See how auditing the requirement “4.4 Quality management system and its processes” is easier than it sounds!
Today we would like to talk about requirement 4.4 Quality management system and its processes. At the time of implementation, this item often causes confusion for many professionals, but over the course of this text we will see that it is actually the result of the implementation itself.
At the beginning of the requirement, we understand that it deals with the general set of actions and controls that involve Quality. Here, then, we find the deployment of the scope of quality.
In the scope, we define which processes the company seeks to certify under the standard. And in 4.4 Quality management system and its processes, we need to determine whether the company understands these processes and the ramifications necessary for quality management.
Inputs, outputs, processes and interaction
Once the general concept is understood, we can deepen our analysis a bit. It may seem a bit complicated to audit this item, but if we read its specs carefully, things get simpler.
All we need to understand here is whether the company is clear about what its processes are and whether it takes them seriously. Thus, we need to understand if it knows what the “required inputs” and “expected outputs” of these processes are (Requirement 4.4.1, b).
For example, one of the vital processes for Quality is the handling of non-conformities. What are the inputs to this process? All the information related to a non-compliance in the system. And what would be the expected outputs? The non-compliance treated, with a guarantee of non-recurrence, that is, the improvement of a company process.
Then, still thinking about this example, how will we make the learnings and improvements generated in the non-compliance management process spread throughout the company? For this, we need to plan the interaction between these processes (Requirement 4.4.1, b). Otherwise, it is very easy for an improvement to remain “hidden” in a process or sector.
Finally, we need, of course, to monitor and understand whether the operation of the quality management system is effective. That is, we need to determine and apply criteria and methods to ensure not only that things are working, but that we know whether they are (or are not) going according to plan.
Authority, responsibility and resources
Then, we can say that the item requests a piece of the 5W2H. After all, it asks us to define who is responsible for what, including the authority required for such executions (Requirement 4.4.1, e).
It also asks us to determine the resources needed for the Quality Management System (Requirement 4.4.1, d). These resources may involve the number of people needed for the processes, the software or equipment needed, and training, among many others.
Risks, opportunities and changes
Finally, the standard requires integration with risk management, so we need to understand if the company has correctly implemented the risk mindset in the processes. Here, we have in the standard itself a direct hook with requirement 6.1 and all we have to analyze is whether the company took it into account when designing the Quality Management System.
Likewise, we need to understand if the company, as a result of the monitoring previously required by the standard, has implemented changes in the QMS. Very rarely, if ever, does a system need no changes over time; after all, everything changes and needs to be optimized.
If the company does not implement the necessary changes, then it does not act correctly to “ensure that these processes achieve their intended results” (Requirement 4.4.1, g) and thus does not continuously improve (Requirement 4.4.1, h).
How to identify each company’s need
Well, here, having interpreted the requirement and what it asks for, it’s time to analyze what really happens in the company’s routine and understand whether or not this is in accordance with ISO’s best practices.
There is ample evidence that these items were well implemented, but it is worth mentioning that the standard here requires documented information. Let’s see item 4.4.2:
4.4.2 To the extent necessary, the organization shall:
a) maintain documented information to support the operation of its processes;
b) retain documented information to have confidence that processes are carried out as planned.
So, in addition to the normal fact-finding with interviews and reports, you need to find documents that support the processes and demonstrate system improvement. It is worth noting, of course, that the standard itself says that they must exist “to the extent necessary”. To run their processes, people need support, and the documents created to support them are a great source of information for us auditors.