Bsi bip 2015 2009

They had senior managemen non-exe ut ive and exe ut ive direct or who were very ex erienc d... At the same ti me the clock also started ti ck ing for aud i tor s to be ome competent to a

for ISO 9001:2008

Und e rsta nd in I SO 9 01:20 8 a nd Pr ce ss ba se d Ma na g e me nt S s e ms

Cre a tin a Pr ce ss ba se d Ma na g e me nt S s e m fo I SO 9 01:20 8 a nd be yon

for ISO 9001:2008

Rob Pe d d le a nd Ia n Rosa m

(The Hig h Pe rforma nce Org a nisa tion Gr up Ltd )

Proc s Management Au it ing for ISO 9 01:2 0

This se ond edit ion p blshed in t he UK in 2 0

b

BSI

38 Chiswick High R oad

Lond n W4 4AL

© Brit ish St andards Inst it ut ion 2 0

Fir t edit ion p bl shed b BSI in 2 03

ISBN 9 8 0 58 6 658 1

BSI referenc : BIP 2 1

A c t alo ue record for t his b ok is avai able from t he Brit ish L ibrary

Co yr i g h t su si sts i n al l BSI p bl i ca ti on s Ex ce pt a s pe r mi tted un d er th e

Co yr i g h t, Desi g n s an d Pate n ts Act 19 8 n o e x tr act ma y be reprod uc d , store d

i n a re tr i e v a l syste m or tr a n smi tted i n a n y for m or b an y me an s – el ectron i c,

ph otoco yi n g , re cord i n g or oth e r w i se – w i th out pr i or w r i tte n per mi ssi on fom BSI

Ifpe r mi ssi on i s g r an te d , th e ter ms ma y i n cl ud e roya l ty pa yme n ts or a l i ce n si n g

ag re eme n t De tai l s an d ad vi ce ca n be o tai n e d fom th e Co yr i g h t Ma n ag e r, Br i ti sh

Sta n d ard s In sti tuti on , 38 Ch i sw i ck Hi g h Road , Lon d on W 4 4AL

Great c re has be n t aken t o ensure a cura y in t he compiat ion and preparat ion

of t his p blc t ion Howev er, sinc it is int ended as a g ide and not a def it ive

st at emen t he aut hor and BSI c n ot in any circumst anc s a c pt resp nsibi t y

for t he result s of any a t ion t aken on t he basis of t he informat ion cont ained

in t he p blc t ion nor for any error or omis ions This d es not afe t y our

st at ut ory right s

Ty peset b Monolt h – www.monolt h.uk.com

For eword: The auditing world has chang ed –

The changes t o ISO 9 01:2 0 now cont ained in ISO 9 01:2 0 are relat ively

minor in nat ure, b t t hey have reinforc d proc s management as a st rat egic

ap roa h t o t he management of organiz t ions, b t h big and smal Howev er,

major ev ent s t hat hap ened as t he 2 0 ver ion was being p blshed, for

example, t he f ancial melt down, have reinforc d some key mes ages from

ISO 9 01 They hav e highlght ed t he faiure oft radit ional complanc based

au it i g t ech iq ues t o iden fy t he risks being t aken wit hin management

sy st ems and individ al proc s es These t ech iq ues were not t he only fai ures,

b t t hey cont rib t ed signifc n y t o t he o eral o t come, t he conseq uenc of

which has be n a bi for $ ,0 0,0 0,0 0,0 0 of aid p mped int o t he e onomy

b t he main G2 g vernment s d ring lat e 2 0 and 2 0 In t erms ofcorrect ive

a t ion t hat is some cost !

Of co r e, just lke t hird par t y regist rat ion organiz t ions, t he large

companies t hat fai ed had employ ed compet ent and k owled e ble peo le t o

c r y o t t he audit s, t o rep r t f dings t o t he highest level, and who had t he

ba king of peo le t hat co nt ed They had senior managemen non-exe ut ive

and exe ut ive direct or who were very ex erienc d So what went wrong? Why

was it t hat alt ho gh t he au it s were being c r ied o t , t hey didn’t highlght t he

risks t hat peo le were t aking and get t he mes age t o t hose who ne ded t o k ow

t o alow t hem t o d somet hing ab ut it ?

In shor t , t he audit or were primariy focused on complanc and alt ho gh

sy st ems and proc s es compled, it did not make t hem efe t ive I was t heir

level of efe t iv enes t hat faied It ’s t he level ofefe t ivenes t hat we se and

ex erienc and t hat prod c s t he o t comes from what organiz t ions are d ing

have on t he world around t hem, and t heir au it i g sho ld help t hem manage

t he risks surrounding t his

So what d es t his me n for us as au it or ? For one t hing, it me ns

t hat we c n ot just rely on complanc and t he che king ofrecords More

imp r t an y, we have t o under t and how peo le work t oget her t o delver t hese

o t comes, t heir behavio r and t he cult ure, as it is peo le who creat e risk not

paper and comp t er B t how d we au it behavio r and aren’t we alread

d ing t his One of t he key fala ies wit h t he au it ing ind st ry is t he number

of organiz t ions and au it or t hat promot e t hemselv es and bel ev e t hat t hey

are alread as es ing efe t ivenes – t heir market ing mat erial is ful of it In

realt y t his oft en only amo nt s t o g o complanc au it ing rat her t han a real

as es ment of efe t ivenes This is despit e t he best int en ons of t he audit or

conc rned and an ind st ry t ry ing t o mo e bey ond complanc I is not t heir

fault I is t he au it ing proc s t hat has be n folowed for so many y ear t hat has

faied and so far very few hav e realy ad res ed t his problem, b t t ried t o base

new met ho s on what has l mit at ions – complanc au it i g

I is against t his ba kground t hat t his b ok has be n u dat ed I has be n

writ t en t o help au it or ad pt so nd au it ing pra t ic s t hat work and t o help

t hem au it efe t ivenes as wel as complanc Au it ing behavio r and cult ure,

which is ult imat ely where we beleve au it ing wi end u , req uires adv anc d

au it ing ski s t hat are o t side t he sco e of t his b ok This b ok wi , however,

creat e t he groundwork for t hem, as t he principles co ered here are t he basis of

t hese more ad anc d t ech iq ues If y ou fe l y ou wo ld lke t o k ow how t o

au it behav io r t hen ple se emai t he aut hor who c n provide c se st udies and

examples of organiz t ions t hat are alread ad pt ing t he ap roa h at :

