Q: I‘m seeking clarity and advice on a recent incident I was informed about.
An organization I am very familiar with and is fully certified to ISO 9001:2008 Quality management systems–Requirements (with no exemptions) recently had a new external auditor come in to conduct a certification audit.
While continued certification was recommended, a number of small areas of concern were noted.
I understand that most of the recommendations will improve the system, but one recommendation has caused me some concern.
A bit of history of the QMS of this organization:
This company originally gained certification under ISO 9001:2000 and has transitioned to ISO 9001:2008. They have a very robust quality management system (QMS), have clearly identified their processes, and have mapped their procedures to these various processes. They have implemented a rigorous internal audit program which has targeted these procedures and their interrelationship with the various processes.
My problem is that the report for this recent certification audit stated that under 8.2.2 of the standard, in order to ‘gain’ full certification to ISO 9001:2008, they have to conduct process audits rather than procedural audits, or their certification could be at risk. This has caused some angst with senior management, as their previous certification body was happy with their implementation of the standard.
8.2.2 b: Internal audit
“An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited…”
I can see no mandatory requirement in 8.2.2 to support the statement that process audits have precedent over procedural audits as long as the status and importance of the processes are taken into consideration.
My understanding would be that the requirements of 8.2.2 would be met if the organization’s processes are clearly identified and its procedures and their interrelationships are mapped to the processes and it can be clearly identified during the audit that process requirements are being addressed with the procedures.
Obviously if it can be shown that the processes are not adequately covered, then that must be addressed. But I do not believe this is the case here.
Your advice would be greatly appreciated.
A: I hope to answer your questions about process vs. procedure in ISO 9001:2008. I will offer several different definitions. This is not to confuse you, but to help you see how different people deliver the same message while using different words.
We will begin by trying to recognize just what a procedure is. You can have any number of procedures within a process. That means, a process requires one or more procedures. You take actions to get results. The actions you take are your procedures.
I once read it this way on the internet: procedures / actions / activities / work instructions all describe the lowest level of decomposition, i.e.: the procedure cannot be broken down further.
A process is “something going on.” It is a continuing natural or biological activity or function.
A process is a series of actions or operations conducing to an end. It is a continuous operation or treatment, especially in manufacturing.
A procedure is a particular way of accomplishing something. This is also defined as a series of steps in a regular definite order; a traditional or established way of doing things.
While the two could sound similar, they are clearly not the same thing. A process refers to a series of actions, but does not place a particular order on those actions.
Procedures however, are focused on steps, order and instruction. As the author Mark McGregor once wrote, “We can see that while a process may contain order, it does not require order to be a process. If we take away the order from procedure, then we don’t have a procedure, but we may still have a process.”
You are not alone in your questioning of this. It is like the ongoing controversy over continual vs. continuous in the quality arena. However, the distinction between a process and a procedure should be more clear to you after reading above.
Now, let’s consider why. Why is 8.2.2 worded the way it is? I think the most simple way to put it is this: in the past, it was not uncommon for internal audit teams to concentrate on element auditing. That is, they audited the verbiage of the documented procedures to see if they complied with that of the standard.
Each individual company has their own processes. It is through those processes, those actions, that you would comply with the intent of the standard. The value of controlling and improving on those processes is reflected in your audits.
Input -> Process -> Output
So, it does not matter how you word things. The product audit (or service audit) determines if tangible characteristics and attributes of a thing are being met. A process audit determines whether process requirements are being met. During the process audit, the auditor will examine an activity or sequence of activities to verify that inputs, actions, and outputs are in accordance with an established procedure, plan or method.
By now, you have seen a pattern to all the words above. My intention was not to muddy the waters further, but to help you recognize why so much light has been shined on process activities. To “do what you say you do” requires having documented procedures and following what they say. Doing all of this in an efficient and a profitable manner requires process control.
Finally, if you haven’t already done so, I strongly suggest that you acquire a copy of The Process Auditing & Techniques Guide by J.P. Russell. This is a good guide you can order through ASQ and it can help with setting aside some of your concerns and answer questions.
I hope this has been helpful.
ASQ Senior Member, CQT,CQI