Volume 7 · Issue 4 · April 2002


US SubTAGs for ISO/FDIS 19011 Approval, US Supplement
US TAGs Support "Yes" on ISO EMS/QMS Auditing Standard

Regarding the ISO environmental/quality auditing guidelines standard, you can expect it to be published by the end of summer 2002 and for it to be adopted in the United States as an American National Standard. In addition, you can expect a US guidance document on internal and second-party auditing to be issued thereafter to supplement the ISO standard, which is viewed by many US standards experts as geared to third-party auditing situations at a time when internal processes need strengthening.

When the US Technical Advisory Groups (TAGs) to ISO Technical Committees (TCs) 176 (ISO 9000) and 207 (ISO 14000) met concurrently March 12-15, 2002, they shared a common interest in the recent Final Draft International Standard (FDIS) elevation of one standard: ISO 19011, Guidelines for quality and/or environmental management systems auditing. The subgroups responsible for environmental management system (EMS) auditing standards (US SubTAG 2) and quality management system (QMS) auditing standards (US TG 19011) held meetings to review the FDIS and determine the US course of action.

ISO/FDIS 19011 represents the first joint EMS and QMS standardization effort and is the product of the Joint Working Group on Quality and Environmental Auditing (JWG), which consists of auditing experts who are participants on the auditing subcommittees (SCs) of TC 176 and TC 207. However, as has been reported during the past six months in THE OUTLOOK, both US TAGs voted to disapprove of the Draft International Standard (DIS) of ISO 19011 in November 2001 due to concerns about its lack of guidance on internal and less complex external audits. The US delegates to the JWG have sought improvements to ISO 19011’s content and were prepared for a possible US vote of disapproval after it was elevated to FDIS status in January 2002.

Although ISO/FDIS 19011 was not expected to circulate for a 2-month up-or-down vote of approval until at least April 2002, members of both auditing groups received unofficial "drafts" in early March to allow them to evaluate the FDIS at their meetings. Based on their reviews of the changes made since the DIS stage, both auditing groups reached consensus on recommending US approval of the FDIS as an ISO standard and as an American National Standard. US adoption involves a parallel vote by the Z1 Committee of the American National Standards Institute (ANSI). However, reservations with the auditing guidelines remain and a US supplement is to be pursued.

US Approval and Additional Guidance Lie Ahead

By the time the US TAG to TC 176 had concluded its meeting on March 15, 2002, two documents were to be drafted:

  • A joint letter to both TAGs recommending a vote of approval on the FDIS from John H. Stratton, Chair of both US TG 19011 and the US delegation to the JWG, and Cornelius C. ("Bud") Smith, Managing Director of Clayton Environmental Consulting and Chair of US SubTAG 2. "We have not drafted the recommendation yet and will wait to see what information is circulated with the final FDIS and the ballot," acknowledged Stratton. The letter will likely propose that the United States submit its substantive comments with its FDIS ballot "so the US expectations for future revisions to ISO 19011 will be preserved," said Stratton to the US TAG to TC 176. Substantive comments submitted with votes of approval on FDIS ballots are not considered, but submitting them would in effect put them on record.
  • A draft proposal from US SubTAG 2 and US TG 19011 for the establishment of a working group, probably through the American National Standards Institute (ANSI) Z-1 Committee, to develop a document providing guidance on the design and implementation of internal and second-party QMS and EMS audit programs that would supplement ISO 19011. Gary L. Johnson, Environmental Engineer at the US Environmental Protection Agency, a representative of the US TAG to TC 207 and a US delegate to the JWG, and Randy Garrison of US SubTAG 2 were asked to represent US SubTAG 2 in the drafting of a proposal to be sent to the membership of both auditing groups for review and comment. Stratton and Smith expected that both groups will be involved in drafting the proposal to help assure the proposal and text will be acceptable in both audit communities.

"We would have liked ISO 19011 to contain more guidance for internal auditors and smaller organizations, but the consensus in both auditing group meetings was that the US delegates achieved many improvements the SubTAGs wanted and it would be best to approve of the FDIS," remarked Johnson, who added, "We would not accomplish anything by voting against a standard headed for overwhelming approval. Our best shot is to develop a supplement that will serve the needs of US audit program managers and auditors and perhaps users worldwide."

