Internal Auditor Training ISO 9001-2008
2002. This training material is reserved for use by Prism eSolutions, LLC and its customers. This material may not be copied, transmitted, or otherwise used without the explicit permission of Prism eSolutions, LLC. In order to obtain copies of this material or permission to use this material outside of the environment it was distributed to you in, please contact Prism eSolutions, LLC at 700 American Avenue, Suite 104, King of Prussia, PA 19406 or via the web at www.prismesolutions.com or via phone at (610) 491-6000. PN 230-200 revision 3.0
TABLE OF CONTENTS
Section 1: Introduction to Internal Auditing
Introduction Exercise
Student Evaluation Criteria
Audit Exercise
Section 2: ISO Standard Requirements
Open Book Quiz - Sections 4, 5 & 6
Open Book Quiz - Section 7
Open Book Quiz - Section 8
Procedures and Records Exercise
Clause Identification Exercise
Section 3: Phases of Internal Auditing
Develop an Audit Matrix Exercise
Identification of Nonconformities Exercise
Section 4: Appendices
Ten Commandments of Internal Auditing
Sample Audit Checklist
Section 1: Introduction to Internal Auditing
Introduction Exercise
Name:
Years with your organization:
Description of job responsibilities:
Class expectations:
Key question you want answered:
“Where would you rather be?”
Student Evaluation Criteria
Contribution to course discussions
Attitude toward material
Clarity of written assignments
Verbal / presentation skills
Team participation
Contribution to course discussions
Positive Indicators
+ Effectively able to conduct an audit interview
+ Willingness to ask questions
+ Willingness to contribute personal experience
+ Responding to questions
+ Listening
Negative Indicators
- Dominate discussions or group activities
- Unable to effectively conduct an audit interview
- Lack of involvement or interest
- Not responding to questions
- Distracting the class
Attitude toward material
Positive Indicators
+ Probing questions
+ Positive attitude toward material
Negative Indicators
- Cynical attitude
- Inappropriate questions
Clarity of written assignments
Positive Indicators
+ Clear, concise points
+ Understandable
+ Legible
Negative Indicators
- Unclear
Verbal / Presentation skills
Positive Indicators
+ Clear voice
+ Correct language
Negative Indicators
- Unclear
Team participation
Positive Indicators
+ Work as part of the team
+ Cooperate and contribute
Negative Indicators
- Monopolizes the group
- No participation in the group
Course Purpose & Objectives
Purpose: To provide you with theory and practical experience to become an effective quality management system auditor
Process: Class interaction, exercises, discussion, participant presentations, student evaluation, and when all else fails, lecture
Objectives: Provide participants with a basic understanding of the quality management system auditing requirements as well as the tools and techniques used in auditing
Terminology and Definitions
Quality System: The organizational structure, procedures, processes, and resources needed to implement the quality management system (includes all departments, documents, & the entire standard)
Quality Policy: The overall intentions and direction of an organization with regard to quality as formally expressed by top management
Quality Management: All activities of overall management used to determine the quality policy, objectives, responsibilities, and processes of the QMS and to ensure adequate implementation and maintenance (includes internal auditors)
Quality Manual: A formal and authorized document setting out the quality policies, systems, procedures, and practices of an organization; a bridge between the standard and the QMS
Procedure or Process: A specific way to perform an activity such that it achieves uniformly acceptable results
Corrective Action: Action taken to eliminate the causes of an existing nonconformity, defect, or other undesirable situation in order to prevent recurrence
Certification: The process by a duly authorized body of determining, verifying, and attesting in writing to the qualifications of a QMS in accordance with applicable requirements
Quality Management System Documentation
ISO Hierarchy and Background
What is ISO?
The International Organization for Standardization
ISO is a “United Nations” – to create common sets of standards for trade and communication
ANSI – American National Standards Institute – represents the United States
ANAB – ANSI/ASQ National Accreditation Board – administers ISO in the United States
ISO 9000 “Quality Management Systems – Fundamentals & Vocabulary”
ISO 9001 “Quality Management Systems – Requirements”
ISO 9004 “Quality Management Systems – Guideline for Performance Improvements”
ISO 9001 May Be Required
Regulatory Requirements:
Regulations, laws, or agreements
Industry standards (chemical, transportation, automotive, etc.)
Product requirements (high pressure containers, scales, implantable medical devices, etc.)
National or local regulations
Customer Requirements:
Organizations may decide ISO certification will benefit them when purchasing from a certified supplier
The practice has proven successful in dealing with suppliers
Generally accepted practice within industry and country
Time or distance make supplier visits an expensive option
Quality Management System Definition
ISO 8402 defines Internal Quality Auditing as:
“…a systematic and independent examination to determine whether quality activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives.”
Types of Quality Audits
Quality Management System
Process
Product or Service
Compliance – registration and surveillance
1st party – internal
2nd party – internal or external
3rd party – external
Quality Management System Audit Goals
Verify documents address all requirements
Manual, Procedures, Instructions, Records
Verify activities are consistent with documents
Verify process effectiveness
Identify opportunities for improvement
Provide value-added feedback to auditees
Audit Performance Relies on Objectivity
Gathering information:
Read (applicable documents)
Listen (ask questions)
Observe (watch activities)
Comparing information:
Objective evidence to known requirements
Drawing conclusions:
Does a “gap” exist?
Is there an “inconsistency”?
Audit Exercise
While performing an audit of the Management Review process, the auditor observed that in the meeting minutes of the most recent Management Review Meeting the VP of Operations did not attend while an Operations Director did. The procedure, which the auditor had reviewed during preparation, stated that required attendees included the VP of Operations. Further, all previous minutes of Management Review reviewed indicated she was in attendance. The auditor asked the quality system Management Representative, the Process Leader, if he was aware of the required attendees. The Management Representative responded correctly and explained that the VP was absent because she had another meeting to attend. He also informed the auditor that he had made out a deviation form to allow a substitute and showed the auditor where the deviation form was filed.
