The Right Approach

An effective QMS audit requires a process-based strategy

by Sandford Liebesman

The process approach is at the heart of a quality management system (QMS) defined by ISO 9001. And, as everyone knows, it’s necessary to have the old ticker checked out from time to time. That’s where the plan-do-check-act (PDCA) cycle can be useful as the primary tool employed during a process audit.

But what is a process? In this context, it is a transformation of inputs to outputs that is constrained by controls and limited resources (see Figure 1).

Figure 1

Consider the manufacture of printed circuit boards. The process transforms raw materials, such as components and raw circuit boards, into printed circuit boards. The process is constrained by controls, such as temperature of the solder bath, speed of the manufacturing line, testing sequence and component insertion, and by resources that include components, circuit boards, trained personnel and manufacturing equipment.

ISO 9001 contains eight clauses, the last five of which define an effective QMS:

  • Clause 4, Quality Management System: describes the basic structure of an effective QMS.
  • Clause 5, Management Responsibility: indicates the management and oversight of the QMS.
  • Clause 6, Resource Management: describes the control of resources and includes competence, awareness and training of personnel.
  • Clause 7, Product Realization: identifies inputs to the product realization process, such as customer requirements, and the outputs, which are the end results of the product realization process.
  • Clause 8, Measurement, Analysis and Improvement: contains the method for turning data into information and actions. As part of clause 8, the improvement process includes preventive and corrective actions and concludes with management review in clause 5.

The process approach is defined in subclause 0.2 of ISO 9001 and is expanded in subclause 4.1, which requires identification of all processes and their applications; determination of their sequences and interactions; identification of criteria and methods to ensure their effectiveness; provision of supporting resources and information; monitoring, measurement and analysis of each process; and implementation of actions to achieve results and improvement.

In my experience, a QMS has eight basic processes:

  1. Management of the quality system.
  2. Top management involvement.
  3. Customer focus.
  4. The improvement process.
  5. Design and development.
  6. Supplier management.
  7. Product provision (including control of outsourced processes).
  8. Resource management.

Auditing a process-based QMS

What is different about auditing a process-based QMS? In the past, the audit scope was determined by the elements or clauses of the standard, and audits tended to center around yes-or-no checklists. ISO 9001:1994 was checklist-oriented and included 20 elements.

When I used ISO 9001:1994 to audit in the 1990s, however, I used a process-based method because it was closer to the way an organization operated. With the release of ISO 9001:2000, the orientation was officially changed to a process approach.

Several preliminary steps should be taken prior to auditing the processes. Start by developing a business process overview, understanding the organization’s goals and business objectives, and conducting a detailed audit of the quality manual.

Then, accomplish the following process-oriented activities: identify the organization’s major quality-affecting processes, examine links between processes, determine whether processes are integrated to form a system, establish whether the eight basic processes are covered and perform a preliminary analysis of the system’s processes.

Analyzing the processes consists of: identifying an owner for each process; defining the inputs, outputs and constraints (controls and resource limitations) of each process; determining the activities of each process in terms of PDCA; and developing a checklist for each process.

This information is needed to understand the operation of the system. It’s best to use open-ended questions or directions; for example, "Describe the activities of the management review."

The final preliminary step is to develop the three-year audit schedule. Many of the basic processes contain sub-processes that can be audited separately or included in the audit of the basic process.

Tables 1 and 2 are examples of a three-year audit schedule for a company that manufactures communications equipment. "R" indicates a process audit conducted during each visit, while the "S" followed by a number indicates an audit conducted during the visit indicated by the number.

Table 1

Table 2

Auditor’s role

Process auditing starts by looking at how the processes function and how they link elements of various clauses. Many processes are cross-functional or involve several departments. The auditor should use PDCA to identify the parts of the standard necessary for the function of each process and should build the audit around open-ended questions, which reveal more about each process.

The interviews should start with the process owner—the person who can provide the best information about the operation of the process. Other key personnel should be interviewed to get a complete picture. If questions arise, start the discussion with the appropriate clauses of the standard. Always refer to the exact wording, and clarify if necessary.

The auditor should obtain objective evidence by performing a walkthrough review of the steps of each process. When a finding is identified, the auditor should sit down with the process owner and other implementers to describe the finding. Always refer to the wording of the standard.

