ISO 9001:2015 Clause 9.2 Internal Audit
ISO defines audits as “Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.”
Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization itself for management review and other internal purposes, and may form the basis for an organization’s declaration of conformity. In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited. External audits include those generally termed second- and third-party audits. Second-party audits are conducted by parties having an interest in the organization, such as customers, or by other persons on their behalf. Third-party audits are conducted by external, independent auditing organizations, such as those providing certification/registration of conformity to ISO 9001 or ISO 14001. When two or more management systems are audited together, this is termed a combined audit. When two or more auditing organizations cooperate to audit a single auditee, this is termed a joint audit.
An audit is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. Audits are structured and formal evaluations. The term systematic means the company must plan and document its system for auditing. It must have management support and resources behind it. Audits must be performed in an impartial manner, which requires auditors to have freedom from bias or other influences that could affect their objectivity. For example, having responsibility for the work, or a vested interest or shares in a supplier or third party company they are assigned to audit would be conflicts of interest. Internal audits must be carried out to a procedure according to requirements given in clause 9.2 of ISO 9001:2015. The procedure must address the responsibilities for conducting the audits, ensuring independence, recording results, and reporting to management. Audits obtain objective evidence of conformity with requirements. The evidence must be based on fact and may be obtained through observation, measurement, test, or by other means. Evaluating the extent to which audit criteria are fulfilled involves an assessment of both implementation and effectiveness. The presence of nonconformities in a department or process may indicate the system is ineffective for those areas.
9.2 Internal Audit
The organization should conduct internal audits at planned intervals to provide information on whether the quality management system conforms to the organization’s own requirements and the requirements of ISO 9001:2015, and whether it is effectively implemented and maintained.
The organization must plan, establish, implement, and maintain an audit program, which must include the frequency, methods, responsibilities, planning requirements, and reporting. When designing the audit program, consideration must be given to the importance of the processes concerned, changes impacting the organization, and the results of previous audits. The organization must define the audit criteria and scope for each audit. It must select auditors and conduct audits so that the audit process is impartial and objective. It must ensure the results of audits are reported to relevant management. It must take necessary correction and corrective actions without undue delay. It must retain documented information as evidence of the implementation of the audit program and of the audit results.
Internal audit is one of the important tools required by this standard used to gauge the health of your QMS. How effective is it in meeting ISO 9001, your own QMS, customer, and regulatory requirements? You must have a documented procedure for your internal audit process. The scope of your internal audit program must cover the:
- Audit of operation processes to determine conformity of both product /services and their processes to the customer and applicable regulatory requirements.
- Audit of the QMS to determine conformity to the ISO 9001 standard.
- Audit of the QMS to determine conformity to organizational requirements.
- Audit of QMS processes and their interaction to determine if the QMS has been effectively implemented and maintained.
In determining the time frame for your audit program, you should consider organization size, the complexity of products and processes, the health of the QMS, and customer, registrar, and regulatory requirements. The most common time frame is six months. Consider adjusting the audit frequency, and perhaps even the audit scope, of specific processes or groups of processes when:
- You experience internal or external nonconformities.
- You get customer complaints.
- You have critical or high-risk processes.
- You have frequent or significant changes to processes and products.
Your internal audit program should consider the following:
- Input from the audited area and related areas
- Key customer-oriented processes
- Process and product performance results and expectations
- Opportunities for continual improvement
- Feedback from customers
Audit criteria refer to the specific QMS policies, objectives, ISO requirements, documentation, customer and regulatory requirements, etc., that the audit is referenced to or conducted against. Audit criteria may relate to the whole audit program as well as to each individual audit. Audit methods refer to the specific techniques that auditors use to gather objective audit evidence that can be evaluated to determine conformity to the audit criteria. Examples of audit methods include interviews of personnel, observation of activities, and review of documents and records. You must define the minimum qualification requirements for internal auditors. These requirements include knowledge of QMS processes and their interaction, related QMS controls, customer requirements, applicable regulatory requirements, the ISO 9001 standard, the audit process, and audit techniques. Internal auditors need to be trained in the ISO 9001 standard, as they generally audit for conformity to organizational requirements and also for conformity to ISO 9001 requirements. Additionally, the ISO 19011:2002 Guidelines for quality and environmental auditing say that auditors should have knowledge of quality management system standards and their application to the organization. The output of your internal audit program may be used as performance indicators to:
- Determine the degree of conformity of the QMS to ISO 9001, customer and regulatory requirements.
