Ten Tips for Selecting and Using a Consultant – 8. Know how to audit an undocumented process

You may have heard that ISO 9001:2000 specifically requires only six procedures. Those required procedures by clause are:

4.2.3 – Control of Documents
4.2.4 – Control of Records
8.2.2 – Internal Audit
8.3 – Control of Nonconforming Product
8.5.2 – Corrective Action
8.5.3 – Preventive Action

ISO 9001:2000 clause 4.2.1.d states that other documents needed for effective process planning, operation, and control must also be included. Therefore, organizations should only develop the level of documentation they need based on the process complexity, personnel competence, and organization size.

This means some processes may be defined and not documented. Auditors accustomed to relying upon a written procedure to use as the audit criteria may feel lost without them. However, ISO 9001 has never required every task to be documented. There have always been cases where an organization could depend on the training, skills, and experience of the persons carrying out a defined process instead of having it written in a document.

With the requirement for fewer documented procedures, auditors will have to improve upon their interviewing techniques to understand and take notes on the defined process. Ask the manager of the area if any documents exist to guide the people in their assigned activities. If not, ask the manager to explain the process. Confirm your understanding and use the manager’s defined process as the audit criteria.

Auditors should always substantiate the evidence before making conformity judgements. This is especially important with an undocumented process. Review how the process is planned, people are trained, practices are deployed, conditions are controlled, results are achieved, records are maintained, and the process is improved.