All posts by Sal

30 years in the Quality field including experience as QA Manager for a Fortune 100 company and as a Quality System Certification auditor for the top Registrars in the field - plus over 10 years of Information Technology Management in dual roles. Specialties: ISO 9001 Quality, ISO 14001 Environmental, OHSAS 18001 Safety, ISO/IEC 27001 Information Security, RAB QSA Certified Assessor,

Audit Preparation

So, you’ve got an audit coming up – your registrar is sending out someone you know is out to ruin your whole day. I’d like to help save you.

One important key to success is self confidence. An important key to self confidence is preparation.
– Arthur Ashe

First off, some context – what are you preparing for? In order to be Certified (or Registered), at some point there need to be troops on the ground to evaluate your company against your standard of choice. Sure, they are friendly troops – probably even likable in their doltish, uncomplicated way; but they aren’t your troops, and you’re really not sure what side they’re on.

Fact is that they probably are on your side, and they don’t want to make your life more complicated – or theirs, but you have to meet them at least half-way. The trick is to start off on the right foot by making their job easier. Why not? And let them know you understand they are only there to make the system stronger.

So we’re all on the same page, let’s review the process of getting and staying Registered (or Certified – let’s pretend it’s the same thing, okay?).

The Certification Cycle

There is a sequence of events to getting Registered. Part of it is a continuous loop. Once you’ve gotten your system mostly installed and have a minimal amount of records from it, typically you will begin the path that includes several stages.

[Figure: Certification Loop]

“Stage 1” audit: Also known as a “Readiness Review”, this is where you want to show the skeletons in the closet; reveal as much as you can. It is more of a “check off the boxes” type of audit; does the piece exist or not? Registrars vary in the depth of auditing on Stage 1’s and generally more is better. Ideally you’ll want a deeper audit, but time is a factor. If you’re confident in an area, best to encourage the auditor to move on. Don’t forget that this is mostly for your benefit (the auditor is using it to get a feel for the territory and help in his planning process). It is a good idea to have your Registrar describe the depth of their version of a Stage 1. Even within a Registrar there is variation between auditors in just how deep they’ll go on a Stage 1 – letting your program manager know you are concerned with depth will help ensure you get what you want.

There will typically be an action list from this exercise, not non-conformances (there may be several dozen items on it; more is better). Use this to help you determine if you are ready for the next stage. Two months is typical, sometimes it means six; it depends on the issues and your resources.

The “Stage 2” or Registration/Certification Audit is the actual game time. You’ll want to limit your answers (and the answers of all employees) to what is being asked. Part of this is because time will be relatively tight, and side-trips are exactly that. There will be interviews, paperwork and records reviewed – an audit. They are as fun as they sound. In all actuality they are often quite pleasant, the key is to remember that everyone is really on the same team, and the goal is improvement. It is not unusual to have a small training session so folks know what to expect and how to act.

Action items become non-conformances in two flavors: minors and majors. Definitions vary, but essentially a minor represents a single or a few occurrences or deviations from an established procedure. Majors would be a large number of minors in one area, or a missing key process, such as no or shoddy Internal Audits, lack of an effective Management Review, or evidence of bad product escaping to a customer. Majors may require either a submission of documents, or a physical re-audit of the impacted section of the standard.

You can expect, and should not feel sheepish about, a small number of minors. The only real difference between majors and minors is the amount of time allowed to respond and correct them before Certification will be recommended.

Once Recommendation occurs – this, by the way, is the most an Auditor can grant you – the audit package is submitted. Usually there are two levels of post-audit review: an administrative review, and a technical review. Administrative means checking for the correct forms – were all the right things done. Technical review means a more detailed review by someone who knows about auditing and has knowledge of the applicable standard. It is for checking if the right things were done right.

It is seldom that a recommendation is overturned, but not terribly unusual for there to be small clerical errors in need of repair or clarifications needed.

And then – CONGRATULATIONS! You’ve got yourself a Certificate – probably even a framed one (some Registrars actually provide an engraved plaque…)

Then the “Surveillance Audit” cycle begins. Usually it is in one year’s time, though some Registrars allow, and customers request, that these occur twice per year. This will depend on the culture and resources of the company, and typically a twice-annual process works when higher external supervision or validation is desired.

These audits always look at the core clauses: Internal Audits, Management Reviews, Corrective and Preventive Actions, Improvements – along with some portion of the remainder. After another year, there is another Surveillance. This one, again, looks at those core clauses plus whatever was not looked at in the previous audit. There is often overlap regarding manufacturing.

Completing the loop, after two yearly surveillances have occurred, is a “reCertification” audit. This looks at the full system, though with less depth than the original audit and more focus on improvement capabilities.

I’ll close with a short list of what you should have ready for the auditor to look at on your Surveillance audits.

Surveillance Audit Preparation

This list is made specifically for Surveillance audits, but should work well as a start for Certification audits as well. Have available the following documents and records:

Minimum Documents

  1. Quality Manual (1 printed copy for each auditor).
  2. Procedures, if you have them, for:
    • Management review,
    • internal audits,
    • corrective and preventive action and
    • non-conforming product. Ensure they are easily accessible.
  3. These can be either printed, put onto a USB stick for auditor use, or easily accessible via some on-line interface. Allow the auditor time and space to “drive”.
  4. The above is the minimum they’ll need; if you’ve got a binder with all of the procedures then all the better. Also, a master list of all documents is handy – I know this is not a requirement in many cases (unless your dated system has made it one), but if you have one – this would be a good time to have it there for the auditors.

Minimum Records

  1. Last two Management Reviews; the “minutes and materials” with any action items and progress to them if those are not contained in the record.
  2. Internal audit reports and notes, including the full schedule [<- how to make one].
  3. Recent corrective, preventive and improvement actions. Sometimes this is a database, sometimes it is a log with references to completed forms; have them available or a plan for how the auditor may access them.
  4. If Training is on the agenda, having a list of recent hires is useful (past 6 months should be fine).

Some other “nice to haves”

  1. Internet access; wired or wireless.
  2. Bottled water and juice (juice boxes … tempting).
  3. Snacks and the like are completely optional – auditors eat enough junk food on the road. But if you and your crew want an excuse to get bagels or donuts, or bagels and donuts – or muffins, or bagels and donuts and muffins then I’m sure the auditor will be happy to join you. Let’s call coffee and tea (hot water) a given.
  4. A provision for lunch – typically this should be brought-in to save time. A selection of menus is usually good. Please, keep in mind that some of us are vegetarians – and the house salad shouldn’t be the only option. Do you really want a grumpy, hungry auditor?

So there’s a few things you should know as you prepare for an audit. A little background, what to expect, and how you can get off on the right foot with the audit team.

Keep it positive and non-contentious, and you’ll do just fine.

 

Good luck and, I know you will with pride – go forth, and calibrate thyself.

Thank you,

Sal

 

ISO General Assembly

The ISO General Assembly is a Big Deal in the world of standardization (our world, as luck would have it) and it is being held this week. This year, the 36th anniversary, is hosted by the Russian Federal Agency on Technical Regulating and Metrology (GOST R) in St. Petersburg, Russia and will run until 21 September. This is not the first time the meeting has been held in Russia, by the way; the members met in Moscow back in 1967.

The General Assembly is an opportunity for ISO members to meet and exchange ideas, eat food and dance. Well, I made up the dancing part to see if anyone was paying attention. Come to think of it, maybe there is some dancing – who knows? Representatives from over 130 countries will be there – maybe some of us can attend next year? Anyone??

There are two good places to get information on it at the moment:

  • Twitter, under the hashtag #ISOGA, and
  • on ISO.org – they have a dedicated page for it (of course) – it updates frequently.

I’ve posted a variety of YouTube videos, as a play list, below. If your Spanish is rusty you may want to skip ahead on the first one, though there are subtitles. It is, after all, an international organization….

Enjoy – thanks!

(and keep up that whole self-calibration thing)

Sal

 

 

Internal Audit Schedule Part 3 – How To’sday!

Risk Based Internal Audit Schedule

The past two “Toolsdays” have explored various options for generating an internal audit schedule. This week, I wanted to spend a little dedicated time on what is called a “Risk Based Audit Schedule”. There are versions of this found out in the Interwebs, and frankly – I think most of them are just too complicated for most companies. If you’re a multinational aerospace company or deal with medical device directives then yes, by all means, investigate and ensure you’re doing all you can to mitigate risk by every means necessary.

But for most of us, simply adding the concept of risk to our management system is a huge gain for very little effort. This is especially true for those who are ISO 9001 registered. Starting with the audit schedule, going through the process of determining risk is a stepping stone to finding opportunities for improvement in every area.

While the concept of Risk has been in place for some of the other ISO standards, notably ISO 13485 for Medical and in the Aerospace standards (AS9100 et al) it is new to ISO 9001 – or will be, when the next version arrives in 2015.

Companies will likely be searching for ways to incorporate risk awareness into their management systems. The Internal Audit Schedule is a common-sense early target.

What is Risk?

Risk-based Internal Auditing is a method that considers the intersection of Likelihood and Consequence to help determine where, and sometimes how, audit resources are put into play: resources in terms of time, frequency and auditor expertise.

[Figure: Risk Determination]

Basically if, in a given process, something catastrophic could result and it is likely to occur, then it will be given a higher priority and prime resources over a process where catastrophe is unlikely.

Consider the process of welding support structures compared to stenciling the company logos on them.

The welding operation should receive more detailed, deep and frequent audits versus the logo-application process.

Sometimes, however, there may be a seemingly benign consequence – say a missing manual, but it is quite likely to occur. This should be given added attention (and a good investigation for process capability, as an aside).

Similarly, there may be an unlikely event with tragic consequences. Even though tight process controls and inspection steps nearly ensure detection of a weld error, because the consequence may be dire and tragic, then this too is worthy of heightened attention.

Scoring Risk

Part of the process in creating a Risk Based Audit Schedule is generating a relative score for risk. This can be calculated based on likelihood and consequence.

If you’re familiar with FMEAs then this concept is familiar as well, but it can be simplified for our purposes. If you aren’t familiar with FMEA then – well, another day, my friend – another [Tues]day (okay, I made you a link to the Wikipedia entry – just make sure you come back!).

Basically we need a few pieces of information – or, technically, data:

  1. Function or Process
  2. What could go wrong
  3. A rating (L) from 1-10 of our confidence in the controls in place to identify or prevent the occurrence (10 being no confidence in detection or prevention)
  4. What will happen if that went wrong
  5. A rating (C) from 1-10 of that Consequence (10 being tragic)

This may take some doing and require a knowledgeable cross-functional team, but it is a worthy exercise for creating an audit schedule – and quite useful beyond that.

For each auditable area simply take the L and multiply it by the C to get a number – let’s call it “Ra”.

The Risk Based Schedule

With each process, along with its Ra score identified we can lay down our risk based audit schedule. Should look something like this:

[Figure: RBA basic sched]

The higher the Ra score, the stronger the team and the more frequently it will be audited.

Naturally, yours will be fleshed out more, and you’ll define somewhere the compositions of the audit teams. “A” in this example would be your more experienced day shift auditors, “C” possibly an experienced night shift auditor, and “B” is a team with some trainees.
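The scoring and scheduling steps above as a short Python sketch, added here as an illustration and not taken from the original post. The register entries, the Ra bands, the audit frequencies and the single-rating threshold are all assumptions; the threshold applies the earlier point that a process with one extreme rating deserves added attention even when L × C comes out modest.

```python
from dataclasses import dataclass

# Constructed sample register: (process, what could go wrong, L, what happens, C).
# Processes echo the post's examples; every rating is invented for illustration.
REGISTER = [
    ("Welding support structures", "Undetected weld defect", 2, "Structural failure", 10),
    ("Logo stenciling", "Smudged logo", 3, "Cosmetic rework", 2),
    ("Packing", "Missing manual", 9, "Customer complaint", 1),
    ("Incoming inspection", "Bad lot accepted", 6, "Bad product reaches customer", 8),
]

# Assumed bands (not from the post): minimum Ra -> (audit team, audits per year).
# Team order A > C > B follows the post's description of the teams.
BANDS = [(40, "A", 4), (15, "C", 2), (0, "B", 1)]
EXTREME = 9  # assumed: one rating this high moves the process up a band


@dataclass
class Entry:
    process: str
    ra: int
    team: str
    per_year: int
    bumped: bool


def band_for(ra):
    """Index of the first band whose floor the Ra score reaches."""
    return next(i for i, (floor, _, _) in enumerate(BANDS) if ra >= floor)


def schedule(register):
    rows = []
    for process, _failure, l, _effect, c in register:
        if not (1 <= l <= 10 and 1 <= c <= 10):
            raise ValueError(f"{process}: L and C must be rated 1-10")
        ra = l * c
        idx = band_for(ra)
        # Likely-but-benign or unlikely-but-tragic: the product hides the extreme factor.
        bumped = max(l, c) >= EXTREME and idx > 0
        if bumped:
            idx -= 1
        _, team, per_year = BANDS[idx]
        rows.append(Entry(process, ra, team, per_year, bumped))
    # Highest Ra first, so the schedule reads in priority order.
    return sorted(rows, key=lambda e: (-e.ra, e.process))


if __name__ == "__main__":
    for e in schedule(REGISTER):
        flag = " (raised: one extreme rating)" if e.bumped else ""
        print(f"{e.process:28} Ra={e.ra:3} team {e.team} x{e.per_year}/yr{flag}")
```

With these constructed ratings the welding process scores only Ra = 20, yet it lands with team “A” because its consequence rating is 10.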

Those are the basics of creating a risk based internal audit schedule, and I hope it’s enough for you to sink your teeth into and run with it. Feel free to message me with questions, or leave a comment below.

Thanks again for listening, and now – please – go forth, and calibrate thyself.

Sal