Content provided by Dan Nelson of Cavendish Scott (www.cavendishscott.com).

Although professional management system auditors often boast credentials demonstrating competence, one particular situation offers a clear indication of the quality of an auditor. It is a commonplace situation, one that unfortunately demonstrates a problem with the consistency and quality of third party registration audits. Meanwhile, audit recordssome dating back decadesreveal just how prevalent the problem is.

Heres the situation: an organization under audit is operating a quality management system ostensibly consisting of documentation based upon, and structured according to, the generic requirements of the standard. The usual procedural suspects: Product Identification and Traceability, Inspection and Test, or Inspection and Test Status.

While standards such as ISO 9001:2000 present requirements using section titles, those standards also instruct organizations to implement the standards using an approach based on the organizations processes. That may sound simple, but there is a big distinction between the two approaches. The standard-based approach results in procedures that are designed to answer the requirements as they appear in the standard, thereby bearing a one-to-one resemblance to those requirements. These procedures do not describe processes, and are therefore not really procedures at all. These procedures are not useful to anyone, really, except to the consultant or author who supplied them, for whom it was a very simple cut-and-paste exercise. In the long term, the organization is left with a dysfunctional, yet compliant, set of documentation headaches to contend with ad infinitum. Such procedures also often make sense to auditors who do not or cannot distinguish between meeting the letter of the requirements and meeting their intent. Standard-based procedures certainly are not useful to management in managing the real organizational process that go unrecognized by an improperly defined, yet compliant quality management system.

Conversely, the process approach results in real procedures describing the management of real processes, processes that operate every day, so the procedures have a one-to-one correspondence to the processes or departments of the organization. These procedures make good sense to personnel managing and operating processes affecting quality, because they describe the processes in which they are experts. They describe what starts a process, how the process is performed and controlled, how the process ends, and how the results of processing are verified. Such procedures delight auditors who understand the process approach and effective quality assurance, while they confuse auditors who dont understand.

Although a smattering of documents designed to meet the standards requirements can be confirmed to comply with (the letter) of the standard, which seems to be a good thing, they simultaneously and clearly demonstrate a departure from the intent of the standard, which is clearly a bad thing.

Its About the Process

When it comes to ISO 9001, the very first requirements are: (4.1 General requirements): The organization shall . . . [a] identify the processes needed for the quality management system . . . The intent of this requirement is that the organization determine which operational processes affect quality. To meet the intent, the organization would look to its own processes or departmentsspecifically, the ones whose operations directly impact the quality of products or services offered to customers. Although identifying these processes is seldom difficult, failure to do this properly will result in misapplying many subsequent requirements. One sure way to do this wrong is to look to the standard to determine the organizational processes affecting quality. This is the mistake of the standard-based proponents. The remainder of the general requirements beneath 4.1 is all about managing, controlling, and improving processes. This is difficult to achieve if the processes were misidentified in the first place. (How does one measure and improve an Inspection and Test Status process?) Good auditors understand this point, and how crucial it is to an understanding of quality assurance through the application of standards such as ISO 9001.

A good auditor is competent enough to understand and appreciate the difference between the standard-based approach and the process approach. If an organization is operating a standard-based system, despite the niceties offered to auditors and customers about how fantastic management system standards are, the resulting system is not helpful. Its a paper-chase hassle that never really offers much value, and perhaps negatively impacts operations. No consultant or auditor ever had a client organization that wanted or required poorly written quality management system documentation, yet that is exactly what many have been supplied. A good auditor is an organizations best hope to identify how the management system may make more sense to top managementthereby providing maximum benefit.

Bearing in mind that auditors are paid, in part, to identify weaknesses in the management systemand the per diem fees for their services rival those of a good lawyeran effective auditor would identify procedures are structured around the standard, not the organizations processes as a weakness. A good auditor, seeking to add value, would point out to management that the quality management system has been improperly implemented, it exhibits a common mistake, and it fails to meet the intent of the standard (according to the standard itself), and it adds little value. To a good auditor, its a no-brainera finding that would add value if the auditee organization were made aware of it and decided to act upon it.

For whatever reason, poor auditors overlook this silent elephant who attends so many closing meetings. They might even review findings written against the Product Identification procedure, yet fail to point out that the procedure itself suggests a poor understanding of the standards intent. Whats worse, they might even go on to imply, good job addressing the standard.

Standard-based documentation simply pays lip service to the standards requirements. The intent of the standard is for management to view and manage processes affecting quality in a logical, transparent, systemic fashion in order to ensure the quality of the product or service provided. The standard-based approach is awkward, opaque, and confusingnot at all transparent. Its not a good job. It is a poor approach.

Competent Auditing is the Key

It is appropriate to ask why auditors often fail to identify procedures do not represent the organizations processes, as a weakness in situations when the standard-based approach is evident. A review of audit records of an organization employing the standard-based approach will most likely reveal professional, third-party auditors did not identify the standard-based approach as a weakness.

The problem boils down to a problem with auditor competence. Despite being a professional, the auditor doesnt understand the basic distinction between the standard-based approach and the process approach. This suggests a problem with competence, since the standard clearly requires the quality management system be based on the organizations processes, not the structure of the standard.

An equally troublesome scenario is when the auditor understands the difference, but fails to bring it to the attention of the client as a weakness. This might be due to several factors: perhaps the auditor has been ardently promoting the standard-based approach for years and is stuck in his ways; maybe the registrar organization has been passing standard-based management systems for years, with flying colors, and is trying to save face for all the clients money spent on auditors who havent accurately audited to the requirements; perhaps the registrar is aware that the client is no longer interested in being registered to a management system standard, and a suggestion to modify the system would cause the client to withdraw certification or seek it elsewhere (this explanation was offered by an actual registration auditor); or, maybe the registrar organization is happy to collect money from sleeping dogs who dont mind being fleeced in their sleep. Any of these would suggest a problem with the integrity of the auditor and the registrar they represent.

Whether a competence problem or an integrity problemand its unclear which is worsethe result is the same: many organizations would benefit from understanding that their management system headaches are due to the fact that they are doing it wrong, yet nobody tells them! Auditors who do not bring this to their customers attention (when warranted) are remiss in their professional duties.