- Determine the effectiveness of QMS implementation and maintenance.
- Determine the degree of conformity of product to contractual and regulatory requirements.
- Identify areas of the QMS that need improvement.
Always establish the objectives of the audit. Audit objectives are not limited to the ISO 9001 standard. Clear audit objectives help determine the scope and depth of the audit, as well as the resources needed. Being clear on the objectives provides focus and helps keep the auditor from being distracted and going off on unnecessary detours beyond the scope of the audit. Audit objectives may include:
- Evaluating conformity of requirements to ISO 9001
- Evaluating conformity of documentation to ISO 9001
- Judging conformity of implementation to documentation
- Determining effectiveness in meeting requirements and objectives
- Meeting any contractual or regulatory requirements for auditing
- Providing an opportunity to improve the quality management system
- Permitting registration and inclusion in a list of registered companies
- Qualifying potential suppliers
Types of Audits
Audits that are carried out to determine whether an organization conforms to a quality standard may be termed Quality System Audits. This type of audit requires the auditor to use a fair degree of judgment to establish whether controls are adequate. Many second- and third-party audits are carried out as Quality System Audits, as are many audits for the purpose of consultancy. Audits that are carried out against specifically defined practices, procedures, and instructions, and that are perhaps (but not necessarily) more limited in their scope, are termed conformity audits. Many internal audits and many contract-related audits between two parties are carried out as conformity audits. Process and product audits are subsets of QMS conformity audits and are therefore limited in scope. An ISO 9001 process audit evaluates the controls and characteristics of a specific process, as well as its relationship with other processes, and may include using some or all of the following approaches:
1) Individual processes in terms of:
- Input / Output / Value-added activity
- Plan / Do / Check / Act
2) Relationship to other processes in terms of:
- Flow / Sequence / Linkage / Combination
- Interaction / Communication
3) Customer contracts, for conformity to contractual requirements through the various processes used to fulfill the customers’ orders.
4) Audit trails, following concerns or unresolved issues to processes or departments that are beyond the scope of a specific audit.
External audits are audits done outside one’s own organization, and there are at least two distinct types of external audit: second-party and third-party.
Second Party Audits
These audits, carried out by one company on another, originally came from the idea of an organization auditing its suppliers. There are a number of reasons why an organization may wish to audit its suppliers.
- One method to satisfy clause 8.4.1 of ISO 9001:2015
- Input to selecting, grading, and approving suppliers
- Help to improve supplier Quality Management Systems
- Mutual understanding of quality requirements
Many major organizations carry out second-party audits to advise user departments of areas of weakness in suppliers, so that appropriate contract and/or surveillance mechanisms can be instigated if the supplier is to be given work. Such audits can also highlight likely additional costs.
Third Party Audits
As a result of the growth in interest in Quality Assurance during the 1960s and 1970s, more and more second-party audits were being carried out. Some companies in certain fields had to employ people whose sole task was to accompany visiting auditors around the company! Clearly, this state of affairs was helping nobody, particularly the supplier. After considerable discussions at national levels, the ISO 9000 scheme was introduced to rationalize all the assessment schemes into a third-party audit operated by an independent body that would certify companies as conforming with the Standard (or not, as the case may be). Various bodies became registration bodies (Registrars); BSI, UL, SGS, and DNV are prominent examples. There are different types of registration, but the main interest here is the Registrar’s Quality Management System assessment and registration. On payment of an initial fee to the Registrar, they will assess your Quality Management System against ISO 9001 and, depending on the results of the assessment, the organization would become registered.
Internal audits or First Party Audits
First-party audits are carried out by an organization on itself to confirm to management that its documented quality management system is working effectively. The organization’s own defined and documented system forms the basis for this audit. Reasons for a first-party audit:
1) ISO 9001:2015 clause 9.2 requires it
2) Control and feedback mechanism for management
3) Correction of nonconformities before external bodies find them
4) Systematic improvement of the organization
As with second-party audits, if the audits are done only for reason (1) or (3) above, the value is going to be limited. By establishing an internal audit program, management is making available an extremely useful and powerful tool for improving the business and for assessing the effectiveness of the quality management system. Of course, considering (3) above, if an organization is to find for itself the kinds of nonconformities that external bodies are likely to find, it should, if possible, carry out its audits in a similar way to the Registrars. It must be remembered that all audits are based on sampling; therefore, there is no guarantee that all nonconformities will be found during the internal audit process.
