ISO9001:2000 Internal Audit

[MadMango]

Hello all, I have an ISO9001:2000 auditing problem I would like to present here for discussion.

I moved away from the medical field that dealt with FDA, GMP and ISO9001:2000 to the manufacturing industry. This company has been ISO9001:1994 registered in the past, and has also been registered ISO9001:2000. I’ve been at this company for about 3 years now, and have been involved with their ISO program for about 2 years, and am now a lead internal auditor.

For the life of me, I can’t see how this company became registered at all. It seems that management does not take the registration seriously even though they continue to praise the system in allowing us to be competitive in the market place. Every time I try to schedule audits with various departments, the managers blow-off the need. Whenever I try to raise these issues to the QMR or others in top management the issues seem to stop in their tracks, not going anywhere.

As an example, I have completed an audit discrepancy report (ADR) about not being able to schedule for an audit, under Section 6.1 Resource Management, Provision of Resources in that I can’t get anyone to meet with me to conduct internal audits. After I submit the ADR, the QMR just signs it off, saying he’s spoke to that particular manager about having to support us, blah, blah, blah... I still haven't been able to schedule an internal audit.

I don’t want to “shaft” my employer by allowing them to loose their certification, but at the same time, if no one wants to take it seriously, I shouldn’t be wasting my time with it either. Now my question: have any of you internal auditors been in similar situations, and if so, what course of action did you take, and what was the final outcome?

PS- thanks for letting me vent a bit.

Ray Reynolds
"Computers in the future may weigh no more than 1.5 tons."
Popular Mechanics, forecasting the relentless march of science, 1949
Have you read faq731-376 to make the best use of Eng-Tips Forums?

 

[IRstuff]

I suspect that you SOL on this subject. I've seen similar behavior at other companies, so it's no surprise.

Approximately 1 month before an external audit, there's usually a big flurry of activity to get everyone into a refresher course, but the remaining 11 months is relatively free of any overt ISO related activities.

TTFN

 

[johnwm]

It sounds as if you have a classic case of Marketing-Driven ISO9000. 'You guys have to get certified to let us into this market/ reach this customer/ bid for this contract'

If your senior management doesn't 'get it' then ISO9000 will be seen as an unnecessary and annoying overhead to them. They will see it as something that Marketing (or maybe even Engineering) foisted on them, and will ignore (through not understanding) the benefits.

I have been (twice) tasked with driving ISO9000 implementation through a company, once as an employee and then as a consulatant. The first and hardest part of that task is to get board level understanding of the purpose of the project. Once they understand that the purpose of ISO9000 is to produce a more profitable company with more satisfied customers and more satisfied staff you can get their attention and, more importantly their commitment. Without board level commitment you will get the scenario you describe, as more and more of the company see it as a paperwork exercise. The whole process needs to be tackled in an evangelistic manner, first getting commitment at board level (generally by getting a 'champion' for the cause amongst the board members). Once started at high level, the understanding must be inculcated into all levels of staff, working down through the ranks.

The enthusiasm (and direct and real benefits) of the whole process must be communicated through the whole company if you are to really succeed.

The easy part is obtaining registration, because forcing through one lot of paperwork over a one year period is quite easy.

The hard part is to get the company as a whole to see the continuing benefits of the process, which include:

1. For the owners and directors, increased profits from improved working practices and lower direct costs. I have achieved payback periods on investment of under one year, with substantial increases in net profit in year two.

2. For middle managament, improved and simplified feedback, leading to simpler and more effective processes, less 'staff issues and less waste.

3. For staff, a 'no-blame, full responsibility' culture which can genuinely empower all levels of employee and build real job satisfaction.

4. For customers (and suppliers), a more responsive and controlled trading partner, who will match and exceed expectations.

To summarise, the only way that you will 'shaft' your employer is if you don't succeed in making it work, not as a rubber-stamping paperchase to be looked at once a year, but as a key driver of whole-company effectiveness in all their actions.

The process needs a CHAMPION, and it looks as if you've got the job! It's an awesome task, but very satisfying when you see the final system in place. Remember the auditor's job will eventually be simple monitoring and feedback, and when everyone is cooperating they will largely self-audit. Then the lead auditor will only be needed in a largely maintenance and administration role.

Good luck in your task - if you like a challenge then you'll really love the next couple of years. As you may guess from the above, I'm quite an enthusiast!

Good Luck
johnwm
________________________________________________________
To get the best from these forums read faq731-376 before posting

 

[MadMango]

[blue]johnwm[/blue], are you sure you haven’t worked here!? Your first paragraphs explain exactly the situation I am in. I'm glad but disheartened to see that this is somewhat common.

I believe that their ISO9000 certs were entirely driven by a need in Marketing, and it has almost been told to my face directly. As for “... increased profits from improved working practices and lower direct costs...” well, that is what Lean Manufacturing is for (insert sarcasm here). That’s another headache waiting in the wings, but I’ll reserve that for the proper board.

