Outsources Processes, ISO 9001:2000

Questions concerning outsourced processes and the requirements that will be audited both internally and by external parties

Many clients and friends have had questions concerning outsourced processes and the requirements that will be audited both internally and by external parties. This link, http://www.4iqc.com/N630.pdf, written by ISO/TC 176, clearly explains that an organization must demonstrate how it controls the process (per clause 4.1). The process for selecting and evaluating an outsourced process is contained in Purchasing, 7.4. No where in the document does it state that an auditor can substitute his/her judgment on the qualifications of the process provider. Nor does the document, or the Standard, require that the "control of outsourced processes" be documented. It would be enough to show the process as a component of the Master Process Flow (for those of you who have one) or describe it in a written Quality Manual. The requirement for evaluation of a supplier (of an outsourced process) is in ISO 9001:2000, 7.4.1.

If you have any questions regarding this issue, please email me, george@4iqc.com .

Regards,

-- George

ISO 9000:2005, NEW!

New Definitions and Notes in ISO 9000:2005

ISO 9000:2005 is the third edition of the Fundamentals and Vocabulary standard and replaces ISO 9000:2000. Some of its new definitions and notes are:

1. Competence is now included twice in the definitions section. At section 3.1.6 under the Quality-related terms it is defined as the "demonstrated ability to apply knowledge and skills". At section 3.9.14 under Audit-related terms it is defined as "(audit) demonstrated personal attributes and demonstrated ability to apply knowledge and skills".

2. Contract is added at 3.3.8 under Organization-related terms and defined as a "binding agreement".

3. The Note under 3.9.1 for Audit has been expanded to state "Internal audits, sometimes called first-party audits are conducted by, or on the behalf of, the organization itself for management review and other internal purposes, and may form the basis for an organization's declaration of conformity. In many cases, particularly in small organizations, independence can be demonstrated by the freedom from responsibility for the activity being performed.

4. A Note has been added for Audit Program that states "An audit program includes all activities necessary for planning, organizing, and conducting audits".

5. A Note has been added for Audit Criteria that states "Audit criteria are used as a reference against which audit evidence is compared."

6. A Note has been added for Audit Client that states "The audit client may be the auditee or any other organization that has the regulatory or contractual right to request an audit."

7. A Note has been added for Auditor that states "The relevant personal attributes for an auditor are described in ISO 19011."

8. The definition of Audit Team has been expanded to state "... supported if needed by technical experts."

9. The definition for Audit Plan has been added: "description of the activities and arrangements for an audit".

10. The definition for Audit Scope has been added: "extent and boundaries of an audit".

11. The Measurement Control System entry was changed to Measurement Management System. The definition remained the same.

ISO Guide 62, How can it save my company money?

Advanced Surveillance and Reassessment Procedure

Would you like to reduce by up to 30% the number of auditor days spent by your registrar at your site? Then consistently meet your performance targets and talk to your certification body.

The International Accreditation Forum (IAF) provides a guidance document on the application of ISO Guide 62 for registrars (certification bodies). Issue 4 of this guidance document describes how registrars can design an individualized surveillance and reassessment program for organizations that have consistently demonstrated an effective quality management system. The result is, the registrars can develop an audit program that reduces the required auditor days based on the organization consistently meeting performance targets.

To qualify for the advanced program, the organization must demonstrate it has been operating in conformity for one complete certification cycle (including initial, surveillance, and reassessment audits). Any noncomformities raised during that certification cycle must have been successfully resolved. And, the registrar must agree with the organization on the performance indicators for judging the ongoing effectiveness of the system, as well as, ensure the organization is consistently meeting the performance targets. The performance indicators must address, at a minimum, that the organization is consistently providing product that meets customer and applicable regulatory requirements.

To apply this advanced audit procedure, the registrar must have enforceable arrangements for access to all customer satisfaction data. The registrar must verfy the organization's internal audit process is managed in accordance with the guidance of ISO 19011, with particular reference to auditor competence. The registrar must also have enforceable arrangements that enable it to increase the scope, frequency, and duration of its audits in case of a deterioration of the organization's ability to meet the agreed performance targets.

The registrar can reduce the overall audit days by up to 30% without gaining further approval from their accrediting body. However, at a minimum, each registrar visit must include:

1. interviews of top mamagement and the management representative
2. evaluations of management review inputs and outputs
3. verification of the organization's ability to meet the agreed performance targets
4. review of internal audit procedures, audit records, and auditor competence review of
5. corrective and preventive actions and verification of effective implementation

The design of the advanced audit program must include the extent that the registrar will use the organization's internal audit and management review processes to complement their activities. It must also include the criteria for witnessing the organization's internal audits, including a sampling of both auditors and the processes to be audited.

Additional criteria must be established for accepting and monitoring the competence of the internal auditors and the method for reporting internal audit results. Ongoing adjustments to the assessment program must take into account the organization's demonstrated ability over time to meet the agreed performance targets. The compoenents that will be assessed at each surveillance and reassessment visit must be included in the design output.

This guidance was issued December 15, 2005 and has an application date of December 15, 2006. For full details, see section G.3.6.8 and Annex 5 of the IAF Guidance Document at the IAF web site: (http://www.iaf.nu/).