Internal Audits and Third Party Audits

Analysis, Statistics, Control Charts, Statistical Methods, Audit, Auditing

Question

Shouldn’t a company audit its own processes and procedures to ensure compliance before a third-party audit is scheduled?

Answer

Thanks for contacting ASQ’s Ask the Experts Program.  In response to your inquiry, yes, it would be a good idea for the organization to conduct an internal audit before a third party audit is performed, especially if no previous internal audit has been completed.  It’s important to remember that the primary purpose of conducting an internal audit is to assess the continued implementation and effectiveness of the quality management system and its processes.  Not conducting internal audits on a scheduled basis could jeopardize the organization’s ability to maintain its ISO 9001 certification as well as increase the probability of the occurrence of nonconformances and customer complaints.  An internal audit process is an indispensable tool required for the assessment of the QMS, its processes as well as to identify opportunities for improvement.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Website: www.astontechconsult.com

For more on this topic, please visit ASQ’s website.

Unsigned Audit Report

ISO documentation practices, requirements

Question

Is it acceptable for an auditor to submit an UNSIGNED audit report in Word version? I’m QA director at a pharmaceutical CRO. We were recently audited by one of our clients. They refuse to provide a signed audit report because they say it is not their policy to do so. This seems wrong to me on many levels. Is this acceptable?

Answer

Thank you for submitting this question to ASQ’s Ask the Experts Program.

I’m not aware of any requirement that states that the auditor must sign the audit report. In situations, where an audit organization is involved, the audit organization’s management or representative signs the audit report cover letter. The name of the lead or principal auditor, as well as the names of all audit team members, should be included in the audit report. The actual audit report may or may not include a signature sign-off from the auditor or audit team members.

If an audit organization is not involved, then it would be the responsibility of the lead or principal auditor to sign the cover letter or audit report to approve its content. As you’re aware, the audit report serves as a record to document the audit results. For this reason, the signature of the auditor or audit organization is essential since it confirms the content of the audit report. This sign-off may appear on the cover letter or the report.

If your organization requires sign-off on the audit report in addition to the cover letter, then this requirement should be identified and agreed upon by all parties prior to conducting the audit. In the future, if no audit organization is involved, consider requiring independent auditors to provide copies of their qualifications and auditor certifications (ASQ CQA, Exemplar Global, IRCA, PECB or other) before the start of the audit. Aforementioned could minimize a recurrence of this or a similar concern.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Website: www.astontechconsult.com

For more on this topic, please visit ASQ’s website.

ISO 9001: 2015 Tools for Auditors and Risk Based Thinking

Mr. Pareto Head and ISO 9001 audit

Question

In addressing clause 4 of ISO 9001:2015 regarding organization context and interested parties, what type of tool (spreadsheet, diagram, flowchart, etc), would you recommend to use to simplify the practice and to give a proper  understanding for auditors ?  I understand that risk evaluation (ISO 9001:2015) should be accomplished not only at a high level of establishing and planning objectives, but also at the processes level. If this is right, could organization use some criteria to select processes to be evaluated?

Answer

Thanks for contacting ASQ’s Ask the Experts program.  Regarding your inquiry, your selection of tools such as spreadsheets, diagrams, flowcharts and etc., should be driven by whatever best fits your organization’s context, QMS scope and requirements of interested parties.  However, before proceeding with tool selection to “simplify” practices as mentioned in your inquiry, it is essential that the changes and new requirements of ISO 9001:2015 are fully understood and communicated throughout the organization.  As you know, transitioning from ISO 9001:2008 to ISO 9001:2015 will require much more than providing understanding to Auditors.  The transition process should begin with top management and then flow down to the process owners and others throughout the organization.  If a gap analysis hasn’t already been completed, consider doing so to identify those processes that must be improved to meet ISO 9001:2015 certification requirements.

