AUDITOR TRAINING

The British Standards Institution
raising standards worldwide TM
Issue 1 December, 2008
QMS-030-01-EN-GX
© 2008 BSI Management Systems
ISO Internal Auditor
Compliance Management
Prepared & Presented by Yamin K Hajeej
Table of Contents
1 Introduction to Auditing
2 The Process Approach and Process Auditing
3 Managing an Audit Program
4 Audit Activities
5 Auditor Competence and Responsibilities
6 Conclusion
Introduction to Auditing
Auditing
• What is an audit?
  - Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (ISO 19011:2002 clause 3.1)
• Why audit?
  - Requirement of ISO 9001:2008
  - Monitor and measure the management system
  - Promote continuous improvement of the management system
Principles of Auditing
• Principles relating to auditors:
  - Ethical conduct
  - Fair presentation
  - Due professional care
• Principles relating to audit:
  - Independence
  - Evidence-based approach
4.0 (Note: reference to ISO 19011:2002 clause number)
Benefits of Auditing
• Verifies conformity to requirements
• Increases awareness and understanding
• Provides a measurement of effectiveness of the management
system to top management
• Reduces risk of management system failure
• Identifies improvement opportunities
• Continuous improvement if performed regularly
Types of Audit
• Registration / Certification
• Product
• Customer contract
• Gap assessment / Pre-assessment
• Surveillance
• Combined audit / joint audit
The Process Approach and Process Auditing
Process Approach
The process approach emphasizes the importance of:
• Understanding and meeting requirements
• Looking at processes in terms of added value
• Obtaining results of process performance
• Continual improvement of process
PDCA (Plan-Do-Check-Act)
The Plan-Do-Check-Act (PDCA) methodology applies to all processes.
[Figure: PDCA cycle around "Your Process", driving Continual Improvement]
• Plan: Activities, Controls, Documentation, Resources, Objectives
• Do: Deploy and conform with plan
• Check: Measure and monitor for conformity and effectiveness
• Act: Analyze/review, Decide/change, Improve effectiveness
Management System Standards and the
Process Approach
• ISO 9001:2008:
  - Is based upon the PDCA cycle which can be applied to processes
  - Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a QMS
• ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits
Applying the Process Approach to Auditing
Auditors can apply the process approach to auditing by ensuring
the auditee:
• Can define the objectives, inputs, outputs, activities, and
resources for its processes
• Analyzes, monitors, measures, and improves its processes
• Understands the sequence and interaction of its processes
Process Auditing Approaches
Individual Process:
• Input / Output / Value-added Activity
• Plan-Do-Check-Act
• Resources
Relationship with other processes:
• Flow / Sequence / Linkage / Combination
• Interaction / Communication
• Evidence
• Customer and supplier contract(s)
Process Auditing “Turtle Diagram”
[Figure: turtle diagram with the process at the centre]
• Process (specific value-added activities)
• With what? Resources
• With who? Personnel
• Inputs: From whom/where
• Outputs: To whom/where
• How done? Methods/Documentation
• What results? Performance indicators
Process Auditing Example
[Figure: turtle diagram for the Contract Review process]
• Process: Contract Review
• With what?
  - Order processing system
• With who?
  - Customers
  - Competent sales and processing staff
• Inputs:
  - Customer requirements
  - Sales staff
• Outputs:
  - Production/Service Delivery
• How done?
  - IT system
  - Processing system
  - Terms and conditions
  - Contract review procedure
• What results?