The auditor can also identify opportunities for improvement. These are not findings—they are suggestions for improvement based on the standard. For example, I’ve suggested that the management review should include financial management personnel. This is not a requirement of the standard, but it will reveal links to the financial aspects of the organization.

Step by step

The following is an example of a process audit in which the PDCA cycle is employed to outline the audit procedure used for an improvement process. The numbers in parentheses are the associated clauses of ISO 9001:2008.

The "plan" step starts by reviewing top management responsibilities in clause 5. The first questions are, "What is the quality policy?" (5.3) and "How was it transmitted throughout the organization?" Also, part of clause 5 is the determination of measurable quality objectives (5.4.1) and QMS planning (5.4.2).

Four related questions applicable during this stage are:

  • How are objectives set?
  • Have objectives been established for the various functions and levels throughout the organization?
  • Does each quality objective (5.4.1) align with the quality policy (5.3)?
  • Does the QMS planning meet the requirements of subclause 4.1?

This stage also contains planning of product realization (7.1) and planning of monitoring, analysis and improvement (8.1).

Planning of product realization includes determining quality objectives and requirements for the product; establishing the processes, documentation and records needed; and defining the elements of the realization process. Planning of measurement, analysis and improvement is meant to demonstrate conformity to product requirements, ensure conformity of the QMS and continually improve the effectiveness of the QMS.

Once the review of the planning is completed, the auditor can start looking at the "do" element. For the improvement process, this is centered on the improvement loop in subclause 8.5.1, which requires improvement of the effectiveness of the QMS through the use of quality policy (5.3), quality objectives (5.4.1), audit results (8.2.2), analysis of data (8.4), corrective actions (8.5.2), preventive actions (8.5.3) and management review (5.6).

The key to determining the effectiveness of the improvement loop is a review of the inputs and outputs of the management review function. What are the results of management review over time? How do they demonstrate the improved effectiveness of the QMS?

The "check" element looks at how data are gathered and turned into information. Data have no value until they become information. The data come from internal and external audits (8.2.2), monitoring and measuring of processes (8.2.3) and products (8.2.4), control of nonconforming product (8.3), customer satisfaction measurements (8.2.1) and supplier results (7.4). The analysis of the data, including trends, should lead to corrective (8.5.2) or preventive actions (8.5.3).

Finally, the "act" element describes the actions taken to improve the effectiveness of the QMS. The auditor should look at the corrective (8.5.2) and preventive (8.5.3) actions that were implemented. Were they effective? What improvements were observed?

The results should be documented as part of the management review (5.6). The result of the management review should be improvement of the QMS and its processes, improvement of product with respect to customer requirements and identification of added resources needed.

As part of the "act" stage, the auditor should audit top management by asking the following questions:

  • What are the results of the latest management review?
  • Does management examine measurements of customer satisfaction, product conformity and process performance?
  • Do the management-review minutes include a review of changes that could affect the quality policy and objectives?
  • What is the measure of the effectiveness of the QMS?
  • Does management make decisions and create actions to improve the effectiveness of the QMS?
  • How often do you or your direct reports attend the meetings?


An effective ending

Eleven clauses, including the improvement loop (8.5.1), require continual improvement of the effectiveness of the QMS. My experience is that most organizations do not define effectiveness well. One example of a satisfactory measurement of effectiveness is a balanced scorecard based on measurements of the key measurable objectives.

Because organizations operate via processes, the approach to internal audits has changed from element- or clause-based to process-based. ISO 9001 defined the process approach (4.1) in response to this realization. The PDCA tool will help you reach the end of the audit, at which time a sound judgment can be made about the effectiveness of your QMS.


Sandford Liebesman is president of Sandford Quality Consulting in Morristown, NJ, following more than 30 years of experience in quality at Bell Laboratories, Lucent Technologies and Bellcore (Telcordia). He is an author of TL 9000, Release 3.0: A Guide to Measuring Excellence in Telecommunications, second edition, and Using ISO 9000 to Improve Business Processes. Liebesman, a fellow of ASQ and chairman of the Electronics and Communications Division, is a member of ISO technical committee 176 and the ANSI Z-1 committee on quality assurance. He is an RABQSA-certified ISO 9000 and TL 9000 lead auditor.
