Published: 8 Jul 2021

In our latest dilemma, a small business is subjected to an inappropriate ISO 9001 certification audit.

A micro business, consisting of seven staff including the owner, required ISO 9001 as a contractual requirement for work with the Ministry of Defence (MoD).

Currently, the business has long-term secured contracts with a number of companies involved in underwater cabling and pipelines, with an evidenced record of 100 per cent customer satisfaction.

The business manufactures a range of highly technical bespoke components for underwater connection applications. This involves intricate machining and assembly, followed by detailed testing and special packaging. This process and the size of the company mean that all staff must multitask.

During the initial assessment, the auditor advised a non-conformance, and stated that the reason was the business did not have a hierarchical structure with defined departmental and personnel responsibilities.  

The certification company had allocated and quoted two days for the assessment of the micro business. As the accredited audit company had quoted for a two-day on-site audit, the auditor felt obligated to satisfy this. The auditor filled the additional time by advising the owner that a requirement of the audit involved examining their product development plans and sales and marketing strategies.

The business was declined approval for certification, therefore seriously impacting their MoD contract. 

The quality management consultant employed by the business took the matter up with the certification body. The outcome of the enquiry established that the auditor had no experience or understanding of small businesses, having only been employed in large companies prior to becoming an auditor. Because large businesses have a hierarchical organisational structure, the auditor decided this was a non-conformance but did not understand that this is not practically possible in a small business. Following the investigation, it was accepted that the business met the standard and a certificate was issued allowing the securing of the MoD contract.

What should the auditor have done?

Response 

The objectives, scope and criteria of the audit should have been made known to the auditee prior to the audit with the presentation of a draft audit plan. The auditee could then review and, if needed, discuss to clarify and confirm the audit plan. At the opening meeting, the audit plan should also be confirmed on the day to ensure that scheduled requirements stipulated in the audit plan can be adhered to; any changes to the plan will have to be discussed and agreed mutually.  

Audit durations are based on the criteria established by the accreditation body and the certification company is obligated to adhere to the duration of the audit. There should not be any need for the auditor to have “filled the additional time” by auditing outside the audit plan. The scenario presented did not indicate that the micro business was involved with product development, so that clause requirement of the ISO 9001:2015 should not have been reviewed; marketing activities are also not part of the standard specification.

At the opening meeting, the auditee should have been given the opportunity to query why product development plans and sales and marketing strategies were to be audited; apparently these clauses of the ISO 9001:2015 standard were unexpected by the micro business. 

Under clause 5.3 in ISO 9001:2015, there is no requirement that a business, large or small, is required to have a hierarchical structure. The requirement is that responsibilities and authorities for relevant roles are assigned, communicated and understood within the organisation.

With thanks to Mike Pearson for providing the scenario, and Roland Tan, IRCA Lead/Principal Auditor, for providing the response.