  - Order processing time
  - Number of orders
  - Value of orders
  - Contract accuracy
Managing an Audit Program
Managing an Audit Program Process Flow
[Figure: audit program process flow, with stages labelled PLAN, DO, CHECK, ACT]
• Authorize
• Establish: objectives, extent, roles, resources, procedures
• Implement: schedule audits, evaluate auditors, select teams, direct activities, maintain records
  - Linked boxes: Auditor competence & evaluation; Specific audit activities
• Monitor & review: monitor, review, identify need for CA/PA, identify opportunities to improve
• Improve
5.1
Audit Activities
Typical Audit Activities
PLAN
Initiating the Audit
Conducting Document Review
Preparing for On-site Activities
DO
Conducting On-site Activities
Preparing, Approving, Distributing Audit Report
CHECK
ACT
Completing the Audit
Conducting Audit Follow-up
6.1
Audit Program
• Top management should authorize responsibility for program management to:
  - Establish, implement, review, and improve the audit program
  - Identify the necessary resources and ensure they are provided
• Organization should develop audit program processes
• Program should be managed by a member of the organization
• Keep appropriate audit records to monitor and review the audit program
Audit Program Responsibilities
• Top management should authorize responsibility for program management
• Those assigned responsibility should:
  - Establish, implement, review, and improve the audit program
  - Identify the necessary resources and ensure they are provided
Initiating the Audit
Initiating the audit includes:
• Appointing the audit team leader
• Defining audit objectives, scope, criteria
• Determining feasibility of the audit
• Selecting the audit team
• Establishing initial contact with the auditee
6.2
Defining Audit Objectives, Scope, Criteria
Audit Objectives may include:
• Determining the extent of conformity of the auditee's QMS with audit criteria
• Evaluation of capability of QMS to ensure compliance with
statutory, regulatory, and contractual requirements
• Evaluation of effectiveness of the QMS to meet its objectives
• Identification of areas of improvement
6.2.2
Selecting the Audit Team
For team size and competence, consider:
• Audit objectives, scope, criteria, and duration
• Whether audit is combined or joint
• Competence of team to meet objectives
• Statutory, regulatory, contractual and accreditation/certification
requirements
• Independence of the team
6.2.4
Auditor Competence and Responsibilities
Auditor Competence
• Auditor competence is based on:
  - Personal attributes
  - Application of knowledge and skills
• Competence is to be developed, maintained, and improved
7.1
Auditor Competence
Personal Attributes
• Ethical
• Self-reliant
• Open-minded
• Decisive
• Diplomatic
• Tenacious
• Observant
• Versatile
• Perceptive
7.2
Auditor Competence
Generic Knowledge and skills
Auditor skills and competence could include:
• Audit principles, procedures, and techniques
• Management system and reference documents
• Organizational situations
• Laws, regulations, and other requirements
7.3.1
Auditor Competence
Specific Knowledge and skills
Specific knowledge and skills for quality auditors could include:
• Quality methods and techniques
• Quality terminology
• Quality management tools and their application
• Processes and products/services specific to the sector being
audited
7.3.3
Auditor Responsibilities
• Arrive on time
• Maintain confidentiality
• Be objective and ethical
• Support the audit team and team leader
• Plan and prepare work documents
• Inform auditees of the audit process
• Document and support all findings
• Keep auditee informed
• Safeguard all documents
• Prepare the audit report
Audit Activities (Continued)
Audit Planning
• Determine the objective of the audit
• Identify specified requirements
• Determine audit duration and resources needed
• Select the team
• Contact the auditee – agree the date(s)
• Draw up audit plan
• Brief the team
• Prepare work documents
Conducting Document Review
A review of documentation:
• Should be conducted prior to on-site audit activities unless
deferring review is not detrimental to the effectiveness of the
audit
• May include relevant QMS documents, records, and previous
audit reports
• May include a preliminary site visit
6.3
Prepare Work Documents
• Prepare work documents
• Use as a reference and for recording audit proceedings
• Include checklists, sampling plans and forms, ISO 9001:2008
standard, etc.
• Keep checklists flexible to allow changes resulting from
information collected during the audit
• Safeguard any confidential and proprietary information
• Retain work documents and records
Checklists Preparation
One approach is to:
• Identify audit scope and process(es) within scope
• Identify applicable factors (inputs, outputs, measures, resources, etc.)
• Use these points and other requirements (ISO 9001:2008, system documentation, etc.) to:
  - Plan what to look at
  - Plan what to look for (audit evidence)
• Prepare checklist
Checklists Structure
Audit checklist structure:
Process/Activity Audited:
| Requirement | Source | Evidence | Notes |
| ISO 9001:2008 Clause # or other requirement | What to “look at” | What to “look for” | Notes |
Conduct on-Site Audit Activities
• Conduct opening meeting
• Communicate during the audit
• Explain roles and responsibilities of participants
• Collect and verify information
• Generate audit findings
• Prepare audit conclusions
• Conduct closing meeting
6.5
Opening Meeting
• Hold opening meeting with auditee top management and those responsible for processes audited
• Meeting may be informal
• Chaired by team leader
• Audit team present
• Purpose is to confirm all prior arrangements
6.5.1
Collecting and Verifying Information
[Figure: flow] Sources of information → Collect by appropriate sampling & verification → Evaluate against audit criteria → Review → Audit Conclusions
Auditing Process
Collect & Verify information
• Collect information relevant to:
  - Audit objectives, scope, and criteria
  - Interfaces between functions, activities and processes
• Collect audit evidence by appropriate sampling and verify and record it
• Be aware of sampling limitations, if acting on the audit conclusion
• Use only information that is verifiable as audit evidence
6.5.4
Auditing Process
Techniques to Obtain Audit Evidence
• Interview:
  - Personnel that manage, perform, and verify activities
  - Also ensure they are responsible for the activity being audited
  - Listen carefully to responses
• Observe:
  - Identity, status, condition, processes, equipment, activities, environment, and people
6.5.4
Auditing Process
Audit Evidence
• Review documents that describe:
  - Activities
  - Plans
  - Controls
  - Strategies
  - Exercises
  - Tests
• Review records for evidence of conformity to documents
• Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable
• Audit evidence may be qualitative or quantitative
Communication and interpersonal skills
• Put auditee at ease
• Ask short questions and listen
• Reflect right attitude, tone of voice, body language, and facial
expressions
• Smile and show eye contact
• Avoid interruptions
• Avoid off-the-cuff and condescending remarks
• Give praise when appropriate
Communication and interpersonal skills
• Show interest
• Be tactful and polite
• Show patience and understanding
• Remember to say please and thank you
• Ask the right person
• Don't say you understand when you do not
Questioning Techniques
• Open question
  - Using why, who, what, where, when, or how gets more than a yes or no answer
• Expansive question
  - Further elaborates the current point
• Opinion question
  - Asks opinion about current point
• Non-verbal
  - Uses body language, for example: raise eyebrow to elicit further information
Questioning Techniques
• Repetitive question
  - Repeats back response in form of a question
• Hypothetical question
  - Uses what if, suppose that, etc.
• Closed question
  - Gets yes or no answer
  - Avoid using too often
  - Used for confirmation
• Silence
  - Draws more information
Note Taking
• Notes could be used as reference for:
  - Immediate investigation
  - Investigation later
  - Use by a colleague
  - Subsequent audits
• Notes taken during an audit are a record of:
  - The audit sample taken
  - What was reported
  - What was observed
• Notes may be referenced by subsequent auditor
Sampling
• Samples should test the effectiveness of the system and should be:
  - Representative
  - Structured
  - Independently selected
• Sample size should be based on:
  - Risk
  - Importance
  - Status
  - Findings from the previous/current audit
Control of the Audit
• Checklist is an aid, not a requirement
• If potential audit trails appear, decide to:
  - Disregard
  - Note for later
  - Follow up immediately
• Following audit trails may affect:
  - Sample size
  - Audit plan
Handling Difficult Situations
Examples:
• Volunteered information
• Diversionary tactics
• Interdepartmental or personality conflicts
• Cannot find document
• Uncooperative
• Noisy environment
• Unprepared
• Language
• Long telephone calls
• Called away
• Constant interruptions
• Long-winded auditees
• Provocation
• Boastful
Establish the Facts
Judgment in the Audit Process
• Audit focus must be on conformity and effectiveness, NOT on
finding nonconformities
• The auditee must be given the benefit of any doubt where there
is insufficient audit evidence
Establish the Facts
• Discuss concerns
• Verify the findings
• Record all the evidence:
  - Exact observation
  - Where, what, etc.
• Establish why a nonconformity or otherwise
• State who (if relevant) – preferably by job title
• Obtain agreement with the facts
Generate Audit Findings
6.5.5
• Evaluate audit evidence against audit criteria to generate audit
findings
• Indicate if findings are conformities, nonconformities or
opportunities for improvement
• Meet (audit team) to review findings
• Specify (with supporting evidence) or summarize conformity by
location, function, or processes, as required by audit plan
Nonconformity
6.5.5
• Non-fulfillment of a specified requirement:
  - Not doing it
  - Partially doing it
  - Doing it the wrong way
• Specified requirement:
  - Conditions of the customer contract
  - Quality standard (ISO 9001:2008)
  - Quality management system
  - Statutory or regulatory requirements
Generate Audit Findings
6.5.5
• Record nonconformity findings and supporting evidence
• Obtain auditee acknowledgement of nonconformities for
accuracy and understandability
• Try and resolve differences of opinion
• Keep a record of unresolved issues
Nonconformity - Minor
• Failure to comply with a requirement which (based on judgment
and experience) is not likely to result in QMS failure
• Single observed lapse or isolated incident
• Minimal risk of nonconforming product or service
• Examples:
  - A two month lapse in the internal audit program
  - A training record not available
  - No actions taken to improve system based on previous result findings
Nonconformity - Major
• Absence or total breakdown of a system to meet a requirement
• A number of minors related to the same clause or requirement
• A nonconformity that experience and judgment indicate will
likely result in QMS failure or significantly reduce its ability to
assure controlled processes and products
Nonconformity - Major
Examples:
• No documented procedure for a required documented ISO
9001:2008 process/activity
• Document changes routinely made without authorization
• No awareness program for the quality management system
• No future planned internal audits
• Insufficient scope
• Numerous minor nonconformities found in the production
process
Nonconformity
Classifying the Nonconformity
Consider the seriousness:
• What could go wrong if the nonconformity remains
uncorrected?
