
Evidence, Level of Detail and Auditing Large Companies

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by jenks, Jul 19, 2016.

  1. jenks

    jenks Member

    I'm completely new to the ISO 9001 world, and having a hard time wrapping my head around how to approach things for our company. I think understanding how auditing large companies and the evidence requirements and level of detail of the evidence will help me figure things out.

    So let's say we have a large company with 100 locations, but very compact in that it only provides 3 key services in the IT consulting realm. Each of those locations may or may not provide all 3 of the services. Also, even though our services are the same across the locations, the deliverables and 'evidence' of the service could change based on the clients. This compared to a product seems to be more ambiguous and hard to nail down the right level of detail.

    In a very 10,000ft description, how would we be audited? I can't imagine you'd have to visit every location and get evidence of certain artifacts for each service at each location. Is there some sort of sampling rule that is used?

    Thanks in advance!
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Welcome! I think you're approaching this from the wrong end/perspective. You don't design product from the perspective of the chief QC inspector. You design to suit the user, taking into consideration, maybe, QC. If, as you say, you're having trouble "nailing down" deliverables, then your organization isn't in control of its processes and your "audit approach" to this will further confuse matters.

    I would say you need to go back to basics with your leadership and ask them what they wish to achieve - not just ISO certification - but as a business.

    The answer to the CB process (which appears to be what you're asking) is that yes, there is a sampling methodology which can be applied, based on certain "rules" being applied.
     
  3. Glenn0004

    Glenn0004 Member

    We have a head office and 30 regional offices. The head office is sales order processing, customer service and supply chain. The 30 regional offices are hot desk locations for sales and service. At the start of a 3 year cycle our CB identified a sample of the 30 regional offices to be visited per year (external audit), to the effect that over the 3 year cycle a sample of sales and service process has been taken from all areas of the UK as well as visiting the head office functions each year. Internally, critical functions (head office) have a default audit cycle of every 12 months while the 30 regional offices are defaulted to an 18 months cycle; the default audit cycle is then reduced or extended dependent upon the audit results. This works for us and the CB.
     
  4. jenks

    jenks Member

    Thanks for the information. Sorry, I've been out of pocket for the last week.

    Glenn, thanks. So if I understand correctly, if we're auditing locations internally on a regular recurring basis and can show proof of that, they will be satisfied with that and perform their official audit based on some smaller sample of locations / services.

    Andy, I agree that no company should base their service / product from the auditor's perspective. But if a company already has a service / product, already made for the customer / user, and then wants to become ISO compliant, would we not try and understand what exactly ISO 9001 is asking us to do? For me understanding what the auditor is looking for will help me understand what ISO is asking us to do.

    I don't quite get some of the clauses for example: 8.3 "Design and development of products and services" what does that mean for a company that's already designed their product or service? Does it mean we still create a process for *new* services even if we don't really have plans for any? Or do we go back and show how we designed and developed our current service?
     
  5. Andy Nichols

    Andy Nichols Moderator Staff Member

    Here's a thought for you: "Which auditor do you mean?" There's the fictitious auditor everyone wants to do their audit - the one with the "down the middle" interpretations of ISO, and then there's reality - they are All Over The Map. Find a really experienced consultant who knows their stuff - from an actual design/implementation point of view and use their skills to answer these questions.
     
  6. tony s

    tony s Well-Known Member

    I always believe that ISO tells us WHAT to do but does not tell HOW we must do it. Since this will result in organizations satisfying the requirements with different approaches, the auditor's job is to understand and evaluate the organization's approach in satisfying the intentions of the standard. It is not the job of the auditor to tell how an organization will run its processes.

    Since you have a process for designing your products/services for your customers, you only need to make sure that the relevant requirements under clause 8.3 are being fulfilled. For example, with my limited knowledge on IT services, evidences that can be established for some 8.3 clauses can be presented during an external audit:
    • 8.3.2b - a Gantt chart, timing chart or schedule of activities for developing a new system can be established; evidence of review for each activity should be retained (e.g. minutes of meeting, electronic communication, identified issues or changes, etc.);
    • 8.3.2c, 8.3.4, 8.3.5 - a beta version of a new software solution, or a new IT policy, or procedure as an output of your development activities should undergo tests, trial run, verification or review; records on verification activities should be maintained;
    • 8.3.2d - who are assigned in developing your new IT solutions should be identified on records;
    • 8.3.2e, 8.3.3 - you may need to keep records of the necessary inputs in developing your new IT solution; a simple list of requirements and the equivalent measures that should be factored into your new IT solution can be presented;
    • 8.3.2f, 8.3.2g - usually your designers need to meet with your people assigned on site, your subcon (if there's any), and the customer's end users to ensure that the users' needs and expectations are addressed; records of such interactions should be maintained;
    • 8.3.6 - any deviation from the originally established specifications should undergo review and approval by relevant persons; any risks that will be introduced due to the changes should be appropriately addressed - keep records of these changes.
    These are some that come to my mind. I'd assume that you can easily identify the things that your organization has been doing when developing a new IT solution since you're more knowledgeable in your products and services.
     
  7. jenks

    jenks Member

    Thanks guys, definitely good to get some overarching insight.

    Tony you're right, I definitely have ideas for how we're covering these sections but was always worried that it's not covered 'good enough'. I'm definitely finding that your first statement is very crucial in my understanding of ISO "...ISO tells us WHAT to do but does not tell HOW we must do it"