I’m working on ISO 9001:2015 FAQ Book, which is part of our Future of Quality: Risk® series of books.
Our conclusion is that the new ISO revision is going to be a shocker to many companies, consultants, and certification bodies. So, let’s look at some of the critical questions perplexing the larger certification bodies about the ISO 9001:2015 auditability.
We’re going to have a lot of discussions over the next year and longer on ISO 9001:2015 audibility. But more importantly, we’re going to have this discussion on the auditing of ALL ISO management systems.
WHAT IS AUDITABILITY?
There is no accepted definition of ISO auditability? I’ll try to lend some clarity to this question. Auditiabiity is the ability to use ISO 19011 as a guide to plan, conduct, and report audit results against adherence to ISO 9001:2015 requirements. The goal is consistent interpretation of the standards (ISO 19011 and ISO 9001:2015), standard application, uniform auditor abilities, and consistent audit results.
So lets start with ISO 19011: ISO 19011:2011 is the audit reference and guidance document for auditing all ISO quality management system standards. BUT, the issue of auditability rears up. ISO 19011 does not address many clauses and elements of ISO 9001:2015. ISO 9001:2015 has a number of new requirements, such as risk and how will these be scoped in an engagement?
CRITICAL CB QUESTIONS
The global registrars, such as DNV, SGS, etc, now have lots of questions on how to audit the new management systems that will be interpretive, have different scopes, new clauses and new requirements such as risk. Below are a few questions we’ve posed to quality experts and CBs:
- How will global accreditors ensure and even assure consistency among the certification bodies (CBs) against ISO 9001:2015?
- How will ISO 19011:2011 be used to conduct ISO 9001:2015 audits?
- What type of additional ISO 19011 auditing guidance is required?
- How will the CB’s ensure audit and auditor consistency when ISO 9001:2015 is more interpretive than other revisions?
- How will CB auditors conduct effectiveness and process audits?
- How will CB auditors conduct risk audits?
- How will auditors evaluate processes, QMS objectives, and risk control effectiveness?
- How will CB auditors determine conformance to the broader scope of some of the ISO 9001:2015 clauses?
- How will the CB auditors scope the audits?
- How will they do all this with the strict audit timelines they have?
- How will CB auditors conduct integrated audits of multiple management systems when the audit criteria becomes more discretionary?
- How will CB auditors be trained to conduct ISO 9001:2015 audits?
- Why are some CB’s already evaluating clients agains ISO 9001:2015?
- How will quality management system audit be integrated into ERM, GRC, and internal auditing?
- What will CB’s do if registered companies request higher levels of assurance?
ISO 9001 BLACK SWAN
In a larger sense, auditability is the relevance and importance of ISO audits. What’s the problem? Many/most publicly held or listed organizations have a board level risk committee. Internal audits often go to this level. ISO reporting does not have this level of reporting or visibility. ISO audits in many organizations go to second level or third level manager.
Supplier risks are material and reportable. One association we’re familiar with intends to conduct supplier risk audits and provide board level reports. If this occurs, ISO 9001 may be @ risk.
Bio:
Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:
CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com
He is the evangelist behind Future of Quality: Risk®. He is currently working on the Future of Work and machine learning projects.
He is a frequent speaker and expert on Supply Chain Risk Management and cyber security. His current books available on all platform are shown below:
