2. Course Aims and Objectives
• Describe the responsibilities of an Internal Auditor
• Describe the role of internal audits within a management
system including the audit management process
• Explain the model of a process-based Quality
Management System, including the purpose and structure
of ISO 9001:2015
• Plan and prepare an internal audit
• Gather objective evidence through observation, interview
and sampling of documents and records
• Write factual audit findings and reports that help to
improve the effectiveness of the management system
• Define and describe ways in which the effectiveness of
corrective action might be verified
3. Session 1 Objectives
• Understand the purpose and typical structure of
management systems and ISO 9001:2015
• Understand the ISO 9001:2015 requirements
relating to Internal Audits
• Understand the Plan Do Check Act (PDCA)
Cycle
• Understand what is a process, key terminology,
and the different types of processes and their
significance for internal auditors
4. Purpose of a Quality Management
System
• ISO 9001:2015 is used if you are seeking to
establish a management system that provides
confidence in the conformance of your
product to meet customer and applicable
statutory & regulatory requirements
• In addition, ISO 9001:2015 seeks to enhance
customer satisfaction by improving your Quality
Management System
5. Table of Contents
1 Introduction to Auditing
2 The Process Approach and Process Auditing
3 Managing an Audit Program
4 Audit Activities
5 Auditor Competence and Responsibilities
6 Conclusion
7. Auditing
• What is an audit?
Systematic, independent and documented process for
obtaining audit evidence and evaluating it objectively to
determine the extent to which audit criteria are fulfilled
(ISO 19011:2002, clause 3.1)
• Why audit?
Requirement of ISO 9001:2015
Monitor and measure the management system
Promote continuous improvement of the management
system
8. Principles of Auditing
• Principles relating to auditors:
Ethical conduct
Fair presentation
Due professional care
• Principles relating to audit:
Independence
Evidence-based approach
4.0 (Note: reference to ISO 19011:2002 clause number)
9. Benefits of Auditing
• Verifies conformity to requirements
• Increases awareness and understanding
• Provides a measurement of effectiveness of the management
system to top management
• Reduces risk of management system failure
• Identifies improvement opportunities
• Continuous improvement if performed regularly
12. Process Approach
The process approach emphasizes the importance of:
• Understanding and meeting requirements
• Looking at processes in terms of added value
• Obtaining results of process performance
• Continual improvement of process
14. Management System Standards and the
Process Approach
• ISO 9001:2015:
Is based upon the PDCA cycle which can be applied to
processes
Applies the PDCA cycle to implementing, operating,
monitoring, exercising, maintaining and improving the
effectiveness of a QMS
• ISO 19011:2002 does not explicitly mention process audits, but
is written for application to all management system audits
15. Applying the Process Approach to Auditing
Auditors can apply the process approach to auditing by ensuring
the auditee:
• Can define the objectives, inputs, outputs, activities, and
resources for its processes
• Analyzes, monitors, measures, and improves its processes
• Understands the sequence and interaction of its processes
16. Process Auditing Approaches
Individual Process:
• Input / Output / Value-added Activity
• Plan-Do-Check-Act
• Resources
Relationship with other processes:
• Flow / Sequence / Linkage / Combination
• Interaction / Communication
• Evidence
• Customer and supplier contract(s)
17. Process Auditing “Turtle Diagram”
• With what? Resources
• With who? Personnel
• What results? Performance indicators
• Outputs: To whom / where
• Inputs: From whom / where
• How done? Methods / documentation
• Process (specific value-added activities)
18. Process Auditing Example
Process: Contract Review
With what?
• Order processing system
With who?
• Customers
• Competent sales and processing staff
What results?
• Order processing time
• Number of orders
• Value of orders
• Contract accuracy
Outputs
• Production/Service Delivery
Inputs
• Customer requirements
• Sales staff
How done?