Ian.rosam@t he-hp com

R ob.ped le@t he-hp com

Introd ction 1

• e int rod c t he chalenge t hat au it or fa e t o dev elo t he

compet enc s req uired t o efe t ively au it against t he new

ISO 9 01:2 0 St andard and t he ever increasing demands of

b sines for au it ing a t ivit y t o ad more value We examine t he

o p r t unit ies avaiable for t he forward t hin ing au it or

• A q uick ov erview of t he proc s ap roa h t o ensur t hat we

hav e a common under t anding of t he basic t erminolo y before

develo ing o r au it ing ski s, k owled e and compet enc s

2 The r eq ir ements of ISO 9 01:2 0 – An au itor’s per pe tive 9

• The eight key pr inciples of ISO 9 01:2 0 and the an, d ,

che k, a t met ho olo y are t he basic tech iques that form t he

fo ndation of t he efe tiv e au itor A cle r under t anding ofthese

and how they c n be ap led to a b sines wi help the au itor

st r uct ure their audit ing ap roa h b th at sy stem and proc s lev el

• The primary role of a proc s management au it or t o disco er

t o what ext ent t he proc s is being managed and what efe t

t his has on t he a hievement ofb sines o je t ives Before we

c n under t ake any proc s management au it we must fr t

ap reciat e how a management sy st em works and t he int era t ions

vi i

• it h t he fundament als t hat make a management sy st em

under t oo , we now t urn o r at t en on t o t he det ai of how y ou

sho ld a t ualy cond ct an au it st ar t ing wit h t he t ools and

t ech iq ues t hat c n be employ ed

• Au it ing is 8 per c nt preparationand 2 per c nt a t ual

au it ing, which so nds lk e a bit of an old wiv es’ t ale un l y ou

a tual y c r y o t an au it and then y ou re lz just how t rue it is!

6 Car ying out a proc s au it – Compl anc vs efe tivenes 3

• St ar t ing wit h t he managing direct orwi help p t t he proc s and

sy st em int o t he cont ext of t he b sines t hat y ou are au it i g

Onc t his oft en daun ng st ep is complet ed it wi fe d t he

au it ing of t he proc s ’ owner and t eams in order t o as es

t he efe t ivenes of t he management sy st em in relat ion t o t he

b sines o je t ives

7 Identifying an r eporting fn ing s – Mo ing bey n compl anc 4

• hat are t he o je t iv es of ur au itrep r t ? A st raight forward

eno gh q uest ion, b t how many au it or a t ualy ask t hemselves

t his before t hey writ e and present t heir rep r t ?

• The aud i tor ’s rol e i s not to i d enti fy w i mprov ements sho l d

tak e pl ac or w hat the org ani zati on sho l d d o I i s to prov i d e

i nfor mati on to manag ement on are s of r i sk or w here o p rtuni ti es

for i mprov ement ex i st w i th an ex pl anati on that o tl i nes the

p tenti al i mpa t on the org ani zati on i f these are ad d res ed

• Au it i g is a ski and lke any ot herski ne ds pra t ic t o hone

it I inv lves an abi t y t o evaluat e or le rn from t he ex erienc ,

su seq uen y changing t he au it ing st y le or ap roa h t o ad

more value t o t he a t ivit y

• In t his b ok we co er t he basic principles of au it ing, and t hese

ne d t ime and pra t ic t o be efe t ive for t he reader t o t ruly

under t and t he principles inv olved In ot her words reading t he

b ok wit ho t t he pra t ic wi not b id compet enc We o t line

way s in which audit or c n fur t her b id t heir compet enc in

order t o ad more value t o organiz t ions

• This ap endix se ks t o provide some example q uest ions based

on t he ap roa hes used The examples are grou ed b t he

relevant ISO 9 01:2 0 clause for e se of referenc , t oget her wit h

q uest ions t hat co ld be asked t o demonst rat e complanc along

wit h t hose t hat se k t o t est efe t iv enes

2 0 saw the rel ease of the new ISO 9 01:2 0 Standard and started the cl ock

ti ck ing for org aniz tions alre d y reg i stered to its 2 0 pred ec s or to mak e the

tr ansi ti on to the new Stand ard At the same ti me the clock also started ti ck ing for

aud i tor s to be ome competent to au i t ag ainst this new Stand ard Al tho g h only a

relativ el y mi nor chang e fom the 2 0 v er si on, the fa t i s that many org aniz ti ons

an aud itor s hav e not ful l y i mpl emented the i ntenti on ofthe 2 0 v er sion This

new u d ate therefore all ow s thi s to be rev i ew ed, an any shortcomi ng s to be

add res ed w itho t the ne d to al so ad d res other si g nifc nt chang es

There was a mixed resp nse t o t he is ue of ISO 9 01:2 0 from b t h

b sines es and au it or al ke B sines es welcomed t he new ver ion of t he

St andard and as a result q uest ioned t he role int ernal and ext ernal au it or

sho ld play The u dat e emphasiz d t he ne d for more ad ed v alue t o t he

servic au it or generaly provide Audit or on t he ot her hand also welcomed

t he new St andard b t unfor t unat ely many have not not ic ably changed t heir

ap roa h t o t he au it s t hey cond ct The 2 0 ver ion ad s more pres ure on

t hem t o d so

The result of t his diferenc bet we n ex e t at ion and pra t ic is a vir t ual

st and-of bet we n au it or and b sines t hat has left peo le fe lng confused

and in many c ses ext remely fust rat ed

This b ok is aimed at peo le who wish t o cut t hrough t his confusion

and gain a bet t er under t anding of t he o eral ap roa h req uired for proc s

This b ok at t empt s t o ex lain:

• what b sines sho ld ex e t from au it or ;

• what au it or sho ld ex e t from b sines ;

