Internal audits and pastures new?
By Allan J. Sayle, President, Allan Sayle Associates
1. Does the idea of process review comply with ISO 9001:2000?
Inevitably people will wonder whether or not the use of process
review, PR, as an alternate to “conventional” internal auditing
would satisfy the requirements of ISO 9001:2000. Those entrusted with
performing a “compliance audit” will certainly need to consider
that question.
In fact it has three distinct facets:
a) Terminologically could PR theoretically be an acceptable substitute
for internal auditing?
b) What does ISO 9001:2000 require about the actual conducting of an internal
audit?
c) In practice does PR equate to internal auditing?
a) Terminologically could PR theoretically be an acceptable substitute
for internal auditing?
To reach a decision, one must consider various “hinge” words
and expressions contained in that standard. Of course, ISO 9000:2000 offers
some definitions that one presumes represent the litmus test for their
meaning. My view is that one must therefore consider, as far as the standard
is concerned:
• What is a process? See 2.3 in which a “process”
can be a single or set of activities. That is, it may be of a micro
or macro nature. The actual definition (clause 3.4.1) refers to them
being a “set” of interacting or interrelated activities,
therefore appearing to exclude the possibility of a single activity
being treated as a “process”. (That does at least seem
to perpetuate a tradition of the ISO 9K series extant in the earlier
editions of being somewhat self-contradicting.)
• What is a system? See 3.2.1 whereby a system is a “set”
of interrelated or interacting elements.
• What is an audit? See 3.9.1 whereby this is also a process that
must be systematic, independent and documented, aiming to obtain objective
evidence that criteria are fulfilled. (The similarity of the actual
definition to my own work is patent. It is gratifying to know they
pay attention!)
• Is a “review” an audit? Perusing 3.8.7, one can see
it could indeed be. But, that clause does not mandate independence
on the part of the reviewer.
• Is the principle of independence required and, if so, is it explained?
Yes, in the case of an “audit”, 3.9.1 mandates “independence.”
It would therefore follow that a process “review” could be an
“audit” provided whosoever does the review is independent
of the “subject matter” (to use the standard’s own expression)
under consideration. If the customer performs the review, then the PR
would be an audit because the customer is independent of the supplier
and not responsible for the particular process.
It must then follow either:
• The supplier must afford the customer the opportunity
to participate in the review as the “independent” element
of the review; or,
• If the customer will not or does not wish to be present, the supplier
must then ensure a reasonable person could regard the chosen reviewer
as sufficiently independent of the process concerned. A manager responsible
for the process may not meet that test.
Those things being done, one would conclude replacing internal audits
with PRs would indeed meet the requirements of ISO 9001:2000.
Since it is common practice for a customer to include in the T’s
and C’s its desire to be involved in chosen aspects of the supplier’s
work, as a contract progresses, its participation in PRs may be assured,
within the usual limits of “communications’ breakdowns”.
But the customer’s diligent buyer (purchasing officer) is normally
responsible for ensuring participation as and when desired.
That particular scenario applies to purchases where a customer expressly
wants to be involved. Since it is not the case for all purchases, ISO
9K advocates will (rightly) express some concern about PR as a surrogate
“internal audit” in those situations. They may even use that
to justify the retention of conventional internal auditing and rejection
of PR as its surrogate.
The final arbiter on what is and is not acceptable is the customer. (One
of my long held views.) If the customer has mandated the supplier must
possess an ISO 9K certificate, issued by a registrar, it assumes the registrar
has verified the supplier meets AN interpretation of the standard. The
customer may even hope all registrars and all registrars’
auditors interpret the standard in the same way. (It does spring eternal!)
The question is, what does an ISO 9K certificate mean to the user? That
is discussed in a later section of that title.
b) What does ISO 9001:2000 require about the actual conducting of an
internal audit?
ISO 9001:2000 has certain requirements (8.2.2) of a rudimentary
nature for the planning, conduct, reporting etc of an internal audit that
could easily be accommodated under the title of PR.
Other standards such as the ISO 10011 family are not mandatory (they are
“for guidance”) therefore having no bearing on what is acceptable
conduct for an audit and, by extension, a PR.
ISO 9004:2000, containing a number of topics that might be covered during
an internal audit, is cited in ISO 9001:2000 as a guide for organizations
wishing “to move beyond the requirements of ISO 9001”:
as a consequence it has neither weight nor bearing on what an internal
audit or PR must cover in order to meet the “requirements”
of ISO 9001:2000.
c) In practice does PR equate to internal auditing?
Regardless of what the “standard” may or may not require,
this is the key question that will determine what benefits, if any, may
derive from a PR as an internal audit surrogate.
The answer, of course, depends on how and when the organization conducts
its PRs. If the “reviewer” is independent of the process,
fully understands the process (task element) approach, fully understands
the process itself, works systematically, is properly prepared for the
PR, is able to find root causes of whatever problems might be discovered,
can demand effective corrective action, and will not allow work to proceed
further unless and until such action is taken and verified as effective
then, yes, equivalent practices are used.
It comes down to “who is the reviewer”, “how does the
reviewer operate” and “what authority does the reviewer have?”
In fact, when conducting an internal audit, using the process (task element)
approach, one has always effectively “reviewed” the process,
its inputs and outputs and applicable task elements. And for a “macro”
process, one follows its sequence of activities, i.e. follows the system
verifying the existence of a (audit) trail, to determine there are no
breakdowns.
Call an audit whatever you will, it is the practical conduct that determines
its efficacy.
My conclusions
• Terminologically, considering the expressions used in
ISO 9000:2000, a PR could be regarded as equivalent to an internal
audit.
• In practice, ISO 9001:2000 has insufficient constraints that would
prevent someone considering a PR as equivalent to an internal audit.
• On the basis of the case(s) cited in Appendix 1, as the associated
registrar(s) subsequently issued the certificates, that act endorses
the auditor(s)' decision, creating important precedents of which others
should take swift advantage. It creates a precedent, a case example.
And this is where things get quite interesting and exciting, for the
registration and ISO 9K industries, as might be seen from the later
discussion “If the precedent becomes the norm”.
• In the real world, a PR may or may not equate to an internal audit
depending on how it is actually done.
2. Might process review as a surrogate for internal audits accord with my
publicly expressed views?