With the auditing principles and techniques explained, this appendix seeks to provide some example questions based on the approaches used. As explained previously it is not easy to assess the effectiveness of a process or, indeed, a system, by simply following the clauses of the Standard – organizations simply do not always work that way. Nonetheless the examples are grouped by clause for ease of reference together with questions that could be asked to demonstrate compliance along with those that seek to test effectiveness. This is not an exhaustive list and all clauses are not covered in the detail needed, otherwise we would end up with a book of questions and that is not the point.
One common trend you will notice is that asking a compliance question gives a defnitive answer, asking a question on effectiveness provides information – the auditor’s job is then to add this information together to form the judgement on effectiveness. Also notice that ‘open’ and ‘closed’ questions can be used in both areas – simply asking the question starting with what, how, where etc. does not constitute skills associated with effectiveness testing.
74
Process Management Auditing for ISO 9001:2008
Table A.1 Example questions for Clause 4 of ISO 9001:2008
Clause no.
Requirement Question to whom Compliance question Effectiveness question
4.1 Identifcation of the processes
Senior management Show me the processes that make up the management system
How do you know the correct processes have been identifed?
Senior management What management information do you use to monitor the processes?
How do you know that the management information you use is the correct information to control a process?
Senior management What parts of your processes are outsourced?
How do you assess which parts of your process should or shouldn’t be outsourced?
How is this management decision made?
Management What parts of your processes are outsourced?
How do you know that the outsourced work is being effectively managed and controlled?
Staff member What jobs are given to other people outside the business to do?
How often, roughly, is work done by other people outside the organization completed wrongly or badly?
Staff member What is your job? What is the impact on the customer if you don’t get your job done correctly?
Staff member What part do you play in the process?
How do you know if or when you have done a good job?
Staff member What do you do? How often do you get work that is either wrong, incorrect, needs rework or is simply confusing?
4.2.1 General Senior management Are procedures documented?
Do you have a quality manual?
Is there a statement of quality and objectives?
How did you determine what method and approach is of most beneft to your organization?
Appendix 1
75
Clause no.
Requirement Question to whom Compliance question Effectiveness question
4.2.2 Quality manual Senior management/
management
Do you have a quality manual?
Show me your quality manual.
Does it contain the right information outlined in the Standard?
What is the purpose of the manual?
How is it used on a routine, regular basis?
How is its content translated into everyday activity?
Why is it written the way it is?
How does the manual support the objectives of the organization and its image with the customer?
Staff Do you know where to fnd
the manual?
Show me the quality manual.
What is this organization trying to achieve?
How does the organization work?
How do we all work together to deliver results?
How do we improve things in this organization?
4.2.3 Document control
Management/staff Do you approve documents prior to issue?
Do you have a procedure?
Show me how you control the version.
Etc.
How often do you fnd that you use the wrong information or documents in this organization?
(Ask many people to build up a picture.)
Do you ever think that you use out-of-date information?
How do you know you are using the most up-to-date information/documents?
76
Process Management Auditing for ISO 9001:2008
Table A.2 Example questions for Clause 5 of ISO 9001:2008
Clause no.
Requirement Question to whom Compliance question Effectiveness question
5.1 Management
commitment
Senior management How do you demonstrate that you are committed to the development and implementation of the management system?
How do you know that the approaches you use to demonstrate commitment are effective?
Staff member Are management committed to the management system?
Or:
How committed are management to the management system in this organization?
When was the last time you saw/heard your manager concerned with meeting the customer’s needs?
What was this?
What was the impact of these statements on you and your colleagues?
Compare the answers given by both management and staff and identify any inconsistencies.
5.2 Customer focus Senior management How do you focus on the needs of the customer?
How do you prioritize the needs of different customers and other stakeholders?
We can’t satisfy everyone 1 00 per cent of the time, so how do you manage this?
How is this information used to set business objectives?
How do you validate the information to ensure it is correct (otherwise your objectives could be incorrect)?
Senior management/
management
How do you identify customer needs?
How do you know that the process for identifying customer needs is effective?
Senior management/
management
What process do you have to identify what customers’
needs are?
What is your role in this process?
How are customers’ needs translated into objectives that are subsequently measured by customer satisfaction activity?
How does it all link together?
Senior management Who is responsible for this process?
How is this process managed, controlled and improved on a continual basis?
Appendix 1
77
Clause no.
Requirement Question to whom Compliance question Effectiveness question
5.3 Quality policy Senior management Show me your policy. What factors did you consider in determining the policy details?
Staff member Do you know what the quality policy is or where to fnd it?
What is important to this organization?
How important is it that you do a good job – to you, to the customer, to the organization?
If there was one thing that this organization had to achieve, what would it be?
Senior management Has the policy been communicated?
How?
How do you know that your employees understand the policy and what it means to them?
