isointernalauditor-12772442373227-phpapp01

7/29/2019 isointernalauditor-12772442373227-phpapp01

1/74

Issue 1 December, 2008 QMS-030-01-EN-GX 2008 BSI Management Systems

raising standards worldwide TM

The British Standards Institution


2/74

ISO Internal AuditorCompliance Management

Prepared &Presented by

Yamin K Hajeej


3/74

4

3

2

1Introduction to Auditing

The Process Approach and Process Auditing

Managing an Audit Program

Audit Activities

Table of Content

5 Auditor Competence and Responsibilities

6 Conclusion


4/74

Introduction

to

Auditing


5/74

Auditing

What is an audit?

Systematic, independent and documented process for

obtaining audit evidence and evaluating it objectively to

determine the extent to which audit criteria are fulfilled

(ISO19011: 2002 clause 3.1)

Why audit?

Requirement of ISO 9001:2008

Monitor and measure the management system

Promote continuous improvement of the management

system


6/74

Principles of Auditing

Principles relating to auditors:

Ethical conduct

Fair presentation

Due professional care

Principles relating to audit: Independence

Evidence-based approach

4.0

Note: reference toISO 19011:2002

Clause number


7/74

Benefits of Auditing

Verifies conformity to requirements

Increases awareness and understanding

Provides a measurement of effectiveness of the management

system to top management

Reduces risk of management system failure

Identifies improvement opportunities

Continuous improvement if performed regularly


8/74

Types of Audit

Registration / Certification

Product

Customer contract

Gap assessment / Pre-assessment

Surveillance Combined audit / joint audit


9/74

The Process

Approach

and ProcessAuditing


10/74

Process Approach

The process approach emphasize the importance of:

Understanding and meeting requirements

Looking at processes in terms of added value

Obtaining results of process performance Continual improvement of process


11/74

Your

Process

Act

DoPlan

Check

PDCA (Plan-Do-Check-Act)

ContinualImprovement

The Plan-do-Check-Act (PDCA) methodology

applies to all processes Deploy and conform with plan

Activities

Controls

Documentation

Resources

Objectives

Analyze/review

Decide/change

Improve effectiveness

Measure

and monitor for

conformity and

effectiveness

M t S t St d d d th


12/74

Management System Standards and the

Process Approach

ISO 9001:2008:

Is based upon the PDCA cycle which can be applied to

processes

Applies the PDCA cycle to implementing, operating,

monitoring, exercising, maintaining and improving the

effectiveness of a QMS

ISO 19011:2002 does not explicitly mention process audits, but

is written for application to all management system audits


13/74

Applying the Process Approach to Auditing

Auditors can apply the process approach to auditing by ensuringthe auditee:

Can define the objectives, inputs, outputs, activities, and

resources for its processes

Analyzes, monitors, measures, and improves its processes

Understands the sequence and interaction of its processes


14/74

Process Auditing Approaches

Individual Process:

Input / Output / Value-added Activity

Plan-Do-Check-Act

Resources

Relationship with other processes: Flow / Sequence / Linkage / Combination

Interaction / Communication

Evidence

Customer and supplier contract(s)


15/74

Process Auditing Turtle Diagram

With what?

Resources With who?

Personnel

What results?

Performance

indicators

Outputs

To

Whom/

Where

Inputs

From

Whom/

Where

How done?

Methods/

Documentation

Process(specific value-added

activities)


16/74

Process Auditing Example

With what?

Order processing

system

With who? Customers Competent sales and

processing staff

What results?

Order processing

time

Number or orders

Value of orders

Contract accuracy

OutputsProduction/Service

Delivery

Inputs

Customer

requirements

Sales staff

How done?

IT system

Processing system

Terms and conditions

Contract review procedure

Contract

Review


17/74

Managing an

Audit

Program


18/74

Managing an Audit Program Process Flow

PLAN DO CHECK ACT 5.1

AUTHORIZE

ESTABLISH IMPLEMENTMONITOR &

REVIEW IMPROVE

OBJECTIVES

EXTENT

ROLES

RESOURCES

PROCEDURES

SCHEDULE AUDITS

EVALUATE

AUDITORS

SELECT TEAMS

DIRECT ACTIVITIES

MAINTAIN RECORDS

MONITOR

REVIEW

IDENTIFY NEED

FOR CA/PA

IDENTIFY

OPPORTUNITIES

TO IMPROVE

AUDITOR

COMPETENCE

& EVALUZATION

SPECIFIC AUDIT

ACTIVITIES


19/74

Audit

Activities


20/74

Typical Audit Activities

Initialing the Audit

Conducting Document Review

Preparing, Approving, Distributing Audit Report

Completing the Audit

Conducting Audit Follow-up

Preparing for On-site Activities

Conducting for On-site Activities

PLAN

DO

CHECK

ACT

6.1


21/74

Audit Program

Top management should authorize responsibility for programmanagement to:

Establish, implement, review, and improve the audit

program

Identify the necessary resources and ensure they are

provided

Organization should develop audit program processes

Program should be managed by a member of the organization

Keep appropriate audit records to monitor and review the audit

program


22/74

Audit Program Responsibilities

Top management should authorize responsibility for programmanagement

Those assigned responsibility should:

Establish, implement, review, and improve the audit

program

Identify the necessary resources and ensure they are

provided


23/74

Initiating the Audit

Initiating the audit includes:

Appointing the audit team leader

Defining audit objectives, scope, criteria

Determining feasibility of the audit

Selecting the audit team

Establishing initial contact with the auditee

6.2


24/74

Defining Audit Objectives, Scope, Criteria

Audit Objectives may include:

Determining of the extent of conformity of auditee`s QMS with

audit criteria

Evaluation of capability of QMS to ensure compliance with

statutory, regulatory, and contractual requirements

Evaluation of effectiveness of the QMS to meet its objectives

Identification of areas of improvement

6.2.2


25/74

Selecting the Audit Team

For Team size and competence, consider:

Audit objectives, scope, criteria, and duration

Whether audit is combined or joint

Competence of team to meet objectives

Statutory, regulatory, contractual and accreditation/certificationrequirements

Independence of the team

6.2.4


26/74

Auditor

Competenceand

Responsibilities


27/74

Auditor Competence

Auditor competence is based on:

Personal attributes

Application of knowledge and skills

Competence is to be developed, maintained, and improved

7.1

A dit C t


28/74

Personal

Attributes

Ethical

Diplomatic

Open-

minded

Auditor CompetencePersonal Attributes

Observant

Perceptive

Versatile

Tenacious

Decisive

Self-reliant

7.2

A dit C t


29/74

Auditor CompetenceGeneric Knowledge and skills

Auditor skills and competence could include: Audit principles, procedures, and techniques

Management system and reference documents

Organizational situations

Laws, regulations, and other requirements

7.3.1

A dit C t


30/74

Auditor CompetenceSpecific Knowledge and skills

Specific knowledge and skills for quality auditors could include: Quality methods and techniques

Quality terminology

Quality management tools and their application

Processes and products/services specific to the sector beingaudited

7.3.3


31/74

Auditor Responsibilities

Arrive on time Maintain confidentiality

Be objective and ethical

Support the audit team and team leader

Plan and prepare work documents

Inform auditees of the audit process

Document and support all findings

Keep auditee informed

Safeguard all documents

Prepare the audit report


32/74

Audit

Activities(Continued)


33/74

Audit Planning

Determine the objective of the audit Identify specified requirements

Determine audit duration and resources needed

Select the team

Contact the auditee

agree the date(s)

Draw up audit plan

Brief the team

Prepare work documents


34/74


A review of documentation: Should be conducted prior to on-site audit activities unless

deferring review is not detrimental to the effectiveness of the

audit

May include relevant QMS documents, records, and previous

audit reports

May include a preliminary site visit

6.3


35/74

Prepare Work Documents

Prepare work documents Use as a reference and for recording audit proceedings

Include checklists, sampling plans and forms, ISO 9001:2008

standard, etc.

Keep checklists flexible to allow changes resulting from

information collected during the audit

Safeguard any confidential and proprietary information

Retain work documents and records


36/74

Checklists Preparation

One Approach is to: Identify audit scope and process(es) within scope

Identify applicable factors (inputs, outputs, measures,

resources, etc.)

Use these points and other requirements

(ISO 9001-2008, system documentation, etc.) to:

Plan what to look at

Plan what to look for (audit evidence)

Prepare checklist


37/74

Checklists Structure

Audit checklist structure:

Process/Activity Audited:

Requirement Source Evidence Notes

ISO 9001:2008

Clause # or otherrequirement

What to

look at

What to

look for

Notes


38/74

Conduct on-Site Audit Activities

Conduct opening meeting Communicate during the audit

Explain roles and responsibilities of participants

Collect and verify information

Generate audit findings

Prepare audit conclusions

Conduct closing meeting

6.5


39/74

Opening Meeting

Hold opening meeting with auditee top management andthose responsible for processes audited

