The Quality Hub Podcast
Listen Below. Learn More.
ISO Audits – What Registrars Look for Part 2
Episode 21 Part 2
ISO Audits – What Registrars Look for Part 2
In this episode of the Quality Hub podcast, host Xavier Francis interviews AJ Puylara from NQA to delve into what registers and auditors look for in an ISO audit. They discuss major and minor non-conformances, highlighting that major non-conformances represent total breaks in procedures while minors are lapses in procedures. Observations are also mentioned as opportunities for improvement. The podcast emphasizes the importance of documenting findings and implementing corrective actions, as well as the significance of continuous improvement and the flexibility offered by ISO standards.
Core Business Solutions publishes ISO Certification podcast episodes weekly. You can find more episodes here.
Episode 21 Part 2 Key Content
Hello, everyone, and thanks for listening to the Quality Hub chatting with ISO experts. I’m your host, and we have a treat for you today. I’m here with AJ Puylara, National Sales and Marketing Manager at NQA, which is a global certification body and will be continuing with part two of our series entitled Let’s Just Take a little Peek here where we’ll be expanding on what registrars and auditors look for in an audit. So last week we ended with the stages of an audit following each audit, a business may have audit findings and they can be major or minor non-conformance or observations. Could you tell us a little bit about what those are and how they all work?
I’ll start with Major because that’s the scariest. To put it simply, a major non-conformance is a total break in procedure. Now this could be a lack of documentation on a specific process and therefore it’s not communicated to the rest of the company. And so therefore no process may be required.
Another route to get a major non-conformity, which obviously wouldn’t be in the initial certification process, but let’s say after stage two, there were five minor non-conformances, and all right, we determined the root cause. We issued our corrective action response auditor signs off, yadda yadda, yadda. Well, first surveillance coming up, the auditors going to follow up on those minors. If they were not addressed, that could turn into a major as well.
So several miners could equal a major in the future.
If they’re not followed up on. Now, if there are 20 minors, right, in corrective actions, implement it, and they’re all addressing the auditor sees that following the next audit, then they would not turn into majors. But even if one or two minors were completely disregarded, that risk for being a major as well.
So majors more of an absence of a required procedure or total breakdown of it.
Yeah, exactly. And a minor non-conformance relates to a lapse in procedures. So to put that simply, we have a major break, minor elapse. Minors are going to happen, especially in the initial audits. If a CV doesn’t find a single minor you either had I’d say a lot of luck. Consultants I know have a lot of experience, especially Core. But I know things still come up because every company is unique depending on the length of time that a consultant has. Sometimes not everything can be addressed and maybe something slips into the cracks. Minors just happen.
Yeah. Yeah.
Once again, the steps to remedying those are identifying the root cause and implementing corrective action, and that’s right in the standard as well.
Okay, so what’s an observation?
Observation or as the acronym is its OFI or opportunity for improvement. What that is, it’s let’s say there is a process for how procurements conducted, and how invoices are processed. Let’s say that procedures are written out, the entire division is following that procedure. But the auditor says, wait for a second, I’ve seen this done at another company I’ve audited.
And they went from a system very similar to this. They changed a couple of things and it made them much more efficient. It’s not something that it’s not addressing a lapse in procedure. It’s just addressing, hey, I see something that you can improve on. It’s a suggestion, this isn’t consulting and we can’t consult. But I’ve seen it done this way. It’s up to you.
So it’s not telling them what to do or how to do it. They’re just, hey, you might. You might be able to improve on this.
Yep. So that’s all something that wouldn’t constitute a minor or be defined as a lapse in procedure, something that is being done effectively as it’s documented and designed. But maybe the system or process itself can be improved.
Okay. Well, then that’s very helpful because continual improvement is one of the biggest parts about this whole thing you’re continually improving and getting better. So we have a major non-conformity and that could be a set of minors in a subsequent audit and that has to be a breakdown. Now, a company has they have some non-conformity and they have a minor or maybe it is a major. You mentioned a little bit about corrective action, but could you go kind of through a little bit of what their next steps would be?
Yep. Yep. So all the findings need to be documented. It is a requirement that a corrective action response or corrective action plan detailing corrections and quote-unquote containment of the nonconforming root cause analysis and planned actions or procedures to prevent that from happening again. I would say this is probably in most cases, but up to the auditor, they may recommend that the organization submits objective evidence to support the closure of the findings.
So what is submitting objective evidence? What does that mean?
