Last-minute hints for preparing for your audit.

This is a scenario I see all the time: The quality manager in a place leaves, and a replacement is hired right before the audit (this may be you). There is a last-minute panic about how to prepare for the audit. Quite often, not always, the new quality manager is less experienced and there are high expectations. This is a chance for the replacement to be the hero or heroine.

Prepare for an ISO audit

If you are in that situation, and even if you are not, you need to know what the auditor is going to look for. You may be at a bit of a loss as to what to prioritize as you prepare for an ISO audit.

So, as a public service, I am going to give you the short list that you can use, given that you have limited time, to prepare for the audit before your certificate is suspended.

Know the Repercussions

You are doing the ISO thing for a reason. Chances are one or more of your important customers have required it.  The “penalty” for not being in conformance with the standard may be up to and including suspension or termination of your certificate.  If and when the customers get wind of that, it could cause some serious problems such as you being dropped as a supplier.

How does this happen? Your auditor shows up, and his or her job is to make a recommendation, based on what the audit findings are. If he or she finds out that you haven’t been maintaining the system he or she will make the recommendation to your registrar to suspend or terminate your certificate. This gets reported on the registrar’s web portal, and your customers find out.

Since your company invested substantial amounts of money into getting and maintaining the registration, you probably don’t want that to happen.

A second possibility is that of one or more “Major Non-conformances”. These are issued due to lapses in the system, failure to address the handful of core requirements, or failure to address a non-conformance issued in a previous audit. The repercussion is that you will have to pay for a follow-up audit, and that means auditor expenses, enduring another audit, and a general nuisance factor for everybody involved, including the auditor, who quite often loses revenue because of it.

So, the main repercussion is: a lot of people are unhappy.

Fix the findings from previous audits

This is the type of thing that drives your auditor nuts. You had a minor non-conformance in your previous audit, you don’t address it, and that condition still exists when he or she comes in a year later.

This demonstrates that your corrective action system is ineffective.

So your first  course of action is to try to find a copy of the last audit that was done at your place. Do not hesitate to call the registrar and explain the situation, and have them send a copy to you (it may be easier for them to find).  That way you know if any findings were issued.

Then, in whatever way is required by your system, address the non-conformance situation.

Your corrective action procedure (which you should look up) may require you to issue a corrective action or 8D or other formal process for any areas of non-conformity that were identified by the auditor. If that is the case, confirm that this was done, and if not, take action.

In any case, fix the problem and maintain records of what you did, because the standard does require you to maintain “documented information” about the actions taken.

McCaig’s Law

I used to work with a guy that said that nothing happens in isolation, and that clearly applies to this case. Quality managers, being the kind of people they are,  hardly ever leave a job suddenly without good reason. That being the case,  you may have already figured out that there are a lot of other problems including problems with the quality of the product. They may have known for a long time that they were going to leave and did not maintain the system properly.

So it is quite possible that in addition to not responding to the NC from last year, there are some other things missing from your system.

Make sure your internal audit is done

It is a requirement of the standard that the organization conduct internal audits. Absence of the records for this is usually grounds for a major non-conformance.

That being the case, your next priority is to locate the records from your last internal audit, which are required, including any corrections or corrective actions you may have generated, and confirm that it got done.

You may also want to locate your internal audit procedure, and see what you required yourself to do regarding the audit program. (The standard requires you to have one, but leaves it up to you to develop an internal audit plan, and specify the frequency.) Most companies require a full system audit annually, and probably about half of the companies I work with have some sort of “partial system audits” throughout the year. One of the possible failure modes of this is that they get done for a few months and then they stop. You need objective evidence (records) of all of this.

If this is the case, you need to complete the internal audit as required.

A good way to do this is to hire an outside auditor to come in and finish it for you. It saves you from having to do it yourself, it is done professionally, and it will give you the chance to observe an audit in case you choose to do it yourself next year.

Do I know one? Yes I do.

Complete the Management Review if needed

The internal audit and management review processes are the key drivers of change and improvement in a business, and if your management did not get around to completing your management review, this needs to be done.

In this case you once again need to consult your management review procedure if you have one. The words “annual” and “meeting” do not appear in the ISO standard anywhere, but in most cases, the clients require themselves to do an “annual meeting” of some kind.

What is required is “documented information” on the results of the management review.  It is also a requirement that you have objective evidence that you reviewed internal and external issues, the needs and requirements of “interested parties”, risks and opportunities, and a whole list of other items that are found in clause 9.3.1 of the ISO standard.

This is not exactly the same as the “weekly management meetings” which happen in some companies.  Some or all of the requirements of the standard may be discussed and if so that is fine. The most common failure mode is “yeah we have these weekly meetings, but nobody takes notes.” So you need the notes, at least as objective evidence that the items required in the standard, especially the metrics and customer complaints, were “reviewed”.

Check your corrective action system

Most companies have a formal system of corrective actions so that when non-conformities happen, such as screw-ups of a given magnitude or a customer complaint, a process is followed to determine the cause, and do something to fix it. This is a requirement of clause 10.2 of the standard.

Note, by the way, that a “corrective action” in the ISO sense is different from a “corrective action” in the military sense, which is better known as a “butt chewing”.  A future post will cover the difference between a correction and a corrective action in ISO terminology.

The most common cause of failure of a corrective action system to function is that the corrective action is issued, and assigned to someone in management (such as a supervisor) and it does not get done in the required time frame.  The second most common failure is the corrective action is addressed, but there is no required follow-up later on to see if it “worked”.

All of these things require buy-in by the employee that the corrective action was assigned to, and in organizations where the quality manager is about to leave, those people also often realize what is going to happen beforehand and stop doing formal corrective actions.

So if your corrective action system has a lot of loose ends, as determined by your procedure, then by all means fix the situation, and complete the documentation.

Check your process objectives

Clause 6.2 of the ISO standard requires you to have measurable quality objectives to determine whether your processes are effective. These are required to measure “product conformity”, that is, whether or not you produced your product or service according to requirements (the most common of these in manufacturing is scrap rate), and “customer satisfaction” which may be complaints, returns, the results of a customer survey, or any of a dozen things.

You would be surprised (maybe not) how often organizations don’t reflexively do this. The reason, especially in some startups and entrepreneurial organizations, is that the boss doesn’t see the need. 

At one point, however, if you are already ISO registered, you developed a system of metrics, and if that is the case, it is quite likely that the departed quality manager was in charge of the calculations, and may have stopped doing them at some point.

So the next course of action is to revive that data if necessary, and if the process objectives are not being met, issue corrective actions or otherwise take some actions such as improvement projects to address the issues.

Summary

It is actually fairly common for there to be a rough transition from one quality manager to another, and this often happens in organizations that have a lot of other issues over and above that.  If that has happened, and a hot potato lands in your lap, I hope this brief summary gives you a short-term course of action and a to-do list.

Did I say that I know someone who can do contract auditing?
