SCOPE OF ASSESSMENT

Do audit scopes allow companies to take advantage of the wording of standards or do auditors overstep the mark? Paul Simpson examines the importance of scope

Each of the ‘big three’ standards requires that an organization defines and documents the scope of its management system:

• ISO 9001:2000 - The organization shall establish and maintain a quality manual that includes a)the scope of the quality management system, including details of and justification for any exclusions
• ISO 14001:2004 - The organization shall define and document the scope of its environmental management system
• BS OHSAS 18001:2007 - The organization shall define and document the scope of its occupational health and safety management system

For each of these standards in turn, why is it important for an organization to accurately describe its scope?
if it wants to demonstrate it has the capability to satisfy customer requirements for its products and services, you would expect its system scope to cover that.
Similarly, if it wants to demonstrate environmental management then its system should cover the whole site and whole product lifecycle.
Finally, for OHS, an organization should look after all of its people with a system

Organization scope

We need to carefully consider scope when planning and conducting assessments. A restricted scope requires clear knowledge both within the organization marketing its capability and within the organization selecting its supplier on the basis of competence through certification. The indications are not good, however. You only have to look at the number of unaccredited or bogus certificates accepted as proof of competence by procurement functions to know that certification itself is not well understood, much less so the scope of certification.

As an example, as CEO of Megadeath Global Nuclear Processing and Dumping plc, I choose to put my paperclip-sorting department up for certification to all three standards and not take the risks associated with having an independent assessment of the company ’s full scope, as allowed under the definition of ‘organization’. What is more, any certification body operating a policy of open access is obliged to accept my application. Rarely would you see such blatant flaunting of the spirit of requirements.

Similarly, many certification bodies offer certification to management systems for a scope of registration where a significant proportion of work is carried out at customer premises. How would it be possible to do this without visiting a site?

Developing scopes

There may be genuine reasons why some scopes start narrow; many organizations will pilot a management system in one area with a plan to later implement and certify the full scope throughout the organization.

Scope creep - beware the over-enthusiastic auditor

The reverse can also be true when an auditor extends the bounds of their authority to include requirements outside agreed audit criteria, the standard, legal and customer requirements and the organization’s own documented system.

This can be shown when nonconformities are raised against requirements that don’t exist, perhaps by assessing outside scope or not covering the full scope. An example of each may help: nonconformities are raised for health and safety failings, typically against clause 6.3 or 6.4 of ISO 9001:2000. Now, unless the organization’s customer has placed additional requirements through their contract, the only justification for nonconformity against either clause is if you can show actual impact on quality of the finished product, not a potential impact.

Scope and assessment planning

There are time constraints on any assessment and it is a competitive market for certification bodies. Much pressure is put on reducing assessment time as a way of offering lower certification costs, but this should not be at the expense of quality of assessment.

Assessment remains a sampling activity, but samples should be selected by the audit team to cover the full scope of activity. Otherwise assessment is dumbed down to a commodity product able to be carried out as a document review in the boardroom or off site.

Scope is vital to assessment; it should cover all relevant areas, act as a contract for auditor and auditee and set the agreed boundaries.

(Source: IRCA)