• t he a t ual role of an audit or in t oday ’s proc s driven b sines env ironmen

and

• t he key compet enc s req uired t o au it proc s management

For t hose who fuly ad pt ed t he ne d t o au it b t h complanc and

efe t iv enes , and t he rep r t ing of b sines risk as a result of it , t his b ok wi

ho efuly give t hem some ad it ional t ips For t hose who have not , t his wi l be

t he st ar t of a le rning ex erienc t hat sho ld make t hem a much more v aluable

reso rc t o t heir organiz t ions I wi also help t hem t o se ure t heir own fut ure

as a valuable reso rc t o su p r t t he efe t iv e delvery of b sines g als

So from what has be n said so far, y ou c n alread se t hat t he relat ionship

bet we n au it or and b sines must real y be se n as a par t ner hip, if t he t rue

value t o t he b sines is t o be realz d When t his relat ionship is working

efe t ively t here is t he p t en al for t he ‘audit or– busines ’ relat ionship t o be ome

a p wer ful t ool t o drive t he b sines t owards t he a hievement of it s o je t ives

I sho ld not be ab ut t he au it or t el ng t he b sines what it alread k ows

The t wo key fa t or for t his win– win par t ner hip t o suc e d are:

• a compet ent audit or; and

• st rong b sines le der hip wi ing t o le rn and t o improve t he organiz t ion

Ifeither of these tw o fa tor s are mis i ng then the v alue of au iting to the b sines

is signifc n y red c d ( e Fig ure I.1)

ISO 9 01:2 0 and henc ISO 9 01:2 0 hav e r adi cal ly chang ed, the impli cati ons

ofw hi ch hav e had si g nifc nt i mpa t on b si nes es an aud i tor s al ik e

The fundament al shift t owards proc s management and away from

proc d ral complanc req uires a complet ely diferent ap roa h when it comes

t o au it ing I also req uires a signifc nt change in t he as ociat ed compet enc s of

an audit or if t hey are t o au it proc s management efe t iv ely

B sines es ne d t o under t and t he imp r t anc ISO 9 01:2 0 pla es on

set t ing, key proc s iden fc t ion, al oc t ion of proc s owner hip, per formanc

monit oring and improvement

Aud i tor s hav e to un d er stan h ow a b si nes o er ates and , i f they are to

be efe ti v e as aud i tor s i n thi s ‘n ew w or l d ’, how to g ather i nfor mati on ab ut the

org ani zati on’s efe ti v en es an d how th ei r fn d i ng s ne d to be rep rted to ad d v al ue

to the b si nes Often th e fai l ure of aud i tor s to und er stan thi s basi c requi rement

i s th e pr i me re son w h y th ey c n fai l to me t ex pe tati on s ( e Fi g ure I.1)

The chalenge for audit or t o under t and how b sines es o erat e and how

t hey, as au it or , c n ad value, is one t hat au it or must rise t o if t hey are t o

con nue t o su p r t b sines es efe t iv ely Many wi have t o set aside old values

and belef ab ut au it ing complanc based sy st ems, change t he way t hey lo k

and view o je t ive evidenc and lo k t o le rn new ski s in order t o be ome

compet ent proc s management au it or

1 Put ing the process approach into context

This b ok wi l not mak e any att empt t o describe in det ai proc s -based

management sy st ems as ot her b oks within t his series co er this in more dept h

t han we co ld ho e or want t o d here However, a quick ov erv iew is ap ro riat e

t o ensure that we hav e a common under tanding of t he basic t erminolo y

What is a manag ement system?

A d ef ed fra mework o ke b sines pr ces es workin togethe to a chie e

the sta ted b sines objectiv s, a nd custome a nd othe sta kehold er ne d s

The example in Fig re 1.1 is t aken from a real organiz t ion and describes, at a

high lev el, t he proc s es t hat g t o make u it s o eral b sines management

sy st em I is per t inent t o t he organiz t ion it self and uses a lang age and lay out

t hat c n be e siy under t oo b cust omer and st af alke Ty pic ly t his wo ld

be described in t he organiz t ion’s q ualt y manual

The proc s , a defnition:

An a ctivity o series o joined -u a ctivities tha t conv rt( ) a n in ut into a n

Fig ur e 1.1 Example manag ement system

If t he b sines management sy st em iden fes what proc s es t he organiz t ion

ne ds, t hen proc s def it ions or proc s maps def e t he me hanism/a t iv it ies

t he organiz t ion is req uired t o complet e in order t o a hieve it s st at ed o je t iv es

t o fulfl cust omer and st akeholder ne ds S e Fig re 1.2 for an example of a

proc s map

Proc s manag ement, a defnition:

The efctiv contr l o a series o a ctivities tha t conv rts in uts into outp ts

whist both a d d in va lue a nd contin a lly impr vin its per forma nce r la ted

to the outcomes r q ir d

P t anot her way, if we are t o manage a proc s efe t ively we ne d t o plan and

implement it s delvery using t he ap ropriat e eq uipmen k owled e, et c and

me sure it s per formanc against t arget s These per formanc me sures are based

on t he p rp se of t he proc s and b me suring against t hese we c n iden fy

aim is t o analy se t he a t ual result s a hiev ed (compared against t he t arget ), t o

le rn from t he informat ion and t rends creat ed and t o use informat ion as a basis

for a t ions for change or improvement More det ais on proc s management

and inde d sy st ems t hin ing c n be fo nd in b oks 1 and 2 oft his series (or

det ai s on t hese, se t he R eferenc s chapt er at t he end of t his b ok)

As a proc s management audit or we ne d t o t est how efe t ively t his is

t aking pla e!

Prior t o any at t empt t o c r y o t a proc s management audit y ou must fr t

under t and t he principles of t he proc s -based management sy st em and t he

cont ext in which proc s es are managed

Proc s es d not o erat e in isolat ion, t hey are l n ed t oget her t o form an

o eral management sy st em This management sy st em prov ides t he famework

for t he organiz t ion t o:

• under t and cust omer and st akeholder ne ds;

• under t and t he const raint s, reg lat ions and ot her infuenc s pla ed on

• develo it s b sines plan and/or o je t ives;

• def e and implement it s core and su p r t proc s es;

• est ablsh it s key per formanc indic t or or me sures; and

• analy se it s per formanc and make improvement s in order t o a hieve it s

b sines plan and/or o je t ives

As an au it or y ou have t o under t and t hese principles in order t o c r y o t a

suc es ful au it and maximiz t he value of y our au it rep r t t o t he organiz t ion

The principles ab ve relat e t o a sy st em and are t est ed b c r y ing o t a ‘sy st ems

management au it ’ In t his b ok we are conc rned wit h ‘proc s management

au it s’ and t herefore t he principles are at a lower level b t st il folow t he same

general ap roa h, t o:

