
Friday, December 10, 2010

MAJOR REVISIONS TO INT'L STANDARD

Background
Eight years ago, the International Standards Organization (ISO) issued the 19011 standard for quality and environmental management system auditing. It combined the separate quality and environmental management system audit standards into one. Good step. Unfortunately, the pressure to do this was coming from the conformity assessment community (sometimes called registration or certification) and the big multinational firms. The first 19011 standard reflected this bias and the USA delegation voted “no.” It passed anyway. About three years later, the USA released a supplement to the international version, giving additional guidance on how to apply these principles to small and medium enterprises (SMEs) and internal (first-party) audits. The ANSI version of 19011, with the supplement, was a market success and outsold the international version by a wide margin.

Shortly after the ANSI version came out, the international committee started its required review of the original 19011. ISO procedures require this every five years, although it is often stretched out longer. The choices are revise, reissue, or reject. It was pretty obvious that the 19011 needed revision. Unfortunately, the international committee was upset with the Americans for making the standard better, so we were ignored for several years. The work stalled until a couple years ago, when some fresh faces joined the group, and USA participation was once more welcomed.

In the meantime, the Conformity Assessment committee decided to take over audit standard development for third-party registration/certification. A new committee (17021) was assigned the task. So the 19011 standard revisions will now cover internal audits and supplier audits. Hurray!

Major Strengths
* The auditing standard now covers all management system auditing: quality, environment, safety, security, etc. This fits right in with the trend of organizations integrating their management approaches. The revision is coming closer to other audit standards, such as the yellow book (US Government Accountability Office – GAO) and the red book (Institute of Internal Auditors – IIA).
* As mentioned above, third-party conformity assessment (registration/certification) audits will have their own new standard: ISO 17021. Publication of the new 17021 will probably occur quite soon, as the people writing it have a common focus and the intended audience is smaller.
* For the first time, the concept of risk appears. This is the risk of performing a bad audit, having incorrect conclusions, and not the risks taken by the auditee. For several decades, the IIA has included the concept of audit risk under their banner called quality assurance. While the concept is only briefly discussed in this 19011 revision, it is a good start for a long journey.
* Guidance on training, competency and evaluation of auditors is greatly improved. Gone are the tables of degree requirements, years of service, audits observed or performed, etc. The discussion is quite rational on what competencies are desired, how to achieve them, and how to measure them. Specific examples for various management systems and business sectors are given in an informative annex. The thoroughness of this information will overwhelm many users who just want to get or maintain their registration certificate.
* Sampling strategy is presented in an informative annex. It covers both statistical and judgment sampling in a non-technical manner.
* Most of the “practical Help” information from the earlier USA additions was transferred to this revision. While the additional material makes the document nearly 70 pages long, it significantly increases the understanding. It should result in better internal and supplier audits.

Major Weakness
* The standard continues to use the term client without clear definition. To say that the audit client is the “organization or person requesting an audit” is unsatisfactory. A clarifying note says, “The audit client may be the auditee organization or any other organization which has the regulatory or contractual right to request an audit.” This makes it sound like the majority of internal or supplier audits are requested by the group about to get audited. My experience says it is just the opposite. We should remove this debris from conformity assessment days and be truthful. Either remove the term or define the client as the person(s) in charge of the audit program.


Next Steps
The international committee has recommended the revision as a Draft International Standard (DIS), meaning all of the heavy lifting is done and the proposal is ready for release to the user community for comment. Our USA delegation meets in November to prepare the USA vote on this advancement to DIS. Unfortunately, the committee team leaders feel the revisions are not ready for the DIS stage. They suggest this draft contains too many new concepts, which may not be accepted by the user community, without stating what might be objectionable. This puts us in a very weak position to effect change. The strengths identified above are needed in today’s world of economic uncertainty, advancing technologies, and ecosystem challenges. Promoting sound management system audits, as described in the draft 19011, will make the world a better place to live and work.

The international working group plans to meet in Guadalajara, Mexico, in early March 2010. Comments will be collected, discussed, and another draft prepared. Once it achieves the DIS (draft international standard) level, ISO rules require it be made available to the public for comment. (Available does not mean free, however.) I am optimistic that the new and improved standard will be released a year from now.

Source: http://auditguy.blogspot.com/2009_10_01_archive.html