Over at that pasty clownhouse, there’s an article on remote auditing that misses the mark. It, like so many other articles on the subject, places on-site audits as the standard for “effective” ISO 9001 auditing, and then compares the COVID-era remote auditing practices against them.
This is wrong for a number of reasons, the most obvious of which is this: on-site audits are already wholly ineffective. We now live in an era where anyone who wants ISO 9001 certification will get it, even if they ship defective products that literally kill people. If you pay the certification body (CB) bill, you get the cert. The associated IAF accreditation scheme, with its members such as UKAS and ANAB, then exists as some sort of protection racket, to provide public relations cover for certified companies when things go sideways. See here for the latest example.
So anyone opening up their argument by comparing remote audits against on-site audits for “effectiveness” has been asleep for the past twenty years.
ISO Standards Aren’t Built for This
But the bigger hurdle to developing effective methods for remote auditing is the ISO standards themselves.
As I wrote in detail here, ISO 9001’s scope has changed dramatically since it was first published in 1987. First launched as a mere contractual tool, it then morphed into today’s “continual improvement” model, filled with largely meaningless rhetoric and feel-good platitudes.
At the same time, ISO was dumbing down its standards so it could sell them to the laziest possible reader, and boost its sales revenue. Whereas ISO 9001:1987 required about 18 documented procedures, the ISO 9001:2000 version reduced this to six. That wasn’t enough, and companies still complained. So for its 2015 edition, ISO 9001 removed nearly all documentation requirements, replacing them with requirements to “determine” or “identify” things, without any explanation of what the heck that actually means.
Because psychics don’t exist, auditors now find it’s impossible to gather objective evidence of mental exercises like “determining“. Without a hard requirement for documents or records, auditors are left with two choices: (a) invent requirements on the fly, and demand records anyway, risking having their nonconformities thrown out as a violation of auditing rules, or (b) make certification decisions based on casual, feel-good chinwags with management, without any attending proof.
Most auditors don’t like having their findings reversed since that affects their pay, so they opt for the latter. Is it any wonder, therefore, that ISO 9001 audits have become a joke, and so many companies both gain and retain their certifications no matter how many people they kill due to poor quality products?
On-site audits have already been reduced to a dilute soup of rhetorical blather, peppered with hours of an auditor sitting there telling you about his latest fishing trip or bowel infection. Now consider the plans to allow auditors to obtain low-cost qualification through “life experience” rather than actual competence. The audits were bad enough, but now you’re going to have untrained, underqualified morons audit a useless standard over a wobbly internet connection, all while sitting in their den at home.
The Solution
Mind you, remote auditing can work. But by only addressing the remote auditing methods, the powers-that-be are only attacking half the problem. And in the wrong order.
Before we can tackle how to perform remote audits, the standards themselves must be re-written to provide clearer descriptions of required evidence. This will then make both on-site and off-site auditing much more reliable and consistent. To do that we must return to the day when standards called out required documents and records, and didn’t kowtow to lazy companies who only want a certificate on the wall.
Putting requirements for documents and records back into ISO 9001 would have multiple benefits beyond making auditing easier, too:
- Writing down requirements for activities results in improved performance, consistent training, and reduction in variation. ISO’s shift to “tribal knowledge” and “training by oral history” was a massive step backward that has resulted in a dramatic reduction in quality and increased risk of product failures.
- Demanding records likewise helps reduce liability for standards users, whether they know it or not. When things go wrong, companies scramble to prove their case; without adequate records, that’s impossible. This can lead to claims by customers, liquidated damages, disbarment, or even prosecution.
And, seriously, we need to ask ourselves: if lazy companies want an ISO sticker on their website but aren’t willing to do work like documenting and recording things, should they really be certified at all? Maybe it’s time to kick the slackers out, if only for the sake of public health and safety.
Remember that standards are supposed to dictate “what” is done, but cannot tell the user “how.” That’s a key rule that ISO itself has since forgotten. (Look at ISO 9001:2015 clauses 6.2.2 or 7.4 to see that ISO has now surrendered telling companies “what” to do, letting them write in their own requirements.)