"SubTAG 2 and TG 19011 have agreed to develop what will basically be an SME [small and medium-sized enterprise] and internal audit guidance document through the ANSI Z-1 structure," confirmed Stratton, who noted that the document would most likely take the form of an annex to the American National Standard, a US Technical Report or another possibility.

"In general, the FDIS represents a significant improvement and maturing of the auditing guidelines standard over what the DIS contained, and what we develop as a US supplemental guide might eventually be put forward to the JWG or to TC 207/SC 2 and TC 176/SC 3," advised Johnson.

Stratton, who led the US TG 19011 meeting, noted that he, Johnson and Barton Solomon of Continuous Improvement & Training Associates, who is a member of US TG 19011 and a US delegate to the JWG, had succeeded in obtaining some changes to the DIS that improved its applicability to a wide range of auditing situations. Where the DIS had been geared to establishing auditor criteria and providing audit management guidance suited to complex third-party audit situations, the wording in the FDIS de-emphasizes its focus on third-party auditing, but not to the degree sought by the US auditing groups.

According to Stratton, US goals for the next few months include:

  • Developing a proposal for additional guidance for smaller organizations
  • Keeping US issues visible for later improvement within ISO
  • Voting on the FDIS.

"The good news is that developing the US supplement will not be too difficult or take too long, because much of it already exists," concluded Stratton. He explained that the US Environmental Auditing/Quality Auditing Liaison Group, made up of members of SubTAG 2 and TG 19011, had already developed guidance for internal and SME audits that was submitted with the US comments on ISO/DIS 19011. "That guidance needs only to be revised in light of what was changed in moving to the FDIS, since the US sought to enhance the internal and SME guidance in the DIS."

The proposal for the supplement will provide an indication of how much revision and additional guidance will be involved.

William Harral of Arch Associates LLC, a member of the US TAG to TC 176 and TG 19011, had a slightly different perspective on two issues with ISO 19011. "My first concern is about providing appropriate support for first-party (internal) and second-party (customer) audits versus alignment with third-party (system registration) audits," Harral told THE OUTLOOK. "This issue is not based on the size of organization involved, but on the type of audit.

"My second concern is with the size and complexity of ISO 19011. ISO 10011–all three parts combined–was short and fairly clear to most users in spite of its descriptive nature. ISO/FDIS 19011’s size alone will discourage widespread acceptance amongst many in the quality arena for internal and customer audits. The increase in size was necessary due to the broader scope, but voluntary use of the standard will suffer. Since internal audits are most prevalent and are used to support many types of management methodologies in the US, the US will be most affected. In turn, the US public’s impression of the value of ISO documents may suffer."

A Question of Audit Priorities

A debate that has been at the center of ISO 19011’s development since the earliest drafts has concerned not the difference between EMS and QMS audits, which was expected to produce significant challenges but did not, but whom ISO 19011 is intended to serve. Clearly, at least some of the JWG members wanted ISO 19011’s development and progress to suit the perceived need for a revised auditing standard published as soon as possible after ISO 9001:2000 and geared to registration transitioning. An examination of ISO/FDIS 19011 would lead one to believe that it is intended as a guideline for third-party auditing and is meant to represent a raising of the bar for third-party auditor competency and experience.

The problem is that making improvements to third-party assessments is unlikely to ever be as value-added or as critical to an effective management system as making internal audits all that they could be. There is a perception that a registration assessment has greater value than an internal audit because of the resulting certificate and the expectation that an external auditor will be able to provide a far more objective and effective audit. Indeed, an experienced, competent and effective registrar auditor brings skills, knowledge and expertise to the auditing of an organization from having conducted management system assessments in a range of organizations, and that organization will benefit from what that auditor finds and what he/she provides.

However, the reality is that many third-party audits are nothing more than sampling activities to determine whether a management system is sound (i.e., it meets baseline requirements of a standard) and to detect the symptoms of nonconformances. For example, while a registrar auditor can identify in the audit report continual improvement opportunities in the system that an auditee could pursue (although there is a fine line between auditing and consulting), most third-party auditors focus on a "checklist approach" to systems assessment for conformance to a standard. And there are many cases when nonconformances have gone undetected by the auditors, often to the relief of the organizations, which is another issue.

