hygiene zone
quality tools
quality techniques
human issues
quality awards
quality extra
visitor tools


Stay Informed
Sign up below to receive our Occasional Newsletter.

We Respect Your Privacy!

Web SaferPak
SaferPak: Food Packaging Safety, Food Safety, Business Improvement and Quality Management
       Home     About     Contact

Internal audits and pastures new?
By Allan J. Sayle, President Allan Sayle Associates

Does the idea of process review comply with ISO 9001:2000?
Might process review as a surrogate for internal audits accord with my publicly expressed views?
If the precedent becomes the norm – will we visit fresh woods and pastures new?
Self certification
Effects on the registration industry
What should be the ISO position and that of the TC committee?
Appendix 1
Appendix 2 - My publicly expressed views over the years

1. Does the idea of process review comply with ISO 9001:2000?

Inevitably people will wonder whether or not the use of process review, PR, as an alternate to “conventional” internal auditing would satisfy the requirements of ISO 9001:2000. Those entrusted with performing a “compliance audit” will certainly need to consider that question.

In fact it has three distinct facets:

a) Terminologically could PR theoretically be an acceptable substitute for internal auditing?
b) What does ISO 9001:2000 require about the actual conducting of an internal audit?
c) In practice does PR equate to internal auditing?

a) Terminologically could PR theoretically be an acceptable substitute for internal auditing?

To reach a decision, one must consider various “hinge” words and expressions contained in that standard. Of course, ISO 9000:2000 offers some definitions that one presumes represent the litmus test for their meaning. My view is that one must therefore consider, as far as the standard, is concerned:

What is a process? See 2.3 in which a “process” can be a single or set of activities. That is, it may be of a micro or macro nature. The actual definition (clause 3.4.1) refers to them being a “set” of interacting or interrelated activities, therefore appearing to exclude the possibility of a single activity being treated as a “process”. (That does at least seem to perpetuate a tradition of the ISO 9K series extant in the earlier editions of being somewhat self-contradicting.)
What is a system? See 3.2.1 whereby a system is a “set” of interrelated or interacting elements.
What is an audit? See 3.9.1 whereby this is also a process that must be systematic, independent and documented, aiming to obtain objective evidence that criteria are fulfilled. (The similarity of the actual definition to my own work is patent. It is gratifying to know they pay attention!)
Is a “review” an audit? Perusing 3.8.7, one can see it could indeed be. But, that clause does not mandate independence on the part of the reviewer.
Is the principle of independence required and, if so, is it explained? Yes, in the case of an “audit”, 3.9.1 mandates “independence.”

It would, therefore follow; a process “review” could be an “audit” provided whosoever does the review is independent of the “subject matter” (to use the standard’s own expression) under consideration. If the customer performs the review, then the PR would be an audit because the customer is independent of the supplier and not responsible for the particular process.

It must then follow either:

The supplier must afford the customer the opportunity to participate in the review as the “independent” element of the review; or,
If the customer will not or does not wish to be present, the supplier must then ensure a reasonable person could regard the chosen reviewer as sufficiently independent of the process concerned. A manager responsible for the process may not meet that test.

Those things being done, one would conclude replacing internal audits with PRs would indeed meet the requirements of ISO 9001:2000.

Since it is common practice for a customer to include in the T’s and C’s its desire to be involved in chosen aspects of the supplier’s work, as a contract progresses, its participation in PRs may be assured, within the usual limits of “communications’ breakdowns”. But the customer’s diligent buyer (purchasing officer) is normally responsible for ensuring participation as and when desired.

That particular scenario applies to purchases where a customer expressly wants to be involved. Since it is not the case for all purchases, ISO 9K advocates will (rightly) express some concern about PR as a surrogate “internal audit” in those situations. They may even use that to justify the retention of conventional internal auditing and rejection of PR as its surrogate.

The final arbiter on what is and is not acceptable is the customer. (One of my long held views.) If the customer has mandated the supplier must possess an ISO 9K certificate, issued by a registrar, it assumes the registrar has verified the supplier meets AN interpretation of the standard. The customer may even hope all registrars and all registrars’ auditors interpret the standard in the same way. (It does spring eternal!) The question is, what does an ISO 9K certificate mean to the user? That is discussed in a later section of that title.

b) What does ISO 9001:2000 require about the actual conducting of an internal audit?

ISO 9001: 2000 has certain requirements, (8.2.2), of a rudimentary nature for the planning, conduct, reporting etc of an internal audit that could easily be accommodated under the title of PR.

Other standards such as the ISO 10011 family are not mandatory (they are “for guidance”) therefore having no bearing on what is acceptable conduct for an audit and, by extension, a PR.

ISO 9004:2000, containing a number of topics that might be covered during an internal audit is cited in ISO 9001:2000 as a guide for organizations wishing “to move beyond the requirements of ISO 9001”: as a consequence it has neither weight nor bearing on what an internal audit or PR must cover in order to meet the “requirements” of ISO 9001:2000.

c) In practice does PR equate to internal auditing?

Regardless of what the “standard” may or may not require, this is the key question that will determine what benefits, if any, may derive from a PR as an internal audit surrogate.

The answer, of course, depends on how and when the organization conducts its PRs. If the “reviewer” is independent of the process, fully understands the process (task element) approach, fully understands the process itself, works systematically, is properly prepared for the PR, is able to find root causes of whatever problems might be discovered, can demand effective corrective action, and will not allow work to proceed further unless and until such action is taken and verified as effective then, yes, equivalent practices are used.

It comes down to “who is the reviewer”, “how does the reviewer operate” and “what authority does the reviewer have?”

In fact, when conducting an internal audit, using the process (task element) approach, one has always effectively “reviewed” the process, its inputs and outputs and applicable task elements. And for a “macro” process, one follows its sequence of activities, i.e. follows the system verifying the existence of a (audit) trail, to determine there are no breakdowns.

Call an audit whatever you will, it is the practical conduct that determines its efficacy.

My conclusions

Terminologically, considering the expressions used in ISO 9000:2000, a PR could be regarded as equivalent to an internal audit.
In practice, ISO 9001:2000 has insufficient constraints that would prevent someone considering a PR as equivalent to an internal audit.
On the basis of the case(s) cited in Appendix 1, as the associated registrar(s) subsequently issued the certificates, that act endorses the auditor(s) decision creating important precedents of which others should take swift advantage. It creates a precedent, a case example. And this is where things get quite interesting and exciting, for the registration and ISO 9K industries, as might be seen from the later discussion “If the precedent becomes the norm”.
In the real world, a PR may or may not equate to an internal audit depending on how it is actually done.


Next: 2. Might process review as a surrogate for internal audits accord with my publicly expressed views?




Back to previous page




















top of page

home :: about :: contact :: terms

© 2006 SaferPak Ltd.