people being interviewed will also be appropriate for the level within the process and will almost certainly be mainly non-documented and subjective. Auditor tool 2 follows a similar theme but extends to include those things that support the process in terms of: the competence of those working within the process to effectively carry out their tasks; the resources needed for process activities to be performed adequately; the knowledge and information needed to effectively carry out activities within the process; the budget for the process that takes account of the likely future demands on the process.
These influences or constraints shown are only examples and in reality there may well be others. What you are looking for is anything that affects performance of the process, and can come from any management discipline. Process management auditors therefore need a basic foundation in a range of business activities and disciplines. For example, how can an auditor assess or make judgements on someone's competence if they have no understanding of human resource management principles?
[Figure: process diagram labels - Inputs; Activity (x4); Outputs; Procedures; Competence; Knowledge; Resources; Budget; Risk; Measure; Monitor; Improve]
Auditing techniques
Questioning
Taking each box of auditor tool 1, let's look at each one in turn and try to work out the most appropriate question to ask. As we go through each box we will, in addition, include all the elements from auditor tool 2. The end result will be an audit checklist you will be able to use to prepare for and to audit most processes. You may well be able to come up with other areas and issues to raise; whatever they are, they need to test the effectiveness of the process. As you go through the steps in the cycle you may well be able to identify areas where you need to dig a bit deeper, asking more questions and testing any compliance issues that may become apparent. Inexperienced process management auditors tend to stay in the detail of compliance once they are in it. The art is to keep the cycle in mind as you carry out the audit and dip into the detail as required, coming out of it to move on to other parts of the cycle in order to build the links. It is not easy at first to make this change, but once you've done it a few times it will become much more second nature.
Questioning techniques
The questions detailed above need to be thought about and tailored to suit the individual being interviewed and the level at which they support the process. For instance, asking an operator carrying out a process activity if they know what the organization's business objectives are would often be pointless in many organizations as the operator would more than likely think you were talking a foreign language! But beware that this is not always the case and, importantly, use your own knowledge of your own organization to get the language right. As an auditor you have to consider what is the most appropriate question to ask and in this case it might be asking the operator who they consider is their customer and how they know they are meeting their customer's requirements.
Objective evidence
If we have established that the questions and questioning techniques you use as an auditor vary according to the person being interviewed and the level they are working at within the process, then it must also follow that the objective evidence you obtain will also vary accordingly. In section 2 we looked at examples of documented and non-documented objective evidence, so let us now consider what types of objective evidence we might find at different levels in the business, depending upon who we are auditing and what questions we are asking. Taking some of the questions from Table 4.2, Table 4.3 outlines the likely objective evidence you might expect to find.
Question: Can you describe the process? How do any procedures support the process? How does this process interact with other processes in the management system? How do you determine the competencies required for those responsible for process activities? How do you decide what key performance indicators to use? How does your customer measure the performance of the process? How do you know what the current performance of the process is? How often is process performance measured? How is performance data communicated to the process team? How do you identify improvement issues? How do process team members contribute to improving process performance? How do you evaluate the success of improvement activities?
Evidence from process owner: Tells/shows you; Tells/shows you links to process activity; Tells you what the links are and how the communication between them works; Understands roles and competencies in context of process activities, linked to objectives; Tells/shows you the indicators and which link to objectives; Demonstrates customer communication by linkage of their needs to process measures; Shows you performance information; Tells you; Tells/shows you; Able to link performance data to improvement action; Tells you and can give examples from team.
Evidence from process staff: Tells/shows you; Tells/shows you when used and how; Understands there are links to other processes and knows how they work; Knows own competency and has been appraised/reviewed in last year; Tells/shows you process measures being used; Understands process performance in relation to the customer; Talks through methods/ideas and links to process owner; Knows how and who to suggest improvements to.
You will notice that the responses you are likely to get in terms of evidence are likely to be verbal rather than documented, which means you have to determine fact from fiction just by listening to what people are saying. But how can you do this? Let's take just one of the questions and use it as an example.
Question: How do you know what the current performance of the process is? The process owner's response is to tell you that they have two process measures, products delivered on time as a percentage and number of product stock turns in a year. The targets are 99 per cent on time delivery and 12 stock turns per year respectively. They also tell you that since the measures were introduced six months ago they have achieved an average of 97.5 per cent deliveries on time and are on schedule for six stock turns for the first half of the year.
You just listen to what they say and make a note of the information on your checklist.
The process staff member's response is to tell you that the process owner meets with all the process staff once a month in the canteen where they talk through various items of interest including performance statistics. They tell you that a lot of what the process owner says is not of much interest to them apart from the delivery and stock turn measures as this has a direct bearing on the amount of bonus they receive each quarter. They tell you that delivery performance of only 97.5 per cent has meant a reduced bonus for the last two quarters, but the achievement of six stock turns so far this year has at least given them a bonus payment, albeit small.
You listen and compare their responses to those of the process owner, making any notes on your checklist. You then ask yourself: "Have I enough evidence to demonstrate that the question has been answered adequately and am I satisfied that the performance of the process is known at all levels in the process and by the people who need to know?" What is your conclusion based on the two responses above?
I hope you concluded that yes, the performance of the process was known at all levels in the process and by the people who needed to know. All this despite the fact you did not see a single piece of paper! Congratulations! You have just audited subclauses 5.1, 5.2, 5.4.1, 5.5.3, 7.1, 8.1, 8.2.3, 8.4 of ISO 9001:2000.
