Whittington & Associates e-Newsletter
QMS, EMS, Information Security, Six Sigma, and CMMI December 2006
In this Issue
  1. Quality, Industry, and Society Web Links
  2. Auditing a Process that is Undocumented
  3. How to Audit Continual Improvement
  4. How to Audit Preventive Action
  5. Information Systems Security Study
  6. Class Schedule

Greetings!

Welcome to the Whittington & Associates e-Newsletter! Visit and bookmark our web site.

Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, and related ISO standards, as well as Six Sigma and CMMI.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.


Quality, Industry, and Society Web Links

You may find the more than 150 web links listed at our web site useful in your quality management activities. See a small sample of the web links listed below:

Aerospace Industries Association (AIA)
American Chemical Council (ACC)
American Council of Independent Laboratories (ACIL)
American Productivity and Quality Center (APQC)
American Society for Nondestructive Testing (ASNT)
ANSI-ASQ National Accreditation Board (ANAB)
Association of Record Managers & Administrators
Automotive Industry Action Group (AIAG)
Board of Environmental, Health, and Safety Auditor
Environmental Protection Agency (EPA)
Information Systems Audit & Control Association
National Institute for Standards and Technology (NIST)
Occupational Safety and Health Administration (OSHA)
Project Management Institute (PMI)
Quality Assurance Institute (QAI)
RABQSA International
Society of Manufacturing Engineers (SME)
Software Engineering Institute (SEI)

To see all the web links, go to Links at our web site. Please send us your comments about the listed links, as well as any suggested additions.

Auditing a Process that is Undocumented

Some quality auditors struggle when auditing processes that are not documented. Unfortunately for them, ISO 9001:2000 only requires a few documents:

  • Quality Policy, Quality Objectives, and Quality Manual
  • Document Control and Record Control Procedures
  • Internal Audit and Nonconformity Control Procedures
  • Corrective Action and Preventive Action Procedures

ISO 9001:2000 also states that organizations should include any other documents they need for the effective planning, operation, and control of their processes. However, if an organization thinks their employees can perform a process well based on their training, skills, and experience, they can choose to go without a procedure or instruction.

So, how do you audit processes if their requirements aren't documented? Begin by talking to the process owners and ask them to describe their processes. In lieu of a procedure, you are basically documenting the process in your notes.

You can use a manager's statement about the process as the audit criteria for evaluating evidence of conformity. Watch the process carefully as it is performed, and examine its records, to see whether the process operation matches the stated requirements.

If there is a discrepancy, then the nonconformity can be written as shown below:

Requirement: The design manager stated drawings are approved by the engineer.

Evidence: Drawing EG101 was approved by a draftsman instead of the engineer.

As auditors, our job is to assess conformity, evaluate effectiveness, and identify opportunities for improvement ... not to establish the root cause and suggest corrective actions. Therefore, if an undocumented process is found to be nonconforming, we can't recommend it be documented as the solution.

Also, be careful during interviews not to tell someone a documented process isn't clear to you, and that it should be further documented. They would be within their rights to tell you it is perfectly clear to the employees trained on the job, and if they expand the document for you, it would just clutter it up for their employees.

To enroll in an auditing course, go to one of the Internal Auditor or Lead Auditor course descriptions below:

ISO 9001 Internal Auditor
ISO 13485 Internal Auditor
ISO 14001 Internal Auditor
ISO/TS 16949 Internal Auditor
AS9100 Internal Auditor
ISO 27001 Internal Auditor

ISO 9001 Lead Auditor
ISO 9001 Lead Auditor (with emphasis on ISO 13485)
ISO 9001 Lead Auditor (with emphasis on ISO/TS 16949)
ISO 14001 Lead Auditor
AS9100 Lead Auditor
ISO 27001 Lead Auditor

How to Audit Continual Improvement

How do you audit the conformity of an organization to the continual improvement requirements of ISO 9001:2000? First, let's review the definition of continual improvement: "The recurring activity to increase the ability to fulfill requirements."

