Types of Audits

Although there are many different types of audits, ISO 9001 & AS9100 registrars and consultants have been singing the praises of “process-based” audits for years. In fact, they've been promoted to the point that some ISO 9001 & AS9100 auditors have actually issued (unjustified) nonconformities to companies for having performed “clause/element-based” internal audits rather than the preferred “process-based” audits!

These nonconformities are based upon a highly subjective interpretation of ISO 9001 & AS9100.

ISO 9001:2015 & AS9100:2016:
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
b. is EFFECTIVELY implemented and maintained.

Largely due to “indoctrination” (from the registrars) in how to think about ISO 9001 & AS9100, many auditors consider a “process-based” audit to be the ONLY way possible to determine “whether the quality management system is effectively implemented and maintained”. This was further supported by a “non-binding” opinion provided in the US TC 176 - TG22 - Interpretations (Read: Re-writing ISO 9001:2015... through Interpretation).

However, is this true?

What are the types of audits?

ISO 19011:2018 Annex A states:

A.12 Audit of supply chain
The audit of the supply chain to specific requirements can be required. The supplier audit programme should be developed with applicable audit criteria for the type of suppliers and external providers. The scope of the supply chain audit can differ, e.g. complete management system audit, single process audit, product audit, configuration audit.

While this is NOT a complete list of audit types, neither ISO 19011:2018 nor ISO 9000:2015 defines or describes the difference between these audit types.

You may be thinking, “Why not just take the ISO 9000:2015 definition for the word ‘audit’ and expand it to include the other word (product, process, or system)?”

Let's see how that works…

Process Audit
A systematic, independent, and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled in a set of interrelated or interacting activities that use inputs to deliver an intended result. (Source: ISO 9000:2015, sec. 3.13.1 & 3.4.1)

Product Audit
A systematic, independent, and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled in the output of an organization that can be produced without any transaction taking place between the organization and the customer. (Source: ISO 9000:2015, sec. 3.13.1 & 3.7.6)

Management System Audit
A systematic, independent, and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled throughout the set of interrelated or interacting elements of an organization (that) establish policies and objectives, and processes to achieve those objectives. (Source: ISO 9000:2015, sec. 3.13.1 & 3.5.1)

While the above may be technically correct (I'm not actually sure of that statement), at the very least, it is “techno-babble” that is unsuited for use in the real world.

ASQ describes these types of audits

Alternatively, ASQ has an article titled “What is Auditing”, which includes a section titled “The Three Different Types of Audits”. While not “official” definitions of the terms, this section describes these three types of audits in a way that is far more understandable.

Process audit
This type of audit verifies that processes are working within established limits. It evaluates an operation or method against predetermined instructions or standards to measure conformance to these standards and the effectiveness of the instructions. A process audit may:

  • Check conformance to defined requirements such as time, accuracy, temperature, pressure, composition, responsiveness, amperage, and component mixture.
  • Examine the resources (equipment, materials, people) applied to transform the inputs into outputs, the environment, the methods (procedures, instructions) followed, and the measures collected to determine process performance.
  • Check the adequacy and effectiveness of the process controls established by procedures, work instructions, flowcharts, and training and process specifications.

(Source: https://asq.org/quality-resources/auditing)

Product Audit
This type of audit is an examination of a particular product or service, such as hardware, processed material, or software, to evaluate whether it conforms to requirements (i.e., specifications, performance standards, and customer requirements). (Source: https://asq.org/quality-resources/auditing)

System Audit
An audit conducted on a management system. It can be described as a documented activity performed to verify, by examination and evaluation of objective evidence, that applicable elements of the system are appropriate and effective and have been developed, documented, and implemented in accordance and in conjunction with specified requirements. (Source: https://asq.org/quality-resources/auditing)

If you'd like to include a definition for these terms in your own QMS (or “Supplier Quality Requirements Manual”), simply reference the above with the link to the ASQ article.

Configuration Audits

While “configuration audit” is also not defined by ISO (even in ISO 10007:2003, “Quality management systems — Guidelines for configuration management”), the U.S. Federal Aviation Administration (FAA) has defined the term in Order 1800.66 (Incl Chg 3), “Configuration Management Policy”.

Configuration Audit
Product configuration verification accomplished by inspecting documents, products, and records; and reviewing procedures, processes, and systems of operation to verify that the product has achieved its required attributes (performance requirements and functional constraints), and the product’s design is accurately documented. Sometimes divided into separate functional and physical configuration audits.

Although it doesn't define the generic term “Configuration Audit”, the U.S. Defense Acquisition University - Glossary does define the specific terms “Functional Configuration Audit” & “Physical Configuration Audit” (PCA).

Functional Configuration Audit
The formal examination of functional characteristics of a configuration item, or system, to verify that the item has achieved the requirements specified in its functional and/or allocated configuration documentation. (Source: U.S. Defense Acquisition University - Glossary)

Physical Configuration Audit (PCA)
Physical examination of the actual configuration of the item being produced. It verifies that the related design documentation matches the item as specified in the contract. The system product baseline is finalized and validated at the PCA. (Source: U.S. Defense Acquisition University - Glossary)

Conclusion

Ultimately, despite the subjective interpretations/opinions of some external auditors, organizations should decide the type of internal audit that best provides “information on whether the quality management system is effectively implemented and maintained”.

If faced with an external auditor who insists that you must perform “process-based” audits in order to “provide information on whether the quality management system is effectively implemented and maintained”, then there are several ways to argue this.

1 - Neither ISO 9000:2015 nor AS9100:2016 requires that a “process audit” or “process-based audit” be performed in order to “provide information on whether the quality management system is effectively implemented and maintained”.

2 - No ISO document (including ISO 19011:2018 and ISO 9000:2015) defines the term “process audit” or “process-based audit”.

3 - The “ISO 9001 Auditing Practices Group Guidance on: Demonstrate conformity to the standard” does not require “process-based” internal audits to demonstrate conformity with ISO 9001:2015.

4 - The “ISO 9001 Auditing Practices Group Guidance on: Audit Planning” states “Develop the plan around the processes – not the clauses of the standard” in a section titled “USEFUL TIPS TO AUDITORS” because this is NOT a requirement.

5 - The official ISO document “The Process Approach in ISO 9001:2015” describes the process approach toward the QMS WITHOUT requiring (or even mentioning) a “process-based” internal audit.

The above should be sufficient information to “appeal” this type of invalid nonconformity.

The point is that auditors should be there to verify compliance with “actual” requirements, not to imagine requirements where none exist.