Methods of auditing
Quite rightly most methods of auditing involve face-to-face interviews/discussions with people in order to gain information and an understanding of how effectively something is being done. However, this is not always practical to do because of geographical locations, the high number of people needed to be seen or constraints on cost or time. Auditors should be flexible in their approach and be prepared to consider alternative methods of auditing which do not rely on just face-to-face interviews. These could include: groups: a number of process staff, suppliers, customers or stakeholders can be interviewed within a group environment to save the time and expense of travelling to them individually; questionnaire: could be used to assess a variety of issues, can be done confidentially to improve the honesty of the responses; email: again, any number of process staff, suppliers, customers or stakeholders can be interviewed remotely, as a group, to save the time and expense of travelling to them individually; telephone: this can usually be a very quick and simple way to confirm information; video conference: planned well in advance, this method can be a really effective way of interviewing people working miles apart or even in different countries.
Organizations that have multiple sites spread over a large geographic area, including different countries, and those with large numbers of home or field based employees are probably best suited to alternative methods of auditing other than face-to-face.
Please refer to Table 5.1 for an example of an audit plan. By far and away the most important parts of any audit plan are the details concerning the people who will be seen and the specific meeting times that have been agreed. Auditors cannot expect to turn up and have people sat around all day or over many days, waiting for the auditor to audit them. As an auditor you should assume that no one is going to see you unless you have prearranged the meeting. Apart from anything else, it is just bad manners, and it will lead to a poor relationship with the auditees, so it is critical if the audit is to be successful. I have lost count of the times auditors turn up at an organization and commence the audit expecting people to automatically be available. They then wonder what they are going to do for the remainder of the day when they discover all the people they need to speak to are either on a course, on holiday or have other meetings! It's all in the planning. In preparing your audit plan you will need to take into consideration the overall time available to you to carry out the audit and then work backwards ensuring that you allocate the most appropriate amount of time to each of the people you need to interview.
28th June 2004
Times: 9.00 am; 10.30 am; 12.00 noon; 1.00 pm; 2.00 pm; 3.00 pm; 4.00 pm
People and activities: Production Director; Production staff members 8; Production Manager; Lunch; Production Manager; Finance Director; Gather information and close audit
Methods: Telephone; Face-to-face; Face-to-face; Face-to-face as a group; Video conference
Locations: London; London; Paris; Canteen; Nairobi; London
One of the major issues facing you is the time available, as this impacts on your ability to test the responses you get with the greatest range of people possible, thus assuring yourself that the evidence you are finding is a true reflection of what is happening. This is not something new and auditing has never pretended to be anything else other than a sample, but you must be satisfied that the sample size is large enough. Whatever you decide you should always start and end with the process owner. Start off with them:
- to gather information that you can go on and test throughout the process;
- to understand if they have any particular areas they themselves may want you to assess or review and provide feedback on.
Finally, conclude the audit with them so that you can confirm your findings and provide overall feedback on what you found.
But how do you decide what you should include in your checklist? Well, how detailed you make your checklist is a very personal thing and is likely to depend upon several factors not least how experienced you are and your ability to read it during the audit itself. Before you can begin to prepare your audit checklist you first have to design it or, should you find it useful, copy my example, shown in Table 5.2. Your design will no doubt evolve over time to reflect your own personal style and needs. Having decided on what your checklist will look like you now have to populate it with all the questions you are going to need to ask in order to complete your audit. These are the questions that will test:
- the eight principles of ISO 9001:2000;
- the effective implementation of the Plan-Do-Check-Act methodology;
- auditor tool 1;
- auditor tool 2;
- actual process activities.
This means all of the things we covered when looking at the auditor tools and objective evidence in the previous section. In addition, your checklist should include questions or areas to look at that are specific to the process or processes you are auditing. In order for you to do this you will have to undertake some research and make requests for information from relevant people. This is a relatively straightforward task if the audit is going to be carried out internally as you will know the organization and will be able to acquire the appropriate information. However, this can prove to be more of a challenge when you have no prior knowledge of the company. Typically your research should focus on trying to obtain information on:
- what the organization does and who its customers are;
- its mission, vision, policies and business objectives;
- organization structure and process ownership;
- the management system structure and links between processes;
- copies of process maps;
- company and process performance data.
You should allow yourself plenty of time in advance of the audit to gather the information and compile your checklist. Remember the audit starts from the moment you start compiling information and preparing your checklist, not from the moment you ask your first question of the process owner; it is much too late by then to get it right if you have not planned thoroughly. If you are not able to carry out the background research or obtain the information you would like in order to prepare thoroughly for the audit, then you must allow yourself more time to carry out the audit itself and to collect this as you proceed. This is certainly not the most efficient way to carry out an audit, but sometimes you will have no choice. Without this information your audit will be flawed, so you must obtain it early on if you are to be effective. As I said right at the outset of this section, preparation is 80 per cent of the audit and you have to ensure you have prepared adequately to avoid being led by people rather than you leading the audit. Remember that you are there to control the audit, not them.
To summarize the preparation required:
- make sure you fully understand the eight principles and the PDCA cycle;
- be clear on the objective of the audit;
- plan the audit carefully, making sure you allocate the appropriate time to each element and sample enough people;
- book meetings with people well in advance, don't expect them to just be waiting for you!
- understand the management system and process connections;
- know the business objectives and customer requirements and make the connections to process outputs;
- always use a checklist!
If you are not put off by this then let's get on with the audit, starting with the Managing Director, who will put the process and system in context.
They call you in and immediately inform you that they have to leave for another meeting in 30 minutes so you will have to be quick. Your mind goes blank, your mouth goes dry, your heart beats a little faster and you begin to wonder what you are doing here. You glance down and, to your relief, see the checklist you so carefully prepared. Referring to the first question you inquire, "How is business?" You have started the audit.
Does this sound familiar? Feeling intimidated by someone like the Managing Director is nothing new, but when you have to audit that same person in an effort to extract information from them, it can be even more daunting (particularly so if they have never been great supporters of ISO 9001:2000).
