Audit Traps and How to Avoid Them
There are nonconformities, and then there are nonconformities
Quality management system (QMS) audits rarely result in zero nonconformities. Usually, these findings point to real weaknesses whose resolution allows the auditee to increase process effectiveness.
In other words, finding and correcting nonconformities is part of a larger process that is ultimately productive.
This is the system working as intended. Nonconformity is the common enemy, and the auditor and auditee are on the same side, each contributing their own skills to the never-ending quest for continual improvement.
However, there is also another type of nonconformity, which good auditors find painful to document. Auditees can’t be faulted if they perceive findings this type to be mere technicalities, and their resolution as inefficient busywork.
I think of these as audit traps, and they are set by the auditees themselves, by imposing trivial requirements that go unmet, or unwittingly holding on to outdated requirements.
Allow me to share some real-life audit trap examples:
The complacent organization
Some companies excel at implementing a QMS that meets ISO 9001 requirements and simultaneously enhances process effectiveness (as intended). They sail through the certification process and generally run a smooth operation.
Sustained success, however, can lead to complacency. When key personnel do their job well without the need for documented information, the company may drift away from documented requirements without even noticing.
While auditing a medium-size distribution company, I asked for records of the two most recent management reviews, which were in good order. Both meetings had been held in July, but their procedure required management review to take place every June.
I was told the company’s fiscal year ends in June. By having management review in July, they were able to see all the data for one whole year. This made sense, but it was at odds with their procedure.
By gathering all relevant data, reviewing it periodically and making evidence-based decisions, the company brilliantly followed the spirit of the law, but also neglected the letter of the law.
Is this discrepancy purely a technicality? Arguably yes, but it is also a nonconformity.
Half-hearted implementation
Some go down the path of certification only when they feel they have no choice, perhaps because key customers impose a certification deadline, or other external reasons.
Seeing certification as a bureaucratic distraction, they subcontract the work to a consultant expecting to get a documentation package that gives them conformity to the standard. To them, the physical quality manual and the QMS are one and the same.
(In contrast, a management representative I once interviewed suddenly had an epiphany and exclaimed “The QMS is not the manual, it is the air we breathe!” He was right.)
Before auditing the production process at a small repair company, I asked if they had a documented procedure for control of nonconforming product (strictly speaking, this is not required by ISO 9001:2015). They had one and shared it with me.
It quickly became evident that their actual practice was completely different from the procedure. Both the procedure and the actual process seemed reasonable, so either would probably have worked well enough.
As I explained that this was a nonconformity, the management representative rolled his eyes and screamed “Are you really going to write me up for not following a procedure I am not even required to have?!” The answer, of course, was yes.
Lack of familiarity by process owners with documented information became a pattern during this audit.
As auditors always explain in the opening meeting, audits are performed against two criteria: The Standard and the organization’s own documented information. Failing to fulfill the requirements of either one is a nonconformity.
More is better (?)
Some organizations create detailed documents for almost everything they do. When weaknesses emerge, they respond by creating more documents, adding paragraphs, or making sentences longer.
At a small robotics company, I was auditing the receiving process. Their procedure stated that packing slips were filed in a cabinet belonging to the Purchasing department. In fact, they went into a Production filing cabinet.
Manufacturing floor space for a new product had expanded recently, displacing the Purchasing filing cabinet. Another nearby cabinet was being used out of convenience.
Excessive detail was a pattern in this company’s documentation. In a dynamic environment, keeping documentation synchronized with the actual practice can be more costly than it is worth. As a result, what is said and what is done become two different things, and nonconformities can easily result.
Are they really trivial?
By definition, audit traps involve discrepancies that can easily be perceived as trivial. Nevertheless, a conscientious auditor has a duty to document then as nonconformities.
Even so, the mere realization that these conditions were allowed to occur should lead management to ask, “What else in our QMS may be outdated, unnecessary or just incorrect?”
This is, essentially the expectation set by ISO 9001:2015 in clause 10.2.1.b.3: “…determining if similar nonconformities exist, or could potentially occur…”
It is said that when a fox falls in a trap, it will bite off the affected leg to free itself. While this may better than the alternative, not falling in the trap in the first place may be better still.
Seen in this light, the prevention or correction of even seemingly trivial nonconformities can give an organization the opportunity to become leaner and more effective.
Audit trap avoidance
So, how can organizations avoid audit traps altogether?
While each organization must find its own solutions, these basic tips are a good start:
- Ensure process owners know the documentation that pertains to their areas of responsibility. As much as possible, they should be directly involved in their creation and maintenance. This way, they can ensure that documentation is useful, used as intended and updated when necessary.
- Using a consultant to document the QMS is perfectly fine, but the organization cannot evade its responsibility to review the documentation critically. The consultant is likely to start off with a generic template, and it’s up to the organization to adapt it to ensure it makes sense for them specifically. There is no excuse for using documentation that nobody in the company has read.
- When creating documentation, two opposing needs need to be met: On the one hand, it is necessary to document everything that is important to obtaining planned results. On the other hand, excessive documentation can easily become unnecessarily onerous. The goal is to make the right tradeoffs between these elements, while keeping the system as simple as possible. Ensuring documentation is just specific enough to be useful, without creating unnecessary constraints, should be an ongoing effort.
Now go forth and prevent.