Whittington & Associates e-Newsletter
QMS, EMS, Information Security, Services Management, and Six Sigma December 2007
In this Issue
  1. Audit Checklist with Answers
  2. Incident and Problem Management
  3. ISO 28000 for Supply Chain Security
  4. Are e-Audits in Your Future?
  5. Audits and Cheat Sheets
  6. Class Schedule

Greetings!

Welcome to the Whittington & Associates e-Newsletter! Visit and bookmark our web site.

Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, ISO 22000, and related ISO standards, as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.


Audit Checklist with Answers

A checklist compensates for the weakness of human memory when we want to carry out a task consistently and completely. For example, we use checklists to remind us of important actions, or even to plan a trip to the grocery store.

As auditors, we use checklists to remind us of the audit criteria against which we are to compare the audit evidence. In other words, we compare evidence (statements, observations, documents, and records) to the applicable requirements (customer, organization, standard, and legal).

To guide novice auditors, a typical checklist contains a suggested set of questions to determine if an area conforms to the requirements. Unfortunately, auditors often adhere rigidly to the list of questions and are unlikely to develop their own questions based upon the evidence in front of them.

And, when they hear reasonable answers to the canned questions, they may accept the responses and not recognize nonconforming situations. The typical checklist gives them the questions to ask, but does not provide the expected answers.

If you are an instructor giving an exam, you need the answer key to grade the responses. Likewise, an audit checklist should provide the expected answers to judge conformity. So, rather than listing only questions, we should use audit checklists with no questions, only the requirements and the expected evidence.

Auditors, even new auditors, can develop the basic questions on the fly from the applicable requirements. Because the checklist does not supply the questions, each audit is unique and does a better job of sampling the area under audit. Identifying the expected evidence on the checklist helps the auditor decide whether the statements made, operations observed, documents reviewed, and records examined are conforming.

As an example of a traditional checklist for the document control process, it would contain a question like, "Are the documents approved before they are issued?" The response might be, "Yes, I receive an email note from the document owner approving the document before I make it available." That might sound like a reasonable response, especially if the auditee shows you records matching that practice.

However, with the proposed checklist, there would be no questions. Instead, under the Requirement column would be: "Approve documents before they are issued." Under the Evidence column might be something like: "Document owner and quality manager must sign approval form, DC-01.1."

Based upon the requirement listed, the auditor might ask, "How are documents approved?" If the same response was received, the auditor would see from the expected evidence that approval from the quality manager was missing and that the required form was not being used.

An audit checklist is a memory aid and confidence builder for an auditor. It helps the auditor stay focused on the audit objectives and scope. It helps ensure the audit criteria have been addressed. And, it is a repository for the auditor's notes and becomes a record of the areas investigated.

Interested in an auditing course? Click on the course title below to see the class schedule.

ISO 9001 Internal Auditor
ISO 9001 Lead Auditor

ISO 14001 Internal Auditor
ISO 14001 Lead Auditor

ISO/TS 16949 Internal Auditor
ISO/TS 16949 Lead Auditor

AS9100 Internal Auditor
AS9100 Lead Auditor

ISO 13485 Internal Auditor
ISO 13485 Lead Auditor

ISO 27001 Internal Auditor
ISO 27001 Lead Auditor

ISO 20000 Internal Auditor
ISO 22000 Internal Auditor

Incident and Problem Management

According to ISO 20000-1:2005, incident management and problem management are separate processes, although they are closely linked. Incident management deals with the restoration of service to users, whereas problem management is concerned with identifying and removing the causes of incidents.

The objective of incident management is to restore the agreed service to the business as soon as possible, or to respond to service requests. The objective of problem management is to minimize disruption to the business by proactively identifying and analyzing the causes of incidents and by managing problems to closure.

ISO 20000-1, Clause 8, Resolution Processes, identifies the requirements for Incident Management in clause 8.2 and for Problem Management in clause 8.3. I have summarized those requirements below:

8.2 Incident Management
Record all incidents. Adopt procedures to manage the impact of incidents. Define in procedures the recording, prioritization, business impact, classification, updating, escalation, resolution, and formal closure of all incidents.