This interview is critical. Why? Because if you do not succeed in gathering information to help you gain a clear understanding of the business objectives, measures, current performance etc you will not be able to test the subsequent effectiveness of process management and the connections to the overall business needs. As a general rule you will only have a limited amount of time with these people, so you have to make the little time you do get as productive as possible. Being completely clear about the objectives of the interview and the outcomes you require is essential and will prevent you becoming sidetracked and coming away wishing you had asked a particular question. Remember again that it is your meeting and you are in control of it. You will gain real respect if you do, but if you don't...
A good approach is to start with a general question like "How is business?" With any luck the Managing Director will discuss the current state of the market, customers' needs and how the organization is working hard to develop sales and improve margins. Within this discussion you should begin to draw out what the business objectives are and how they plan to move the organization forward to achieve them.
This information is key and you need to be making detailed notes of it on your checklist as you go, so that you can refer to them later on as a memory jogger and to help with subsequent meetings. Be conscious of time, stay focused on the objectives of the interview and the questions you need to ask and you can usually get through it within 30 minutes. I tend to find that most Managing Directors, once they get talking, forget about their next meeting and end up chatting for up to an hour, usually because they never realized the audit was actually going to be about the business itself, rather than ISO 9001:2000! Once they start doing this, then you know that you are part of the way to having a convert. The rest of the journey will be made once they see the business value of your report and findings.
Before you conclude the meeting have a quick look at your checklist to ensure you have everything you need for the next part of the audit and then ask, "Is there anything you would like from my audit, are there any areas you would like me to look at in addition?" Note any response you get and then thank them for their time and leave.
- Has the process owner related them to their process?
- Has the process owner communicated the objectives down to the process team?
- Has the process owner established process performance measures?
- Do the measures relate to the objectives?
- Does the process owner know the current performance of the process against the objectives and targets?
- Has the process owner communicated the performance results to the process team?
- What actions are the process owner and process team taking when there is a gap in the performance against the stated objective or target?
- How do process team members contribute to improvement activities?
- How does the process owner know improvement action is effective?
Refer to Table 4.2 for more questions and Table 4.3 for the likely objective evidence you could find and can therefore make a note of on your checklist. Just as with the interview with the Managing Director, you should treat the interview with the process owner as an information gathering exercise, so ensure you record as much of the information you are given as possible. You will need it to complete the main part of the audit. Again, before you conclude the meeting have a quick look at your checklist to ensure you have everything you need for the next part of the audit and then ask, "Is there anything you would like from my audit, are there any areas you would like me to look at in addition?" Note any response you get and then thank them for their time and leave.
- Are the objectives/outputs of the process understood and are they linked to what the process owner said?
- Is the process measured and are they the same as what the process owner said?
- Do process staff know what the current performance of the process is?
- How is information communicated to people working within the process and is this as described by the process owner?
- Do process staff know how they can contribute to improving process performance?
Refer to Table 4.2 for more questions and Table 4.3 for the likely objective evidence you will find and can make a note of on your checklist. In addition, you are also testing:
- how effectively the connections to other processes are operating;
- that process activities are being implemented effectively;
- that any procedures, standards or regulatory requirements are being worked to;
- how competent people are/feel they are to perform their assigned tasks.
Give me a break!
There are a lot of pressures on auditors and you should never be afraid to take a break during the audit in order to give yourself an opportunity to collect your thoughts, put the information you have gathered into context and to generally satisfy yourself that you are progressing as planned. As you review any information, notes and outstanding questions it will help to focus your mind on the audit objective. If, for whatever reason, you find yourself not being able to confirm what is actually happening within the organization, and up to this point in the audit you are not in a position to report how effectively the process is being managed, then the break is essential. It affords you the opportunity to determine the specific further questions you need to ask in order to complete the audit and compile your report adequately. Should you find that you do not have sufficient evidence to make a judgement as you proceed, never be afraid to add items to your checklist.
I appreciate that auditors and, in particular, third party auditors, have a difficult job in striking the right balance between reporting compliance with ISO 9001:2000 whilst trying to encourage improvement based on the maturity of the organization's management system. However, that said, this does not stop auditors trying to achieve this balance in order to add value to the organization. After all, they are a supplier to the organization that is in turn the auditor's customer. What they want from your audit report must surely be considered important?
What to report
The ultimate design of your audit report may be constrained by the need to adopt a standard template or format used by your organization, which is almost certain to apply to third party auditors. If you have no such constraints then you are free to choose a format that allows you to report your findings in the most appropriate way, which could be anything from an A4 template to a software-based computer presentation. The choice is yours. Table 7.1 provides an example of an internal audit report template that I have used and you are welcome to copy and modify in order to come up with a version you feel comfortable using. We have talked of the need to make your audit report as positive as possible to encourage the organization to address the issues raised with the ultimate aim of improving their business performance. But how can you achieve this? The best way to demonstrate what I mean is to show you some extracts of actual audit reports, clearly showing both positive and negative reporting styles. You can then see for yourself what I mean.
Process(es) audited:
Audit summary
What to say
The following are examples of what to say in an internal audit report.
a) The organization does not currently monitor customer satisfaction. Monitoring the perception customers have will enable the organization to better understand how it can meet both their current needs and future expectations, allowing the organization to benefit from a more proactive approach to customer care.
b) The organization does not currently have a documented procedure for the control of the records it produces. The documenting of a procedure for the control of the organization's key records will ensure that the responsibilities for record retention are known and that these important records are protected from damage or deterioration and only retained for the maximum specified period, allowing archive storage space to be kept to a minimum.
c) The infrastructure of the organization appeared to be adequate for the services being provided; however, there was no process by which the infrastructure is reviewed on an ongoing basis, which could affect the organization's ability to meet future customer demands. Therefore the organization would benefit from linking together the review of market/customer needs and the infrastructure required to deliver them.
d) The organization is to be congratulated on the decision it has made to introduce new computer terminals and office furniture in the call centre. The staff spoken to all commented on what a significant difference this has made to both their comfort and ability to read the new screens. This has undoubtedly contributed to the reduction in staff sickness time and number of customer complaints due to keying errors.
them to do something? Precisely, the second version, and this is the style you should be adopting in the writing of your audit reports. The report is all about the business and nothing about subclauses in ISO 9001:2000 because Managing Directors are not interested in the detail of what the standard says. As any good politician would tell you it is all in the spin. I am not suggesting we all need to become politicians, but, as auditors, we could all learn a trick or two from them and spin our reports positively. After all, we are trying to influence our customer to make the improvements we have identified.
the quality policy had not been signed by the Managing Director SO WHAT!