Benefits of Quality Management System Audits
Audit results are a major input to the management review process. Management must take appropriate actions based on the review of quality system strengths, weaknesses, and opportunities for improvement. The time allocated for conducting internal audits demonstrates top management commitment. If the purpose of the audit is properly communicated, and employees realize that the audit is not an evaluation of personal performance, they are more likely to discuss weak areas and opportunities for improvement. This should lead to an improvement in operational performance and improved customer satisfaction. Benefits of QMS audits include the following:
- Provides information for management review
- Demonstrates senior management commitment
- Improves personnel awareness, participation, and motivation
- Provides opportunities for continual improvement
- Improves customer confidence and satisfaction
- Increases operational performance
The Auditor within the Audit System
All systems in an organization have to be designed and made to work by people. The audit system is no different. It must have procedures and training to advise the auditor what the role requires, and also what and who qualifies or authorizes the auditor to do the work. An auditor is defined by ISO 19011 as a person with the competence to perform an audit. To perform an audit, the auditor must be authorized for that particular audit.
The Auditor has the following responsibilities:
- Support the team leader
- Be prepared
- Participate in opening and closing meetings
- Carry out assigned tasks
- Keep to the timetable and audit scope
- Document and support all findings
- Keep team leader and auditee informed
- Safeguard all documents
- Maintain confidentiality
- Be objective and ethical
- Verify corrective actions (if assigned as the auditor)
Lead Auditor Responsibilities
In addition to the auditor’s responsibilities, the lead auditor must possess management capabilities that include:
- Assisting in team selection and briefing the team
- Responsibility for planning and managing all phases of the audit
- Representing the audit team with auditee
- Controlling conflicts and handling difficult situations
- Conducting and controlling all meetings with team and auditee
- Making decisions on audit issues and quality system
- Reporting audit results without delay
- Reporting major obstacles encountered
- Reporting critical nonconformities immediately
- Possessing effective communication skills
The Lead Auditor must balance the on-site audit workload so that there is sufficient time to conduct these managerial tasks.
The auditee is the department or process of the organization to be audited. The auditee could also be one of the organization’s manufacturing or service facilities. The organization determines the audit scope and objectives.
Principles of ISO 9000 Auditing
QMS auditors must adhere to the following principles and attributes, based on ISO 19011, Principles relating to auditors:
1. Ethical Conduct is the foundation of professionalism. It includes auditor behavior that reflects trust, integrity, confidentiality, and discretion.
2. Fair Presentation is the obligation to report truthfully and accurately:
- Audit activities through – audit findings, conclusions, and reports
- Significant obstacles encountered
- Unresolved diverging opinions between auditee and audit team
3. Due Professional Care is applying diligence and judgment in auditing. Auditors must exercise care related to the importance of the task and the confidence placed in them by the auditee and other interested parties. Having the necessary competence is an important factor.
4. Independence forms the basis for the impartiality of the audit and objectivity of the audit conclusions. Auditors must:
- Be independent of the activity being audited
- Be free from bias and conflict of interest
- Maintain an objective state of mind throughout the audit process
- Ensure that audit findings and conclusions will be based only on the audit evidence
5. The evidence-based approach is the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process. Audit evidence must:
- Be verifiable
- Be based on samples of the information available (since the audit is conducted during a finite period of time and with finite resources)
- Ensure that proper use of sampling is made, to contribute to the confidence that can be placed on the audit conclusions
Additionally, ISO 9001 QMS auditors must:
- Be open-minded and mature
- Possess sound judgment, analytical skills, and tenacity
- Have the ability to perceive situations in a realistic way
- Understand the role of individual units within the overall organization
- Understand complex situations from a broad perspective
The auditor must be able to apply these attributes in order to:
- Fairly obtain and assess objective evidence.
- Remain true to the purpose of the audit without fear or favor.
- Constantly evaluate the effects of audit observations and personal interactions.
- Treat participating personnel in a way that will best achieve the audit objective.
- React with sensitivity to conventions of the area where the audit is performed.
- Perform the audit process without deviating due to distractions.
- Commit full attention and support to the audit process.
- React effectively in stressful situations.
- Arrive at generally acceptable conclusions based on audit observations.
- Remain true to the conclusion despite pressure to change not based on evidence.
