Standards 101
Roderick A. Munro

Upgrading Your ISO Internal Audit Process

2024 continues to develop into an interesting year for auditing to the ISO Management System Standards (MSS). More organizations are now integrating their internal programs to include some combination of 9001, 14001 and/or 45001. This does make sense with these standards developing maturity in the markets, and subsequent customer demands or requirements. In Europe, many organizations are now combining ISO 14001 and ISO 50001 (Energy Management) to form the basis of Sustainability.

However, prior to the release of the ISO 9001:2015, I noted that it was becoming harder and harder to identify nonconformances at my clients. Today, we did get the ISO drop back in February 2024 for the Climate Change thing, but otherwise there have been no changes in the standards since 2015 or 2018 for the ISO 45001. (Please note the side bar on this topic.)

This year, I have had several cases where I have written seven to ten minor nonconformances against a client for mostly things that should have been preventable. Maybe this should not surprise me though, as it is very common for me to ask quality professionals who W. Edwards Deming or Joseph M. Juran were, and few people even know those names. I ask many lab technicians or inspectors if they have ever heard of Quality magazine. Mostly no! This also expands in the Environmental, Health & Safety (EHS) world as I ask people if they know what the EPA ECHO is (Enforcement and Compliance History Online - https://echo.epa.gov/) or who the American Society of Safety Professionals (ASSP) is as they work with the American National Standards Institute (ANSI) on the ISO 45001. This even extends to the American Society for Quality (ASQ) as many individuals do not know that ANSI works with ASQ on the ISO 9001 and ISO 14001.

Therefore, the ongoing challenge for many companies is how to upgrade or integrate internal audit knowledge and competence, and maybe cross-train auditors for all the auditing schemes that your company is currently registered to or may be planning on expanding to.

During a recent audit, the challenge of auditor competence, the climate change mandate and basic knowledge of OSHA & EPA came into full view, resulting in the writing of ten minor nonconformances in three days. And this is not the first time this year that I have had what I would call a high number of minor findings. The internal audit program should be so robust that it makes the chance of registrar auditor findings very low. And to top things off, the top EHS Manager did not know where to find the regulations (that registrar auditors are not to cite in audit reports). So, this organization has a challenge and needs to update various personnel skills as they relate to the ISO registration process. Even the plant manager was not ready for the climate change question and struggled to find something to use in answering the question.

Is your organization’s internal audit performing in an effective manner? How many findings, observations and opportunities for improvement (OFI) are being generated in your process? Just as many companies are working hard at improving the near miss records for safety protocols, the internal audit process should be generating any number of ideas, opportunities and potential issues that could help prevent external findings. If your internal audit program generally generates only a few observations each year (quite common in my experience), then there are opportunities for you to improve your internal audit program.

The starting point for the internal audit improvement process is probably doing a multi-year review of how many findings, observations and OFI have been generated by your internal team(s). This matrix should also be broken out by clauses in the various standards so you can compare your internal results with the registrar’s findings in the same time periods. This can tell you where the registrar may be seeing things that your internal team is missing, and where the team may need additional training.

After comparison against the registrar findings, it is then time to look at the results of your internal team. Here is a chance to take a lesson from the EHS area that uses the Safety Triangle. The Safety Triangle was first devised by William Herbert Heinrich in 1931 from over 75K safety investigation reports, in which he noticed a pattern of safety (first called the Heinrich Pyramid). This was not long after Walter Shewhart noticed the pattern in manufacturing that led to the control charts used in quality today. This was further refined in 1966 by Frank Bird after studying over 1.7 million safety reports. He called this the Bird’s Triangle. The triangle starts with unsafe habits at the bottom, followed by near misses, minor safety accidents, major safety accidents and then the death of an employee at the top of the pyramid.

If we use this thinking on the internal audit process, we should be striving for a large number of opportunities for improvement through various meetings, employee suggestions or from the internal auditors asking people what could be better in their jobs. If actual gaps are found internally, we should be calling them internal minor nonconformances (or findings) versus the external registrar finding the gap. At the top of this pyramid would be the internal major findings or worse yet, the external auditor writing a major nonconformance. See graphic.

