Which is it, a system or process audit? Understanding the differences between system, process audits

by JP Russell

It seems that everyone knows the difference between a system and a process. We know processes and
systems are related, but most of us aren’t sure when one begins and the other ends. ISO 9000 provides
definitions, but they seem inadequate at times.

Understanding the differences between a process and a system is important for effective organizational
management and auditing programs. Understanding some of the dynamics will help in the development
of value-added auditing strategies.

System check
One dictionary defines a system as a coherent unification.¹ The unification can be of activities, events,
thoughts, information, code, materials, people, methods, measures, and equipment.
This definition is quite eloquent considering the complexity of most systems. But it may be too vague
when discussing business or organization management systems.
Management system standards define a system as a set of interrelated or interacting parts.²
ISO 9001 goes on to define a management system as a set of interrelated or interacting parts to establish policy
and objectives, and to achieve those objectives.³

A management system is defined for high organizational control levels (policy and objectives) using
all-inclusive, abstract terms. Most systems are so complex it would be impossible—if not impractical—
to audit one in its entirety. An auditor could easily get lost in the minutiae and lose sight of the purpose of the
audit. That’s why the International Organization for Standardization has published management system
standards. Audits conducted to verify conformity to the management system requirements are system
audits. In that case, the auditor is verifying conformity to discrete elements or controls contained in the

Some audit organizations use a process approach to audit the elements. This approach is a more
meaningful and effective way to conduct system audits.


Figures 1 and 2

Figure 1 is what many quality practitioners know as the document triangle, but I have converted it
to a control-level triangle that shows the documents that define organizational requirements.
At the top two levels, there are documents that describe system requirements to achieve intended
objectives. At the management system level—which includes quality, environmental, safety and
business—it’s possible to break down a system into subsystems and functions so you can see distinct
functions such as purchasing, engineering, order entry, and sales.

In one of my classes, I use a string exercise to describe a system. First, I ask five or six students to stand
as points of a pentagon or hexagon with each point representing a different department or management
function. Then, we map the steps from an idea in the sales department to the installation of a new
$100,000 piece of equipment in the shop that will improve the effectiveness and efficiency of the

You end up with a complex web—sales to management to finance to engineering to purchasing
to engineering to management. And this exercise doesn’t even consider labor scheduling, training,
employee benefits, and competing programs. This complex web or matrix is a depiction of your entire
system and, to a casual observer, may look like chaos.

In process
Look at the control-level triangle in Figure 1 again. At the bottom of the triangle are documents that are used
to control individual processes—such as work instructions, software menus, control plans, and routing

At this level, processes are conducted that include filling, washing, reacting, drilling, cutting, treating,
sorting, transporting, informing, ordering, and opening. This is the level at which work takes place. When
you conduct an audit of any of these individual processes, it’s called a process audit.

I have always defined a process as a series of actions or steps that lead to a desired result.⁴
ISO 9000 defines a process as a set of interrelated or interacting activities that use inputs to deliver an intended

A process is a series of sequential steps that results in change. Processes are responsible for all changes
or results within an organization. All processes are controlled or monitored by parameters that can be

When auditing processes, auditors should be familiar with the type of process they’re auditing and must
follow process steps. The closest thing to a checklist would be a flow chart or work instruction. Using
either of those tools, auditors can follow one process to the next until they are assured the process is

Process audits are powerful because they can identify weaknesses and risks while also identifying areas
for improvement. Process audits go beyond the limited control elements defined in a standard.
One fallacy is that people assume the standards writers know everything that must be controlled and put
it in management system standards. The truth is, the conformity and compliance standards contain
minimum controls. Auditing of processes allows you to look at all the necessary controls to ensure they
are working to the benefit of an organization.

A process audit scope could be a singular process, part of a process, or several processes either in
series or parallel. Process audits can start at any level where work takes place. For example, you could
audit the filing of public announcements in the president’s office or the janitorial staff’s process for
collecting metal filings.

Pick one
In the control-level triangle, Figure 2, systems reside at the top and processes at the bottom. But what’s
in the middle? When does a group of processes become a system?

If you are auditing a manufacturing process or operation, is it a system audit or process audit?
If an auditor is using system requirements to audit a manufacturing process or operations, it’s a system audit.
If an auditor is following the core process for a manufacturing or service organization—for example,
following an order to the manufactured part or delivery of the service—it’s a process audit.

In my experience, it’s difficult to effectively perform both types of audits at the same time. For example,
an auditor might be thinking about the system requirement to identify material while the operator is
explaining how, for some jobs, he or she needs to move a lever only halfway.
As you move up the triangle, it becomes more difficult to test the process flow because the
interconnected processes may occur at different times or locations and process complexity increases.
For example, the combined drilling, forming, stamping, and finishing of a part may take place in different
buildings during a week’s time.

Many materials are processed in batches or held in tanks while waiting for the next treatment. Hospital
services for admitting, informing, treating, medicating, and discharging patients do not take place at the
same time. As you move up the triangle, the idea of a process audit becomes obtuse because of the
multiple processes within processes that have differing constraints and objectives.

What’s the difference?
Looking at the revised control-level triangle in Figure 2, you can see that process audits can start at level
four and go up to the top while system audits start from the top at level one and go down.
So, to more clearly delineate between system and process from an auditing perspective:
• A system audit is an audit of a system or subsystem against system requirements. It can reveal
conformity or nonconformity to the system.
• A process audit is an audit of individual processes against predetermined process steps or activities.
It can reveal inefficiencies and areas for improvement.

1. Webster’s Third New International Dictionary, Unabridged, Merriam-Webster, 2002.
2. International Organization for Standardization, ISO 9000:2015—Quality management systems—Fundamentals and vocabulary.
3. International Organization for Standardization, ISO 9000:2005—Quality management systems—Fundamentals and vocabulary, clause 3.2.2.
4. J.P. Russell, The Quality Master Plan, ASQ Quality Press, 1990, p. 14.

About the author
J.P. Russell is an ASQ Fellow and a voting member of the American National Standards Institute/ASQ Z1
committee. He is a member of the U.S. Technical Advisory Group to Technical Committee 176, the body
responsible for the ISO 9000 standard series. Russell is the managing director of the internationally
accredited Quality Web-Based Training Center for Education, www.jprlearning.com, an online auditing,
standards, metrics, and quality tools training provider. A former RAB and IRCA lead auditor and an ASQ
Certified Quality Auditor, Russell is author of several ASQ Quality Press bestselling books, including
Process Auditing Techniques; Internal Auditing Basics; ISO Lesson Guide 2015: Pocket Guide to ISO
9001:2015; and he is the editor of the ASQ Auditing Handbook.

Note: This article was first published in the Standards Outlook column of ASQ Quality Progress, Jan 2012.
Some minor revisions from the original article were made.