Standards – Clearly definded: Understanding the difference between system and process audits

by J.P. Russell

It seems that everyone knows the difference between a system and a process. We know processes and systems are related, but most of us aren’t sure when one begins and the other ends. ISO 9000 provides definitions, but they seem inadequate at times.

Understanding the differences between a process and a system is important for effective organization management and auditing programs. Understanding some of the dynamics will help in the development of value-added auditing strategies.

System check

One dictionary define a system as a coherent unification.1 The unification can be of activities, events, thoughts, information, code, materials, people, methods, measures and equipment.

This definition is quite eloquent considering the complexity of most systems. But it may be too vague when discussing business or organization management systems.

Management system standards define a system as a set of interrelated or interacting parts.2 ISO 9001 goes on to define a management system as a set of interrelated or interacting parts to establish policy and objectives, and to achieve those objectives.3

A management system is defined for high organizational control levels (policy and objectives) using all-inclusive, abstract terms. Most systems are so complex it would be impossible—if not impractical—to audit one in its entirety. An auditor could easily get lost in minutia and lose sight of the purpose of the audit.

That’s why the International Organization for Standardization has published management system standards. Audits conducted to verify conformity to the management system requirements are system audits. In that case, the auditor is verifying conformity to discrete elements or controls contained in the standard.

Some audit organizations use a process approach to audit the elements. This approach is a more meaningful and effective way to conduct system audits.

Figures 1 and 2 


Figure 1 is what many quality practitioners know as the document triangle, but I have converted it to a control-level triangle that shows the documents that define organizational requirements.

At the top two levels, there are documents that describe system requirements to achieve intended objectives. At the management system level—which includes quality, environmental, safety and business—it’s possible to break down a system into subsystems and functions so you can see distinct functions, such as purchasing, engineering, order entry and sales.

In one of my classes, I use a string exercise to describe a system. First, I ask five or six students to stand as points of a pentagon or hexagon, with each point representing a different department or management function. Then, we map the steps from an idea in the sales department to the installation of a new $100,000 piece of equipment in the shop that will improve the effectiveness and efficiency of the organization.

You end up with a complex web—sales to management to finance to engineering to purchasing to engineering to management. And this exercise doesn’t even consider labor scheduling, training, employee benefits and competing programs. This complex web or matrix is a depiction of your entire system and, to a casual observer, may look like chaos.

In process

Look at the control-level triangle in Figure 1 again. At the bottom of the triangle are documents that are used to control individual processes—such as work instructions, control plans and routing cards.

At this level, processes are conducted that include filling, washing, reacting, drilling, cutting, treating, sorting, transporting, informing, ordering and opening. This is the level at which work takes place. When you conduct an audit of any of these individual processes, it’s called a process audit.

I have always defined a process as a series of actions or steps that lead to a desired result.4 ISO 9000 defines a process as a set of interrelated or interacting activities that transforms inputs into outputs. This is similar to the definition for a system, except that processes transform inputs into outputs.

The only issue with this definition is that not all processes are transformations. For example, is the process of moving materials from the receiving dock to an area or function a transformation?

A process is a series of sequential steps that results in change. Processes are responsible for all changes or transformations within an organization. All processes are controlled or monitored by parameters that can be optimized.

When auditing processes, auditors should be familiar with the type of process they’re auditing and must follow process steps. The closest thing to a checklist would be a flow chart or work instruction. Using either of those tools, auditors can follow one process to the next until they are assured the process is effective.

Process audits are powerful because they can identify weaknesses and risks, while also identifying areas for improvement. Process audits go beyond the limited control elements defined in a standard.

One fallacy is that people assume the standards writers know everything that must be controlled and put it in management system standards. The truth is the conformity and compliance standards contain minimum controls. Auditing of processes allows you to look at all the necessary controls to ensure they are working to the benefit of an organization.

A process audit scope could be a singular process, part of a process or several processes either in series or parallel. Process audits can start at any level where work takes place. For example, you could audit the filing of public announcements in the president’s office or the the janitorial staff’s process for collecting metal filings.

Pick one

In the control-level triangle, systems reside at the top and processes at the bottom (Figure 2). But what is in the middle? When does a group of processes become a system?

If you are auditing a manufacturing process or operation, is it a system audit or process audit? If an auditor is using system requirements to audit a manufacturing process or operations, it’s a system audit. If an auditor is following the core process for a manufacturing or service organization—for example, following an order to the manufactured part or delivery of the service—it’s a process audit.

In my experience, it’s difficult to effectively perform both types of audits at the same time. For example, an auditor might be thinking about the system requirement to identify material while the operator is explaining how, for some jobs, he or she needs to move a lever only halfway.

As you move up the triangle, it becomes more difficult to test the process flow because the interconnected processes may occur at different times or locations, and process complexity increases. For example, the combined drilling, forming, stamping and finishing of a part may take place in different buildings during a week’s time.

Many materials are processed in batches or held in tanks while waiting for the next treatment. Hospital services for admitting, informing, treating, medicating and discharging patients do not take place at the same time. As you move up the triangle, the idea of a process audit becomes obtuse because of the multiple processes within processes that have differing constraints and objectives.

What’s the difference?

Looking at the revised control-level triangle in Figure 2, you can see that process audits can start at level four and go up to the top, while system audits start from the top at level one and go down.

So, to more clearly delineate between system and process from an auditing perspective:

  • A system audit is an audit of a system or subsystem against system requirements. It can reveal conformity or nonconformity to the system.
  • A process audit is an audit of individual processes against predetermined process steps or activities. It can reveal inefficiencies and areas for improvement.


  1. Webster’s Third New International Dictionary, Unabridged, Merriam-Webster, 2002.
  2. International Organization for Standardization, ISO 9000:2005—Quality management systems—Fundamentals and vocabulary, clause 3.2.1.
  3. International Organization for Standardization, ISO 9000:2005—Quality management systems—Fundamentals and vocabulary, clause 3.2.2.
  4. J.P. Russell, The Quality Master Plan, ASQ Quality Press, 1990, p. 14.

J.P. Russell is president of J.P. Russell & Associates in Gulf Breeze, FL. He is also managing director of and provides training for QualityWBT Center for Education. Russell is an ASQ fellow, ASQ-certified quality auditor, voting member of the American National Standards Institute/ASQ Z1 committee and member of the U.S. technical advisory group for International Organization for Standardization technical committee 176. He is the editor of The ASQ Auditing Handbook, and author of several ASQ Quality Press books, including The Process Auditing and Techniques Guide, second edition.

Print    Email   

^ Back to top

< Back to IANZ News