
How different will be CB audits against ISO 9001:2015?

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Sidney Vianna, Aug 26, 2015.

  1. Sidney Vianna

    Sidney Vianna Well-Known Member

    Certification Bodies will be assessed by Accreditation Bodies, before they are accredited to issue certificates to the 5th Edition of ISO 9001.

    What are Accreditation Bodies telling Certification Bodies about the nuances and difference of approach when their audit teams assess registrants' QMS's to the new revision?

    ISO and the IAF developed another paper titled Good Practices for AB’s and CAB’s in the Transition to ISO 9001:2015.

    People on the receiving end of the audits might gain an insight on what CB's are being told by AB's on this subject. The paper is available @ http://tinyurl.com/nm372uq.
     
  2. MCW8888

    MCW8888 Well-Known Member

    Thank you for the insight, Sidney.
     
  3. Somashekar

    Somashekar Well-Known Member

    Ability to audit the application of risk based thinking by the certified client.
    Ability to verify the identified risks and opportunities, as well as actions to mitigate risks;
    Ability to analyze whether a management system reflects the “context of the organization”;
    What typical questioning can be here as a part of the new training to build these abilities ... ?
    This will also be very much needed in the internal auditing.
     
  4. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    CB auditors will need to apply some imagination in order to recognize RBT as the client organization practices it, and resist the urge to see a documented procedure and/or FMEA for everything. I am happy to see SWOT in the guidance document.

    The fact is, I have seen these principles in templates and training materials for Business Plan for many years. It isn't new. It is just finally accepted as a valid approach to organizational definition. If auditors can learn to use terms MBAs understand (like Business Plan) instead of the standard's terms, I think we will have more success and better efficiency in the audit process.

    I agree this will be critically needed by internal auditors, it really "ups their game" so to speak.
     
    GStough likes this.
  5. Sidney Vianna

    Sidney Vianna Well-Known Member

    Unfortunately, as many of us know, internal auditors are, in many cases, poorly selected and developed, leading to totally ineffective internal audit results. The new revision of the ISO 9001 standard will just make life even harder for those internal auditors who are not properly made competent for the function, as it injects more subjectivity and less prescriptiveness.

    As always, CB auditors should also keep the internal auditing process expectation of being effective as part of their assessment. In my experience, CB auditors shy away from reporting findings (including nonconformities) for the internal audit process, including questions about the competence of internal auditors.
     
    Last edited: Aug 28, 2015
    GStough and Andy Nichols like this.
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    They do, Sidney - often because they have no expectations (read experience) of doing them any differently! We all went to Lead Auditor course and drank the Kool-Aid. Sadly, until the training oversight grasp that there are fundamental differences and only superficial likenesses, things won't change, as you correctly state.
     
    GStough likes this.
  7. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Regarding competence of internal auditors: I am not sure how I would write that up based on a review of documents. I can certainly question why they have not seen the things I do, and often do. I save that process for the last day in order to give myself the ability to objectively compare/contrast the results from their 1st party audits and my 3rd party audit. Have you written nonconformances on internal auditor competency? If so, what evidence did you list?
     
  8. Sidney Vianna

    Sidney Vianna Well-Known Member

    Based on interviews with internal auditors after looking at records and notes of internal audits where clearly the person had stumbled on blatant nonconformities, and, for some reason, decided to report the finding as observations. In other words, the internal auditor was soft grading the findings.

    During the interview it was clear the individual had not been made competent for the function.

    Further, for QMS's certified under an ASRP PROGRAM, the CB auditor should actually witness an internal audit being performed. In those cases, if an internal auditor is not competent, it becomes easily visible, as the internal auditor has to perform while being assessed.
     
    MCW8888 likes this.
  9. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Oh, okay. I haven't had the opportunity to interview many internal auditors. I have, however, noticed very little nuance in internal audit procedures. Most don't define the difference between NCs and OFIs with adequate clarity for me to decide it was a problem of competency. Internal auditors almost always have to witness and/or demonstrate before being sent out on their own, but competency is determined by the process owner (usually the Quality/Safety/Environmental Manager) who themselves often fall short of competencies I'd like to see. In addition, there are cases where the reports do not get a review by the Manager for the purpose of approving/agreeing with the findings.

    To put it more simply, I find it's weakness in process more often than auditor competency.
     