• under t and t he p rp se of t he proc s ;

• under t and inp t s and o t put s and t he o je t ives of t he proc s ;

• def e t he st eps or a t ivit ies of t he proc s ;

• est ablsh proc s effciency and efe t ivenes me sures; and

• analy se proc s per formanc and make improvement s based on t his

An au it or sho ld not be under any i usions t hat t he organiz t ion is only

lo king for an au it rep r t cont aining det aied fndings on t he organiz t ion’s

complanc t o ISO 9 01:2 0 They are most c r t ainly not , as t here is much

more t hat t hey now ex e t

What t he organiz t ion realy want s is a rep r t from t he audit or describing

t he impa t on t he organiz t ion of t he f dings in relat ion t o complanc wit h

ISO 9 01:2 0 In ot her words t he organiz t ion’s viewp int is t hat :

• b sines comes fr t and t he St andard se ond;

• t he au it or is using ISO 9 01:2 0 as a management t ool, a g idanc

d cument t hat describes a t ivit y ; and

• f dings against t he St andard ne d t o be int erpret ed int o organiz t ional

lang age and t heir impa t highlght ed

The audit rep r t is for management use as informat ion t o help highlght

improvement o p r t unit ies and t o ident ify risks t o t he b sines The

management are more l kely t o resp nd p sit ively t o y our rep r t if it is b sines

focused, as t hey c n cle rly se t he beneft s t o t he b sines on making any

2 The r equir ements of ISO 9001:2008 – An

Do y ou k ow t he eight key principles at t he he r t of ISO 9 01:2 0 and

what t he ‘PDCA’ met ho olo y is If t he answer is no, t hen y ou ne d t o le rn

t hem q uickly and t horoughly if y ou are g ing t o be a compet ent au it or ( e

Table 2.1) These are t he basic principles t hat wi form t he fo ndat ion of

y our au it ing t ech iq ue, and are shown in S ct ion 0.2 in t he int rod ct ion t o

ISO 9 0 :2 0 They are what diferen at es a suc es ful organiz t ion from one

t hat is not , and form t he fo ndat ion of ISO 9 01:2 0

Ta le 2.1 The eig ht principles behind ISO 9001:2008

Cus omer focus Un ert an in wh t c st omer n e a d e pe t rom t he organiz t ion

as a whole a d not just rom a in ivid al re u st or ord r

L a ership Manag eme t ( anyon resp nsible for th activity of ot hers) at all

le els creatin and maintainin an e vironme t aime at achie in th

busin s o je tiv s in whic oth rs can o erat e

Involveme t of p o le Ensurin t hat al are in olv d in ord r t hat t heir abi t i s cn be use

Proces a pr oach Obje tiv s are more lkely to be achie e wh n activities are se n,

u d rsto d and manag ed throug h proc ses and resources alig ne

according ly

Systems a proa ch to

ma a geme t

Id ntifyin th in ivid al busin s proc ses and orderin th m so

that th y d lv r results and o je t i es eff ie tly and efe tiv ly

Co tin al

improveme t

Improvin busin s performa c should be th o je tiv of any

org anization – it must improv and c ang e ov r time

F ctu l a proa ch to

d cisio mak in

Efe tiv d cisions are base on information that has be n a alyse

and not purely on a fe ln of what n e s to be don

Mutu ly b n fcial

su pler relatio ships

En anc d valu is create by workin closely with sup ler that can

affe t your d lv rables and not ag ainst th m – it is really a ase of

1 +1 = 3!

The PDCA met ho olo y or cy cle is t he ot her key principle of ISO 9 01:2 0

and it s ap l c t ion must be evident wit hin t he organiz t ion at b t h sy st em

level and wit hin individ al proc s es I c n be described as in Table 2.2, and

visualz d as in Fig re 2.1

Ta le 2.2 PDCA methodolog y

Pla Establsh th o je tiv s and proc ses n c sary to d lv r results in accordanc

with c stomer req ireme ts and busin s o je tiv s and p lcies

Ch ck Monitor and measure proc ses ag ainst o je tiv s, p lcies and re uireme ts and

rep rt th results

There is a danger that if au itor s fai t o g rasp the fundament al principles of

ISO 9 01:2 0 they wi under mine what they are t ry ing to a hiev e, and incre se

the p s ibi t y of red cing t he ad ed v alue they c n bring to the b sines This

basic requirement for audit or s t o under st and t he principles behind it, not just

the detai of ISO 9 01:2 0 se ms o v io s, b t ex erienc t o date highlghts the

fa t t hat the majority ofau it or s d not g rasp these basic principles As a result,

there are hu e v ariat ions in t he perc ption b sines has of w hat ISO 9 01:2 0 is

ab ut and the v alue that efe tiv e au iti g c n bring t o them

Fig ur e 2.1 Visual r epr esentation of PDCA cycle

When y ou read ISO 9 01:2 0 y ou read it clause b clause and as y ou read

it y ou so n realz one se t ion runs int o anot her and is l n ed t o many more,

which is why, as an au it or, it is imp s ible t o au it SO 9 01:2 0 se t ion b

se t ion, it has t o be au it ed almost in it s en ret y t o make any sense

L et ’s give y ou an example When t ry ing t o est ablsh how a proc s owner

manages and monit or t he per formanc oft heir proc s y ou ne d t o t est :

• ln s t o t he ov eral b sines o je t ives;

• proc s inp t s;

• proc s o t put s;

• t he proc s it self;

• ln s t o ot her proc s es;

• informat ion/proc d res req uired t o su p r t proc s a t ivit ies;

• current proc s per formanc ;

• improvement a t ivit ies; and

• peo le inv lved in t he proc s

If y ou t est t hose areas lst ed in t he paragraph ab ve t hen y ou are also g ing t o be

t est ing t he folowing clauses of ISO 9 01:2 0 :

• 4.2 Document at ion req uirement s;

• 4.2.1 General;

• 4.2.3 Cont rol of d cument s;

• 4.2.4 Cont rol of records;

• 5 Management resp nsibi t y ;

• 5.1 Management commit men

• 5.2 Cust omer focus;

• 5.3 Qualt y p lcy ;

• 5.4.1 Qualt y o je t ives;

• 5.4.2 Qualt y management sy st em planning;

• 5.5.1 R esp nsibi t y and aut horit y ;

• 5.5.2 Int ernal communic t ion;

• 7 Prod ct realz t ion; and

• 8 Me surement , analy sis and improvement

Put it anot her way, a b sines d es not o erate as a series of uncon e t ed

se t ions so t herefore it must fol ow that y ou c n ot au it it as a series of separat e

se t ions Under standing t he key principles behind ISO 9 01:2 0 al ows y ou t o

be more relaxed in y our au it ap roa h Inst ead of wor y ing ab ut t he detaied

compl ianc t o ev ery single se tion in ISO 9 01:2 0 y ou sho ld be lo king for

t he ap lc t ion of t he principles Yo are t hen able t o as es t he efe t iv enes of

t hese ln ages and t he efe t t hey hav e on t he per formanc of t he proc s , i.e

Complanc wit h what ? Does it comply wit h:

• t he six mandat ory proc d res ( e t he next lst )?

