ISO 9001:2015 Clause 9.2 Internal Audit
ISO defines audits as “Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.”
Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization itself for management review and other internal purposes, and may form the basis for an organization’s declaration of conformity. In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited. External audits include those generally termed second- and third-party audits. Second-party audits are conducted by parties having an interest in the organization, such as customers, or by other persons on their behalf. Third-party audits are conducted by external, independent auditing organizations, such as those providing certification/registration of conformity to ISO 9001 or ISO 14001. When two or more management systems are audited together, this is termed a combined audit. When two or more auditing organizations cooperate to audit a single auditee, this is termed a joint audit.
An audit is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. Audits are structured and formal evaluations. The term systematic means the company must plan and document its system for auditing. It must have management support and resources behind it. Audits must be performed in an impartial manner, which requires auditors to have freedom from bias or other influences that could affect their objectivity. For example, having responsibility for the work, or a vested interest or shares in a supplier or third party company they are assigned to audit would be conflicts of interest. Internal audits must be carried out to a procedure according to requirements given in clause 9.2 of ISO 9001:2015. The procedure must address the responsibilities for conducting the audits, ensuring independence, recording results, and reporting to management. Audits obtain objective evidence of conformity with requirements. The evidence must be based on fact and may be obtained through observation, measurement, test, or by other means. Evaluating the extent to which audit criteria are fulfilled involves an assessment of both implementation and effectiveness. Is the organization practicing what it described in its documentation? Are the practices being carried out well? The presence of nonconformities in a department or process may indicate the system is ineffective for those areas.
9.2 Internal Audit
The organization should conduct internal audits at planned intervals to provide information on whether the quality management system conforms to the organization’s own requirements and the requirements of the ISO 9001:2015 standard, and is effectively implemented and maintained.
The organization must plan, establish, implement, and maintain an audit program, which must include frequency, methods, responsibilities, planning requirements, and reporting. When developing the audit program, consideration must be given to the importance of the processes concerned, changes impacting the organization, and the results of previous audits. It must define audit criteria and scope for each audit. It must select auditors and conduct audits so as to ensure the objectivity and impartiality of the audit process. It must ensure the results of audits are reported to relevant management. It must take necessary correction and corrective actions without undue delay. It must retain evidence of audit program implementation and audit results.
Internal audit is one of the important tools required by this standard used to gauge the health of your QMS. How effective is it in meeting ISO 9001, your own QMS, customer, and regulatory requirements? You must have a documented procedure for your internal audit process. The scope of your internal audit program must cover the:
- Audit of operation processes to determine conformity of both products/services and their processes to the customer and applicable regulatory requirements.
- Audit of the QMS to determine conformity to the ISO 9001 standard.
- Audit of the QMS to determine conformity to organizational requirements.
- Audit of QMS processes and their interaction to determine if the QMS has been effectively implemented and maintained.
In determining the time frame for your audit program, you should consider organization size, the complexity of product and processes, the health of the QMS, customer, registrar, and regulatory requirements, etc. The most common time frame is six months. Consider adjusting the audit frequency, and perhaps even the audit scope, of specific processes or groups of processes when you:
- Experience internal or external nonconformities.
- Get customer complaints.
- Have critical or high-risk processes.
- Have frequent or significant changes to processes and product.
Your internal audit program should consider the following:
- Input from the audited area and related areas
- Key customer-oriented processes
- Process and product performance results and expectations
- Opportunities for continual improvement
- Feedback from customers
Audit criteria refer to the specific QMS policies, objectives, ISO requirements, documentation, customer and regulatory requirements, etc., that the audit is referenced to or conducted against. Audit criteria may relate to the whole audit program as well as each individual audit. Audit methods refer to the specific techniques that auditors use to gather objective audit evidence that can be evaluated to determine conformity to audit criteria. Examples of audit methods include an interview of personnel, observation of activities, review of documents and records, etc. You must define the minimum qualification requirements for internal auditors. These requirements include knowledge of QMS processes and their interaction, related QMS controls, customer requirements, applicable regulatory requirements, the ISO 9001 standard, the audit process, and audit techniques. Internal auditors need to be trained in the ISO 9001 standard as they generally audit for conformity to organizational requirements and also for conformity to ISO 9001 requirements. Additionally, the ISO 19011:2002 Guidelines for quality and environmental auditing says that auditors should have knowledge of quality management system standards and their application to the organization.
You must have appropriate resources for your annual audit program. These include having sufficient trained auditors available to conduct scheduled audits, sufficient time to perform audits, availability of department or process personnel to be audited, time and tools to prepare audit records and reports, etc. The auditor should be independent. During the audit, auditors should ensure that the objectivity and impartiality of the audit are not compromised. Auditors cannot audit their own work. Auditor independence must be ensured when assigning personnel to specific audits. Process owners must take timely corrective action on nonconformities found in their area. They should use the corrective action procedure to determine the root cause, take appropriate action, and follow up to determine if results indicate that the root cause has been eliminated. Audit results must be summarized and reported for management review. The Process manager must also report any opportunities for QMS improvement. The Process manager must analyze the results of each audit as well as the annual audit program to determine strengths and weaknesses in QMS processes, interactions, functions, products, etc., to identify and prioritize opportunities for improvement. Audit records include the annual audit schedule; audit planning such as criteria, scope, frequency, methods, auditor selection and assignment, etc.; auditor competence and training; audit checklists and forms; audit notes and other evidence gathered; audit findings; nonconformity reports; audit reports; corrective actions and follow-up of internal audit nonconformities; analysis of audit program performance indicators and trends; and identified improvement opportunities. Performance indicators should be used to measure the effectiveness of your internal audit process, and trends in these indicators should be monitored, to continually improve your audit program.
Performance indicators may include reducing the number of late or delayed audits, incomplete audits, incomplete audit records and late reports, auditor errors, auditee complaints, and use of untrained auditors, etc.
The output of your internal audit program may be used as performance indicators to:
- Determine the degree of conformity of the QMS to ISO 9001, customer and regulatory requirements.
- Determine the effectiveness of QMS implementation and maintenance.
- Determine the degree of conformity of product to contractual and regulatory requirements.
- Identify areas of the QMS that need improvement.
Always establish the objectives of the audit. Audit objectives are not limited to the ISO 9001 standard. Clear audit objectives help determine the scope and depth of the audit, as well as the resources needed. Being clear on the objectives provides focus and helps keep the auditor from being distracted and going off on unnecessary detours beyond the scope of the audit. Audit objectives may include:
- Evaluating conformity of requirements to ISO 9001
- Evaluating conformity of documentation to ISO 9001
- Judging conformity of implementation to documentation
- Determining effectiveness in meeting requirements and objectives
- Meeting any contractual or regulatory requirements for auditing
- Providing an opportunity to improve the quality management system
- Permitting registration and inclusion in a list of registered companies
- Qualifying potential suppliers
Types of Audits
Audits that are carried out to determine whether an organization conforms to a quality Standard may be termed Quality System Audits. This type of audit requires the auditor to use a fair degree of judgment to establish whether controls are adequate. Many second- and third-party audits are carried out as Quality System Audits, as are many audits for the purpose of consultancy. Audits that are carried out against specifically defined practices, procedures, and instructions, and that are perhaps (but not necessarily) more limited in their scope, are termed conformity audits. Many internal audits and many contract-related audits between two parties are carried out as conformity audits. Process and product audits are subsets of QMS conformity audits and therefore limited in scope. An ISO 9001 process audit evaluates the controls and characteristics of a specific process, as well as its relationship with other processes, and may include using some or all of the following approaches:
1) Individual processes in terms of:
- Input / Output / Value-added activity
- Plan / Do / Check / Act
2) Relationship to other processes in terms of:
- Flow / Sequence / Linkage / Combination
- Interaction / Communication
3) Customer contracts for conformity to contractual requirements through the various processes used to fulfill the customers’ orders.
4) Audit trails – following concerns or unresolved issues to processes or departments that are beyond the scope of a specific audit.
Process audits may include the following processes, as well as related sub-processes – Context of the organization; Leadership; Planning; Support; Operations; Performance evaluation; Improvement. A product/service audit is a process audit that focuses on the processes needed for executing operations for the product or service realization. For the purposes of this discussion, however, there are two basic types, further sub-divided according to different emphases and objectives. The two types are external audits and internal audits.
External audits are audits done outside one’s own organization, and there are at least two distinct types of external audit: second party and third party.
Second Party Audits
These audits, carried out by one company on another, originally came from the idea of an organization auditing its suppliers. There are a number of reasons why an organization may wish to audit its suppliers.
- One method to satisfy clause 8.4.1 of ISO 9001:2015
- Input to selecting, grading, and approving suppliers
- Help to improve supplier Quality Management Systems
- Mutual understanding of quality requirements
Many major organizations carry out second-party audits to advise user departments of areas of weakness in suppliers so appropriate contract and/or surveillance mechanisms can be instigated if the supplier is to be given work. It can also highlight likely additional costs.
Third Party Audits
As a result of the growth in interest in Quality Assurance during the 1960s and 1970s, more and more second-party audits were being carried out. Some companies in certain fields had to employ people whose sole task was to accompany visiting auditors around the company! Clearly, this state of affairs was helping nobody, particularly the supplier. After considerable discussions at national levels, the ISO 9000 scheme was introduced to rationalize all the assessment schemes as a third-party audit operated by an independent body that would certify companies as conforming with the Standard (or not, as the case may be). Various bodies became registration bodies (Registrars) and BSI, UL, SGS, DNV are prominent examples. There are different types of registration, but the main interest here is on the Registrar’s Quality Management System assessment and registration. On payment of an initial fee to the Registrar, they will assess your Quality Management System to ISO 9001 and, depending on the results of the assessment, the organization would become registered.
Internal audits or First Party Audits
First-party audits are carried out by an organization on itself to confirm to management that their documented quality management system is working effectively. An organization’s own defined and documented system forms the basis for this audit. Reasons for a first-party audit:
- ISO 9001:2015 clause 9.2 requires it
- Control and feedback mechanism for management
- Correction of nonconformities before external bodies find them
- Systematic improvement of the organization
As in the second party, if the audits are done only for reason (1) or (3) above, the value is going to be limited. By establishing an internal audit program, management is making available an extremely useful and powerful tool for improving business, and for assessing the effectiveness of the quality management system. Of course, in considering (3) above, it means that if an organization is to find for itself the kinds of nonconformities that external bodies are likely to find, it should, if possible, carry out its audits in a similar way to the Registrars. It must be remembered that all audits are based on sampling; therefore, there is no guarantee that all nonconformities will be found during the internal audit process.
Benefits of Quality Management System Audits
- Provides information for management review
- Demonstrates senior management commitment
- Improves personnel awareness, participation, and motivation
- Provides opportunities for continual improvement
- Improves customer confidence and satisfaction
- Increases operational performance
Audit results are a major input to the management review process. Management must take appropriate actions based on the review of quality system strengths, weaknesses, and opportunities for improvement. The time allocated for conducting internal audits demonstrates top management commitment. If the purpose of the audit is properly communicated, and employees realize that the audit is not an evaluation of personal performance, they are more likely to discuss weak areas and opportunities for improvement. This should lead to an improvement in operational performance and improved customer satisfaction.
The Auditor within the Audit System
All systems in an organization have to be designed and made to work by people. The audit system is no different. It must have procedures and training to advise the auditor what the role requires, and also what and who qualifies or authorizes the auditor to do the work. An auditor is defined by ISO 19011 as a person with the competence to perform an audit. To perform an audit, the auditor must be authorized for that particular audit.
The Auditor has the following responsibilities:
- Support the team leader
- Be prepared
- Participate in opening and closing meetings
- Carry out assigned tasks
- Keep to the timetable and audit scope
- Document and support all findings
- Keep team leader and auditee informed
- Safeguard all documents
- Maintain confidentiality
- Be objective and ethical
- Verify corrective actions (if assigned as the auditor)
Lead Auditor Responsibilities
In addition to the auditor’s responsibilities, the lead auditor must possess management capabilities that include:
- Assisting in team selection and briefing the team
- Responsibility for planning and managing all phases of the audit
- Representing the audit team with auditee
- Controlling conflicts and handling difficult situations
- Conducting and controlling all meetings with team and auditee
- Making decisions on audit issues and quality system
- Reporting audit results without delay
- Reporting major obstacles encountered
- Reporting critical nonconformities immediately
- Possessing effective communication skills
The Lead Auditor must balance the on-site audit workload so that there is sufficient time to conduct these managerial tasks.
The Auditee is a department or the process of the organization to be audited. The auditee could be one of its manufacturing or service facilities. The Organization determines the audit scope and objective.
Principles of ISO 9000 Auditing
QMS auditors must adhere to the following principles and attributes, based on ISO 19011, Principles relating to auditors:
1. Ethical Conduct is the foundation of professionalism. It includes auditor behavior that reflects trust, integrity, confidentiality, and discretion.