Auditors must be open-minded and base decisions on objective evidence. They cannot assume, feel, or impose their views. Remember that ISO 9001 is interpretative, not prescriptive. There are many ways to implement a requirement to achieve effective control. Keep an open mind. Don’t jump to conclusions.
Other useful attributes:
- Other desirable personal attributes that an ISO 9000 auditor may possess include being polite, punctual, practical, principled, persevering, industrious, positive, and prepared. Be mature, have sound judgment, be tenacious, be perceptive and realistic.
- Maturity comes from education, understanding, and experience. Sound judgment and analytical skills are gained through research and experience in interpreting and applying the requirements of the standard. Learn from experienced auditors. Take notes of their audit evaluation techniques.
- Tenacious does not mean digging until you find a nonconformance. It refers to your ability to stay focused on the audit objective and scope, in spite of distractions. Perceptive means being alert to changing circumstances or concerns. Realistic is being pragmatic. Evaluate the risk. How serious is it? What is the probability of occurrence?
Very few organizations are alike. They have different products, processes, management structures, cultures, and environments. Auditors must learn to quickly gauge these factors to determine to what extent they will facilitate or hinder conducting the audit.
- Auditors must be free from bias and influence
- They cannot audit their own work
- All participants in an audit must respect the integrity and independence of the auditors
From a first party perspective, internal auditors cannot audit their own work. They must be selected to perform impartial and objective audits. From a second or third party perspective, independence may be jeopardized if the auditors have a business or other association with the second or third party company that may influence their objectivity, or they own shares in the company to be audited, or their spouse or relative works there.
Role of an Internal Auditor
The Internal auditors may have many roles depending upon whether they perform as Lead auditor or team member. The scope and objective of the assignment must also be taken into consideration. Some of the key roles and issues are discussed below:
- Act as the management interface
- May facilitate the documentation and implementation process
- May act as a guide during audits
- May interface with customers and external auditors
- Must maintain “independence” and confidentiality
- Must exhibit professional behavior
They follow management’s directives and conduct internal audits on behalf of management. Internal auditors report audit findings to top management so the system can be improved. Internal auditors may facilitate the communication, documentation, and implementation of the system and communicate with the registrar or customers. They may also act as guides during audits by external auditors or customers.
Managing An ISO 9001 Audit Program
Authority for Audit Program
An ISO 9001 audit program may include one or more audits, depending on the size, nature, and complexity of the organization to be audited. These audits may have a variety of objectives and may also include joint (multiple auditing organizations) or combined (QMS and EMS) audits. An audit program also includes all activities necessary for planning and organizing the types and number of audits, and for providing resources to conduct them effectively and efficiently within the specified time frames. An organization may establish more than one audit program. The organization’s top management should grant the authority for managing the audit program. Those assigned the responsibility for managing the audit program should:
- Plan, establish, implement, monitor, review and improve the audit program
- Identify the necessary resources and ensure they are provided.
Examples of ISO 9001 audit programs include the following:
- A series of internal audits covering an organization-wide quality management system for the current year.
- Second-party management system audits of potential suppliers of critical products to be conducted within six months.
- Registration and surveillance audit conducted by a registrar on a quality management system within an agreed time period.
An audit program also includes appropriate planning, the provision of resources, and the establishment of procedures to conduct the audits within the program.
Establishing the ISO 9001 Audit Program
Audit program objectives
Objectives should be established for an audit program to direct the planning and conduct of audits. These objectives should be based on consideration of:
- Management priorities
- Commercial intentions
- Management system requirements
- Statutory, regulatory and contractual requirements
- Need for supplier evaluations
- Customer requirements
- Needs of other interested parties
- Risks to the organization
Extent Of An Audit Program
The extent of an audit program can vary and will be influenced by the size, nature, and complexity of the organization to be audited, as well as by the following:
- The scope, objective and duration of each audit to be conducted
- The frequency of audits to be conducted
- The number, importance, similarity, and locations of the activities to be audited
- Standards, statutory, regulatory and contractual requirements, and other audit criteria
- Conclusions of previous audits or results of a previous audit program review
- Any language, cultural or social issues
- The concerns of interested parties
- Significant changes to an organization or its operations
Factors that may cause the frequency to increase include:
- Significant changes in management, organization, policy, techniques, or technology
- Requests by the customer or regulatory body
- Changes to the quality management system
- Results of recent audits
- Status and importance – internal audit results
Audit Frequency for Internal Audits
Clause 9.2.2: Internal audits are scheduled on the basis of the importance of the activity to be audited, changes affecting the organization, and previous audit results.
