7/29/2019 isointernalauditor-12772442373227-phpapp01
1/74
Issue 1, December 2008. QMS-030-01-EN-GX. 2008 BSI Management Systems (The British Standards Institution), raising standards worldwide.
ISO Internal Auditor: Compliance Management
Prepared & presented by Yamin K Hajeej
Table of Contents
1. Introduction to Auditing
2. The Process Approach and Process Auditing
3. Managing an Audit Program
4. Audit Activities
5. Auditor Competence and Responsibilities
6. Conclusion
Introduction to Auditing
Auditing
What is an audit?
"Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled" (ISO 19011:2002, clause 3.1)
Why audit?
Requirement of ISO 9001:2008
Monitor and measure the management system
Promote continuous improvement of the management system
Principles of Auditing (ISO 19011:2002 clause 4.0)
Principles relating to auditors:
Ethical conduct
Fair presentation
Due professional care
Principles relating to the audit:
Independence
Evidence-based approach
Note: the clause numbers shown on these slides refer to ISO 19011:2002.
Benefits of Auditing
Verifies conformity to requirements
Increases awareness and understanding
Provides top management with a measurement of the effectiveness of the management system
Reduces the risk of management system failure
Identifies improvement opportunities
Drives continuous improvement if performed regularly
Types of Audit
Registration / Certification
Product
Customer contract
Gap assessment / Pre-assessment
Surveillance
Combined audit / Joint audit
The Process Approach and Process Auditing
Process Approach
The process approach emphasizes the importance of:
Understanding and meeting requirements
Looking at processes in terms of added value
Obtaining results of process performance
Continual improvement of processes
PDCA (Plan-Do-Check-Act)
[Figure: the Plan-Do-Check-Act cycle drawn around "Your Process", labelled "Continual Improvement"]
The Plan-Do-Check-Act (PDCA) methodology applies to all processes:
Plan: objectives, activities, controls, documentation, resources
Do: deploy and conform with the plan
Check: measure and monitor for conformity and effectiveness
Act: analyze/review, decide/change, improve effectiveness
Management System Standards and the Process Approach
ISO 9001:2008:
Is based upon the PDCA cycle, which can be applied to processes
Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a QMS
ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits
Applying the Process Approach to Auditing
Auditors can apply the process approach to auditing by ensuring the auditee:
Can define the objectives, inputs, outputs, activities, and resources for its processes
Analyzes, monitors, measures, and improves its processes
Understands the sequence and interaction of its processes
Process Auditing Approaches
Individual process:
Input / Output / Value-added activity
Plan-Do-Check-Act
Resources
Relationship with other processes:
Flow / Sequence / Linkage / Combination
Interaction / Communication
Evidence
Customer and supplier contract(s)
Process Auditing Turtle Diagram
[Figure: turtle diagram with the Process (specific value-added activities) at the centre and six questions around it]
Inputs: from whom / where?
Outputs: to whom / where?
With what? Resources
With who? Personnel
How done? Methods / Documentation
What results? Performance indicators
Process Auditing Example (turtle diagram for a Contract Review process)
Process: Contract Review
Inputs: customer requirements; sales staff
Outputs: production/service; delivery
With what? Order processing system
With who? Customers; competent sales and processing staff
How done? IT system; processing system; terms and conditions; contract review procedure
What results? Order processing time; number of orders; value of orders; contract accuracy
Managing an Audit Program
Managing an Audit Program Process Flow (ISO 19011:2002 clause 5.1)
[Figure: audit program management shown as a PDCA flow]
Authorize (top management)
PLAN: Establish objectives, extent, roles, resources, procedures
DO: Implement by scheduling audits, evaluating auditors, selecting teams, directing activities, maintaining records
CHECK: Monitor & review; identify the need for corrective/preventive action (CA/PA); identify opportunities to improve
ACT: Improve
Supporting elements: auditor competence & evaluation; specific audit activities
Audit Activities
Typical Audit Activities (ISO 19011:2002 clause 6.1)