2. Fair Presentation is the obligation to report truthfully and accurately:
- Audit activities through – audit findings, conclusions, and reports
- Significant obstacles encountered
- Unresolved diverging opinions between auditee and audit team
3. Due Professional Care is applying diligence and judgment in auditing. Auditors must exercise care related to the importance of the task and the confidence placed in them by the auditee and other interested parties. Having the necessary competence is an important factor.
4. Independence forms the basis for the impartiality of the audit and objectivity of the audit conclusions. Auditors must:
- Be independent of the activity being audited
- Be free from bias and conflict of interest
- Maintain an objective state of mind throughout the audit process
- Ensure that audit findings and conclusions will be based only on the audit evidence
5. The evidence-based approach is the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process. Audit evidence must:
- Be verifiable
- Be based on samples of the information available (since the audit is conducted during a finite period of time and with finite resources)
- Ensure that proper use of sampling is made, to contribute to the confidence that can be placed on the audit conclusions
Additionally, ISO 9001 QMS Auditors must:
- Be open-minded and mature
- Possess sound judgment, analytical skills, and tenacity
- Have the ability to perceive situations in a realistic way
- Understand the role of individual units within the overall organization
- Understand complex situations from a broad perspective
The auditor must be able to apply these attributes in order to:
- Fairly obtain and assess objective evidence.
- Remain true to the purpose of the audit without fear or favor.
- Constantly evaluate the effects of audit observations and personal interactions.
- Treat participating personnel in a way that will best achieve the audit objective.
- React with sensitivity to conventions of the area where the audit is performed.
- Perform the audit process without deviating due to distractions.
- Commit full attention and support to the audit process.
- React effectively in stressful situations.
- Arrive at generally acceptable conclusions based on audit observations.
- Remain true to the conclusion despite pressure to change that is not based on evidence.
Auditors must be open-minded and base decisions on objective evidence. They cannot assume, feel, or impose their views. Remember that ISO 9001 is interpretative, not prescriptive. There are many ways to implement a requirement to achieve effective control. Keep an open mind. Don’t jump to conclusions.
Other useful attributes:
- Other desirable personal attributes that an ISO 9000 auditor may possess include being polite, punctual, practical, principled, persevering, industrious, positive, and prepared. Be mature, have sound judgment, be tenacious, be perceptive and realistic.
- Maturity comes from education, understanding, and experience. Sound judgment and analytical skills are gained through research and experience in interpreting and applying the requirements of the standard. Learn from experienced auditors. Take notes of their audit evaluation techniques.
- Tenacious does not mean digging until you find a nonconformance. It refers to your ability to stay focused on the audit objective and scope, in spite of distractions. Perceptive means being alert to changing circumstances or concerns. Realistic is being pragmatic. Evaluate the risk. How serious is it? What is the probability of occurrence?
Very few organizations are alike. They have different products, processes, management structures, cultures, and environments. Auditors must learn to quickly gauge these factors to determine to what extent they will facilitate or hinder conducting the audit.
- Auditors must be free from bias and influence
- They cannot audit their own work
- All participants in an audit must respect the integrity and independence of the auditors
From a first party perspective, internal auditors cannot audit their own work. They must be selected to perform impartial and objective audits. From a second or third party perspective, independence may be jeopardized if the auditors have a business or other association with the second or third party company that may influence their objectivity, or they own shares in the company to be audited, or their spouse or relative works there.
Role of an Internal Auditor
Internal auditors may have many roles depending upon whether they perform as lead auditor or team member. The scope and objective of the assignment must also be taken into consideration. Some of the key roles and issues are discussed below:
- Is the management interface
- May facilitate the documentation and implementation process
- May act as a guide during audits
- May interface with customer and external auditors
- Must maintain “independence” and confidentiality
- Exhibit professional behavior
Internal auditors are the management interface. They follow management’s directives and conduct internal audits on behalf of management. Internal auditors report audit findings to top management so the system can be improved. Internal auditors may facilitate the communication, documentation, and implementation of the system and communicate with the registrar or customers. They may also act as guides during audits by external auditors or customers. They know the facility and audit process, and acting as a guide provides a good learning opportunity. They may be consulted as a resource for interpretation, and may facilitate implementation of the requirements through the provision of training and review of implementation steps. If they are directly involved in the implementation or take corrective actions, they should not audit the areas they implemented. The Registrar would likely view such activity as a conflict of interest. Internal auditors cannot audit their own work and must remain impartial and objective. They must behave professionally and maintain the confidentiality of information.
Managing An ISO 9001 Audit Program
Authority for Audit Program
An ISO 9001 audit program may include one or more audits, depending on the size, nature, and complexity of the organization to be audited. These audits may have a variety of objectives and may also include joint (multiple auditing organizations) or combined (QMS and EMS) audits. An audit program also includes all activities necessary for planning and organizing the types and number of audits, and for providing resources to conduct them effectively and efficiently within the specified time frames. An organization may establish more than one audit program. The organization’s top management should grant the authority for managing the audit program. Those assigned the responsibility for managing the audit program should:
- Plan, establish, implement, monitor, review and improve the audit program
- Identify the necessary resources and ensure they are provided.
If the organization to be audited operates both quality management and environmental management systems, combined audits may be included in the audit program. In such a case, special attention should be paid to the competence of the audit team. Two or more organizations may cooperate, as part of their audit programs, to conduct a joint audit. In such a case, special attention should be paid to the division of responsibilities, the provision of any additional resources, the competence of the audit team, and the appropriate procedures. Agreement on these considerations should be reached before the audit commences.
Examples of ISO 9001 audit programs include the following:
- A series of internal audits covering an organization-wide quality management system for the current year.
- Second-party management system audits of potential suppliers of critical products to be conducted within six months.
- Registration and surveillance audit conducted by a registrar on a quality management system within an agreed time period.
An audit program also includes appropriate planning, the provision of resources, and the establishment of procedures to conduct the audits within the program.
Establishing the ISO 9001 Audit Program
Audit program objectives
Objectives should be established for an audit program to direct the planning and conduct of audits. These objectives should be based on consideration of:
- Management priorities
- Commercial intentions
- Management system requirements
- Statutory, regulatory and contractual requirements
- Need for supplier evaluations
- Customer requirements
- Needs of other interested parties
- Risks to the organization
Extent Of An Audit Program
The extent of an audit program can vary and will be influenced by the size, nature, and complexity of the organization to be audited, as well as by the following:
- The scope, objective and duration of each audit to be conducted
- The frequency of audits to be conducted
- The number, importance, similarity, and locations of the activities to be audited
- Standards, statutory, regulatory and contractual requirements, and other audit criteria
- Conclusions of previous audits or results of a previous audit program review
- Any language, cultural or social issues
- The concerns of interested parties
- Significant changes to an organization or its operations
Factors that may cause the frequency to increase include:
- Significant changes in management, organization, policy, techniques, or technology
- Requests by the customer or regulatory body
- Changes to the quality management system
- Results of recent audits
- Status and importance – internal audit results
Audit Frequency for Internal Audits
Under clause 9.2.2, internal audits are scheduled on the basis of the importance of the activity to be audited, changes affecting the organization, and previous audit results.
Importance – Refers to the criticality of the processes or activity to the quality of the product or service (critical internal or external suppliers). Also reflects top management’s priorities.
Audits – Refers to the results of previous internal and external audits. You must consider past audit findings and coverage in setting audit frequency. The complete quality management system must be audited at least once a year. Weak areas or activities must be audited more often. Top management determines the frequency of internal audits with the help of the Management Representative. Audit frequency is also determined by contractual or regulatory requirements, as well as significant changes in ownership, policies, products, processes, technology, control systems, documentation, or the organization.
Audit Program Responsibilities, Resources, And Procedures
ISO 9001 Audit Program Responsibilities
The responsibilities for managing an audit program should be assigned to one or more individuals with a general understanding of audit principles, the competence of auditors, and the application of audit techniques. They should have management skills, as well as technical and business understanding relevant to the activities to be audited. Those assigned responsibility for managing the audit program should:
- Establish the objectives and extent of the audit program
- Establish the responsibilities and procedures, and ensure that resources are provided
- Ensure the implementation of the audit program
- Ensure the appropriate audit program records are maintained
- Monitor, review and improve the audit program
ISO 9001 Audit Program Resources
Consider the following when identifying resources:
- Financial resources necessary to develop, implement, manage and improve audit activities
- Audit techniques
- Processes to achieve and maintain the competence of auditors appropriate to the particular audit program objectives
- The extent of the audit program
- Traveling time, accommodation and other auditing needs
Audit Program Procedures
Audit program procedures should address:
- Planning and scheduling audits
- Assuring the competence of auditors and audit team leaders
- Selecting appropriate audit teams and assigning their roles and responsibilities
- Conducting audits
- Conducting audit follow-ups, if necessary
- Maintaining audit program records
- Monitoring the performance and effectiveness of the audit program
- Reporting to top management on the overall achievements of the audit program
For smaller organizations, the activities above can be addressed in a single procedure.
Audit Program Implementation
Implementation should address:
- Communicating the audit program to relevant parties
- Coordinating and scheduling audits and other activities relevant to the audit program
- Establishing and maintaining a process for the evaluation of auditors and their continual professional development
- Ensuring the selection of audit teams
- Providing necessary resources to the audit teams
- Ensuring the conduct of audits according to the audit program
- Ensuring the control of records of the audit activities
- Ensuring review and approval of the audit records and their distribution to the audit client and other specified parties
- Ensuring follow-up if applicable
Audit Program Records
Records should be maintained to demonstrate the implementation of the audit program and should include the following:
- Records related to individual audits such as audit plans, audit and nonconformity reports, corrective and preventive action reports, and audit follow-up reports
- Results of the audit program review
- Records related to the audit personnel regarding:
  - Auditor competence and performance evaluation
  - Audit team selection
  - Maintenance and improvement of competence
Records should be retained and suitably safeguarded.
Audit Program monitoring and reviewing
The implementation of the audit program should be monitored and, at appropriate intervals, reviewed to assess whether its objectives have been met and to identify opportunities for improvement. The results should be reported to top management. Performance indicators should be used to monitor characteristics such as:
- The ability of the audit team to implement the audit plan
- Conformity with audit program and schedules
- Feedback from audit clients, auditees and auditors
The audit program should consider:
- Results and trends from monitoring
- Conformity with procedures
- Evolving needs and expectations of interested parties
- Audit program records
- Alternative or new auditing practices
- Consistency in performance between audit teams in similar situations
Results of audit program reviews can lead to corrective and preventive actions and the improvement of the audit program.
The extent to which audit activities are applicable depends on the scope and complexity of the specific audit and the intended use of the audit conclusions. The planning and conducting of audit activities involve the following process flow or life cycle:
Initiating The Audit
1. Appointing The Audit Team Leader
Those assigned the responsibility for managing the audit program should appoint the audit team leader for the specific audit. Where a joint audit is conducted, agreement should be reached between the audit organizations, before the audit commences, on the specific responsibilities of each organization, particularly with regard to the authority of the team leader appointed for the audit. The leader has responsibility for planning, conducting, and reporting the audit, following these rules and guidelines. The leader is briefed on the objectives and scope of the audit and is then required to specify the resources necessary to carry out the audit, in terms of staff days and the number of auditors required, including any with special technical expertise. This latter point about technical expertise merits some discussion. Some schools of thought say that an auditor does not need technical knowledge of the area they have to audit; the auditor needs knowledge of quality management systems and the Standard. This is, of course, partly true. However, auditors will be required to use all applicable senses during an audit. Familiarity with the kinds of processes going on around the audit will allow auditors to determine conformity, or otherwise, more quickly and probably with less doubt than if they have little experience of that particular process. With a lack of knowledge or experience, it will take auditors longer to reach the same decision based on the same evidence than it would take an experienced auditor. The team leader may be chosen on the basis of particular experience, or it may be decided to include a member in the team who has particular expertise.
2. Defining Audit Objectives, Scope And Criteria
Within the overall objectives of the audit program, an individual audit should be based on documented objectives, scope, and criteria. The audit objectives define what is to be accomplished by the audit and may include the following:
- Determining the degree of conformity of the QMS, or parts of it with audit criteria
- Evaluating the capability of the QMS to ensure compliance with statutory, regulatory and contractual requirements
- Evaluating the effectiveness of the QMS in meeting specified objectives
- Identifying areas for potential improvement of the QMS
The objectives can be many and diverse, but it is essential to be clear on the objectives at the beginning of the audit process.
The audit scope describes the extent and boundaries of the audit, such as:
- Applicable requirements of ISO 9001
- Physical locations – facilities, plants, offices
- Organizational activities – products, processes, departments, functions
- Date the quality management system was formally in effect
The audit criteria are used as a reference against which conformity is determined and may include:
- Applicable policies and procedures
- Standards, laws, and regulations
- ISO 9001 and organization management system requirements
- Industry requirements
- Business sector codes of conduct
The audit scope and criteria should be defined by the organization in accordance with audit program procedures.
