What to expect in an�Audit

2023-04-06

Michael Mills

Pragmatic Quality Blog (pragmatic-quality.blogspot.com)

What?

• Quality audits to ISO 9001:2015.
• Internal audits by our own personnel
• External audits by our external registrar
• These are part of our Quality program, and required for certification to ISO 9001.
• They assess how well our system of business processes complies with:
• ISO 9001:2015
• Corporate rules and directives
• Local policies and procedures
• Also look to find room for improvement.

2

What do I have to do ...?

• Before an audit?
• Understand your job:
• What do you do?
• Why do you do it?
• What inputs do you receive?
• From whom?
• What do you do to those inputs?
• What are the outputs you generate?
• Who are the customers for those outputs?
• What are your risks?
• How do you mitigate them?
• The things you do every day … are they working?
• How do you know?
• Know what policies and procedures govern your work, what they mean, and how you follow them.
• Prepare some examples of your current work and be able to explain them.

3

What do I have to do ...?

• During an audit?
• “Put the auditor to sleep” … that means, show that everything is being done the way it is supposed to be done.
• Answer the question the auditor asks, not what you wish he’d ask.
• Don’t describe what you think the process is supposed to be, or what it should be if only they’d listen to your advice. Describe what you really do.
• Tidy your area.
• Feel free to say, “I can’t find that now but I’ll get back to you.” Then do it.
• Make sure you understand any findings before the auditor leaves.
• Don’t argue.

​

​

• Don’t guess or bluff. Don’t criticize.
• Never lie.

4

“Arguing with an auditor is like wrestling with a pig in mud. After a while you realize the pig is enjoying himself.”

What‘s the output from an audit?

• There are four kinds of audit findings:
• Strengths: Things you are doing well, maybe best practices. Keep on!
• Opportunity for improvement: What the auditor saw complies with all the rules, but it could be better, easier, more efficient, more robust. These are suggestions.
• Minor nonconformity: The auditor saw an isolated violation of some rule or regulation, but it’s a one-off that doesn’t endanger the whole system.
• Major nonconformity: A violation which could make the system stop working,�… or could result in shipping bad product, �… or could result in a legal or safety violation, �… or a case where there is no system at all (and you need one),�… or where something is getting steadily worse and is being ignored,�… or where an earlier finding was closed in the paperwork but actually nothing was done.

[Your organization may use different criteria for Major nonconformities, but this is a good sample.]

5

What do I have to do ...?

• After an audit?
• You will get information from the Lead Auditor (or your local Quality contact) about your findings.
• For an OFI, think about it and decide if the suggestion makes sense.
• If yes, fill out the finding with a plan for how you’ll do it. Then do it.
• If no, fill out the finding with an explanation why not, and reject the OFI.
• For a Minor or Major Nonconformity, …
• (For a Major only: Define immediate containment actions.)
• Provide a Root Cause Analysis.
• Provide an Action Plan.
• Implement the plan.
• Prove the effectiveness of your implementation.
• Details on the next slides ….

[Your organization may have different specific rules, but these are a good general approach.]

6

Immediate containment actions

• Define these before the audit is over.
• Immediate steps to stop the problem from getting any worse.
• Containment isn’t the perfect solution.
• Containment doesn’t have to be sustainable in the long term.
• Containment doesn’t have to be scalable for the future.
• It just has to be good enough to stop the problem today!
• That gives us the time to work out a better solution ….

7

Root cause analysis (1/2)

• Use the 5-Why method.
• Identify technical root cause (“What made it happen?”) and managerial root cause (“What about our system or how we do business allowed it to happen?”) for two topics: Why did it happen? … and … Why didn’t we catch it before now?
• 5-Why means you ask “Why?” … and then you ask again … and again … until you get to something fundamental.
• You can string the answers together with “because”:
• The part was wrong BECAUSE the machine was out of alignment BECAUSE it was overdue for preventive maintenance BECAUSE it was never put on the preventive maintenance calendar BECAUSE we bought and installed it when the preventive maintenance guy was on vacation and he has no backup.
• Why does he have no backup? Oops!

8

Root cause analysis (2/2)

• If your 5-Why is correct, you can always run it backwards and replace “because” with “therefore”:
• We bought and installed that machine when the preventive maintenance guy was on vacation and he has no backup, THEREFORE it was never put on the preventive maintenance calendar, THEREFORE it was overdue for preventive maintenance, THEREFORE the machine was out of alignment, THEREFORE the part was wrong.
• If you try to do this and you get gibberish, your 5-Why is wrong.

9

Action plan

• Address all root causes.
• Define who will do the work … �and what they will do … �and when they will finish.
• If you are the Action Responsible, present your Action Plan to the Lead Auditor. [Your organization may have special procedures for this.]
• If the Lead Auditor rejects your Action Plan, you don’t get credit for submitting it on time.
• So if the Lead Auditor has concerns, talk them over and work them out.

10

Implement the plan

• Do the work.
• Provide some evidence that you did it.
• “Evidence” is whatever makes sense:
• If the plan was to write a document, submit the document.
• If the plan was to calibrate some equipment, submit the calibration certificate.
• If the plan was to attend a training class, submit the training certificate.
• If the plan was to paint your office with polka dots, submit a photo showing the polka dots. ☺
• And so on.
• Normally if you can’t submit objective evidence, you don’t get credit for implementing the plan.
• If you can’t decide what makes sense, talk to the Lead Auditor. �[Your organization may define a different first-level contact.]

11

Prove effectiveness

• This means that the problem isn’t recurring.
• Usually this takes a while to establish.
• Again, “evidence” means whatever makes sense:
• Suppose the finding was that your process metric was below its target value and you never took any corrective action. (This is a real example.)
• Then the Action Plan would be your proposal for how to make sure you monitor the metric more closely and react in time. You might also analyze why the numbers are so low.
• Implementing the plan would mean that you took all the steps you said you were going to take.
• And proving effectiveness would mean showing your records of that metric for the next three months (or six months, or a year) so you can prove that mostly it never dipped below its target; but when it did, you immediately intervened HERE and HERE to fix the problem and set it right again.

12

Any questions?

13

THANK YOU!

14