  10. Andy Nichols

    Andy Nichols Moderator Staff Member

    Tough to do, if they only do one or two internal audits a year...:rolleyes:
     
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    I'd suggest it's nothing to do with auditor competency. It's all to do with a grading system being installed when it's totally inappropriate to do so! Also, competency is often defined by passing some class or similar. If internal audits are only done by people who are from another department, once or twice a year, they'll never learn to be competent and then they'll be ambushed by a grading system which is nothing to do with internal audits...o_O
     
  12. MCW8888

    MCW8888 Well-Known Member

    There's a bit more creativity when the auditor is only subcontracted by a CB. Thanks Sidney.
     
  13. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Is there a problem with having a grading system such as major, minor and OFI? (I wouldn't have called it a grading system, but I've always recognized that not all issues are of the same severity or urgency.)

    I'm on board with your views of the part-time collateral duty auditor. Their poor performance could be incompetence, lack of practice, poor instructions and/or poor training, or time constraints. This is why my last corporate employer did away with the model and hired me to audit internally full time. The decision (and, I would like to think their hiring choice) worked out well. We had major/minor/OFI and that worked out well too. It was also clearly defined. My paper on Risk Based Auditing came from that.
     
  14. Andy Nichols

    Andy Nichols Moderator Staff Member

    Yes, there is, Jennifer. I'd suggest that it has absolutely no place in internal audits for multiple reasons, not least of which is that giving a non-conformity a "grade" feeds a game in many people's minds to mitigate the message of "big" problems. There are (many) other reasons NOT to give a grade.

    I'd also suggest that your example is a significant outlier. They got lucky. You are the process owner and they look to you to guide them in all things audit. You work the system and they accept it. I doubt it would work for (very many) others.
     
    Pancho likes this.
  15. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    I feel like I just got complimented - if that is the case, thank you - but I would like to think I am not so special that other organizations can't also raise their game and stop viewing all issues in yes/no terms. It would require more status for the internal audit program than we're used to seeing, but I sometimes do see it in my clients.

    I suggest the same rules we adhere to as CB auditors can apply for "elevating" a NC to Major: direct repeats and immediate threats to customer receiving good product/personnel safety/environmental integrity can and should be recognized. Without this or another appropriate approach, how should the internal audit process demonstrate RBT for ISO 9001:2015?

    I'd like to add that I was not the process owner. I had a boss with whom audit results were reviewed, and sometimes edited before issuing. I left the organization a couple of years after this boss retired and was replaced by (instead of me) someone with zero education and experience in QA. :rolleyes:
     
  16. Andy Nichols

    Andy Nichols Moderator Staff Member

    You were, Jennifer! So, a couple of things occur to me: YOU were the process owner. Your boss wasn't. The fact that they edited stuff also concerns me, too.

    To answer your question about RBT, firstly, it was already in the requirements, carefully disguised as "status and importance" and was, firstly and foremostly a scheduling issue. This is where the vast majority of internal audit programmes fall flat on their faces. It's actually only in small part, due to the finding and reporting of internal audits, using risk as a consideration. I know I probably turn your world upside down, but risk and internal auditing starts not with a calendar or audits over a year, (what I refer to in my book as a "push" system), but by sitting down with management and looking at their viewpoint on risks and then doing a "rifleshot" audit of the process(es) etc which are related. This is a "pull" system of audit planning.
     
    Jennifer Kirley likes this.
  17. MCW8888

    MCW8888 Well-Known Member

    I agree with you. Even if our Internal Auditors have training on TS16949, their Internal Audit reports did not reflect the TS standards. The findings are very soft.
     
  18. Andy Nichols

    Andy Nichols Moderator Staff Member

    Training in a standard doesn't a) make people competent or b) make them better auditors. If they've got "soft" (whatever THAT is) findings, then you have to diagnose why. A new standard isn't going to make any difference to those internal auditors.
     
  19. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Thank you. :)

    I'm with you on the scheduling thing, which is something hardly anyone has been grasping. I had a client recently whose audits were being done by corporate on what has now become a once-in-three-year visit. It didn't take long to confirm that wasn't enough... I do have some clients that work hard at internal audit program effectiveness. Not enough though - I think that largely comes down to upper management support for the function.

    But should outcomes really be black and white only? What about repeats? When finding a repeat our process response was to call it a Major and elevate its ownership to the next higher management level. Is that not a worthwhile approach?

    I should add that NC owners didn't do any editing, but my boss and I would caucus on audit results and make minor changes at times. Yes I had near complete autonomy but also his backing as he knew what was going on through our meetings.
     
  20. MCW8888

    MCW8888 Well-Known Member

    Andy, I am part of the organization, so I sometimes lean towards the softness of my audit reports. I was told that if I want to see the end of my career with the organization, I can be as hard as I can when quoting the findings.
     
    Jennifer Kirley likes this.