I’m going to use the procurement example again, but I’m going to turn that one into a minor. Let’s say that the organization receives a PO. Conducts the work and issues an invoice after the fact, as we do. Now, let’s say that we had a company of two sites, and both the invoices they wanted the invoices split up into two separate plants, and the organization sends them both to a central function or the main HQ. So that would probably be a finding because it’s against customer requests and there may be identified issues in the process.
Maybe because it’s automated, it automatically sends the sent the invoices to HQ of this company. So objective evidence would be that change either in the written process. So objective evidence would be the markup of here’s the before, the process before, and here’s the process after. So it could be that or if it’s an automated system and it required some backend work to remedy maybe some objective evidence showing the details of how that was corrected on the back end.
That is something specific on an invoice or it’ll notify a human being and say, hey, you know, you need to look at this versus just being automated and sent out. Okay.
Ideally, let’s say it wasn’t an automated issue, and corrective action was made in the backend process. Objective evidence also would include having the invoices sent out correctly. Here we go. These were sent out as a customer requested one at each site. So that’s that’s an example of objective evidence in that case.
Well, that is a ton to take in when it comes to how to be audited. What findings are? It’s certainly easy to see why a company may want and need some outside help so this can demonstrate adherence to what standard requires. How do you evaluate the effectiveness of a business’s quality management system?
There’s a couple of things. ISO 9001, I know we’re going to touch on this, but continuous improvement and the organization’s ability to meet customer requirements, and expectations, their ability to improve their processes on an ongoing basis, and achieving their objectives and some of the criteria objectives 100% need to be defined. You can achieve an objective if it’s not there in front of you. So there’s nothing to measure against.
Monitoring performance. Using key performance indicators. I know in the ISO world we’re heavy on KPIs, so they are your friend as well. This will include customer satisfaction through data taken from surveys on-time delivery, percentage defect rates, etc. With these KPIs, it doesn’t stop there. There needs to be an analysis of the data collected and what to do with that. And that kind of flows into internal audits and management reviews. You know, management is going to have a focus on these KPIs and maybe some findings on the internal audit and corrective action and preventative action responses from this internal audit.
And then as you know, after initial certification, when we have the annual audit management review is going to include those external corrective actions and preventative actions, root causes, and everything that’s come up during the audit. Documentation is your friend and the big thing. Continuous improvement. You can take OFIs or findings, improve each of the processes, and then we try to assign auditors with industry experience.
That way, when they start the audit, you don’t have to catch them up on your industry and what you do. They already are coming in with that knowledge. Not only that, they may find some best practices that the company wasn’t aware of and they can make suggestions from their optional suggestions, but they’re still best considered best practices.
That’s great. So basically, the difference when you get into the subsequent audits is more you’re looking for more than just adherence. You’re looking like that’s getting better.
Yep.
You mentioned continuous improvement before and that is a fundamental principle of ISO, how do you assess that in an organization’s commitment to continuously improve?
That way, when they start the audit, you don’t have to catch them up on your industry and what you do. They already are coming in with that knowledge. Not only that, they may find some best practices that the company wasn’t aware of and they can make suggestions from their optional suggestions, but they’re still best considered best practices.
That’s great. So basically, the difference when you get into the subsequent audits is more you’re looking for more than just adherence. You’re looking like that’s getting better.
Yep.
You mentioned continuous improvement before and that is a fundamental principle of ISO, how do you assess that in an organization’s commitment to continuously improve?
Following what I said earlier, the approach to the effectiveness of the QMS will ultimately lead to continuous improvement because just because of the discipline behind it following the standard and the expectation of improving the QMS will lead to continuous improvement. As I said, one of the key focus focuses of ISO 9001 is customer satisfaction.
So using knowledge evidence gathered through effective monitoring and measuring of processes, the next step is to make improvements to enhance customer satisfaction which could be to specific products or services relating to the customer experience, to the methods and resources used. Whether there’s a more efficient supplier to provide resources to manufacture a specific product, maybe the quality in their suppliers’ resources has declined and then source another, etc.
Right. Right. So all that’s going to show is that they’ve been effective and we see continuous improvement.
That continuous improvement plan simply could be just to the quality management system itself and then a review of internal audits. And during your management reviews, it’s key that companies are looking at monitoring the correct things. This is an opportunity to adjust the system as they see fit. It’s not a prescription. It’s more of a blueprint.
Let’s help you run your business to the best of your ability without changing the essence of how you run your business. So if current customer requirements are being met, are there amendments or things that need to be addressed for future requirements? Are there any areas where the company can be more efficient? You know, perhaps, you know, these have been brought up during the internal audits.
So you’re continually refining the system. And I know that you just touched on this now. It’s great how ISO standards. They don’t tell you how to do it. They let you determine how you’re going to do some of these things, and what’s important to you and it keeps that essence of your company still there, even though you’re able to get better and continually improve.
Absolutely. If there are any issues, you know, companies can see if any corrective action taken was effective at preventing the problem from reoccurring. So that’s one question that needs to be asked. If a company went for a short-term fix, this is now the time to work on the long-term improvement to solve the issues. You know, you have the Band-Aid fix and then you have the really the long-term solution. When non-conformances occur, including complaints, companies need to keep a full record, including what happened, what actions were taken at the time, and the results of any further corrective actions implemented.
And an auditor is going to want to see that.
Yep. Yep. So everything needs to be documented. So that’s key in respect of a non-conformity as objective evidence for your external auditor. So tying back into objective evidence, being your friend. If there’s already a system in place for recording these things. There’s no need to create a new one, providing that all the necessary information is being captured as determined by ISO 9001. The existing records should be sufficient.
So basically, documentation seems paramount and proving you’ve made the appropriate responses needed for corrections and improvement. Now, many companies are multifaceted and they can have improvement needs in multiple areas. How can they handle all that? Continual improvement.
Continual improvement. We know it is a requirement of ISO 9001. However, it doesn’t mean that companies are just to make improvements just for the sake of doing it right. This is where management review is important, as well as the information from the internal audit. Having quality objectives aligned with strategic direction provides unity of purpose and ensures that actions throughout the organization are working together towards the same goal.
So you don’t have to necessarily work on everything at once. That’s why you’re not just certified once you can continually grow and once you’ve got something wrangled in, okay, we’re doing well. We’ve had good on-time delivery, We move on to something else that we can look at and improve on, correct?
100%. A lot of companies call, they’ll ask about it. They had a customer requirement and you know, they don’t know what it is or what it truly takes. And sometimes they have already done some of the legwork and they think they’re ready. But really, this isn’t just a checklist, right? It’s an evolution of the culture of the organization.
Yeah, we’ve talked about that in other podcasts. We’re a lot of people do it because they want what you guys provide, which is that piece of paper that says, yes, we’re certified, but they’re only going to find the true benefit of it when they change their culture and live into it.
Yeah, absolutely. And so, you know, you have data from the internal audit, the external audits, and then you from a product or service perspective, you know an analysis of customer feedback will kind of give a map of opportunities to find, you know, areas where there could be some improvement for these products and services. So. An analysis of process improvement provides evidence of areas where efficiency improvement may be made, and that’s as it touched earlier, the finding primarily internal audits.
And then process-based audits provide organizations with a spotlight on areas where processes and responsibilities can cross over. And these are often places where things can be missed, right? So whenever, you know, in communications, one of those things, right, whenever there’s a handoff of communication or data or documentation or feedback, that’s when things tend to slip through the cracks.
No matter what a third-party consultant or organization internally does during the implementation phase, things still slip through the cracks because there is a human error factor that comes into play. And you know, communication is one of those things, but it does slip through.
Yeah, and that’s a place for improvement. And I know we mentioned before, but that’s the nice thing about ISO. You get to choose what’s best for your business and you focus on working on those things, but ISO gives you that framework in place to make it effective.
Yep. 100%.
Well, that’s just great. I appreciate you being here AJ today. Is there anything else you wanted to mention from a registrar’s point of view or auditor’s point of view?
Nothing specifically or detail-oriented. But I just want to thank everybody for listening. The fact that you’re even listening to this podcast, just shows that you’re in the mindset and the proper mindset to not only enhance your business but do the right things. And maybe this is of interest to give yourself a competitive advantage versus competitors by being ISO certified. So regardless of how you got here, thanks for listening and you’re on the right path.
That’s great to hear. Thank you so much. It’s been great. And again, it’s really good to see a point of view from the auditing and registrar side of the table. I can’t thank you enough for being here and taking time out here today to do this podcast.
My pleasure. Any, any time. I’d be happy to do more in the future.
Well, we want to thank everyone who’s listened to our podcast today and we hope it’s been informative for you. And if you haven’t already followed us on your favorite podcast platform, be sure to do so so you won’t miss the next Quality Hub podcast when it’s released next week. Have a great day, everybody.