• IT system
• Processing system
• Terms and conditions
• Contract review procedure
23. Audit Program
• Top management should authorize responsibility for program
management to:
Establish, implement, review, and improve the audit
program
Identify the necessary resources and ensure they are
provided
• Organization should develop audit program processes
• Program should be managed by a member of the organization
• Keep appropriate audit records to monitor and review the audit
program
24. Audit Program Responsibilities
• Top management should authorize responsibility for program
management
• Those assigned responsibility should:
Establish, implement, review, and improve the audit
program
Identify the necessary resources and ensure they are
provided
25. Initiating the Audit
Initiating the audit includes:
• Appointing the audit team leader
• Defining audit objectives, scope, criteria
• Determining feasibility of the audit
• Selecting the audit team
• Establishing initial contact with the auditee
6.2
26. Defining Audit Objectives, Scope, Criteria
Audit Objectives may include:
• Determining the extent of conformity of the auditee's QMS with
audit criteria
• Evaluation of capability of QMS to ensure compliance with
statutory, regulatory, and contractual requirements
• Evaluation of effectiveness of the QMS to meet its objectives
• Identification of areas of improvement
6.2.2
27. Selecting the Audit Team
For team size and competence, consider:
• Audit objectives, scope, criteria, and duration
• Whether audit is combined or joint
• Competence of team to meet objectives
• Statutory, regulatory, contractual and accreditation/certification
requirements
• Independence of the team
6.2.4
29. Auditor Competence
• Auditor competence is based on:
Personal attributes
Application of knowledge and skills
• Competence is to be developed, maintained, and improved
7.1
31. Auditor Competence
Generic Knowledge and skills
Auditor skills and competence could include:
• Audit principles, procedures, and techniques
• Management system and reference documents
• Organizational situations
• Laws, regulations, and other requirements
7.3.1
32. Auditor Competence
Specific Knowledge and skills
Specific knowledge and skills for quality auditors could include:
• Quality methods and techniques
• Quality terminology
• Quality management tools and their application
• Processes and products/services specific to the sector being
audited
7.3.3
33. Auditor Responsibilities
• Arrive on time
• Maintain confidentiality
• Be objective and ethical
• Support the audit team and team leader
• Plan and prepare work documents
• Inform auditees of the audit process
• Document and support all findings
• Keep auditee informed
• Safeguard all documents
• Prepare the audit report
35. Audit Planning
• Determine the objective of the audit
• Identify specified requirements
• Determine audit duration and resources needed
• Select the team
• Contact the auditee – agree the date(s)
• Draw up audit plan
• Brief the team
• Prepare work documents
36. Conducting Document Review
A review of documentation:
• Should be conducted prior to on-site audit activities unless
deferring review is not detrimental to the effectiveness of the
audit
• May include relevant QMS documents, records, and previous
audit reports
• May include a preliminary site visit
6.3
37. Prepare Work Documents
• Prepare work documents
• Use as a reference and for recording audit proceedings
• Include checklists, sampling plans and forms, ISO 9001:2015
standard, etc.
• Keep checklists flexible to allow changes resulting from
information collected during the audit
• Safeguard any confidential and proprietary information
• Retain work documents and records
38. Checklists Preparation
One approach is to:
• Identify audit scope and process(es) within scope
• Identify applicable factors (inputs, outputs, measures,
resources, etc.)
