Eight Steps for a Successful Audit

ISO standards such as ISO 9001, ISO 14001 and ISO 45001 provide the framework for management systems to function using a process-based approach, to achieve customer and other stakeholders’ requirements. Organizations certified to ISO standards strive to be compliant and efficient and to remain certified. Successful systems have Top Management (TM) / Leadership that is committed to and engaged with the system. They ensure regular audits and conduct management reviews (MR) to assess the continuing suitability, adequacy and effectiveness of the system. They further ensure that their decision-making process uses the inputs from the MR to ensure objective resourcing and support for efficiency.

External third-party audits also add value to this system, provided the auditors remain objective throughout the audit. Over the years QMII has come across instances where Non-Conformities (NC) were issued without the requirement being clearly stated, or where the evidence may not substantiate that the requirement was not met. However, these NCs are rarely challenged by organizations for “fear” of upsetting the auditors. Changes are then implemented in the system as part of corrective action based on these findings. At times, when the management is disconnected from the working system, they are often surprised by the NCs presented at the jng the organization in the art of getting audited? In well-functioning systems the organization should never have to prepare for an audit. The systems are designed to drive success and not for auditors or to get through audits without any NCs. NCs are, after all, an opportunity for continual improvement of the system and should be embraced, provided they are objective and not subject to an auditor’s experience or opinion. An organization can and must respect a good NC and use it to drive correction and corrective action (CA). After all, CA is NC driven. The organization/auditee should be happy to receive a NC for risk(s) not appreciated.

I do however think that there are steps an organization can take to build employee confidence in the system, including the confidence to challenge the auditor when a NC is not clear or incorrectly given.


Here are eight steps an organization can take to give its employees that confidence:

  1. Conduct orientation on the process-based management system (PBMS) approach in general, and an introduction to the highlights of the specific standard (e.g. ISO 9001:2015). This ensures that the basics of the system approach and the internal management system are clear to all personnel.
  2. All TM must do a short training to be aware of the standard, the main clauses and the benefits of the management system. This awareness leaders workshop (ALW) brings confidence in the system, its implementation and continual improvement. This leadership awareness further encourages engagement of all personnel to use the system and increases buy-in.
  3. On a regular basis, in day-to-day work and meetings, refer to the management system. Ensure quality, environment, safety, security, social responsibility and compliance are topics of discussion at periodic intervals. Even middle and lower management (e.g. supervisors) should be encouraged to use the system and engage others to do so. Management may have to support others in their roles of leadership at relevant levels.
  4. More than just following processes, all personnel must feel free and confident to challenge the process, make suggestions, raise NCs and submit innovative ideas. A participatory approach to system implementation is very cost effective. Let employees voice their concerns. Once they are confident of their process and their system (with the fundamentals of the ISO Standard/other requirements built in), the fear of audits will reduce.
  5. Put in place an aggressive internal audit program. When an outside (third-party) auditor raises a NC, the organization does RCA (Root Cause Analysis) of the NC, but rarely does it challenge its internal system and ask how the internal audit program missed the NC raised by the third party. Internal audits must be objective and strict and must raise all NCs.
  6. NCs must be tracked diligently and addressed within the time frame the organization has set for itself. TM must stay involved by asking about the progress of the CA process. Overdue NCs must be investigated, and TM must ask during the MR why the concerned department did not address them in time. Encourage PSW (Problem Solving Workshops) so teams can look at complex, inter-departmental NCs. Encourage use of tools such as Causal Analysis and FMEA (Failure Mode and Effects Analysis).
  7. Creating a lessons-learned database has many advantages. It acts as a historic record for new joiners to learn of past occurrences. Additionally, it has great participatory value, connecting each future task as a driver of improvement based on the past. The collective intelligence of the organization is available to the organization and does not vanish when individuals leave the organization.
  8. Some additional points for audit preparation:
     • Answer audit questions to the point. Do not volunteer information not sought.
     • Do not be reluctant to ask for your manager/supervisor to support you if you are not clear on the question.
     • Have the confidence in your professionalism to ask the auditor for the requirement based on which the auditor is planning to raise a NC.
     • Be aware of the risks associated with your process and the actions taken to address them.
     • Explain the risks in the context of the organization and the context of what the employee does to them.