[Figure: the activities below shown mapped onto Plan, Do, Check, Act]
Initiating the audit
Conducting document review
Preparing for on-site activities
Conducting on-site activities
Preparing, approving and distributing the audit report
Completing the audit
Conducting audit follow-up
Audit Program
Top management should authorize responsibility for program management to:
Establish, implement, review, and improve the audit program
Identify the necessary resources and ensure they are provided
The organization should develop audit program processes
The program should be managed by a member of the organization
Keep appropriate audit records to monitor and review the audit program
Audit Program Responsibilities
Top management should authorize responsibility for program management
Those assigned responsibility should:
Establish, implement, review, and improve the audit program
Identify the necessary resources and ensure they are provided
Initiating the Audit (ISO 19011:2002 clause 6.2)
Initiating the audit includes:
Appointing the audit team leader
Defining audit objectives, scope and criteria
Determining the feasibility of the audit
Selecting the audit team
Establishing initial contact with the auditee
Defining Audit Objectives, Scope, Criteria (ISO 19011:2002 clause 6.2.2)
Audit objectives may include:
Determining the extent of conformity of the auditee's QMS with the audit criteria
Evaluating the capability of the QMS to ensure compliance with statutory, regulatory, and contractual requirements
Evaluating the effectiveness of the QMS in meeting its objectives
Identifying areas for improvement
Selecting the Audit Team (ISO 19011:2002 clause 6.2.4)
For team size and competence, consider:
Audit objectives, scope, criteria, and duration
Whether the audit is combined or joint
Competence of the team to meet the objectives
Statutory, regulatory, contractual and accreditation/certification requirements
Independence of the team
Auditor Competence and Responsibilities
Auditor Competence (ISO 19011:2002 clause 7.1)
Auditor competence is based on:
Personal attributes
Application of knowledge and skills
Competence is to be developed, maintained, and improved
Auditor Competence: Personal Attributes (ISO 19011:2002 clause 7.2)
Ethical
Open-minded
Diplomatic
Observant
Perceptive
Versatile
Tenacious
Decisive
Self-reliant
Auditor Competence: Generic Knowledge and Skills (ISO 19011:2002 clause 7.3.1)
Auditor skills and competence could include:
Audit principles, procedures, and techniques
Management system and reference documents
Organizational situations
Laws, regulations, and other requirements
Auditor Competence: Specific Knowledge and Skills (ISO 19011:2002 clause 7.3.3)
Specific knowledge and skills for quality auditors could include:
Quality methods and techniques
Quality terminology
Quality management tools and their application
Processes and products/services specific to the sector being audited
Auditor Responsibilities
Arrive on time
Maintain confidentiality
Be objective and ethical
Support the audit team and team leader
Plan and prepare work documents
Inform auditees of the audit process
Document and support all findings
Keep the auditee informed
Safeguard all documents
Prepare the audit report
Audit Activities (Continued)
Audit Planning
Determine the objective of the audit
Identify the specified requirements
Determine the audit duration and resources needed
Select the team
Contact the auditee and agree the date(s)
Draw up the audit plan
Brief the team
Prepare work documents
Conducting Document Review (ISO 19011:2002 clause 6.3)
A review of documentation:
Should be conducted prior to on-site audit activities unless deferring the review is not detrimental to the effectiveness of the audit
May include relevant QMS documents, records, and previous audit reports
May include a preliminary site visit
Prepare Work Documents
Prepare work documents to use as a reference and for recording audit proceedings
Include checklists, sampling plans and forms, the ISO 9001:2008 standard, etc.
Keep checklists flexible to allow changes resulting from information collected during the audit
Safeguard any confidential and proprietary information
Retain work documents and records
Checklist Preparation
One approach is to:
Identify the audit scope and the process(es) within scope
Identify applicable factors (inputs, outputs, measures, resources, etc.)