Importance – refers to the criticality of the process or activity to the quality of the product or service (for example, critical internal or external suppliers). It also reflects top management’s priorities.
Audits – refers to the results of previous internal and external audits. You must consider past audit findings and coverage in setting audit frequency. The complete quality management system must be audited at least once a year. Weak areas or activities must be audited more often. Top management determines the frequency of internal audits with the help of the Management Representative. Audit frequency is also determined by contractual or regulatory requirements, as well as by significant changes in ownership, policies, products, processes, technology, control systems, documentation, or the organization.
Audit Program Responsibilities, Resources, And Procedures
ISO 9001 Audit Program Responsibilities
The responsibilities for managing an audit program should be assigned to one or more individuals with a general understanding of audit principles, the competence of auditors, and the application of audit techniques. They should have management skills, as well as technical and business understanding relevant to the activities to be audited. Those assigned responsibility for managing the audit program should:
- Establish the objectives and extent of the audit program
- Establish the responsibilities and procedures, and ensure that resources are provided
- Ensure the implementation of the audit program
- Ensure the appropriate audit program records are maintained
- Monitor, review and improve the audit program
ISO 9001 Audit Program Resources
Consider the following when identifying resources:
- Financial resources necessary to develop, implement, manage and improve audit activities
- Audit techniques
- Processes to achieve and maintain the competence of auditors appropriate to the particular audit program objectives
- The extent of the audit program
- Traveling time, accommodation and other auditing needs
Audit Program Procedures
Audit program procedures should address:
- Planning and scheduling audits
- Assuring the competence of auditors and audit team leaders
- Selecting appropriate audit teams and assigning their roles and responsibilities
- Conducting audits
- Conducting audit follow-ups, if necessary
- Maintaining audit program records
- Monitoring the performance and effectiveness of the audit program
- Reporting to top management on the overall achievements of the audit program
For smaller organizations, the activities above can be addressed in a single procedure.
Audit Program Implementation
Implementation should address:
- Communicating the audit program to relevant parties
- Coordinating and scheduling audits and other activities relevant to the audit program
- Establishing and maintaining a process for the evaluation of auditors and their continual professional development
- Ensuring the selection of audit teams
- Providing necessary resources to the audit teams
- Ensuring the conduct of audits according to the audit program
- Ensuring the control of records of the audit activities
- Ensuring review and approval of the audit records and their distribution to the audit client and other specified parties
- Ensuring follow-up if applicable
Audit Program Records
Records should be maintained to demonstrate the implementation of the audit program and should include the following:
- Records related to individual audits such as audit plans, audit and nonconformity reports, corrective and preventive action reports, and audit follow-up reports
- Results of the audit program review
- Records related to the audit personnel regarding:
  - Auditor competence and performance evaluation
  - Audit team selection
  - Maintenance and improvement of competence
Records should be retained and suitably safeguarded.
Audit Program monitoring and reviewing
The implementation of the audit program should be monitored and, at appropriate intervals, reviewed to assess whether its objectives have been met and to identify opportunities for improvement. The results should be reported to top management. Performance indicators should be used to monitor characteristics such as:
- The ability of the audit team to implement the audit plan
- Conformity with audit program and schedules
- Feedback from audit clients, auditees and auditors
The audit program review should consider:
- Results and trends from monitoring
- Conformity with procedures
- Evolving needs and expectations of interested parties
- Audit program records
- Alternative or new auditing practices
- Consistency in performance between audit teams in similar situations
Results of audit program reviews can lead to corrective and preventive actions and the improvement of the audit program.
The extent of audit activities depends on the scope and complexity of the specific audit and the intended use of the audit conclusions. The planning and conduct of audit activities involve the following process flow or life cycle:
Initiating The Audit
1. Appointing The Audit Team Leader
Those assigned the responsibility for managing the audit program should appoint the audit team leader for the specific audit. Where a joint audit is conducted, agreement should be reached between the auditing organizations, before the audit commences, on the specific responsibilities of each organization, particularly with regard to the authority of the team leader appointed for the audit. The leader has responsibility for planning, conducting, and reporting the audit, following these rules and guidelines. The leader is briefed on the objectives and scope of the audit and is then required to specify the resources necessary to carry out the audit, in terms of staff days and the number of auditors required, including any with special technical expertise. The auditor needs knowledge of quality management systems and the Standard. However, auditors will also be required to use all applicable senses during an audit.