3. Selecting The Audit Team
The team leader will select the audit team, following the criteria defined by the organization. Selection criteria may include the following:
- Audit objectives, scope, criteria and the estimated duration of the audit
- Whether it is a combined or joint audit
- The overall competence of the audit team to achieve audit objectives
- Statutory, regulatory, contractual and accreditation/registration requirements, as applicable
- Independence of the audit team and avoiding conflict of interest
- The ability of audit team members to interact with each other and with the auditee
- Language of the audit and an understanding of the auditee’s social and cultural characteristics
- The need for a technical expert
- Availability of competent audit team members
Auditors-in-training may be included in the audit team, but should not audit without direction or guidance. Any team of auditors is likely to split up to audit individually. Each auditor will need an escort and each auditor will take up auditee management time. Although the auditors are working separately, they share a common objective and will meet regularly to review progress. At these points, one auditor may ask another to check on specific areas, documents, records, or systems, and in this way, the team will “cross-fertilize”. If the teams were in there for a short time only, there would be little chance to do this. It can be seen, therefore, that either two people for four days, or four people for two days, is likely to be the optimum. The choice will depend on auditor availability, auditee preference, and cost. In second-party audits, the Auditor Company is paying for the audit. They employ auditors. In the past, it has been common for audit groups to have two people auditing together since there are a number of advantages in having two people working together, for example, corroboration, some “independence” of the second person, timekeeper, special expertise, note-taking, can take over from the leader, etc. However, as costs have risen, it has become more typical for audits to be carried out by individual auditors. In internal audits it has been typical, and remains so, to have one person auditing alone. its objectives, scope, and criteria are appropriate to the nature of the combined audit.
4. Establishing Contact With The Auditee
The initial contact with the auditee may be formal or informal and should be made by the audit team leader. The purpose is to:
- Establish communication channels with the auditee
- Confirm the authority to conduct the audit
- Inform the auditee of the proposed timing and audit team composition
- Request access to relevant documents, including records
- Determine applicable site safety rules
- Make arrangements for the audit
- Agree on the attendance of observers and availability of guides
5. Preliminary Visit
These visits can be of great value since they allow the team leader to meet members of the organization. Much information can be gathered and benefit derived from a preliminary visit. Some of these may include:
- Clarification of the scope of the audit
- Agreement on procedures to be used during the audit
- Resolution of communication and any misunderstandings
- A quick tour to appreciate its scale, layout, and geography
- Perform documentation review
- Degree of readiness and cooperation
- Identification of any special needs – skills, protective clothing
- Provides the auditee with an opportunity to ask the team leader about the way the audit will be conducted.
In summary, the purpose of preliminary visits is to clarify the scope and objective of the audit, agree on the procedures to be adopted during the audit and resolve any misunderstandings. These visits may not always be practical and such factors as time, costs, distance, and availability of personnel to send may need to be considered.
6. Conducting Document Review
The auditee’s documentation should be reviewed to determine the conformity of the system, as documented, with the audit criteria. The documentation may include relevant management system documents and records and previous audit reports. The review should take into account the size, nature, and complexity of the organization, and the objectives and scope of the audit. In some situations, this review may be deferred until the on-site activities commence if this is not detrimental to the effectiveness of the conduct of the audit. If the documentation is found to be inadequate, the audit team leader should inform the program manager and auditee. A decision should be made as to whether the audit should be continued or suspended until documentation concerns are resolved.
Preparing for the on-site audit activities
In preparing the plan, the team leader in consultation with the audit team will decide the strategy for the audit, and there are a number of options. Some auditors favor starting at the point in a company where inquiries from clients are received. The auditors then follow the process through confirming an order, going through technical, procurement, inventory, production, test, shipping, and service, plus taking in specialized areas along the way. This approach may be termed a “process audit”. The auditors follow a specific order or set of processes through the system and examine controls of each process along the way. The process audit approach will require the auditor to look at the following aspects of process management:
- Controls over inputs, outputs, and the value-added activities within a process
- Controls related to the utilization of resources in converting inputs to outputs
- Use of the PDCA methodology in applying the clauses of the ISO 9001:2015 standard to each process
- Reviewing the controls related to the interaction, linkage, and combination with other processes, both on the input and output sides
- Evidence of measurable objectives for each process and metrics to track performance to them
Another strategy would be to do a product audit where the auditor would look for all the controls required by clause 8.1 for fulfilling the requirements of a specific product, service, project or contract, or category of products. Yet another strategy is to consider all the activities in a particular department without reference to the overall workload. This would be termed a “departmental” audit and may include a number of processes within a department. Internal audits in each department often take this approach. There are some ISO 9001 clauses that are applied across the board in all departments such as clause 7 support and clause 10 improvement. These can be audited by themselves or in combination with the process, product, department, or contract strategies. Audits must always be planned. Audits that are not planned are likely to reflect worst practices. Audits may be termed “random”, but without an objective or a plan, then perhaps “unprofessional” should be the preferred term. The plan, therefore, is likely to be a reflection of the combined approach of both “up” and “down” and some “across” the organization. The auditors need to be sure that the plan gives them enough time in each area for sharing information within the team and to advise the auditee of where they are likely to be at any given time.
2. Preparing the Audit Plan
After having been in contact with the organization to be audited, and perhaps made a preliminary visit, the audit team leader will prepare an audit plan, which provides the basis for the agreement among the audit team and the auditee regarding the conduct of the audit. The plan should facilitate the scheduling and coordination of audit activities. The amount of detail in the audit plan should reflect the scope and complexity of the audit. The details may differ, for example, between initial and subsequent audits. The plan should be sufficiently flexible to permit changes in the audit scope, which can become necessary as the on-site audit activities progress. It is up to the team leader to determine how much flexibility to allow so the achievement of the audit objective and scope within the agreed time is not compromised. The audit plan should cover the following:
- Audit objectives, criteria, and reference documents
- Audit scope, including organizational and functional units and processes to be audited
- Dates and places where the on-site activities are to be conducted
- Expected time and duration of on-site activities, including all meetings with auditee or audit team
- The roles and responsibility of audit team members and accompanying persons
- Allocation of appropriate resources to critical areas of the audit
The audit plan should also cover, as appropriate:
- Identification of the auditee’s representative for the audit
- Working and reporting language of the audit
- Audit report topics
- Logistics arrangements
- Matters relating to confidentiality
- Any audit follow-up actions
- Confidentiality requirements
- Audit report distribution and issue date
The Team Lead prepares the Audit Plan as the output of the planning activities. It should be reviewed and accepted by the process manager, and presented to the auditee, and communicated to the audit team members before the on-site activities begin. Any objections by the auditee should be resolved between the audit team leader and the auditee. Any revised audit plan should be agreed to among the parties before continuing the audit. A typical plan might look like the one below based on a two-day audit with two groups. Some of the information above may be included in a cover letter with the audit plan.
3. Auditee’s Responsibility
The auditee has a responsibility to:
- Agree with or clarify the planned arrangements
- Arrange for personnel to be available
- Request full cooperation from all personnel
- Arrange office facilities for auditors
- Arrange for any safety equipment
4. Assigning Work To The Audit Team
The audit team leader, in consultation with the audit team, should assign to each team member responsibility for auditing specific processes, functions, sites, areas, or activities. Such assignment should take into account the need for the independence and competence of auditors and the effective use of resources, as well as the different roles and responsibilities of auditors, auditors-in-training, and technical experts. Changes to the work assignments may be made as the audit progresses, to ensure the achievement of audit objectives.
5. Preparing work documents
Auditors need to go forward armed with the tools of the trade in order to conduct an efficient and professional audit. The audit team members should review the information relevant to their assignments and prepare work documents as necessary for reference and for recording audit proceedings. Such work documents may include a copy of the ISO 9001:2015 Standard, checklists, sampling plans, and forms for recording information such as supporting evidence, audit findings, and records of meetings. Work documents, including records resulting from their use, should be retained at least until audit completion. Confidential and proprietary documents should be suitably safeguarded at all times by the audit team members. Documents pertaining to the audit should be retained or destroyed by agreement between the participating parties and in accordance with the audit program procedures and applicable statutory, regulatory, and contractual requirements. The use of checklists and forms should not restrict the extent of audit activities, which can change as a result of information collected during the audit. Always go prepared with them. They are designed to facilitate your audit by keeping observations and objective evidence organized and easy to retrieve. The auditor tools make you look and perform as a professional.
While conducting the Audit the purpose will be something like:
“To collect objective evidence for an informed judgment about the documentation, implementation, and effectiveness of the organization’s quality management system.”
The primary aim of the checklist is to help the auditor ensure the depth and continuity of the audit; it will also save time during an audit and help the auditor come to an informed judgment. The company conducting the audit usually defines the format of the checklist. The checklist defines the sample. The checklist must, therefore, be as representative as the auditors can make it, bearing in mind the objectives of the audit. The information available to the auditors could comprise:
- Information from previous audits
- Known quality problems
- Management priorities
- Documented Information
- Product/service specifications and information
- Auditor’s own considerations based on experience and knowledge
The preparations must advise the auditors how the auditee’s system is meant to operate and with what documents. There will be a considerable number of checklists prepared for a large audit; probably one for each department, and where different responsibilities exist within a (large) department, perhaps further checklists for each group. The word “checklist” has an unfortunate connotation and smacks of ticks and crosses or “yes” and “no” answers. The checklists are not meant to be that at all. The checklist is becoming more popularly known as an “aide-mémoire”, or memory aid. In developing suitable checklists, another factor must be considered. Not all audits (1st and 2nd party only) are carried out on organizations with quality manuals and comprehensive formal procedures. Many small companies may operate very well, profitably, and consistently satisfy their customers without extensive quality documentation. Any company, in fact, that stays in business has a quality system. At this stage, you might give thought as to how you would plan the steps to audit an organization that does not have a formal documented system. Auditors may find it necessary to ask both very broad questions and some of a much more specific nature. The two types of questions indicate two types of checklists: process criteria checklists and audit checklists. Process criteria checklists convert clauses of the standard into questions related to the process characteristics – inputs, outputs, interactions, value-added activity, controls, etc. Many of the more detailed questions are those for use on an audit checklist. It might be reasonable for an auditor to start off with a criteria question in mind, but then select a sample and ask many other questions. The style and format of a checklist are at the organization’s discretion (1st and 2nd party audits). Less experienced auditors are advised to frame in full the points to probe on a checklist, while a more experienced auditor may use keywords instead.
A good guide to the preparation of a checklist is to think in terms of “what to look at” and “what to look for”. It may be decided to look at documents, records, product, or equipment, and look for approval, completeness, status, and condition.
It may be decided to look at the Internal Audit System and look for a statement of its authority, comprehensive coverage of the system, training of auditors, timely action on findings, and follow-up. Clarity of mind concerning audit objectives and scope is, therefore, a must. The other point made in preparing checklists concerns making the sample representative. How can the auditor do this? There is no simple answer. Always using the same checklist is not to be recommended, although this is widely practiced. For a given department, the auditor should look to see what the “mainstream” activity of that process is: what is its main function? What are the inputs and outputs, the sequence, and interaction with other processes? If a representative sample is to be selected, then it is reasonable to look at what the process spends most of its time doing. Therefore, an engineering office process may be mainly preparing drawings and parts lists, a merchandiser in a retail organization may be mainly assessing products and negotiating prices, and a laboratory may be mainly making up standard formulations. If the purpose of the audit is to establish the degree of conformity with specified requirements, then the representative sample on the checklist should reflect these major activities. However, consider some of the other duties. Engineering personnel may carry out onsite troubleshooting, provide technical advice, prepare sales and service literature, and take technical customer calls. Purchasing agents may also influence outlet stock levels, pricing, display, and safety policy. Laboratories may carry out special studies, development tests, and fault analysis, as well as provide specialist advice. Perhaps some of these aspects should be considered in the audit and, therefore, be added to the checklist. There is a further aspect to be considered by the auditor. The systems in any organization are fine when key personnel are there and no one is absent, ill, or on vacation.
The systems are fine until some pressure is put on them, such as the end-of-the-month rush for invoicing, the major failure of equipment for an important customer, or a flood of warranty claims. What happens when the systems fail? How does the department react to put things right and keep them that way? There is, therefore, considerable choice open to the would-be auditors. The selection of subjects is up to them. The management and/or team leader may, of course, insist that certain samples are taken, but another team of auditors with the same purpose in mind may make a different selection. Neither is right or wrong. It would be impossible to predefine the sample.
There is no shortage of material for the auditor to examine. But there are disadvantages with checklists: they can be standardized and stifle any initiative and analysis of the process; they may become nothing more than a tick list. Very careful planning before the audit is essential. It pays considerable dividends during the audit. Bearing in mind the limited time on any audit, the auditor wants to spend it auditing, not wondering what to look at next. Planning is the secret. Some auditors believe they can conduct a good audit by arriving at the auditee with a blank piece of paper then “following their nose”. There is now considerable evidence that audits done this way are ineffective and all such auditors have done the profession a disservice. These audits are generally biased, providing good material for that auditor’s obsession. The audit conclusion is based on scant information and usually unrelated to the audit objectives. There is a school of thought that says the checklists should be sent to the auditee prior to the audit. This may have the advantage of saving time during the audit, as certain information can be made available. Other schools of thought are opposed to such an idea and, of course, it does depend on what the checklist contains. In principle, it should not matter that the checklists are sent if the auditee understands them and if this contributes to the achievement of audit objectives.