Use these points and other requirements (ISO 9001:2008, system documentation, etc.) to:
Plan what to look at
Plan what to look for (audit evidence)
Prepare the checklist
Checklist Structure
Audit checklist structure:
Process/Activity Audited: ____________

| Requirement | Source | Evidence | Notes |
|---|---|---|---|
| ISO 9001:2008 clause # or other requirement | What to look at | What to look for | Notes |
Conduct On-site Audit Activities (ISO 19011:2002 clause 6.5)
Conduct the opening meeting
Communicate during the audit
Explain the roles and responsibilities of participants
Collect and verify information
Generate audit findings
Prepare audit conclusions
Conduct the closing meeting
Opening Meeting (ISO 19011:2002 clause 6.5.1)
Hold the opening meeting with auditee top management and those responsible for the processes audited
The meeting may be informal
Chaired by the team leader
Audit team present
The purpose is to confirm all prior arrangements
Auditing Process: Collecting and Verifying Information
[Figure: flow of audit information]
Sources of information -> Collect by appropriate sampling & verification -> Evaluate against audit criteria -> Review -> Audit conclusions
Auditing Process: Collect & Verify Information (ISO 19011:2002 clause 6.5.4)
Collect information relevant to:
The audit objectives, scope, and criteria
Interfaces between functions, activities and processes
Collect audit evidence by appropriate sampling, then verify and record it
Be aware of sampling limitations if acting on the audit conclusion
Use only information that is verifiable as audit evidence
Auditing Process: Techniques to Obtain Audit Evidence (ISO 19011:2002 clause 6.5.4)
Interview:
Personnel that manage, perform, and verify activities
Also ensure they are responsible for the activity being audited
Listen carefully to responses
Observe:
Identity, status, condition, processes, equipment, activities, environment, and people
Auditing Process: Audit Evidence
Review documents that describe:
Activities
Plans
Controls
Strategies
Exercises
Tests
Review records for evidence of conformity to documents
Review records, statements of fact, or other information that are relevant to the audit criteria and verifiable
Audit evidence may be qualitative or quantitative
Communication and Interpersonal Skills
Put the auditee at ease
Ask short questions and listen
Reflect the right attitude, tone of voice, body language, and facial expressions
Smile and maintain eye contact
Avoid interruptions
Avoid off-the-cuff and condescending remarks
Give praise when appropriate
Communication and Interpersonal Skills (continued)
Show interest
Be tactful and polite
Show patience and understanding
Remember to say please and thank you
Ask the right person
Don't say you understand when you do not
Questioning Techniques
Open question: using why, who, what, where, when, or how gets more than a yes or no answer
Expansive question: further elaborates the current point
Opinion question: asks for an opinion about the current point
Non-verbal: uses body language, for example raising an eyebrow to elicit further information
Questioning Techniques (continued)
Repetitive question: repeats the response back in the form of a question
Hypothetical question: uses "what if", "suppose that", etc.
Closed question: gets a yes or no answer; used for confirmation; avoid using too often
Silence: draws out more information
Note Taking
Notes could be used as a reference for:
Immediate investigation
Investigation later
Use by a colleague
Subsequent audits
Notes taken during an audit are a record of:
The audit sample taken
What was reported
What was observed
Notes may be referenced by a subsequent auditor
Sampling
Samples should test the effectiveness of the system and should be:
Representative
Structured
Independently selected
Sample size should be based on:
Risk
Importance
Status
Findings from the previous/current audit
Control of the Audit
The checklist is an aid, not a requirement
If potential audit trails appear, decide to:
Disregard
Note for later
Follow up immediately
Following audit trails may affect:
Sample size
Audit plan
Handling Difficult Situations
Examples:
Uncooperative auditees
Long telephone calls
Cannot find document
Unprepared
Constant interruptions
Provocation
Long-winded auditees
Interdepartmental or personality conflicts
Diversionary tactics
Language
Noisy environment
Boastful
Called away
Volunteered information
Judgment in the Audit Process
Audit focus must be on conformity and effectiveness, NOT on finding nonconformities
The auditee must be given the benefit of any doubt where there is insufficient audit evidence
Establish the Facts
Discuss concerns
Verify the findings
Record all the evidence:
Exact observation
Where, what, etc.
Establish why it is a nonconformity or otherwise
State who (if relevant), preferably by job title
Obtain agreement on the facts
Generate Audit Findings (ISO 19011:2002 clause 6.5.5)
Evaluate audit evidence against the audit criteria to generate audit findings
Indicate whether findings are conformities, nonconformities or opportunities for improvement
Meet (audit team) to review findings
Specify (with supporting evidence) or summarize conformity by location, function, or process, as required by the audit plan
Nonconformity (ISO 19011:2002 clause 6.5.5)
Non-fulfillment of a specified requirement:
Not doing it
Partially doing it
Doing it the wrong way
Specified requirement:
Conditions of the customer contract
Quality standard (ISO 9001:2008)
Quality management system
Statutory or regulatory requirements
Generate Audit Findings (continued, ISO 19011:2002 clause 6.5.5)
Record nonconformity findings and supporting evidence
Obtain auditee acknowledgement of nonconformities for accuracy and understandability
Try to resolve differences of opinion
Keep a record of unresolved issues
Nonconformity - Minor
Failure to comply with a requirement which (based on judgment and experience) is not likely to result in QMS failure
Single observed lapse or isolated incident
Minimal risk of nonconforming product or service
Examples:
A two-month lapse in the internal audit program
A training record not available
No actions taken to improve the system based on previous result findings
Nonconformity - Major
Absence or total breakdown of a system to meet a requirement
A number of minors related to the same clause or requirement
A nonconformity that experience and judgment indicate will likely result in QMS failure or significantly reduce its ability to assure controlled processes and products
Nonconformity - Major (continued)
Examples:
No documented procedure for a required documented ISO 9001:2008 process/activity
Document changes routinely made without authorization
No awareness program for the quality management system
No future planned internal audits
Insufficient scope
Numerous minor nonconformities found in the production process
Classifying the Nonconformity
Consider the seriousness:
What could go wrong if the nonconformity remains uncorrected?