1. Can you identify the three methods used by the auditor to gather information?
2. Are the activities observed consistent with the documents?
3. Is the Management Representative in compliance with the documented quality management system?
4. Why did the auditor ask the Management Representative of his awareness of the procedure?
How to Implement an Internal Audit Program
Understand internal audit requirements
Write internal audit procedure(s)
Select and train auditors
Prepare and publish a schedule
Conduct audits
Track results and take action
Report results to Management Review
Audit Schedule Sample #1
Columns (ISO 9001 clause and title):
4.1 QMS General requirements
4.2 QMS Document requirements
5.1 Management commitment
5.2 Customer focus
5.3 Quality policy
5.4 Planning
5.5 Responsibility, authority & communication
5.6 Management review
6.1 Provision of resources
6.2 Human resources
6.3 Infrastructure
6.4 Work environment
7.1 Planning of product realization
7.2 Customer-related processes
7.3 Design & Development
7.4 Purchasing
7.5 Production and service provision
7.6 Control of monitoring & measuring equipment
8.1 Measurement, analysis & improvement - General
8.2 Monitoring & measuring
8.3 Control of nonconforming product
8.4 Analysis of Data
8.5 Improvement
Rows (months; each X marks a clause audited that month, column positions not preserved):
January X X X X
February X X X X
March X X X X
April X X X X
May X X X X
June X X X
Audit Schedule Sample #2
Area JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC
Sales Team 2
Engineering Team 3
Purchasing Team 1
Production Team 4
Servicing Team 5
Shipping Team 1
Material Control Team 2
Quality Team 3
Human Resources Team 4
Tracking Mechanism
Audit # | Audit Date | Responsible Manager | Response Due | Follow-up Date | Date Closed
2009-01 | Jan. 5, 2009 | J. Heely | Feb. 12, 2009 | April 1, 2009 | April 7, 2009
2009-02 | Feb. 17, 2009 | M. Ropsen | April 6, 2009 | May 1, 2009 | May 5, 2009
2009-03 | Mar. 11, 2009 | P. Carrol | May 1, 2009 | July 1, 2009 |
2009-04 | April 20, 2009 | J. Hassing | June 6, 2009 | |
Auditor Qualifications
Common sense
Understand ISO 9001
Understand your organization’s quality management system
Understand auditing tools and techniques
Possess communication skills
Auditor Characteristics/ Aptitudes/ Attributes
The auditor must be able to work alone and in teams
The auditor must gather information, often from people who are nervous
The auditor will sometimes work in areas where they have little or no technical knowledge
The auditor will have to manage time well
Auditors should be:
Curious – inquisitive – observant
Independent – trained – good listeners
Unbiased – impartial – objective
Perceptive – focused – analytical
Thick skinned – non threatening – personable
Honest – professional – highest integrity
Auditors should not be:
Argumentative
Rash (jumping to conclusions)
Opinionated
Rigid
Poor communicator
Lazy
Roles and Responsibilities
Audit Administrator:
Coordinate/participate in internal audits
Maintain audit schedule and track results
Report findings to management review
Auditor:
Be independent of the process(es) to be audited
Prepare for assigned audits
Perform objective internal audits in accordance with training and procedures
Complete all required reports
Lead Auditor:
The lead auditor is ultimately responsible for all phases of the audit
Assist in selection of auditors
Prepare audit plan
Submit the audit report / share with auditee
Audit Team:
The audit team may include experts, trainees, observers, etc. who are acceptable to the lead auditor
Others that may be included in an audit:
Observer
Learner
Witness: Verifies audit activities
Expert: Specialized background
Guide: Escorts auditors, does not answer for auditee
Auditor Techniques and Skills
People skills:
Interviewing & listening
Politeness – please and thank you
Maintain eye contact at auditee eye level
Leadership skills:
You are a guest in their area
Manage interruptions
Special skills:
Talk to correct people
Be objective
An Overview of ISO 9001
ISO 9001 is written from the perspective of the customer
Conformance to customer requirements and continual improvement are methods to ensure customer satisfaction
What is a Quality Management System
Triangle of Commitment
MANAGEMENT REVIEWS
Evaluate performance in relation to purpose (Quality Policy)
INTERNAL AUDITS
Monitor processes for compliance with requirements
CORRECTIVE & PREVENTIVE ACTIONS
Prevent problems or fix problems if prevention didn’t work
Section 2: ISO Standard Requirements
Classification of Elements
Primary Elements
Have clear, auditable requirements that must be met
Typically addressed by a level 2 document (but not always)
Reference Elements
Reinforce requirements that are more clearly and exactly specified in another Primary element
Typically addressed only in the quality manual
When addressed in a level 2 document, usually in the level 2 for the Primary element they reinforce
Only one Reference Element adds a requirement, 4.2.1, “documented statements”
To facilitate understanding and application of the ISO-9001:2008 standard, elements are classified into two general types:
Reference (elements 4.1, 4.2.1, 5.1, 5.2, 5.4.2, 5.5.1, 5.5.3, 6.1, 8.1)
Primary (elements 4.2.2, 4.2.3, 4.2.4, 5.3, 5.4.1, 5.5.2, 5.6, 6.2, 6.3, 6.4, 7 (all), 8.2, 8.3, 8.4, 8.5)
4.2.2 Quality Manual (Primary Element)
A Quality Manual shall be established and maintained that includes the following:
a) The scope of the QMS including details of and justification for any exclusions
b) Documented procedures or reference to them
c) A description of the sequence and interaction of the processes included in the QMS
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
4.2.3 Control of Documents (Primary Element)
A documented procedure (#1) shall be established:
a) To approve documents for adequacy prior to use
b) To review, update as necessary and re-approve documents
c) Identify the current revision status of documents
d) Documents remain legible, readily identifiable and retrievable
e) Relevant versions of documents are available at points of use
f) Documents of external origin are identified and distribution is controlled
g) To prevent the unintended use of obsolete documents and identified if they are retained for any purpose
Procedure Required
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
4.2.4 Control of Records (Primary Element)
A documented procedure (#2) shall be established for identification, storage, retrieval, protection, retention and disposition of records
Procedure Required
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
5.3 Quality Policy (Primary Element)
Appropriate to the purpose of the organization
Commitment to meeting requirements and to continual improvement
Provides a framework for establishing and reviewing quality objectives (i.e., the policy must be measurable)
Communicated and understood at appropriate levels in the organization
Is reviewed for continuing suitability
Documented statements of quality policy and quality objectives (ref. 4.2.1)
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
5.4.1 Quality Objectives (Primary Element)
Establish quality objectives at relevant functions and levels within the organization
Objectives must be measurable & consistent with quality policy & commitment to continual improvement
Documented statements of quality policy and quality objectives (ref. 4.2.1)
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
5.5.2 Management Representative (Primary Element)
Member of the management who has responsibility for:
a) Ensuring that processes of the QMS are established and maintained
b) Reporting on performance of QMS including needs for improvement
c) Promoting awareness of customer requirements throughout the organization
The Management Representative must be a member of the organization
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
5.6.1 Management Review (Primary Element)
Records Required
Review of the QMS by top management at planned intervals to:
a) Ensure QMS suitability, adequacy & effectiveness
b) Evaluate the need for changes to the QMS including policy & objectives
c) Assess opportunities for improvement
d) Retain records
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
5.6.2 Review Input (Primary Element)
Input to management review shall include:
a) Results of audits
b) Customer feedback
c) Process performance and product/service conformance
d) Status of preventive & corrective action
e) Follow up actions from earlier reviews
f) Changes affecting the QMS
g) Recommendations for improvement
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
5.6.3 Review Output (Primary Element)
Output from management review shall include actions related to:
a) Improvement of the effectiveness of the QMS and its processes
b) Improvement of products/services related to customer requirements
c) Resource needs
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
6.2.1 Human Resources (General)
6.2.2 Competence, Training & Awareness (Primary Elements)
Those who have responsibilities defined in the QMS shall be competent on the basis of appropriate education, training, skills and experience
Determine competency needs
Provide required training
Evaluate the effectiveness of the training provided
Ensure staff are aware of the relevance and importance of their activities and contribution to achieving objectives
Maintain appropriate records of education, training, qualifications and experience
Records Required
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
6.3 Infrastructure
6.4 Work Environment (Primary Elements)
The organization shall identify, provide and maintain the infrastructure it needs to achieve the conformity of product and/or service, for example:
a) Workspace & associated facilities
b) Equipment (hardware & software)
c) Supporting services (transport, communications, information systems)
The organization shall identify and manage the work environment needed to achieve conformity of product and/or service
Open Book Quiz - Sections 4, 5 & 6
Statement: Answer:
1. Top management must meet periodically to review the adequacy of the QMS. Records of these meetings shall be maintained.