The main purpose of the checklist remains as a memory aid for the auditor. This point is related to another. Some auditors prefer not to advise the auditee that an audit is going to be carried out. In this way, it is argued the auditee area is seen as it really operates and there is no “tidying up” for the audit. There is little merit in this, as having auditors suddenly leap out and take people by surprise is not generally sound policy, nor is it considered to be professional. Successful and effective audits are somewhat dependent on a good and trusting relationship between auditor and auditee. Surprise audits project the image of the auditor as a secret agent and, therefore, add nothing to the trust. It is also true that pre-knowledge of an audit may instigate at least some improvement because people do “tidy up”. This can be a good thing; there is nothing wrong in that. It’s a shame of course if the area needs to be in its tidy state when there is an audit due. However, it is also true that the kinds of nonconformities that can be cleared by a quick “tidy up” are of a very minor nature and often not worth any major audit effort. The auditor, if capable, needs to be considering more important potential improvements.
Advantages of checklists:
- Identifies relevant samples
- Defines a formal audit process
- Requires helpful research
- Helps maintain the pace of audit
- Keeps audit objectives clear
- Gives historical reference as an audit record
- Reduces workload on auditor during the audit
- Assures auditee of auditor professionalism
- Provides space for audit notes
Disadvantages of checklists:
- Can become a tick list
- May be full of yes-no questions
- If not on the checklist, will not look at the area
- May stifle initiative and process analysis
Conducting On-Site Activities
Having made all the preparations with the auditee and confirmed all arrangements, it is proper etiquette for the team leader to contact the auditee a few days in advance of the audit to verify all the arrangements are in place.
Conducting The Opening Meeting
The opening meeting, sometimes called the entry meeting, pre-audit conference, or start-up meeting is typically held at the location of the audit. Good practice demands the auditors arrive together, neither early nor late, otherwise, it can be embarrassing for both parties and, what is more, it is unprofessional. This meeting, like any other, requires preparation by the team leader. The meeting is usually held in a manager’s office or the company’s conference room. It will usually begin with a welcome and introductions by the Process Manager/ Management Representative. The audit team has prepared an agenda to ensure that all necessary points are covered quickly and efficiently. It should be remembered that this meeting may be the first time the two parties (auditor and auditee) have met, therefore, it is an opportunity to make introductions and maybe “break the ice” since many of the auditees may be feeling tense. The way the opening meeting is carried out can set the style or tone for the remainder of the audit. The opening meeting is the place to establish the rules of conduct for the audit. Matters to be addressed include:
- Introduction of personnel
The lead auditor should introduce the team and explain the way they are organized if there is more than one group, particular specialists in the group, etc. It is normally a requirement to record the attendees at this meeting. Passing around an attendance sheet and asking everyone present to record their name and position is a practical solution.
- Audit purpose and scope
Just in case there is any doubt about why the audit is being carried out, and the extent to which the company is going to be examined, the team leader needs to restate these points. In certain situations, the auditee may require evidence or a statement about the team’s authority, although matters such as these tend to be covered during the preparation stage.
- Review of the audit plan
The plan will have been discussed, developed, and agreed upon with the auditee. However, plans may have to be altered slightly and these possibilities should be covered at this stage. The plan should have enabled the company to ensure that someone represents them in each department and has been made aware of the audit and will therefore be available as defined by the plan. The team leader should confirm the intention to keep to the plan to the extent possible.
- Audit Methods
Describe briefly the methods that the auditors will use to gather objective evidence, such as interviews, observations, document and record reviews, and trend analysis.
- Reporting methods
The method of recording nonconformities, and of presenting the audit report that will be left by the auditors at the end of the audit, will need to be explained by the team leader.
- The audit is a Sample
The team leader should make it clear that the audit is a sampling activity and subject to those limitations. A good statement to make is “This assessment is based on representative samples and, therefore, nonconformities may exist that have not been identified”. Both conforming and nonconforming aspects will be seen and missed. The team leader should assure management, however, that they will make samples as representative as possible and draw only reasonable conclusions.
Logistics covers all the other arrangements: transport, protective clothing, lunch arrangements, and facilities for use by the auditors.
Although any major restrictions to the auditors will tend to have been made clear during the planning stage, these may need confirmation or discussion during the opening meeting. Such restrictions include clean areas or hazardous areas where particular arrangements for protective clothing have to be made.
- Clarification
There may be questions or points the auditees wish to raise and the team leader should deal with these items during the opening meeting. The team leader also needs to confirm the current issue status of the key documents in the quality management system.
When all the above and any other matters have been dealt with, the team leader should bring the opening meeting to a close by thanking the management and confirming the date, time, and location of the closing and any interim (end of day management briefings) meetings.
Communicating During the Audit
Depending upon the scope and complexity of the audit, it can be necessary to make formal arrangements for communication within the audit team and with the auditee during the audit. The audit team should confer periodically to exchange information, assess audit progress, and reassign work between the audit team members as needed. During the audit, the audit team leader should periodically communicate audit progress and any concerns to the auditee and top leadership, as appropriate. Evidence collected during the audit that suggests an immediate and significant risk (e.g., safety, environmental, or quality) should be reported without delay to the auditee and, as appropriate, to the top leadership. Any concern about an issue outside the audit scope should be noted and reported to the audit team leader, for possible communication to the auditee. Where the available audit evidence indicates that audit objectives are unattainable, the audit team leader should report the reasons to the auditee to determine appropriate action. Such action may include reconfirmation or modification of the audit plan, changes to the audit objectives or audit scope, or termination of the audit. Any need for changes to the audit scope that can become apparent as on-site audit activities progress should be reviewed with and approved by the process manager and, as appropriate, the auditee. Auditing deals with people. People are unpredictable in their behavior, emotions, and dispositions. A good auditor must know how to interact and get information from people in an effective manner.
Auditor Communication Skills:
- Put auditee at ease before interviewing
- Ask and listen
- Ask short questions
- Show interest in people; what they say
- Reflect the right attitude and tone of voice
- Be tactful and polite
- Watch body language and facial expressions
- Show patience and understanding
- Smile and show eye contact
- Turn off your own problems
- Avoid interruptions and contradictions
- Remember to say please and thank you
- Avoid off-the-cuff or condescending remarks
- Ask the right person
- Give praise when appropriate
- Don’t say you understand if you don’t
Any audit carried out anywhere has an objective. Auditors who lose sight of this will not be effective. They are better off asking two questions than losing their way because they asked only one. The quality of the audit can be considered in terms of achieving the audit objectives. The ability to discover information of relevance (facts related to the audit objective) is dependent on the ability to ask the right questions. The apt quotation below, though in danger of being over-quoted, so suitably and elegantly encapsulates the basis of all successful questioning:
“I keep six honest serving men,
they taught me all I knew,
their names are What and Why and When
and How and Where and Who.”
(Rudyard Kipling, “The Elephant’s Child”).
Elsewhere, particularly in quality training, they are called 5 W’s and an H. Although a clumsy description, the idea is the same. Questions beginning with these words will elicit more than just Yes or No answers and are, therefore, called open questions. It takes longer to answer such a question than it does to ask, so the auditor also gets some thinking time. Auditors can control the tone of discussions to their advantage with the use of these questions since the questions demand meaningful answers. It is impossible to correctly answer an open question with a Yes or No response. There are different types of questions:
- Themed questions set a theme quite clearly before posing a question, e.g., “Talking of process validation, how do you … ?”
- Expansive questions expand the conversation and create a high level of empathy because they show the auditor is interested in the points the auditee has put forward. They can often clear up vague areas for the auditor, as well as clarify the auditee’s perception, e.g.,
“How important is it for you to be advised of this type of procedure?”
“Why do you feel there is a need for … ?”
“How can you be certain the supplier can deliver … ?”
“What areas are you thinking of?”
- Opinion questions are often neglected. There is a danger in straying too far from fact, but this type of question can be very useful for gaining someone’s attention or for gaining new approaches to problem-solving. They indicate that the auditor regards the auditee’s view as important, thereby raising the auditee’s self-image, plus they encourage the auditees who regard themselves as the local expert to say more. They can also encourage junior people in an organization to say more.
“What do you think would be the most effective … ?”
“How would you go about … ?”
- Investigative questions are most useful when the auditor is not sure whether the auditee has fully understood what has been said, but avoids making it obvious that the auditor realizes the lack of understanding. The auditee can feel at ease and the auditor is able to clarify a point without embarrassing the auditee.
“Can you tell me why this unit marked with a red tag is on the pallet of finished goods tested OK?”
- Non-verbal questions may seem to be a contradiction in terms, but questions do exist in this form. For example, the raising of the eyebrows while maintaining eye contact can indicate a wish for the auditee to continue. Also, remaining silent after you have been given an answer and continuing to look at the auditee in an expectant manner often encourages people to carry on talking without verbal interruption. Such a technique must be used with care to avoid the appearance of an interrogation.
- Repetitive questions are used to gain time since they keep the conversation going. For example, an auditee might say, “I don’t think a written procedure is necessary”, and the auditor asks, “You don’t think a written procedure is necessary?” The auditee is obliged to answer the question.
This type of question should be used like the “dumb” question. No question should be considered too stupid for the auditor to ask if the audit objectives are going to be met. However, repetitive or dumb questions should be used sparingly. If overused, the repetitive questions can be seen as an inability to communicate, and too many dumb questions may cause the auditee to wonder whether it is deliberate or not.
- Hypothetical questions should also be used with care. It is reasonable to ask people what they would do if an instruction is not received or if key individuals were unavailable. It is not reasonable to add together a complicated set of possibilities in the remote chance that this would possibly cause a problem. There is usually enough material in actual current practices without overdoing hypotheses. It can, however, be a good way of finding out what the priorities are and what sort of contingency planning has taken place in the system, for example, “What if no calculations satisfied this equation?”, “Suppose the power failed?”
- Closed questions are ones that can be answered Yes or No. They are assumptive and can be very powerful. They should only be used in audits where the Yes and No answer can quite definitely be given because of what has gone before. They should be used to verify that the auditor has clearly understood what has been explained. They can also be used when an auditor wants a commitment from someone, for example, “Has the rate of customer complaints risen?” (Yes). “So if we examined the causes of these complaints and took action we could reduce them?” (Yes). Such questions can also save time, although they should not be used for this reason alone on an audit. Another type of closed question is the leading question that is used when a quick reply is required and the auditor wishes to suggest the right answer. For example, “So you will go ahead with this corrective action and report back within two weeks?” In this way, the auditor leads the question to an obvious answer and (probably) gets the commitment to the preferred line of action. Leading questions are common in bad audits and rare in good ones. The auditor should not lead the auditee to an answer except perhaps after exhaustive attempts have been made to reach a conclusion by other means.
Without a doubt, the ability to ask questions of the right type is one of the most powerful tools in the auditor’s toolbox. It is taken for granted as a management skill, but auditors must learn to identify and use the appropriate techniques. In this way, they will improve communications and conduct more effective audits.
The Roles And Responsibilities Of Audit Participants
- It is in the team leader’s interest to keep the number of people in such a group to a minimum, but with patience, good management and a clear idea of the audit objectives, the auditors can carry out the audit with even a large following.
- It must be made quite clear to all in the party that only two people should speak during the audit: the auditor and the person being interviewed at the time.
- The team members carry out the audit as per the audit plan and support the lead auditor. The team leader manages the audit team and also shares in the auditing workload.
- Observers do not participate in the audit. They can only watch the audit, take notes as necessary, and clarify issues at the audit team meetings.
- Experts may be used when auditing a highly specialized business. Their role is not to audit, but to provide technical guidance on products, processes, and activities.
- From the auditee side, guides take audit team members to the specific parts of the organization and introduce auditors to various auditees at the scheduled times. They should ensure that the audit team is aware of and conforms to the safety and security rules of the organization. They should not participate in the audit interview unless invited to do so by the auditor, perhaps to clarify a question or assist in collecting information. They should take notes and witness the audit observations. Observers and trainees must not participate in the audit interview but should take notes to witness or learn.
- Consultants must declare their relationship with the auditee and must not participate in any of the audit activities unless permitted to do so by the team leader.
Collecting and verifying information
During the audit, information relevant to the objectives, scope, and criteria, including information relating to the interfaces between functions, activities, and processes, should be collected by appropriate sampling and should be verified. Only information that is verifiable may be audit evidence. Audit evidence should be recorded. The audit evidence should be based on samples of the available information. Therefore, there is an element of uncertainty in auditing, and those acting upon the audit conclusion should be aware of this uncertainty. Process from collecting information to reaching audit conclusions:
The purpose of an audit is to collect audit evidence, to generate audit findings by evaluating that evidence against audit criteria, and then to review all individual findings to reach an overall audit conclusion about the degree of conformity and effectiveness of the quality management system. Auditors must not allow their opinions or prejudices to influence decisions. Audit evidence supports the existence or conformity of an element of the quality management system. The evidence must be capable of being verified and may be:
- Information, records, or statements of fact
- Qualitative (non-numerical) or quantitative (numerical)
- Based on observation, measurement, or test
Audit information can exist in a variety of forms:
- It may be quantitative, such as numerical performance data on products, processes and the QMS.
