ISO 9000 series quality standards: worldwide implications for quality and professional...

The past five years have seen a significant increase in ISO 9000 registrations across the world. The ISO 9000 series of international standards on quality management and quality assurance have had an enormous worldwide impact since publication by ISO (International Organization for Standardization)

Quality - The Stakeholders' Interests in ISO 9000

There can be few stakeholders in any organization who do not associate quality with success. Any examiner of an organization's results must take into account the quality of its products and/or services - not just today's products and services, but those in the past and predictions for the future. Evidence of quality as a continuous process is important for the customer - and equally important for those who rely on an organization for their own well being. Such evidence is not always easy to find by outsiders, many of whom must rely on published financial and operating statements for their inspections, and sometimes these statements are issued only at irregular or even annual intervals. Many such statements have a bias, being issued by persons responsible for the quality being reported.

Independent verification of financial information is a requirement for most organizations. Independent verification of quality statements is equally important, but less common. Not so for those organizations with external ISO 9000 quality standard registrations. Independent inspections of the quality of products and services grew as a requirement in some industries many years ago. These audits are known as second-party audits, a type of audit associated with contracts for supplies. Today, many organizations design second-party audits into all their contracts for major supplies.

In the fifties and sixties, second-party audit standards developed in many industry sectors, establishing some comfort and security for organizations (first parties) and their stakeholders. This was the starting point for ISO 9000, the international standard for quality. Born in the seven ties and eighties out of second-party auditing, ISO 9000 establishes recognized standard requirements for all quality systems; links quality to business objectives and results; improves auditing in quality systems; provides a worldwide process for third-party audit registration of quality systems; and adds a new dimension for the coordination of all reviews of an organization's operations.

Not everyone agrees that all the above are achieved by ISO 9000, but evidence is growing of its impact in many organizations. Judgements of ISO 9000 are still mixed, despite its wide use in all industry sectors and the growing number of registered quality systems in countries across the world. This is partly because of the variety of interpretations placed on its quality requirements and partly because of the variety of motives for its use. However, the main reason for the mixed judgements is that ISO 9000 is still in its infancy.

The now titled BS EN ISO 9000 series of quality standards and guides was issued in 1987 and revised in 1994. The supporting ISO 10011 standards and guides for quality system auditing were issued and revised in 1991. Each is supported by 21st century visions and active international working parties reviewing how they will be developed to meet stakeholders needs in the future. Each is being interpreted by many national registration bodies and certified quality professionals. European organizations lead in their pursuit and maintenance of registered quality systems. But, there is now a growing interest in North America.

Supplier schemes based on a foundation of ISO 9000 are also being developed. A good example of these is QS 9000, developed and introduced by the U.S. automotive industry (Chrysler, Ford and General Motors) in 1994, to define their quality expectations. The goal of QS 9000 is to develop fundamental quality systems that provide for continuous improvement, emphasizing defect prevention and reduced waste in the supply chain. A program of requiring automotive suppliers to register to QS 9000 is established in North America. Impact of this registration scheme on suppliers outside the United States will grow as it becomes established across the automotive industry sector.

ISO 9000 as Part of Risk and Control in an Organization

In all organizations, responsibility for ensuring that goals and objectives are achieved and results are consistent with expectations, rests with management. To improve performance and ensure survival in today's competitive and regulated environments, risk must be managed economically, efficiently and effectively. To do this, management must establish reasonable controls.

The impact of ISO 9000 on control in an organization with systems registered to the standard is significant. Each of its quality requirements can influence all the elements in the Internal Control - Integrated Frame-work document produced by the Committee of Sponsoring Organiza-tions (COSO) of the Treadway Com-mission. This framework has become an accepted reference on control across the world. Its elements span all the control requirements for any type or size of organization. Comparison of the ISO 9000 quality requirements with the COSO control elments shows important links, each with the other. (See figure 1.)

It is not difficult to reference the quality requirements of ISO 9000 into the COSO control framework. Building a frame of reference between both can be an excellent learning exercise for those who review control in an organization.

The quality principles of customer focus, leadership, teamwork, analysis and continuous improvement can apply to each of the COSO elements. Quality, although not specifically mentioned, is also an important requirement of the objectives in COSO's definition of control categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.

Quality requirements are discussed in the control framework and criteria of control defined by the Canadian Institute of Chartered Accountants' Criteria of Control Board (CoCo) and published in 1995. These criteria define control as purpose, commitment, capability, monitoring and learning.