2. Where personnel perform work that affects conformity to requirements the required competence of those personnel is determined.
3. Wherever the term “documented procedure” appears in the standard, this means a written procedure must be created and maintained.
4. Computers and information systems must be adequately maintained.
5. When processes are outsourced these processes are controlled by the organization and the method of control is defined.
6. When documents that are created outside the organization are used in a way that affects products, these documents need to be controlled.
7. The environment in which personnel perform their work shall be conducive to product conformity.
8. The quality policy and quality objectives must be written down someplace.
9. The management representative must be selected from the organization’s management staff.
10. Objective evidence that the quality system is implemented and effective is maintained such that it is easily identified and retrieved.
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
7.1 Planning of Product Realization (Primary Element)
Determine quality objectives & requirements
Determine the processes & documents, and provide resources needed
Determine required verification, validation, monitoring, measuring, inspection & test activities for the product
Determine records needed for evidence of meeting product requirements
Records Required
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
7.2.1 Determination of Product Requirements (Primary Element)
Organization shall determine customer requirements including:
a) Specified customer requirements for product and/or service including availability, delivery & support
b) Requirements not specified by the customer but necessary for intended or specified use
c) Regulatory and legal requirements
d) Any additional requirements considered necessary by the organization
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
7.2.2 Review of Requirements of Product (Primary Element)
Review identified requirements and ensure before commitment to supply product and/or service that:
a) Requirements are defined
b) Differences between tender & contract are resolved
c) Organization has ability to meet the requirements
Confirm verbal orders
Where the customer provides no documented requirements, requirements must be confirmed prior to acceptance of the order
Documentation to be amended in case of changes & personnel made aware
Records Required
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
7.2.3 Customer Communication (Primary Element)
Implement arrangements for communication with customers relating to:
a) Product and/or service information
b) Inquiry & order handling including amendments
c) Customer feedback including customer complaints
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
7.3 Design and Development (Primary Element)
7.3.1 Design & development planning
7.3.2 Design & development input
7.3.3 Design & development output
7.3.4 Design & development review
7.3.5 Design & development verification
7.3.6 Design & development validation
7.3.7 Control of changes
Records Required
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
7.4 Purchasing Information (Primary Element)
7.4.1 Purchasing Process
Ensure purchased product conforms
Supplier selection, evaluation & re-evaluation
7.4.2 Purchasing information
Describe the product purchased
Verify specified purchase requirements
7.4.3 Verification of purchased product
Receiving/inspection activities
Records Required
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
7.5 Production and Service Provision (Primary Element)
7.5.1 Production & service provision control
Work instructions, equipment, measurement, etc.
7.5.2 Validation of processes
“Special Processes”
7.5.3 Identification & traceability
Throughout product realization
Monitoring & measuring status
Records Required
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
7.5 Production and Service Provision (Primary Element)
7.5.4 Customer property
Identify, verify, protect and safeguard
7.5.5 Preservation of product
Identification, handling, packaging, storage & protection
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
7.6 Control of Monitoring & Measuring Equipment (MME) (Primary Element)
Determine measurements to be made & MME required
Use MME consistent with measurement requirements
Measuring and monitoring software must be validated
Calibrate and adjust MME at specified intervals or prior to use (traceability to international or national standards; where no such standard exists, record the basis)
Records Required
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
7.6 Control of Monitoring & Measuring Equipment (MME) (Primary Element)
Adjusted or readjusted as necessary
Identified
Safeguard from adjustments that would invalidate the measurement result
Safeguard from damage
Assess the validity of previous measuring results when equipment is found to be out of calibration
Open Book Quiz - Section 7
Statement: Answer:
1. Suppliers of materials and services affecting product conformity must be evaluated and re-evaluated adequately to ensure conformance with the requirements specified on the purchase order.
2. Where product conformance cannot be verified by inspection, the relevant processes must be validated.
3. If the customer doesn’t provide documented requirements the organization must confirm the requirements with the customer prior to accepting the order.
4. Design outputs must be verified against the design input and approved prior to release.
5. Materials are stored and preserved in a manner that prevents deterioration and assures conformity to requirements.
6. Where necessary, prior to accepting an order, the organization shall consider the documents, records, processes, etc. necessary to deliver the product to the customer.
7. Production personnel must have the information, work instructions, and process and product measuring equipment required to perform their jobs.
8. Customer property may include intellectual property such as proprietary designs.
9. Where test equipment incorporates computer software, this software is verified, as needed, prior to first use and re-verified as necessary.
10. The results of tests, such as product inspection, must be clearly identified throughout the organization.
11. Before quoting a job, the organization reviews all requirements and ensures it has the ability to deliver the product. Records of this review are maintained.
12. Where required to prevent mistakes, materials used to produce the product are clearly identified from the receiving dock to the shipping dock.
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
8.2.1 Customer Satisfaction (Primary Element)
Organization shall monitor information on customer satisfaction and/or dissatisfaction as one of the measurements of performance of the QMS
The methods for obtaining and utilizing such information shall be determined
These methods may be both proactive and reactive
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
8.2.2 Internal Audit (Primary Element)
Conduct periodic internal audits to determine if the QMS conforms to the requirements of the standard & is effectively implemented and maintained
Plan the audit program considering:
Status & importance of the activity & results of previous audits
Independence of the personnel performing the audit
Impartiality and objectivity of the auditors
The documented procedure (#3) must cover:
Responsibilities & requirements for planning & conducting audits
Recording results
Reporting to management
Procedure Required
Records Required
Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?