• t he eight principles

• t he PDCA cy cle?

The me ning of t he word ‘complanc ’ conjures up images of rigid proc d res

t hat must be worked t o b t he let t er However, when y ou read ISO 9 01:2 0 it

refer t o t he ne d for d cument ed proc d res in only six pla es These are for:

• cont rol of d cument s;

• cont rol of records;

• int ernal au it ;

• cont rol of non-conforming prod ct ;

• correct ive a t ion; and

• preven ve a t ion

Yo must as ume from t his t hat SO 9 01:2 0 is efe t ively alowing an

organiz t ion t o de ide for it self what , if any, a t ivit ies it prov ides writ t en

proc d res t o su p r t

Going ba k t o o r q uest ion of compl anc , t hen y es, t his is o vio sly very

e sy t o che k as t he evidenc wi l be in t he form of d cument ed proc d res for

t he six areas iden fed ab ve We c n che k t hat t hey are being ap led, t hus

comply ing wit h t he req uirement s of ISO 9 01:2 0

So w h at h ap e ns i f th e org ani zati on d e ci d es not to d ocumen t an y oth er

proc d ures to su p rt i ts proc s a ti v i ti e s, ca n i t sti l l compl y w i th ISO 9 01:2 0 ?

Th e an sw er i s v er y cl ear l y yes, prov i d ed i t c n al so d emonstr a te compl i anc w i th

th e ei g ht pr i nci pl es an d the PDCA cycl e

Complanc t o t he eight principles and t he PDCA cy cle is unlkely t o be

demonst rat ed t hrou h t he evidenc fo nd in d cument ed proc d res, b t more

t han lkely from subje t iv e evidenc drawn from int erviews wit h management

and st af alke We must t herefore conclu e t hat o je t ive evidenc c n be in

b t h d cument ed and non-d cument ed format

Au it or have t o come t o t erms wit h t he fa t t hat alt ho gh t hey might

lke t o se evidenc d cument ed, as t his gives t hem a sense of reas uranc , t he

lkelho d is t hat much evidenc may wel not be d cument ed and t hey wi

To help y ou under t and what is me nt b t hese t wo t erms, d cument ed

and non-d cument ed, we hav e lst ed below examples of b t h The examples

of d cument ed evidenc wi probably lo k v ery fami ar t o t hose used t o

t radit ional audit ing as it is al bla k and whit e, right or wrong Conver ely

t he examples for non-d cument ed evidenc wi no d u t make y ou st op and

t hin ‘how c n I as es t his ’ This is a q uest ion t hat is ho efuly answered in

su sequent chapt er of t his b ok

Examples of d cument ed o je t iv e evidenc :

• signed p rchase order;

• u -t o-dat e cust omer a co nt fle;

• lo of ap roved order ;

• delvery not e;

• cust omer complaint let t er and correct ive a t ion plan; and

• au it rep r t

Examples ofnon-d cument ed o je t ive evidenc :

• proc s st af member k owing how t hey cont rib t e t o t he a hievement of a

maximum 30 se ond cust omer wait ing t ime;

• proc s owner k owing t he current per formanc of t heir proc s ;

• proc s st af k owing t he current per formanc oft heir proc s ;

• an improvement proje t t hat cont rib t ed t o increasing on-t ime delv ery ;

• proc s per formanc indic t or t hat relat e t o p rp se of t he proc s and/or

b sines o je t ives;

• management and st af b t h being able t o iden fy who t he cust omer is and

what t heir req uirement s are; and

• peo le at al levels having t he abi t y t o cont rib t e t o b sines improvement

The int ent of ISO 9 01:2 0 is not t o forc an organiz t ion t o simply comply

wit h its req uirement s b t t o d it in a man er t hat ad s value t o t he b sines ,

t hus t his is t he ap roa h y ou as an au it or ne d t o t ake Not just t ry ing t o p t

a t ick b al t he clause he dings of ISO 9 01:2 0 , b t invest igat ing how t hey

work to beneft t he organiz t ion

New ter itory – Interviewing the manag ing dir ector!

Even at t his st age in reading t his b ok y ou sho ld be begin ing t o realz t hat

b t h t he ski ls and compet enc s ofa proc s management au it or are a level

ab ve any t hing t hat has g ne before and t hat t hose au it or who have lt t le or

no ap reciat ion of how a b sines o erat es and t he principles of ISO 9 01:2 0

One of t he great est chalenges fa ing au it or is t he ne d t o au it at al

levels in t he organiz t ion, not just o erat ional a t ivit ies as in t he past This wi l

me n au it ing senior management and inde d t he most senior manager, t he

managing direct or or chief exe ut ive offc r, as par t of t he au it

Su seq uent se t ions of t his b ok wi co er in more det ai how t o prepare

for and c r y o t an int erview wit h t he managing direct or, b t in t he me n me

here are some t hings for y ou t o t hin ab u

• How wi y ou co e wit h t his chalenge?

• What q uest ions wi y ou ask t he managing direct or

• Why wi l t hey be int erest ed in t alking t o y ou?

• Can y ou au it t hem in just 1 – 30 minut es

As t he evidenc of complanc may not be d cument ed and wi almost c r t ainly

be more su je t ive, so increasingly t he au it or ne ds t o t est t he communic t ion

bet we n senior manager and st af, in an efor t t o disco er how focused t he

organiz t ion realy is on t he eight principles and t he PDCA cy cle This wi be

t he real t est req uired t o det ermine t he level of complanc wit h ISO 9 01:2 0

Be gentle wit h me, I’m not matur e!