Clause 8.5.3 requires continual improvement of a quality management system through the use of:

  • Quality Policy
  • Quality Objectives
  • Audit Results
  • Data Analysis
  • Corrective Action
  • Preventive Action
  • Management Review

In addition, clause 5.3 requires the Quality Policy to include a commitment to the continual improvement of the effectiveness of the quality management system.

Both these clauses refer to continually improving the "effectiveness" of the system. To fully understand continual improvement, we need to know that the term effectiveness means "the extent to which planned activities are realized and planned results are achieved."

Continual improvement is more than just corrective action (based on a detected nonconformity) or preventive action (based on a potential nonconformity). An organization may identify a unique improvement activity based on their desire to become better and faster at what they do, instead of just reacting to actual or future nonconformities.

See if they are identifying specific improvement activities, especially at Management Review. And, how were the target rates of improvement determined? Are the plans being approved, resources being allocated, and progress being tracked?

Are the improvement projects keyed to increasing the level of conformity to requirements and better satisfying customers? See if performance trends indicate a continual improvement in results.

Remember, if they aren't meeting an improvement target, that doesn't make it a nonconformity ... they may have set an aggressive objective. However, if not met, they should be understanding why not and revising their plan.

How to Audit Preventive Action

One of the difficulties in auditing a preventive action program is that some organizations don’t understand well the differences between corrective actions and preventive actions.

A corrective action is taken on a detected nonconformity to prevent it from happening again. An organization will first correct or contain the problem, and then determine its root cause so they can take corrective action to prevent its recurrence.

When we act to “prevent” a repeat of a detected nonconformity, that is full and complete corrective action, not preventive action.

Preventive action is when we anticipate a potential problem and take action to eliminate the possible causes and prevent the occurrence of the nonconformity.

Auditing a preventive action program begins with a review of the preventive action procedure required by ISO 9001:2000. Of course, an organization may choose to have corrective actions and preventive actions covered in the same documented procedure. This is acceptable as long as the requirements in both clauses 8.5.2 and 8.5.3 are adequately addressed.

When a potential problem is identified, organizations must determine the action needed to eliminate the causes of the potential nonconformity and thereby prevent its occurrence. However, the action taken must be appropriate to the effects of the problem.

In other words, it would be acceptable to not take a preventive action if the anticipated problem is unlikely to happen, would have little impact, and would be easily detected. If a potential problem is low risk, the business decision may be to not attempt to prevent it.

However, if there is a need, the organization must determine and implement the appropriate preventive action. Records must be kept of the results. The action taken must be reviewed to assess its effectiveness in preventing the potential problem.

The best time to take preventive actions is early in the product cycle, e.g., performing Failure Mode Effects Analysis and conducting Design Reviews. However, these actions are integral to the process and won’t necessarily be captured on preventive action forms.

When auditing a preventive action program, find out how potential nonconformities are identified. If they aren’t analyzing trends and looking for warning signs, they may be ignoring possible problems that could be avoided if only they were considered.

Examine the preventive action records to see if the organization is following their procedure. Find out how they identify causes and determine the appropriate actions. Review the results to see if their actions were effective in preventing the problems.

Strange as it may sound, the goal of a preventive action program can be viewed as keeping the status quo. By avoiding future problems, we are keeping the quality system at its current level so it can be improved upon by eliminating actual problems through our corrective actions.

If you’d like to know more about preventive actions, consider ordering The Preventive Action Handbook.

Information Systems Security Study

The International Information Systems Security Certification Consortium (ISC2) sponsored a study last year by the global analyst firm IDC. The Global Information Security Workforce Study noted that securing an organization’s information assets is a relentless battle.

The constant barrage of threats keeps information security professionals in a reactive mode. Cyber-criminals are generating attacks using a growing arsenal of weapons, including spam, phishing, malware, and spyware. However, the intent of malicious activity has clearly shifted away from notoriety toward profit.