• Use these points and other requirements
(ISO 9001:2015, system documentation, etc.) to:
Plan what to look at
Plan what to look for (audit evidence)
• Prepare checklist
39. Checklists Structure
Audit checklist structure:
Process/Activity Audited:
• Requirement: ISO 9001:2015 Clause # or other requirement
• Source: What to “look at”
• Evidence: What to “look for”
• Notes: Notes
40. Conduct on-Site Audit Activities
• Conduct opening meeting
• Communicate during the audit
• Explain roles and responsibilities of participants
• Collect and verify information
• Generate audit findings
• Prepare audit conclusions
• Conduct closing meeting
6.5
41. Opening Meeting
• Hold opening meeting with auditee top management and
those responsible for processes audited
• Meeting may be informal
• Chaired by team leader
• Audit team present
• Purpose is to confirm all prior arrangements
6.5.1
43. Auditing Process
Collect & Verify information
• Collect information relevant to:
Audit objectives, scope, and criteria
Interfaces between functions, activities and processes
• Collect audit evidence by appropriate sampling and verify and
record it
• Be aware of sampling limitations if acting on the audit
conclusion
• Use only information that is verifiable as audit evidence
6.5.4
44. Auditing Process
Techniques to Obtain Audit Evidence
• Interview:
Personnel that manage, perform, and verify activities
Also ensure they are responsible for the activity being
audited
Listen carefully to responses
• Observe:
Identity, status, condition, processes, equipment, activities,
environment, and people
6.5.4
45. Auditing Process
Audit Evidence
• Review documents that describe:
Activities
Plans
Controls
Strategies
Exercises
Tests
• Review records for evidence of conformity to documents
• Review records, statements of fact, or other information which
are relevant to the audit criteria and verifiable
• Audit evidence may be qualitative or quantitative
46. Communication and interpersonal skills
• Put auditee at ease
• Ask short questions and listen
• Reflect right attitude, tone of voice, body language, and facial
expressions
• Smile and show eye contact
• Avoid interruptions
• Avoid off-the-cuff and condescending remarks
• Give praise when appropriate
47. Communication and interpersonal skills
• Show interest
• Be tactful and polite
• Show patience and understanding
• Remember to say please and thank you
• Ask the right person
• Don't say you understand when you do not
48. Questioning Techniques
• Open question
Using why, who, what, where, when, or how gets more than
a yes or no answer
• Expansive question
Further elaborates the current point
• Opinion question
Asks opinion about current point
• Non-verbal
Uses body language, for example raising an eyebrow to elicit
further information
49. Questioning Techniques
• Repetitive question
Repeats back response in form of a question
• Hypothetical question
Uses what if, suppose that, etc.
• Closed question
Gets yes or no answer
Avoid using too often
Used for confirmation
• Silence
Draws more information
50. Note Taking
• Notes could be used as reference for:
Immediate investigation
Investigation later
Use by a colleague
Subsequent audits
• Notes taken during an audit are a record of:
The audit sample taken
What was reported
What was observed
• Notes may be referenced by subsequent auditor
51. Sampling
• Samples should test the effectiveness of the system and should
be:
Representative
Structured
Independently selected
• Sample size should be based on:
Risk
Importance
Status
Findings from the previous/current audit
52. Control of the Audit
• Checklist is an aid, not a requirement
• If potential audit trails appear, decide to:
Disregard
Note for later
Follow up immediately
• Following audit trails may affect:
Sample size
Audit plan
54. Establish the Facts
Judgment in the Audit Process
• Audit focus must be on conformity and effectiveness, NOT on
finding nonconformities
• The auditee must be given the benefit of any doubt where there
is insufficient audit evidence
55. Establish the Facts
• Discuss concerns
• Verify the findings
• Record all the evidence:
Exact observation
Where, what, etc.
• Establish why it is a nonconformity, or otherwise
• State who (if relevant) – preferably by job title
• Obtain agreement with the facts
56. Generate Audit Findings
• Evaluate audit evidence against audit criteria to generate audit
findings
• Indicate if findings are conformities, nonconformities or
opportunities for improvement
• Meet (audit team) to review findings
• Specify (with supporting evidence) or summarize conformity by
location, function, or processes, as required by audit plan
6.5.5
57. Nonconformity
• Non-fulfillment of a specified requirement:
Not doing it
Partially doing it
Doing it the wrong way
• Specified requirement:
Conditions of the customer contract
Quality standard (ISO 9001:2015)
Quality management system
Statutory or regulatory requirements
6.5.5
58. Generate Audit Findings
• Record nonconformity findings and supporting evidence
• Obtain auditee acknowledgement of nonconformities for
accuracy and understandability
• Try and resolve differences of opinion
• Keep a record of unresolved issues
6.5.5
59. Nonconformity - Minor
• Failure to comply with a requirement which (based on judgment
and experience) is not likely to result in QMS failure
• Single observed lapse or isolated incident
• Minimal risk of nonconforming product or service
• Examples:
A two-month lapse in the internal audit program
A training record not available
No actions taken to improve system based on previous
result findings
60. Nonconformity - Major
• Absence or total breakdown of a system to meet a requirement
• A number of minors related to the same clause or requirement
• A nonconformity that experience and judgment indicate will
likely result in QMS failure or significantly reduce its ability to
assure controlled processes and products
61. Nonconformity - Major
Examples:
• No documented procedure for a required documented ISO
9001:2015 process/activity
• Document changes routinely made without authorization
• No awareness program for the quality management system
• No future planned internal audits
• Insufficient scope
• Numerous minor nonconformities found in the production
process
62. Nonconformity
Classifying the Nonconformity
Consider the seriousness:
• What could go wrong if the nonconformity remains
uncorrected?