The following CoCo description of these criteria could apply equally to a quality system: "A person performs a task, guided by an understanding of its purpose (the objective to be achieved) and supported by capability (information, resources, supplies and skills). The person will need a sense of commitment to perform the task well over time. The person will monitor his or her performance and the external environment to learn about how to do the task better and about changes to be made. The same is true of any team or work group. In any organization of people, the essence of control is purpose, commitment, capability, and monitoring and learning."

If it is not difficult to relate the COSO and CoCo control requirements to quality, why has this not happened more in practice? Any risk analysis focused on an organization's vision and mission must consider the risk of poor quality and not satisfying external customers and other stakeholders. Yet, there is still little evidence that strong quality and control are linked together as essential for success, or even survival. An appendage to the CoCo guide does relate its control criteria to the Malcolm Baldrige quality award criteria, demonstrating a clear link between each. But the control guide makes no reference to quality standards or ISO 9000!

Impact of ISO 9000 on Internal Auditing

In 1992, the first articles on ISO 9000 appeared in Internal Auditor, international journal of the Institute of Internal Auditors (IIA). Members had started to recognize that ISO 9000 impacts internal auditing. The IIA-UK's Total Quality Management: Implications for Internal Departments - Professional Briefing Note Number One, published in 1992, also discussed the impact of ISO 9000 on internal auditing. It recognizes the overlap of auditing activities in organizations with ISO 9000 registrations and the possibility of some internal auditing departments registering their services as ISO 9000 quality systems.

In 1993, the IIA Research Foundation (IIARF), sought bids for research into the implications of ISO 9000 on internal auditing. The South Bank Business School, London and British Standards Institution started this worldwide research early in 1994. The IIA published results of this research in July 96: International Quality Standards: Implications for Internal Auditing.

Results of IIA research indicate a growing interest in ISO 9000 within organizations across the world. Almost half the research respondents worldwide indicate their organizations achieved or are planning to achieve ISO 9000 registrations. [ILLUSTRATION FOR FIGURE 2 OMITTED]. Registrations span most of the geographic regions covered by the IIA worldwide membership, with Europe accounting for 52 registrations and North America accounting for 15. Most respondents indicate a medium or high interest in ISO 9000. More than three-quarters recognize links between ISO 9000 and Total Quality Management (TQM).

All respondents indicated their perception of benefits from nine organization attributes that might change through ISO 9000 registration. Respondents gave highest ratings to image, consistency, efficiency, teamwork and communication. Low rankings were given for training, risk and flexibility. This must be of concern, particularly the ranking given to risk. ISO 9000 has a significant impact on control levels across all its requirements for a quality system. As such, low importance attached to links between risk and quality should be of concern to both internal auditors and managers.

All respondents were asked how they see coordination and liaison with quality auditors developing during the next five years. They were given a [TABULAR DATA FOR FIGURE 2 OMITTED] selection of five opinions and a choice of adding others. Most believe there will be increased coordination and liaison: Only a low percentage believe there will be more joint auditing or that internal and quality auditing will become one function. Respondents with ISO 9000 registrations in their organizations were asked to indicate from a list of nine possible values, those they believe could be improved by coordination and liaison with quality auditing. Most indicated improved compliance auditing, half indicated improved operational auditing, and few saw any added value in their financial auditing. Surprisingly few saw reduced total audit costs as a value from increased coordination and liaison. Coordination and liaison links between all auditors will be essential if an organization is to achieve maximum benefit from its monitoring and total auditing costs.

Some internal auditing functions across the world have registered their services to ISO 9000, using its quality requirements to improve their audit work. Others will follow. Some of these registrations are part of a wider quality strategy in their organizations. Some are the organization's first registration. This lead by internal auditors into quality management and quality assurance will improve internal audit performance and strengthen the links among quality requirements, risk and control.

There are many opportunities for internal auditors in the quality environment. Seeking out these opportunities will set new challenges for all internal auditors in the future.

Figure 1

Comparison of ISO 9000 Quality Requirements COSO Control Elements

ISO 9000

Management Responsibility Quality System Contract Review Design Control Document and Data Control Purchasing Control of Customer-Supplied Product Product identification and Traceability Process Control Inspection and Testing Control of Inspection, Measuring and Test Equipment Inspection and Test Status Control of Nonconforming Product Corrective and Preventive Action Handling, Storage, Packaging, Preservation and Delivery Control of Quality Records Internal Quality Audits Training Servicing Statistical Techniques

COSO

Control Environment Risk Assessment Control Activities Monitoring Information Systems Communication

Jeffrey Ridley is Professor of Auditing, South Bank University, London.