8.2.2 Internal Audit (Primary Element)
Define audit scope, frequency & methodologies
Timely corrections and/or corrective actions by management
Follow up to verify & report implementation of corrective actions
8.2.3 Monitoring and Measurement of Processes (Primary Element)
Apply suitable methods for measurement & monitoring of processes necessary to meet customer requirements
These shall confirm the continuing ability of each process to satisfy its intended purpose
When planned results are not achieved, take appropriate correction and/or corrective action without undue delay
8.2.4 Monitoring & Measurement of Product and/or Service (Primary Element)
Measure & monitor product/service characteristics to verify that the requirements of product are met; this shall be carried out at appropriate stages of the product/service realization
Evidence of conformance with the acceptance criteria to be documented. Records shall indicate the person(s) authorizing release of the product/service
Product/service release shall not occur until all specified activities have been satisfactorily completed
Records Required
8.3 Control of Nonconforming Product (Primary Element)
Documented procedure (#4) for control of nonconforming product and/or service to prevent unintended use
Nonconforming product and/or service to be dispositioned
Re-verify after correction
If nonconformance detected after delivery take appropriate action
Where required by customer or regulatory body, concession for use must be obtained
Procedure Required
Records Required
8.4 Analysis of Data (Primary Element)
Collect & analyze data to determine suitability and effectiveness of the QMS and to identify where improvements can be made
Include data from measurement & monitoring & other relevant sources
Analyze data to provide information on:
a) Customer satisfaction and/or dissatisfaction
b) Conformance to customer requirements
c) Characteristics of processes, products and/or services and their trends
d) Supplier performance
8.5.1 Continual Improvement (Primary Element)
The organization must plan and manage processes necessary for continual improvement of the QMS
Facilitate continual improvement using:
a) Quality policy
b) Objectives
c) Audit results
d) Analysis of data
e) Corrective actions
f) Preventive actions
g) Management review
8.5.2 Corrective Action (Primary Element)
Documented procedure (#5) for corrective action to eliminate the causes of nonconformance and prevent recurrence
Actions appropriate to the impact of the problems encountered
a) Identification of nonconformances including customer complaints
b) Determine the cause of the nonconformity
c) Evaluate the need for actions to ensure nonconformities do not recur
d) Determining & implementing the corrective action needed
e) Recording the results of actions taken
f) Reviewing the effectiveness of corrective action taken
Procedure Required
Records Required
8.5.3 Preventive Action (Primary Element)
Documented procedure (#6) for preventive action to eliminate the causes of potential nonconformances to prevent occurrence
Preventive action taken shall be appropriate to the impact of the potential problems
a) Identification of potential nonconformances and their causes
b) Determining and ensuring the implementation of preventive action needed
c) Recording results of action taken
d) Review the effectiveness of preventive action taken
Procedure Required
Records Required
Open Book Quiz – Section 8
Statement: Answer:
1. Records of the product inspection process include the identity of the person or persons responsible for releasing the product for shipment to the customer.
2. Internal auditors are impartial and objective and do not audit their own areas of responsibility.
3. Where risks are identified that may cause the failure of a product or process, appropriate action is taken to eliminate or minimize the risk.
4. When processes are not achieving the intended objectives suitable corrections or corrective actions are implemented to remedy the issue.
5. Product that does not conform to customer requirements, and is reworked, must be reinspected to verify that customer requirements are met. Records of this reinspection must be maintained.
6. Nonconforming products and processes are utilized as sources for corrective actions.
7. No product is shipped to the customer until all planned inspections and tests are completed unless approved by appropriate management, and the customer where warranted.
8. Nonconforming material and product must be clearly identified as nonconforming to ensure it is not used by accident.
9. All deficiencies, identified by internal audit, are corrected either through the corrective action process or some other documented form of correction.
10. Supplier performance data is determined, collected and analyzed to evaluate qualification.
11. Methods such as customer surveys and warranty information are used to determine how the customer feels about the overall quality of the organization.
12. All appropriate resources are utilized to identify opportunities for continually improving both products and processes.
13. Records must be maintained that demonstrate that the product shipped to the customer meets all acceptance criteria.
4.1 General Requirements (Reference Element)
Determine processes necessary for QMS (ref. 4.2.2)
Determine the sequences and interaction of processes (ref. 4.2.2)
Determine criteria & methods to ensure effective operation & control of these processes (ref. 8.2.3, 8.4)
Ensure availability of resources & information needed to effectively operate & monitor processes (ref. 6)
Measure, monitor, analyze processes (ref. 8.2.3, 8.4)
Act as necessary to achieve planned results and continual improvement (ref. 7.1, 8.5.1)
Control outsourced processes (ref. 7.4)
4.2.1 Documentation Requirements (General) (Reference Element)
Documented statements of quality policy and quality objectives (ref. 5.3, 5.4.1)
A quality manual (ref. 4.2.2)
Documented procedures and records required by the International Standard (ref. 4.2.2, “documented procedure”, “see 4.2.4”)
Documents and records needed to ensure effective planning, operation and control of processes (ref. 7.1, 7.5.1)
5.1 Management Commitment
5.2 Customer Focus
(Reference Elements)
Shall provide evidence of commitment to the development and improvement of the QMS by:
a) Communicating the importance of meeting customer and legal/regulatory requirements (ref. 7.2.1)
b) Establishing quality policy (ref. 5.3)
c) Ensuring that quality objectives are established (ref. 5.4.1)
d) Conducting management reviews (ref. 5.6)
e) Ensuring availability of resources (ref. 6)
Customer requirements are determined and met to the satisfaction of the customer (ref. 7.2, 8.2.1, 8.2.4)
5.4.2 Quality Management System Planning (Reference Element)
Top management shall ensure that the QMS is carried out in order to meet requirements as well as quality objectives (ref. 5.6.1)
Top management shall ensure that the integrity of the QMS is maintained when changes to the QMS are planned and implemented (ref. 5.6.2)
5.5.1 Responsibility and Authority
5.5.3 Internal Communication
(Reference Elements)
Top management shall ensure that the responsibilities, authorities and their interrelation are defined and communicated throughout (ref. 4.2.2, 6.2.1)
The organization shall ensure communication between various levels and functions regarding the processes of the QMS and their effectiveness (ref. 4.2.2, 5.4.1)
6.1 Provision of Resources (Reference Element)
Determine & provide resources needed to:
a) Implement and improve the processes of the quality management system
b) Address customer satisfaction
(ref. 6.2, 6.3, 6.4)
8.1 Measurement, Analysis & Improvement (General) (Reference Element)
The organization shall plan and implement monitoring, measurement & analysis activities to assure conformance and achieve improvement (ref. 8.2.3, 8.4)
This includes determination of the need and use of applicable methodologies and statistical techniques (ref. 8.4)
Procedures and Records Exercise
Quality System Element “documented procedure” “see 4.2.4”
4.1 QMS General requirements --- ---
4.2 QMS Document requirements 4.2.1, 4.2.2, 4.2.3, 4.2.4 4.2.1
5.1 Management commitment
5.2 Customer focus
5.3 Quality policy
5.4 Planning
5.5 Responsibility, authority & communication
5.6 Management review
6.1 Provision of resources
6.2 Human resources
6.3 Infrastructure
6.4 Work environment
7.1 Planning of product realization
7.2 Customer-related processes
7.3 Design and development
7.4 Purchasing
7.5 Production and service provision
7.6 Control of monitoring & measuring devices
8.1 Measurement, analysis & improvement - General
8.2 Monitoring & measuring
8.3 Control of nonconforming product
8.4 Analysis of data
8.5 Improvement
Clause Identification Exercise
Statement: Answer:
1. Product released for use prior to completion of all required inspections will be approved by a relevant authority, including the customer where needed.
