ISO Audit – A Future Looking Process to Prevent Recurrence of Nonconformities

ISO Audit:

Having the right motivation and proactively identifying opportunities for improvement are key, says Jessen Yeoh CQP MCQI, IRCA Principal Auditor, and Principal Advisor at P Excel Advisory. 

Do your auditees feel that you, as the auditor, add value to their work? Do they request you to audit them again in the future, and value your findings?

According to ISO 9001:2015 Clause 9.2.1 (internal audit), the organisation shall conduct internal audits at planned intervals to provide information on whether the quality management system conforms to the organisation’s own requirements for its quality management system and the requirements of ISO 9001 and is effectively implemented and maintained.

Furthermore, an audit is defined as a “systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled” (ISO 9000:2015 Clause 3.13.1).

So, the focus of an audit is on conformance and effectiveness instead of nonconformance and ineffectiveness. The auditor should concentrate on strengths rather than on the weaknesses, deficits and problems of a management system. Auditing should be a future-looking process to prevent recurrence of nonconformities, rather than focusing on what has gone wrong in the past.

With the right motivation to audit on conformance, instead of nonconformance, an auditor will be able to conduct a value-added audit for organisational governance, assurance and improvement. It is encouraged – and, indeed, good practice – to stimulate (but not require) the organisation to go beyond the requirements of the management system standards. The questions an auditor asks, and the way he or she asks those questions, can provide valuable insights to the auditees and organisation.

Strategic direction

An auditor should have a clear understanding of the organisation’s strategic direction and conduct the audit in accordance with the organisation’s context. The audit should focus more on the processes and less on procedures; more on process control rather than documents control. It should also be result-oriented instead of record-oriented. To conduct a value-added audit, a ‘holistic’ approach should be adopted to obtain evidence throughout the whole audit process, instead of focusing on individual clause, process or procedure.

The auditor should assess the adequacy of the organisation’s process controls, and to what extent they are effective in meeting the requirements. Positive findings should be emphasised and audit findings reported from business-risk perspectives. Moreover, audit findings should highlight impacts on the organisation’s ability to provide products or services that meet customers’ requirements and on its ability to achieve business objectives. The auditor should also ensure that organisational culture is taken into consideration when reporting audit findings.

In a nutshell, for an auditor to conduct a value-added audit, he or she needs to have the right motivation in obtaining audit evidence. The auditing process should shift from the negative approach of inspecting and looking for nonconformances to proactively identifying opportunities for improvement, prioritising and eliminating potential sources of failures in a management system.

Attribute to original publisher/ publishing organization: Jessen Yeoh CQP MCQI, IRCA Principal Auditor, and Principal Advisor at P Excel Advisory,