1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

How to Audit using "Process Approach" when not everything's a process?

Discussion in 'ISO 19011 - Auditing Management Systems Guidelines' started by Andy Nichols, Jan 8, 2021.

  1. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I'm preparing to do an internal audit and I'm struggling with how to ensure all the requirements of, say clause 5 are adequately addressed and how to apply the "process approach" when auditing. The Leadership requirements don't mention "inputs", "outputs" or "controls" etc. So, how can clause 5 be audited, using the (fabled) process approach. I'm "all ears"...
     
  2. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    Great topic @Andy Nichols
    I also am interested to see what other here on QFO have to say.

    1- When I am heading in to perform an internal audit, I always ask the organization for their "determined processes and their sequence and interaction". Fortunately this is often in the form of a process map.
    2- To your point, often there are "processes" listed on their process map, which, of themselves, don't necessarily identify a process as intended by the standard. For example, I recently audited an organization which had a process map on which the "safety" was listed. I simply audited this to the requirements of the applicable standard which TOUCHED on safety (e.g. although not overtly, IATF 16949 does indeed make reference to environmental conditions of and for operator safety awareness), and then reviewed their own internal claims specific to safety.

    To emphasize your point and the LEVEL at which this topic is not well understood, allow me to give you an egregious example that I came across recently. I had a client who was struggling providing their pre-audit information (IATF 16949- rules 5th edition, 6.5.1). The CB had sent them a form to completed, on which was listed the 22 required "documented processes" identified in IATF 16949 and asked the organization to provide "inputs outputs and goals for each" .

    The CB was treating the required documented processes within IATF as the processes which the organization is required to "determine...".
    Imagine the organization's consternation over how to reply with "inputs-outputs-and goals" specific to "Engineering Specification (7.5.3.2.2)".

    If the CB,s do not understand and know how to apply this, well then.....

    Hope this helps.

    Be well.
     
    RoxaneB and Andy Nichols like this.
  3. Miner

    Miner Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    576
    Likes Received:
    492
    Trophy Points:
    62
    Location:
    Greater Milwaukee USA
    Look at it from an input/output perspective. There are a lot of individual processes rather than an overall process. For example, identifying and addressing risks is one process while Communicate importance is a different process. What inputs must leadership do (e.g., Communicate importance, determine and address risks, etc,). What outputs can be measured (e.g., quality policy, objectives, process improvements, risks mitigated, etc.)?
     
    RoxaneB likes this.
  4. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I'm not sure it is, TBH. I'd suggest that identifying risks is a component of a number of processes.

    To throw another wrench into the mechanism, the "process approach" isn't a requirement of auditing, per se, either...;)
     
    pkfraser likes this.
  5. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    It's a matter of perspective. From one angle, "identifying risks" is a process that has multiple touch-points throughout an organization...from another perspective, multiple processes throughout an organization can have a common touch-point of identifying risks.
     
    Miner likes this.
  6. pkfraser

    pkfraser Active Member

    Joined:
    Aug 1, 2015
    Messages:
    93
    Likes Received:
    61
    Trophy Points:
    17
    Location:
    Aberdeen Scotland
    Roxanne
    Agreed, but I am not sure that the people who wrote 9001 realise this. They seem to want "a process" for this, but I am not sure that they recognise that the process is made up of tasks within a number of other processes (maybe they do, but I am not convinced...) The key to this is that any task may be part of more than one process. Same for "Communication", which is definitely part of a number of processes rather than one discrete process.
     
    Andy Nichols likes this.
  7. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    Oh, so ISO is now going to tell us how to structure our organizations? :cool:

    My background includes an organization where we had a basket weave of processes. We could, for a simple example, look at the process of manufacturing a steel billet to include everything identifying/communicating customer requirements, the tactical process of adding in the ingredients, and the process of pouring and shaping. We could also look at the process of identifying/communicating customer requirements to touch up the process of manufacturing a steel billet, rolling the correct shape at the correct time, shipping the correct product, ordering components for maintenance and stores, etc.

    I could also look at the process of manufacturing a steel billet and how they conform to the requirements for document control - OR - I can follow the document control process as it touches multiple departments - OR - I can do both (I usually took this option).

    I will not conform my organization to meet ISO requirements or make the auditors comfortable - I will, however, integrate the standard into our organization and if the auditors don't "get" it, I'll challenge them to show me where my interpretation is incorrect.

    PS - Please, Roxane with just one 'n'.
     
  8. pkfraser

    pkfraser Active Member

    Joined:
    Aug 1, 2015
    Messages:
    93
    Likes Received:
    61
    Trophy Points:
    17
    Location:
    Aberdeen Scotland
    Roxane - apologies! Unfortunately, I suspect that there aren't too many managers out there who think as sensibly as you do...
     
    RoxaneB likes this.
  9. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Clause 5, IMHO, is not structured as a process like some of the other clauses (e.g. 9.2, 9.3, 10.2). But you can audit the requirements of clause 5 from the various processes of the organization. There's no standard approach in auditing thru a "process approach". Depending on the auditor's understanding of the process approach, an auditor might employ a turtle diagram, Andy's football, PDCA, or just use the requirements within clause 4.4.1 as guidance. The auditor can combine these approaches and incorporate the requirements of clause 5 in auditing the organization's processes.

    So if I will audit a specific process, let's say: "Equipment Maintenance". I will need to check whether:

    PLAN:
    • maintenance personnel are aware of the outputs expected from their process (4.4.1a);
    • the outputs expected are relevant to the requirements of the interested parties (4.2);
    • indicators to determine whether the outputs are being achieved are established (4.4.1c);
    • objectives are set that are relevant to the requirements (6.2.1c, 4.2);
    • objectives are aligned with the quality policy and support the strategic direction of the organization (6.2.1a, 5.1.1b, 5.2.1);
    • risks and opportunities, including actions to address them are identified (4.4.1f, 6.1, 5.1.1d, 5.1.2b);
    • etc.
    DO:
    • activities and resources are in place to support the achievement of the objectives (4.4.1d, 6.2.2, 5.1.1e);
    • controls are incorporated and implemented to address risks/opportunities (4.4.1f, 8.1, 5.1.1d, 5.1.2b);
    • documented information are maintained and retained to support the operation (4.4.2, 7.5);
    • personnel are aware of their roles, responsibilities, impact to the organization, including quality objectives and quality policy (4.4.1e, 7.3, 6.2.1f, 5.3, 5.2.2, 5.1.1f);
    • controls are in place when nonconforming outputs (e.g. back job) are produced (8.7, 7.3d);
    • etc.
    CHECK:
    • performance in ensuring achievement of the expected outputs and the set objectives are being monitored (4.4.1c, 6.2.1e, 9.1.1, 5.1.1g);
    • actions to address risks and opportunities are evaluated for effectiveness (4.4.1f, 9.1.3e, 9.3.2e, 5.1.1d, 5.1.2b);
    • etc.
    ACT:
    • actions to address non-achievement of the objectives were taken (4.4.1g, 10.1c, 5.1.1g);
    • nonconformities, if there's any, are acted upon (4.4.1g, 10.2)
    • opportunities for improvement were identified and implemented (4.4.1h, 10.3, 5.1.1i);
    • etc.