2. The quality system and its documentation structure are defined in a quality manual that covers the requirements of the appropriate American National Standard.
3. The inspection process includes evidence that the inspections are taking place. These records identify the authority of the employee releasing the product.
4. During the design of a new product, responsible personnel carry out documented meetings, at appropriate intervals, to review progress and compliance with the design plan.
5. Appropriate methods are utilized to monitor and control system processes to ensure they are capable of meeting requirements.
6. Documents that have been superseded by a later revision are either promptly removed from use or clearly identified as obsolete.
7. Management reviews relevant information to confirm that the preventive action process is implemented and effective.
8. Before quoting a job or accepting an order, the organization ensures the customer’s requirements are known and that they can be achieved. Records of this process are maintained.
9. Objective evidence that the quality system is implemented and effective is maintained such that it is protected from damage and retrievable within a reasonable period of time.
10. Where the work performed affects quality, the organization ensures that the authority and responsibility of the personnel, who manage, perform and verify that work is defined and understood.
11. Deficiencies, identified by internal audit, are brought to the attention of appropriate management, which initiates timely action to correct the deficiencies.
12. Purchase orders for products that affect the quality of the product are reviewed for adequacy by appropriate personnel prior to release to the supplier.
13. At a frequency based on importance, the organization verifies that quality system activities, and the results achieved, comply with the objectives of the quality system plan.
14. A reasonably senior representative of management is appointed who has the responsibility and authority to ensure the quality system is defined, implemented and achieves objectives.
15. Material or product found to be nonconforming to specifications is clearly identified and controlled to prevent any accidental or unintended use.
16. The correct issue of documents, necessary for producing a quality product, is available to the employees performing the work.
17. Computer software and comparative references used as inspection devices are verified for suitability prior to first use and rechecked at appropriate intervals to ensure continued accuracy.
18. Materials and services affecting the quality of the product are obtained only from suppliers that can meet the requirements specified on the purchase order.
19. Personnel performing quality related tasks are qualified based on training, education or experience. Records of this qualification are maintained.
20. Top management defines its policy, objectives and commitment to quality and ensures these are understood and implemented throughout the organization.
21. Materials and products throughout the organization’s operation are suitably identified concerning the performance of required inspections and the results of those inspections.
22. Customer complaints are reviewed to determine whether or not corrective actions are required or justified.
23. Materials and products included in the scope of the quality system are clearly identified throughout the organization’s operation from the receiving dock to the shipping dock.
24. Materials or products having shelf life or environmental considerations, such as temperature or humidity, are stored and preserved in a manner that prevents deterioration.
25. Written work instructions are maintained and available in production where the instructions are necessary to ensure the quality of the product.
Section 3: Phases of Internal Auditing
Four Phases of an Audit
1. Planning & Preparation
2. Conducting
3. Closing & Reporting
4. Follow-up
Audit Planning & Preparation
Determine: Auditing by area, function, element or process
Define scope of audit
Determine supporting documents needed
If working in a team, determine individual responsibilities
Determine agenda, time, and locations
Assemble other paperwork
Audit Planning & Preparation
Notify area of audit:
Send notice to area, functional manager
Give adequate lead time
Schedule Opening Meeting
Tour of the facility or area as necessary
Closing meeting
Audit Scope
Benefits of a well defined scope:
An efficient audit
Reduced time for all
Better coverage of the area to be audited
Determine and examine the supporting elements for the audit
Stay within the defined scope unless a lead is discovered
Then follow the lead outside of the scope to determine the effect on the system
Entire Quality Management System:
Manual
Procedures
Instructions
Forms
ISO Elements (5.3, 6.2, 7.1, etc.)
Organization Areas (Sales, Purchasing, etc.)
Preparation Hints
Review all documents:
The standard
Your organization’s documents
Review previous audits:
Results
People interviewed
Review corrective actions:
Closed
Open
How to Use a Checklist
The audit checklist is one of the most helpful tools and is used to:
Prepare for the audit
Ensure audit coverage
Record notes, evidence, findings, and observations
Manage time
Report the audit
Use to prepare a guidelist
Develop an Audit Matrix Exercise
Matrix columns (rows are departments):
Department
4.1 QMS General requirements
4.2 QMS Document requirements
5.1 Management commitment
5.2 Customer focus
5.3 Quality policy
5.4 Planning
5.5 Responsibility, authority & communication
5.6 Management review
6.1 Provision of resources
6.2 Human resources
6.3 Infrastructure
6.4 Work environment
7.1 Planning of product realization
7.2 Customer-related processes
7.3 Design and development
7.4 Purchasing
7.5 Production and service provision
7.6 Control of monitoring & measuring equipment
8.1 Measurement, analysis & improvement - General
8.2 Monitoring & measuring
8.3 Control of nonconforming product
8.4 Analysis of data
8.5 Improvement
Developing a Guidelist
Begin with an audit checklist
a) A generic one of your organization
Advantages:
a) Keeps objectives clear
b) Standardizes audits
c) Simplifies the audit process
Disadvantages:
a) Time consuming preparation
b) Discourages initiative
Define three things:
a) Who do I “talk to?”
b) What do I “look at?”
c) What do I “look for?”
Stages of Conducting the Audit
Stage 1 (Management)
Hold an opening meeting:
Introduce audit team
Review audit objectives and scope
Review audit schedule
Confirm time and location of closing meeting
Tour if necessary
Stages of Conducting the Audit
Stage 2 (Workforce)
Introduce yourself
Explain purpose of the audit
Explain that an internal quality audit is an audit of:
Systems
Processes
Methods
Not people
Gather information:
Read
Listen
Observe
How to Conduct Yourself
Be punctual
Be polite – please and thank you, ask permission
Be professional, yet friendly
Maintain eye contact at auditee eye level
Keep an open mind
Be flexible
Be persistent, yet pleasant
Put people at ease
Avoid arguments – move on to the next person
Establish non-threatening environment
8 Step Interviewing Method
1. Make the auditee comfortable
2. Explain the purpose of your visit
3. Ask auditee to summarize his/her responsibilities and typical activities
4. Record major steps and analyze what was said and/or not said
5. Review procedures and samples
6. Record observations, examples, samples, nonconformities (don’t make a lot of copies)
7. Review your findings
8. Explain the next step(s)
Types of Questions
Opinion – “How would you go about…?”
Investigative – “Are there any more…?”
Repetitive – “Tell me again…”
Hypothetical – “What if…?”
Leading – “You know how…?”
Informative – “And then what…?”
Imperative – “Please show me…?”
Don’t lose sight of the power of a DIRECT question.
Types of Questions
All questions can be phrased in a way that makes them “OPEN ENDED” or “CLOSED ENDED” questions
Open ended questions begin a conversation
Closed ended questions can be answered with a simple yes or no
Both open and closed ended questions have their uses
Who, what, when, where, how, why & show me
Information Gathering Techniques
“Please explain what you are doing”
“What procedures and/or work instructions do you have for this?”
