Evolution
of Third Party Auditing
The high visibility of quality audits to
standards such as ISO9000 may lead to a perception that quality audits are very
much a 1990s phenomena (Russell and Regel, 1996). However, quality audits have
been popular tools to improve quality, productivity and profit for several
decades (Thresh, 1982; Mills, 1976; Palmer, 1977; Van Dine, 1978). In fact, quality auditing and ‘approved
supplier status’ (certification or registration) as we know it today can be
traced back as far as the1920s in the UK to the Aeronautical Inspection
Directorate (Drew, 1969; Souch, 1976).
Later, during the 1950s the North Atlantic Treaty Organization (NATO)
standardized an agreement (STANAG 4107) whereby a National Quality Assurance
Authority in a manufacturing country could undertake evaluations of the
competence of the supplier organization on behalf of the purchasing country.
The experience of the defense industries with quality audits to ensure
assurance and quality control subsequently provided a model for the wider
business community. This was due in part
to the work of the Raby Committee in 1968 and to the Industry Consultative Body
set up in 1971 to ensure that the Raby recommendations for pre-contract
evaluations of supplier systems and rationalization of defense quality
assurance standards were ‘equitable, practical, economic and acceptable to both
parties’ (Souch, 1976; Allaway, 1977).
Private sector companies initially implemented quality control systems
based on standards to gain or maintain contracts with government agencies (Ho,
1995; Johnson, 1970; Mills, 1989).
During the late 1960s and throughout the
1970s, auditing of supplier capability to standards specified by the customer
became accepted practice outside the defense industry. Company-wide quality assurance schemes thus
became firmly ensconced in the corporate landscape (Thresh, 1982). In the absence of domestic standards, private
sector organizations used the available military standards to establish the
status of supplier quality systems (e.g. MIL-Q-9858AQuality Program
Requirements for Industry in USA; 05-21 MOD series in the UK; and also NATO
documents such as AQAP-1 NATO Quality Control System Requirements for
Industry). Each of these bodies also
provided other standards and documents to guide the evaluator or auditor as to
the process of quality systems auditing, including typical questions to
address. The military standards had a
far-reaching impact on the subsequent national domestic standards for quality
system requirements and auditor guidance standards (such as British Standards
BS4891 (1972 Guide to Quality Assurance); BS5719 (1974 Guide to the Evaluation
of Quality Assurance Systems); BS5750 (1979); Australian Standard AS1821-1823
(1978); Australian Standards Series AS3900 (1987); Canadian Standards,
CAN-CSA-Z299.1 through CAN-CSA- Z299.4, 1981; India too, had quality systems
standards by the mid-1970s). This brief
review of standardization demonstrates that quality auditing has a longer and
more coherent history than most texts on quality assurance would lead one to
believe (for a comprehensive comparison of the elements of early British
quality system standards, see MacDonald, 1977 and Periera, 1987). Arrangements
to undertake a quality audit were generally agreed between the two parties to
the contract, customer and supplier.
Impact
of ISO 9001 in Third Party Auditing
Quality auditors from purchasing (customer)
organizations would audit their supplier organizations, first to establish
capability in respect of a contract, and then to conduct surveillance audits as
the term of the contract progressed.
There was always scope for third-party assessment (i.e. external
verification, or audit, of the supplier’s stated quality specifications by a
party not subject to the contract – in effect a second party proxy), although
this did not become a common practice in industry until the mid-1980s. With many customers and suppliers
interacting, the resource implications of multiple audits or assessments and
the compatibility or suitability of national quality standards was a challenge
for quality assurance (audit) departments.
There was a veritable audit explosion in the late 1970s (Sayle, 1981) and
calls were made for more uniform/standardized measurement of supplier
capability and a reduction of multiple customer audits of a single supplier
(Hearn, 1987). To encourage cross
national trade and improve standardization for the supplier assessment/quality
audit process, the International Organization for Standardization (ISO)
commissioned a Technical Committee (TC176) to develop and agree a common set of
criteria. This resulted in the ISO 9000
series of standards being issued in1987, which subsumed most of the
requirements of previously independent national standards such as BS5750.3.
Although the intent of the ISO 9000 series was the same as its predecessors (to
enable verification of the applicability of the implemented quality program and
its ongoing effectiveness), the ISO 9000 series claimed to be a generic “model
for quality assurance.”
The international standardization of
quality system standards (ISO 9000) resulted in a dramatic rise in the scale of
external, third-party assessment and certification. External certification
bodies (such as SGS Yarsley ICS, Lloyds Register Quality Assurance, Bureau
Veritas Quality Assurance, Det Norske Veritas, British Standards Institution)
are increasingly used by organizations seeking ISO 9000 audit and certification. These bodies are themselves accredited by
regulatory agencies (such as the UK Accreditation Service (UKAS) and the Joint
Accreditation Scheme of Australia and New Zealand, JASANZ) to conduct external
quality audits. They audit organizations’ management systems to assess whether
they satisfy the requirements of a particular standard.
