how to know what is a process and what is not?
Good morning, I have been performing internal audits for our company for about 4 years now. Every time I think I know what needs an internal audit I find that I am still missing things when our auditor from SAI Global shows up. Our written QMS (ISO 9001:2015) which was  written before I started states that I need to perform Process audits of our 5 major processes at least once per year. This year I did just that and the auditor from SAI Global questioned why i did not perform individual audits of all the sub processes. We are a manufacturing business (machine shop) for civilian, government and military products. I have to perform many different types of work here from maintenance to running machines to international compliance. If I really had to audit every process each year I would never have enough time to complete them. Any suggestions on how determine what needs to be audited and what does not. I took an internal auditor class but it went so fast and the group I was with had vastly more experience than me. In the group section of the class, every time I made a suggestion they just shot me down and ignored everything I said. I feel like I do a good job as in our past 3 audits from SAI Global, the report has listed no non-conformances. Our auditor Richard Piro of SAI Global suggested that I ask for help from myASQ. I am always looking for ways to continue learning since I like to be challenged. The other challenge I have is, this company has been successful for the past 50 years. It is very hard to change how things are done since their methods have worked just fine to make this a very profitable business.  Let me know what thoughts you have.
Matthew Miller
4 Replies
Oh well, I was hoping a membership with ASQ would help me as our auditor from SAI Global suggested, but I guess not.
Hi Matt, 
First, what did you answer when the auditor asked you why you hadn't audited sub-processes?  I thought your rationale included here was acceptable--there are so many it would be unreasonable to review them all.  Perhaps though, a sampling from one of the five main processes would be appropriate.  The choice of process for which a lower-level sampling would be reviewed might change periodically, or every x audits, or based on some other indicator of priority.  In support of the auditor's perspective, if you never get to the lower-level processes how do you know they are conforming?  It is often the case, especially in older, more established operations, that gaps exist between what is written and what is actually being done.  Thus, even when the output is conforming--suggesting that the process itself must be conforming--there might still be hidden efforts being made to make it so. Also, and in the spirit of continuous improvement, if you don't dive into the details how will you know what needs to improve?  I appreciate your position.  Keep the faith. 
Will Leonard
Duke Okes
161 Posts
Use a risk-based approach to decide what sub-processes to audit and how frequently.

1. Sit down with the process owner of each of the five major processes and ask them which would have the most impact on performance (customers, product, cost, etc.) if they failed.

2. Look at performance data (e.g., customer feedback, complaints, nonconforming material, delivery performance, equipment downtime, ...) to identify which processes may be having most difficulties.  Review corrective actions to see what processes were involved in the nonconformity.

Also, consider that you can also not just audit for compliance, but also to look for opportunities to improve.  You could have process owners/subowners participate in these audits as observers and discuss what you see.  Can use a lean perspective, quality defect perspective, ...
 
I'm four months in at my current co. And I'm trying to audit every process this year. I've got a list of about 60 of them. It's good for me this year, since I'm learning about my company. But no way I will be able to do so every year. Luckily, when I checked with my registrar, he confirmed they don't require every process every year. Some registrar's do. He gave me a list of critical ones to do annually. ( Although I really don't know how to audit myself for the internal audit process.) The rest are to be chosen based on company request, performance, and risk factors. Basically, what the standard says.
oh, and next year I hope to not include any managers in my internal audits so I can hear from the people in the trenches. (Except when I audit leadership / mgmt review.)
and note, Some auditors just like to be painful.
Does your company have an SOP with a little more clarity on how you determine your audit plan for the year. Maybe that would help in your external audit, as you can show him you're meeting the standard and your procedures.