There is one last fa t or t hat au it or must consider when t hey c r y o t an au it

and t hat is t he q uest ion of sy st em and organiz t ional mat urit y

Management sy st em mat urit y q uest ions sho ld be asked such as:

• How long has t he organiz t ion be n develo ing it s proc s -based

management sy st em?

• What c n I reasonably ex e t t o f d at t his st age in it s develo ment ?

• What sho ld I p t in my audit rep r t t hat wo ld help t he organiz t ion, b

ad ing v alue at t his st age of t heir mat urit y ?

As an a ud i tor, you w i l l n ot be a bl e to a n sw e r th e se q e sti on s w i th out kn ow l ed g e of

th e b si n es Th a t kn ow l e d g e c n come fom e i th e r w or ki n g for th e org a n i za ti on i n

q e sti on or fom th e re sp n ses you g et d ur i n g th e co r se ofth e a ctua l aud i t E h e r

w a y you h ave to ma ke ce rta i n jud g e men ts a bo t h ow you w i l l a ud i t an d w h a t you

w i l l ul ti ma tel y rep rt ba ck to th e org a n i zati on

ISO 9 01:2 0 i s uni que i n thi s w ay, i t c n take a co n t of the matur i ty of

the manag ement sy stem an al l ow an aud i tor the abi l i ty to use thei r jud g ement to

d eter mi ne not onl y w hether the basi c pr i nci pl es are bei ng ap l i ed , b t al so to w hat

ex tent th e b si nes i s usi ng them to d r i v e i tself forw ard No tw o org ani zati ons are

al i k e and , i nd eed , org ani zati on s w i l l mature ov er ti me An aud i t therefore ne d s to

3 The system- process- procedur e r elationship

The pr i mary role of a proc s management aud itor is to d iscov er to w hat extent

the proc s is bei ng manag ed and w hat efe t this has on the a hi ev ement of

b si nes o je tiv es In ord er to d o this suc es full y, as w e hav e al re d y d i scov ered ,

this may or may not inv ol v e d cumented proc d ures

Before y ou c n under t ake any proc s management au it y ou must fr t

ap reciat e how a management sy st em works and t he int era t ions t hat g on

bet we n t he o eral sy st em, proc s es and proc d res

Chapter 1 of thi s b ok g av e a br i ef ov erv i ew of the manag ement sy stem and

proc s es w i th ex ampl es for e ch, an i t i s bei ng abl e to mak e the con e ti ons

betw een these an su p rti ng proc d ures that you ne d to focus on

The management sy st em def es t he o eral sco e of t he b sines , which is in

t urn su p r t ed b any number of proc s es t hat req uire management , which in

t urn are su p r t ed, where ap ropriat e, b proc d res, as shown in Fig re 3.1

Def ed b senior management and owned b t he he d of sco e, t y pic ly

t he managing direct or, t he management sy st em is a v isual represent at ion of

an organiz t ion’s proc s es ne ded t o delver t he b sines per formanc at

t he highest level and cont ains every t hing from b sines plan ing t hrou h t o

Ty pic ly 8 t o 1 high level proc s es are iden fed and t hey in t urn l n or are

del vered t hrou h any number of o erat ional proc s es cont aining t he det ai of

what a t ivit ies are per formed

R elat ed direct ly t o t he management sy st em are t he proc s es t hemselves, which

exist t o conver t inp t req uirement s int o cust omer o t put req uirement s t hrou h

a series of value ad ing a t ivit ies In ot her words t hey provide t he me hanism

t hat alows t he organiz t ion t o a hieve it s o je t ives, wit h a focus on how t he

diferent depar t ment s wit hin t he organiz t ion work t oget her t owards t his aim

Just b hav ing proc s es d es not ensure t hat t he b sines wi a hieve it s

o je t iv es They ne d efe t ive management and it is t his ‘proc s management ’

t hat y ou ne d t o focus on when au it ing To be able t o d t his efe t ively y ou

fr t ne d t o under t and how proc s es sho ld be managed in a man er t hat

Ma a eme t s stem

Proc s

Th ‘wh t’ w e d le el

Own d by Proces Own r

Me s res o eral proces p r forma ce

Sup or ts pr oces activity

Fig ur e 3.1 The manag ement system in context

To many au it or au it proc s es in isolat ion, fai ing t o make t he vit al

con e t ions bet we n b sines o je t ives and proc s o t put s and me sures

Faiure t o make t hese con e t ions wi result in an incomplet e, inadeq uat e and

non-value-ad ing au it It ’s rat her lke che king a rout e map wit ho t k owing

where y ou are t ry ing t o get t o – al a bit p in es

Yo ne d t o be t hin ing ab ut asking t he proc s owner t he folowing

q uest ions

• What is t he p rp se oft his proc s ?

• How d es it cont rib t e t o t he organiz t ion a hieving it s b sines o je t ives

• Are t here proc s per formanc me sures

• Do t he me sures relat e t o t he o je t ives/are we me suring t he right t hings

• Is the per formanc k own and are efe t iv e improvement a t ions in pla e?

There are many more q uest ions relat ed t o as es ing proc s management b t

ho efuly y ou c n begin t o ap reciat e t hat t o be a suc es ful au it or req uires

considerable ski l and compet enc These ski ls and compet enc s ne d t o be

in diferent areas t han have be n req uired in t he past in order t o make t he

ne es ary conne t ions and iden fy is ues wor t hy of rep r t ing

Procedur es

This is oft en a v ery diffcult conc pt for many peo le t o come t o t erms wit h

ISO 9 01:2 0 alows organiz t ions t he freed m t o de ide for t hemselves t o

what ext ent t hey have d cument ed proc d res, whereas t he 19 4 ver ion of t he

St andard req uired vir t ualy al o erat ional a t ivit ies t o be d cument ed There

is a c r t ain reas uranc one get s from having t hings d cument ed and t here is

no d u t t hat having d cument ed proc d res d es make complanc au it i g

p s ible In t hemselves, however, proc d res d not help us t o c r y o t an

efe t ive proc s management au it

So when y ou are au it ing t he a t ivit ies wit hin a proc s it self y ou sho ld

be t hin ing ab ut asking t he folowing q uest ions

• What risks t o t he proc s are t here b not having proc d res d cument ed?