- It may be qualitative, such as from interview, observations and documents.
- The auditor must decide if the information is relevant to the product or quality system.
- Statements can be used as objective evidence when made by those responsible for the activity being audited – known as “admissible statements”.
- If possible, auditors should gather documented support for the admissible statements.
- Nonconformities, when found, must be quantified for communication to the auditee.
Techniques to obtain objective evidence include:
- Interview People:
- that manage, perform and verify activities
- with responsibility and authority for work
- Observe Operations:
for identification, status, condition, flow, and operation of facilities, materials, product, equipment, processes, and tasks
- Review Documents:
- pertaining to processes and activities
- for details of why, who, what, when, and where
- Examine Records:
for objective evidence of implementation of processes, activities, controls, inspections, and tests
- Evaluate Results:
- to summarize and analyze the audit observations
- to determine the effectiveness of the quality system
- Objective evidence is obtained by sampling processes, people, documents, and records
- It is based on a small representation of the audited activities
- Not finding nonconformities does not equate to total assurance of control
- Determine sample size and selection based on:
- past problems
- audit time span
- Collect the sample on a random basis (ask permission of the auditee)
- Don’t let the auditee select the samples and possibly bias the representation
- Don’t dig deeper, or select another sample, if the first sample doesn’t find nonconformities
- If no nonconformities are found, move on to the next area of the audit
- Review and agree on conformity with the auditee, guide, and department head
- Deviate from the audit checklist, if appropriate
- Follow unexpected audit trails only if warranted (consult Management Representative or team leader)
- Consider minimal sample size guidelines of 4/10; 10/100; 20/1000
Generating Audit Findings
Audit evidence should be evaluated against the audit criteria to generate the audit findings. Audit findings can indicate either conformity or nonconformity with audit criteria. When specified by audit objectives, audit findings can identify an opportunity for improvement. The audit team should meet as needed to review the audit findings at appropriate stages during the audit. Conformity with audit criteria should be summarized to indicate locations, functions, or processes that were audited. If included in the audit plan, individual audit findings of conformity and their supporting evidence should also be recorded. Nonconformities and their supporting audit evidence should be recorded. Nonconformities may be graded or classified. They should be reviewed with the auditee to obtain acknowledgment that the audit evidence is accurate and that they are understood. Every attempt should be made to resolve any diverging opinions concerning the audit evidence and/or findings and unresolved points should be recorded.
Evidence gathering process
In order to gain the facts and enough of them from which to come to a conclusion, auditors have to examine samples of documents, items, products, etc. Only the auditors can decide how many samples should be taken. It would obviously be dangerous to see one example of a system in correct operation (when there are hundreds of examples that could also be looked at) and assume that because one had been seen the system was correct all the time. Similarly, it would also be wrong, particularly if a minor aspect is being considered, to look at every single example. Typically, the sample size can vary between 6 and 30 items. In most cases, this small number will be sufficient as long as some attempt has been made to make it representative. To make a sample representative, it needs to be chosen at random. One way to do this is for the auditor to make the choice of sample with management permission. The “sample” may even be the people to interview. The smaller the set of evidence, the smaller the sample. However, in some cases, a 100% sample might be appropriate. For example, if management reviews are held quarterly and surveillance audits semi-annually, both sets of meeting minutes would be examined. The auditor may wish to confirm that the manager’s understanding of a system is the same as that of the operator. Again, provided the auditor asks for and receives permission, it is good practice to “audit where the action is” and speak to the people doing the work. The audit will continue in this vein. The auditor asks the departmental representative how something is done and confirms what has been said by examining samples or talking to someone else. Certain systems, for example, those for documentation control, are company-wide and every department has examples of documents. The auditor needs to be clear about who is responsible for what when verifying the correctness of the documents seen in any given department.
Auditors should always seek the help of local personnel affected by the system in question in understanding the evidence. Naturally, the kind of evidence often being produced is that which will show a failure of the system or a lack of management control. Provided that the auditor has remained objective, has been open with the people contacted, and has invariably been polite in requests for information, there should be no difficulty in reaching an agreement on such points with the responsible persons.
Only the most experienced auditors make sufficient notes of all the relevant things seen and heard during an audit. It is obviously an extremely important technique to develop. The auditors must record enough information to make an informed judgment based on an adequate set of notes containing considerable facts. Notes need to be taken of references to documents, item identification, batch numbers, job numbers, statements, who said them, job titles, relevant questions asked, etc. This information needs to be legible and needs to be retrievable. Much of it might be referenced in subsequent audits, either in the next department to be visited, or in a department to be visited by another member of the audit team. It will also be used in the verbal and written reports to the auditee for the purpose of defining areas of nonconformity or raising points for discussion. Notes will form part of the Registrar’s customer record file and might also be referenced by auditors on subsequent audits. The auditor’s notes during an audit remain part of the record system and as such should be retained for a given period. Clearly, they need to be usable and understandable if there is a subsequent need to reference them (perhaps months or years afterward). The format of notes and the medium on which to write them are matters for each auditor to decide. Many use clipboards with loose sheets that are then clipped together; others find a notebook more practical. Whichever format they use, auditors must safeguard the confidentiality of the information they gain during the audit.
Control of the Audit
At all times, the team leader is responsible for maintaining control of the audit. Experience helps auditors to develop their own way of working in an area and then adapting various techniques as each situation demands. On entering an area and being introduced to the departmental representative, the team leader should go over the audit plan for that area with the departmental representative and the guide. Their advice as to the best sequence to follow can usually be taken. The items on the checklist are then worked through in a systematic manner. The amount of time the auditor has to spend talking to management in each area about their system will vary according to how much information was originally made available to the auditors. Where there was very little detail, then more time may have to be spent determining some of the basic controls. In order to understand some of these controls, the auditor will not only speak to management, but also to the people doing the work. If the auditors find no evidence of nonconformities, they can and should proceed quickly. Having covered their sample, they should move on. Auditors should never continue the investigation in one area until something wrong is found. Doing that is adding bias to the sample; it is making a sample less representative than the one that was chosen during the planning stage. The checklist outlines what the auditors want to look at and what they are looking for. The auditors have an audit objective in mind. As the audit proceeds, situations arise where the auditor has to decide whether to continue the investigation or whether to leave it there. If the team leader thinks continuing the investigation will be useful as far as achieving objectives is concerned, then the checklist can be ignored and the desired audit trail followed. In doing that, a longer period may be spent than was originally planned to examine a particular aspect. 
This means the rest of the audit must be compressed or parts removed, otherwise, the auditors will not finish within the allocated time. If there are problems, the auditors must examine the evidence to the depth necessary to gain objective evidence.
In the context of audits, the concept of objective evidence is very similar to the concept of the expert witness in a court of law. When a witness is called an expert in a given technology or skill, their evidence in that specific area is taken as being objective. On an audit, people are not being put on a “witness stand”. However, when people are talking about their area of responsibility for action or decision, then their evidence is admissible. Statements made outside their areas of responsibility are viewed as hearsay. It is good auditing practice to seek out documented support where possible, for all stated evidence. Objective evidence is also that which is seen. It is possible to observe the lack of status, signature, protection, or a label. It is possible to see records, or lack of them, and to examine items or material. The senses of sight and sound are probably the ones most used in audits.
As the audit proceeds, there might arise situations where the facts indicate there is a failure, either partially or wholly, of the quality management system. Such a situation is called “a nonconformity”.
What is nonconformity?
- a condition adverse to Quality
- the non-fulfillment of a requirement
Examples of requirements:
- Conditions of contract
- ISO 9001 standard
- QMS documentation
- Regulatory and industry
There may be nonconformity for one of three reasons:
- the procedure or defined process does not conform to ISO 9001 requirements
- the procedure or process has not been put into practice in the described way
- the practice, what is actually done, is not effective (planned results not achieved).
Many situations arise during an audit with the potential to become nonconformities. As soon as the facts are indicative of nonconformity, the auditors should immediately voice their thoughts to the departmental representative. This is certainly not a cause for rejoicing, but total openness from auditors will encourage the same from the auditee. It is essential that both parties fully understand the problem and how serious it is. Auditors will often need a little help from the auditee to do that. Once the facts of the matter are established, they should be written down by the auditor and agreed to by the auditee. It is generally not good practice to complete the form during the interview, as doing so might break the flow of the interview and rush the writing of the nonconformity statement. The auditee should agree with the facts at this point (and certainly before the auditors leave the area for another part of the audit). The statement of nonconformity needs to be in a format understandable both to people in the audit and to those who were not. People who were not present at the audit will often be assigned to take the necessary corrective action. This need alone defines some rules for the recording of nonconformities:
- Exact observation of the facts. Only the facts are needed and the reporting of them needs to be exact.
- Where was it found? The statement needs to identify exactly where it was found, otherwise, it may not be found again.
- What was found? It needs to be clear so that people understand what aspect of the system is nonconforming.
- Why is it a nonconformity? The statement needs to make it clear which specified requirement has not been met.
- What is the objective evidence of the nonconformity? What audit evidence do we have – records, documents, statements or observations for our nonconformity findings?
- Who was involved? The statement often has no need to involve specific people, but where the objective evidence was based on a statement, then the statement and the originator(s) need to be clear. Job titles rather than names should be used.
- Use local terminology. The industry has its own names for certain activities, documents, etc. These unique terms should be used for clarity.
- Make it retrievable. Someone has to go back after the audit and put it right, possibly after a considerable period of time.
- Make it helpful. To be helpful, nonconformity statements should be complete, correct, concise and clear. Suggestions, particularly on external audits, are not recommended, nor are they the auditor’s duty. Some examples of typical nonconformities will allow at least some of the above points to be made, assuming these are from audits to ISO 9001.
The number of nonconformities that can arise during an audit can be numerous. However, it is unlikely that they are all equally serious. The auditor needs to be able to differentiate between those that are serious and those that are less so. In order to help with this analysis, there are three questions the auditor can ask:
- What could go wrong if the deficiency remains uncorrected?
- What is the likelihood of such a thing going wrong?
- Is it likely the system would detect it before the customer is affected?
It is also common practice for auditors to raise opportunities for improvement that are points of concern, but for which there is insufficient objective evidence to raise a nonconformity. Opportunities for improvement are an additional way by which auditors can be seen as being helpful.
The definition of a MINOR nonconformity:
- Failure to conform to a requirement which (based on judgment and experience) is not likely to result in QMS failure
- A single observed lapse or isolated incident
- Minimal risk of nonconforming product or service
- A drawing marked up with unauthorized changes
- A purchase order released without review and approval
- An inspection instrument passed its calibration date
- A training record not available
Minor nonconformities have little likelihood of allowing nonconforming products or services to be delivered or of causing a breakdown of system control. They do indicate that there are occasional lapses that must be formally addressed through corrective action.
The definition of a MAJOR nonconformity:
- The total breakdown of the system, control, or procedure
- Absence of an ISO 9001 requirement
- A number of minors related to the same clause
- A nonconformity that would result in the probable shipment of nonconforming or uninspected product
- A condition that may result in the failure or materially reduce the usability of the product for the intended purpose
- A nonconformity that experience and judgment indicate will likely result in QMS failure or materially reduce its ability to assure controlled processes and products
- Between these two extremes a number of less serious nonconformities, when considered together, may identify a system failure and hence a Major nonconformity.
- No documented information for any required element of the standard
- Document changes routinely carried out in an unauthorized manner
- Critical purchases made from unevaluated suppliers
- Product shipped without required inspection and tests
- Majors represent serious problems in the system that must be addressed with attention and resources on a priority basis. They put the business at risk with customers and the Registrar.
In an internal audit, many organizations do not differentiate between major and minor nonconformities. The auditors need to consider all the evidence available to see whether a process or sub-system of the QMS is failing. It is the combination of all the evidence that will contribute to the informed judgment that the auditors will be required to present to the organization.
Some Examples of Major Non-Conformance, Minor Nonconformance, and Opportunities for improvement.
1. In an XYZ company, while auditing in the Insurance claims manager’s office, the auditor saw an office file titled “Insurance Process Guide” lying on a shelf. The auditor was told that these are important Standard Operating Procedures. He promptly glanced through work procedures No. PWP02, PWP04 & PWP06 contained in section A of the “Insurance Process Guide”, which were at revision status 01. The auditor cross-checked these SOPs on the company’s central server and noted that PWP02 & PWP04 were at revision status 02 and PWP06 at revision status 03.
The company under Audit: XYZ
Non Conformity Number: 5
The area under review: Insurance claims’ Manager office
ISO 9001 clause number: 18.104.22.168(c)
Nonconformity statement: In the Insurance claims’ Manager’s office, an office file titled “Insurance Process Guide” was found without version control and with no suitable identification. There was no control to prevent unintended use of this obsolete document and to apply suitable identification to this document.