Meeting may be informal

Chaired by team leader

Audit team present

Purpose is to confirm all prior arrangements

6.5.1

C ll ti d V if i I f ti


40/74

Review

Sources ofinformation

Collect by

appropriate

sampling &

verification

Evaluate

against audit

criteria

Collecting and Verifying Information

Audit

Conclusions

Auditing Process


41/74

Auditing Process

Collect & Verify information

Collect information relevant to: Audit objectives, scope, and criteria

interfaces between functions, activities and processes

Collect audit evidence by appropriate sampling and verify and

record it

Be aware on sampling limitations, if acting on the audit

conclusion

Use only information that is verifiable as audit evidence

6.5.4

Auditing Process


42/74

Auditing Process

Techniques to Obtain Audit Evidence

Interview: Personnel that manage, perform, and verify activities

Also ensure they are responsible for the activity being

audited

Listen carefully to responses

Observe:

Identity, status, condition, processes, equipment, activities,

environment, and people

6.5.4

Auditing Process


43/74

Auditing Process

Audit Evidence

Review documents that describe: Activities

Plans

Controls

Strategies

Exercises

tests

Review records for evidence of conformity to documents

Review records, statements of fact, or other information which

are relevant to the audit criteria and verifiable Audit evidence may be qualitative or quantitative

C i ti d i t l kill


44/74

Communication and interpersonal skills

Put auditee at ease Ask short questions and listen

Reflect right attitude, tone of voice, body language, and facial

expressions

Smile and show eye contact

Avoid interruptions

Avoid off-cuff and condescending remarks

Give praise when appropriate

C i ti d i t l kill


45/74

Communication and interpersonal skills

Show interest Be tactful and polite

Show patience and understanding

Remember to say please and thank you

Ask the right person

Don`t say you understand when you do not

Q ti i T h i


46/74

Questioning Techniques

Open question Using why, who, what, where, when, or how gets more than

a yes or no answer

Expansive question

Further elaborates the current point

Opinion question

Asks opinion about current point

Non-verbal

Uses body language, for example: raise eye-brow to elicit

further information

Q ti i T h i


47/74

Questioning Techniques

Repetitive question Repeats back response in form of a question

Hypothetical question

Uses what if, suppose that, etc.

Closed question

Gets yes or no answer

Avoid using too often

Used for confirmation

Silence

Draws more information

N t T ki


48/74

Note Taking

Notes could be used as reference for: Immediate investigation

Investigation later

Use by a colleague

Subsequent audits

Notes taken during an audit are a record of:

The audit sample taken

What was reported

What was observed

Notes may be referenced by subsequent auditor

S li


49/74

Sampling

Samples should test the effectiveness of the system and shouldbe:

Representative

Structured

Independently selected

Sample size should be based on:

Risk

Importance

Status

Findings from the previous/current audit

C t l f th A dit


50/74

Control of the Audit

Checklist is an aid, not a requirement If potential audit trails appear, decide to:

Disregard

Note for later

Follow up immediately

Following audit trails may effect:

Sample size

Audit plan

Handling Difficult Situations


51/74

EXAMPLES

Uncooperative

Long

telephonecalls

Cannot find

document

Unprepared

Constant

interruptions

Provocation

Long-winded

auditees

Interdepartmental

or personality

conflicts

Diversionary

tactics

Language

Noisy

environment

Boastful

Called away

Volunteered

information

Handling Difficult Situations

Establish the Facts


52/74

Judgment in the Audit Process

Audit focus must be on conformity and effectiveness, NOT onfinding nonconformities

The auditee must be given the benefit of any doubt where there

is insufficient audit evidence

E t bli h th F t


53/74

Establish the Facts

Discuss concerns Verify the findings

Record all the evidence:

Exact observation

Where, what, etc.

Establish why a nonconformity or otherwise

State who (if relevant) preferably by job title

Obtain agreement with the facts

Generate A dit Findings


54/74

Generate Audit Findings

Evaluate audit evidence against audit criteria to generate auditfindings

Indicate if findings are conformities, nonconformities or

opportunities for improvement

Meet (audit team) to review findings

Specify (with supporting evidence) or summarize conformity bylocation, function, or processes, as required by audit plan

6.5.5

Nonconformity


55/74

Nonconformity

Non-fulfillment of a specified requirement: Not doing it

Partially doing it

Doing it the wrong way

Specified requirement:

Conditions of the customer contract

Quality standard (ISO 9001:2008)

Quality management system

Statutory or regulatory requirements

6.5.5



56/74


Record nonconformity findings and supporting evidence Obtain auditee acknowledgement of nonconformities for

accuracy and understandability

Try and resolve differences of opinion

Keep a record of unresolved issues

6.5.5

Nonconformity Minor


57/74

Nonconformity - Minor

Failure to comply with a requirement which (based on judgmentand experience) is not likely to result in QMS failure

Single observed lapse or isolated incident

Minimal risk of nonconforming product or service

Examples:

A two month lapse in the internal audit program

A training record not available

No actions taken to improve system based on previous

result findings

Nonconformity Major


58/74

Nonconformity - Major

Absence or total breakdown of a system to meet a requirement A number of minors related to the same clause or requirement

A nonconformity that experience and judgment indicate will

likely result in QMS failure or significantly reduce its ability to

assure controlled processes and products

Nonconformity Major


59/74

Nonconformity - Major

Examples: No documented procedure for a required documented ISO

9001:2008 process/activity

Document changes routinely made without authorization

No awareness program for the quality management system

No future planned internal audits

Insufficient scope

Numerous minor nonconformities found in the production

process

Nonconformity


60/74

Classifying the Nonconformity

Consider the seriousness: What could go wrong if the nonconformity remains

uncorrected?

