SaferPak: Food Packaging Safety, Food Safety, Business Improvement and Quality Management

Internal audits and pastures new?
By Allan J. Sayle, President Allan Sayle Associates

Does the idea of process review comply with ISO 9001:2000?
Might process review as a surrogate for internal audits accord with my publicly expressed views?
If the precedent becomes the norm – will we visit fresh woods and pastures new?
Self certification
Effects on the registration industry
What should be the ISO position and that of the TC committee?
Appendix 1
Appendix 2 - My publicly expressed views over the years

2. Might process review as a surrogate for internal audits accord with my publicly expressed views?

Some of my thinking is presented in Appendix 2 and I summarize key points as follows:

I developed and have always advocated the “Process (Task Element) Approach” to quality programs and auditing.
I believe in the performance of management auditing by someone independent of the process audited.
Auditing is a fact-finding exercise that provides management information.
I believe in self-auditing and self-checking prior to work being started using the process model.
The fundamental product of anyone’s process is a “decision”.
I consider verification to be any of a check, inspection, test or review, according to circumstances.
The customer is the final arbiter of what is and is not acceptable.

Those published thoughts are the yardstick for my analysis of the developments described by Mr. Wade. I will consider the first four in that list.

The Process Approach

As is well known I developed the Process Approach back in the 1970s and it has served well my employers, my clients and my own needs as a quality professional over the many intervening years. Both Yell and NKUK are claiming to follow the Process Approach and presumably believe in its ability to serve their business needs. From my experience I am not surprised. Whether or not they really understand it and apply it in the manner I would advise, I am unable to say, but I would like to see for myself.

Management auditing, self auditing

a) In the case of NKUK

It seems to me from what Mr. Wade has reported, it is a case of a “rose by any other name…” etc. Though the PR may not bear the title of “internal audit”, in light of the participation of the customer, an audit is happening, to some extent or other.

The efficacy of the customer’s effort depends, of course, on the calibre of its representative, the nature of his/her inquiries when on site (which depends on the training received) and the time taken for those inquiries. Those and other matters (as I mentioned earlier) are things I would wish to assess for myself. But, as all business is a matter between customer and supplier, if that satisfies the customer – fine and caveat emptor.
In that the customer is independent of the process being reviewed, PR would be consistent with that aspect of my definition of a management audit, stated in Appendix 2.
In that the “process” may be of a macro nature, that is, it encompasses its own systems linking together its own micro processes that together deliver the processes’ product, it would then also be looking at the processes’ systems.
The customer is well positioned to determine whether or not the supplier is meeting its contractual obligations, a component of my “audit” definition.
By virtue of its presence and that one can reasonably presume the supplier will show the customer objective evidence of what it is doing, one can conclude the PR is, for the customer, a fact-finding exercise: that would satisfy another part of my audit definition.
As to the “legal obligations”, another part of that same definition, the possibility of risk and liability is an important issue for each organization’s top management and legal advisers to thrash out. Such issues were never of concern to registrars or ISO 9K promoters anyway: after all, how many of them proudly (or foolishly?) claimed a QMS has nothing to do with the product or that a QMS does not guarantee product quality! That being the case, they would now be hoisted on their own petard if they raised any concern about them. Or perhaps they would be hoisting themselves on their own petard? Whatever may be the case, I care not about any dilemma now confronting them. One’s concern must remain, as ever, that any QMS/quality program/management controls et al are efficacious. That is a concern expressed in a 1979 paper of mine, mentioned in Appendix 2.
A matter of concern is that I regard management audits as being future focused: that is, being done to best effect before an activity (process, project, whatever) actually starts. Depending on the timing of the NKUK’s PR activity, that preventive role, so important in avoiding avoidable costs, may not be present. If so, the customer is ill served in the long term as is NKUK itself.
Since by its nature PR occurs after the process that is being reviewed, the supplier is conducting a type of self-audit which I have stated is a type of internal audit. The weakness is that in being conducted after the process, it is not a truly preventive action.

Overall, though one might play word-smithing games, I am unconvinced NKUK is performing management audits because the actual conduct et al are unknown. I would wish to personally assess how they go about their PRs.

b) In the case of Yell

When I read Mr. Wade’s initial report, I was not actually concerned about the Yell circumstance, for reasons I explain below: of greater concern is the possibility of general abandonment of internal auditing that may be sanctioned in firms where matters of health and safety could be paramount. And, I would still be concerned unless equivalent controls, as outlined above, for NKUK, were instituted in those firms.