If an audit report is to add value to the organization it has to contain information that could help the organization improve its performance and ultimately make money (or at least not overspend). Meeting financial targets is a prerequisite for the majority of organizations and often the key purpose of their existence.
Improvement action
The audit report should only contain the findings of the audit and not suggestions for the improvement action to be taken. This way the auditor can remain independent and the organization does not feel obliged to adopt any of the auditor's suggestions for improvement, even if it does not agree with them. By doing this, the auditor is also passing the responsibility for taking improvement action back to the process owner. Improvement action should be left with the appropriate people within the organization itself to determine. What action is taken, by whom and within what timescales are all decisions that the organization should make for itself, based on what is appropriate for the business, how it will benefit and the other current priorities it has.
8. Assessing improvements
Putting the improvement in context
As we have seen from carrying out the audit of process management, the auditor's role is not to identify how improvements should take place or what the organization should do. It is to provide information to Management on areas of risk or where opportunities for improvement exist, with an explanation that outlines the potential impact on the organization if these are addressed. Therefore what the organization does if it decides to address these issues is up to the Management, balancing the other organizational needs and requirements with the audit findings. Don't forget that carrying out audits is only one source of information Management is receiving upon which decisions can be based. They will also be receiving information on customer satisfaction and business results etc, which could mean that they may well ignore the audit findings and concentrate improvement activity in other areas where the greatest business benefit can be achieved. This being the case, auditors should not be disheartened if, after carrying out an audit recommending areas for improvement, Management do not appear to act on the information. The real test is to determine whether the system is improving, but that is all about auditing the management of a system, a subject that is little understood, rather than auditing a process, which we have covered in this book. The basics of systems management auditing are similar to those of process management auditing, the main difference being one of level. Instead of looking at a single process the auditor is looking at the system as a whole. Many of the same skills are required, but it needs a still wider business understanding for the auditor to be successful.
Assessing improvements
Equally the results should be a fair and honest reflection of the findings, reporting facts and not seeking to apportion blame or falling into the solutionism trap. Solutionism is where the auditor writes their report explaining how managers should actually carry out the improvements or resolve problems. No matter how well meaning, it is often dangerous to make recommendations to managers on how they should manage their organization; that's their job, not the auditor's. Many books or guides on auditing often suggest that the auditor should make recommendations but this needs to be done with care. It is one thing to make a statement that something is blatantly incorrect or is not working as well as it could and provide the evidence to support this. It is quite another to go further than this and suggest how the improvement should be carried out. Very seldom does the auditor have as good a view of the organization as the manager. How the manager resolves problems or implements an improvement is up to them. Following the appropriate process, of course, is up to them. So, report the facts and leave any recommendations on what needs to be done or action that could be taken until after the audit. I have seen a number of internal and external auditors ruin a very good audit by making recommendations that are inappropriate and get a negative reaction from the manager, so be aware.
Auditing for effectiveness often involves understanding what is happening. How an organization manages its business, how people carry out their tasks, what equipment they use and how they comply with legislation, for example, is up to them, and the auditor can expect to see or observe activity that is different between one organization and another and even between one department or site and another in the same organization. In other words there is not necessarily a right or wrong way.
Auditors need to be open-minded as to the activities undertaken and willing to consider different views or interpretation. What is more important is how effective these actions are on the final result achieved. Adopting an open mind goes hand-in-hand with carrying out the audit in a tactful and diplomatic manner. Remember the easiest way to gather information is to ask people what is happening, what they do, how they could improve what they do etc. How the auditor handles this conversation, even if auditing using email and other non-traditional methods of auditing, is critical to success. If the auditor criticizes what someone is doing or how a manager is managing their part of the business then that person is likely to be more reluctant to provide the auditor with the information they need. Remember people are often not the problem, most of the time it is the system they are operating in, so identify where the system is failing rather than seeking to criticize, blame or expose the individual. The results will be far more welcome and of considerably more value to the organization.
When auditing there is often a sense of something being right or not quite right; it's a feeling. You can't be certain because you might not have the evidence, but an instinct that there may be something that is taking place that is either incorrect or wrong or could be improved. This second-sight is all about perception, how the auditor sees, reads and understands situations. This perception may be drawn from looking at evidence from different sources: an adding together of information that doesn't quite make sense and needs testing or examining further. Auditors need to develop and, more importantly, use this ability. Often the information an auditor needs won't stare them in the face or be straightforward and needs digging out based upon reading a given situation.
Another area based upon perception is collecting perception-based information. This is often more valuable than fact-based or document-based evidence. The problem is that how people perceive situations, activities or events is often not evidenced by documents; it's often verbal or an interpretation. The auditor therefore needs to be able to turn this information into fact or objective evidence. This is achieved by using an appropriate sample size, testing the perception to get to the facts. This may mean that someone has perceived an event incorrectly or drawn the wrong conclusions. The auditor's job is to work with these perceptions and draw conclusions separating the fact from the fiction.