In the UK the move to formal external audit
and certification of quality systems was instituted by the Government’s 1982
White Paper on ‘Standards, Quality and International Competitiveness.’ This
explicitly promoted independent audit and certification schemes and sought to
develop the necessary supporting infrastructure (including the creation of a
national accreditation body and the specification of rules/criteria to be
satisfied by ‘certification’ bodies and individual quality assessors). The
first certification bodies were accredited by NACCB (the National Accreditation
Council for Certification Bodies now the United Kingdom Accreditation Service,
UKAS) in March 1986 in the UK and there are now well in excess of 70 such
bodies in existence. The individual
auditors and assessors working for the certification bodies must be both
professionally qualified, operate within nominated industries, and undertake a
specified number of audit activities within a prescribed period (Hutchins, 1997).
ISO 9000 standards quickly gained
popularity, and registration bodies surfaced throughout the globe. Organizations
believed that ISO certification offered a competitive advantage over
non-certified suppliers while concurrently; customers began mandating ISO 9000
registration as a requirement for sourcing business. As a result, the late 80s
and early 90s realized a tremendous increase in third-party audits due to the
need for certification. The third-party audit increase influenced the growth of
the consulting industry, which in turn helped increase the urgency for
organizations to obtain ISO 9000 registration.
Oversight boards were implemented to oversee the registration bodies,
administer and set guidelines for third-party audits, and develop standards for
auditor competency and qualification. However,
after nearly a decade of this self-sustaining, expanding cycle, organizations
and individuals began to question the value of the process.
Constrains
Identified in Third Party Auditing
Thus third-party quality audits have been
an accepted practice within the manufacturing industry for several
decades. In the late 1980s and early
1990s, the audit process gained enormous momentum via the introduction of
international standards such as ISO 9001, ISO 14000, and industry-specific
standards such as QS 9000 (subsequently replaced by TS 16949). Each of these compliance standards requires a
third-party audit to evaluate the organization’s management system against the
requirements outlined in the standard.
In most situations, compliance to these management standards is required
by customers; therefore, the third-party audit is paid by the auditee (i.e.,
organization subject to the audit). The
intent of these standards and audit practices was to reduce the number of
audits bestowed upon an organization; however, it simply has not achieved its
goal.
Each individual industry sector such as
automotives, foods, electronics as well as software developed process-specific
assessments (sometimes executed as second-party audits) as a method to audit a
process against known best practices and not against a set of generic
requirements which are basically related to private label standards. Customers
are using such assessments to conduct audits of their supplier’s vital
processes, thus reducing the value of the third-party certificate which, in
principle, evaluates the effectiveness of all process at a registered facility. An organization with 400 employees will pay
approximately $15,000 for a complete audit cycle that typically consists of an
initial registration audit (full systems audit) followed by five surveillance
audits for bi annual audits or 2 surveillance audits for annual audits. An audit cycle begins with an extensive,
full-system registration audit followed by five or two subsequent surveillance
audits, based on the audit interval agreed.
In addition to hard dollars spent for maintaining certification, vast
resources are consumed to prepare and participate in the audit. According to
the International Organization for Standardization (ISO) (2015), approximately
1138155 organizations are ISO 9001 registered. On the other hand, 40,655
organizations are registered within North America and Europe 530,722 by 2010.
Based on this estimate, and using an employee count of 400, approximately
$7,713,589,500 is potentially spent every 3 years simply on audit fees and
administrative costs imposed by the register.
Additionally, this approximation estimates
the cost of organizations certified to ISO 9001; but if other standards such as
TS 16949–Quality Management System Guidelines for the Automotive Industry, ISO
14001–Environmental Management System Guidelines, and ISO 13485 Quality
Management System Guidelines for the Medical Device Industry, ISO 22000 for
Food and Feed Manufacturers in supply chain are considered, the total cost
spent for a 3-year audit cycle would be exorbitant. Placing a value on the use
of company resources is somewhat difficult. Nevertheless, it is hard to dispute
those managers, engineers, clericals, and team members participating in the
audit process devote significant time to it. For example, recent audit results
shared by a major automobile supplier (a facility approximately 400 employees)
indicate the total cost of resources for a successful registration audit is
conservatively estimated at $16,000. This estimate is based upon (a) audit
administration costs; (b) man-hours consumed preparing for the audit; (c) time
spent by management as guides for the auditors; (d) disruption of production
activities; and (e) resources dedicated to addressing and responding to the
audit findings. These costs are estimates for a facility with approximately 400
employees.
Regardless of organizational magnitude, all
companies subject to the third-party audit and registration process are subject
to the same cost and use of resources. Based on these costs, and the magnitude
of the potential organizational burden resulting from third-party audits, one
may contemplate how such a costly process became necessary and mandatory. The
answer to this question lies within the history of third-party audits. By
examining the evolution of third-party audits, it becomes evident that these
audits developed to fulfill an industry need. However, due to various
circumstances and events, such audits have become antiquated and non-effective.
(a) the third-party audit process is adequate
to assess an organization’s quality management system against the ISO standard,
(b) the third-party audit process fails to add tangible value for the
organization,
(c) the relationship between the auditor (registrar) and auditee
(organization) represents a significant conflict of interest,
(d) the continued
audit cycle is redundant and offers diminishing value, and
(e) mature
organizations fail to benefit from the third-party audit process.
Reference:
Kluse, Christopher, "Third-party Quality
Management Audits for Automotive Component Manufacturing: Perceptions and
Insights into a Necessary Yet Debatable Practice" (2012).