As you know, risk based thinking (RBT) must be a part of an every organization’s process approach, to ensure risks and opportunities are identified and addressed.  Although RBT is not new, it is a changed approach.  ISO 9001:2015 supports the scalability of quality management systems which allows them to be specific to an organization’s  processes, products, and services.  The landscape of today’s quality management systems has changed.  It’s not a “one size fits all” situation.  For this reason, it’s essential for top management, process owners as well as the QMS Auditors to develop a thorough understanding of ISO 9001:2015 and its requirements.  Also of equal importance is the familiarization of top management, process owners, and Auditors with the principals of risk assessment, management and related terminologies (i.e., ISO 31000:2009).

The effectiveness of future QMS audits will depend upon Auditors that can apply their collective knowledge of ISO 9001:2015, risk assessment, and management requirements, as well as their in-depth knowledge of the industries, processes, products, and systems, audited.  Exemplar Global and other accredited ISO 17024 personnel certification bodies have developed online training courses for the purpose of explaining the requirements of ISO 9001:2015.  Other information about transitioning to ISO 9001:2015 is available on the International Accreditation Form’s (IAF) website at www.iaf.nu.  Click this link to read about the recent publication of ISO 9001:2015 http://www.iaf.nu/articles/Publication_of_ISO_90012015/443

About the second part of your inquiry (item b.), it’s important to be aware that RBT applies to every process that comprises your organization’s quality management system.  RBT should be integrated into your organization’s QMS and product planning processes to ensure risks and opportunities are identified and addressed.

A few key questions to consider include, how will your Registrar verify your organization’s conformance with ISO 9001:2015 requirements?  What is your Registrar’s timeline for transitioning existing clients to ISO 9001:2015 requirements?  What type of support will be provided to assist clients through the transition process?

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827)

For more information about this topic, please visit ASQ’s website.

Writing ISO 9001:2015 Procedures

architecture building city concrete

Question

I am in the process of implementing ISO 9001:2015 at a heavy civil construction company. I do not have any prior experience implementing but did work in an ISO environment for 13 years. I am looking for assistance on how to go about writing procedures to ensure that they incorporate the ISO requirements.

Answer

Thanks for contacting ASQ’s Ask the Experts program.  Concerning writing procedures, there are a few things to consider.  In general, a procedure should be structured to define its purpose or scope.  If the procedure is intended to address an identified risk or opportunity, it should be stated.  Likewise, consider including specific references to customer, industry standards, and internal requirements that are being addressed in the procedure.

Other key points to consider include structuring the procedure to be consistent with the flow of the process or activities controlled by the procedure.  Also, if appropriate, include reference to acceptance criteria, identify who, when, and how these activities will be conducted.  References to any required records to be maintained to provide evidence of conformance should also be a part of the procedure.  The importance of ensuring the participation of the process owner as well as others responsible for performing the activities identified in the procedure can’t be overstated.  If possible, the process owner and other interested parties should be involved in the development, review and approval of the procedure.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-2827

For more on this topic, please visit ASQ’s website.

Dual Certifications

Drill, oil, petroleum

Question

Our company currently holds dual certifications to API Q1 and ISO 9001:2008 that are not set to expire until November 2017. When making the transition to ISO 9001:2015 and re-certifying in November 2017, will we be able to do dual certifications or will we have to do API Q1 separate from ISO 9001:2015?

Answer

Hello,

Thank you for contacting ASQ’s Ask the Experts program.  In response to your inquiry, the timing for transitioning your existing QMS from ISO 9001:2008 to ISO 9001:2015 is dependent upon your Registrar’s timeline to begin issuing ISO 9001:2015 certifications.  I highly recommend that you discuss this subject with your Registrar to determine how and when this transition will take place.  In my professional opinion, this transition process may be similar to the recent move from API Q1, 8th edition to API Q1, 9th edition.

Since your current certification expires November 2017, transitioning sooner rather than later is recommended.  Especially since unlike API Q1, the ISO 9001 certification expiration date cannot be extended.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
800 Rockmead, Suite 170, Kingwood, TX 77339
Office: (281) 359-2827
Website: www.astontechconsult.com

For more on this topic, please visit ASQ’s website.