To do this requires persistence, the ability to keep going even though auditees may put obstacles in the way. You may not get exactly the information you need or you simply get frustrated knowing there is something to be identified but you simply can't find it. If you find yourself in this situation keep going, think about the objectives of the business and the scope of the audit. How important is it, will it put the business at risk? Perhaps a different approach is required to gather the information.
Persistence is not about pursuing something for the sake of it, it is about making a judgement for the sake of the business, the audit and importance of the issue. Following on from persistence is the need to make decisions in a timely manner based on the evidence that has been gathered. These conclusions should be clear, unambiguous and understandable. This allows the auditee to be able to review the conclusion or finding using the evidence the auditor has provided. Poor conclusions based on poor analysis lead to the auditee not being able to understand what the conclusion is about or why the issue has been raised. Often poor analysis of the evidence results in confusion and inevitably findings that are lower level detail (mainly compliance related) rather than the identification of improvements or the need for change to enhance effectiveness. Often auditors find themselves working on their own, gathering information whilst they work with the auditees. This ability to work independently is an attribute not to be underestimated. This requires the auditor to be a self-starter, self-reliant, having the necessary equipment and motivation to see the audit through without the support from other auditors.
The auditor needs to have a mix of skills and knowledge to be effective. These are interdependent and should not be considered or developed in isolation of each other, ie no one area is more important than the other; they complement each other.
audit is carried out as planned, keeping to the timescales as shown. Sometimes in an audit the auditor will discover areas that need more investigation than the time allocated will allow or, perhaps, someone else needs to be interviewed who wasn't on the original plan. In these circumstances the plan may need to be amended and this is the auditor's responsibility. It is not good practice for the auditor to either start late or to end an interview after the time previously indicated on the plan. The auditee will be expecting the plan to be followed. If the plan needs to be amended then the auditor should discuss or communicate this to the process owner or the person showing the auditor round the organization, if one is being used, in order that a revised plan can be agreed and communicated. This may include going back to an auditee to check a particular issue or to gather more information. Planning an additional interview is preferable to ignoring the original plan, however tempting this may be.
The auditor needs to maintain confidentiality. This not only applies to sensitive business or organizational information but also to personal feelings and views that may be expressed by an individual or group. Clearly the auditor may well be provided with sensitive business information as part of the audit which should not be shared either within the organization itself or externally; it must remain confidential. There is a temptation to share information with work colleagues but the auditor doesn't necessarily know what has been communicated and what hasn't and the reasons for this. Therefore to avoid any situations it is best to simply say nothing and use the information for the purpose for which it was given, ie for the audit. This approach will avoid and prevent any difficult situations or misunderstandings. The same applies to views expressed by auditees.
To assess the effectiveness and to gather information required often requires the auditors to gather views and examples from people not directly carrying out the task involved. For example, let's say you are auditing the manufacturing process; then you may gather information from the sales team, ie the people who generate the orders, and those who dispatch products and services as well, to gain their views and the impact the production process has on them. Or perhaps you are auditing an improvement process: as well as auditing the people involved in the actual process or improvement, you could also interview the people affected by the change to determine how effective the change has been in improving performance. In gathering these views from people outside the process being audited but affected by its impact, the auditor may well be gathering views and opinions from a number of different people to create the objective evidence and to form a conclusion regarding effectiveness. These views and opinions also need to be kept confidential and not shared either with other auditees, eg "I was speaking to X and he said...", or outside the audit. If the auditor breaches this confidentiality then it is likely that the auditee will be less forthcoming with information the next time an audit takes place, thereby reducing the effectiveness of the audits taking place.
Auditors should focus their attention on significant issues. This does not mean that areas of detail should be ignored but that the audit should focus on what is important to the success of the process and the organization rather than areas that have little impact or significance in the overall picture. Some auditors get a reputation for nit-picking, ie identifying or making an issue of small areas that in themselves have little or limited impact on performance. If the auditor is in any doubt as to whether or not an issue should be raised then think about the manager who will be receiving the report: will they be interested? Is it important to them?
Collecting information is the key requirement of the audit. The information often comes from a range of sources from across the organization. The various parts of information are then added together to form a view or finding. It is often not a case of taking one piece of information in isolation but adding different data together to form the picture. Therefore a key principle is to test or verify the different pieces of information to confirm their appropriateness and accuracy. Auditors need to develop a sixth-sense to help them with knowing how often and when additional information is needed to determine or verify a finding.
It is not possible to review or look at every document or piece of information used or generated by a process. In addition it is very rare that the amount of time allowed for the audit would be sufficient to interview every manager or staff member involved in the process. This is compounded by the need to gather information from those outside the process. To manage this the auditor can use sampling techniques to help determine what information is required. Although these can be scientifically- and statistically-based the auditor can also apply common sense.
For example if there are six projects to look at then perhaps two could be sampled; if there is sufficient difference in the two then perhaps a third could be reviewed to confirm the finding. Or if there are 250 employees who need to have objectives and understand how they fit into the process then perhaps 10 could be interviewed for five minutes (50 minutes in total) rather than two for 25 minutes (still 50 minutes in total) to allow the auditor to gain a wider view of what is happening.
the intention to revisit the principles of process management and its impact on organizational performance but auditors who do not understand the principles will not be able to audit effectively, often finding it difficult to move beyond compliance auditing. This extends to understanding how the various processes that make up the system interact with each other and how support or reference documentation such as procedures and other information is positioned and used within the system. It would also include how resources, equipment, budgets, competence, team work, knowledge, other standards and frameworks, environmental, health and safety and regulatory requirements, information technology, intellectual property, management ability and techniques, results, changes etc can impact on process performance. This does not have to be an in-depth understanding but should, at the very least, be an awareness of the possible impacts so that the auditor is able to form judgements on possible areas for improvement. In addition, as mentioned before, the auditor needs to have an appreciation of general business processes, what might make up such a process and how the organization has interpreted these business activities into the management system and therefore into its processes. Another impact on process performance that the auditor needs to be aware of and understand is that the organizational culture will affect both the audit and, potentially, process performance. The auditor needs to appreciate the organizational culture they are working in and work within this, modifying their auditing techniques and methods accordingly.
