O
ousgg
As Howste says, you need to understand precisely what your business processes are, and document them before you audit them. His process map is no less complicated than all that would be needed in a relatively large company. ISO 9001 says your processes, their outputs and how they interact must be clearly defined. If they are not, you cannot audit them, and you must make this point emphatically to Top Management as it will result in a raft of nonconformities.
Then, rather than concentrating on the standard, audit the processes. Are they producing their stated outputs? Do they meet the goals of the business? Do they have proper objectives and measures, and are they meeting them? If not, what are they doing to approve?
This business of process-based auditing is supposed to be universally acknowledged as good practice, but is still stomped all over by clunky wording in ISO 9001 which insists you audit against the requirements of the standard. There is no way of doing this other than checking that your audit programme has touched on all clauses of the standard, and by doing so, you risk being an old-fashioned 'clause/tickbox' auditor rather than a modern, groovy 'process' auditor. Incidentally, I believe that - philosophically speaking - some clauses of the standard CANNOT be effectively audited internally: the sections on Leadership and Internal Audits most notably.
Anyway, rant over. You'll notice that the aformentioned process map has little references to the standard. I take this a step further and build into a Correlation Manual which - at no more than one page per process - defines the requirements as they apply to my business. This has many purpose: it gives every process owner a summary of how they need to comply to the standard, and it helps inform Interested Party analysis and Process Diagrams. Relevantly in this case, I define - in our Internal Audit procedure - the scope of the audit to be the relevant section of the Correlation Manual. This ensures that each Internal Audit plan is guaranteed to cover all the requirements of the standard.
Then, rather than concentrating on the standard, audit the processes. Are they producing their stated outputs? Do they meet the goals of the business? Do they have proper objectives and measures, and are they meeting them? If not, what are they doing to approve?
This business of process-based auditing is supposed to be universally acknowledged as good practice, but is still stomped all over by clunky wording in ISO 9001 which insists you audit against the requirements of the standard. There is no way of doing this other than checking that your audit programme has touched on all clauses of the standard, and by doing so, you risk being an old-fashioned 'clause/tickbox' auditor rather than a modern, groovy 'process' auditor. Incidentally, I believe that - philosophically speaking - some clauses of the standard CANNOT be effectively audited internally: the sections on Leadership and Internal Audits most notably.
Anyway, rant over. You'll notice that the aformentioned process map has little references to the standard. I take this a step further and build into a Correlation Manual which - at no more than one page per process - defines the requirements as they apply to my business. This has many purpose: it gives every process owner a summary of how they need to comply to the standard, and it helps inform Interested Party analysis and Process Diagrams. Relevantly in this case, I define - in our Internal Audit procedure - the scope of the audit to be the relevant section of the Correlation Manual. This ensures that each Internal Audit plan is guaranteed to cover all the requirements of the standard.