Is it likely the system would detect it before the customer is

affected?

If you are not certain it is a nonconformity, it is not.

You must have:

A requirement that has been broken

Proof that it has been broken

Nonconformity


61/74

Good Report Examples

QMS Nonconformity Report Incident Number:1

Company under audit: XYZ, Inc.

Area under Review: Purchasing ISO 9001 Clause number 7.4

Category: Major Minor

Requirement:

Clause 7.4.1 of ISO 9001:2008 requires that the organization establish criteria for evaluation and

re-evaluation of suppliers.

Nonconformity Findings:

Upon speaking with the purchasing Manager, it was found that no evaluation of ABC supplier had

taken place since the contract was signed and business begin with ABC supplier

Nonconformity


62/74

Poor Report Examples

The nonconformity statements below are inadequate due to thelack of specified requirements and detailed evidence:

Steering Group meeting minutes are not adequate

The authority level for the Emergency Controller must be

documented for clarify purposes

Preparing Audit Conclusions


63/74

Preparing Audit Conclusions

Audit team confer prior to the closing meeting: Scheduling of the audit plan

To plan for closing meeting

Purpose is to:

Review audit findings and other information

Agree on audit conclusions

To prepare the audit report and recommendations

If included in audit plan, to discuss audit follow-up

6.5.6

Audit ReportP A & Di ib


64/74

Prepare, Approve & Distribute

1. Audit reference2. Client and Auditee details

3. Audit team details

4. List of auditee representatives

5. Objectives, scope, and criteria

6. Audit plan dates, places, areas audited and timing

7. Summary of audit process

8. Audit Summary

9. Uncertainty due to sampling

6.6.1

6.6.2

Audit ReportP A & Di t ib t


65/74

Prepare, Approve & Distribute

10. Nonconformity reports11. Recommendation

12. Obstacles encountered

13. Any areas in audit scope not covered

14. Any unresolved issues between the auditee and team

15. Confirmation that audit objectives accomplished

16. Confidentiality statement

17. Distribution list

6.6.1

6.6.2

Audit ReportDi t ib ti


66/74

Distribution

Issue within agreed time period If delayed, provide reasons and agree on new issue date

Report must be dated, reviewed, and approved as per

procedures

Distribute to recipients designated by audit client

Report is property of audit client

Recipients and audit team must respect the confidentiality of

the report

6.6.1



67/74


Audit is complete when all activities in audit plan have beencarried out and audit report is distributed

Maintain or dispose of audit documents based on contractual,

regulatory, and audit program procedures

Maintain confidentiality of audit documents, information, and

report Notify audit client and auditee ASAP if disclosure of audit

information is required.

6.7

Closing Meeting


68/74

Closing Meeting

Hold closing meeting to present audit findings and conclusions Cover situations encountered during audit that may decrease

reliance on audit conclusions

Discuss and resolve diverging audit findings and conclusions

Keep a record if not resolved

Provide recommendations for improvement where specified by

audit objectives

Keep minutes and attendance records

Will normally be informal for internal audits

6.5.7

Completing the AuditC d ti th F ll


69/74

Conducting the Follow-up

Audit conclusions may require corrective, preventive, orimprovement actions

Auditee decides and carries out these actions within agreed

timeframe

These actions are not part of the audit

Audit team number should verify completion and effectivenessof actions taken

This verification may be part of a subsequent audit

Maintain independence in subsequent audit activities

6.8

Completing the AuditC ti th F ll


70/74

Corrective the Follow-up

Auditee receives the nonconformity report Auditee prepares and approves a corrective action plan

Auditee submits the plan to auditors

Auditors evaluate and approve the plan

Auditee implements the approved corrective action plan

Auditor verifies the implementation and effectiveness

Records of all actions taken by auditor and auditee

6.8


71/74

Conclusion



72/74


Initialing the Audit


Preparing, Approving, Distributing Audit Report


Conducting Audit Follow-up

Preparing for On-site Activities

Conducting for On-site Activities


73/74

Final

Questions?


74/74

For you attendance and participation!

Date post:	03-Apr-2018
Category:	Documents
Upload:	chowhk
View:	212 times
Download:	0 times