Risk Based Thinking in ISO 9001:2015

Reporting, best practices, non-compliance reporting, analysis

Question

In 0.3.3 clause of the standard – it is said that “A positive deviation of the risk can provide an opportunity, but not all positive effects of risk result in opportunities.”  Can you please clarify this statement?

Answer

Thanks for contacting ASQ’s Ask the Experts program.  Good question! As mentioned, ISO FDIS 9001:2015, Clause 0.3.3, which states, “A positive deviation of the risk can provide an opportunity, but not all positive effects of risk result in opportunities”.

In my opinion, this highlights an important point.  That is, not every positive deviation or change of a risk will include opportunity.  Consider the recent changes that have occurred in the Oil and Gas industry.  When the demand for crude oil was high, the availability of various materials and services providers was low, and prices were high.  This situation (availability of materials, services providers and costs) may have been identified as a supply chain risk.

However, the oversupply of crude oil drove prices down.  Crude oil production has dropped to stabilize pricing at the pumps.  This positive deviation of risk has provided an opportunity to crude oil producers, which includes the improved availability of materials, greater selection of services providers as well as more competitive pricing.  So dependent upon where you sit, this deviation of risk may be considered a negative that has decreased product demand and lowered pricing or a positive that has lowered consumer pricing and increased availability.

Consider companies that are providers of upstream services to crude oil producers.  Their risk based thinking may have identified the supply of qualified personnel to perform upstream servicing as a risk.  The decrease in demand for upstream services has increased the pool of qualified personnel.  However, this positive deviation of risk does not represent an opportunity.  The scenarios mentioned above are basic and intended to highlight the point of ISO FDIS 9001:2015, Clause 0.3.3.  There are far more dynamics that should be considered when assessing the deviation of risk versus opportunity.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827) or Toll Free: (888) 968-9891
Website: www.astontechconsult.com

For more on this topic, please visit ASQ’s website.

Internal Audits

Employees, Training, Working, Learning, Duties, Tasks, DFSS, Innovation, Audit, Auditing

Question

Can the Management Representative be part of the internal auditor team?

Answer

Thank you for contacting ASQ’s Ask the Experts program.  Concerning your question, ISO 9001:2008, clause 8.2.2, only prohibits persons from auditing their own work.  So provided that the Management representative is assigned to audit processes that are outside his/her work responsibilities, there is no other restriction in with regard.   ISO 19011:2011,clause 4.0, “Principals of auditing” as well as clause 6.3.3, “Assigning work to the audit team”, should be reviewed for additional insight and understanding.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827) or Toll Free: (888) 968-9891
Website: www.astontechconsult.com

For more on this topic, please visit ASQ’s website.

Approved Supplier List

Mr. Pareto Head and Supply Chain comic strip

Question

I would like to know how supplier status in the Approved Supplier List (ASL) should be managed so that there is complete traceabilty.  For instance, a vendor status is changed from approved to not approved in the ASL for reasons other than substandard performance which is documented in an audit report, how should QA document such change to ensure that these changes are tracked. Could QA make changes in the ASL without notifying the Purchasing Department and without any documentation?

Answer

Thanks for contacting ASQ’s Ask the Experts program.  Concerning your questions, about supplier status traceability, and ASL management, the following response is provided.

Dependent on the number of suppliers involved and the availability resources, an organization may choose to utilize a single or combination of methods to monitor supplier performance and supplier status.  These methods may range from using an MS Word or Excel spreadsheet, Access database to a multi-user database.

As you are aware, ISO 9001:2008, Clause 7.4.1, requires the organization to establish criteria for selection, evaluation and re-evaluation of suppliers.  This clause also requires records of results of evaluations to be maintained.  This includes any necessary actions taken as a consequence of the evaluations conducted, such as the removal of a supplier from the ASL or changed approval status.

