June, 2003

Welcome to the Whittington & Associates e-Newsletter!
Visit and bookmark our web site today: http://www.WhittingtonAssociates.com

This e-Newsletter is in HTML format and may not be displayed properly by some email programs. Please click on our web site address above to see the e-Newsletter with its proper formatting.

Auditing with the Process Approach

ISO 9001:2000 promotes the process approach by its structure and requirements. Yet, many internal audit programs still conduct audits by clause instead of by process. A “process” is an activity that uses resources to transform inputs into outputs. The output of one process is often the input to another process. The “process approach” identifies the system of related processes, along with their interaction and management. 

Organizations must identify and manage numerous linked activities to function effectively. As a result, internal audits should examine these activities from a process perspective. An audit based on the process approach looks at more than just the tasks for a selected activity. It examines process inputs, resources, and outputs.

Audits are often scheduled and conducted on a specific clause of the standard. This isolated focus on judging conformity to a single set of requirements may result in the broader business process being inadequately assessed.

If an audit schedule is set up by clause, the schedule is dictating a limited audit scope. Even processes related to a unique clause usually involve multiple departments and should be followed into those other areas for complete coverage. 

When audits are scheduled by department, they usually stop at the department boundaries and don’t go into other areas to examine the inputs and outputs. In addition, these departmental audits may only review documentation to judge conformity and not focus on interviews and observations for a more balanced view.   

ISO 9001:2000 promotes the adoption of the process approach by the very nature of its structure and requirements. In fact, the quality manual must describe the interaction between the processes of the quality management system. Therefore, internal audits need to keep pace and make the transition to “process auditing” to avoid the limitations of clause and departmental auditing.

How do you schedule process audits?

Internal audits should be scheduled by key processes. Even if you stick to a department-based schedule, extending it to consider supplier and customer departments would be an improvement. 

Audits are to be planned based on the status and importance of the area to be audited, as well as, the results of previous audits. If an area has experienced many quality problems, then it deserves more audit scrutiny. Similarly, if an area is critical to product conformity, it should be audited more often. And, areas receiving most of the audit nonconformities should be scheduled to receive more frequent audits.    

Many organizations have described the interaction of their processes by including a process map in the quality manual. This flowchart can be used to arrange process audits. The process interface information can be placed in a supplier-customer relationship table for easier identification of the linkages.

Supplier-Customer Table

A supplier-customer table can be used to clearly identify the internal “supplier” processes and “customer” processes for a process. If Process 2 in the partial table below is to be audited, reading across the row shows that Process 1 is a supplier and Processes 3 and 4 are customers. 

When planning an audit, identify the audit criteria. The requirements include those from ISO 9001:2000, the organization, and its customers. Also, identify any applicable legal requirements. For ISO 9001:2000 requirements, keep in mind its “plan, do, check, act” structure. Therefore, one logical requirement may be addressed at several places in the standard.

Responsibility Table

A Responsibility Table can be used to identify process owners and users. It also identifies the applicable clauses to address when auditing a process or department. In the table below, Quality has Primary responsibility for document control (4.2.3). The other departments have a secondary role since they use the process.

Two versions of the table may be appropriate. One, as shown below, displays the relationship between departments and ISO 9001:2000 clauses. A second table could show the relationship between departments and processes.

After the table is completed, all the process owners (those responsible for the applicable clauses) will be identified. These process owners will approve their related documents and involve the Secondary areas in the reviews. In some cases, the area may not have any direct involvement in the process and will be shown with a hyphen. Of course, the sample table above may not reflect the responsibilities at your organization. 

When auditing an area, the auditor can look down a column to see the clauses of primary and secondary importance. The table cells with a hyphen can be skipped since they aren’t applicable for that area.  

Requirements Table

Another useful planning tool is the Requirements Table. After identifying the applicable requirements (standard, customer, company, and legal), place them in the first column of a table. Identify the processes that address these requirements in the other columns. Then show the process flow for each requirement as the rows of the table. This table will ensure the process audit is customer focused and deals with the full range of requirements. It can be used to create the process checklist. 

Are checklists used any differently?

Yes. A checklist is usually prepared to verify a documented process is in place and being followed. Unfortunately, checklists are limited by the content of the process documents and may not adequately address the process inputs, outputs, controls, and results (effectiveness). And, with defined, undocumented processes, checklists may not have been created due to the lack of source documents.     