“Please show me the procedures or work instructions for what you are doing?”
“How do you know this is the current procedure?”
“What happens when this procedure changes?”
“What training have you had?”
Information Gathering Techniques
“What happens when you are not here?”
“How do you know if the measuring device you’re using is calibrated?”
“Please show me the records you keep for this operation?”
“Please show me your job description?”
“What, in your own words, is the company quality policy?”
“How do you initiate corrective action?”
“Do you train others? Do you keep records of this training?”
Sampling
Sample – definition: “A part of a population studied to gain information about the whole”
Auditors sample:
Procedures
People
Departments
Records
An audit sample needs to be representative
The audit sample is chosen by the auditor
Closing and Reporting - Work Papers
Auditors are required to retain records
Records can take the form of work papers
Work papers may include:
Notes: used for interviews, visual confirmation and record of items reviewed
Guidelist: used for recording specifics such as people talked to and items reviewed
Checklist: used for recording actual questions asked during the audit
Previous audit reports: used in follow-up activities
Objective evidence: recorded during the audit
Objective Evidence
Information which can be proved true, based on facts obtained through observation, measurement, test, or other means
Qualitative or quantitative information, records, or statements of fact, which is based on observation, measurement, or test and which can be verified
JUST THE FACTS!
Evaluation Process
1) EXISTENCE: Does a documented quality management system exist?
• Quality Manual
• Procedures
• Work Instructions
• Specifications
2) ADEQUACY: Does the documented QMS meet the requirements of ISO 9001?
• ISO 9001
• Other Requirements
3) COMPLIANCE: Are we doing what we say? Does practice match the documentation?
• Requirements implemented
• Authority defined
• Documents followed
• Records acceptable
4) EFFECTIVENESS: Are the practices achieving their goals?
• Achieving goals
• Satisfying customers
Perception of Facts
Perceptions of the same facts may differ
Highlights the critical need to discuss audit findings with:
Other auditors
Auditees
Audit management
Area management
Avoid:
Misunderstanding of facts
Misinterpretation of facts
Nonconformity Rules
What is a nonconformity?
The non-fulfillment of specified requirements
Start with the requirement:
Management System Procedure, Program, Protocol, Schedule
Management System Work Instruction
Standard (ISO 9001, ISO 14001, AS9100, etc.)
Customer contract, or purchase order, bill of material, etc.
Nonconformity Rules
Just the facts, objective evidence, not opinion
Each nonconformity should be written independently
Each nonconformity forms a problem statement for corrective action
Use good, clear and concise English
Review with management of the area audited
Nonconformity Levels
Consider the seriousness when writing a nonconformity:
What is the impact on the management system?
What is the impact on product, service, or customer?
“Major” indicates a critical deficiency
“Minor” indicates an isolated weakness
“Observation” or “Opportunity” is not a nonconformity but is an issue the auditor wants to point out to management
Nonconformity Report
ISO 9001 requires that audit results be recorded and retained
Each nonconformity must be documented
The documentation must include the following information:
Requirement (controlling ISO element, organization procedure, customer requirement, etc.)
Nonconformity (deficiency)
Evidence (proof)
Auditor(s), area audited, auditee(s), date, etc.
Ensure connectivity to work papers
Writing Nonconformities
Written nonconformities should:
State the requirement
State the deviation or gap
Include evidence (proof)
Stand alone as a problem statement
Written nonconformities should not:
Name names
Make unverifiable observations / opinions
Identification of Nonconformities Exercise
1. During an audit of the Sales Department the auditor asks if employees are aware of the quality policy. The Sales Manager says that all Sales employees are trained in the policy and can explain it in their own words. The auditor decides to test this by talking to a couple of Sales people. The people he interviews don’t appear to know anything about the policy. The Sales Manager says that’s not a problem because they are field Sales people who are contractor employees and not regular employees.
2. During the audit of Engineering the auditor notices that there are numerous revisions of the same drawings in the drawing file. The Engineering Manager says that they sometimes need the obsolete drawings to respond to customer inquiries. The auditor asks how they avoid getting confused. He is told they put a little “x” on the lower right hand corner of the obsolete drawings. If the drawing has an “x”, it’s not the most current. If there’s no “x”, that’s the current drawing.
3. The Engineering Department controls the design process. They are responsible for making certain that the design input is clear and understood and that the design output complies with the input. The auditor asks them to describe this process for verifying the design. They tell him that the way they do this is by having a senior engineer review the design data and, based on his experience, giving the OK to send the design to the customer for validation. There is no formal sign-off or record of this process.
4. Finished goods are packaged, labeled and stored in the company finished goods warehouse. Each of the labels bears the warning that storage conditions should not exceed a temperature of 80 F and humidity of 70%. When the auditor asks about the temperature and humidity of the finished goods warehouse he is told they are unknown. The Warehouse Supervisor says the restrictions apply only after the product is shipped.
5. Internal audits are performed on a regular basis and the deficiencies are brought to the attention of the appropriate management personnel. The auditor selects an audit file and asks to see the corrective actions for the deficiencies. For several deficiencies there are no corrective actions. He is told that they don’t initiate corrective action on all deficiencies. The management of the responsible area evaluates the deficiencies and, based on whether or not they agree with the internal auditor, they initiate corrective action to address the deficiency.
Nonconformity Statement
Department Audited:
Audit Date:
Auditor:
Auditee(s):
Requirement (indicate standard or document reference):
Nonconformity:
Evidence (Proof):
Major Minor Opportunity for Improvement
Date Corrective Action Response Required:
Auditor Signature:
Report Date:
Closing Site Activities
Review worksheets, notes etc. for completeness
Hold an audit team meeting
Follow-up on all outstanding issues
Review nonconformities discovered with auditees
Conduct a closing meeting:
Facts only, be objective
Be brief and organized
Provide overall impression
Provide time for questions
Explain next steps
Section 4: Appendices
Ten Commandments of Internal Auditing
1. Thou shalt prepare an audit matrix, cross-referencing functional areas (departments) with the elements of the standard.
This matrix is used to ensure that you cover all required elements of the standard and all areas of the company. When the registrar’s auditor asks “How do you know you’ve covered the entire standard and the whole company?” show him the matrix. The matrix enables you to audit either by element or department (or both). This is a controlled document; make sure you keep it current and include a revision date.
2. Thou shalt prepare an audit schedule that describes the dates for all the audits in your complete cycle.
This schedule is a great tool for administering the audit process. It should include both the date scheduled and the date performed. It’s a good practice to be able to show the registrar’s auditor both the old schedule (for the last completed cycle) and the new schedule (for the next proposed cycle). Schedules can always be revised so don’t be afraid if the new schedule is a little loose. This is a controlled document; make sure you keep it current and include a revision date.
