The Most Important Audit Questions for ISO 9001:2015
By Craig Cochran
If you’re preparing to start auditing against ISO 9001:2015, you’ve probably
already asked yourself the timeless question: What the heck am I going to ask
these people? There’s no worse feeling in the world than being in the middle of
an audit and realizing that you don’t have anything to say in the way of
questions. Preparation and planning can remedy this, of course, but the fact
remains that ISO 9001:2015 includes a lot of new requirements that have never
been part of most audits. In order to expedite your thinking, these are what I
believe to be the most important audit questions for ISO 9001:2015:
1. What can you tell me about the context of your organization?
This question is the starting point of ISO
9001:2015, appearing in section 4.1. The standard uses the clunky term
"context," but this could easily be substituted by asking about the
organization’s internal and external success factors. Questions about context are
usually directed at top management or the person leading the QMS (formerly
known as the management representative). As an auditor, you’re looking for a
clear examination of forces at work within and around the organization. Does
this sound broad and a little vague? It is. Thankfully the standard provides
some guidance, saying that context must include internal and external issues
that are relevant to your organization’s purpose, strategy, and goals of the
QMS. Many organizations will probably use SWOT analysis (strengths, weaknesses,
opportunities, and threats) to help get their arms around context, but it’s not
a requirement. What the organization learns with this will be a key input to
risk analysis. (NOTE: Not everybody will understand the term ‘context.’ Be prepared
to discuss the concept and describe what ISO 9001:2015 is asking for.)
2. Who are your interested parties and what are their requirements?
The natural follow-up to context is interested
parties, found in section 4.2. The term "interested parties" has a
bizarre, stalker-like ring to it, so smart auditors might want to replace it
with "stakeholders." Remember, effective auditors try to translate
the arcane language of ISO 9001:2015 into understandable terms that auditees
can grasp. Typical interested parties are employees, customers, suppliers,
business owners, debt holders, neighbors, and regulators. As an auditor you’re
making sure that a reasonable range of interested parties has been identified,
along with their corresponding requirements. The best way to audit this is as
an exploratory discussion. Ask questions about the interested parties, and
probe what they’re interested in. If you’ve done some preparation in advance of
the audit, then you’ll know whether their examination of interested parties is
adequate. That brings up an important planning issue: You will have to do a bit
more preparation before an ISO 9001:2015 audit. Why? So you’ll have a grasp of
context and interested parties. How can you evaluate their responses if you
don’t know what the responses should be?
3. What risks and opportunities have been identified, and what are you doing about them?
Risks and opportunities
could accurately be called the foundation of ISO 9001:2015. No fewer than 13
other clauses refer directly to risks and opportunities, making them the most
“connected” section of the standard. If an organization does a poor job of
identifying risks and opportunities, then the QMS cannot be effective, period.
Auditors should verify that risks and opportunities include issues that focus
on desired outcomes, prevent problems, and drive improvement. Once risks and
opportunities are identified, actions must be planned to address them. ISO
9001:2015 does not specifically mention prioritizing risks and opportunities,
though it would be wise for organizations to do this. Risks and opportunities
are limitless, but resources are not.
4. What plans have been put in place to achieve quality objectives?
Measurable quality objectives have long been a
part of ISO 9001. What is new is the requirement to plan actions to make them
happen. The plans are intended to be specific and actionable, addressing
actions, resources, responsibilities, timeframes, and evaluation of results.
Auditors should closely examine how the plans have been implemented throughout
the organization, and who has knowledge of them. Just as employees should be
aware of how they contribute to objectives, they should be familiar with the
action plans.
5. How has the QMS been integrated into the organization’s business processes?
In other words, how are
you using ISO 9001:2015 to help you run the company? This is asked directly of
top management (see section 5.1.1c) and is a very revealing question. The point
is that ISO 9001 is moving away from being a quality management system standard
and becoming a strategic management system. It’s not just about making sure
products or services meet requirements anymore. The standard is about managing
every aspect of the business. Remember sections 4.1 and 4.2 of ISO 9001:2015?
There we examined the key topics of context and interested parties. These
concepts touch every corner of the organization, and this is exactly how ISO
9001:2015 is intended to be used. Top management should be able to describe how
the QMS is used to run the company, not just pass an audit.
6. How do you manage change?
This topic comes up multiple times in ISO 9001:2015. The first and biggest
clause on the topic comes up in section 6.3. Here we identify changes that we
know are coming, and develop a plan for their implementation. What kind of
changes? Nearly anything, but the following changes come to mind as candidates:
new or modified products, processes, equipment, tools, employees, regulations.
The list is endless. An auditor should review changes that took place, and seek
evidence that the change was identified and planned proactively. Change that
happens in a less planned manner is addressed in section 8.5.6. Here the
auditor will seek records that the changes met requirements, the results of
reviewing changes, who authorized them, and subsequent actions that were
necessary.
7. How do you capture and use knowledge?
ISO 9001:2015 wants organizations to learn from their experiences, both
good and bad. This could be handled by a variety of means: project debriefs,
job close-outs, staff meetings, customer reviews, examination of data, customer
feedback. How the organization captures knowledge is up to them, but the
process should be clear and functional. The knowledge should also be maintained
and accessible. This almost sounds like it will be “documented” in some way,
doesn’t it? That’s exactly right. One way to audit this would be to inquire
about recent failures or successes. How did the organization learn from these
events in a way that will help make them more successful? It’s the conversion
of raw information to true knowledge, and it just happens to be one of the most
difficult things an organization can achieve.
These are by no means the only questions you’ll want to ask. They’re just the
starting point. We didn’t even mention management review, corrective action, or
improvement—all of which are crucial to an effective QMS. The seven topics discussed here are the
biggest new requirements that auditors will need to probe.
About the Author
Craig Cochran has assisted over 5,000 companies since 1999 in QMS implementation,
problem solving, auditing, and performance improvement. His most recent book is
ISO 9001:2015 in Plain English, available from Paton Professional: http://www.patonprofessional.com/iso-9001-2015-in-plain-english/
Also on Amazon: