Have you ever been audited and felt like the auditor’s findings were almost irrelevant in the context of your organization’s major challenges and goals? Did you sometimes feel like you've been handed a Mickey Mouse nonconformity given the issues your organization is confronting? But what is one to do, when maintaining registration to standards such as ISO 9001 is necessary, and therefore complying with the appointed auditor’s findings is part of the process? Let me provide some insights that might help you turn an audit into a win-win situation.
Why do we need surveillance audits in the first place?
Many standards, such as ISO 9001 and the Sarbanes-Oxley Act, which protects investors by improving the accuracy and reliability of corporate disclosures, require that organizations be audited periodically to ensure that the management or financial system (whichever is being audited) has been effectively implemented, and that it continues to meet the standard’s requirements. In essence the audit ensures that the organization is brought back to the path of compliance if there has been any deviation from the norm.
…
Comments
Just say NO! (to Mickey Mouse Nonconformities)
Respectfully, I must disagree with this article. An auditor (either internal or external) who provides management with information that is irrelevant in the context of an organization's challenges and goals should find a new career.
First off, auditors should be reviewing processes in a management system to establish conformance and effectiveness. Every process, just like your bike rider analogy, will have variation. The challenge that auditors have is that they need to examine the objective evidence far enough to determine if the variation is statistically significant (special cause). If auditors did this then the Mickey Mouse Nonconformities would disappear because the findings would naturally become relevant to their customers' major challenges and goals.
If auditors are to be considered competent in the industries and standards they are auditing, then not only should they be able to point out the shall, they should point out the case for management (the why)...far too few auditors have the ability to do this effectively.
Certification and surveillance audits are expensive enough without the added burden of a "Kwality Kop" approach to auditing. Auditors must provide relevant and actionable information to management.
Otherwise the entire certification process continues to come across as a Ponzi scheme.
Focus on QMS effectiveness
I must agree with the Brunetta statement. Based on the requirements of AS9100:2009 and ISO9001:2008, the auditor's focus shall be on process effectiveness. Therefore, Mickey Mouse nonconformities shouldn't occur in the first place. For more information, visit us at http://l2bc.com/
Brunetta, I respectfully
Brunetta, I respectfully disagree that "The challenge that auditors have is that they need to examine the objective evidence far enough to determine if the variation is statistically significant (special cause)."
Companies bring in an auditor to point out the instances where what you SAY doesn't match what you DO. It's an objective assessment that you want, not some subjective decision based on whether the auditor might decide that your particular straying from the course is or isn't significant enough to warrant mention. It's merely a gap they point out, and then you decide whether you change your behavior or adjust the procedure. As Miriam pointed out, even seemingly small nonconformances can turn into big problems later if everyone looks the other way long enough.
Mickey Mouse Audit Points
I'm an auditor, CISA and CISSP. Most of my work is with Sarbanes-Oxley and I would like to point out the following. The auditor, that is, the guy/gal who is actually poring over the volumes of minute details of your operation, is a low-level employee of his/her company. The auditor's job is actually quite simple and goes like this.
For Sarbanes, the business that is being audited has had their Management team address all of their business processes and has written a control (roadmap) for each of these processes. The Company all the way up to the CEO and Board of Directors has agreed that these controls describe the minimum acceptable behavior of their Employees, Products and/or services. The low-level auditor must document and report whenever they find one of the processes that does not meet their standards. It is the job of the auditee's management to determine if their processes need to be improved or their process specifications are wrong and should be adjusted.
I spent a lot of years in the field, headquarters, and district offices of major oil companies before I became their auditor and I understand the frustration of the employees and their managers who have to donate valuable time and resources to audits. The situation is much like a machinist who is given a part that he/she knows is 1/1000 too big (i.e. out of spec). The machinist knows and will not accept such a part because they recognize that non-conformance to specifications will make the part perform poorly to the end user. Very few people really want their work to be considered substandard.
Don Nemec
Katy, TX
Great check on reality!
Thank you so much to all for reading the article. I'm glad we can recognize that irrelevant nonconformities are not value added. But a lot has to be said for what is irrelevant to us, to ANAB, UKAS, to the organizations, etc. etc. Great points made by all!
Miriam Boudreaux
www.mireauxms.com
Consulting - Training - Auditing - Web QMS
Hmmm, how about a follow
Hmmm, how about a follow up article about Mickey Mouse responses to audit observations (not taking the auditors' findings seriously).
Fran, ISO 9001 adopted the process approach in 2000
Fran,
The "Say what you do/Do what you say" approach to Quality Management Systems changed when ISO 9001:2000 was released and the Process Approach was adopted.
I still maintain that there is no value in Mickey Mouse nonconformity findings. It appears we will have to agree to disagree.
Mickey Mouse NC
Fred Hermann
In my opinion, Mickey Mouse NC are evidence of the auditor's insufficient competence. I believe that an auditor has to demonstrate to his/her auditee that he/she has a management problem, and the consequences of that problem will eventually bite him/her in the behind, and probably will cost a lot of money or trouble to the organization.
So, how could an auditor accomplish this?
FIRST, by understanding that ALL requirements are essentially GOOD MANAGEMENT PRACTICES, and should understand why and how they should provide benefits to the organization. If an auditor can't answer the question WHY THIS REQUIREMENT IS A GOOD PRACTICE, then the auditor should go back to studying the standard.
SECOND, by analyzing the objective evidence to determine if it is enough to demonstrate a relevant deviation from the requirement (AKA good business management practice).
THIRD, by answering, together with the auditee, this question WHY IS THIS DEVIATION A PROBLEM FOR THE ORGANIZATION? WHAT COULD THE CONSEQUENCES BE?
By answering this crucial question:
THAT, esteemed auditor colleagues, is in my opinion THE ESSENCE of an auditor's job.
Please check the link
http://isotc.iso.org/livelink/livelink/3814280/APG-InternalCommunicatio…
Best regards
Fred Hermann, Caracas, Venezuela