ISO 9001:2015 - Why some auditors will find it difficult to audit.

Aothor: Koos Gouws

SHEQ Management Systems

It is the feeling of this author that some auditors, both internal and external, will struggle when auditing companies in accordance with ISO 9001:2015. The reason for this lies in the fact that the standard now seems to be much clearer regarding its intent to provide a business management system, based on measuring business performance. This has always been the intent of ISO 9001, but systems were in many cases developed and documented in a procedural format. This made the systems fairly easy to audit, because practice was compared to the documented quality management system, and not the business performance of the organization. There were the 6 mandatory documented procedures, and specific record requirements in the old standards, which contributed to making auditing fairly straight forward on most cases.

 In new standard the requirement for mandatory documented procedures have been removed, allowing organizations to become much more flexible in the way it chooses to document its quality management system. Is there still a requirement for things to be documented? Well, yes. I will publish a guidance document on documented information that was drafted by the ISO technical committee on the new document requirements soon. While the mandatory documented procedures have been removed, there are requirements for documented information throughout the standard. Most of these refer to what we now know as 'records'. There are currently 20 such requirements. Other documented information required refers to documents required for the purpose of establishing a quality management system. These are all high level transversal documents:
•Clause 4.3: Scope of the QMS
•Clause 4.4: Documented information necessary to support the operation of processes
•Clause 5.2: Quality policy
•Clause 6.2: Quality objectives
The requirement in clause 4.4 clearly leaves the creation of documented information at the discretion of the organization. Auditors may in many cases not agree with organizations regarding what can be seen as 'necessary' documented information.

Couple the documentation requirements to a few other clauses, and some auditors may really get lost in the process. The concept of risk based thinking will be unfamiliar to many quality practitioners. While the intent of ISO 9001 was always to address the business risks of the organization, it was never explicitly required. Most systems, as said before, were based on a documented procedural approach. If auditors do not fully understand the concept of business risk (those things that will cause organizations to not perform as well as they could), and managing those risks through strategic and tactical planning, it will be a cause of great frustration for those auditors. The whole quality management system must be based on managing the business risks of the organization, thus improving business performance and ultimately the profit margins of the organization. In other words, auditors will have to understand business principles to make a judgement on the effectiveness of the quality management system in the specific context of an individual organization.

Clause 4 is also going to be a problem for many auditors. This clause deals in 4.1 with 'Understanding the organization and its context'. The requirement is that the organization will understand all external and internal issues that are relevant to the purpose of the organization and its strategic direction, and that affect its ability to achieve the intended results of its quality management system. Auditors will have to know how this can be determined. They will have to be familiar with the business tools and methodologies that can be used in this regard. The intent is that we will be able to identify strengths and weaknesses (internal) of, as well opportunities and threats (external) to the organization. These must then be managed. The information is used to set the strategic direction of the organization. This direction forms the basis for the tactical planning, which will include many of the elements of the quality management system. The strategy tells us what we want to achieve, based on knowledge and information on what is feasible, and the tactical planning tells us how we are going to achieve this. Tactical planning includes all plans, processes, procedures and associated resources to achieve the vision of the organization in the longer term, and the quality objectives of the organization in the shorter term.

Clause 4.2 requires that we understand the needs and expectations of all interested parties. While the customer is still the primary focus, the organization now has to take into consideration other interested parties as well. The organization will have to identify the interested parties, as well as the specific requirements of these parties. Included here would be regulatory authorities, external providers of processes, products and services, employees, local community, pressure groups, unions, etc. This could become difficult to audit from the point of view that the auditor will have to establish if the organization is really complying with this requirement and whether the information has been used to help identify the requirements for the company quality management system.

The challenge for existing quality management system auditors is a big one. We will have to change the way we think. Auditing top management will be much more challenging, unless we can speak the language that they understand when they do strategic planning for the business. We will have to move away from auditing just procedures to auditing the organizational business performance (using ISO 9001:2015 to achieve the business objectives of the organization) based on the risks and opportunities that has been identified by the organization. 

For more information, training or consultation on the implementation of ISO 9001:2015, please feel free to contact us if your organization is interested in the workshop, and we will provide you with a quote. 

"Trying the Impossible,
Using the Remarkable
Obtain the Unobtainable"


Thanks for filling out form!

Somerset West
Cape Town. South Africa

Email: Koos
Phone: +27 (0) 83 306 1757

Thanks for filling out form!