The formulation of a security strategy also requires people and processes to be addressed as significant areas for exposure. If overlooked, intentional and unintentional behavior of users, social engineering, lack of business continuity planning, or insufficient separation of duties can all lead to serious consequences.

Organizations must evaluate all internal and external risks on both physical and logical levels to properly execute against their risk management objectives. The study reported that the top 5 security technologies in the Americas in 2006 were:

  1. Biometrics
  2. Intrusion Prevention
  3. Wireless Security Solutions
  4. Identity and Access Management
  5. Security Event or Information Management

The most common applications for biometrics are physical access and an additional layer of strong authentication for IT systems access. In addition, biometrics is being leveraged as an additional credential that is linked to an individual’s identity for verification purposes, for example, e-passports and national identity cards.

Wireless security remains a widespread problem that needs to be locked down and controlled. The proliferation of mobile devices, users wanting broad access, and the increasing mobility of the global workforce create a situation of risk and vulnerability in which organizations have a hard time controlling and managing their IT environments.

In Europe and Asia, one of the top 5 technologies is Forensics, effectively dealing with, mitigating, responding to, and prosecuting computer-related abuse and crimes. There is a growing need for decisive answers, quick responses, and evidence preservation to document attacks and system compromises that may cripple or completely disable any organization’s computer systems.

Although the person responsible for maintaining security in an organization is the cornerstone of protection, security is ultimately everyone’s duty. If any one individual fails to maintain and adhere to security policies, then all computing systems and the viability of the organization are at risk.

Information security is a global, organization-wide problem that cannot be addressed with technology solutions alone. It requires the unconditional commitment of an organization at the financial, management, and operational levels to proactively secure and protect the organization’s logical and physical assets.

Security management will always require the proper balance between people, policies, processes, and technology to effectively mitigate the risks associated with today’s digitally connected business environment.

People and processes are finally becoming recognized as the greater focal point for risk management efforts as technology is acknowledged to be an enabler for achieving organizational objectives, not the solution.

For more information, go to the International Information Systems Security Certification Consortium web site.

Class Schedule

Click on a course title below to see its description and class schedule. Payment is not requested during the online enrollment process.

ISO 9001:2000
Understanding ISO 9001:2000
Implementing ISO 9001:2000
Quality System Documentation
ISO 9001:2000 Internal Auditor
ISO 9001:2000 Lead Auditor

ISO 14001:2004
Understanding ISO 14001:2004
Implementing an EMS
ISO 14001:2004 Internal Auditor
ISO 14001:2004 Lead Auditor

ISO/TS 16949:2002
ISO/TS 16949:2002 Internal Auditor
ISO/TS 16949:2002 Lead Auditor
Understanding and Implementing ISO/TS 16949:2002

AS9100B:2004
AS9100 Internal Auditor
Implementing AS9100
AS9100 Lead Auditor

ISO 17799 / ISO 27001
ISO 17799 - Understanding an ISMS
ISO 17799 - ISMS Implementation
ISO 27001 - ISMS Internal Auditor
ISO 27001 - ISMS Lead Auditor

ISO 13485:2003
Understanding ISO 13485:2003
ISO 13485:2003 Internal Auditor
Implementing ISO 13485:2003
ISO 9001 Lead Auditor - ISO 13485 Emphasis

Six Sigma
Introduction to Statistics
Green Belt Certification
Black Belt Certification

Capability Maturity Model® Integration
Introduction to CMMI® V1.2

Discounts
Enroll and pay for an Atlanta class 30 days in advance and receive a 10% discount. Students at previous Atlanta classes receive a 20% discount on future Atlanta classes.

Books
See our list of ISO 9001, Auditing, and Six Sigma books. Includes book descriptions and links to Amazon.

© 2000-2006 Whittington & Associates, LLC