Is it likely the system would detect it before the customer is affected?
If you are not certain it is a nonconformity, it is not.
You must have:
A requirement that has been broken
Proof that it has been broken
Good Report Example
QMS Nonconformity Report
Incident Number: 1
Company under audit: XYZ, Inc.
Area under review: Purchasing (ISO 9001 clause 7.4)
Category: [X] Major [ ] Minor
Requirement:
Clause 7.4.1 of ISO 9001:2008 requires that the organization establish criteria for evaluation and re-evaluation of suppliers.
Nonconformity findings:
Upon speaking with the Purchasing Manager, it was found that no evaluation of supplier ABC had taken place since the contract was signed and business began with supplier ABC.
Poor Report Examples
The nonconformity statements below are inadequate because they lack a specified requirement and detailed evidence:
"Steering Group meeting minutes are not adequate"
"The authority level for the Emergency Controller must be documented for clarity purposes"
Preparing Audit Conclusions (ISO 19011:2002 clause 6.5.6)
The audit team confers prior to the closing meeting, as scheduled in the audit plan, to plan for the closing meeting. The purpose is to:
Review audit findings and other information
Agree on audit conclusions
Prepare the audit report and recommendations
Discuss audit follow-up, if included in the audit plan
Audit Report: Prepare, Approve & Distribute (ISO 19011:2002 clauses 6.6.1, 6.6.2)
The audit report contains:
1. Audit reference
2. Client and auditee details
3. Audit team details
4. List of auditee representatives
5. Objectives, scope, and criteria
6. Audit plan dates, places, areas audited and timing
7. Summary of the audit process
8. Audit summary
9. Uncertainty due to sampling
Audit Report: Prepare, Approve & Distribute (continued, ISO 19011:2002 clauses 6.6.1, 6.6.2)
10. Nonconformity reports
11. Recommendations
12. Obstacles encountered
13. Any areas in the audit scope not covered
14. Any unresolved issues between the auditee and the team
15. Confirmation that the audit objectives were accomplished
16. Confidentiality statement
17. Distribution list
Audit Report: Distribution (ISO 19011:2002 clause 6.6.1)
Issue within the agreed time period; if delayed, provide reasons and agree on a new issue date
The report must be dated, reviewed, and approved as per procedures
Distribute to the recipients designated by the audit client
The report is the property of the audit client
Recipients and the audit team must respect the confidentiality of the report
Completing the Audit (ISO 19011:2002 clause 6.7)
The audit is complete when all activities in the audit plan have been carried out and the audit report is distributed
Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures
Maintain confidentiality of audit documents, information, and report
Notify the audit client and auditee as soon as possible if disclosure of audit information is required
Closing Meeting (ISO 19011:2002 clause 6.5.7)
Hold the closing meeting to present audit findings and conclusions
Cover situations encountered during the audit that may decrease reliance on the audit conclusions
Discuss and resolve diverging audit findings and conclusions; keep a record if not resolved
Provide recommendations for improvement where specified by the audit objectives
Keep minutes and attendance records
Will normally be informal for internal audits
Conducting the Follow-up (ISO 19011:2002 clause 6.8)
Audit conclusions may require corrective, preventive, or improvement actions
The auditee decides on and carries out these actions within the agreed timeframe
These actions are not part of the audit
An audit team member should verify the completion and effectiveness of the actions taken
This verification may be part of a subsequent audit
Maintain independence in subsequent audit activities
Corrective Action Follow-up (ISO 19011:2002 clause 6.8)
The auditee receives the nonconformity report
The auditee prepares and approves a corrective action plan
The auditee submits the plan to the auditors
The auditors evaluate and approve the plan
The auditee implements the approved corrective action plan
The auditor verifies the implementation and effectiveness
Keep records of all actions taken by the auditor and the auditee
Conclusion
Typical Audit Activities (summary)
Initiating the audit
Conducting document review
Preparing for on-site activities
Conducting on-site activities
Preparing, approving and distributing the audit report
Completing the audit
Conducting audit follow-up
Final questions?
Thank you for your attendance and participation!