So many are confused by process auditing, it’s become a virus in the industry. Let’s inoculate.

A process audit shifts the focus from the product to the process, and examines each process’ ability to produce a product that meets the requirements for that process. You are still looking at products, but not solely at them. Here’s how it’s done in ridiculously simple terms:

  1. Get a list of the processes. If this hasn’t been done, stop now. You can’t proceed.
  2. For each process determine the product. Experts like to call these “outputs” – don’t get confused. It’s the product of that process. Simple.
  3. Review the documentation for the process. Assess general compliance against ISO 9001 and internal requirements. Write up any findings as part of the document review.
  4. Go where the process is conducted (shop floor, office, etc.) Examine multiple products as they pass through the process. If only one product is running at that time, go back and look at records of other products done in recent history.
  5. Assess the end result of the process and compare against the expected end results. If they don’t match, the process isn’t working. Write a finding.
  6. Go back to step 3 and repeat for each remaining process.

Forget about “inputs” and “outputs” and “process owners” and those ridiculous Turtle Diagrams. They are not required. Assess each process to see if it can produce a product that meets the requirements.

Where it Gets Complicated – Only A Little

Here are the problems you can expect to find:

  • Processes are not identified. Too many companies have failed to identify their processes, because of unclear language in ISO 9001 since the 2000 revision. If the processes are not known, you cannot audit against them.
  • The “product” of a process is not clear.For manufacturing processes, the intended end result is simple: its a physical product. For other processes, or for service industry processes, this can get tricky. But it’s just an intellectual game once you get the hang of it. Here are some examples:
    • If the company has identified “Purchasing” as a process, then the “product” of that process might be purchase orders.
    • For a “Sales” process the product might be “signed contracts” or “customer orders.”
    • For a “QMS Management” process, the product might be a measurement, such as reduction in customer complaints.

But every process is done for a reason, and is done to generate something. Identify that “something” and you have the “product” for that process.

  • The product requirements are not clear.Every process generates a thing, and that thing must meet certain requirements. In our examples above:
    • Purchasing’s purchase orders must be complete, signed off, and accurate.
    • Sales’ contracts must be comprehensive, reviewed, approved and signed by both the customer and the company.
    • QMS Management’s reduction in customer complaints must be measurable, and actually measured.

If you encounter any of these problems, you must stop and issue a nonconformity against ISO 9001:2008 clause 4.1. You can’t go any further until these are addressed, and everything is properly defined.¬†

Another problem is when a process is not active at the time of audit; for example, a production line is temporarily down, or only processing one type of product. In this case, you must audit records of recent process activities, to ensure the product was measured and met requirements.


There are multiple aspects that can result in nonconformities:

  • The company hasn’t identified the process, the products of the processes, and/or the requirements for the process. Nonconformity against clause 4.1.
  • The company has identified everything, but isn’t measuring it. You have no way to ascertain if the process is effective.¬†Nonconformity against clause 4.1.
  • The company is measuring each process, but the evidence shows the process isn’t meeting the requirements. If the company has identified the problem, and is working on corrective action, then there is no nonconformity. If no corrective action is in the works, a nonconformity can be issued against 8.2.3.
When conducting process-based auditing, nearly all findings will be assigned to either 4.1 or 8.2.3. There may be other findings that emerge (out of control documents, lack of training records, etc.) but these are in addition to process-based findings, and not necessarily indicative of a process failure.

Where Auditors Screw Up

Because process auditing is not well defined, it’s left to auditors’ imaginations — and whatever they may have read on some forum somewhere. As a result, we have an entire generation of auditors who over-complicate process auditing and demand to see evidence of things that are not specifically called for in ISO 9001. This includes:

  • Demanding that process owners be defined. Nice, but not required.
  • Demanding that proper resources be allocated. Entirely subjective; an auditor cannot determine the resources, so therefore cannot determine if they are not fulfilled. Only in extreme cases (e.g., the company doesn’t have anyone on staff to run the machines) can a finding be written here.
  • Demanding process improvement. Entirely subjective; improvement can take months or decades, and an auditor cannot assign an arbitrary due date for process improvement.
  • Demanding process map. Not required.
  • Demanding Turtle Diagrams. No…. not required. Just stop. Go home. Switch to decaf.
  • Demanding procedures to support the process. Not required.
  • Jumping to root cause. When a process deficiency is identified, the auditor should usually stop and write the finding. Too many auditors jump to a pre-emptive, on the spot, knee-jerk root cause analysis and write the finding against that. (For example, jumping to a conclusion that training was insufficient.) Root cause is for the company to conduct after the audit is over, not for the auditor to do during the audit.

Auditors waste time looking for process-related aspects that are not required, when this time would be better spent obtaining a greater sample of process data to determine if the process can meet the requirements.

There you go. Process auditing in six easy steps.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.


ISO Benchmark