The process approach to audit – a unicorn? | CQI | IRCA Skip to main content
Process approach to audit

The process approach to audit – a unicorn?

Progress indicator

Process approach to audit
Published: 6 Dec 2024

A 'process approach' is mentioned in the guidance documents for several standards, but is not defined in terms of implementing an audit of a quality management system. Andy Nichols CQP FCQI takes a closer look at this apparent paradox.

When the ISO 9001 standard was first published, the texts were firmly rooted in the requirements that predated it – the US government’s ‘MIL Specs’ (Mil-Q-95858) and the UK’s ‘Def Stans’, which referenced the need for documented procedures.

Later, ISO 9001 was changed to reflect the need for the organisation to define the “sequence and interaction” of the quality management processes. In various texts in the standard and associated guidance documents, such as ISO/TS 9002 and ISO 19011, the ‘process approach’ is mentioned as applicable, both to the way the quality management system is supposed to be developed and implemented, as well as to auditing.

The apparent paradox of referencing the process approach when implementing an audit of the quality management system is that there is no description of what it is! If we take a look at section 3 of ISO 19011 – Terms and definitions, there is no entry that describes what might be included. We can infer that, when auditing a process, we can consider the very basics:

Process approach to auditing

Applying the simple example of making scrambled eggs, we can consider the input to be raw eggs and the output to be cooked (and scrambled) eggs. Is this sufficient to describe the process approach? Can the process be treated like a ‘black box’ or would it be necessary for the auditor to have access to what goes on ‘inside’ the process?

If, for the sake of discussion, we take this process further, the steps of preparing and cooking the eggs can be described in the following way:

  • Remove eggs from shells.
  • Place into bowl.
  • Whisk until combined.
  • Heat pan.
  • Add butter to pan.
  • Place eggs in pan.
  • Stir while cooking.
  • Plate when cooked.

An auditor might be able to observe someone making the scrambled eggs to verify that these steps were being followed. This can be reported to the management of the organisation, too – “The process is being followed”.

In the back of ISO 19011, in Annex A.2 Process approach to auditing, it is stated that the “auditors should understand that auditing a management system is auditing an organization’s processes and their interactions in relation to one or more management system standard(s)”.

If we understand the implications of taking other parts of ISO 9001 that might be applicable, as they ‘interact’, we get (in sequence):

• 4.0 Context.

• 4.1 Internal and external issues affecting the ability to achieve intended results.

• 4.2 Understanding needs and expectations of interested parties.

• 4.3 The scope of the quality management system.

• 4.4 Quality management systems and its processes…

WAIT! This can’t be appropriate, surely?

Let’s try another way:

Eggs come from an external provider (8.4). The organisation orders eggs from a farm. A total of 48 eggs are delivered each day. Does the auditor need to look at the PO with the farm, check the description of ‘4 x dozen medium eggs’? Does the auditor need to check that the farm always delivered 48 eggs? That they were packaged adequately to protect them from damage? No broken shells? Not duck or ostrich eggs – therefore, properly identified?

This audit would suffer from ‘scope creep’ – the assignment was to look at the scrambled-egg process and it now encompasses the supply chain. What would happen to the time allocation for a start?

Maybe we can consider another point of view, that of the customer:

Scrambled eggs would be ordered by a customer, often after reviewing the menu options or being asked for their preferences by a server. This is a requirement of ISO 9001 8.1, Requirements for products and services. Would the audit then consider the additional process(es) of communicating with the customer about their needs and expectations of scrambled eggs? Quantity, delivery, plus a record of their agreement because no documented request was received. Wouldn’t that be ‘scope creep’ too? And the question on who authored the menu – is that under document control?

If management wanted the process of producing scrambled eggs to be audited, that’s what the auditor should perform, isn’t it?

"The answer to the process approach seems to be that it is up to the audit programme manager to set the auditor up for success, by ensuring that the scope, criteria and objective(s) are clear."

Andy Nichols CQP FCQI, business adviser

Turning to ISO 19011 again, it is apparent that, despite it being guidance on auditing, the document never describes what happens as a process. There is no description, for example, of the inputs to the audit process. This could be because the activities of auditing comprise three discrete processes, each with their own inputs and resulting outputs:

  1. Audit preparation.
  2. Auditing.
  3. Audit reporting.

Considered as individual processes, they may be best presented in this manner:

Updated process approach table

A better way to understand the process approach to auditing may be to question what the leadership of the organisation wants to hear or learn from the auditor’s report. We can then work back to define the inputs. In our example, management may wish to confirm the scrambled eggs are being produced consistently, to the same process across all shifts. In which case:

  • Audit scope: The preparation of scrambled egg.
  • Audit Criteria: Scrambled egg process.
  • Audit Objective: Verify consistency across three shifts.

It doesn’t mean to say that, in preparing for their audit, the auditor will ignore other parts of the quality management system. Indeed, from the Annex 2 of ISO 19011, the auditor must be aware of the interactions of other processes, which might include:

  • control of documentation needed and generated;
  • items critical to quality, such as regulations that must be met – for instance, the storage temperature for the eggs (in the US, this is required);
  • changes affecting the quality management system, which might include, for example, personnel recently added to a shift;
  • controls on the equipment (maintenance) and in the event that the product is spoiled and fails inspection (nonconformity);
  • previous audit findings (if applicable).

Beyond these, a few additional parts of the quality management system may need to be observed in operation. The danger here is that time management becomes an issue, as does ‘scope creep’. If the assignment is to audit the scrambled-egg production process, what is likely to occur if the auditor starts inquiring about the operator’s competency and training, records of which reside down the road in the corporate HR office files?

This is not to say that an auditor who observes a symptom of another process, indicating an issue, should not be made actionable. There should be an avenue to report such things in reporting to management.

The answer to the process approach seems to be that it is up to the audit programme manager to set the auditor up for success, by ensuring that the scope, criteria and objective(s) are clear. They should also ensure the auditor is “aware of their surroundings” going into the audit, which most likely comes from being knowledgeable about the process being audited – without bias!

Read more great content from Andy Nichols

Are the time frames for responding to an audit nonconformity with a corrective action plan necessary – and perhaps more importantly, are they correct? 

Join IRCA

Gain global recognition and boost your career prospects with IRCA. 

Quality World

Get the latest news, interviews and features on quality in our industry leading magazine.

Quality Careers Hub

Exclusively for members, the CQI’s Quality Careers Hub is designed for every career stage. So whether you’re just starting out, ready to move on or up, or looking to build on your experience, there are many ways to progress.