2. In a material procurement department, the purchasing process describes that all the purchase orders must contain complete details of the material ordered. While sampling, the auditor selected 10 purchase orders and found that P.O No. A-10, B-44 & K-22 contain insufficient information relating to material specifications. The materials manager explained that there is no need to incorporate these details since these are our regular suppliers and are well aware of material specifications.
The company under Audit: XYZ
Non Conformity Number: 6
The area under review: material procurement department
ISO 9001 clause number: 8.4.2
Nonconformity statement: In the material procurement department, P.O No. A-10, B-44 & K-22 contain insufficient information relating to material specifications. P.O No. A-10, B-44 & K-22 do not describe the purchase requirements for the purchased product.
3. In a laboratory, the samples are identified by a unique sample code. The auditor examines the records, which are held in a computer database. Each database record has five columns, one each of the following: 1. Sample code, 2. Date, 3. Test Results, 4 Decision on next action, 5. Approval for decision. In a representative sample of 20 records, 18 records are fully identified but on 2 records, the last two columns relating to the decision are blank.
There is not sufficient evidence of nonconformity to indicate that the person authorizing the release of the product has not been recorded. I would try to find evidence of:
- Whether there are any other records that indicate the person(s) authorizing the release of the product for delivery to the customer.
- Whether records provide evidence of conformity to requirements.
- Has the organization established a documented procedure to define the controls needed for identification, storage, protection, retrieval, retention, and disposition of records?
- Are Records controlled?
- Have the characteristics of the product been monitored and measured to verify that the product requirements have been met?
- Is the release of the product to the customer taking place before the planned arrangement has been satisfactorily completed or unless otherwise approved by a relevant authority and where applicable, by the customer?
- Does the organization ensure that the product which does not conform to the product requirements is identified and controlled to prevent their further use?
- Do the personnel working in the laboratory have the necessary competence on the basis of appropriate education, training, skills, and experience?
4. After the recently concluded internal audit of a company, the auditor noted that the quality manager had compiled a summary of NCRs which showed 100 NCRs. The sales department had the most NCRs, at 75%; the rest of the NCRs were evenly distributed among 5 other departments, and 2 departments received no NCRs. The Quality Manager explained that corrective and preventive actions have already been initiated and that the six-monthly interval for internal audits has been adhered to ever since the system was put in place 3 years ago. The sales department deals with the review of product requirements.
The company under Audit: XYZ
Non Conformity Number: 6
The area under review: Internal audit
ISO 9001 clause number: 9.2.2(a)
Nonconformity statement: After the recently concluded internal audit of a company, the auditor noted that the quality manager had compiled a summary of NCRs which showed 100 NCRs. The sales department had the most NCRs, at 75%; the rest of the NCRs were evenly distributed among 5 other departments, and 2 departments received no NCRs. The audit program was planned without taking into consideration the status as well as the results of the previous audits.
5. In a packing section of a food processing unit, the auditor notes that 6 out of 18 people are not wearing company-issued nylon headgear, which is contrary to the work procedure OCP 13, Issue 2.
Company under Audit: Food processing unit
Non Conformity Number: 7
The area under review: packing section
ISO 9001 clause number: 7.3(d)
Nonconformity statement: In a packing section of a food processing unit, 6 out of 18 people are not wearing company-issued nylon headgear, which is contrary to the work procedure OCP 13, Issue 2. Personnel performing work affecting conformity to product requirements are not aware of the implications of not conforming with QMS requirements.
6. In an audit of a “placement agency” named Zzz, the auditor was looking at the procedure for handling nonconformity. Zzz Company had defined that if a person appointed by the client through Zzz resigns within three months, then such an incident is treated as a nonconformity. When auditing the concerned officer, she asked what mechanism is used to obtain information about such resignations. She was told that this information is given by the client in the feedback form. The auditor noted that the feedback form FCS-01R03 did not have any column or question related to this information. Also, she noted that most of the feedback is received within two weeks of the appointment of the person.
The company under Audit: Zzz
Non Conformity Number: 8
The area under review: Placement agency office
ISO 9001 clause number: 8.7.1/9.1.1
Nonconformity statement: In a Placement agency office, the auditor finds that the output that does not conform to their requirement is controlled. There are no suitable methods for monitoring and measurement of the QMS processes.
7. During an audit of a scheduled bank, the auditor observed that the envelopes containing bank cheques were being cut open by the attendant in a haphazard manner. The ‘Cheque clearance’ department of a bank deals with the collection of cheques for onward clearance and crediting to the customer’s bank account.
The company under Audit: scheduled bank
Non Conformity Number: 9
The area under review: cheque clearance dept.
ISO 9001 clause number: 7.2/7.3
Nonconformity statement: In the cheque clearance dept. of a scheduled bank, the attendant was found to cut open the envelopes containing bank cheques in a haphazard manner. Personnel performing work affecting conformity to product requirements are not competent on the basis of appropriate training, skills, and experience. The personnel are not aware of the implications of not conforming with the QMS requirements.
9. While auditing the Superintendent of a medical ward in a hospital, the auditor had noted that “Discharge against medical advice” is considered to be a crucial control parameter and is closely monitored by the Superintendent. While auditing the records of discharges in the ward, the typical pattern was noted week after week.
When asked for details, the Matron-in-charge of the ward told me that senior doctors are not available on Sunday. Internees authorize discharge for some patients, which are then regularized by senior doctors on Monday.
There is insufficient evidence of nonconformity to indicate that patients were discharged without the approval of the senior doctors. I would try to find evidence of:
- Whether the senior doctors instruct the internees, either by phone on Sunday or verbally on Saturday night, to release the patients when certain conditions are fulfilled
- Whether the patients are released only after planned arrangements have been satisfactorily completed
- Whether the monitoring of patients and measurement of test results, where appropriate, are carried out at appropriate stages
- Whether proper analysis of data takes place to confirm the wellness of the patients before patients are discharged
- Whether proper measurement and monitoring processes are in place to determine the wellness of the patients
- Whether the person authorizing the discharge of patients against medical advice is recorded
10. In an unaided school, while auditing a secondary school supervisor, the auditor noted that when a particular teacher was on leave, the school had used the services of one Mrs. A. The auditor asked for the qualification records of Mrs. A. He was told that Mrs. A is a renowned scholar and had offered her services free. Therefore the supervisor dared not ask for her qualification record.
The company under Audit: unaided school
Non Conformity Number: 10
The area under review: secondary school supervisor
ISO 9001 clause number: 7.2(d)
Nonconformity statement: It was found that the qualification record of a particular teacher, Mrs. A, was not recorded. The school had failed to maintain the appropriate records of education, training, skills, and experience.
11. In a particular office of the revenue department of the government of XXXX, the auditor was auditing one of the clerks who was sitting at the counter directly in contact with people. When asked for the Quality policy, the clerk pointed at a board that showed information about the RTI Act. The auditor then asked who is top management in the context of QMS and was told that the Chief Minister is top management. The auditor then asked what the product of their department is; the clerk replied that they are a government department and not a manufacturing company.
The company under Audit: government of XXXX
Non Conformity Number: 11
The area under review: revenue dept
ISO 9001 clause number: 7.3
Nonconformity statement: In the revenue dept of the government of XXXX, a clerk was found to have no knowledge about the Quality policy, top management in the context of QMS, and the product of their dept. TM did not ensure that the Quality policy was communicated and understood within the organization. TM did not ensure that appropriate communication processes were established and communication regarding the effectiveness of the QMS took place.
Reaction of Auditees
If an experienced auditor cares to look back over several different types of audits they have done, the likelihood is they will be able to recall a whole range of auditee reactions they have experienced, from outright hostility to willing cooperation. The auditor has to be prepared to meet and deal with this range of reaction. In general, top management will set the “tone” by their general interest and involvement in quality assurance (or lack of it). Although it must be said that as organizations realize more and more the full benefits of ISO 9001, auditee reactions are very much on the decline and normally occur when faced by a negative auditor. Let’s look at some possible reactions.
- Authority – This can work both ways. Some auditees become protective of their departments or company and try to “browbeat” the auditor. The auditor must insist firmly, but politely, on being given respect (provided, of course, the auditor gives it first). Some auditees feel “inferior” to the auditors, and because the auditors are a representation of authority, become nervous. The auditor must use patience and politeness, and where appropriate, be empathetic.
- Antagonism – For whatever reason, auditees may occasionally become hostile and aggressive towards the auditor. Naturally, the auditor must ignore any rudeness from the auditee. However, they may have to spend slightly longer in the area using patience, firmness, and politeness as their main defenses.
- Diversionary tactics – These tactics can be many and varied. Anything that uses up time that was otherwise planned for auditing can be included here. People may sometimes be very well-meaning, but if they spend a lot of time explaining things that the auditors have not asked them for, they must be politely stopped. Videos about the company can be very interesting and sometimes useful, but if not relevant to the audit, should be avoided (as should the interesting machine or process). Auditees will sometimes appeal to your curiosity and want to show the “latest thing”. It is not always a deliberate ploy, but the departmental representative can waste a lot of time “just going off to get what you want”. The auditor should accompany the person, or perhaps arrangements can be made to get it later. A lot of time can also be wasted while the auditee answers the telephone, or involves the employees in a lot of discussion about matters external to the audit. Sometimes, auditors are kept waiting for information, or for auditee representatives to appear, because they are on the telephone or in a meeting. If this does happen, then above all do not get angry, be firm yet polite, refrain from critical comments and confrontation, continue with the audit plan and point out that there are many areas still to be covered in the remaining time. If the problem arises again, speak to the management representative.
- Volunteered information – Auditors receive a lot of data during an audit. They hope to get the information they want in an effective manner. Sometimes, people give them the information they have not asked for, maybe about a failure in part of the quality system. The auditor is now in a quandary. Do they follow up that lead now, later, or do they ignore it? It may be a “red herring”, taking up a lot of time and leading nowhere. It may be important and relate to the audit objective. Only experienced auditors will tend to make the right decision here. There is no right answer and it is just one of the many things an auditor has to consider while performing an audit.
- Internal conflicts – Audits can be stressful on all involved and sometimes findings during an audit provoke an argument between members of the organization. The audit is not the place for this and the auditor needs to use a little tact in smoothing the situation, without getting involved, and continue with the audit. Seek objective evidence without being seen to take sides.
- Continual challenge – The auditee has the right, and indeed the duty, to challenge auditors that reach conclusions on the basis of unsound information. This can happen where auditors are not fully briefed about contract conditions, product requirements, or where they stray from objective evidence. However, it is for the auditor to continually put up a strong and factual case for all conclusions reached so that the auditee accepts them.
- Enlisting help – In some companies, the Quality Assurance staff often guides auditors around during an audit, and frequently a good rapport is developed. If the Quality Assurance people are having difficulty in getting the corrective action taken, they may “lead” the auditors to deficient areas. While not exactly volunteering information, the auditee is enlisting the (powerful) support of customer representatives. The auditors may use this information by gaining facts (considering how to protect their sources) so that any nonconformities found are indisputable.
Audit Team Meeting:
An audit team meeting should be held after the auditing process completes so the team leader can plan the closing meeting in detail, and ensure the team knows what is going to be presented to the organization in the way of nonconformities and a summary. The team leader chairs the audit team meeting and has some points that must be covered:
- To complete the recording of all nonconformities with supporting audit evidence
- To review the audit findings, and any other appropriate information collected during the audit, against the audit objectives
- To agree on the audit conclusions, taking into account the uncertainty inherent in the audit process
- To prepare the Audit Summary Report
- To prepare recommendations, if specified by the audit objectives and
- To discuss audit follow-up, if included in the audit plan
The team meeting needs to be at least an hour before the closing meeting, or less if some of the work has already been completed (for example, the night before). Some auditors try to “squeeze in” a bit more auditing at this point. The law of diminishing returns applies and very little will be gained by trying to rush through some more auditing. There is no set rule about who presents the information. The team leader may present everything, both the nonconformities and the summary, or the team members may be asked to present the nonconformities they found. The review of nonconformities is important and members should be rigorous in their review of one another’s statements. Are all the facts there? Is it clear it is a nonconformity? Can it be read easily? Is it grammatically correct? As a result of the “review team” findings, the team leader prepares an audit summary. This summary reflects the degree to which a company is conforming to its own documented quality management system and the ISO 9001 standard. As a suggestion, a team leader should answer three questions asked about the quality management system in an audit:
- Is there a documented (and defined) system addressing the clauses of ISO 9001? To what extent? (audit of documentation)
- Has this documented system been put into practice? To what extent? (audit of implementation)
- Is the quality management system achieving objectives? To what extent? (audit of effectiveness)
  - Are nonconformities being prevented by the existing controls?
To answer these questions, the nonconformities raised will give some guidance.
Further questions may be answered by the summary:
- Do the nonconformities indicate weakness in any particular department, process, or ISO 9001 clause within the audit scope?
- Do the nonconformities indicate weakness in any particular part of the QMS?
The team leader also prepares an agenda for the closing meeting and arranges, either through a team member, for copies of all nonconformities to be passed over to the company’s management at the appropriate time. It is ideal, but by no means possible on every audit, for the team leader to organize the seating arrangements for the closing meeting. This is not for any underhand reason, but they should try to ensure that the arrangements suit the purpose and no one is in an awkward position. Often, the closing meeting is in the very room the auditors used for their team meeting.