By CEO and President, Captain Inderjit Arora

To Err is Human: React or Correct?

The only bad nonconformity is the one we do not know about. Understanding this fact is the key to leaders and their managers being careful not to create a culture that hides nonconformity.

Even so, it is common for managers to demand no mistakes and to react badly to errors.

Leading organizations provide employees with management systems that help them to understand and fulfill the requirements. And servant leaders provide a management system to help their employees to eliminate the causes of nonconformity. They do this gradually, according to the 80:20 (or 50:4) rule, so they always start with the vital few nonconformities that cost the most.

Zero Defects (zero nonconformity actually) has to come with humble managers who take responsibility for their management system causing the nonconformity. Care and respect remain the most powerful parts of such management systems. It should not require courage for employees to talk about problems in doing the right work right.

These organizations welcome nonconformity reports to show where the management system needs further improvement to prevent failures to fulfill requirements. They know the only bad nonconformity is the one that remains hidden.


Some processes may be proactively designed and updated, but many just evolve.  In either case, when leaders allow the systems (in which the processes operate) not to deliver the necessary direction, information, resources and controls, these “starved” processes fail to add value. This article examines how process failure impacts quality management systems.

Process Failure = Leadership Failure

The modes of a quality management system’s process failure are many, but we should start with leadership. Authority figures may (implicitly or explicitly) undermine requirements. Consequently, employees are not incentivized to help each other to understand and meet the requirements of their quality management systems. Employees are essentially let down by their organization when faced with a system that may be confusing or boring, or may expose them to unsafe or unproductive working situations. All work is a process, and process failure benefits no one involved. In fact, many do not ascribe common problems such as the following to poor process implementation:

  • Improper recruiting and training processes result in employees being ill-suited or ill-prepared for their work.
  • Individuals in work teams may not be coordinated, resulting in misaligned work priorities and self-serving behavior
  • Incoming items (to which the intended work adds value) are unavailable, nonconforming or late
  • Late or inaccurate information would also undermine processes directly or indirectly controlled by the organization’s quality management systems
  • Incapable, unavailable equipment, software or tools are indications of larger process failure, even if the problems may seem unrelated or sporadic

Many processes fail because they are not monitored and corrected as necessary. Process failure can also be the result if documented procedures required by quality management systems are ignored, inaccurate, too detailed or too vague, or not based on the facts that would fulfill the needs of stakeholders. The result? The now “uncontrolled” procedures may be forgotten or remembered in critically different ways. There are countless ways that organizations may fail to provide the required support for effective processes, but they all result in the same failed state, primarily because none had a workable process, supported by management and implemented by their workforce.

An Improved Model for Creating Processes that Work

As an antidote to process failure, our clients and other organizations have used the QMII Process Model (QMP) for nearly thirty years in order to enhance their quality management systems. QMP helps them quickly determine the root causes of system, process and product failure. This facilitates removal of the root causes of failures from the quality management systems for more successful processes.

Our whitepaper describing the QMP is available here for download. It explains key points of failure that often occur in less balanced (or absent) processes including:

  • Learn the critical importance of analyzing and defining key business processes from an external auditor’s point of view
  • Save time and lower risk by formalizing “as-is procedures” first before designing new ones to fill gaps in the system
  • Learn and apply new skills (auditing, environmental management, quality management techniques, etc.) with total organizational buy-in and support
  • Avoid the often-made error of confusing corrective and preventive actions by controlling key processes first before widening preventive actions
  • Audit and manage to initiate corrective actions and prove system integrity by correctly managing continual improvement

By CEO and President, Captain Inderjit Arora