Conducting a Document Review
Compare management system records to requirements
by J.P. Russell
Clause 6.3 of the International Organization for Standardization’s (ISO) auditing standard provides guidelines for conducting a review of documents (also called a desk audit) by comparing them to audit criteria.
ANSI/ISO/ASQ QE19011S, Guidelines for Quality and/or Environmental Management Systems Auditing,1 says an auditee’s documents should be reviewed prior to on-site activities to determine conformity of the management system (MS) documentation to audit criteria. The specific MS documentation should be reviewed prior to the performance phase of an external or internal audit.
The performance phase normally starts with the opening meeting. Review of elements of the audit criteria might verify the existing MS documentation is conforming, potentially nonconforming or nonconforming (see Figure 1). Overall, I believe the most important outcome of a review is verification there is a system ready to be audited.
All relevant MS documents, records and previous audit reports—in fact, all MS documentation related to the audit criteria—should be included in the review (see the input box in Figure 1).
Examples include the MS manual, operations manual, procedures, flowcharts and checksheets. The physical existence of documentation may verify specific elements of the audit criteria. Audit criteria could require documents such as a procedure, manual or specific records that can be verified as physically existing during the document review.
Verifying that documentation addresses specific audit criteria requirements goes a level beyond the verification of the physical existence of documents, procedures or records. For example, if the audit criteria require causes of nonconformities to be identified, an auditor could verify that the procedure includes a step to identify causes of nonconformities. What you learn here, however, is inconclusive. Even if the specific requirement is addressed in the documentation, the organization might not be practicing it.
Even if a specific requirement is not addressed in documentation, it does not mean the organization’s personnel are not meeting the intent of the requirement. If your industry sector requires MS documents to incorporate text to address all requirements, there will be a nonconformity if a procedure does not address specific elements in the audit criteria. Some industry sectors require documentation that has word-for-word traceability between the MS documentation and audit criteria.
The ISO 19011S text lists the MS documents that can be reviewed for first and second-party audits. The list includes:
- Requirements of the standards and regulations related to the processes and products being audited.
- Sections of the MS manual that relate to the processes being audited.
- Any procedures that relate to the audit.
- Process models or other documentation describing the processes being audited and their interaction with other processes.
- Work instructions, forms and records pertinent to the audit.
Additionally, document reviews for second-party audits may include purchasing documents, such as a contract, specifications, purchase order requirements and other agreed-on forms or records.
Next, ISO 19011 says the review should take into account the size, nature and complexity of the organization, as well as the objectives and scope of the audit (see the logistics box in Figure 1). The objectives of the audit are paramount. The documents reviewed should be consistent with the scope, such as physical location or area, and audit criteria.
The size, nature and complexity of the organization might have a major effect on time needed to conduct a document review. The larger and more complex the organization and processes, the longer the review. There is a minimum time needed to conduct a document review, however, regardless of the size or complexity of an organization because the same audit criterion has the same elements that must be verified.
ISO 19011 says that in some situations, the document review may be deferred until the on-site activities start if this will not be detrimental to the effectiveness of the audit. It is perfectly acceptable to make the document review a prerequisite before the opening meeting.
For external audits, there are several reasons for conducting the document review at the auditee location, such as:
- Intranet access security issues.
- An extremely large or small amount of documentation.
- The confidential information issues.
Usually, however, the auditee can provide the documents or access ahead of time. For internal audits, document reviews can be part of a routine audit of an area, rather than a separate document review.
Along the same lines of guidance, the standard says that in other situations, a preliminary site visit can be conducted to get a suitable overview of available information. A preliminary site visit is an added expense that should be cost-benefit justified.
The ISO 19011 U.S. supplement, ISO 19011S, says that once the initial documentation is verified as conforming, it may be necessary to review only changes to documents if the audit criteria changes (see “audit criteria” in Figure 1).
Examples of changes to the audit criteria are the differences between ISO 9001:2000 and ISO 9001:2008. Because of the limited number of changes to ISO 9001 with no new documentation requirements, the time to complete a review of documents for conformity to ISO 9001:2008’s new amendments should be short for most organizations.