Checklists should move from specific questions to an outline format to encourage more thinking by the auditors, as well as, help them spot audit trails and evaluate effectiveness. Detailed questions in a checklist often result in auditors strictly adhering to those questions and not being flexible enough to follow audit trails.

The notes on the checklist should identify not only evidence of any nonconformities, but also process strengths (for compliments) and weaknesses (for improvements).

Process Checklist Example

Audits must consider four types of requirements: standard, customer, company, and legal. Many of these requirements are documented and the reference number can be listed in the first column of the checklist. If a requirement is defined, but not documented, the source should still be identified.

The second column lists the requirements to be "looked at" and the third column lists the evidence to "look for" to judge conformity. Also, identify the objectives for the process in the requirements column. You can only determine the process effectiveness by looking at the quality objectives and the process results. 

Some auditors enjoy talking to people and observing the work, but may shy away from closely examining documents and records. Other auditors may be less outgoing and prefer to focus on auditing the "books". For a balanced audit, you must collect objective evidence from all four sources: documents, interviews, observations, and records.

Documents must be reviewed to prepare for the audit. People must be interviewed to learn about the process and evaluate their understanding. If possible, the activities are observed to compare practices to the defined process. Documents in use are evaluated for proper document control. Records must be examined to assess past practices. Only through sampling all four sources can you confidently determine conformity and judge effectiveness.

How is auditing by process any different than auditing by department?

Department audits may assess portions of multiple processes, but not fully cover a single process. A process audit may span multiple departments to examine the full process, including the sources of its inputs and the recipients of its outputs. So, a process audit is really quite different than a department audit. Process audits look at the sequence and interaction of the processes and aren't limited by the artificial boundaries of an organizational structure.  

Auditors must be trained to look for more than just conformity. Auditors should have a business perspective. They need knowledge of the process and its measurable objectives, so they can identify and follow audit trails. The auditors must also examine process effectiveness and identify any opportunities for improvement. 

The key processes and linkages of the system will have been identified (since required by ISO 9001:2000). Using this process description, auditors can follow the flow from orders to shipping. Of course, the processes for the infrastructure won’t be in the direct process flow for the product, but even those processes have inputs, outputs, and controls.  

Process auditing is really auditing of a process-based system. It goes beyond limited auditing (by clause or department) to look at process interactions. Process auditing involves making value-added judgments about the process and its effectiveness. When auditors go upstream (to look at inputs) and downstream (to follow outputs), they are performing process audits that allow them to examine the process interactions.

I have found that the more significant problems exist at the interfaces between processes, not within a process. The handoffs between processes are typically ignored in audits conducted by clause or even department. You need to look at the inputs to the process and the outputs from the process.   

To judge effectiveness, auditors can evaluate how well the process is being performed by looking at its quality objectives and measurements. In some cases, the auditor may have to go downstream to see how well the process output is meeting the needs of the next process. Look beyond the requirements, determine what process outcomes are expected by management.   

How do you audit the department interfaces without jumping all over the place?

When auditors follow an audit trail upstream and downstream, they may be undecided about how far to continue on that path. Carried to its extreme, one process audit could end up looking at every process in the system. Well, that is what should happen over time, just not all at once.       

Start with the inputs from the “supplier” processes and follow them into the activities of the selected process. Then follow the outputs to the “customer” processes to ensure they have been transferred or communicated as required.

Don’t start and end the audit at the boundaries of the process. You need to begin with the outputs of the preceding processes (inputs to the selected process) and continue auditing through the delivery of the outputs to the succeeding processes (which are their inputs).

You need to see if there are any gaps or overlaps between the selected process and the “supplier” and “customer” processes. This assessment will allow you to make judgments on the conformity and effectiveness of the selected process. 

Depending on the audit scope, team size, and allocated time, you could audit a collection of processes that make up a sub-system.

What is the difference between "system" audits, "process" audits, and "product" audits?

A “system” audit is an assessment of the overall quality management system. When the system is further divided into unique processes, the system audit has become, in effect, multiple “process” audits. 

A “process” audit is an assessment of a single process or group of linked processes. It should address the process inputs, resources, activities, outputs, controls, and measurements. 

In some circles, a “product” audit is an assessment of products that have passed final inspection. For example, a dock audit typically checks for correct packaging, labeling, and paperwork, and may even test the product again before shipment.

