Third-party registrars' audits-for better or for worse?

Abstract

Reviews the potential impact of third-party standards audits on a software organization's ability to respond to changing requirements. The authors focus on the responsibility of the auditee's management to ensure that the registrar's audit presents a balanced view of the auditee's position with respect to a standard. Ineffective audits and undeserved certification waste time and money. An ineffective audit has the potential to undermine carefully nurtured cultural attitudes about quality, standards, procedures and audits. At worst, an ineffective audit can obscure problems and divert a software organization from addressing real problems that adversely affect customer satisfaction, the quality of products and services, the efficiency of processes and the business viability of the organization. Drawing on their experience with ISO 9000 in software engineering, the authors discuss actual problems encountered and suggest techniques for ensuring that third-party audits are effective for ensuring that major nonconformities identify serious problems. One of the most prevalent examples is the apparent over-emphasis on document control. Lack of document control is a legitimate major problem. Up to 70% of ISO registrations are initially denied because of document control problems. It would, however, be of substantially more value to the auditee for a skilled auditor to discover that, for example, the process for creating and maintaining requirements documents is missing. While the authors' examples are drawn from ISO 9001 registration audits, the principles, problems and remedies they recommend translate into any standards environment.