What do I Show the Auditor?
When we run public courses, this change prompts a common question: "If we don't document a procedure or maintain records, what do I show the external auditor?"
Before answering, let's revisit some of the basics (quotation marks indicate wording quoted from ISO documents):
What is a "document"?
ISO describes documentation as "information created in order for the organization to operate", and records as "evidence of results achieved".
What format can a document be in?
"any format and media and from any source" (paper, electronic, video, flowchart, photograph etc.).
What is a procedure?
"specified way to carry out an activity or a process" (note: "procedures may be documented or not").
What is the purpose of a documented procedure?
To give the personnel responsible for an activity, process or task guidance on how to perform it.
Today's quick quiz: ISO writes management system standards to enable you to do what?
Hint: standards are not written to make life easy for an external auditor!
So why exactly is ISO reducing the amount of mandatory documentation? I'm not an ISO committee member, but here's my view:
- ISO recognises that documentation is only one way to control, or facilitate the consistent delivery of, an activity or process. Those familiar with the hierarchy of risk controls (often referred to in safety theory) will know that documents are one of the less effective forms of risk control: they sit in the administrative control category, below elimination, substitution and engineering controls, and above only PPE (the diagram below ranks risk control methods from most to least effective; PPE = personal protective equipment).
- ISO does not want the level of documentation to be burdensome, and hence a barrier to small and medium-sized organisations seeking to implement a systematic approach.
- It is a battle to get people to (a) read, (b) remember, (c) care about and (d) follow a documented procedure.
In fact, the ISO Technical Committee responsible for ISO 9001:2015 makes the following statement:
You need to consider:
- Whether the document or record is required by legislation (e.g. health monitoring records), by your customers or by contractual requirements (e.g. a safety plan).
- The value the documented information provides to your business (as instructional guidance, as a training tool, as an audit tool, to generate the records you need, for consistent delivery of work tasks etc.).
If a document is neither required nor of value, review whether you really need it. In our experience, documents that no one has looked at for a couple of years are generally not needed.
But What do We Show the External Auditor?
So, you coordinate the external audits in your workplace and you want to make sure you have enough evidence to keep the auditor happy. Here is what we suggest:
- Remember that any stage of an activity or process that could affect quality, safety or environmental performance still needs to be addressed consistently, even where a documented procedure is not mandated.
- Make sure you have a clear understanding of the steps involved in your system processes (internal audit, management review, needs and expectations of interested parties etc.).
- If the auditor needs to review operational processes (production, dispatch etc.), make sure the responsible manager or person is available to take the auditor through the process.
- To demonstrate conformity, you will need to provide objective evidence of the effectiveness of the system in place and, where relevant, of the operational processes.
- Objective evidence ("data supporting the existence or verity of something") can include interviews and observations, in addition to documented information such as records. At any step of an activity or process, allow the auditor to interview one or more people and to make as many observations as they need to determine conformity.
For example, Company X has determined the internal and external issues that could affect the intended performance of its system (clause 4.1) and the needs and expectations of interested parties (clause 4.2) through discussions in a senior management meeting.
If you have minutes from the meeting, great: show the minutes as evidence.
If not (and minutes are not mandatory):
- Allow the auditor to interview one or more of the managers involved.
- Show the auditor how the outputs of 4.1 and 4.2 have, where relevant, been considered in planning your system (clause 6, particularly "6.1 Actions to address risks and opportunities").
- Demonstrate to the auditor how these items are reviewed during the management review process (where records of the results are mandatory).
Note that most certification bodies are currently up-skilling their auditors on how to audit to the new standards. Where documented information is not required, auditors need to establish conformity through observation or interview.
It is also important to note that ISO itself states: "Where the organisation has no specific documented information for a particular activity, and this is not required by the standard, it is acceptable for this activity to be conducted using as a basis the relevant clause of ISO 9001:2015. In these situations, both internal and external audits may use the text of ISO 9001:2015 for conformity assessment purposes."
Source: Guidance on the requirements for Documented Information of ISO 9001:2015 (see the website referred to above).
Keeping it Simple
In keeping with our theme of keeping it simple, in our next blog post we look at how internal auditors can approach auditing an activity that has no supporting documented procedure.