Blog

July 16, 2014

ISO and CPSRs

ISO and CPSRs

I don't know if this is good or bad news but ISO and CPSRs don't intersect directly at all during the review (e.g. being ISO compliant is not a checkbox on the DCMA list). This is because ISO is merely a quality management system (QMS) to maintain stability and control revisions to your internal processes and related documents; it's in no way a subject-matter driven review. ISO simply provides the structure (including tracking and internal audit) for configuration and document version management, tracks reasons for revision through a formal CAR then maintains updated versions of ISO-covered policies, procedures and forms for use. 

This is the main reason why ISO doesn't necessarily help you during a CPSR: ISO can (and often does) approve processes without respect to their substantive systemic effect(s). In other words, ISO can easily approve a process that prevents competition on million dollar procurements (seen it happen  so simply being ISO-compliant doesn't do much for DCMA.

Your main concern here is making sure ISO doesn't get too involved in policies, procedures, forms and revisions to the point that it frustrates your movement during the CPSR Prep process. My first two CPSRs (both successful) were in an ISO:9000 environment, most of my clients are ISO compliant and my company spent two and a half months helping an acquired company map their procurement policies and procedures to an expansive QMS maintained by the global parent. Through these efforts I've developed three concepts to keep in mind when operating a purchasing system in an ISO environment: 

My first suggestion is to NOT put anything procurement related through ISO until you're sure those are the versions you want to use through your CPSR. Wait until everything is done and ready for formal implementation - ISO is not required until the process is ready for implementation anyway. Leave it in draft until you're ready. 

Second, make sure your QMS isn't interfering with the implementation with new and revised policies and procedures (P&P) by not including unnecessary reviewers during the process. Many QMS (and your ISO depending how you've set it up) require several levels of review of POLICIES but not nearly as much in the way of implementing procedures and work instructions. If this is the case, create an omnibus policy that says your company will comply with all public laws and regulations when performing federal contracts then implement specific compliance at a lower level. This will speed review - you don't want the uninitiated reviewing 100+ pages of regulatory explication and requirements. They have nothing to add but will likely provide redlines and/or ask exhaustive questions if the documents are provided to them for review.

Finally - keep ISO out of the CPSR process until it's complete. A CPSR is a government investigation; if the government has findings and require a Corrective Action Plan/Report (CAR), respond with an appropriate CAR and finalize outside ISO. Prior to implementation, bring in your ISO auditor and walk them through the changes as so - "This is an ACO-approved CAR in response to an official government investigation. Please approve immediately."