As I said, there is no support from upper management, until a few months before our surveillance audit is due. Then as you have indicated, everyone jumps aboard, plays nice and makes happy. After we are ‘blessed’ things go right back to ‘normal’ within a few weeks.

Our company has 3 lead auditors and the QMR to drive the system, plus 8 other internal auditors. Out of the 12 there is only myself and another lead auditor that have any experience with ISO9000 and the desire to see it work. Everyone truly sees it as a burden. I’m not sure what to do, if I wanted to ‘play-compliance’ I would have been an actor.

Ray Reynolds
"Computers in the future may weigh no more than 1.5 tons."
Popular Mechanics, forecasting the relentless march of science, 1949
Have you read faq731-376 to make the best use of Eng-Tips Forums?

 

[fakhfakh]

MadMango,

This situation is found everywhere in the word!

I would recommend for this situation to try to program an audit by external auditor before your next audit survey (I would prefer that this audit will be conducted by a known organization as TUV, BVQI, LRQA...). You will inform all your management staff that this audit is necessary to pass the survey one. (You can show this external audit as your internal audit which is externalized and it will be accepted by auditors)

Very important, that during the audit you shall never defend the auditee. They shall reply to all questions of the auditor by them self. Also you shall never mask any finding.
All replies to non-conformities shall be performed by the auditee not by you. They made mistakes and they shall correct their mistakes! . Remember that your task is to coordinate the audit not act in the audit.

In this way, every body will know his responsibility against your system.

Goud Luck.

Fakhfakh

 

[rajivkrishen]

Dear MadMango,

I can suggest three remedies.

They are in ascending order of usage.

If handled with care and finesse, they yield desired results without heartburns else they may boomerang. But then all medicines are poisons if not handled with care.


One

Conduct an audit of the top management.

In the audit report, record management's assent to a schedule for audits of down-the-line-people in your organisation.
The schedule must have names of persons to be audited (besides audit dates) and the date of management review of those audit results.

Implement it in its entirety.


Two

I suppose you have a work process that permits you to take emergency actions (like putting the work on hold if work processes are not followed or if they are wantonly flouted or if the situation can cause quality management system breakdown).

Use it. Keep the management apprised before acting.


Three

Tell the external auditor to caution the management. He always has the ear of the management because his nuisance value is far greater than an employee of the organisation.



Now, I have kept the suggestions deliberately pithy because you need to mull over them, mould them to your specific situation and make a detailed plan, like one does in chess.

Good luck!

PS - Incidentally, I disagree with fakhfakh's suggestion of not defending the auditee during an external audit. People have to be taught, cajoled and for that they must trust you and look up to you as their messiah. That is the foundation for a long lasting solution to attitude problems so nicely elaborated by johnwm. But we can discuss that later.

 

[fakhfakh]

Dear MadMango,

I disagree with what is suggested by "rajivkrishen", because it is clear through your message that your top management blow-off the need of your programed audit as you said. So it is clear that the audit of the top management as proposed will not give solution.

In your situation it is very important to make what we say in management an "agitation" to drive peoples to give an interest to what you do and through that to you.

When you program the external audit as I proposed, peoples will ask for help and than you will be the helper than they will start to make estimation to what you do.

I've made audits for companies with similar situation and good results reached.

As an additional explanation to you and to the others, what I suggested in my foregoing reply is to not make the work (defend auditees, reply to non-conformties...) by your self but sure you will act as a helper and you will assist you colleague to do the work correctly. Sure that corrective actions will be issued and will include a review of procedures, training, awarness, corrections... All these actions will be assisted by you and will bring you closer to your colleague.

Don't make it long and I propose to do as I suggested. Any way and at least you will exploit the external audit as an internal audit in your next surveil audit.

Good luck!

 

[MadMango]

Thanks for the suggestions fakhfakh and rajivkrishen. Both seem to have been based on personal experiences with your company. I won't say either one is a right or wrong approach, as each company runs their ISO systems differently and have different cultures.

The situation has beed resolved. The internal auditors were able to get Top Management to talk with middle management, and they coordinated supprt for the audits.

[green]"But what... is it good for?"[/green]
Engineer at the Advanced Computing Systems Division of IBM, 1968, commenting on the microchip.
Have you read faq731-376 to make the best use of Eng-Tips Forums?

 

[johnwm]

Well done MadMango! Do you feel that you've got them to actually buy into the process yet? or will you only find that out at next audit time?

Good Luck
johnwm
________________________________________________________
To get the best from these forums read faq731-376 before posting

UK steam enthusiasts:

http://www.essexsteam.co.uk

 

[MadMango]

It’s cyclic support for the system at best. I requested to be removed from any ISO involvement beyond that of an auditee. The request was granted, and I’m sure many people were happy to quiet down this squeaky wheel. I’ll continue to fight the good fight, at least I’ll know my group will be in conformance.

[green]"But what... is it good for?"[/green]
Engineer at the Advanced Computing Systems Division of IBM, 1968, commenting on the microchip.
Have you read faq731-376 to make the best use of Eng-Tips Forums?