This blog is a membership-based discussion forum on Project Management, Software Quality, CMMI® for development, ISMS and associated subjects. It provides a common platform for our training participants and others to share views and obtain expert opinion on issues related to the above subjects. Also, it is used by QualityMentors training participants to upload their personal details in a secured manner in line with the guidelines laid down in ISO/IEC 17024:2003. This blog draws its strength from its members, who are welcome to share professional and personal experiences, comments, articles and reference links to make it a preferred knowledge repository for their collective use. It encourages fact-based decision making as a success enabler for projects in member organizations.
Salman Raziq <firstname.lastname@example.org> writes from Muscat, Oman: “Clause 7.4 speaks of communication. It says all the communication regarding QMS should be recorded and I have a communication register with me. How do I record all the communication happening in the organization in the register? Is it really possible?”
My answer: Clause 7.4 merely asks for determination of internal and external communications relevant to QMS and details thereon. It does not ask for recording all the communications taking place across the organization. Probably you want to create a communications register to use as evidence for the auditors, which, in my opinion, is not the right approach. Let us do our business as usual without bothering about audits. Usual channels of communication in any organization are emails, town-hall meets, posters, danglers, internet/intranet sites etc. Most of these are already pieces of recorded evidence. Meeting minutes of management addresses or speeches are also records. Even if a number of sampled employees in an organization tell the auditors about a speech or meeting with relevant details, it is a piece of evidence. Creating a separate register for recording communications is not a good idea.
Hope this explanation satisfies you…
Today I concluded conducting an IRCA authorized QMS Lead Auditors Course. During the mock audits conducted as part of the course curriculum, the participants’ ability to identify the most appropriate clause of ISO 9001:2015 against an NC remained a challenge. In real-life first/second/third party audits, even experienced auditors find it challenging to map a given NC to the right clause of the standard. For example, an NC about product delivery with known defects is mapped not only to clause 8.6 of ISO 9001 but also to 8.5.2 (identification and traceability), 8.7 (control of NC outputs), 9.1 (monitoring and measurements etc.) and 7.3 (competence). Needless to say, by doing this the focus on the right correction and corrective action is lost, leading to vague responses from auditees.
My advice to auditors is to think for a few moments about the NC or the situation at hand and then mentally map it to the ‘most appropriate clause’. Only if necessary, start going through the clauses of the standard for such mapping. To the extent possible, map the situation to one clause only, unless, of course, there is a genuine need to refer to two clauses.
In no case, more than two clauses should be mapped.
My friend AKM Desai (firstname.lastname@example.org ) wants me to comment on this topic.
ISO 9000:2005 defines the term risk as ‘effect of uncertainty’, i.e. any potential deviation from expected results which may be positive or negative…
ISO 19011:2011 introduced the concept of risk in auditing. It included both the risk of the audit process not achieving its objectives and the risk of the audit interfering with the auditee’s activities and processes. However, it does not provide specific guidance on the organization’s risk management process.
Specific requirements for effective risk management are provided in Annex SL standards like ISO 9001:2015 (QMS Requirements), ISO 27001:2013 (ISMS Requirements) and ISO 27002:2013 (Implementation guidance to ISMS) etc. Internal and external audits conforming to ISO 19011:2011 guidelines and clause 9.2 of requirements standards like ISO 9001:2015 and ISO 27001:2013 can be defined as ‘Risk based auditing’. Such internal and external audits should be conducted in a seamless manner to achieve stated audit objectives, without interfering with organisational operations to the extent possible and with full conformance to the requirements in clauses 4, 6 and 8 of the above requirements standards.
Teresita Cirelos wrote this query to me:
Can you please advise me if it is mandatory to have a trained first-aider and a fire marshal for a company with less than 5 employees? If yes, kindly mention which standard/requirement/guideline I should refer to.
A building administrator has one qualified first aider and one qualified fire marshal. This building is occupied by more than 50 small offices. One of the offices furnishes a copy of the training certificates (first aider and fire marshal) from the building administrator (with consent) and claims during audit that these trained personnel will be in charge of their emergency preparedness as well. Is this case conforming to the requirements?
