Tuesday, April 30, 2019

All Internal Audits Are Process-based? Er, No...


Since ISO 9001:2000, it’s become increasingly common to consider that an organization’s Internal Quality Audits should be performed using the so-called “Process Approach”. At the time of publication, that particular version of the International Standard for Management Systems contained no description of what the process approach was. The recently introduced 2015 version makes the “Process Approach” a lot clearer by describing, in section 0.3 of the Introduction to the Standard, what is envisaged and how it applies to quality management system development, implementation and improvement. Reading further, the text goes on to describe the Process Approach as involving the “systematic definition and management of processes, and their interactions, so as to achieve the intended results.” There’s no mention of conducting internal audits in any particular fashion.

Perhaps the Internal Audit requirements, found in clause 9.2, will reveal something…

This particular clause states that “the organization shall:

a) Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the process concerned, changes affecting the organization, and the results of previous audits;”

Interestingly, even this statement, which deals with the actual planning and implementation of the internal audits, doesn’t require that those audits shall (or even should) be conducted using the “process approach”. In basic terms, it simply states that the audit programme has to consider the importance of the (quality management system) process concerned. Nothing requires an actual audit of a process! So, why has the mantra of “Process-based Internal Audits” become so pervasive?

Maybe “mission creep” has occurred from the influence of the Certification Body auditors, who were required to change their approach to one of auditing process(es) around the time ISO/TS 16949 was published. This era ushered in the use (by CB auditors) of the “turtle” diagram for audit planning, which has become widespread throughout their client base, too.

Although this isn’t to advocate against internal audits of (only) processes, a risk-based approach to deciding what to audit, and when, can be very useful. Empirically, we know that risks occur in business and they don’t always occur within a process. Traditionally, risks are associated with something new and/or changed, or with activities affecting an organization:

· Product designs & specifications
· Sources of supply
· Personnel
· Technology

By reference to the diagram below, adapted from James Reason’s “Managing the Risks of Organizational Accidents” (ISBN-10: 1840141050), it can be seen that risks occur throughout an Operation.

Clearly, the selection of a specific process may help when considering what part(s) of the management system to audit. However, further planning may reveal that it’s not always the whole process which should fall under the audit spotlight… It may be a relatively simple activity contained within the process. Perhaps a requirement (a customer order) was reviewed, and a subsequent change to that requirement then received a second review which wasn’t as robust. In such a case, auditing the entire process may be unnecessary in determining where the change “slipped through the cracks”. Experience also shows that it can be the interaction between processes where issues manifest themselves – at the interface of 2 (or more) processes.

It follows, then, that without a clear, specific requirement to audit (only) processes, an organization is free to choose a specific audit “scope” and “criteria” if those define something within the quality management system which represents risk to effectiveness in achieving intended results. In addition to considering a process as the scope of an audit, the following may also be used:

· A customer or regulatory requirement - which might be implemented in select parts over one or more processes
· A physical area or location - a warehouse, for example
· A specific requirement of ISO 9001 - if it is new or changed
· A project: improvement, product design, new technology etc.
· A specific activity as part of a bigger process

It's quite reasonable - if there's a clear justification - to choose any focus for your internal audit programme. After all, ISO 9001 doesn't say processes MUST be audited, and external auditors can't dictate requirements. Try it! You might just like it and find it useful!

Welcome!

Welcome to the "ISO Myth Busters" Blog! With over 30 years of Quality Management Systems experience, I enjoy sharing my ...