The Role of an Observer During an Audit

Audit, audit by exception

Question

A customer of ours wants to participate as an observer in an upcoming audit. I’ve not been able to find much information about the role of observer – what they can and cannot do.

For instance, I assume that they cannot ask questions during the audit interview process. Does anyone have an appropriate checklist for an observation – list of dos and don’ts?

Answer

The auditors should be notified of the presence of the observer in advance. There are times when this may not be allowed, depending on the type of the audit.

The customer should sign a confidentiality agreement on not disclosing any information outside the audit process. The rules should be established as part of this confidentiality agreement.

An observer (customer) may not engage in any part of the audit.

The observer may not interfere in any aspect of the audit (may not inject, provide opinions, argue a finding, speak for or against a finding, use the audit information for a future punitive measure).

If questioned during the audit, the observer should explain the role as observer. Ideally this should be brought to the attention of the auditor in advance.

These basic rules ensure that the audit is not compromised in any way and the customer’s request to witness the audit is conducted in a professional manner.

Dilip A Shah
ASQ Fellow, ASQ CQE, CQA, CCT
President, E = mc3 Solutions,
Technical Director, Sapphire Proficiency Testing Services.
Past Chair, ASQ Measurement Quality Division (2012-2013)
Former Member of the A2LA Board of Directors (2006-2014)

ISO Standard Audit and Confidential Information

Reviewing confidential files, training records, human resources files

Q: During an external audit, what records are we allowed to keep confidential – e.g. human resources records? Certain records pertaining to new business leads or accounting matters? Specifically, my question is related to audits to the ISO 9001:2008 Quality management systems–Requirements and ISO 13485:2003: Medical devices — Quality management systems — Requirements for regulatory purposes standards.

A: The “scope” of any audit is the quality management system (QMS) as found in the ISO standard for quality management. Areas such as finance, marketing plans, sales goals, and other business-related topics are not part of a QMS audit.

It should be understood that during the audit, potential areas of conflict between the auditor and auditee might exist. The most common is when the auditor wants to see training records and the auditee claims them to be a confidential part of HR records. The auditor needs to be a diplomat here and explain that only the training record is needed and not the entire HR record.

Also, it is not uncommon for the auditee to require the auditor to sign a non-disclosure agreement stating that the auditor(s) will keep everything observed during the audit confidential between the parties.

Again, the scope of the audit, usually agreed to ahead of time, is the QMS — not any business related matters.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor

ISO 9001 Quality Manual

ISO documentation practices, requirements

Q: My small company is forcing me in the direction of using flowcharts to specify ISO standards. With their many branch statements, they are convoluted and confusing. I prefer plain, simple English. But my question is: is it ok to use flowcharts to specify ISO 9001 standards?

A: Actually, as long as you do not intend to become registered (also called certified), you can – and probably should – implement the ISO 9001:2008 Quality management systems–Requirements standard any way you want! I happen to like flowcharts, as long as they are limited to one page and fewer than a dozen boxes.

But if you intend to become registered, the registrar you choose will always require you to explain how you are implementing the concepts contained in ISO 9001. Most firms choose to call this explanation document a quality manual. You do not repeat the words of ISO 9001; rather, you say how you intend to implement the concepts locally. A manual should be site-specific and about 50-60 pages. Some have written them in 20 pages.

Once you have the framework (manual) in place for the system, then you need to write procedures for the processes. Remember, procedures are job performance aids for an already-trained and qualified person. They should be about five to six pages, since the individual already knows how to perform the tasks.

The powers that be in your company want these procedures to be in the form of flowcharts. That’s OK, as long as you have explained this in your manual. The registration company accepts your manual before they ever send an auditor to your site. If they have accepted your description of flowcharts instead of procedures, then the auditor must accept that approach.

The whole point is to provide information to the person doing the job in a way that is useful, whether as written standard operating procedures (SOPs), flowcharts, or pictures. It is the implementation that matters.

Dennis Arter
ASQ Fellow
The Audit Guy
Columbia Audit Resources
Kennewick, WA
http://auditguy.net

Example Quality Manual

Need to write a quality manual that conforms to ISO 9001:2008? Download an example quality manual from the ASQ Knowledge Center and read about how to create one!

Merging With a Non-ISO 9001 Certified Organization

Reporting, best practices, non-compliance reporting

Q: My federal agency is comprised of many different internal organizations. We have a scenario where an organization recently certified to ISO 9001:2008 Quality management systems–Requirements is planned to be merged with a non-certified organization that has no type of management system. The certified organization’s certification runs for three years, but it will be more closely integrated with the non-certified organizations. Will the merger affect the certified organization’s certification? Do you have any insights on how these types of occurrences typically affect the management system itself when an organization that is certified for 100% of its operations now becomes 50% of a larger organization? It’s quite likely that the certified organization’s name will change at least in part.

A: With regard to your question, if company “A” is already ISO 9001:2008 certified and is now being merged with a non-certified company, here’s what should be considered. First, the current ISO certification is only applicable to company “A” as defined in the scope of the quality manual as well as on the ISO 9001 certification issued by the ISO registrar.

Your ISO registrar needs to be immediately informed of changes affecting the company name, top management and/or processes. The registrar may very likely require the newly merged companies to be reevaluated for ISO certification and listed under one ISO certification.

Most ISO registrars will not issue ISO certification for just a portion of a company. All processes that comprise the quality system must be identified and included as a part of the QMS unless a specific exclusion is stated in the quality manual as permitted by ISO 9001. The management representative will need to ensure that top management is aware of how this merger may affect the current QMS so effective actions can be taken to bring company “B” in line with the established QMS procedures and other ISO requirements. I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com