Audit Conclusions – QMS Effectiveness
As the audit comes towards the end, the auditors should be gradually building up a picture of the organization’s QMS strengths and weaknesses. This is the composite picture the auditors are required to present at the closing meeting and in their written report. The team leader has the responsibility for generating this composite picture as their audit conclusion of the degree to which working systems conform to stated requirements and objectives (and the Standard), after consideration of all audit findings. This information comes from the findings during the audit, but it is necessary to “sort” this so that a reasonable conclusion can be reached (assuming nonconformities have been found):
- number of major nonconformities raised
- number of nonconformities raised during the audit of defined processes and documentation (intent)
- number of nonconformities raised during the audit of implementation (practices)
- number of nonconformities related to the effectiveness of the system
- number of nonconformities raised against each clause of the Standard
- number of nonconformities in each department or area of responsibility
- The capability of the management review process to ensure the continuing suitability, adequacy, effectiveness, and improvement of the management system
Based on this, a picture emerges of the kinds of failure found, relative frequency, where found in the company, and the quality management system requirement (clause of the standard) that is weakest. However, this is not the only information the auditor should be considering. A further picture can emerge from examining the following:
- Internal failures – How many modifications to drawings, specifications, or purchase orders were made that should have been avoided? How much avoidable product scrap, rework, and concessions or waivers occur?
- External failures – How often do customers complain and/or return the product? Is there a large Returns department?
- Past Audits – Have recent internal and external audits established many nonconformities?
- Trends – Do they consider any or all the above in reviews to establish how their quality management system should be changed to prevent such events in the future? Is the number of nonconformities rising, static, or falling?
- Corrective action – Has there been any evidence to show that a strong and consistently effective system operates to correct things that are wrong and monitor it to ensure it stays that way? What techniques are used to establish the causes? Are they shown to work?
- Management attitude – Does top management know the results of audits, the level of product defects, and the cost of poor quality? Are they involved rather than only stated to be committed? What evidence is there, if any, that top management takes an interest in the quality management system? Are they proud of their system?
- Staff attitude to management – Are the employees positive about their management? Is there an open or closed-door style? Did the management representative have easy access to various managers during the audit? Does the staff have to “dress up” nonconformities for presentation to management?

If auditors find information that indicates a distinct lack of management support for the system, then they should say so in their report. Their task is to collate the evidence as fairly and objectively as they can and highlight areas of the greatest risk and least assurance.
As usual, there is no substitute for experience, and even experienced team leaders are very careful about their conclusions, and about the way they present them.
Options for recommendation
In the case of internal or second-party audits, audit conclusions can lead to recommendations regarding improvements, business relationships, or future auditing activities.
The closing meeting is the concluding meeting of the audit and is the formal presentation by the team of the findings and conclusions of the audit. Participants should include the auditee top management and may also include other parties such as outsourced processes in case they have been audited. In many instances, for example, internal audits in a small organization, the closing meeting may consist of just communicating the audit findings and conclusions. For other audit situations, the meeting should be formal, and minutes, including records of attendance, should be kept. Any diverging opinions regarding the audit findings and/or conclusions between the audit team and the auditee should be discussed and resolved. If not resolved, all opinions should be recorded. If specified by audit objectives, recommendations for improvements should be presented. It should be emphasized that recommendations are not binding.
The way the meeting is carried out is by conventions developed over the years in which audits have been carried out. As long as the auditee management understands the findings and agrees to the facts surrounding them before the team leaves, the team leader and team have done their job. Promptly, at the agreed time, the team should make themselves available for the meeting. The team leader chairs the meeting. The team leader should take the initiative and work through the agenda as prepared during the audit team meeting. The following points need to be covered in some form:
- List of Attendees
The team leader or the second auditor passes around an attendance list with name and position to be entered by each attendee.
The team leader should thank the auditee on behalf of the team for their help, time, etc. The team leader should also thank the guides for their assistance.
- Objectives, Scope, and Criteria
As a formality, and to ensure that the basis for the audit is not in doubt, the objectives, scope, and criteria should be restated. This is for a number of practical reasons. There is usually no real doubt about this in the organization because it has been discussed and agreed upon before the audit took place. However, some of the people attending the closing meeting may not have been present at the opening meeting and are not necessarily aware of everything that has happened in between. Audits cover a lot of ground, some of it irrelevant (not too much in a well-planned audit). The objectives can become hazy. Therefore, the statement by the team leader of the objective and scope resets the context of the audit.
The audit conclusions on system effectiveness will be formally reported and the results to be given to the auditee should be described.
It bears repetition that the audit was a sample of activities and is, therefore, subject to the risks associated with sampling. Not every conforming or nonconforming area was seen, only a representative selection. Therefore, the possibility exists that there are additional nonconformities in areas not covered by this audit.
It is recommended that the auditors develop a standard statement covering the essence of the above in their own words.
The lead auditor should reassure the auditee that everything seen or heard during the audit is kept in strict confidence. Any documents provided to the audit team will be returned before the auditors leave the premises.
- Audit Summary
The audit results should be summarized for presentation to management. Do not forget to start your presentation with ‘accentuating the positive’. Based on your audit, provide sincere and factual feedback on the QMS strengths – departments, processes, resources, controls, documentation, etc. Nonconformity findings may be grouped by functional area (department), the clause of the standard, and severity level (major, minor, or concern). Findings could also be categorized by type of failure, for example, intent (defined processes and documentation), implementation (practices), or effectiveness (results).
- Presentation of Nonconformities
It is recommended that the nonconformities be read out one after the other until they have all been presented, although it might be necessary to give a summary.
In some cases, the auditee representatives will have copies of the nonconformities, if some were agreed earlier. There are different schools of thought about giving copies of the nonconformities to the auditees at the time of the closing meeting. Generally, there are few disadvantages, and it is recommended here as good practice. There is then no need for auditees to try to make notes. It is also recommended that the nonconformities be read from the report rather than trying to describe them. This limits the tendency to add words and comments that should not be necessary if the nonconformity statement is complete in all respects. Reading the statements also encourages less experienced auditors to present the nonconformities in a clear, firm voice and not apologetically. Nonconformities may be agreed upon with the authorized person. Signature usually designates acceptance; however, there will be times when the auditee may disagree with a particular nonconformity and not accept it. In this case, the signature may simply denote acknowledgment of receipt of the nonconformity.
Each of the nonconformities presented was based on the facts agreed to earlier by a departmental representative. Although the agreement was reached at that time, the wording of the nonconformity is unlikely to have been at its most complete and concise. Either at review meetings or at the Closing Meeting, these nonconformities are signed by the auditee to acknowledge receipt and understanding of the content.
The team leader is responsible for presenting the conclusion reached by the team based on the audit results. This is the “informed judgment” of the auditors. It must consider the seriousness of any nonconformities and whether they indicate a departmental or company-wide breakdown of the system. The conclusion must be balanced with positive findings made during the audit.
The auditee must have an opportunity to ask questions about the nonconformities or the summary and it would normally come at this point. The facts as stated should not be in dispute. Assuming the auditee accepts all the nonconformities or the summary, the auditor may be asked what response is necessary for the points raised. The auditors would expect the auditee to propose some corrective action in a given timeframe.
The closing meeting is not the place to discuss actual corrective action. That should be given very careful consideration by the auditee. The team leader should, therefore, state that a proposed plan of corrective action is necessary within a number of days or weeks after receipt of the report. However, if the recommendation is for a full re-audit, then it will not be necessary to submit a corrective action plan.
Having presented the findings and discussed them to the auditee’s satisfaction, the audit team can depart, once again thanking the auditee for time, etc.
However, at various times in the past, and perhaps also to be expected in the future, audit teams are faced with the meeting not going to plan for some reason or another.
Some possible situations encountered by an audit team relative to the closing meeting:
- The senior person in the company is not present at the closing meeting
The auditors arranged the closing meeting as part of the audit plan agreed to by the auditee prior to the audit. By the very nature of the closing meeting, most companies want to have someone in senior management represent them at the closing meeting. However, the auditors cannot demand the presence of top management, but can certainly ask why they are unable to attend. If the team leader thinks that the auditee representation is not senior enough, someone senior can be requested to be available. If it was arranged for top management to be there and they do not arrive, then it is reasonable for the team leader to delay the meeting for a short time to wait for them. A telephone call will probably be necessary to check. After a reasonable time has elapsed (perhaps half an hour), the team leader should hold the meeting with whoever is there. Under no circumstances should the meeting be canceled. But, remember to add this to your audit report.
- Corrective action taken since a nonconformity was recorded
It may be that minor nonconformities can be corrected quite quickly and easily. If this is what has occurred, and the team leader is satisfied that effective corrective action has been taken, then the nonconformity is noted as “closed out”. The fact that it was found during the audit remains noted in the report. If corrective action taken for a major nonconformity is presented, the team leader should politely point out that the closing meeting is not the forum to discuss such issues and the corrective action will be audited during the next audit for effectiveness.
- Clear evidence produced that shows there is no nonconformity: If the auditors find they were mistaken about a nonconformity, and they are convinced of it based on the new information, they should withdraw the nonconformity.
- Bulky evidence produced that apparently shows there is no nonconformity: Such evidence should have been made available during the audit at the time the nonconformity was raised. The team leader should explain that the auditors would consider the evidence produced, but not at the closing meeting. If the evidence shows there is no nonconformity, then they will withdraw it.
- Auditee wants to extend the meeting: Once the nonconformities have been discussed, and some commitment to a plan of corrective action has been given, there is no value in allowing the meeting to continue. Most closing meetings normally are over within half an hour. The team leader, therefore, may need to be firm in closing the meeting after the necessary points have been covered.
The report of an external audit should provide a complete, accurate, concise, and clear record of the audit. It is the major output of the audit process and may be read and used by people who were not at the audit (and have no other information about the audit). It is, therefore, important that the audit report gives a balanced picture of the whole audit, not merely the nonconformities found. The whole reason for preparing a report is for the use of various people to initiate corrective actions and evaluate and address any recommended opportunities for improvement. The audit team leader should be responsible for the preparation and contents of the audit report. Essentially, the following points are to be addressed in an audit report:
- Unique audit identity (number/ letter, etc.)
- Audit objectives and criteria
- The audit scope, particularly the organizational and functional units or processes audited and time period covered
- Identification of the audit client
- The dates and places where the on-site audit was conducted
- The audit findings and conclusions
The report may also include or refer to the following, as appropriate:
- The audit plan
- A list of audit attendees
- A summary of the audit process, including the uncertainty and/or any obstacles encountered that could decrease the reliability of the audit conclusions
- Confirmation that the audit objectives have been accomplished within the audit scope in accordance with the audit plan
- Any areas not covered, although in the audit plan
- Any unresolved diverging opinions between the audit team and the auditee
- Recommendations for improvement, if specified in the audit objectives
- Agreed follow-up actions, if any
- A statement of the confidential nature of the contents
- The distribution list for the audit report
- Applicable quality system requirements (the Standard)
- Names and positions of team leader and team
There should be a summary statement that is the “polished up” version of the one presented at the closing meeting. This summary provides the informed judgment of the auditors.
All audit reports include the nonconformities exactly as they were written and presented to the auditee. If there is a classification system, such as Major or Minor, then this is used. There may also be a reference to a clause in the Standard. If a nonconformity was “closed out” during the audit, then a note is made to that effect.
2. Suggestions for correction of nonconformities
This is becoming less typical as organizations recognize its futility. However, certain companies require auditors to include suggestions for the correction of nonconformities. This is difficult, time-consuming, and risky; it may also be nonconforming with registrar policy and procedures (for reasons previously discussed). The auditors have to be very careful about any suggestions because their knowledge of the auditee’s systems is so very limited. Their ability to make valued criticism is so limited, in fact, that in many cases, it is useless and best omitted.
3. Suggestions for improvement
As part of the value-added approach to auditing, the audit team should provide improvement suggestions relating to:
- Areas of concern where controls are in place and conforming with requirements, but in the auditor’s experience and judgment, appear weak and likely to lead to nonconformity in the future
- Opportunities where organizations can more effectively or efficiently manage, perform or control activity or process, based on the auditor’s experience with similar situations in other organizations. It should be understood that the organization has no obligation to implement such suggestions, but it must be aware of the risks of not doing so.
The report should be signed and dated by the audit team leader as “approved”. Some organizations require a further sign-off by a senior person before the report is issued. It is important to prepare and issue an audit report within a reasonable timeframe. Typically, the report should be issued within 1/ 2 weeks of the audit and include a letter defining the required response. As with any record, audit reports should be retained on file for a prescribed time. All the other records from the audit should also be retained, for example, checklists, which are useful for re-audits, as well as the auditor’s own notes made during the audit investigation. Records will also be kept of corrective actions to satisfy the “close out” requirements of each nonconformity. Internal audits may not require the same depth of documentation of reporting, but the records retained will include at least the following:
- Reference and date of the audit
- Department/office/section audited
- Audit scope and objective
- Names of auditor(s), audit plan, and audit checklists plus nonconformities
- Auditor notes
- Audit summary and conclusions
- Corrective actions taken
Approving and distributing the audit report
The audit report should be issued within the agreed time period. The audit report should be dated, reviewed, and approved in accordance with audit program procedures. The approved report should then be distributed to the auditee and other recipients as designated by the organization. The audit report is the property of the organization. The audit team members and all report recipients should respect and maintain the confidentiality of the report.