ISO 9001:2008 does not limit a company’s ability to remove a supplier from the ASL.  This is an internal decision based on the company’s established criteria.  So there could be various reasons for removing a supplier from the ASL.  Likewise, with changing a supplier’s status from pending, approved to not approved.  As mentioned, ISO 9001:2008, Clause 7.4.1, requires records of supplier evaluations to be maintained, and any actions taken as a result of the evaluation to be retained.

The a primary purpose of the ASL is to ensure the placement of purchase orders or contracts are limited to those suppliers that meet the company’s established criteria for supplier selection, evaluation, and re-evaluation.  For this reason, Purchasing must be included in any changes made that may affect their use of the ASL.

Generally speaking, Purchasing is responsible for maintaining and updating the ASL, which includes ensuring the current status of suppliers of products and services are identified.   The company’s internal audit process is typically used to assess Purchasing’s conformance with established criteria for supply chain management.

In summary, I would not recommend that changes be made to any QMS process without the involvement of the QMS process owner and management as applicable.  ISO 9001:2008, Clause 5.4.2, sub b., requires top management to ensure that the integrity of the QMS is maintained when changes are planned and implemented.  If changes are made to the ASL, Purchasing should certainly be involved.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827) or Toll Free: (888) 968-9891
Website: www.astontechconsult.com

For more on this topic, please visit ASQ’s website.

ISO 9001 Internal Audit and TQM

Audit, audit by exception

Question

In ISO 9001 internal audit process, can we include the TQM function? If so, then which clause of ISO 9001 refers to it?

Answer

With regard to the ISO 9001:2008 internal audit process and its relationship to total quality management (TQM), it should be noted that TQM was a concept used by many companies worldwide prior to the existence of ISO 9000 quality management systems.

A few of the commonalities that are shared between TQM and ISO 9001:2008 include their focus on:

  • Reducing costs
  • Increasing profits
  • Leadership’s involvement
  • Ensuring customer satisfaction
  • Ensuring employee competency and involvement
  • Resource management
  • Quality system planning
  • Development of mutually beneficial supplier relationships
  • Accomplishment of objectives that support the organization’s mission (i.e., quality policy)

The primary difference that sets ISO 9001:2008 apart from TQM is that ISO 9001 has defined requirements for the establishment of documented procedures and records to provide evidence of conformance.  The concepts of TQM permeate quality systems that are based upon ISO 9001:2008 requirements.  In my opinion, if your internal audit criteria is ISO 9001, you’re also verifying that TQM concepts are being utilized within the quality system.  More information regarding TQM is provided in Juran’s Quality Handbook, 5th Edition.  Also consider reviewing the eight (8) quality management principles provided in ISO 9000:2005, Introduction, subclause 0.2.  These principles are applicable to all ISO 9000 family of quality management system standards.

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
800 Rockmead, Suite 170, Kingwood, TX 77339
Office: (281) 359-ATCS (2827)
Website: www.astontechconsult.com

For more information on this topic, please visit ASQ’s website.

Using White Out on Controlled Documents

ISO documentation practices, requirements

Question

During our certification for AS9100C the auditor found some documents with correction liquid that we have used for years. We have prohibited the use of any type of correction on all processes company wide.

It is common that during the prototype stage we performed dozens of changes due to the differences between the calculating/design program (electrical) and what happens in real life. During those adjustments we change manually circuits, values, etc. from the original version, with white-out tapes (before was liquid paper) once the prototype works those changes are incorporated as “Initial release” in the package that goes out for manufacturing. Do you guys see any problem using white out tape / correction tape on the controlled copies during prototype stage? My point is that the original values are recorded on the originals that will be obsoleted and the new ones on the initial release, keeping the controlled copies marked as records of the prototype.

Response

Thanks for contacting ASQ’s Ask the Experts program.

With regard to your inquiry, changing the documented results of inspection or test activities should be avoided or at least strictly controlled.  This is of special importance if these records are intended to provide evidence of product or process conformance.

However, prototype test results which may be subject to frequent changes during preliminary inspection or test activities, doesn’t require the same level of control.  These results are usually intended for informational purposes only and not for final acceptance of a process or product.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
http://www.astontechconsult.com