3. Thou shalt prepare a checklist for the audit.
The checklist is a very useful tool. Use it to make sure that you don’t forget to ask a question. Use it to record your notes, findings, observations, etc.
4. Thou shalt include the requirement, nonconforming condition and evidence for each finding written during an audit.
The requirement should be stated in terms of the element of the standard or company document; be as specific as possible and don’t forget to include revision level where applicable. The nonconforming condition should state, very simply, what is being done that does not comply with the requirement. The evidence is the proof, such as purchase order number, lot number, document number, subcontractor, etc.
5. Thou shalt review the results of your audit with the auditee prior to issuing an audit report.
There is no reason for not reviewing the results of the audit with the auditee prior to issuing a report. If the auditee is busy or not available, come back later. Ensure that the auditee understands, and hopefully agrees with the findings. There should be nothing in an audit report that the auditee does not already know.
6. Thou shalt issue the audit report within two weeks of the audit.
The longer you take to prepare the audit report the more time it will take and the less accurate it will be. Experienced auditors write the audit report immediately after the audit. Also, if you promptly issue the audit report your auditees will be more likely to promptly respond to your corrective action due dates.
7. Thou shalt issue unique numbers for the audit, audit findings and corrective actions.
There must be a very clear link between audits, findings and corrective actions. A common way to accomplish this is to number the audits with a department, year and audit sequence number. For example: MFG001, where MFG is Manufacturing, 00 is the year 2000, and 1 is the first audit. The finding number is often the audit number with a sequence number added. For example: MFG001-1, for the first finding in audit MFG001, MFG001-2, for the second, etc.
The audit finding number should be referenced on the corrective action for that finding.
8. Thou shalt require a corrective action for every finding discovered during the internal audit process.
This does not mean that you need to have a separate corrective action for each and every finding. One corrective action may address several findings, and that’s OK. However, every finding must be clearly tied to a corrective action (see Commandment #7 above).
9. Thou shalt give the auditee a due date for each corrective action and take documented action when an auditee is past due for a required corrective action response.
The due date is the date that the auditee is required to respond with their root cause analysis, corrective action and the implementation schedule for that corrective action. The corrective action need not be implemented by the due date. If an auditee fails to respond by the due date, make sure you take action, and document that action. If your records indicate that auditees routinely miss due dates, and you cannot prove that action has been taken, this can be a finding.
10. Thou shalt retain all evidence of the internal audit process in a readily accessible and well-defined audit file.
When it comes to internal audit files, it pays to be a packrat; but please be an organized packrat. Retain the annotated checklist (the checklist used by you during the audit marked up with all your notes), audit report, finding statement and any other documentation of the audit in the audit file. It also pays to standardize the contents of the audit files to the extent practical.
Sample Audit Checklist
The following Internal Audit Checklist may be retrieved in electronic form via Prism’s website at www.prismesolutions.com. The checklist is free for your internal use and you are welcome to modify it to suit your exact needs.
Organization:
Auditor:
Date:
M = Major Nonconformity
N = Minor Nonconformity
O = Observation
C = Comment
M N O C
4 QUALITY MANAGEMENT SYSTEM
4.1 General requirements
There is a quality management system established, documented, implemented and maintained. (4.1)
Processes affecting the QMS:
- Are identified
- Have sequence and interaction determined
- Are measured to ensure effectiveness
- Are monitored, measured, analyzed
- Continually improved
(4.1)
4.2 Documentation requirements
The documented QMS includes:
- Quality policy and quality objectives
- A quality manual
- Required documented procedures
- Required quality records
(4.2.1)
The quality manual includes:
- QMS scope
- Documented procedures or reference to documented procedures
- Process interaction definition
(4.2.2)
Quality document control is defined in a documented procedure and adequately addresses:
- Revision control
- Availability
- External documents
- Obsolete documents
(4.2.3)
Quality record control is defined in a documented procedure and adequately addresses:
- Identification
- Maintenance
- Retrievability
- Disposal
(4.2.4)
Auditor’s question(s):
5 MANAGEMENT RESPONSIBILITY
5.1 Management commitment
Top management commitment is evident and communicated through the:
- Quality policy and quality objectives
- Management reviews
- Availability of resources
(5.1)
5.2 Customer focus
Customer requirements are determined and fulfilled with the aim of enhancing customer satisfaction. (5.2)
5.3 Quality policy
There is an appropriate quality policy in place that:
- Includes a commitment to comply with requirements and continually improve
- Is communicated and understood
- Is reviewed for continuing suitability
(5.3)
5.4 Planning
Appropriate quality objectives are established that are measurable and consistent with the quality policy. (5.4.1)
There is a QMS planning process consistent with the needs of this standard that includes integration of changes to the quality management system. (5.4.2)
5.5 Responsibility, authority and communication
Responsibilities, authorities, and their interrelation are defined and communicated throughout the organization. (5.5.1)
There is a management representative who has the authority and responsibility to:
- Ensure processes are established and implemented
- Report to top management on QMS performance and need for improvement
- Ensure promotion of awareness of customer requirements.
(5.5.2)
Appropriate communication processes are established regarding QMS effectiveness. (5.5.3)
5.6 Management review
There is a periodic top management review of quality system suitability, adequacy and effectiveness supported by appropriate records. (5.6.1)
Management review input includes:
- Audit results
- Customer feedback
- Process performance and product conformity
- Corrective and preventive actions
- Follow-up of previous management review meetings
- Planned changes affecting the QMS
- Recommendations for improvement
(5.6.2)
Management review output includes:
- Improvement of QMS effectiveness and its processes
- Improvement of product related to customer requirements
- Resource needs
(5.6.3)
Auditor’s question(s):
6 RESOURCE MANAGEMENT
6.1 Provision of resources
Adequate resources are provided to implement and maintain the QMS, continually improve its effectiveness and enhance customer satisfaction. (6.1)
6.2 Human resources
Personnel performing work affecting quality are qualified on the basis of education, training, skills and experience supported by appropriate records. (6.2.1)
For work affecting quality the organization has:
- Determined necessary competence
- Provided training
- Evaluated training effectiveness
- Ensured QMS awareness
(6.2.2)
6.3 Infrastructure
Infrastructure is adequate to conform to product requirements. Infrastructure includes:
- Buildings, workspace, utilities
- Equipment, hardware, software
- Transport, communication
(6.3)
6.4 Work environment
The work environment is consistent with the needs to achieve conformity to product requirements. (6.4)
Auditor’s question(s):
7 PRODUCT REALIZATION
7.1 Planning of product realization
Product realization planning is performed, as appropriate, to determine:
- Quality objectives and product requirements
- Product specific processes, documents and resources
- Product specific verification, validation, monitoring, inspection and test activities
- Appropriate records needed to provide evidence.