- statistical control, which could be used to assist the measurement of process performance;
- failure mode and effect analysis, which could be used in a design and development process;
- cause and effect analysis, which could be used in an improvement process.
Understanding these tools gives the auditor a wider and deeper appreciation of how traditional quality techniques can be used to improve and support process performance.
integration myth), but what about business planning principles or how an asset is managed or how people develop skills, ie management principles and disciplines that need to come together (be integrated) in a system and the processes that support it? It is often this area that is overlooked but is probably the most important in enabling the auditor to assess effectiveness. When auditing the effectiveness of the management of a process this area is probably more important than technical specialisms. At the time of writing the focus for appointing auditors is often based on their technical competence, not on their management ability. As ISO 9001:2000 is based on the effectiveness of Management to manage their organization to deliver results and to ensure customer satisfaction, perhaps organizations should now consider appointing auditors on their management ability rather than their technical expertise.

With different auditors having different interpersonal skills, different levels of understanding of management disciplines and of confidence, as well as auditing processes that run across the business, it is often easier and more appropriate to operate in audit teams. When operating in a team someone needs to lead it and take responsibility for its direction and activities. Leading an audit team is not about technical or specialist competence in the area concerned. If it was, then Lead Auditors would indeed be a rare animal. Leading a team requires leadership skills associated with ensuring that the audit process is run efficiently and effectively. These skills fall into a number of areas as follows.

• Planning the audit: as we have seen, auditors have different skills and may even be in different locations, so the available audit resource needs to be appointed accordingly based on the process to be audited. In addition the method or approach needs to be considered. Traditionally auditing has been completed face-to-face on a one-to-one basis. To audit effectively this does not have to be the case. The auditor can use many methods, for example email, telephone, short questionnaires and video-conference, as covered in previous sections.

• Representing the audit team: as part of the audit, this will probably mean discussing and planning the audit with the process owner or Management team member. This would include agreeing who is to be audited, the scope of the audit and any particular aspects of the process that need special attention. At the end of the audit the Lead Auditor will also present/report the audit findings back to the process owner or Managing Director and agree any follow-up action required.

• Completing the audit report: as the auditing is being conducted by a team, the Lead Auditor is responsible for bringing the different strands of the audit together in order to reach conclusions. Identifying non-compliances is normally straightforward; identifying areas for improvement that will enhance performance can be more difficult to agree. This often requires the team to reach consensus on what the different strands mean when they are added together. How this is achieved can vary but on occasions individual team members may disagree with each other. At this point the Lead Auditor needs to have the skill to facilitate the team to reach a sensible conclusion that will make sense to the team and the process owner and support the improvement of the organization. Coupled with this is the ability to write an audit report that is effective in portraying the findings and conclusions of the audit. The findings need to be succinct, clear and easy to understand, showing what objective evidence has been identified to support the conclusions. The Lead Auditor needs to be able to justify the statements made, if required, and to enter into discussions as to how the areas identified might be resolved. The Lead Auditor should, however, be careful not to recommend actions as part of the audit. When reporting areas for improvement there is often a temptation to recommend how a particular issue may be resolved or improved. There may well be many ways that a problem could be resolved, some unknown to the audit team or outside the scope of their understanding. Improvements are likely to be subject to the organization's improvement process (as required by ISO 9001:2000) and it is this activity that will identify the causes and recommend solutions. Lead Auditors need to be careful with recommendations; often it is best to report statements of fact and leave the actions and recommendations for improvement to the manager concerned, as that is their responsibility.

• Managing the audit as it is progressed: the Lead Auditor is responsible for managing the audit as it is carried out. This may mean resolving issues, some of which may be confrontational in nature. This can often require tact and diplomacy (hence the attributes listed in this bullet list). It may also mean identifying potential problems that could occur and taking appropriate action to prevent them from happening.

• Developing the auditors: by their nature Lead Auditors tend to be more experienced managers as well as auditors. This experience can be used to develop auditor competence, identifying training needs and taking part in training and development activity that will improve auditor performance.
appreciation of these other areas in order to audit the joined up nature of both processes and systems and to help drive the need for them to improve and change.
Appendix 1
Requirement
Question to whom
Compliance question
Effectiveness question
Quality manual
Do you have a quality manual? Show me your quality manual. Does it contain the right information outlined in the standard?
What is the purpose of the manual? How is it used on a routine regular basis? How is its content translated into everyday activity? Why is it written the way it is? How does the manual support the objectives of the organization and its image with the customer?
Staff
Do you know where to find the manual? Show me the quality manual.
What is this organization trying to achieve? How does the organization work? How do we all work together to deliver results? How do we improve things in this organization?
4.2.3
Document control
Management/staff
Do you approve documents prior to issue? Do you have a procedure? Show me how you control the version, etc.
How often do you find that you use the wrong information or documents in this organization? (ask many people to build up a picture) Do you ever think that you use out-of-date information? How do you know you are using the most up-to-date information/documents?
Compare the answers given by both Management and staff and identify any inconsistencies.
5.2
Customer focus
Senior Management
How do you focus on the needs of the customer? How do you prioritize the needs of different customers and other stakeholders? We can't satisfy everyone 100 per cent of the time, so how do you manage this? How is this information used to set business objectives? How do you validate the information to ensure it is correct (otherwise your objectives could be incorrect)?
Senior Management/Management
How do you identify customer needs? How do you know that the process for identifying customer needs is effective?
