The purpose of the registrar's audit is to assess the effectiveness of your Quality Management System (QMS) by evaluating evidence of its performance. Their goal is to determine conformance of your QMS to ISO 9001:2000 and your own internal requirements.
Some examples of evidence during an audit include:
- Documentation - what you say you do
- Records - what you say you did
- Interviews - how you explain what you do
- Observations - how you show what you do
The auditors will record all evidence of conformances and nonconformances found. During the audit, they are not looking for nonconformances per se but they will review evidence of nonconformance when it is found during the audit. If they find evidence of a nonconformance they will note the details and likely look more closely at the issue in question to ensure there is an actual nonconformance. If confirmed, this will result in a finding.
Audit findings can results in one of three levels of nonconformance, each requiring a different response:
- Major Nonconformance - a neglect to implement a significant requirement in the ISO standard (e.g. no working internal audit program). ISO certification cannot be granted until after the discrepancy is resolved and possibly re-audited.
- Minor Nonconformance - a single incident of nonconformance to ISO or internal requirements that does not indicate a complete breakdown of the system, but only an isolated occurrence (e.g. an incomplete management review). This will normally require submission of a corrective action plan to eliminate the nonconformance.
- Observation - an incidental discrepancy or an opportunity for improvement noted during the audit (e.g. a document numbering scheme that is confusing or overly complicated). This does not require a formal response to the audit but you may choose to implement the recommendation at your discretion.
Following the audit, you will be given a period of time to respond to nonconformances (typically 30 days). This usually requires completion of a Corrective Action form from the registrar and may require including an example of a corrected document or other appropriate evidence.
Preparing for the Registrar's Audit
- Any employee may be audited so every employee must be prepared.
- Notify all staff of the dates of the upcoming audit.
- All employees should be prepared to:
- Discuss the quality policy and quality objectives (not quoted verbatim but generally understood)
- Show procedures, work instructions and records that pertain to their job.
- Answer the auditors' questions if asked.
- Be sure that your internal audit and management review has been completed and that corrective actions have been issued for all nonconformances.
The Opening Meeting
- Invite several key staff to the opening meeting. This should include department heads and other key individuals. You may want to invite the same group to the closing meeting.
- The auditors will have a prepared introduction to the audit to review the audit scope and objectives.
- The top manager of your organization should offer a "welcome" and introduction stressing the organization's commitment to ISO and reminders to all staff to fully participate in the audit if called upon and that this is an opportunity to learn.
- Review the audit schedule and request changes to accommodate staff availability and other potential conflicts. Notify all departments of the audit schedule, keeping in mind that the schedule may change as the audit progresses.
- Discuss the time and arrangements for lunch. You would normally be expected to provide lunch and should plan to join the auditors for lunch. This is a good time to get to know your auditors and build the relationship.
- Ask questions on anything you don't understand.
During the Audit
- Accompany the auditors at all times. It is often best if this is the Management Representative or Internal Auditors.
- Take notes of all actual and potential nonconformances. Use these notes when the auditors are reviewing their findings at the end of the audit.
- Help the auditors determine who to speak to during the audit.
- Offer clarification for the auditors and auditees during the audit, as appropriate.
- Do not let the auditors look for documents or records on their own. The auditee should locate and present what is requested.
- If the audit spans more than one day, ask for a short debrief meeting at the end of each audit day to discuss what was seen that day. This will give you a chance to understand any concerns the auditors has with what was found and possibly give you a chance to explain further to avoid a nonconformance.
- If something is found that can be fixed quickly before the audit is complete, you can sometimes present the fix to the auditors and avoid a nonconformance.
- The auditors should not offer their own opinion about how you run your organization. Their findings and discussions should be limited to the documented requirements in ISO and your internal documentation. If you believe something is being suggested that is outside of the audit scope, you can ask, "Where does it say in the standard that your suggestion is required?"
- If you have not closed a corrective action from an internal audit finding before the registrar's audit and the same issue is found, you should produce the issued corrective action from your audit for review by the registrar. This might avoid a nonconformance finding by the registrar because you are showing that your internal process is working.
- It is normal for auditors to find nonconformances during an audit and rare that none are found. This is often because of the higher level of skill and experience they have in auditing and the "fresh set of eyes" they bring to the process.
The Closing Meeting
- The auditors will need an hour or two of private time to prepare for the closing meeting. You should provide a work area or room for them to work.
- The auditors will have a prepared summary of their findings to review during the closing meeting that will include positive things found as well as nonconformances.
- All nonconformances will be formally documented on a Corrective Action form.
- Follow your notes taken during the audit as the registrar's report is given. If there are details they overlooked or misunderstood, you can offer clarification during the meeting.
- If it is not clear what exactly is discrepant in your system vs. the ISO standard, ask for clarification.
If You Disagree with a Finding
- During the closing meeting, you should discuss any nonconformances reported by the auditors that you do not believe are accurate. This might include something that the auditors misunderstood during the audit or did not see all of the available evidence. Keep in mind that this is not your last chance to address a finding you do not agree with.
- You may discuss findings you do not agree with or understand, but avoid arguing with the auditors.
- Occasionally, auditors may include a "suggestion" as a nonconformance rather than an observation. A suggestion is something that might improve a process or simplify something, but is not out of compliance with a documented requirement, whether an ISO requirement or an internal requirement. In this case, you may be able to convince the auditors to change the nonconformance to an observation.
Following the Audit
- It is suggested that you communicate with all auditees and perhaps all employees the results of the audit, thanking everyone for their participation and reassuring them that nonconformances (if any) will be responded to appropriately.
- Keep in mind that a nonconformance, even if major, is not the end of the world. You will always be given a chance to correct anything that is found.
Responding to Corrective Action Requests
- Once the auditors leave you should review each Corrective Action request and determine the proper response. Evaluate each one based on its value and relevance to your organization.
- Keep in mind that the corrective action you take is up to you. You might decide to change a documented requirement (if it doesn't conflict with an ISO requirement) and avoid the discrepancy altogether. You might decide to retrain staff. You might need to rearrange a work area. But avoid actions that seem to only satisfy the audit but add no value to your organization.
- Call the registrar if questions arise while you are developing your response.
- Respond to the Corrective Action requests within the required deadline.
- Every registrar has an "appeal" process you can use if you simply do not agree with a finding and find it inappropriate.