And, this was my response:
Requirements for first aiders and fire marshals are imposed by local regulators. For example, in India each factory establishment has to have trained male and female first aid employees at each location, as mandated by our Factories Act. The act also mandates which organizations are authorised to provide such certificates. I have witnessed similar laws in Singapore and Indonesia. I don’t know what the legal requirements are in UAE. In China, building administrators used to train people for fire precautions and that meets their legal requirements too.
As an auditor: I would like to examine if the law of the land has a requirement for first aiders and fire marshals, and whether a certain number of them is required per 100 employees. If there are no legal requirements, I would like to examine if the first aider and fire marshal are actually ‘competent’ and have past experience in such roles. If not, merely having a certificate from building administration may not be considered ‘adequate’ for the purpose. Also, one fire marshal is not sufficient for a job which needs round-the-clock attention/vigil. S/he must be going on leave, and who will be responsible during the leave remains an open issue. A person cannot be expected to remain on vigil on a 24X7 basis, month after month. The same is true for the first aider. Another aspect is the demand of the process of the company. Since auditors audit against the defined process of the company, you as an auditor need to examine the compliance from this angle too. A few probing questions to the fire marshal and first aider by the auditor may expose them if they are really not competent for the job. Three such questions may be: a. What was the learning from the last round of mock fire drills/last 10 first aid incidents and where is it recorded? b. Are these people members of professional forums/discussion groups/societies to keep their knowledge up-to-date on the subjects of fire fighting and first aid? c. How can a male first aider handle a pregnant lady in distress because of sickness or fire? Finally, you may take a lenient view as the organization is a tiny one as far as the no. of employees is concerned.
As an auditee: Rather than depending on just a single first aider and a single fire marshal, I would like to have more of them and also have an agreement with the building administration to come forward to assist when needed.
The Internet is full of best practices for fire fighters and first aid professionals. See this link for best practices in fire fighting: http://www.iaff.org/tech/ops/CurrentEvents.htm . The second article in this link says more fire fighters were found to be more effective in case of real fire incidents. You can go through articles on first aid and fire fighting on www.irca.org.
Can someone clarify the following issues:
1. There is no mention of ‘Management Representative’ in the draft standard. Why?
2. CAPA: I don’t see the clause on Preventive Action. Also, the no. of review inputs and outputs has been reduced. Why?
3. Whether the company remains responsible for the quality of outsourced product or service is not clear as before.
4. Internal audit: ‘Auditors will not assess their own work’ is missing. Why?
I have seen auditors being nervous while planning and conducting audits of top/senior management executives. While auditing and reporting findings of such audits may be a sensitive issue, seasoned auditors get considerable professional satisfaction by adding value through this mechanism. If conducted in a planned and professional manner, the auditee also gets new insights into their organizational processes and appreciates the time invested in auditing.
Confidentiality must be maintained at all costs during and after top management audits. ‘Non attribution’ of audit findings, especially the negative ones, to any person or department should be avoided to the extent possible.
Planning, based on organizational process maturity, cultural and social aspects plays a vital role in such audits. Rather than throwing closed and leading questions to senior people in the auditee organization, the auditor must ensure most of the questions are open ones (example: would you please tell me the highlights of the organizational policy on project management?). The duration of the audit, its venue and who all will participate from the auditee & auditor’s side must be worked out prior to the audit and communicated to all concerned. Some of the initial questions may be about organizational strengths, weaknesses, opportunities for improvement, current management concerns, and management goals in measurable terms. All the questions, follow-up questions and their responses should be recorded. Later on, audit trails should be used to corroborate the responses received from top management.
Auditors must ensure no one gets insulted while presenting the audit findings during the closing meeting or otherwise, especially those in the top management. At the same time, nothing worth mentioning, positive or negative, should be avoided.
See this article from the ISO site: http://www.gsprogress.us/Resources/Auditingguidance/Annex_9_AuditTopManagement.pdf .
This article is the edited version of ‘Auditing continual improvement’ from the website of the ISO 9001 Auditing Practices Group and is reproduced courtesy of ISO and IAF. These papers were developed on current best practices and therefore have not been formally endorsed as IAF guidance or ISO/ TC 176 interpretations. Follow the link for further information about the Auditing Practices Group.
Reproduced from the Issue 31 of 2011 of InForm ezine of IRCA….. Certain interesting and informative portions have been highlighted by Ribhu. Read on…