5.4.1 Quality objectives
Senior management Do you have quality objectives? How do you know the objectives are correct?
Who created the objectives? How do you know that the management agree with the objectives set?
Are the objectives measurable? How were the measures selected?
How do you know that these are actually achievable?
How many objectives are there?
How do these objectives complement and support each other to move the organization forward?
How do you know that they jointly deliver everything you need to do as a business?
Link the answers to these questions with those given in answer to Subclause 5.2. Do the answers link? Do they make sense?
Management What are your objectives?
Are they measurable?
How do you know if your objectives link to those of the organization?
How were the objectives created?
78
Process Management Auditing for ISO 9001:2008
Clause no.
Requirement Question to whom Compliance question Effectiveness question
5.4.2 Quality management system planning
Senior management Is the management system designed to meet the objectives of the business?
How do you maintain the integrity of the management system?
How do you know that the management system has been designed to meet the objectives set?
How do you ensure that the integrity of the management system is maintained so that customers are not adversely affected during changes?
5.5.1 Responsibility and authority
Senior management Are responsibilities and authorities defned?
How are responsibilities communicated?
How do you know if these responsibilities are being applied correctly?
How do you reallocate/reduce responsibilities when needed?
5.5.2 Management representation
Senior management/
management
Who is the management representative?
Show me what you do (to the management representative)
Who in the management team
‘champions’ the management system?
How effective is the management representative in helping the organization to understand how it delivers results and improves business performance?
5.5.3 Internal communication
Senior management How do you communicate results to the rest of the organization?
How do you know that the communication methods you use are effective?
Management How do you communicate results to your staff?
How do you translate the organization’s results into information that directly applies to your staff rather than
‘corporate/business speak’?
Does your manager provide you with information on business performance that directly applies to you?
Appendix 1
79
Clause no.
Requirement Question to whom Compliance question Effectiveness question
Staff How well is the organization performing?
Do management communicate to you on this subject?
Does the information you are provided with mean anything to you?
Does the information relate directly to your job?
How can you infuence these results?
5.6 Management
review
Senior management/
management
Do you hold a management review?
What do you look at?
What are the results of the review?
How do you record the actions from the review?
How do management review the performance of the business?
How effective are these methods?
How do you know the actions agreed are aimed at delivering the organization’s objectives?
Are discussions at reviews based on improving results?
What subject areas are discussed?
How do they relate to the performance of the business and its objectives?
What factors do you use to prioritize improvement activity?
80
Process Management Auditing for ISO 9001:2008
Table A.3 Example questions for Clause 6 of ISO 9001:2008
Clause no.
Requirement Question to whom Compliance question Effectiveness question
6.1 Provision of resources
Senior management/
management
Do you allocate resources?
How do you manage resources?
What resources do you need?
How do you know the resources you use are aligned to the delivery of the business objectives?
How do you know that the resources required contribute to satisfying customer needs/
requirements?
6.2.1 General Senior management/
management
How do you recruit people who are competent?
How do you manage people’s competences?
How do you balance the need for procedures with people’s competences?
How do you know the balance between training and competence and the need for procedures is correct and effective?
How do you know your people’s competences are suffcient to deliver the business objectives?
Staff What resources do you use? If there was one thing that would help you do your job better what would it be?
6.2.2 Competence, awareness and training
Management Have competences been defned?
Are training needs identifed?
Do you evaluate training interventions?
Do you have training records?
How do you communicate the importance of your staff’s activities in meeting objectives?
How do you make them understand this?
How do you know the correct competences have been defned?
What methods do you use to evaluate training and how do you know when to use each one?
How do you prioritize someone’s learning/training needs?
What support do you give that allows staff to apply what they have learnt in the workplace?
How do you know how effective this support is?
How do you know that you have effectively communicated personal objectives to staff?
Appendix 1
81
Clause no.
Requirement Question to whom Compliance question Effectiveness question
Staff Has the organization defned the competences you need to do your job?
Do you understand how important your activities are?
Do you think the competences defned for your job are correct?
How good are management at reviewing your competence and identifying where you can improve?
In your view is training delivered generally too late or too early on occasions?
After you have received training does someone ‘test’ or check to see that you can apply the training you have received?
How do your activities help this business achieve its overall goals and objectives?
6.3 Infrastructure Management What equipment/assets do you have?
How is this equipment managed and maintained?
How is the equipment purchased?
Do you back up IT systems?
What processes do you have to manage all your resources?
Does your process cover acquiring, commissioning and decommissioning an asset?
What approvals are gathered for asset purchase?
How do you know that the equipment is capable of delivering the objectives?
How do you know that you have purchased and commissioned the most appropriate equipment?
How do you assess the effectiveness of your disaster recovery plans should your infrastructure fail?
How do you optimize the performance of your infra- structure resource?
How do you know that approvals for asset purchases follow the agreed governance rules for the business?
Staff What equipment do you use?
