The ISO certification scheme is in a tailspin, already suffering from declining interest in ISO 9001 certifications, and increasing frustration with the ISO 9001:2015 standard itself. The coronavirus pandemic isn’t helping, of course, and is more likely to push companies to withdraw their certifications entirely as they will struggle to support audits and audit deadlines. The registrars, meanwhile, are pushing hard to scramble and get their houses in order to conduct “remote audits,” all while assuring their clients that everything will go on smoothly.
Most of them are lying.
Back in 2010 — ten years ago! — I fought with ANAB and a west coast certification body to have them conduct remote ISO 9001 audits of an IT consulting firm located in Maryland. Now, IT consulting firms are the easiest companies to audit remotely, since all the evidence can be presented via document share. There are no manufacturing floors to walk, no stockrooms to poke around in, and no MRB cages to check the locks on.
But neither the CB nor ANAB could get their act together to roll out remote audits, and for the next ten years demanded my client undergo physical, on-site audits. The problem was so bad, ANAB dropped its procedures for Computer Assisted Auditing Techniques (CAAT) altogether, saying they were “not popular” with CBs. That was untrue, too; ANAB gave poor guidance on how to conduct CAAT audits, and then threw up so much resistence and bureaucratic paperwork, the CBs just said, “screw it.”
Then, coronavirus. Now all of a sudden, faced with no option to do on-site audits, they want to dream up solutions. PReviously, when clients wanted remote auditing, everyone said, “no.” Now, as the CBs and ABs face utter collapse, they suddenly get creative.
But ISO 9001 audits don’t lend themselves to remote auditing. By requiring auditors to “free roam” during audits, they have to physically wander a facility looking for scraps of evidence. The selection process is random, dependent on the skill or abilities of the auditor as much as their whims, mood and physical fitness. A lazy auditor will always find less evidence than an energetic auditor. The antisocial auditor will find less evidence than the extrovert. These are fixed realities, built-in limitations by an aging audit model that was poorly designed from the start, and never once improved in the 70 years it’s been in use.
Q001 fixes this. By pre-defining the minimum evidence required to achieve compliance — documented in the supporting standard Q002 (“Minimum Audit Evidence Requirements“), there is no need to wander the shop floor aimlessly, hoping to find scraps. The lazy auditor and energetic auditors must both gather the same identical information; so, too, the introvert and extrovert. Anything less means the audit is rejected, and they have to go back, on their dime.
By dictating the minimum evidence, the client knows what they must prepare for the audit, as well. The bulk of the information can be readied for the auditor, ensuring a smooth audit process. Better yet, this is ideally suited for remote auditing via web conference. There’s no fumbling around in filing cabinets or boxes of paper records.
The concern to be raised would relate to whether a client could “fix” the audit by selecting only evidence that satisfies the clauses, and thus steer the auditor away from nonconformities. The Q001 scheme and training address this through a number of protocols, including dictating the samples to be selected (“just one” isn’t enough), and then confirming the veracity of the evidence once it’s presented.
ISO 9001 registrars currently claim that they can mimic the on-site portion of their audits using video. Essentially, they are asking that the client walk around the plant, holding a cell phone camera, while the auditor barks “turn left, no turn right!” There certainly could be some of that used in Q001 audits, but I understand its ungainly and unreliable.
Instead, the Q002 Minimum Audit Evidence standard dictates what will be looked at; as a result, the client can take photographic evidence — with time stamps, to verify the dates the photos were taken — and present those. A single photo of a cubicle or work area can yield a lot of evidence, and generate a multitude of audit questions.
ISO has grown terrified of requiring documents and records in its standards, thus making audits more difficult since it reduces potential evidence. It also pushes clients in the wrong direction, nudging them into relying more on “oral tradition” which is never good. Q001 puts those requirements back in, demanding companies build a backbone of their QMS supported by formal procedures that ensure everyone walks to the same beat. By re-establishing the primacy of documents and records — let’s face it, good companies have to keep these anyway — Q001 audits can rely primarily on these, and less on whatever an auditor may physically trip on while on the shop floor.
Finally, there’s Q017, the Oxebridge standard on Remote Auditing Methods. For the first time, auditors and clients are given the same set of rules on how to conduct remote audits, obviating the need for on-site audits altogether. The standard dictates what technology to use, how to use it, and how to ensure the audit evidence doesn’t fall into the wrong hands (I’m looking at you, China.) To put our money where our mouth is, Oxebridge has rolled out Q017-compliant audits using RegDOX, which ensures ITAR, EAR and NIST compliance for security and export control concerns. Meanwhile, ISO auditors are still having clients send them ITAR controlled drawings and manufacturing data to their old AOL email addresses. Sigh.
It’s just a matter of time for Q001 certification to achieve common uptake, given the benefits it provides over ISO 9001. The fact that a WQ001 company will automatically comply with ISO 9001 isn’t a bad thing, either. The driver will be getting large companies like Boeing and Honeywell and General Electric to start mandating Q001 as an alternative, or compliment, to ISO 9001.
But we’re ready. We’ve proven the Q001 system is more resilient than that of ISO 9001, costs less, and can result in a far more trusted certification.
For an introductory video on Q001, see this: