The Most Important Audit Questions for ISO 9001:2015

If you’re preparing to start auditing against ISO 9001:2015, you’ve probably already asked yourself the timeless question:

What the heck am I going to ask these people?

There’s no worse feeling in the world than being in the middle of an audit and realizing that you don’t have anything to say in the way of questions. Preparation and planning can remedy this, of course, but the fact remains that ISO 9001:2015 includes a lot of new requirements that have never been part of most audits. To expedite your thinking, the following are believed to be the most important audit questions for ISO 9001:2015:

  • What can you tell me about the context of your organization?

This question is the starting point of ISO 9001:2015, appearing in section 4.1. The standard uses the clunky term “context,” but this could easily be substituted by asking about the organization’s internal and external success factors. Questions about context are usually directed at top management or the person leading the QMS (formerly known as the management representative).

As an auditor, you’re looking for a clear examination of forces at work within and around the organization. Does this sound broad and a little vague? It is.

Thankfully, the standard provides some guidance, saying that context must include internal and external issues that are relevant to your organization’s purpose, strategy, and goals of the QMS. Many organizations will probably use SWOT analysis (strengths, weaknesses, opportunities, and threats) to help get their arms around context, but it’s not a requirement. What the organization learns from this will be a key input to risk analysis.

NOTE: Not everybody will understand the term ‘context.’ Be prepared to discuss the concept and describe what ISO 9001:2015 is asking for.

  • Who are your interested parties and what are their requirements?

The natural follow‐up to context is interested parties, found in section 4.2. The term “interested parties” has a bizarre, stalker‐like ring to it, so smart auditors might want to replace it with “stakeholders.”

Remember, effective auditors try to translate the arcane language of ISO 9001:2015 into understandable terms that auditees can grasp.

Typical interested parties are employees, customers, suppliers, business owners, debt holders, neighbors, and regulators. As an auditor you’re making sure that a reasonable range of interested parties has been identified, along with their corresponding requirements. The best way to audit this is as an exploratory discussion. Ask questions about the interested parties, and probe what they’re interested in. If you’ve done some preparation in advance of the audit, then you’ll know whether their examination of interested parties is adequate.

That brings up an important planning issue: You will have to do a bit more preparation before an ISO 9001:2015 audit. Why? So you’ll have a grasp of context and interested parties. How can you evaluate their responses if you don’t know what the responses should be?

  • What risks and opportunities have been identified, and what are you doing about them?

Risks and opportunities could accurately be called the foundation of ISO 9001:2015. No fewer than 13 other clauses refer directly to risks and opportunities, making them the most “connected” section of the standard. If an organization does a poor job of identifying risks and opportunities, then the QMS cannot be effective, period.

Auditors should verify that risks and opportunities include issues that focus on desired outcomes, prevent problems, and drive improvement. Once risks and opportunities are identified, actions must be planned to address them. ISO 9001:2015 does not specifically mention prioritizing risks and opportunities, though it would be wise for organizations to do this. Risks and opportunities are limitless, but resources are not.

  • What plans have been put in place to achieve quality objectives?

Measurable quality objectives have long been a part of ISO 9001. What is new is the requirement to plan actions to make them happen. The plans are intended to be specific and actionable, addressing actions, resources, responsibilities, timeframes, and evaluation of results.

Auditors should closely examine how the plans have been implemented throughout the organization, and who has knowledge of them. Just as employees should be aware of how they contribute to objectives, they should be familiar with the action plans.

  • How has the QMS been integrated into the organization’s business processes?

In other words, how are you using ISO 9001:2015 to help you run the company? This is asked directly of top management (see section 5.1.1c) and is a very revealing question. The point is that ISO 9001 is moving away from being a quality management system standard and becoming a strategic management system. It’s not just about making sure products or services meet requirements anymore. The standard is about managing every aspect of the business.

Remember sections 4.1 and 4.2 of ISO 9001:2015? There we examined the key topics of context and interested parties. These concepts touch every corner of the organization, and this is exactly how ISO 9001:2015 is intended to be used. Top management should be able to describe how the QMS is used to run the company, not just pass an audit.

 

  • How do you manage change?

This topic comes up multiple times in ISO 9001:2015. The first and biggest clause on the topic comes up in section 6.3. Here we identify changes that we know are coming, and develop a plan for their implementation.

What kind of changes? Nearly anything, but the following changes come to mind as candidates: new or modified products, processes, equipment, tools, employees, regulations. The list is endless.

An auditor should review changes that took place, and seek evidence that the change was identified and planned proactively. Change that happens in a less planned manner is addressed in section 8.5.6. Here the auditor will seek records that the changes met requirements, the results of reviewing changes, who authorized them, and subsequent actions that were necessary.

  • How do you capture and use knowledge?

ISO 9001:2015 wants organizations to learn from their experiences, both good and bad. This could be handled by a variety of means: project debriefs, job close‐outs, staff meetings, customer reviews, examination of data, customer feedback. How the organization captures knowledge is up to them, but the process should be clear and functional.

The knowledge should also be maintained and accessible. This almost sounds like it will be “documented” in some way, doesn’t it? That’s exactly right. One way to audit this would be to inquire about recent failures or successes. How did the organization learn from these events in a way that will help make them more successful? It’s the conversion of raw information to true knowledge, and it just happens to be one of the most difficult things an organization can achieve.