• If t he risks are high, has t he organiz t ion considered t hem and chosen an

alt ernat ive way t o red c t hem, such as t raining?

• If t here are proc d res are t hey adeq uat e for t he risks t hey are cont rol ng?

• Do t he proc d res ad value or just increase b reaucra y ?

The proc s owner sho ld hav e considered what, if any, proc d res are required

to su p r t proc s a tiv ities Yo r role is to help the proc s owner b con r ming

Yo w il be wor k ing in par tner ship with them to improv e b th the p ten al and

a t ual per for manc of t he proc s

The focus of t his b ok is proc s management au it ing b t in order t o set t his

in cont ext y ou ne d t o reco niz t hat proc s es d not o erat e in isolat ion

Ho efuly t his se t ion oft he b ok has g ne someway t o clarify t his for y ou

Fig re 3.2 summariz s t y pes of audit s depending u on t he lev el y ou are lo king

at in t he organiz t ion and as an audit or y ou ne d t o remain conscio s of t hese

con e t ions t hrou ho t y our au it

4 Auditing tools and techniq ues

So far we have lo ked at some of t he fundament als t hat make u a management

sy st em and t he basic under t anding t hat an au it or ne ds t o hav e in order

t o c r y o t a proc s management au it We now t urn o r at t en on t o t he

det ai of how y ou sho ld a t ualy cond ct an au it st ar t ing wit h t he t ools and

t ech iq ues t hat y ou sho ld ad p

For y ear s, au itor training has had a constant t heme t o it wit h one

mes age in par ticular being driv en home t ime and again: ‘Show me t he ev idenc !’

Ab v e al else au it or s hav e be n t rained to as es what an organiz t ion d es

against what it said it d es, basing any de ision as t o how wel t hey did it on the

d cument ed ev idenc t hey have be n shown

Th i s te ch n i que of a ud i ti n g i s on l y re l e va n t for a sse ssi n g proce ss ma n a g e m en t

w h e n com pl i a n ce a ud i ti n g to a spe i fc re g ul a tor y sta n d a rd i s re qui re d , such a s

th ose use d i n th e me d i ca l or ph arma ce uti ca l i n d ustr i e s, or a g a i n st a stan d a rd such

a s ISO 9 01:2 0 Th i s styl e ofa ud i ti n g ma y th en be re l e v a n t to ch e ck th a t spe ci fc

d e ta i l e d re qui re me n ts a re be i n g me t a n d efe cti v e l y a ppl i e d

For t he remainder of t his b ok, t he focus wi be on audit ing t he

efe t ivenes ofproc s managemen also req uired b ISO 9 01:2 0 This

req uires diferent t ools and t ech iq ues t o t hose req uired for b t h sy st em and

complanc au it ing, and we ne d t o reco niz t hese diferenc s

There are basic ly t wo tools that sho ld be used in b th prepar ing for and

c r ry ing o t a proc s management au it ( e Fig re 4.1, Fig re 4.2 and

Table 4.1) Neit her of t hem is complc ted and in fa t they are just plain common

sense B th, howev er, require the au it or to under tand how a b sines wor ks

t hro gh its proc s es in order t o use them efe tiv ely This is one of t he k ey

competenc s ofa suc es ful proc s management au it or

Onc y ou under t and t hem, t hey are so p wer ful t hat y ou c n ap ly t hem

t o any proc s wit hin any b sines , regardles of ind st ry se t or

In proc s management audit ing y ou are t est ing every one of t he b xes in e ch

proc s y ou au it at ev ery level wit hin e ch proc s , i.e y ou g round t his cy cle

wit h ev ery one y ou int erview The q uest ions y ou use t o t est e ch one of t he

b xes wi be phrased slgh y diferen y and wi l be in a man er suit able t o t he

per on being int erviewed, b t nonet heles t hey wi fol ow t he same cy cle This

aspe t is crit ic l for suc es ful au it i g I is no g o asking a member of st af a

q uest ion t hat t hey d not under t and, or using ‘management st y le’ or ‘st andard’

lang age t hat t hey c n ot relat e t o what t hey d For example asking someone

what ‘reso rc s’ t hey use may not be under t oo , asking what ‘eq uipment ’ t hey

and ne ds t o be based on t he ne ds of t he au it ee not t he audit or I ne ds t o be

in t he lang age used b t he peo le wit hin t he organiz t ion it self

Ta le 4.1 Defnitions of the elements of auditor tool 1

Purpose of th proces W hy th proces exis s – su pler in ut a d cus omer o tp t

Proces o jectives

a nd ta rget

Spe if aly th o je tiv s a d targ ets for this proc s that must

relate to th ov ral busin s o je tiv s and targ ets

Th proces itelf T he activities in olv d in th proc s

Key p rforma ce

pr oces mea sures

Measures dire tly relate to th proc s it self and ov rall busin s

o je tiv s, in th way c stomer measure th proc s

Mo itorin

p rforma ce

S stematic, reg ular monito n of th measures in order to asses

proc s performanc

Improveme t Activities that are d sig ne to close th g ap betwe n c rre t

performanc and th targ et performanc le el re uire

Conseq uen y t he evidenc provided b peo le being int erviewed wi also be

ap ropriat e for t heir level wit hin t he proc s and wi almost c r t ainly be mainly

non-d cument ed and su je t ive

Au it or t ool 2 folows a simiar t heme b t ext ends t o inclu e t hose t hings

t hat sup or t t he proc s in t erms of:

• t he compet enc of t hose working wit hin t he proc s t o efe t iv ely c r y o t

t heir t asks;

• t he reso rc s ne ded for proc s a t ivit ies t o be per formed adeq uat ely ;

• t he k owled e and informat ion ne ded t o efe t ively c r y o t a t iv it ies

wit hin t he proc s ;

• t he b d et for t he proc s t hat t akes a co nt of t he lkely fut ure demands on

t he proc s

These in uenc s or constr aints are only examples and in re lty there may wel

be other s W hat y ou are lo k ing for is any thing that afe ts per for manc of the

proc s , and it c n come fom any manag ement disciplne Proc s manag ement

au itor therefore ne d a basic fo ndation in a r ang e ofb sines a tiv ities

and disciplnes For example how c n an au itor as es or mak e ju gements

on someone’s competenc if they hav e no under standing of human reso rc

Taking e ch b x of ‘au it or t ool 1’ le s lo k at e ch one in t urn and t ry t o work

o t t he most ap ropriat e q uest ion t o ask, and t he pla e t o lo k for answer

