
Common sense when auditing a micro organisation

Published: 12 Sep 2022

Auditors are trained to audit large organisations with complex structures, but auditing micro organisations may need a rather different approach. IRCA Technical Assessor Horacio Martirena, Director of M&A Consultores in Argentina, gives a scenario of how common sense can be applied in such a situation.  

Auditors are certified when they can show that they have the expected knowledge, skills and experience needed to perform audits effectively. But are they required to have common sense? 

Most of the audit situations and case studies analysed during training, as well as most certified companies, are those that have a general manager, a human resources manager, production manager, sales manager, purchasing manager, and so on. Likely, they are organisations with 50 or more workers. 

When organisations are smaller (20-50 workers), the structure becomes more simplified. But what about when a company has fewer than five to seven workers, an operation usually called a micro organisation?

Some may be tempted to say: “ISO 9001/14001/45001/etc are not meant to be applied to such small organisations.” However, they should remember that the definition of ‘organisation’ in all management system standards (MSS) starts with the words: “person or a group of persons…”   

Others may be tempted to say: “It is easy, out of the number of shalls in ISO 14001, surely 50% do not apply to them.” They should remember that in the Scope clause of all MSS, it is explicit that all the requirements apply to organisations of any size. 

A common sense approach

Common sense may help to overcome these two apparent obstacles. Let’s take a closer look at some examples of evidence that auditors may collect when auditing the quality management system (QMS) of TATTOO-X, a fictional, four-person tattoo parlour located in a shopping centre. 


Scenario: TATTOO-X’s owner Indira, who has 20 years’ experience in tattooing, rented a small place, where two other tattooists work with her in their own spaces. Her husband, Manuel, is responsible for all administrative issues at reception.  

Answer to auditors on 4.2, 4.2, 6.1:  
We arranged with the shopping centre that it would not accept another tattoo parlour, so there is no risk of competitors.  
 
We are certified by the local health authority and our three tattooists are also certified individually; the certificates are shown on the desk at the entrance.  
 
Our main interested party is our customers. We look after them through the implementation of our QMS. We also have a first aid service, in case there is a customer in need of health assistance; the phone number is on a sticker on Manuel’s computer.

Answer to auditors on 5.1/5.2/5.3:

The three tattooists are responsible for keeping tools and workplace clean and completing the tattoo selected by the customer.  Manuel is responsible for keeping the reception area clean. The quality policy is shown in the window, so customers, and anybody passing by, can read it.         

Answer to auditors on clause 7/8.1:

We have three spaces and three tattooists. Each tattooist cleans his/her space after completing each job, and also at the end of the day. On Fridays, they perform a more thorough cleaning of their own spaces. They are certified annually by the local health authority. After 10 years working together, they are fully aware of customer needs and expectations. All documentation is on Manuel’s computer. He mainly uses Excel sheets and documented information is also kept on iCloud.

Answer to auditor related to 8.2/8.3:

The shop window shows an eye-catching tattoo as an example of our service and level of quality, as well as displaying business data such as opening hours, contact details for appointments and any enquiries. Also on display is a QR site to see the 150 tattoo designs that are offered, and the certificate issued by the local health authority, which includes a phone number available to customers for submitting complaints or requesting further information. TATTOO-X does accept any request for a tattoo that is not included in its catalogue. Manuel has an Excel file where he records the day and time of each appointment assigned to a customer, and the number of the tattoo he/she selected (Clause 8.2.3).  

Answer to auditors on 8.4:

Every Friday, Manuel monitors in his Excel file the stock of tinctures and tools available; when necessary, he buys tincture and tools from a large shop that is in the same shopping mall (8.4). He also buys materials from a nearby pharmacy.  

Answer to auditors on 8.5:

Every morning, Manuel prints a list of the confirmed appointments for each tattooist and, during the day, receives payment from each customer and provides them with a receipt. Before starting the process, the tattooists confirm the name and selected design of each customer and carry out the tattoo as shown in the catalogue. Every five minutes, the tattooist confirms with the customer that they are getting what they were expecting and makes any correction, if possible.

Answer to auditors on 9.1, 9.2, 9.3:

Manuel monitors all activities during the day and records on the Excel spreadsheet the work done, the corrections made during the process and the payment received. The company also asks every customer to provide an evaluation of the service received, giving a rating from 1 to 5 for the tattooist’s performance and 1 to 5 for the general look of the shop. On the last Friday of each month, all four staff members get together to analyse the status of the business, the work done, the corrections made during tattooing, results of the customer surveys and complaints received, and additional resources needed for the following month. Manuel keeps a record of the decisions taken in an Excel file. Once every six months, fulfilment of all the requirements of ISO 9001 is also reviewed.

If you had been the third-party auditor, would you have raised any nonconformances related to the answers given by TATTOO-X? 

ISO’s management system standards specify requirements to organisations under the format of ‘shall’, but no guidance is given on how to implement those requirements. Organisations can decide the ‘hows’, and in the case of micro organisations, the ‘hows’ may be selected by applying common sense to the intended result behind each ‘shall’. 