• Is it likely the system would detect it before the customer is
affected?
• If you are not certain it is a nonconformity, it is not.
You must have:
A requirement that has been broken
Proof that it has been broken
63. Nonconformity
Good Report Examples
QMS Nonconformity Report
Incident Number: 1
Company under audit: XYZ, Inc.
Area under Review: Purchasing
ISO 9001 Clause number: 7.4
Category: Major / Minor
Requirement:
Clause 7.4.1 of ISO 9001:2015 requires that the organization establish criteria for evaluation and
re-evaluation of suppliers.
Nonconformity Findings:
Upon speaking with the Purchasing Manager, it was found that no evaluation of ABC supplier had
taken place since the contract was signed and business began with ABC supplier.
64. Nonconformity
Poor Report Examples
The nonconformity statements below are inadequate due to the
lack of specified requirements and detailed evidence:
• Steering Group meeting minutes are not adequate
• The authority level for the Emergency Controller must be
documented for clarity purposes
65. Preparing Audit Conclusions
The audit team confers prior to the closing meeting:
• Scheduling of the audit plan
• To plan for closing meeting
• Purpose is to:
Review audit findings and other information
Agree on audit conclusions
• To prepare the audit report and recommendations
• If included in audit plan, to discuss audit follow-up
6.5.6
66. Audit Report
Prepare, Approve & Distribute
1. Audit reference
2. Client and Auditee details
3. Audit team details
4. List of auditee representatives
5. Objectives, scope, and criteria
6. Audit plan – dates, places, areas audited and timing
7. Summary of audit process
8. Audit Summary
9. Uncertainty due to sampling
6.6.1
6.6.2
67. Audit Report
Prepare, Approve & Distribute
10. Nonconformity reports
11. Recommendation
12. Obstacles encountered
13. Any areas in audit scope not covered
14. Any unresolved issues between the auditee and team
15. Confirmation that audit objectives accomplished
16. Confidentiality statement
17. Distribution list
6.6.1
6.6.2
68. Audit Report
Distribution
• Issue within agreed time period
• If delayed, provide reasons and agree on new issue date
• Report must be dated, reviewed, and approved as per
procedures
• Distribute to recipients designated by audit client
• Report is property of audit client
• Recipients and audit team must respect the confidentiality of
the report
6.6.1
69. Completing the Audit
• Audit is complete when all activities in audit plan have been
carried out and audit report is distributed
• Maintain or dispose of audit documents based on contractual,
regulatory, and audit program procedures
• Maintain confidentiality of audit documents, information, and
report
• Notify audit client and auditee ASAP if disclosure of audit
information is required.
6.7
70. Closing Meeting
• Hold closing meeting to present audit findings and conclusions
• Cover situations encountered during audit that may decrease
reliance on audit conclusions
• Discuss and resolve diverging audit findings and conclusions
• Keep a record if not resolved
• Provide recommendations for improvement where specified by
audit objectives
• Keep minutes and attendance records
• Will normally be informal for internal audits
6.5.7
71. Completing the Audit
Conducting the Follow-up
• Audit conclusions may require corrective, preventive, or
improvement actions
• Auditee decides and carries out these actions within agreed
timeframe
• These actions are not part of the audit
• Audit team member should verify completion and effectiveness
of actions taken
• This verification may be part of a subsequent audit
• Maintain independence in subsequent audit activities
6.8
72. Completing the Audit
Corrective Action Follow-up
• Auditee receives the nonconformity report
• Auditee prepares and approves a corrective action plan
• Auditee submits the plan to auditors
• Auditors evaluate and approve the plan
• Auditee implements the approved corrective action plan
• Auditor verifies the implementation and effectiveness
• Records of all actions taken by auditor and auditee
6.8