Completing the audit
The audit is completed when all activities described in the audit plan have been carried out and the approved audit report is distributed. Documents pertaining to the audit should be retained or destroyed by agreement between the participating parties and in accordance with the audit program procedures and applicable statutory, regulatory, and contractual requirements. Unless required by law, the audit team and those responsible for managing the audit program should not disclose the contents of documents, any other information obtained during the audit, or the audit report to any other party without the explicit approval of the top leadership of the organization and, where appropriate, the approval of the auditee.
Conducting audit follow-up
The conclusions of the audit may indicate the need for corrective or improvement actions, as applicable. Such actions are usually decided and taken by the auditee within an agreed timeframe and are not considered part of the audit. The auditee should keep the top leadership/process manager informed of the status of these actions. The completion and effectiveness of corrective action should be verified. This verification may be part of a subsequent audit. The audit program may specify follow-up by members of the audit team, which adds value by using their expertise. In such cases, care should be taken to maintain independence in subsequent audit activities.
Auditee post-audit actions
The auditee might have a number of areas that were found to not conform to requirements. These non-conformities must be corrected, the actions verified as effective, and some kind of monitoring implemented to ensure things stay conforming. If the company has only one set of audit results for which to verify corrective actions, its follow-up system may be quite basic. However, some companies may have several nonconformities from external audits, and more from their own internal audits, product reports, and customer complaints. A formal system is necessary to track each nonconformity as it goes towards “close out”. If the external body is returning to check on corrective action taken, the auditee needs a good system to ensure the action has been taken and was effective.
Auditor post-audit actions
For a small number of minor nonconformities found during an internal audit, the follow-up may be left until the next planned audit within that area, if practical. For second-party audits, a written response to minor nonconformities is required. Based on an acceptable response, the nonconformities would be reviewed and closed out during the next visit. For some of the nonconformities that were purely documentary in nature, it might be possible to deal with them by only a written response. If the auditor is to use the nonconformity statements to follow up on the corrective action, then the nonconformity statements must be very specific and traceable. A summary of the follow-up process is:
- Identification of nonconformities.
- Summary report prepared.
- Corrective action request (CAR) issued.
- The auditor evaluates response to CAR.
- Completion of corrective action by the auditee.
- Evaluation of effectiveness by the auditee.
- Verification of completion by the auditor.
- Escalation (if necessary).
- Records of each stage in this process.
Audit reports need to be read by various people in the company, so a distribution list can be helpful, especially where confidentiality is a major concern.
The auditor’s responsibility is to make clear to the auditee that corrective action is necessary. The auditor rarely specifies corrective action (that is the auditee’s duty). Since the auditee is likely to propose corrective action, the auditor must have a view about how effective, or otherwise, such an action might be in resolving the situation once and for all. Once a nonconformity is in the system, the auditee must ensure that effective and appropriate corrective action has been taken. After clarifying with the auditor for a clear understanding of the nonconformity, and certainly with people in the area where the nonconformity was found, the best corrective action can be decided. The process of taking, checking, and monitoring the action should be formal; it is perhaps the most important “Quality” activity that takes place in a company. It is certainly where the audit system takes a positive aspect rather than a negative one. However, the process of corrective action is not an easy one. The auditee has to get to the root cause of the problem if it is going to be corrected forever. It is very easy to correct the effect of the nonconformance instead of the root cause, so in time the nonconformity will reappear. The auditee will also have to consider the impact of the corrective action on the rest of the process, as well as the effect it might have on areas not considered during the audit. The essential features of corrective action are as follows:
- Identification of nonconformity
- Establish responsibility for controlling the pertinent process
- Collect data to establish a root cause for the nonconformity
- Analyze the data and establish corrective action
- Monitor effectiveness of this action, including internal auditing
- Revise the action if ineffective
- Record all the actions taken
- Amend system documentation, as necessary
Not all corrective action is necessarily so involved. Some of the stages listed above are completed rather easily. However, all corrective action follows this general path. The forward-looking company will determine some criteria for success. If the company is going to be involved in these activities, the business should improve after the audits and the corrective action(s) have been taken. Has the error rate reduced? Do we now respond to our customer needs quicker? Have we reduced the number of bad debts? Are we throwing out less waste every night?
Perspective On Internal Audits
The internal audit, or first-party audit, is an audit carried out by a company on itself to determine whether its systems and procedures are consistently improving products and services, and as a means to evaluate conformity with the procedures and the standard. Each second and third-party audit should consider the first-party audits carried out by the company in question. Ultimately, the only systems that should need to be examined are internal audits and reviews. In fact, the second or third parties themselves have to carry out internal or first-party audits to ensure their own systems and procedures are meeting business objectives. Within any company, therefore, the real benefit to be gained from auditing will come from these “self” audits. The value of an internal auditor is representative of the quality assurance resource of the company. What is the point in someone “independent” doing the auditing, if all the auditing effort is put into ensuring that the business has the right people, materials, resources, systems, etc.? If the effort is put into providing the support necessary to do a good job, why do a bad one? However, it is accepted that some companies still have a long way to go before the above state is reached. The need for an audit system, whether for external or internal audits, is paramount. Audits will be scheduled according to a plan, usually looking at various processes, their sequence, and interaction with other processes within the QMS, with some flexibility built in to allow for realigning a particular effort. There is a need to prepare for each audit with an audit plan and checklist. Formal opening meetings are not typical, except in fairly large organizations. The auditor meets briefly with the department manager and gets on with the audit. The auditor is examining the work and outputs of colleagues. This puts an added strain on the auditor and the auditee. The auditor will sometimes be in a difficult position because of this tension.
How can both the auditors and the system be protected? There are two aspects considered here: the system that is installed in partnership with everyone in the company, and the credibility of the auditor.
The system set up to carry out audits often has senior management’s signature appended to it. That, of course, means that the manager knows precisely what has been signed and believes absolutely in its value. That was not true of some managers in the past. They willingly signed such procedures and expected the system to work properly without them. They called it “delegation”. Many other managers realized that the audit could be a very powerful and useful tool and applied it to problem areas using people trained in investigative techniques. Because they wanted it to happen, they involved themselves in its operation; some of them even underwent the training with their colleagues. Such managers are running successful departments and organizations. People could see by their management’s actions, as well as their statements, that they meant what they said. A second aspect of the system for internal audits is that of escalation. The previous point made reference to management’s full interest in the system. There should be no doubt of this in the company. It is so important that the operation of the internal audit system should be close to the policy statement in the Quality Manual. The audit procedure should include a clause for escalation. Managers get the system they deserve. Records of internal audits tend to be limited in comparison with those of external audits. There may not be reports, as such, issued; only the requests for corrective action (CAR) and a way of monitoring them. The auditors should keep all their checklists so that over a period of time they can ensure that as comprehensive an audit program as possible is being carried out. They should also keep their notes in a secure place.
ISO 9001 Auditor Credibility
A number of points are made here. It is not meant to be an exhaustive treatise on the subject, merely recognition that the auditor is a human being dealing with human beings and that sets the highest qualifications for the would-be auditor. All auditors must be able to develop a rapport with auditees fairly quickly. Their real job is to facilitate improvement. Rarely do they have much real power, so they have to instigate change by other means. The situation will frequently arise where there is a nonconformity against procedures and the auditor has the answer. As an external auditor, regardless of whether the auditee would find the suggestion useful or not, they are unable to offer it (to avoid consulting). However, as internal auditors working for the same company and having the same objectives as their colleagues, they are in a position where they can be of help to the company. They should be prepared to throw away their checklist, roll up their sleeves, and help. Wouldn’t such an action meet with the approval of the auditee? The auditee might even tell the auditor some of the other problems they have so that those can be addressed too. That is the kind of openness that the internal auditor must try to encourage as a natural result of their approach to auditing. Of course, the same degree of openness may not always be in the company’s interests where external auditors are concerned.
It should also be recognized that helping out in the above manner will impact the auditor’s independence and they will be unable to audit the area for the corrected action and perhaps for an extended period of time. A compromise approach may be to facilitate the discussion of corrective action options and leave the decision-making and implementation of the best option for the organization’s management. This will enable auditors to provide value-added service and still maintain their independence as auditors. The point has been made that the internal auditor and the auditees are working for the same organization. This can be a double-edged sword. As an external second-party auditor with apparent power in a (small) supplier, auditors can hide some of their less glorious attributes. When they are auditing their own colleagues, they have to be scrupulously fair, hardworking, reasonable, objective, polite, and respectful if they are to contribute anything to the company in the long term. It can be summarized as being “professional”, possibly the best accolade for an auditor to be given. Perhaps a part of the latter point, but one that is important enough to merit specific mention, is that of preoccupation with trivia. In external audits, auditees will put up with someone “prying” around their company knowing that they will be gone tomorrow and they won’t see them again for a good while. Not so with the internal auditor. Nothing is more designed to ravage the credibility of auditors and all they represent than the sight of them narrowly and trivially working their way through each department. It’s the best way known to “destroy” the system. So, the points are made. Internal auditing can provide companies with a valuable tool provided they have at least three characteristics:
STRONG MANAGEMENT DRIVEN SYSTEM
FULL UNDERSTANDING OF BENEFITS
PROFESSIONAL, TRAINED, AND CREDIBLE AUDITORS
EFFECTIVE AUDITS with VALUE ADDED
Auditor Competence Requirements
Confidence and reliance on the audit process depend on the competence of those conducting the audit. This competence is based on the demonstration of:
- Personal attributes
- The ability to apply knowledge and skills
- The gaining of knowledge and skills through:
  - Work experience
  - Auditor training
  - Audit experience
ISO 9001 Auditors develop, maintain, and improve their competence through continual professional development and regular participation in audits.
Personal Attributes
An auditor should be:
- Ethical – fair, truthful, sincere, honest, discreet
- Open-minded – willing to consider alternative ideas
- Diplomatic – tactful in dealing with people
- Observant – aware of surroundings and activities
- Perceptive – instinctively aware of and understands situations
- Versatile – be able to adjust to different situations
- Tenacious – persistent, focused on achieving objectives
- Decisive – reach timely conclusions
- Self-reliant – functions independently
Knowledge and Skills
An auditor should have knowledge and skills in:
1. Audit principles, procedures, and techniques:
- Apply audit principles, procedures, and techniques
- Plan and organize work effectively
- Conduct an audit within the agreed time schedule
- Prioritize and focus on matters of significance
- Collecting objective audit evidence
- Understand sampling and its limitations
- Verify the accuracy of collected information
- Evaluate the adequacy of audit evidence and other factors affecting audit findings and conclusions
- Use work documents to record audit activities
- Maintain confidentiality and security of information
- Communicate effectively
2. Management systems and reference documents:
- Apply management systems to different organizations
- Interact between components of the management system
- Know QMS standards, applicable procedures, and other documents
- Recognize the difference and priority of reference documents
- Apply reference documents to different audit situations
- Information systems and technology for control of documents, data and information
3. Organizational situations:
- Organizational size, structure, functions, and relationships
- General business processes and related terminology
- Cultural and social customs of the auditee
- Applicable laws, regulations and other requirements relevant to QMS
- Local, regional and national codes, laws and regulations
- Contracts and agreements
- International treaties and conventions
- Other requirements applicable to the organization
4. Generic Knowledge and Skills Of Team Leaders
The audit team leader should be able to:
- Plan the audit and make effective use of resources
- Represent the audit team in communication
5. Specific Knowledge and Skills Of ISO 9001 QMS Lead Auditors
- Quality related methods and techniques
- Quality terminology
- Quality management principles and tools and their application
- Processes, products, including services
- Sector-specific terminology, processes, and practices
- Technical characteristics of products, processes, and services
6. Education, Work, Training and Audit Experience
- Education – Auditors should have:
  - Sufficient education to acquire generic and QMS specific knowledge and skills
  - Completed generic and specific auditor training (QMS), internally or externally
- Work experience – Auditors should have work experience that:
  - Contributes to developing knowledge and skills as described above
  - Relates to technical, managerial or professional positions involving judgment, problem-solving and communication with various parties
  - Allows part of the work experience to be in the position that contributes to knowledge and skills in the quality management field
- Audit experience
  - Auditors should have audit experience in audit life-cycle activities gained under an audit team leader
  - Audit Team leaders should have additional knowledge, skills, and experience gained under a competent team leader
7. Maintenance and Improvement Of Competence
- Undergo continual professional development (CPD). CPD should take into account changes in individual and organizational needs, auditing practices and standards and other requirements
- Maintain and improve knowledge, skills and personal attributes
- Achieve through work experience, training, private study, coaching, attending meetings, seminars, conferences or other relevant activities
- Participate regularly in QMS audits