(7.1)
7.2 Customer-related processes
The organization has determined:
- Customer specified requirements
- Requirements necessary for specified use or known and intended use
- Statutory and regulatory requirements
(7.2.1)
Contract review activities adequately ensure:
- Product requirements are defined
- Discrepancies resolved
- Capability to meet requirements
This is performed prior to organization commitment. (7.2.2)
There are provisions to document and deploy contract changes throughout the organization. (7.2.2)
Records of contract review and the action arising from these activities are maintained. (7.2.2)
There are effective processes for communication with the customer in relation to product information, queries, amendments, feedback and complaints. (7.2.3)
7.3 Design and development planning
There is a design and development plan, updated as appropriate, that includes:
- Design stages
- Design review, verification & validation
- Responsibilities & authorities
(7.3.1)
The interfaces between different groups involved in design and development are managed to ensure effective communication and clear assignment of responsibility. (7.3.1)
Design inputs are determined and include:
- Functional & performance requirements
- Statutory & regulatory requirements
- Information from previous similar designs (where applicable)
Records of design inputs are maintained. Inputs are reviewed for adequacy. (7.3.2)
Design outputs are in a form that enables verification and are approved prior to design release. (7.3.3)
Design reviews are conducted at appropriate stages to evaluate project status and identify problems. Records of the results of design reviews and necessary actions are maintained. (7.3.4)
Design reviews include participants from concerned. (7.3.4)
Design verification is performed to ensure output satisfies input requirements. Records of the results of design verification and necessary actions are maintained. (7.3.5)
Design validation is performed in accordance with planned arrangements. Records of the results of design validation and necessary actions are maintained. (7.3.6)
Design changes are reviewed, verified, validated (as appropriate), and approved before implementation. Records of design change results and actions are maintained. (7.3.7)
7.4 Purchasing
Suppliers are evaluated and selected based on their ability to meet product requirements. Acceptance criteria are established. Records of evaluation results and necessary actions are maintained. (7.4.1)
Purchasing information, as appropriate, describes requirements for:
- Approval of product, procedures, processes and equipment
- Qualification of personnel
- Quality management system
(7.4.2)
The organization ensures the adequacy of specified purchase requirements prior to communication to the supplier. (7.4.2)
Inspection and other activities are established and implemented to ensure purchased product meets specified requirements. (7.4.3)
Provisions for source inspection, by either the organization or the customer, are addressed. (7.4.3)
7.5 Production and service provision
Production and service are carried out under controlled conditions including, as applicable:
- Product characteristics
- Work instructions
- Suitable equipment
- Measuring devices
- Release and delivery activities
(7.5.1)
Special processes are validated to assure they achieve planned results. (7.5.2)
Validation of special processes includes, as applicable:
- Defined validation criteria
- Personnel and equipment
- Specific methods and procedures
- Record requirements
- Revalidation requirements
(7.5.2)
Product is identified, as appropriate, through all production processes. (7.5.3)
Inspection and/or test status is suitably identified through all production processes. (7.5.3)
Traceability, where required, is adequately provided and supported by records. (7.5.3)
Customer property provided for use or incorporation into the product is identified, verified, protected and safeguarded. (7.5.4)
Customer property that is lost, damaged or otherwise unsuitable for use is reported to the customer with records maintained. (7.5.4)
Product conformity is preserved through all production processes and delivery to the intended destination. (7.5.5)
7.6 Control of monitoring and measuring devices
Monitoring and measuring devices provided to determine conformity to product requirements are adequate. (7.6)
Monitoring and measuring devices required to determine conformity to product requirements are identified. (7.6)
Where necessary to ensure accuracy, measuring devices are:
- Calibrated at specified intervals
- Identified concerning calibration status
- Safeguarded from improper adjustment
- Protected from damage and deterioration
Records of the results of calibration are maintained. (7.6)
Where devices are found not conforming to requirements, the validity of previous measurements is assessed. Records of these assessments are maintained. (7.6)
The capability of computer software, when used in conjunction with measuring devices, is confirmed as necessary. (7.6)
Auditor’s question(s):
8 MEASUREMENT, ANALYSIS AND IMPROVEMENT
8.1 General
Appropriate methods have been determined to monitor, measure, analyze and improve processes to:
- Demonstrate conformity of product
- Ensure conformity of the QMS
- Continually improve QMS effectiveness
(8.1)
8.2 Monitoring and measurement
Information relating to customer perception of organization quality is gathered and analyzed. (8.2.1)
Internal audits are conducted at planned intervals to determine whether the QMS:
- Conforms to planned arrangements
- Is implemented and effective
(8.2.2)
Audits are planned based on status and importance of the activity as well as results of previous audits. (8.2.2)
Audit criteria, scope, frequency and methods are defined. (8.2.2)
Auditors are independent of the area being audited. Auditors do not audit their own work. (8.2.2)
Responsibilities and requirements for planning and conducting audits, reporting results and maintaining records are defined in a documented procedure. (8.2.2)
Action is taken without delay to address nonconformities. Follow-up activities verify actions taken and the reporting of results. (8.2.2)
Suitable methods are applied for monitoring and, where applicable, measuring QMS processes. These methods demonstrate the ability of processes to achieve planned results. (8.2.3)
Where processes do not achieve planned results, correction and corrective action, as appropriate, are taken. (8.2.3)
At appropriate stages, product characteristics are monitored and measured to verify product requirements are fulfilled. (8.2.4)
Records of conformity with acceptance criteria are maintained and indicate the person(s) authorizing release of the product. (8.2.4)
Product release and service delivery do not proceed until all planned arrangements have been completed unless approved by relevant authority. (8.2.4)
8.3 Control of nonconforming product
Nonconforming product is identified and controlled to prevent unintended use. This process, including responsibilities and authorities, is defined in a documented procedure. (8.3)
Nonconforming product is handled in one or more of the following ways:
- Action taken to eliminate the nonconformity
- Authorizing its use under concession by a relevant authority
- Action to preclude its original use
(8.3)
Records of nonconformities and any subsequent actions, including concession, are maintained. (8.3)
Nonconforming product that is corrected is re-verified to demonstrate conformity to requirements. (8.3)
When nonconforming product is detected after delivery or use, action appropriate to the effects, or potential effects, is taken. (8.3)
8.4 Analysis of data
Appropriate data is determined, collected and analyzed to:
- Demonstrate the suitability and effectiveness of the QMS
- Evaluate opportunities for continual improvement
(8.4)
Data analyzed includes:
- Customer satisfaction
- Product conformance
- Process and product characteristics and trends
- Suppliers
(8.4)
8.5 Improvement
The QMS is continually improved through the use of:
- Quality policy and objectives
- Audit results
- Analysis of data
- Corrective and preventive actions
- Management review
(8.5.1)
A corrective action process, defined by documented procedure, is in effect and includes:
- Product nonconformities
- Customer complaints
- Root cause analysis
- Determining and implementing action needed
- Verification of CA effectiveness
- Records of CA results
(8.5.2)
A preventive action process, defined by documented procedure, is in effect and includes:
- Determining potential nonconformities
- Evaluating need for action
- Determining and implementing action needed
- Verification of PA effectiveness
- Records of PA results
(8.5.3)
Auditor’s question(s):