I received an audit plan from a client recently, sent to them by their AS9100 certification body prior to their upcoming audit. (What I’m writing about is equally relevant to ISO 9001, so stick with me.) This is a typical audit schedule sent to the client prior to a given audit event; in this case, it’s for a routine surveillance audit.
Now recall that audit duration is determined by certain rules defined in various standards. These include IAF MD5 for ISO 9001 and, in the case of AS9100 audits, document AS9104-1. The client in question has 12 employees, and does design. So per the tables, the required audit duration would be 1.5 days:
Now here is where the theatrics come in. The client makes dowels; it’s not a particularly complicated part, and not particularly sexy. Auditing such a company means spending a lot of time looking at the same thing over and over. Compare that to a company with 12 employees making landing gear assemblies or cable harnesses, and you can start to sense a difference.
So the CB auditor has a challenge: how to spend an entire day-and-a-half auditing a company that makes dowels.
But let’s throw in another factor. Between the required three-year recertification audits, there are two surveillance audits. Rules say that the entire standard must be audited over the course of the two surveillance events combined, so each surveillance audit only assesses half the standard.
So now the poor auditor not only has to burn a day-and-a-half auditing a dowel-maker, but he only can audit half the ISO 9001/AS9100 standard!
Creativity, the Father of Invention
So let’s look at what he came up with:
Off the bat, we see he’s auditing “Continuous Improvement” three times over the 1.5 days. One hour for management review, one hour for internal audits, and another two hours for corrective actions. That’s four hours spent on continual improvement, out of a total audit time of 11 hours.
But if it’s a day-and-a-half, shouldn’t it be 12 hours total? Probably, but the auditor scheduled only 7.5 hours for the first day, and then scheduled a half-hour lunch. So he lopped off an entire hour already. Now ABs are supposed to watch for these kinds of shenanigans, but because lunch is involved, though, you’d have a hard time getting them to enforce it.
And that second day isn’t really four hours. In fact, he’s only scheduled two hours of actual auditing, even though the mandatory duration requires four.But then he padded the rest of the time by adding a full 90 minutes for report writing.
The problem is, this isn’t allowed. Let’s take a look: notice how he writes “Prepare for Closing Meeting (time beyond AS9104-1 Table 2 for completion of reports” and then adds “AS9101F” in the notes section. This means he is taking 90 minutes to complete the audit form. But AS910-1 specifically says using audit time to complete audit forms, like AS9101F, is prohibited. Here are the rules:
Now, someone at the CB home office should have seen this, and of course, ANAB should pick these things up during their alleged “witness audits.” But this is routine, it’s done during every audit, and no one ever notices. Or, more likely, they look the other way because the CB sends a check to ANAB.
Going back, then, we see that another hour was scheduled for “QMS Administration.” This is essentially the audit of the process approach — which, ironically, the auditor has ignored entirely since he didn’t schedule the audits around the client’s processes at all. Add a token chinwag with the boss to cover the “Leadership” clause, and you’ve padded your day even more.
So in the end, only 4 hours of the 11-hour audit are actually spent on the core activities of the company: 2.5 hours for Production, and 1.5 hours for Purchasing. This is doubly odd for AS9100, which claims to put so much emphasis on the production-related processes, rather than the management-level processes. If AS9100 doesn’t really care enough about continual improvement and QMS administration to demand they be scored via audit PEARs, why is the bulk of the audit time dedicated to them?
Street Performers in Cheap Suits
The answer is that this is a drive-by audit, dressed up to look like a legitimate and oh-so-sober activity by padding the audit plan. It’s performance art.
To be fair, the amount of time dedicated to the actual work processes comes close to what I do as an internal auditor for this particular client. I checked my records, and I spent 3 hours on Production, and 2 hours on Purchasing. In my case, that doesn’t include report writing time, but I’m fast, so that never amounts to much anyway. But I’m also doing remote audits, which are always faster, since there is zero time for bullshitting around the coffee pot or dragging me out to the rib joint.
But I also only spent 2 hours on QMS Administration and Improvement, not a whopping seven. That’s insane for a company with only 12 employees.
It’s not a one-to-0ne alignment, because my audits are done using a process approach, and the CB here is scheduling them by AS9100 clauses. But you get the idea: this CB has padded his audit days to hit the required minimum audit duration, knowing that — in reality — he probably didn’t need that much time since the client makes a relatively simple part in bulk, with highly repetitive process steps.
The auditor even put in the CB’s boilerplate caveats, none of which ever appear on the final certificate:
So if the problem is that audit tables are largely bullshit, and auditors know this so they pad their audit schedules, what’s the solution?
Well, for one, Oxebridge Q001 fixes much of this. But since no one has ever heard of it, Q001 isn’t ready to take over for AS9100 or ISO 9001.
Instead, the ABs like ANAB need to do their one job, and verify audit schedules as a part of verifying if CBs are following the rules. Then, they need to de-accredit repeat offenders, since what they are doing is essentially B2B theft. You’re paying for an audit, you should get an actual audit.
Next, the IAF and IAQG have to re-examine their ludicrous rules on audit day durations, and account for companies that make simple widgets. The best solution here is to do away with the annual surveillance audits entirely, and move to a Q001-style full audit every two years. That simultaneously reduces overall costs while improving audit coverage.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.