ISO Audit: Five Not-So-Easy Questions

1 of 5

about:reader?url=http://www.qualitydigest.com/inside/quality-insider-a...

qualitydigest.com

Miriam Boudreaux | 04/22/2013

Have you ever been through an audit to an ISO standard? If you

have, then you probably know about a set of questions that are
frequently asked during audits against various ISO standards. No
one can predict all of the questions that an auditor will ask, but you
can bet that that following five will be among them.

What is your quality (or environmental, safety,

information security) policy?
This is a basic question and one that is very likely to take center
stage during the audit. The focus on this question subsides during
periodic audits, primarily because the organizations management
system matures, and the same auditor often assesses one company
multiple times.
Intent behind the question
First: Ascertain whether the organization has done a good enough

3/31/2016 5:42 PM

ISO Audit: Five Not-So-Easy Questions

2 of 5

about:reader?url=http://www.qualitydigest.com/inside/quality-insider-a...

job communicating the policy to its employees, and that they have
internalized the organizations perspective regarding quality.
Second: Ensure that employees understand the quality policy.
Third: Check that there is indeed a quality policy.
Possible responses
Best: Employees know where to find the quality policy and are able
to articulate in their own words what the policy means to them and
how it affects their work, as well as their appreciation and
understanding of quality.
Better: Employees know where to find the quality policy and can
read it without feeling nervous.
Good: Employees know where to find the quality policy.
What are your objectives?
This is a question that applies to everyone, not just managers. It is
expected that objectives are represented with data and charts, but
not absolutely required.
Intent behind the question
First: Ascertain whether the company has goals it wants to achieve
and that it measures and tracks process or product performance, as
a whole or individually by department or employee.
Second: Ensure that employees understand the quality objectives
and how their performance greatly affects the outcome of those
objectives.
Third: Check that there are indeed quality objectives.
Possible responses
Best: Employees know where to find the quality objectives, and
they understand exactly why they have been established and what
their purpose is. They know what the desired goal is and how to tell
whether it has been achieved. They know how to initiate corrective
action when the desired state is not achieved.
Better: Employees know where to find the quality objectives that
apply to their position or department, and can show if they are
doing well or not in working toward an objective.
Good: Employees know where to find the quality objectives.

3/31/2016 5:42 PM

ISO Audit: Five Not-So-Easy Questions

3 of 5

about:reader?url=http://www.qualitydigest.com/inside/quality-insider-a...

Where do you get your procedures from?

Procedures or documents in general are an integral part of
ISO-compliant management systems; you need them to ensure
processes are in control. Therefore, questions regarding documents
are definitely going to appear throughout the audit.
Intent behind the question
First: Ascertain whether employees follow standard processes
frequently as part of their jobs, regardless of whether those
processes are documented in a formal, written procedure or not. If
there are written procedures or other documents, it is also
important to determine whether employees can easily find any
documents related to their jobs.
Second: Ensure that the company has determined which
procedures are needed and documented those processes that are
integral to its core operations.
Third: Check whether the employee knows of the existence of any
documented procedures.
Possible responses
Best: Employees know where to find the procedures that apply to
their jobs, can obtain them quickly, can speak about them, and feel
invested in the procedure as well as the process.
Better: Employees know where to find the procedures that are
applicable to them.
Good: Employees know procedures exist.
What do you do if you find a nonconformance or a
potential improvement?
The whole concept of continual improvement is paramount to ISO
standards, and the auditor will try to assess it over and over. The
auditor will ask for at least the basic concepts of continual
improvement.
Intent behind the question
First: Ascertain whether employees understand the concepts of
nonconformance, continual improvement, and corrective and
preventive actions, and whether they understand the systems that

3/31/2016 5:42 PM

ISO Audit: Five Not-So-Easy Questions

4 of 5

about:reader?url=http://www.qualitydigest.com/inside/quality-insider-a...

have been put in place to handle them.

Second: Determine if the company encourages use of continual
improvement tools and has communicated those to all employees.
Third: Check if there is a system in place for handling
nonconforming product or service, and corrective and preventive
actions.
Possible responses
Best: Employees know when to use a nonconformance report and
when to use a corrective action or preventive action. They actually
have issued some in the past, have been assigned nonconformance
reports to disposition, or have been tasked with conducting root
cause analyses for corrective or preventive actions.
Better: Employees know there are systems in place for handling
nonconformances and corrective or preventive actions, and can
point to them.
Good: Employees know there are improvement systems in place.
What are your responsibilities?
This is a broad question and can lead to many answers. Employees
may refer to procedures, job descriptions, objectives, etc.
Intent behind the question
First: Ascertain whether employees are aware of their
responsibilities and their roles in the overall success of the quality
(or environmental, safety, information security) management
system.
Second: Ensure that the organization has defined responsibilities
for all positions, and that each employee has a good understanding
of what his responsibilities are.
Third: Check that responsibilities have indeed been defined.
Possible responses
Best: Employees know what their responsibilities are and
understand their importance to the success of the management
system. They know where their responsibilities have been defined
and documented, and have agreed to them in writing.
Better: Employees are aware of their responsibilities and grasp

3/31/2016 5:42 PM

ISO Audit: Five Not-So-Easy Questions

5 of 5

about:reader?url=http://www.qualitydigest.com/inside/quality-insider-a...

their importance to the success of the management system.

Good: Employees know the tasks for which they are responsible.

3/31/2016 5:42 PM