This is not to say that registration assessments have little value. Third-party auditing is important and, when done right, provides an objective assessment and provides pressure on an organization to "keep its house clean". An auditing expert once said that 90% of the value of an audit is just having the auditors show up, because employees in any organization do not want to look bad in front of an outsider, particularly when the outsider has come to examine how they do things.

Another critical role of registrar auditors is to evaluate the internal audit program, although the experience of some auditing experts has been that third-party auditors tend not to look at the internal program too critically unless a major nonconformance or a pattern of minor nonconformances shows up, making it critical to assess the procedures and performance of the internal audit program. However, considering the limited time registrar auditors spend on-site with most clients in a year, the impact of third-party audits is going to be limited as far as going beyond basic conformance verification.

"For some reason, there is the mistaken and unfortunate impression that third-party audits, especially certification or registration audits, are the exemplar or paragon for auditing in general," remarked Douglas L. Berg, Engineering Group Manager, Quality Methods and Systems, at General Motors Powertrain, a long-time member of US TG 19011 and previous auditing TGs led by Stratton and a member of the EA/QA Liaison Group. In a discussion with THE OUTLOOK following the US TG 19011 meeting in Indianapolis, Berg stressed that third-party audits "are, in fact, a very specialized, structured and constrained type of audit that is focused expressly on compliance to a set of agreed-upon requirements. In a sense, it is to auditing what ballroom dancing is to dancing. While compliance is pertinent at a certain stage of a system’s development, it is of limited utility to the company itself in the longer term."

Solomon, who participated as a US delegate to the JWG and worked for improvements to Section 7, Competence of Auditors, prior to ISO 19011’s elevation to FDIS, agreed with Berg’s assessment, but raised another concern. "I would add that the intent of ISO 19011 may have been to raise the bar for third-party auditors, but that will probably not be achieved by this standard. The way to raise the bar is to hold registrars truly accountable for evaluating and improving the competence of their auditors. This concept is included in Section 7 but will probably be lost in the setting of minimum education, training and experience requirements for auditors at most registrars."

"On the other hand, internal audits, if they are to be effective and valuable themselves, will need to go beyond mere compliance and focus on effectiveness of implementation, overall effectiveness of the processes and systems and continual improvement," emphasized Berg. "To do all this, auditors in a first-party situation would require a much richer knowledge base and skills set than those in the third-party audit situation. Unfortunately, this preoccupation with third-party auditing has affected training for internal auditors by making them ‘mini’ third-party auditors in terms of the material covered and audit principles advanced. It also perpetuates the idea that it is a ‘subordinate’ form of auditing."

"I also agree with Doug’s comments concerning internal auditing: it has the potential to really help an organization, yet that potential is not realized very often," commented Solomon.

Berg also pointed out that there are far more internal and even second-party audits of systems taking place than third-party audits. "Think about it: each ISO 9001 or equivalent compliant system will have a comprehensive program of internal audits," declared Berg. "Many companies are still performing some form of second-party audit of suppliers even with the prevalence of third-party registration. There is a much broader audience for a more general audit guidelines document. ISO 19011 had the potential to address this much broader audience, but certain interests in the process either did not appreciate this, dismissed it or resisted it. That is unfortunate."

A point one auditing expert raised is that internal audits take on increased importance the older the system gets, since the greatest impact of a registrar is at the initial registration assessment, while it is up to internal auditors to maintain the functioning of the management system over time. Both ISO 9001 and ISO 14001 require internal audits to determine continuing system conformance with the standard and the planned arrangements.

ISO 14001 does not require internal auditors to provide input to top management on continual improvement opportunities, which ISO 9001:2000 explicitly does (audit reports are inputs to continual improvement of the QMS), but that doesn’t prevent internal audits of the EMS from providing input for continual improvements.

However, a bad internal audit system will not "survive" for five years, making that system’s improvement important for many organizations using ISO 9001 or ISO 14001.

While efforts are underway to raise the bar of registrar competency in certain sectors and in general, which is a value-adding effort, the focus of any organization should be on ensuring that its management system(s) is effective and that its internal auditors have the training, experience and authority to effectively audit the system(s).

THE OUTLOOK will be examining the internal audit issue in coming issues to help organizations remain vigilant in maintaining and improving their management systems, especially as more organizations transition their QMSs to ISO 9001:2000 conformance and ISO 14001 implementation and registration continue to occur in US industry.