These are by no means the only questions you’ll want to ask. They’re just the starting point. We didn’t even mention management review, corrective action, or improvement—all of which are crucial to an effective QMS. The seven topics discussed here are the biggest new requirements that auditors will need to probe.

By Craig Cochran

You Snooze, You Lose…

“Growing up in Namibia, I spent many of my holidays on my grandparents’ farm, which is in an arid area of the country. There was no electricity and every drop of water had to be pumped from a borehole. This didn’t worry my grandfather in the least.

Regardless of the season, he was up every morning before sunrise when the old cuckoo clock struck four, and was then in the kitchen making coffee. After this he headed out to attend the work of the day.

He didn’t press a “snooze” button. In fact, I doubt he ever set an alarm clock. His motto was:

“today, not tomorrow”.

He knew that when it was time to plough, that’s what had to be done, because the rains don’t have a snooze button. The same went for the cows. When they came into the kraal in the early morning, it was milking time. No hitting the snooze button.

The snooze button is an invention which encourages the poor habit of delaying unavoidable action.

Pressing the snooze button buys one a few extra minutes sleep, but doesn’t make a difference in the long run.

Instead of hitting the ground running, we fall prey to this folly of delayed action, which often results in things taking longer. Every time we choose “I-can-do-that-later”, we waste time picking up the thread and re-focusing.

In terms of safety, there are a number of examples. Two of these are OPPORTUNITY and RISK. Opportunity normally has a short time frame and if you press snooze, in most cases, you will lose out. The expression, “there will always be another opportunity”, is the language of losers.

The same goes for risk. Once it has been identified, it must be dealt with, because a risky situation cannot be put on hold. Actually, if swift action is not taken, an even bigger risk might be created by breeding complacency.”

Jurgen Tietz, director: eKhuluma and Disruptive Safety.
Source: SHEQ Management, Issue 1 2018.

ISO Systems and Procedures

As many might know, OHSAS 18001-2007 (Health and Safety Management System) is in the process of being established as an ISO standard.

The ISO 45001 standard, as it will be known, will apply the same structure, definitions and core text being used for the present revisions of ISO 14001 (environmental management system) and ISO 9001 (quality management system). The set date for release seems to be October 2016 at present.

ISO 9001 and ISO 14001 are also in the process of being upgraded and will be referred to as ISO 9001-2015 and ISO 14001-2015 respectively. In this regard it is important for any companies in their second surveillance phase to consider the required upgrades for all three standards: once these are published you will no longer be able to apply for certification to a previous standard and will have to apply the latest versions. This is a good opportunity to align all three and possibly reduce paperwork by addressing generic clauses in single documents.

There is much that can be done to develop your systems into effective management tools meeting all three standards in a well-structured management system. Remember to focus on developing policies and procedures that make sense to you and add value to your operation. Don’t get hung up on ISO clauses or on writing specific procedures to put in your system purely to satisfy an external auditor. Always remember this all-important guideline:

SAY WHAT YOU DO, AND THEN ENSURE YOU DO WHAT YOU SAY.

  • Define the parameters of the procedure and see if you can document the process on one page. If not, consider developing two or three procedures instead. For example, if you can write a procedure on stores management that fits on one page, then great; if not, consider writing separate procedures on goods receiving in the stores, packing product in the stores and, say, pulling stock in the stores. More is less in this case. Procedures that are to the point and contain as little irrelevant detail as possible for a staff member performing a specific function seem to work better. In other words, the chap doing goods receiving only wants to read about, well, goods receiving! 🙂
  • Make the procedure heading BIG. Let it pop out: what is the procedure about? Stick to the logical place of having a header and document description at the top. Ensure the document description starts with the process explanation. In other words, if it’s a document for, say, Storing fixtures, then call it as such. Do not call it Process for storing fixtures. Keep it simple. If someone is going to search for a document electronically, it’s always easier with fewer cluttering words. Try not to use useless defining words.
  • Keep it simple. Write a procedure in simple, plain language. The key is getting a process owner to understand his procedure quickly and easily. Refrain from using eloquent, illustrious, heavy-handed words; keep those for the steamy novel you are writing at home.
  • Include the actual process owner as much as possible when writing up a procedure. Over the years I have learnt many little tricks on process management that are unwritten. Managers know what final product they want out in the end; operators make it happen. Include staff in developing the process documents and there will be much better buy-in.
  • Write a procedure that makes sense to you and your staff. Do not write a procedure according to an ISO clause; it means nothing to most staff, and it’s not really possible to write an effective procedure covering all business aspects. Take 7.5.3 Identification and Traceability as an example: do not write a single procedure for 7.5.3. Rather, include the requirements for identification and traceability in the actual procedure for that specific area. This way all requirements for a process are in one procedure, there will be fewer document control issues, and the procedure will be very specific. Procedures written around an ISO clause generally tend to be an overview, unless it’s a more specific clause like review meetings. Let the external auditor find the clauses he is looking for, and make procedures easy for your staff to read.
  • A nice little touch that allows for good flow and quality consideration: at the bottom of each procedure, define the process that follows and call it the internal customer. So in a warehouse, the internal customer and next process for ‘Goods receiving’ is ‘Binning stock’. It links the processes together simply and allows the process owner to consider specifically where products and services are going next.

REMEMBER…SAY WHAT YOU DO, AND DO WHAT YOU SAY!