• Is it likely the system would detect it before the customer is
affected?
• If you are not certain it is a nonconformity, it is not.
You must have:
  - A requirement that has been broken
  - Proof that it has been broken
Nonconformity
Good Report Examples
QMS Nonconformity Report
Incident Number: 1
Company under audit: XYZ, Inc.
Area under Review: Purchasing
Category: Major / Minor
ISO 9001 Clause number: 7.4
Requirement:
Clause 7.4.1 of ISO 9001:2008 requires that the organization establish criteria for evaluation and re-evaluation of suppliers.
Nonconformity Findings:
Upon speaking with the Purchasing Manager, it was found that no evaluation of ABC supplier had taken place since the contract was signed and business began with ABC supplier.
Nonconformity
Poor Report Examples
The nonconformity statements below are inadequate due to the
lack of specified requirements and detailed evidence:
• Steering Group meeting minutes are not adequate
• The authority level for the Emergency Controller must be
documented for clarify purposes
Preparing Audit Conclusions
Audit team confer prior to the closing meeting:
• Scheduling of the audit plan
• To plan for closing meeting
• Purpose is to:
  - Review audit findings and other information
  - Agree on audit conclusions
• To prepare the audit report and recommendations
• If included in audit plan, to discuss audit follow-up
6.5.6
Audit Report
Prepare, Approve & Distribute
1. Audit reference
2. Client and Auditee details
3. Audit team details
4. List of auditee representatives
5. Objectives, scope, and criteria
6. Audit plan – dates, places, areas audited and timing
7. Summary of audit process
8. Audit Summary
9. Uncertainty due to sampling
6.6.1
6.6.2
Audit Report
Prepare, Approve & Distribute
10. Nonconformity reports
11. Recommendation
12. Obstacles encountered
13. Any areas in audit scope not covered
14. Any unresolved issues between the auditee and team
15. Confirmation that audit objectives accomplished
16. Confidentiality statement
17. Distribution list
6.6.1
6.6.2
Audit Report
Distribution
• Issue within agreed time period
• If delayed, provide reasons and agree on new issue date
• Report must be dated, reviewed, and approved as per procedures
• Distribute to recipients designated by audit client
• Report is property of audit client
• Recipients and audit team must respect the confidentiality of the report
6.6.1
Completing the Audit
6.7
• Audit is complete when all activities in audit plan have been carried out and audit report is distributed
• Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures
• Maintain confidentiality of audit documents, information, and report
• Notify audit client and auditee ASAP if disclosure of audit information is required.
Closing Meeting
6.5.7
• Hold closing meeting to present audit findings and conclusions
• Cover situations encountered during audit that may decrease reliance on audit conclusions
• Discuss and resolve diverging audit findings and conclusions
• Keep a record if not resolved
• Provide recommendations for improvement where specified by audit objectives
• Keep minutes and attendance records
• Will normally be informal for internal audits
Completing the Audit
Conducting the Follow-up
6.8
• Audit conclusions may require corrective, preventive, or improvement actions
• Auditee decides and carries out these actions within agreed timeframe
• These actions are not part of the audit
• Audit team member should verify completion and effectiveness of actions taken
• This verification may be part of a subsequent audit
• Maintain independence in subsequent audit activities
Completing the Audit
Corrective the Follow-up
• Auditee receives the nonconformity report
• Auditee prepares and approves a corrective action plan
• Auditee submits the plan to auditors
• Auditors evaluate and approve the plan
• Auditee implements the approved corrective action plan
• Auditor verifies the implementation and effectiveness
• Records of all actions taken by auditor and auditee
6.8
Conclusion
Typical Audit Activities
Initiating the Audit
Conducting Document Review
Preparing for On-site Activities
Conducting On-site Activities
Preparing, Approving, Distributing Audit Report
Completing the Audit
Conducting Audit Follow-up
Final
Questions?
For your attendance and participation!