The management systems auditing community has recently engaged in a lot of talk about how to audit a quality management system (QMS) when there are minimal requirements for documentation in the ISO 9001:2015 standard. When we consider that an audit is a “systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled” (ISO 9000:2015), the need for some type of audit criteria seems essential.

There are really two concerns being expressed here:

ISO 9001:2015 no longer requires formal QMS documentation, and what qualifies as “audit criteria” when there is limited QMS documentation?

Let’s take a look at each of these concerns in turn to dispel the myths around this idea of auditing with limited documentation.

First, there seems to be a misunderstanding about documentation requirements in ISO 9001:2015. While it is true that the specific requirements for a quality manual and documented procedures have been removed from the previous versions of this international QMS standard (please don’t throw your organization’s quality manual and procedures away if they are working for your QMS), requirements still exist for what is now called “documented information,” defined as “information required to be controlled and maintained by an organization and the medium on which it is contained” (ISO 9000:2015).

In fact, there are ten mentions of maintaining documented information and 24 references to retaining documented information found throughout the ISO 9001:2015 standard. The use of the term “documented information” provides your organization with flexibility as to how this information will be made available in your QMS.
For auditors worried about auditing a QMS where no or limited documentation is available, take heart: indeed, some type of “documented information” must be available for your organization to define your QMS to address ISO 9001:2015 requirements. However, the format of this “documented information” may vary between and possibly even within organizations, so as auditors, we need to be flexible in our approach to auditing.

A great place to start during your audit planning is to ask process owners what “documented information” about the QMS is available and in what formats this can be found. This “documented information” can then serve as the audit criteria for developing your audit plan and audit checklist.

You likely recognize that not all ISO 9001:2015 requirements specify “documented information,” so what should be used as the audit criteria when auditing those processes of your QMS where “documented information” is not specified? The key is to realize that the requirements in ISO 9001:2015 are always fulfilled by processes found within your organization. Therefore, one question to start your audit planning would be to ask, “What process is in place to . . .?” For example, “What process is in place to identify and maintain organizational knowledge?” or “What process is in place to determine people needed for effective QMS operation?”

We tend to think of processes as formalized and/or written down in documentation. However, a process exists when its output is identifiable, its input and steps to achieve the output are recognized, and ownership of that output and process has been assigned.

Even without formally defined and documented processes, the activities that occur within your organization can address one or more ISO 9001:2015 requirements. As auditors, we must be on the lookout to recognize these processes within our organization and their relationship to the ISO 9001:2015 requirements. Each requirement in ISO 9001:2015 promotes particular outputs demonstrating a well-established QMS. The standard allows flexibility in how your organization defines these outputs relevant to your unique business.

If we approach the auditing of the ISO 9001:2015 requirements less from the standpoint of what documentation is available and more from the perspective of what processes exist, we can adapt a standard set of process-focused questions to any auditing situation. 

When an auditor applies the “starter” set of process audit questions for a QMS process with limited or no documentation, the audit criteria, defined as a “set of policies, procedures or requirements used as a reference against which objective evidence is compared” (ISO 9000:2015), would be “statements of fact” from the owner of the process being audited.

In this case, the process owner’s response establishes the basis for the audit (audit criteria) and prompts us as auditors to ask additional audit questions to identify the objective evidence relevant to the QMS process being audited. This approach will require auditors to be agile at developing appropriate audit questions on the spot versus following a prescribed audit checklist for gathering audit evidence.

One additional concern raised by auditors about this situation of limited QMS documentation is the audit evidence will only be “word of mouth” from the auditee and, therefore, not verifiable. Since audit evidence includes “records, statements of fact or other information which are relevant to the audit criteria and verifiable” (ISO 9000:2015), by definition, audit evidence must be verifiable; otherwise, how can it be considered objective? This is where audit technique becomes critically important from the standpoint of mainly asking open-ended questions during the audit interview, really listening to the auditee’s response; the clues to the audit evidence can always be found in the auditee’s answers, and following audit trails (asking the next appropriate question), which will eventually lead to the audit evidence, whether that evidence is tangible, an observation or a statement of fact which can be corroborated.

No doubt the changes to the ISO 9001:2015 standard are challenging us as auditors to up our game when it comes to evaluating our QMS without specified documentation requirements. However, with the consistent application of the process approach to audit planning, employing our best active listening skills during the audit interview then following relevant audit trails, audit results will provide your organization with accurate, objective insight into your QMS performance and effectiveness.