TheMostImportantAuditQuestionsforISO9001:2015

ByCraigCochran

IfyourepreparingtostartauditingagainstISO9001:2015,youveprobably
alreadyaskedyourselfthetimelessquestion:WhattheheckamIgoingtoask
thesepeople?Theresnoworsefeelingintheworldthanbeinginthemiddleof
anauditandrealizingthatyoudonthaveanythingtosayinthewayofquestions.
Preparationandplanningcanremedythis,ofcourse,butthefactremainsthat
ISO9001:2015includesalotofnewrequirementsthathaveneverbeenpartof
mostaudits.Inordertoexpediteyourthinking,thesearewhatIbelievetobethe
mostimportantauditquestionsforISO9001:2015:

1.Whatcanyoutellmeaboutthecontextofyourorganization?Thisquestionis
thestartingpointofISO9001:2015,appearinginsection4.1.Thestandarduses
theclunkyterm"context,"butthiscouldeasilybesubstitutedbyaskingaboutthe
organizationsinternalandexternalsuccessfactors.Questionsaboutcontextare
usuallydirectedattopmanagementorthepersonleadingtheQMS(formerly
knownasthemanagementrepresentative).Asanauditor,yourelookingfora
clearexaminationofforcesatworkwithinandaroundtheorganization.Doesthis
soundbroadandalittlevague?Itis.Thankfullythestandardprovidessome

Copyright 2016 Craig Cochran Page 1

guidance,sayingthatcontextmustincludeinternalandexternalissuesthatare
relevanttoyourorganizationspurpose,strategy,andgoalsoftheQMS.Many
organizationswillprobablyuseSWOTanalysis(strengths,weaknesses,
opportunities,andthreats)tohelpgettheirarmsaroundcontext,butitsnota
requirement.Whattheorganizationlearnswiththiswillbeakeyinputtorisk
analysis.(NOTE:Noteverybodywillunderstandthetermcontext.Beprepared
todiscusstheconceptanddescribewhatISO9001:2015isaskingfor.)

2.Whoareyourinterestedpartiesandwhataretheirrequirements?The
naturalfollowuptocontextisinterestedparties,foundinsection4.2.Theterm
"interestedparties"hasabizarre,stalkerlikeringtoit,sosmartauditorsmight
wanttoreplaceitwith"stakeholders."Remember,effectiveauditorstryto
translatethearcanelanguageofISO9001:2015intounderstandabletermsthat
auditeescangrasp.Typicalinterestedpartiesareemployees,customers,supplier,
businessowners,debtholders,neighbors,andregulators.Asanauditoryoure
makingsurethatareasonablerangeofinterestedpartieshasbeenidentified,
alongwiththeircorrespondingrequirements.Thebestwaytoauditthisisasan
exploratorydiscussion.Askquestionsabouttheinterestedparties,andprobe
whattheyreinterestedin.Ifyouvedonesomepreparationinadvanceofthe
audit,thenyoullknowwhethertheirexaminationofinterestedpartiesis
adequate.Thatbringsupanimportantplanningissue:Youwillhavetodoabit
morepreparationbeforeanISO9001:2015audit.Why?Soyoullhaveagraspof
contextandinterestedparties.Howcanyouevaluatetheirresponsesifyoudont
knowwhattheresponsesshouldbe?

3.Whatrisksandopportunitieshavebeenidentified,andwhatareyoudoing
aboutthem?Risksandopportunitiescouldaccuratelybecalledthefoundationof
ISO9001:2015.Nofewerthan13otherclausesreferdirectlytorisksand
opportunities,makingthemthemostconnectedsectionofthestandard.Ifan
organizationdoesapoorjobofidentifyingrisksandopportunities,thentheQMS
cannotbeeffective,period.Auditorsshouldverifythatrisksandopportunities
includeissuesthatfocusondesiredoutcomes,preventproblems,anddrive
improvement.Oncerisksandopportunitiesareidentified,actionsmustbe
plannedtoaddressthem.ISO9001:2015doesnotspecificallymentionprioritizing
risksandopportunities,thoughitwouldbewisefororganizationstodothis.Risks
andopportunitiesarelimitless,butresourcesarenot.