In my opinion, an “audit” that involves product inspections or tests isn’t really an audit. It is an inspection or test. Audits examine processes, including those that inspect or test the product, but do not verify the products directly.

Therefore, I define a “product” audit as just a process audit with a scope limited to a specific product (the subset of processes relating to that product). In a similar fashion, a process audit can be focused on a specific contract or project, giving rise to a “contract” audit or “project” audit.  

Summary

2. Registration Totals

As of March, 2003, the total number of registrations for ISO 9000 and related standards in the USA were:

ISO/TR 10017:2003 has been released to provide guidance on the use of statistical techniques for ISO 9001:2000. The technical report covers the selection of statistical techniques that may be useful in developing, implementing, maintaining, and improving an ISO 9001-based quality management system. This is done by examining the ISO 9001 requirements that involve the use of quantitative data, and then identifying and describing the statistical techniques that can be useful when applied to such data.

You can order a copy for $76.00 at the ANSI web store.

4. Class Schedule for June, 2003 - August, 2003

To enroll in these public classes, go to Class Schedule at our web site, or call us at 800-404-7585. The classes taught by Larry Whittington are shown in gold.

ISO 9001:2000 Lead Auditor (ANSI/RAB-NAP Accredited) - BSI Management Systems
Initial course version developed by Larry Whittington 

June	July	August
02-06  Orlando, FL	07-11  St. Louis, MO ????	04-08  Woodcliff Lakes, NJ
09-13  Atlanta, GA	14-18  San Jose, CA	04-08  San Diego, CA
09-13  Woodcliff Lakes, NJ	21-25  St. Louis, MO ????	11-15  Dallas, TX
09-13  Los Angeles, CA	28-01  Charlotte, NC	18-22  Reston, VA
16-20  Detroit, MI	- -	25-29  Atlanta, GA
23-27  Reston, VA	- -	25-29  San Jose, CA

ISO 9001:2000 Internal Auditor (ANSI/RAB-NAP Accredited) - BSI Management Systems

June	July	August
18-20  Reston, VA	09-11  San Jose, CA	06-08  Dallas, TX
- -	23-25  Atlanta, GA	26-28  Los Angeles, CA

ISO 9001:2000 Auditor Transition (RAB-Approved) - Course developed by Larry Whittington

June	July	August
12-13  Detroit, MI	14-15  San Jose, CA	14-15  Reston, VA
26-27  Orlando, FL	28-29  St. Louis, MO	28-29  San Diego, CA
26-27  Carlsbad, CA	- -	- -

Implementing ISO 9001:2000 (for New Systems) - Course developed by Larry Whittington

June	July	August
16-17  Reston, VA	17-18  Chicago, IL	19-20  San Diego, CA
- -	21-22  Atlanta, GA	- -

Understanding ISO 9001:2000

June	July	August
- -	25  Charlotte, NC	- -

Understanding ISO 9001:2000 Requirements (Atlanta Only - $295) - Course developed by Larry Whittington

July	August	September
- -	- -	17  Atlanta, GA

ISO 9001:2000 Conversion (for Existing Systems) - Course developed by Larry Whittington

June	July	August
09-11  Detroit, MI	16-18  San Jose, CA	11-13  Reston, VA
23-25  Orlando, FL	30-01  St. Louis, MO	25-27  San Diego, CA

Quality System Documentation (Revised for ISO 9001:2000) - Course developed by Larry Whittington

June	July	August
30-01  Orlando, FL	24-25  Reston, VA	21-22  San Diego, CA

The above public courses can be offered on-site at your facility. In addition, we offer these special courses:

• Internal Quality Auditing (2 Days) - Course developed by Larry Whittington (based on new ISO 19011)
• Understanding ISO/TS 16949:2002 Requirements (1 Day) - Course developed by Larry Whittington
  

To arrange an economical on-site class, please call us at 800-404-7585.

Copyright © 2000 - 2007  Whittington & Associates, LLC.
All Rights Reserved.
242 Highlands Drive, Woodstock, GA 30188
770-517-7944 or fax 770-517-7945

 
Whittington & Associates provides training, consulting and auditing services for quality systems based on
ISO 9001, ISO/TS16949, TL9000, AS9100, ISO 13485, as well as, ISO 27001, ISO 20000, ISO 22000, and ISO 14001.