Volume 7 · Issue 4 · April 2002
Contents
US SubTAGs for ISO/FDIS 19011 Approval, US Supplement
US TAGs Support "Yes" on ISO EMS/QMS Auditing Standard
Regarding the ISO environmental/quality auditing guidelines
standard, you can expect it to be published by the end of
summer 2002 and for it to be adopted in the United States
as an American National Standard. In addition, you can expect
a US guidance document on internal and second-party auditing
to be issued thereafter to supplement the ISO standard, which
is viewed by many US standards experts as geared to third-party
auditing situations at a time when internal processes need
strengthening.
When the US Technical Advisory Groups (TAGs) to ISO Technical
Committees (TCs) 176 (ISO 9000) and 207 (ISO 14000) met concurrently
March 12-15, 2002, they shared a common interest in the recent
Final Draft International Standard (FDIS) elevation of one
standard: ISO 19011, Guidelines for quality and/or environmental
management systems auditing. The subgroups responsible
for environmental management system (EMS) auditing standards
(US SubTAG 2) and quality management system (QMS) auditing
standards (US TG 19011) held meetings to review the FDIS and
determine the US course of action.
ISO/FDIS 19011 represents the first joint EMS and QMS standardization
effort and is the product of the Joint Working Group on Quality
and Environmental Auditing (JWG), which consists of auditing
experts who are participants on the auditing subcommittees
(SCs) of TC 176 and TC 207. However, as has been reported
during the past six months in THE OUTLOOK, both US
TAGs voted to disapprove of the Draft International Standard
(DIS) of ISO 19011 in November 2001 due to concerns about
its lack of guidance on internal and less complex external
audits. The US delegates to the JWG have sought improvements
to ISO 19011’s content and were prepared for a possible
US vote of disapproval after it was elevated to FDIS status
in January 2002.
Although ISO/FDIS 19011 was not expected to circulate for
a 2-month up-or-down vote of approval until at least April
2002, members of both auditing groups received unofficial
"drafts" in early March to allow them to evaluate
the FDIS at their meetings. Based on their reviews of the
changes made since the DIS stage, both auditing groups reached
consensus on recommending US approval of the FDIS as an ISO
standard and as an American National Standard. US adoption
involves a parallel vote by the Z1 Committee of the American
National Standards Institution (ANSI). However, reservations
with the auditing guidelines remain and a US supplement is
to be pursued.
US Approval and Additional Guidance Lay Ahead
By the time the US TAG to TC 176 had concluded its meeting
on March 15, 2002, two documents were to be drafted:
- A joint letter to both TAGs recommending a vote of approval
on the FDIS from John H. Stratton, Chair of both US TG 19011
and the US delegation to the JWG, and Cornelius C. ("Bud")
Smith, Managing Director of Clayton Environmental Consulting
and Chair of US SubTAG 2. "We have not drafted the
recommendation yet and will wait to see what information
is circulated with the final FDIS and the ballot,"
acknowledged Stratton. The letter will likely propose that
the United States submit its substantive comments with its
FDIS ballot "so the US expectations for future revisions
to ISO 19011 will be preserved," said Stratton to the
US TAG to TC 176. Substantive comments submitted with votes
of approval on FDIS ballots are not considered, but submitting
them would in effect put them on record.
- A draft proposal from US SubTAG 2 and US TG 19011 for
the establishment of a working group, probably through the
American National Standards Institute (ANSI) Z-1 Committee,
to develop a document providing guidance on the design and
implementation of internal and second-party QMS and EMS
audit programs that would supplement ISO 19011. Gary L.
Johnson, Environmental Engineer at the US Environmental
Protection Agency, a representative of the US TAG to TC
207 and a US delegate to the JWG, and Randy Garrison of
US SubTAG 2 were asked to represent US SubTAG 2 in the drafting
of a proposal to be sent to the membership of both auditing
groups for review and comment. Stratton and Smith expected
that both groups will be involved in drafting the proposal
to help assure the proposal and text will be acceptable
in both audit communities.
"We would have liked ISO 19011 to contain more guidance
for internal auditors and smaller organizations, but the consensus
in both auditing group meetings was that the US delegates
achieved many improvements the SubTAGs wanted and it would
be best to approve of the FDIS," remarked Johnson, who
added, "We would not accomplish anything by voting against
a standard headed for overwhelming approval. Our best shot
is to develop a supplement that will serve the needs of US
audit program managers and auditors and perhaps users worldwide."
