Since ISO 9001:2000, it’s become increasingly common to expect
that an organization’s Internal Quality Audits be performed using the so-called
“Process Approach”. At the time of publication, that particular version of the
International Standard for Management Systems contained no description of what
the process approach was. The recently introduced 2015 version makes the
“Process Approach” a lot clearer by describing what is envisaged, in section
0.3 of the Introduction to the Standard – and how it applies to the quality
management system development, implementation and improvement. Reading
further, the text goes on to describe the Process Approach as involving the
“systematic definition and management of processes, and their interactions, so as to
achieve the intended results.” There’s no mention of anything to do with
conducting internal audits in any particular fashion.
Perhaps the Internal Audit requirements, found in clause 9.2, will
reveal something…
This particular clause states that “the organization shall:
a) Plan, establish, implement and maintain an audit programme(s) including the
frequency, methods, responsibilities, planning requirements and reporting,
which shall take into consideration the importance of the process concerned,
changes affecting the organization, and the results of previous audits;”
Interestingly, even this statement, which deals with the actual
planning and implementation of the internal audits, doesn’t require that those
audits shall (or even should) be conducted using the “process approach”. In
basic terms, it simply states that the audit programme has to consider the
importance of the (quality management system) process concerned. Nothing
requires an actual audit of a process! So, why has the mantra of “Process-based
Internal Audits” become so pervasive?
Maybe “mission creep” has occurred from the influence of the Certification
Body auditors who were required to change their approach to one of auditing
process(es), around the time ISO/TS 16949 was published. This era ushered in
the use (by CB auditors) of the “turtle” diagram for audit planning, which has
become widespread throughout their client base, too.
While this is not an argument against internal audits of (only)
processes, a risk-based approach to deciding what to audit and
when can be very useful. Empirically, we know that risks occur in business and
they don’t always occur within a process. Traditionally, risks are associated
with something new and/or changed, or with activities affecting an organization:
· Product designs & specifications
· Sources of supply
· Personnel
· Technology
By reference to the diagram below, adapted from James Reason’s
“Managing the Risks of Organizational Accidents”, (ISBN-10: 1840141050), it can be
seen that risks occur throughout an Operation.
It follows then, that without a clear, specific requirement
to audit (only) processes, an organization is free to choose a specific audit “scope”
and “criteria” if those define something within the quality management system
which represents risk to effectiveness in achieving intended results. In
addition to considering a process as the scope of an audit, the following may
also be used:
· A customer or regulatory requirement - which might be implemented in select parts over one or more processes
· A physical area or location - a warehouse, for example
· A specific requirement of ISO 9001 - if it is new or changed
· A project: improvement, product design, new technology etc.
· A specific activity as part of a bigger process
It's quite reasonable - if there's a clear justification - to choose any focus for your internal audit programme. After all, ISO 9001 doesn't say processes MUST be audited, and external auditors can't dictate requirements. Try it! You might just like it and find it useful!