As we g t hrou h e ch b x we wi , in ad it ion, inclu e al t he element s from

‘au it or t ool 2’ R emember, however, t hat ev idenc is not only gat hered t hrou h

q uest ioning, b t b a range of t ech iq ues

The end result wi be an au it che kl st y ou wi l be able t o use t o prepare

for and t o au it most proc s es Yo may wel be able t o come u wit h ot her

areas and is ues t o raise; what ev er t hey are t hey ne d t o t est t he efe t ivenes

of t he proc s As y ou g t hrou h t he st eps in t he cy cle y ou may wel be able

t o iden fy areas where y ou ne d t o dig a bit de per, ask more q uest ions and

t est any complanc is ues t hat may be ome ap arent Inex erienc d proc s

management au it or t end t o st ay in t he det ai ofcomplanc onc t hey are in

it The ‘ar t ’ is t o ke p t he cy cle in mind as y ou c r y o t t he au it and ‘dip’ int o

t he det ai as req uired, coming o t of it t o mo e on t o ot her par t s oft he cy cle

in order t o b id t he lnks I is not e sy at fr t t o make t his change, b t onc

• What are th proc s’sup ler inputs and c stomer outputs?

• How do you d termin what th c stomer req ireme ts are; is

this th ultimate c stomer?

• Wh re do you g et your work from?

Proces o jectiv es

a nd ta rget

• How do you d termin your o je tiv s and targ ets?

• What are your o je tiv s and targ ets?

• How do th y lnk to and sup ort th ov rall busin s o je t i es?

• How do you plan for future c stomer d mands and th lkely

resourc s req ire to sup ort th m?

Th proces itelf • Can you d scribe th proc s?

• How do any proc d res sup ort th proc s?

• Who is your c stomer?

• How do you know what your c stomer re uireme ts are?

• How does this proc s interact with oth r proc ses in th

manag eme t system?

• Who do consid r as your sup ler?

• How does your up ler sup ort you?

• How do you d termin th compete cies re uire for those

resp nsible for proc s activities?

Key p rforma ce

proces me sures

• How do you d cid what ke performanc in ic tor to use?

• How are th proc s measures lnke to busin s o je tiv s

• How ofe is proc s performanc measure ?

• How is performanc data commu icate t o th proc s team?

Impr oveme t • How do you id ntify improv me t is u s?

• How do proc s team members contribute to improvin

proc s performanc ?

• How to you e aluate th su c s of improv me t activities?

• How have improv me t actions affe te proc s performa c ?

• How are improv me t actions commu icat ed to th

The q uest ions det aied ab ve ne d t o be t ho ght ab ut and t aiored t o suit t he

individ al being int erviewed and t he level at which t hey su p r t t he proc s

For inst anc , asking an o erat or c r y ing o t a proc s a t ivit y if t hey k ow

what t he organiz t ion’s b sines o je t ives are wo ld oft en be p in es in many

organiz t ions as t he o erat or wo ld more t han lkely t hin y ou were t alking a

foreign lang age! B t beware t hat t his is not alway s t he c se and, imp r t ant ly,

use y our own k owled e of y our own organiz t ion t o get t he lang age right

As an au it or y ou have t o consider what is t he most ap ropriat e q uest ion

t o ask and in t his c se it might be asking t he o erat or who t hey consider is t heir

cust omer and how t hey k ow t hey are me t ing t heir cust omer’s req uirement s

Fig ur e 4.3 Appropriate questioning te hniques

Au it or t hat under t and t his dy namic and use it efe t ively in conjunct ion wit h

b t h oft he au it or t ools wi l gat her t he great est amo nt of informat ion relevant

t o how efe t iv ely t he b sines is managing it s proc s es The more informat ion

an audit or has on t he company ’s per formanc t he more valuable t he au it rep r t

If we have est ablshed t hat t he q uest ions and q uest ioning t ech iq ues y ou use

as an au it or v ary a cording t o t he per on being int erviewed and t he lev el t hey

are working at wit hin t he proc s , t hen it must also folow t hat t he o je t ive

evidenc y ou o t ain wi l also vary a cordingly

In Chapt er 2 we lo ked at examples of d cument ed and non-d cument ed

o je t iv e evidenc , so let us now consider what t y pes of o je t ive ev idenc

we might f d at diferent levels in t he b sines , depending u on who we are

au it i g and what q uest ions we are asking

Taking some of t he q uest ions from t he Table 4.2, Table 4.3 o t lines t he

lkely o je t iv e evidenc y ou might ex e t t o f d

Table 4.3 Obje tive evidenc

Qu s io Evid nce from proces ow ner Evid nce from pr oces s af

• How does th proc s

sup ort th busin s

strat eg y and o je tiv s?

• What are th proc s

sup ler inputs and

• How do you d termin

your o je tiv s and

targ ets?

• What are your o je tiv s

and targ ets?

• How do th y lnk to

and sup ort th ov rall

busin s o je tiv s?

• How do you pla for

fut ure c ust omer d ma ds

a d t he lkely resourc s

• L ink to ov rall company

o je tiv s and targ ets

• Tels/shows you

• Clear u d rstandin of

ov rall company o je tiv s

and targ ets and can

d monstrate lnkag e

• Tels/shows you plan, g iv s

example of havin don it

• In tou h with proc s

c stomers and makes

sug g estions t o proc s

Qu s io Evid nce from proces ow ner Evid nce from pr oces s af

• Can you d scribe th

proc s?

• How do any proc d res

sup ort th proc s?

• How does this proc s

interact with oth r

proc ses in th

manag eme t system?

• How do you d termin

th compete cies

req ire for those

resp nsible for proc s

lnks are and how th

commu icat ion betwe n

• Knows own compete c

and has be n appraise /

• Tels/shows you proc s

measures bein use

• Tels you/ shows you

• How do you id ntify

data to improv me t action

• Tels you and can g iv

examples from team

• L inks back to performanc

data to d monstrate

• T ks throug h methods/

id as and lnks to proc s

own r

• Knows how and who to

sug g est improv me ts to

• Commu ication from

proc s owner