Senior Management/Management
What process do you have to identify what customers' needs are? What is your role in this process? How are customers' needs translated into objectives that are subsequently measured by customer satisfaction activity? How does it all link together?
5.3
Quality policy
Senior Management
Staff member
What is important to this organization? How important is it that you do a good job to you, to the customer, to the organization? If there was one thing that this organization had to achieve, what would it be?
Senior Management
How do you know that your employees understand the policy and what it means to them?
5.4.1
Quality objectives
Senior Management
How do you know that the Management agree with the objectives set?
How were the measures selected? How do you know that these are actually achievable?
How do these objectives complement and support each other to move the organization forward? How do you know that they jointly deliver everything you need to do as a business?
Link the answers to these questions with those given in answer to subclause 5.2. Do the answers link? Do they make sense?
How do you know if your objectives link to those of the organization? How were the objectives created?
5.4.2
Senior Management
Is the management system designed to meet the objectives of the business? How do you maintain the integrity of the management system?
How do you know that the management system has been designed to meet the objectives set? How do you ensure that the integrity of the management system is maintained so that customers are not adversely affected during changes?
5.5.1
Senior Management
How are responsibilities communicated? How do you know if these responsibilities are being applied correctly? How do you reallocate/reduce responsibilities when needed?
5.5.2
Management representation
Who is the Management Representative? Show me what you do (to the Management Representative)
Who in the Management team champions the management system? How effective is the Management Representative in helping the organization to understand how it delivers results and improves business performance?
5.5.3
Internal communication
Senior Management
How do you know that the communication methods you use are effective?
How do you translate the organization's results into information that directly applies to your staff rather than corporate/business speak? Does your manager provide you with information on business performance that directly applies to you?
Staff
How well is the organization performing? Do Management communicate to you on this subject?
Does the information you are provided with mean anything to you? Does the information relate directly to your job? How can you influence these results?
5.6
Management review
Do you hold a management review? What do you look at? What are the results of the review? How do you record the actions from the review?
How do management review the performance of the business? How effective are these methods? How do you know the actions agreed are aimed at delivering the organization's objectives? Are discussions at reviews based on improving results? What subject areas are discussed? How do they relate to the performance of the business and its objectives? What factors do you use to prioritize improvement activity?
Has the organization defined the competences you need to do your job? Do you understand how important your activities are?
Do you think the competences defined for your job are correct? How good are Management at reviewing your competence and identifying where you can improve? In your view is training delivered generally too late or too early on occasions? After you have received training does someone test or check to see that you can apply the training you have received? How do your activities help this business achieve its overall goals and objectives?
6.3
Infrastructure
Management
What equipment/assets do you have? How is this equipment managed and maintained? How is the equipment purchased? Do you back up IT systems? What processes do you have to manage all your resources? Does your process cover acquiring, commissioning and decommissioning an asset? What approvals are gathered for asset purchase?
How do you know that the equipment is capable of delivering the objectives? How do you know that you have purchased and commissioned the most appropriate equipment? How do you assess the effectiveness of your disaster recovery plans should your infrastructure fail? How do you optimize the performance of your infrastructure resource? How do you know that approvals for asset purchases follow the agreed governance rules for the business?
Staff
How efficient is the equipment you use? How quickly is it repaired should it break down? How often does equipment failure affect your production/service delivery?
Work environment
Management
What do you consider to be your working environment? How is the working environment managed? What legal and regulatory requirements do you need to follow?
How do you know when to make a new investment in the working environment? How do you measure the impact of the working environment on people's motivation to work here? How do you know that the working environment supports the delivery of process and product requirements?
Staff
What is it like working here? If the working environment could be improved how would it be? Do Management ever ask for your opinion on the acceptability of the environment to deliver what customers need? Does the environment you work in affect your performance and the quality of what is produced?
Management
How do you plan the design and/or development of a new product or service? What resources do you need?
How do you optimize the use of resources you have available to you? How do you prioritize different projects? How do you know that your limited resources are being used in such a way as to maximize the benefit to the organization and its customers?
Staff
Do you think that the organization knows which projects are more important than others? How often do you get torn between the needs of different projects and don't know which to do first?
7.3.2
Project Manager
What factors do you consider when designing/developing a product or service? What legal and regulatory requirements are important?
How do you know the design inputs have been identified correctly? How often do you find, when testing a product or service, that the design inputs have not been identified correctly?
What factors do you consider when designing/developing a product or service? What legal and regulatory requirements are important?
How much wasted effort do you think takes place on design and development work? Do you think you are careful enough when you design or develop products and services? How many changes are made to design/development outputs before they are correct and can be used? How do you know that the design/development outputs are relevant and appropriate to the needs of the rest of the business?
7.3.3
Project Manager
What design/development outputs do you have? Do they contain the required product acceptance criteria?
What design/development outputs do you have? Do they contain the required product acceptance criteria?
Can you give me an example of when the design/development outputs have not been understandable? How relevant are the design/ development outputs to your job? Do they provide you with the information you need?
7.3.4
How often do you hold reviews? What is the purpose of these reviews? Who attends these reviews? What happens at these reviews?
How often are agreed deadlines for actions missed? Why is this? How are disagreements or concerns on the way forward resolved quickly and to the benefit of the business? Compared with your competitors how good are you at getting products to market?
7.3.5
How do you test products and services to check that you have designed what you were supposed to design? What records do you keep?
How often do you identify problems found with products and services after they are released? How do you balance the need and risks to get the product or service launched with making it perfect?
7.3.6
How do you test products and services to check that you have designed something that meets the original customer or market needs?
How do you know that customer requirements have been met when you are designing the product and services? How do you know that the changes to designs or developments will have the desired results?
7.3.7
Purchasing process
Purchasing Manager
What is the purchasing process? How does the process work? Show me the process working.