Copyright 2016 Craig Cochran Page 2

4.Whatplanshavebeenputinplacetoachievequalityobjectives?Measurable
qualityobjectiveshavelongbeenapartofISO9001.Whatisnewisthe
requirementtoplanactionstomakethemhappen.Theplansareintendedtobe
specificandactionable,addressingactions,resources,responsibilities,
timeframes,andevaluationofresults.Auditorsshouldcloselyexaminehowthe
planshavebeenimplementedthroughouttheorganization,andwhohas
knowledgeofthem.Justasemployeesshouldbeawareofhowtheycontributeto
objectives,theyshouldbefamiliarwiththeactionplans.

5.HowhastheQMSbeenintegratedintotheorganizationsbusinessprocesses?
Inotherwords,howareyouusingISO9001:2015tohelpyourunthecompany?
Thisisaskeddirectlyoftopmanagement(seesection5.1.1c)andisavery
revealingquestion.ThepointisthatISO9001ismovingawayfrombeingaquality
managementsystemstandardandbecomingastrategicmanagementsystem.Its
notjustaboutmakingsureproductsorservicesmeetrequirementsanymore.The
standardisaboutmanagingeveryaspectofthebusiness.Remembersections4.1
and4.2ofISO9001:2015?Thereweexaminedthekeytopicsofcontextand
interestedparties.Theseconceptstoucheverycorneroftheorganization,and
thisisexactlyhowISO9001:2015isintendedtobeused.Topmanagementshould
beabletodescribehowtheQMSisusedtorunthecompany,notjustpassan
audit.

6.Howdoyoumanagechange?ThistopiccomesupmultipletimesinISO
9001:2015.Thefirstandbiggestclauseonthetopiccomesupinsection6.3.Here
weidentifychangesthatweknowarecoming,anddevelopplanfortheir
implementation.Whatkindofchanges?Nearlyanything,butthefollowing
changescometomindascandidates:newormodifiedproducts,processes,
equipment,tools,employees,regulations.Thelistisendless.Anauditorshould
reviewchangesthattookplace,andseekevidencethatthechangewasidentified
andplannedproactively.Changethathappensinalessplannedmanneris
addressedinsection8.5.6.Heretheauditorwillseekrecordsthatthechanges
metrequirements,theresultsofreviewingchanges,whoauthorizedthem,and
subsequentactionsthatwerenecessary.

7.Howdoyoucaptureanduseknowledge?ISO9001:2015wantsorganizations
tolearnfromtheirexperiences,bothgoodandbad.Thiscouldbehandledbya
varietyofmeans:projectdebriefs,jobcloseouts,staffmeetings,customer

Copyright 2016 Craig Cochran Page 3

reviews,examinationofdata,customerfeedback.Howtheorganizationcaptures
knowledgeisuptothem,buttheprocessshouldbeclearandfunctional.The
knowledgeshouldalsobemaintainedandaccessible.Thisalmostsoundslikeit
willbedocumentedinsomeway,doesntit?Thatsexactlyright.Onewayto
auditthiswouldbetoinquireaboutrecentfailuresorsuccesses.Howdidthe
organizationlearnfromtheseeventsinawaythatwillhelpmakethemmore
successful?Itstheconversionofrawinformationtotrueknowledge,anditjust
happenstobeoneofthemostdifficultthingsanorganizationcanachieve.

Thesearebynomeanstheonlyquestionsyoullwanttoask.Theyrejustthe
startingpoint.Wedidntevenmentionmanagementreview,correctiveaction,or
improvementallofwhicharecrucialtoaneffectiveQMS.Theseventopics
discussedherearethebiggestnewrequirementsthatauditorswillneedtoprobe.

AbouttheAuthor

CraigCochranhasassistedover5,000companiessince1999inQMS
implementation,problemsolving,auditing,andperformanceimprovement.His
mostrecentbookisISO9001:2015inPlainEnglish,availablefromPaton
Professional:
http://www.amazon.com/ISO90012015PlainEnglish/dp/1932828729/

Copyright 2016 Craig Cochran Page 4