"SubTAG 2 and TG 19011 have agreed to develop what will
basically be an SME [small and medium-sized enterprise] and
internal audit guidance document through the ANSI Z-1 structure,"
confirmed Stratton, who noted that the document would most
likely take the form of an annex to the American National
Standard, a US Technical Report or another possibility.
"In general, the FDIS represents a significant improvement
and maturing of the auditing guidelines standard over what
the DIS contained, and what we develop as a US supplemental
guide might eventually be put forward to the JWG or to TC
207/SC 2 and TC 176/SC 3," advised Johnson.
Stratton, who led the US TG 19011 meeting, noted that he,
Johnson and Barton Solomon of Continuous Improvement &
Training Associates, who is a member of US TG 19011 and a
US delegate to the JWG, had succeeded in obtaining some changes
to the DIS that improved its applicability to a wide range
of auditing situations. Where the DIS had been geared to establishing
auditor criteria and providing audit management guidance suited
to complex third-party audit situations, the wording in the
FDIS de-emphasizes its focus on third-party auditing, but
not to the degree sought by the US auditing groups.
According to Stratton, US goals for the next few months include:
- Developing a proposal for additional guidance for smaller
organizations
- Keeping US issues visible for later improvement within
ISO
- Voting on the FDIS.
"The good news is that developing the US supplement
will not be too difficult or take too long, because much of
it already exists," concluded Stratton. He explained
that the US Environmental Auditing/Quality Auditing Liaison
Group, made up of members of SubTAG 2 and TG 19011, had already
developed guidance for internal and SME audits that was submitted
with the US comments on ISO/DIS 19011. "That guidance
needs only to be revised in light of what was changed in moving
to the FDIS, since the US sought to enhance the internal and
SME guidance in the DIS."
The proposal for the supplement will provide an indication
of how much revision and additional guidance will be involved.
William Harral of Arch Associates LLC and a member of the
US TAG to TC 176 and TG 19011, had a slightly different perspective
on two issues with ISO 19011. "My first concern is about
providing appropriate support for first-party (internal) and
second-party (customer) audits versus alignment with third-party
(system registration) audits," Harral told THE OUTLOOK.
"This issue is not based on the size of organization
involved, but on the type of audit.
"My second concern is with the size and complexity of
ISO 19011. ISO 10011–all three parts combined–was
short and fairly clear to most users in spite of its descriptive
nature. ISO/FDIS 19011’s size alone will discourage widespread
acceptance amongst many in the quality arena for internal
and customer audits. The increase in size was necessary due
to the broader scope, but voluntary use of the standard will
suffer. Since internal audits are most prevalent and are used
to support many types of management methodologies in the US,
the US will be most affected. In turn, the US public’s
impression of the value of ISO documents may suffer."
A Question of Audit Priorities
A debate that has been at the center of ISO 19011’s
development since the earliest drafts has not concerned the
difference between EMS and QMS audits, which was expected
to but did not produce significant challenges, but who ISO
19011 is intended to serve. Clearly, at least some of the
JWG members wanted ISO 19011’s development and progress
to suit the perceived need for a revised auditing standard
published as soon as possible after ISO 9001:2000 and geared
to registration transitioning. An examination of ISO/FDIS
19011 would leave one to believe that it is intended as a
guideline for third-party auditing and is meant to represent
a raising of the bar for third-party auditor competency and
experience.
The problem is that making improvements to third-party assessments
is unlikely to ever be as value-added or as critical to an
effective management system as making internal audits all
that they could be. There is a perception that a registration
assessment has greater value than an internal audit because
of the resulting certificate and the expectation that an external
auditor will be able to provide a far more objective and effective
audit. Indeed, an experienced, competent and effective registrar
auditor brings skills, knowledge and expertise to the auditing
of an organization from having conducted management system
assessments in a range of organizations, and that organization
will benefit from what that auditor finds and what he/she
provides.
However, the reality is that many third-party audits are
nothing more than sampling activities to determine whether
a management system is sound (i.e., it meets baseline requirements
of a standard) and to detect the symptoms of nonconformances.
For example, while a registrar auditor can identify in the
audit report continual improvement opportunities in the system
that an auditee could pursue (although there is a fine line
between auditing and consulting), most third-party auditors
focus on a "checklist approach" to systems assessment
for conformance to a standard. And there are many cases when
nonconformances have gone undetected by the auditors, often
to the relief of the organizations, which is another issue.