How do you know that the suppliers you use continue to contribute to the delivery of business objectives? How do you know that you provide sufficient information to your suppliers, not too much but not too little? How do you know that your suppliers are managing their business in an efficient and effective manner? How do you assess this?
7.4.2
Purchasing information
Staff
What purchasing information do you include on purchase orders? What quality management system requirements do you insist upon?
7.4.3
Management
How do you ensure that the purchased product and services are what you ordered? What actions do you take to check that the goods you receive are OK?
How do you reduce the risk of bought in goods and service failures on what is provided to your customers?
7.5.1
Management
How do you control operational activities to ensure consistency and conformity of the service or product? What work instructions, control plans or schedules do you use to control operational processes?
How do you plan the way in which operational activities are performed to provide sufficient controls? How do you control the risks of operational activities in meeting customer requirements?
Staff
What information do you have to help you do your job? Have you been trained to do your job? Have you got the right equipment to do your job?
How do you know that what you are doing meets your customers' requirements? What are the greatest risks to not achieving your customers' requirements and how do you control them? How do you know you have met your customers' requirements?
Management
Demonstrate the validation methods in place to control processes you cannot readily or economically verify. How often do you revalidate the process controls?
How do you control any processes you cannot readily or economically verify? How do you know the validation methods you use are effective?
Staff
How do you test the process to ensure it meets customer/ product requirements? What are the criteria you use to measure process performance?
7.5.3
Management
How have you determined to what extent identification and traceability of the product is required? How do you know the controls for product identification and traceability are effective?
Staff
Show me how products are identified. Can you find this xyz product for me?
What problems does poor identification cause you and how do you control this?
7.5.4
Customer property
Management
Do you use customer property in the process? How are problems with customer property reported back to the customer?
How do you know when customer property is used in the process? How is customer property identified and protected? When problems arise with customer property how do you deal with them and ensure the problem does not arise in the future?
Staff
When do you use customer property? Show me how you protect customer property.
How do you report problems with customer property? What happens when you report a problem?
Preservation of product
Management
How is conformity of the product to specified requirements maintained throughout the entire process?
Staff
Show me how the product is stored. Show me how the product is identified. Show me how the product is handled.
How do you know that the product is adequately protected during all stages of the process?
7.6
Management
Have you identified all monitoring and measuring equipment? Has the equipment been calibrated to a recognized standard, eg NAMAS approved? Show me the records for monitoring and measuring equipment. Is the product recalled and retested when a piece of monitoring or measuring equipment fails calibration?
How do you determine what monitoring and measurement is required? How do you know the results of the monitoring and measuring can be relied upon? How is monitoring and measuring equipment checked? What do you do when a piece of monitoring or measuring equipment fails calibration?
Staff
What equipment do you use to monitor and measure product or process performance to specified requirements?
How do you know the monitoring or measuring equipment you use is working correctly?
How do you know these are the correct measures? What is the information telling you?
Show me the trends in performance. Show me the targets for each process.
How do you know that the information is accurate? How do the measures link to the business objectives? How do you manage the process and identify cost and waste efficiencies? Give me an example.
Staff
What is this information telling you? How can you influence these results?
8.3
Management
Show me the procedure to control non-conforming product. How do you make sure non-conforming products do not get used accidentally? Do you keep records of non-conforming products?
How do you know that nonconforming products are not reaching the customer or being used? What is the impact on the business if they are released accidentally? Why do you need records? What do you do with them?
Staff
Show me the procedure to control non-conforming products. How do you make sure non-conforming products do not get used accidentally? Do you keep records of non-conforming products?
How often do you release non-conforming products but don't record it for operational reasons? What is a non-conforming product? How do you know that you handle all non-conforming products the same way?
Then compare the answers from Management and staff to make a judgement.
How do you know that any product recall would be handled to protect both the customer and the image of the organization?
8.4
Analysis of data
Management
Do you analyse performance? How do you analyse performance? Does the information include data on customer satisfaction? Does the information show trends in performance against targets?
How do you identify improvements that maximize the benefit to the business? How do you make recommendations for improvement based on the results achieved? How do you monitor the impact of improvements on the results achieved?
8.5.1
Continual improvement
How do you know that improvements made are managed and controlled? How are appropriate people involved in improvement activity? How do you know that an improvement doesn't have an adverse impact on other activity?
Staff
Have improvements made helped you do your job better/ made it easier? Does this organization learn from its mistakes to make things better next time?
Customers
8.5.2
Corrective action
Management
Have you got a procedure for corrective action that covers the areas of the standard? Do you keep records of corrective actions?
How do you know everyone deals with processing/product errors or mistakes in the same way to protect the organization and its customers?
How often does this take place? Do you think we make too many mistakes that are really unnecessary? How do you know the correct business risks have been identified and actions put in place to reduce these risks?
8.5.3
Preventive action
Management
Have you got a procedure for preventive action that covers the areas of the standard? Do you keep records of preventive actions?
[Figure A.1 Example of a typical internal audit process (flow diagram and procedure). Steps recoverable from the diagram: 2. Audit planning (inputs: management system documents, ISO 9001:2000, ISO 14001, legal and statutory requirements); 4. Record observations; 6. Action required? (Yes/No); 8. Action taken; 9. Close audit.]
Table A.7 Example audit schedule for an organization with three locations
Jan W+T W+T W+T W+T T T T T T W+T W W C C T T W W C C T T Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Process
New Business
Client Service
Contact Centre
New Business
Contract Recruitment
Managing Finances
Managing Facilities
Marketing
NOTE This audit schedule example is taken from an organization operating over three sites in Warrington, Thame and Crawley, hence the W+T+C, which indicate the
References
International standards
ISO 9001:2000, Quality management systems - Requirements
ISO 19011, Guidelines for quality and/or environmental management systems auditing
ISO 14001, Environmental management systems - Specification with guidance for use