Keep the customer informed of the progress of their reported incident or service request and alerted in advance if their service levels cannot be met and an action agreed. Give access to all staff involved in incident management to relevant information such as known errors, problem resolutions, and the configuration management database. Classify and manage major incidents according to a process.

8.3 Problem Management
Adopt procedures to identify, minimize, or avoid the impact of incidents and problems. Define in procedures the recording, classification, updating, escalation, resolution, and closure of all problems. Take preventive actions to reduce potential problems, e.g., following trend analysis of incident volumes and types.

Pass to the change management process any changes required to correct the underlying cause of problems. Monitor, review, and report on effectiveness of problem resolution. Ensure problem management is responsible for making up-to-date information on known errors and corrected problems available to incident management. Record actions for improvement identified during this process and input to a plan for improving the service.

To see a full summary of the ISO 20000-1:2005 requirements, go to the ISO 20000 Requirements page at our web site.

If you'd like to see how the clauses of ISO 20000-1:2005 relate to the clauses of ISO 9001:2000, you can go to the ISO 20000-ISO 9001 Cross-Reference page at our web site.

You can purchase a copy of ISO 20000-1:2005, Information Technology - Service Management - Part 1: Specification, or ISO 20000-2:2005, Information Technology - Service Management - Part 2: Code of Practice, at the ANSI e-Standards Store.

ISO 28000 for Supply Chain Security

The ISO 28000 series of standards on supply chain security management systems have been upgraded from their status as Publicly Available Specifications to that of full International Standards. They are expected to help reduce risks to people and cargo by addressing potential security issues such as terrorism, fraud, and piracy.

The ISO 28000 standards specify the requirements for a security management system to ensure safety in the supply chain. They can be applied by organizations of all sizes involved in manufacturing, service, storage, or transportation by air, rail, road, and sea at any stage of the production or supply process. The standards include provisions to:

  • establish, implement, maintain, and improve a security management system;
  • assure conformity with security management policy;
  • demonstrate such conformity;
  • seek certification of conformity by an accredited third party organization; or
  • make a self-determination and self-declaration of conformity.
The ISO 28000 series consists of:

ISO 28000:2007, Specification for security management systems for the supply chain;
ISO 28001:2007, Security management systems for the supply chain - Best practices for implementing supply chain security - Assessments and plans - Requirements and guidance;
ISO 28003:2007, Security management systems for the supply chain - Requirements for bodies providing audit and certification of supply chain security management systems;
ISO 28004:2007, Security management systems for the supply chain - Guidelines for the implementation of ISO 28000.
ISO 28005:200x, Ships and marine technology - Computer applications - Electronic port clearance is being developed as the latest addition to the series.

The ISO 28000 series will facilitate trade and the transport of goods across borders. The standards will increase the ability of organizations in the supply chain to implement mechanisms that address security vulnerabilities at strategic and operational levels, as well as to establish preventive action plans.

Organizations can then continually assess their security measures to protect their business interests and ensure compliance with international regulatory requirements. By encouraging the organizations in their supply chains to implement these standards, countries will be able to make the best use of government resources while maintaining an optimal level of security.

The ISO 28000 series will also assist in implementing governmental and international customs agency security initiatives, including the World Customs Organization's Framework of Standards to Secure and Facilitate Global Trade, the EU Authorized Economic Operators Program, the US Customs Trade Partnership against Terrorism, and the International Maritime Organization's International Ship and Port Facility Security Code.

ISO 28000, ISO 28001, ISO 28003 and ISO 28004 are available from the ANSI Web Store.

Are e-Audits in Your Future?

With the increasing use of electronic media for the operation and control of management systems, auditors need to consider new ways to efficiently and effectively verify conformity to audit criteria.

For multi-site organizations, this could include remote access to electronic documents and records to save travel time and dollars. And, the remote access can be carried out without taking the time of anyone at the remote location.

As a result, some organizations are already conducting remote audits using collaboration tools like MS SharePoint. However, the companies relying on e-Audits to assess remote sites are typically software or services firms with professional staff where the loss of physical observation is less of an impact.