This is not to say that registration assessments have little
value. Third-party auditing is important and, when done right,
provides an objective assessment and provides pressure on
an organization to "keep its house clean". An auditing
expert once said that 90% of the value of an audit is just
having the auditors show up, because employees in any organization
do not want to look bad in front of an outsider, particularly
when the outsider has come to examine how they do things.
Another critical role of registrar auditors is to evaluate
the internal audit program, although the experience of some
auditing experts has been that third-party auditors tend not
look at the internal program too critically unless a major
nonconformance or a pattern of minor nonconformances shows
up, making it critical to assess the procedures and performance
of the internal audit program. However, considering the limited
time registrar auditors spend on-site with most clients in
a year, the impact of third-party audits is going to be limited
as far as going beyond basic conformance verification.
"For some reason, there is the mistaken and unfortunate
impression that third-party audits, especially certification
or registration audits, are the exemplar or paragon for auditing
in general," remarked Douglas L. Berg, Engineering Group
Manager, Quality Methods and Systems, at General Motors Powertrain,
a long-time member of US TG 19011 and previous auditing TGs
led by Stratton and a member of the EA/QA Liaison Group. In
a discussion with THE OUTLOOK following the US TG 19011
meeting in Indianapolis, Berg stressed that third-party audits
"are, in fact, a very specialized, structured and constrained
type of audit that is focused expressly on compliance to a
set of agreed-upon requirements. In a sense, it is to auditing
what ballroom dancing is to dancing. While compliance is pertinent
at a certain stage of a system’s development, it is of
limited utility to the company itself in the longer term."
Solomon, who participated as a US delegate to the JWG and
worked for improvements to Section 7, Competence of Auditors,
prior to ISO 19011’s elevation to FDIS, agreed with Berg’s
assessment, but raised another concern. "I would add
that the intent of ISO 19011 may have been to raise the bar
for third-party auditors, but that will probably not be achieved
by this standard. The way to raise the bar is to hold registrars
truly accountable for evaluating and improving the competence
of their auditors. This concept is included in Section 7 but
will probably be lost in the setting of minimum education,
training and experience requirements for auditors at most
registrars."
"On the other hand, internal audits, if they are to
be effective and valuable themselves, will need to go beyond
mere compliance and focus on effectiveness of implementation,
overall effectiveness of the processes and systems and continual
improvement," emphasized Berg. "To do all this,
auditors in a first-party situation would require a much richer
knowledge base and skills set than those in the third-party
audit situation. Unfortunately, this preoccupation with third-party
auditing has affected training for internal auditors by making
them ‘mini’ third-party auditors in terms of the
material covered and audit principles advanced. It also perpetuates
the idea that it is a ‘subordinate’ form of auditing."
"I also agree with Doug’s comments concerning
internal auditing: it has the potential to really help an
organization, yet that potential is not realized very often,"
commented Solomon.
Berg also pointed out that there are far more internal and
even second-party audits of systems taking place than third-party
audits. "Think about it: each ISO 9001 or equivalent
compliant system will have a comprehensive program of internal
audits," declared Berg. "Many companies are still
performing some form of second-party audit of suppliers even
with the prevalence of third-party registration. There is
a much broader audience for a more general audit guidelines
document. ISO 19011 had the potential to address this much
broader audience, but certain interests in the process either
did not appreciate this, dismissed it or resisted it. That
is unfortunate."
A point one auditing expert raised is that internal audits
take on increased importance the older the system gets, since
the greatest impact of a registrar is at the initial registration
assessment, while it is up to internal auditors to maintain
the functioning of the management system over time. Both ISO
9001 and ISO 14001 require internal audits to determine continuing
system conformance with the standard and the planned arrangements.
ISO 14001 does not require internal auditors to provide input
to top management on continual improvement opportunities,
which ISO 9001:2000 explicitly does (audit reports are inputs
to continual improvement of the QMS), but that doesn’t
prevent internal audits of the EMS from providing input for
continual improvements.
However, a bad internal audit system will not "survive"
for five years, making that system’s improvement important
for many organizations using ISO 9001 or ISO 14001.
While efforts are underway to raise the bar of registrar
competency in certain sectors and in general, which is a value-adding
effort, the focus of any organization should be on ensuring
that its management system(s) is effective and that its internal
auditors have the training, experience and authority to effectively
audit the system(s).
THE OUTLOOK will be examining the internal audit issue
in coming issues to help organizations remain vigilant in
maintaining and improving their management systems, especially
as more organizations transition their QMSs to ISO 9001:2000
conformance and ISO 14001 implementation and registration
continue to occur in US industry.
If you liked this article, subscribe
now.
Return to top