In the case of Yell, at the time of this writing, Mr. Wade does not report the involvement of the customer and I am therefore skeptical of Yell’s compliance with the standard and of its real implementation of the types of control, just mentioned. So, I would wish for more information and, preferably, to undertake my own assessment of their practice, policies and program. From the information contained in his Saferpak posting, I would not endorse the Yell controls as a precedent for companies whose products have health or safety implications.

That being said, on the basis of my adage, “Never lose sight of the product”, what does Yell sell? Telephone directories? Not to me; they seem to appear at my mailbox every now and again as free issue items. From my understanding of Yell’s business, it sells advertising to firms listed within the covers of its directories. What are the risks? A business has an incorrect set of contact information or description of its products or services, in which case an update can soon correct that unfortunate situation but the world will not end. And, if the size of the tome in my office is any guide, perhaps the risk of injury if it fell on my foot! Though I might utter an expletive in that circumstance, I will not then examine the section dealing with “Attorneys” to sue Yell!

Consistency with my 2005 keynote address

In my recent Keynote address to the ASQ’s Quality Audit Division 2005 Conference, I observed how I see a bifurcation developed in “quality”. One branch deals with process management, the other deals with management process and that firms facing the pressures of globalization can take advantage of that bifurcation. The implications for auditing were cited and I reproduce the following diagram used during that speech. (To view the entire text of the speech: 2005 keynote address.)

| Branch | Deals with | Audit trend |
|---|---|---|
| Process management | How processes must manage their work. | Process auditing. Self-auditing, (six sigma etc.) |
| Management processes | What management processes the organization needs. | Management auditing. Value Assessing |

For the normal purposes of meeting ISO 9001:2000 to the satisfaction of a registrar for certification purposes, the process management line should suffice. That is, a combination of self-auditing and process auditing should be sufficient. (Indeed, in that six sigma is not a requirement of ISO 9001:2000, any organization adopting it would exceed the standard’s “strictures”.) But, as mentioned, performing PR after the fact does not constitute self-auditing in the manner I have advocated. It would remain to be seen whether the process owners undertake that style of self-audit. And it is also not known whether or not the firms really understand the process approach such that in conducting a PR they would

Based on Mr. Wade’s posted information it seems to me the controls chosen by NKUK should meet the requirements of the first line for effective process management and my general views, already summarized. They also meet my test of independence only by virtue of the fact that the customer is involved in the process review. They should be sufficient to protect health and safety of products and persons provided they embrace the task elements. I am not so sure of Yell’s compliance but for reasons stated product safety is not an issue of magnitude similar to that in, say, the making of pharmaceuticals, of aircraft design or of pressure vessel fabrication.

For going to greater depth, the second line would apply in addition to the first. But, unless that second line is done, I would not be assured the firm was constantly trying to avoid avoidable costs at the level of the business model. The types of audit cited in that line extend beyond the limits of compliance audits, which are the prime concern of ISO 9001:2000.

My original concern

Based on the limited information contained in Mr. Wade’s first post my original concern was that regardless of what ISO 9001:2000 may stipulate, certification bodies may be waiving the need for internal audits and that health and safety might be at risk in some circumstances. My angst was not with what the standard itself might require but from the [horrifying] thought that a tried and tested tool (internal audits) that has been a pillar of effective quality programs and management systems was being wantonly discarded. Mr. Wade’s initial post provided no information concerning any alternative, effective control that might be instituted by Yell or other companies for whom a similar dispensation had been provided.

Though being concerned that a certifying body (registrar) had destroyed that pillar, I do not believe such folly was committed. If anything, for reasons explained in this article, future events and developments may show the registrar destroyed a pillar of the certifying industry and its own portfolio of services. Regardless of the eventual outcome, I must praise the registrar’s auditor involved for his/her open mind and flexibility and for opening up these new possibilities. Future events may show it was, what the civil service and politicians would dub, a courageous act.

In any event, regardless of what may satisfy the flimsy requirements for “internal auditing” contained in ISO 9001:2000, an organization can still voluntarily conduct management audits as it strives to eliminate or prevent avoidable costs. And it can also choose to move towards Value Assessments for similar reasons. Though PR may seem a useful expedient, based on the limited information at hand concerning their use at NKUK, management may decide in the fullness of time it needs something more effective. Call the activity what you want, its contribution and efficacy are what matter.



© 2006 SaferPak Ltd.