How is the equipment maintained?
How effcient is the equipment you use?
How quickly is it repaired should it breakdown?
How often does equipment failure affect your production/
service delivery?
82
Process Management Auditing for ISO 9001:2008
Clause no.
Requirement Question to whom Compliance question Effectiveness question
6.4 Work
environment
Management What do you consider to be your working environment?
How is the working environment managed?
What legal and regulatory requirements do you need to follow?
How do you know when to make a new investment in the working environment?
How do you measure the impact of the working environment on people’s motivation to work here?
How do you know that the working environment supports the delivery of process and product requirements?
Staff What is it like working here?
If the working environment could be improved how would it be?
Do management ever ask for your opinion on the acceptability of the environment to deliver what customers need?
Does the environment you work in affect your performance and the quality of what is produced?
Appendix 1
83
Table A.4 Example questions for Clause 7 of ISO 9001:2001
Clause no.
Requirement Question to whom Compliance question Effectiveness question
7.1 Planning
of product realization
Management What are the processes for product realization?
How do these processes operate?
How do you know the correct processes have been identifed to meet the objectives set?
How do you know that the planning is an appropriate form for the business?
How has this been ‘tested’
to maximize the operational performance of the organization?
7.2.1 Determination of requirements related to the product
Management How do you determine what customers require?
What statutory and regulatory requirements relate to the product/service?
What non-stated requirements are there?
How do you know you have determined the customers’
requirements correctly?
How good do you think you are at identifying what your customers’ needs really are?
How effective is the business at ensuring you don’t fall short of regulatory requirements?
Staff How do you identify
customers’ needs/
requirements?
How good do you think you (the organization) are at identifying what your customers’ needs really are?
7.2.2 Review of requirements related to the product
Management How do you review the organization’s capability to deliver what the customer requires?
Show me the details.
How much wasted work is carried out in this organization as a result of you, or the customer, changing what is required?
Staff How do you know you are
capable of delivering what is required?
How often do you fnd that you can’t actually deliver what you have agreed to?
7.2.3 Customer communication
Management How do you communicate information to customers?
What provision have you made that allows customers to raise queries or provide you with feedback?
How do you know that customers know how to communicate with the organization effectively?
How has this type of communication from the customer affected what you have done in the past six months?
84
Process Management Auditing for ISO 9001:2008
Clause no.
Requirement Question to whom Compliance question Effectiveness question
7.3.1 Design and development planning
Management How do you plan the design and/or development of a new product or service?
What resources do you need?
How do you optimize the use of resources you have available to you?
How do you prioritize different projects?
How do you know that your limited resources are being used in such a way as to maximize the beneft to the organization and its customers?
Staff How are new designs/
developments carried out?
Do you think that the organization knows which projects are more important than others?
How often do you get ‘torn’
between the needs of different projects and don’t know which to do frst?
7.3.2 Design and development inputs
Project manager What factors do you considered when designing/
developing a product or service?
What legal and regulatory requirements are important?
How do you know the design inputs have been identifed correctly?
How often do you fnd, when testing a product or service, that the design inputs have not been identifed correctly?
Design/development team
What factors do you considered when designing/
developing a product or service?
What legal and regulatory requirements are important?
How much wasted effort do you think takes place on design and development work?
Do you think you are careful enough when you design or develop products and services?
7.3.3 Design and development outputs
Project manager What design/development outputs do you have?
Do they contain the required product acceptance criteria?
How many changes are made to design/development outputs before they are correct and can be used?
How do you know that the design/development outputs are relevant and appropriate to the needs of the rest of the business?
Appendix 1
85
Clause no.
Requirement Question to whom Compliance question Effectiveness question
Design/
development team
What design/development outputs do you have?
Do they contain the required product acceptance criteria?
Can you give me an example of when the design/development outputs have not been understandable?
How relevant are the design/
development outputs to your job?
Do they provide you with the information you need?
7.3.4 Design and development review
Project manager/
project team
How often do you hold reviews?
What is the purpose of these reviews?
Who attends these reviews?
What happens at these reviews?
How often are agreed deadlines for actions missed?
Why is this?
How are disagreements or concerns on the way forward resolved quickly and to the beneft of the business?
Compared with your
competitors how good are you at getting products to market?
7.3.5 Design and development verifcation
Project manager/
project team
How do you test products and services to check that you have designed what you were supposed to design?
What records do you keep?
How often do you identify problems found with products and services after they are released?
How do you balance the need and risks to get the product or service launched with making it perfect?
7.3.6 Design and development validation
Project manager/
project team
How do you test products and services to check that you have designed something that meets the original customer or market needs?
How do you know that customer requirements have been met when you are designing the products and services?
7.3.7 Control of design and development changes
Project manager/
project team
How are changes incorporated into designs/developments?
How do you know that the changes to designs or developments will have the desired results?