So it’s completely feasible for ISO 9001 to require that, say, a company “shall record a list of its interested parties” for clause 4 on Context of the Organization. As that clause is written now, it requires no documents, no records, and no actual actions other than “determining,” which cannot be proved (or disproved) during an audit. Take a look:
Due to their effect or potential effect on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, the organization shall determine the interested parties that are relevant to the quality management system
By telling the user to “make a list“, ISO could clarify what it really wants, while still dictating “what” but not “how”. The user can make the list in any format or means it wants, but it must have something it can prove to both its internal auditors as well as any certification bodies later. Problem solved.
This is the exact approach we took with the Oxebridge Q001 standard. When trying to come up with a way to improve remote auditing, we knew we had to re-write the standard to match. That’s why Q001 increased the records and documentation back to where they were in the 1990s. Coincidentally, for those of us old enough to remember, back then you had fewer undeserving companies getting ISO 9001 certified and — believe it or not — companies could actually fail their audit. Imagine that happening now!
So if the clause on “purchasing” requires the user to develop a procedure, then a third-party auditor has something to bite into. He or she can ask to see the procedure, and then audit the client to the language inside that procedure. If the procedure says that certain records must be produced, the auditor can demand to see those records. This has the added benefit of ensuring everyone in the company has an internal standard (the procedure) telling them how they are expected to do their job.
Shop Floor Auditing is Overrated
The weakest part of remote auditing, then, is the inability to properly “walk the shop floor.” But — and make sure you’re up to date on your heart meds, as I say this next thing — walking the shop floor is overrated. It is kabuki theater, designed to make you feel like something is happening. It’s a performance, done in order to justify an auditor’s day rate.
Again, if shop floor auditing worked, would we have this plague of companies routinely pumping out defective products while holding ISO 900-1 or AS9100 certificates? Instead, when challenged, the CBs and IAF claim that shop floor auditing “can’t uncover every possible problem.” Then why bother?
ISO and IAF can’t have it both ways. They can’t insist that on-site auditing is effective, and then claim later that it can’t possibly uncover all the required evidence when we find certified companies are in total violation of the standard.
Here’s a fun trick. During your next CB audit, watch what the auditor actually does during the floor walk. Compare that to the findings they uncover and, better yet, the ones you know they missed entirely. You’ll notice that the findings come down to (a) uncontrolled documents found in use, (b) expired Loc-Tite bottles, (c) employees who couldn’t parrot the Quality Policy sufficiently.
None of those are meaningful. None of those prevent defective product from shipping. Using a highly technical term, they are “bullshit.”
Meanwhile, you likely know that your problems are related to things that require a much more thoughtful, deeper dive than what someone can find by aimlessly shambling about and cherry-picking one or two travelers to look at.
Here again, records come to the rescue. An examination of records — and I mean a lot of them — can prove or disprove that things on the shop floor are going as planned. Even companies that falsify records rarely can falsify all of them, and you’ll begin to notice patterns. In a given hour, one might be able to examine the records of 50 different jobs, performed by multiple people. Meanwhile, during a “shop floor” audit one might be lucky to talk to three people about three jobs in that same amount of time. You tell me which is better.
To examine things like expired chemicals and tools overdue for calibration, Oxebridge utilizes a “photomapping” method that is miles ahead of having someone walk around with a blurry camera. It’s also far less intimidating to shop floor workers, who may not like having someone pop into their area with a camera pointed at them. (And less likely to raise objections about personal privacy.)
Still want to talk to shop floor workers? That’s easy, you invite them to participate in the teleconference interviews that you use for any other staffer. It does not matter whether they answer the questions sitting at a conference room chair, or standing in front of their machine.
Will fraudulent companies still be able to play tricks? Sure, but with these methods — and an increased reliance on records — they have a lot more work to do. Under a shop floor audit, the fraudsters need only pull old tricks like:
- the long lunch at a restaurant miles away;
- steering the auditor towards the department with the best performance, and away from the problems;
- closing doors so the auditor can’t see the problem areas, to begin with;
- playing loud music or running noisy equipment to ensure the auditor doesn’t linger;
- taking the auditor to those Spanish-speaking guys, and having an interpreter answer everything correctly, for them;
- etc.
I realize I won’t win over hardcore, old-school auditors on this, and I’m not really trying to. Old-school audits have failed with spectacular reliability, and something needs to change. This means improving auditor training, sure, but also retooling standards like ISO 9001 to put back in requirements for documents and records. Then, after that’s completed, developing reliable methods for remote auditing.
(I urge ISO and IAF to look at our standard, Oxebridge Q017, for an example of a standard on remote auditing methods.)
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