To evaluate how an e-Audit might work, let's examine how a remote audit would examine the four primary types of evidence (DOoRS): Documents, Observations, Records, and Statements:

Documents: With the proper authorization, auditors could review the remote location's electronic documents while planning the audit and also see them during the execution of the audit. However, use of a collaboration tool and/or a teleconference will not allow the auditors to see if any uncontrolled or obsolete documents are in use.

Observations: Since the audit is remote and video cameras will not be available for full viewing of the facility, the auditors will not be able to see if the work is being done per planned arrangements. So, evaluating conformity will be limited to what can be judged through interviews and electronic records. Auditors will not see poor housekeeping at the site or observe body language during interviews.

Records: If an organization creates electronic records and scans hardcopy records into electronic format, these records will be available for remote access by the auditors. However, some companies may have a significant number of completed forms that are kept as hardcopy records. Even if the auditors request some of these hardcopy records be scanned for viewing, the auditors would not be physically selecting the sampled records.

Statements: In a traditional audit, the person being interviewed is typically reluctant to have their responses captured on a recording device. As a result, auditors write an abbreviated version of the comments in their notes. If an auditee wanted to, they could later claim the finding was a case of miscommunication.

With remote audits, the auditor keys the questions into the collaboration tool and the auditee types in the responses. A concern is that a more experienced employee could be coaching the interviewee and the auditor wouldn't know it. Also, with a typed response, you don't hear the tone and inflection of the voice to aid you during the interview.

Although the answers are recorded, they will not become a direct part of the audit report. And, the auditee should be made aware of this fact to alleviate any fear they may have about their responses being captured verbatim.

If a teleconference is being held, the auditor captures the responses in their notes, as with a traditional audit. However, they won't be able to observe the body language during the interview. Even if a video feed is available, what can be gained through observation will be limited.

Auditor Competence
The selected auditors must have the necessary competence to carry out an e-Audit. They will need time allocated to familiarize themselves with the electronic management system and the collaboration tool. The auditors must be given the access instructions and security clearances needed to view the relevant documents and records; that access should be read-only, limited to the scope of the audit, and revoked when the audit ends. And, the auditors must be reminded of the need to protect the confidentiality of the electronic data during and after the audit.

Third Party Audits
What about the use of e-Audits by certification bodies? Will the duration of third-party surveillance audits be reduced by, or in some cases be replaced by, remote audits? Let's look at what the ANAB accrediting body has to say on the subject.

ANAB Advisory 1
The ANSI-ASQ National Accreditation Board (ANAB) has issued an Advisory that states it supports a certification body (CB) applying the Advanced Surveillance and Reassessment Procedures (ASRP) and Computer-Assisted Audit Techniques (CAAT) described in the International Accreditation Forum (IAF) guidance documents.

The Advisory explains that the application of ASRP and/or CAAT will vary for each CB and for each client depending upon the capabilities of the CB and client, therefore, each application must be reviewed and approved by the Accreditation Committee of the Accreditation Council.

1. The CB must document its proposed ASRP or CAAT audit program for the client, consistent with the applicable IAF guidance.

2. The CB must document how the audit program varies because of ASRP or CAAT (i.e., how it varies from an audit program for the same client without ASRP or CAAT).

3. The proposal must be reviewed and accepted by the ANAB executive assessment team leader prior to its submission to an Accreditation Committee of the Accreditation Council.

4. The CB and its client must make a presentation to the Accreditation Committee at a face-to-face meeting or by electronic means, explaining the program and answering any questions.

5. Immediately following the presentation, the CB and its client will be dismissed, and the Accreditation Committee will make its decision, which may or may not include conditions, to accept or reject the ASRP and/or CAAT program for the CB's client.

The decision and any conditions will be promptly communicated to the CB. The ASRP and/or CAAT process must not be used for any industry sector program unless the industry group has specifically stated it may be used for its program.

So, ANAB supports e-Auditing, but certification bodies have a detailed process to follow to gain approval for its use. Let's see what the International Accreditation Forum (IAF) says on the subject.

IAF GD2:2005
According to the IAF guidance document GD2:2005, if remote auditing techniques such as interactive web-based collaboration, web meetings, teleconferences and/or electronic verification of the organization's processes are used to interface with the organization, these activities should be identified in the assessment plan, and may be considered as partially contributing to the total on-site auditor time.

If the certification body (CB) prepares an audit plan for which the remote auditing activities represent more than 30% of the planned on-site auditor time, the CB must justify the audit plan and obtain specific approval from their accreditation body prior to its implementation.

NOTE: On-site auditor time refers to the on-site auditor time allocated for individual sites. Electronic audits of remote sites are considered to be remote audits, even if the electronic audit is physically carried out on the organization's premises. Regardless of the remote auditing techniques used, the organization must be physically visited at least annually.

Audit Practices Group
The ISO 9001 Auditing Practices Group is an informal group of quality management system experts, auditors, and practitioners, drawn from ISO/TC 176 and the International Accreditation Forum (IAF).

The Auditing Practices Group website is an online source of papers and presentations on auditing quality management systems. See their article, "Auditing Electronic-Based Management Systems."

Audits and Cheat Sheets

A "cheat sheet" is a concise set of notes used for quick reference. In the academic world, cheat sheets are so named because they may be used by students without the instructor's knowledge to cheat on a test. However, in some educational settings, where rote memorization is not as important, the use of cheat sheets on exams may be sanctioned and even recommended by the instructor (and therefore not really cheating, despite the name).

In the business world, so called "cheat sheets" are popular in any setting where a quick reference is useful. New employees often make notes on how to perform their job, especially if written instructions aren't available, supplied instructions are incomplete or complex, or the job training was inadequate. These personal job notes may be also referred to as cheat sheets.

On the surface, use of cheat sheets would seem to be helpful and may even be encouraged. However, these job notes may not accurately describe the tasks, may be in conflict with written instructions, or be unapproved by management.

ISO 9001:2000, clause 4.2.3 states that "Documents required by the quality management system shall be controlled." So, if cheat sheets are needed by employees to carry out their activities, these cheat sheets would be viewed as documents that must be controlled.

To control a document means it must be approved prior to use, updated as necessary and re-approved, and identified with the current revision status. Cheat sheets become authorized documents if they are controlled. If not, auditors will write them up as nonconformities.

Employees do not like their cheat sheets being called nonconformities, especially if the corrective action is to just discard the cheat sheets. The existence of cheat sheets may indicate they are needed, so simply removing them might be a mistake.

Instead, find out why some employees need the cheat sheets and take the appropriate action, e.g., improve training, provide mentoring, add the cheat sheets as controlled documents, or include the reference information in existing documents.

Audits correctly spot the use of cheat sheets. Make sure your response supports the employees by providing alternative support.

Class Schedule

ISO 9001:2000
Understanding ISO 9001:2000
Implementing ISO 9001:2000
Quality System Documentation
ISO 9001:2000 Internal Auditor
ISO 9001:2000 Lead Auditor

ISO 14001:2004
Implementing an EMS
ISO 14001:2004 Internal Auditor
ISO 14001:2004 Lead Auditor

ISO/TS 16949:2002
ISO/TS 16949:2002 Internal Auditor
ISO/TS 16949:2002 Lead Auditor
Understanding and Implementing ISO/TS 16949:2002

AS9100B:2004
AS9100 Internal Auditor
Implementing AS9100
AS9100 Lead Auditor

ISO 27001 / ISO 17799
ISO 27001 - Understanding an ISMS
ISO 27001 - ISMS Implementation
ISO 27001 - ISMS Internal Auditor
ISO 27001 - ISMS Lead Auditor

ISO 20000
Understanding ISO 20000
Implementing ISO 20000
ISO 20000 Internal Auditor

ISO 22000
Understanding ISO 22000
ISO 22000 Internal Auditor
Understanding HACCP
Implementing SQF Systems
Advanced HACCP

ISO 13485:2003
Understanding ISO 13485:2003
ISO 13485:2003 Internal Auditor
Implementing ISO 13485:2003
ISO 9001 Lead Auditor - ISO 13485 Emphasis

Capability Maturity Model Integration
Introduction to CMMI v1.2

Six Sigma
Introduction to Statistics
Green Belt Certification
Black Belt Certification

Books
See our list of ISO 9001, Auditing, and Six Sigma books. Includes book descriptions and links to Amazon.

© 2000-2007 Whittington & Associates, LLC