During the recent client audit, an internal global audit had been conducted about six weeks prior to my arrival. There were a number of internal observations written. However, at least one of those items was really a minor nonconformance written to appear as something less important. And the audit team missed important OSHA and EPA requirements around the property. Once the client saw the full list of my ten minor nonconformances, they asked if at least three of them could be downgraded to observations.

My answer to them went like this:

“Prior to the 2015 standards being released, the use of Observations was very common among registrars. However, with the release of the 2015 – 9001 & 14001 and subsequent standards, the IAF & ISO have mostly banned registrars from using “observations” in any audit report. Inside my Registrar, the use of Observations is now banned.

Even the use of “Opportunity for Improvement (OFI)” by registrars has very strict wording that has to state that there is no violation of the standards, regulations or company policies.

The reasoning behind this is twofold:

  1. ISO conducted global focus group meetings with executives from around the world prior to the 2015 releases and the executives stated that the ISO 9001 was not worth much at the time because registrars were not writing many findings.

  2. ISO conducted reviews of Registrars through government groups like ANAB, UKAS and others that were showing that many registrar auditors were using observations to downgrade what should have been minor findings. They also noted a number of times when minor findings were written when they should have been major findings.

     1. This is why in Minor Nonconformance (MNC) #3 of the report about the corporate internal audit, I commented that the corporate auditors wrote an observation that should have been a minor finding.

One of the methods that I do have available is to group similar items into findings, for example MNC #1. Since I have not worked with my organization’s team out of your headquarters company before, the risk that I am taking is that my registrar’s senior lead coordinator for your company may feel that I went too far and put too many things into one minor finding group. They could consider breaking my finding number one into additional findings. This has not happened to me before, so I hope that things will go as written.”

So, any time a Registrar’s auditor sees a potential regulation violation, something against the audit standard, or some gap in a company policy/work instruction, we are now required to write minor findings. Even if it is a one-off, the companies then are required to look at their situations to see if the issue is a one-off or a more systemic issue that needs to be addressed. One example here is that those tires have been there for some time, going back several site managers, and the current team was busy with other issues and did not notice that the pile was growing.

When reviewing your organization’s internal audit program, ensuring the effectiveness of the process is a key responsibility of the management team. When a registrar auditor writes as many findings in a year as the entire internal auditor team, there is a problem! The internal team should be so robust that they make it very hard for the external auditor to find much. By analyzing your internal audit process, you should be able to reduce the number of external findings from your registrar.

Side Note

Author unknown, but this list has come down through formal channels to registrars –

For ISO 9001 the anticipated date of release for the published version is proposed to be November 2025; however, there are on-going discussions taking place within the ISO Technical writing team on whether the changes constitute just an amendment or a full revision of the Standard. Depending upon the outcome, the transition timeline and release of a new version may be affected. We can expect that the proposed date of publication will drift back into 2026.

For ISO 14001 the related ISO Technical Committee has yet to decide whether there will be a full revision or just an amendment issued. This also impacts timelines. Currently, if there is only an Amendment to the existing Revision then it is expected that this will be published in October 2025. Again, there is uncertainty at the moment as to whether the changes proposed are significant enough to require a revision update of the timelines for publication and the transition may then be affected.

For ISO 45001 the ISO Technical Committee started the process of revision in October 2024, which will take at least two to three years, as a minimum. This will be published as a newly updated version of the Standard and will facilitate a three-year transition process.

Roderick A Munro, ASQ Fellow, CMQ/OE, CQE, CQA; Fellow CQI; IRCA QMS Lead Auditor, and business improvement coach – Integrated Management Systems: ISO 9001, 14001, 45001, at RAM Q Universe Inc. He can be reached at ISOauditguy@yahoo.com. Find him on LinkedIn at www.linkedin.com/in/roderickamunro or visit www.ramquniverse.com.

Munro is the 2006 Quality Professional of the Year.