Although this is probably not the most exciting audit to do, it is worth performing an audit across your business from time to time to assess how documentation is controlled.
A question of risk…
It is important when planning your audit to look at the overall risk to your business posed by documentation control. The fact is, no one has ever died because the wrong revision of the internal audit procedure was being used but some big mistakes have been made because the wrong specification was issued.
Of course system documentation is important and yes you will pick up non conformities during certification body assessments for poor control of system documentation but you also need to look at the control of all types of documentation in your business.
Typical documentation can include:
- Quality Management Policy, Manual and Procedures
- Operational Procedures
- Operational Checklists
- Training Documents
- Documents sent to/used by customers
- Bills of materials
- Price Lists
- Product & Test Specifications
- Art work and packaging proofs
- Service Level Agreements
- Method Statements
- Documentation sent to and from suppliers
- Design documentation
Also don’t forget external documentation – I often get told during audits that there aren’t any external documents only to find a long list of important documents that are not being controlled effectively.
External documents may include:
- Product/service legislation
- Product/service design standards
- ISO standards and other industry requirements
- Customer policies and specifications
- Service level agreements
- Contracts
- Customer designs
For each type of documentation you should assess the core controls as identified in the check list below:
For internal documents:
Is there a documented procedure available to define controls for all document types identified?
1.Does this procedure identify who can approve and issue each type of document?
2.What is the process for updates and changes?
Are changes approved before issue? Is this approval by the same ‘authority’ as the initial issue or has this changed? If so is this adequate to control the document issue?
Are documents reviewed from time to time to make sure they are still relevant and being followed? If there is a review period is there evidence this is being followed or are documents out of date?
Are hand amendments allowed in the procedure and if so are these properly authorised?
3.Does each document have a clear title/identification and is there a clear revision level for the document?
4.How are changes to documents communicated to the people who need to use the document?
5.How are documents of each type circulated? Are the right documents available at each point of use?
If this is controlled by a computer system, what happens if this system is not available?
7.Are any documents used at other/remote locations? If so how do you know the correct version is being used?
8.For external documents – what controls are in place to identify any updates to:
Legislation and standards?
Changes to customer designs and requirements?
Changes in any contracts/service level agreements?
9.What happens to obsolete documents?
When new documents are issued are you sure the old documents are removed from use? Is it obvious which documents are obsolete or is there a chance of confusion?
Are old documents retained for reference and if so are these identified?
Document control is a process that require auditing from time to time to ensure compliance and control business risk. Don’t forget, you can download the audit checklist below.