Document reviews should be conducted any time the audit criteria or MS change. It may also be prudent to review MS documents when processes are changed to ensure the process changes are reflected in the documentation. For organizations, internal document review may avoid nonconformities from certification bodies and customer audits.
I observed a situation where a company would not change its processes to avoid needing to change its approved documents, thus avoiding potential nonconformities. Keeping processes the same, however, means no improvement in organizational effectiveness—just compliance.
For internal audits, ISO 19011S says a less comprehensive review might be all that is necessary. Instead of “less comprehensive,” however, I prefer to use the words, “less formal.” To some, “less comprehensive” may mean less thorough or less complete. Internal auditors should be just as thorough as external auditors.
When the documentation is found to be inadequate, the audit client, those assigned responsibility for managing the audit program, and the auditee should be notified (see “people” in Figure 1). ISO 19011 puts this responsibility directly on the shoulders of the lead auditor or audit team leader. In reality, however, it may not always be the audit team leader doing the communicating. The informing should be done in accordance with audit program procedures (see “methods” in Figure 1).
There is no specific guidance about what constitutes inadequate documentation. For example, do several typos, misspelled words and grammatical errors constitute inadequate documentation?
From my perspective, the documentation would always be considered inadequate if the organization is missing an element, such as a required procedure or control. It would be inadequate, because regardless of the remaining audit investigation results, no certificate, license, approval or qualification can be issued until the missing procedure or control is created, implemented and audited.
As soon as the auditor reports the MS documentation is inadequate, a decision should be made on whether the audit should be continued or suspended until documentation concerns are resolved (see output in Figure 1).
If there is a possibility the audit objectives cannot be achieved given the inadequacy of the documentation, I suggest delaying or rescheduling. If you choose to continue with the audit, everyone should be informed of the potential consequences.
When second-party audits are conducted prior to a decision to purchase from a specific supplier, the audit client may or may not notify the auditee of the audit findings.
If the document review is part of the supplier approval process and it is decided not to purchase product or services from that particular supplier, no additional communication may be necessary or desired. The client, such as the purchasing manager or director, will decide if additional communication with the supplier is desired and whether a response and follow-up is required by the supplier.
The supplemental guidance in ISO 19011S says that for internal document reviews, if any documents are found to be inadequate, the situation is normally identified through the corrective action system. My experience is that most document review nonconformities are addressed by simple correction or remedial action.
The review of documents is to determine conformity to the audit criteria. The review is an act of inspecting or examining to determine the adequacy of the documentation. An auditor could also determine the suitability and effectiveness of the documentation to achieve established objectives. This can only be done in combination with information gathered during the on-site performance phase of the audit. Lack of suitability or effectiveness could result in nonconformity.
An improvement opportunity might be identified if documents are unclear, redundant, not presented in the most effective medium or designed in a way that does not meet the needs of the organization. Perhaps the auditor observes that the documentation was developed from a generic template and is confusing.
Document review is an important step in the audit process that indicates that the MS to be audited is ready to be audited against the audit criteria used for the document review. It is possible the documentation is adequate but has not been effectively implemented. The conformity of the MS will be determined during the on-site audit’s performance phase.
- ANSI/ISO/ASQ QE19011S, Guidelines for Quality and/or Environmental Management Systems Auditing, ASQ Quality Press, 2004.
J.P. Russell is president of J.P. Russell & Associates in Gulf Breeze, FL, and managing director for the Quality WBT Center for Education at www.QualityWBT.com. He is a fellow of ASQ, ASQ Certified Quality Auditor, voting member of the American National Standards Institute/ASQ Z1 committee and member of the U.S. technical advisory group for International Organization for Standardization technical committee 176. Russell is the author of several ASQ Quality Press books, including Internal Auditing Basics (second edition) and Process Auditing Techniques, and is the editor of the ASQ Audit Handbook (third edition).