Auditing for Control and Improvement

by JP Russell

Article Abstract: Understanding of control is central to successful implementation of almost all standards. In fact, a standard may be thought of as a collection of controls management must implement for systems such as safety, quality, environment, and accounting. A simple, yet powerful, method for testing the existence of controls is to use Walter Shewhart’s plan-do-check-act (PDCA) cycle. To test for improvement, we can use PDCA again, only backwards, as the ACDP (analyze-change-do-prosper) improvement cycle.

The organization shall determine criteria and methods needed to ensure that both the operation and control of these processes are effective (ISO 9001:2000:  4.1c).

The word control is used in the titles of ISO 9001 clauses such as “control of nonconforming product” and in phrases such as “to carry out processes under controlled conditions.” The word control is frequently used in standards, contracts, procedures and other documents. It is one of those familiar terms that everyone seems to understand, except that each person’s understanding is a little different.

There is no definition of the word control in the international vocabulary standard (ISO 9000:2000), either because the dictionary definition is believed to be sufficient or because the meaning of the word is so obvious that it would be silly to try to define it. Yet, understanding of control is central to successful implementation of almost all standards. A standard may be thought of as a collection of controls management must implement for systems such as safety, quality, environment, and accounting.

As a manager, I would want to know there is control over the important systems and processes of the organization. As an auditor, I want to be able to verify sufficient controls exist and be able to report any shortcomings. Both should agree on the criteria for control.

Control Criteria

Some have equated having a procedure with control: No procedure – No control.  Unfortunately, it is not that simple. Having a procedure does not mean there is management control over a process. I recall interviewing a truck driver of a transportation company. I asked him about the inspection process of his very expensive cargo. He responded by saying, “Do you want to know what is in the procedure or what we actually do?” Establishing a method is certainly an important process control tool but does not mean there is management control of the process.

Some standard clauses requiring control include a very prescriptive list of activities to be addressed. Control of documents is a good example of a prescriptive list of activities to ensure documents are controlled. There are two problems with relying on the standard to list everything needed for management control. First, it assumes the standard writers could anticipate every situation and second, that every clause will always contain a detailed list of prescriptive requirements. I don’t think the standard writers would claim they know everything and sometimes the requirements are open-ended without any specific prescriptive requirements. For example, a standard might require that the environment be controlled or that the conformity of the product be controlled without a prescriptive list associated with the requirement.

Another place to look for control criteria is ISO 9001:2000, clause 7.5.1: Control of production and service provision. This is a generic list of things to consider for control of processes to be applied as applicable. It is a good list and should be a reference, but it is a list, not a concept. The list may not be sufficient for all situations and does not address improvement criteria.

A simple, yet powerful method to test the existence of controls is to use Shewhart’s PDCA (Plan-Do-Check-Act) cycle. The PDCA cycle can be used as a process technique to test for control.

Process Technique to test Control

For management to control a process or activity, they must establish a predetermined method. Without it, there is no basis to adjust or improve the process. The predetermined method can be in any form and should reflect the level of process risk.
A predetermined method can manifest itself as a procedure, flowchart, outline, series of pictures, etc. In one of my first plant management jobs, operators used their knowledge and skills to operate the process. When we had problems and I attempted to improve the process, I found out that each operator’s skills and knowledge were different. I could not improve the operation because the operating method was a moving target. So, the first thing that had to be done was to establish a consistent method (plan) for operating. This is the Plan part of the PDCA cycle (see Table 1).

Now, just because there is a plan does not mean that people follow it. There must be some type of assurance that people follow the plan by auditing, monitoring, retrievable records or other means. This is the Do part of the test cycle. Just following a plan is not enough to establish management control since every process has at least two outcomes (good and bad, acceptable and unacceptable).

Next, management must determine the criteria or objectives for success or acceptance. The process must be measured and monitored against these criteria. As long as the process outputs match the predetermined acceptance criteria, the process does not need adjustment. This is the Check part of the test cycle (Table 1).

When the results do not match the acceptance criteria (output targets, goals), action must be taken. This is the Act part of the test cycle (Table 1). The action may be sorting good and bad or making adjustments to the process to bring it back in line.

Management control exists when the process or activity is planned, implemented, measured, and acted upon. Based on the above discussion, a possible definition for management control would be the following:

Management Control – When predetermined plans are followed, monitored against acceptance criteria, and adjusted as needed to achieve objectives.

However, ISO 9001:2000 requires more than just effective control; there must be continual improvement too.

Continual Improvement

For there to be improvement, the system/process must be changed. It is not a matter of working harder or being more careful. If there is no change in some aspect of a system/process, the outcomes will always be the same.

As a tool for testing improvement we can use PDCA again, only backwards, as the ACDP improvement cycle. For there to be improvement, process data must be analyzed. Many of us are familiar with what happens to all the records and data collected: they are put in storage, never to see the light of day again. For improvement, the data must be analyzed for trends and identification of weaknesses. This would be the Analyze step of the improvement cycle (Analyze – Change – Do – Prosper), ACDP in Table 2. Process data must be analyzed to identify risks, inefficiencies, opportunities for improvement, and negative trends by comparing results to goals and objectives.

A change could be a change in procedures, but also to other elements of the process such as changing the acceptance criteria or method of monitoring. Changes in equipment or technology may also be necessary for continual improvement. The merits of any change should be evaluated. This is the Change part of the improvement test cycle.

The Do step of the cycle is the implementation of the change. Auditors can verify changes actually took place by review of documents and interviews with area personnel.

Continual improvement should prosper the organization in some manner.  Improvement may be quantified as increased profitability, lower costs, lower exposure of the organization to risks, gain in market share, and other measures of improved effectiveness and efficiency. Sometimes organizations may group changes and assess the effectiveness of several changes to the process. The above represents the P or Prosper step of the improvement test cycle.

Auditing for control and improvement

When standards require control and improvement, both management and auditors need to know the components that must exist. It is management’s job to establish and implement controls and ensure there is continual improvement. It is the auditor’s job to gather audit evidence to verify conformance to requirements. In the absence of specific guidance in performance standards (required procedures, records, or schedules) it is essential that management be able to demonstrate conformance to requirements.

In summary, a process tool that can be used as a guide to test for control and continual improvement is the PDCA-ACDP cycle. The first part of the cycle establishes control of a process. Control is required by standards and is a good business practice. The second part of the cycle should be used to test for improvement. ISO 9001:2000 requires continual improvement. Improvement can only come from change.


About the author

J.P. Russell is an ASQ Fellow and a voting member of the American National Standards Institute/ASQ Z1 committee. He is a member of the U.S. Technical Advisory Group to Technical Committee 176, the body responsible for the ISO 9000 standard series. Russell is the managing director of the internationally accredited Quality Web-Based Training Center for Education, an online auditing, standards, metrics, and quality tools training provider. A former RAB and IRCA lead auditor and an ASQ Certified Quality Auditor, Russell is author of several ASQ Quality Press bestselling books, including Process Auditing Techniques; Internal Auditing Basics; ISO Lesson Guide 2015: Pocket Guide to ISO 9001:2015; and he is the editor of the ASQ Auditing Handbook.

This article first appeared in Quality Progress Standards Outlook February 2002.