2. Defining Audit Objectives, Scope And Criteria
Within the overall objectives of the audit program, an individual audit should be based on documented objectives, scope, and criteria. The audit objectives define what is to be accomplished by the audit and may include the following:
- Determining the degree of conformity of the QMS, or parts of it with audit criteria
- Evaluating the capability of the QMS to ensure compliance with statutory, regulatory and contractual requirements
- Evaluating the effectiveness of the QMS in meeting specified objectives
- Identifying areas for potential improvement of the QMS
The objectives can be many and diverse, but it is essential to be clear on the objectives at the beginning of the audit process.
The audit scope describes the extent and boundaries of the audit, such as:
- Applicable requirements of ISO 9001
- Physical locations – facilities, plants, offices
- Organizational activities – products, processes, departments, functions
- Date the quality management system was formally in effect
The audit criteria are used as a reference against which conformity is determined and may include:
- Applicable policies and procedures
- Standards, laws, and regulations
- ISO 9001 and organization management system requirements
- Industry requirements
- Business sector codes of conduct
The audit scope and criteria should be defined by the organization in accordance with audit program procedures.
3. Selecting The Audit Team
The team leader will select the audit team, following the criteria defined by the organization. Selection criteria may include the following:
- Audit objectives, scope, criteria and the estimated duration of the audit
- Whether it is a combined or joint audit
- The overall competence of the audit team to achieve audit objectives
- Statutory, regulatory, contractual and accreditation/ registration requirements, as applicable
- Independence of the audit team and avoiding conflict of interest
- The ability of an audit team to interact with each other and with auditee
- Language of the audit and an understanding of auditee’s social and cultural characteristics
- The need for a technical expert
- Availability of competent audit team members
4. Establishing Contact With The Auditee
The initial contact with the auditee may be formal or informal and should be made by the audit team leader. The purpose is to:
- Establish communication channels with the auditee
- Confirm the authority to conduct the audit
- Inform auditee on proposed timing and audit team composition
- Request access to relevant documents, including records
- Determine applicable site safety rules
- Make arrangements for the audit
- Agree on the attendance of observers and availability of guides
5. Preliminary Visit
These visits can be of great value since they allow the team leader to meet members of the organization. Much information can be gathered from a preliminary visit, and its benefits may include:
- Clarification of the scope of the audit
- Agreement on procedures to be used during the audit
- Resolution of communication and any misunderstandings
- A quick tour to appreciate the site's scale, layout, and geography
- Perform documentation review
- Degree of readiness and cooperation
- Identification of any special needs – skills, protective clothing
- Provides the auditee with an opportunity to ask the team leader about the way the audit will be conducted.
6. Conducting Document Review
The auditee's documentation should be reviewed to determine the conformity of the system, as documented, with the audit criteria. The documentation may include relevant management system documents and records and previous audit reports. The review should take into account the size, nature, and complexity of the organization, and the objectives and scope of the audit. In some situations, this review may be deferred until the on-site activities commence, if this is not detrimental to the effectiveness of the audit. If the documentation is found to be inadequate, the audit team leader should inform the program manager and the auditee. A decision should then be made as to whether the audit should be continued or suspended until the documentation concerns are resolved.
Preparing for the on-site audit activities
In preparing the plan, the team leader in consultation with the audit team will decide the strategy for the audit, and there are a number of options. Some auditors favor starting at the point in a company where inquiries from clients are received. The auditors then follow the process through confirming an order, going through technical, procurement, inventory, production, test, shipping, and service, plus taking in specialized areas along the way. This approach may be termed a “process audit”. The auditors follow a specific order or set of processes through the system and examine controls of each process along the way. The process audit approach will require the auditor to look at the following aspects of process management:
- Controls over inputs, outputs, and the value-added activities within a process
- Controls related to the utilization of resources in converting inputs to outputs
- Use of the PDCA methodology in applying the clauses of the ISO 9001:2015 standard to each process
- Reviewing the controls related to the interaction, linkage, and combination with other processes, both on the input and output sides
- Evidence of measurable objectives for each process and metrics to track performance to them
2. Preparing the Audit Plan
After having been in contact with the organization to be audited, and perhaps made a preliminary visit, the audit team leader will prepare an audit plan, which provides the basis for the agreement among the audit team and the auditee regarding the conduct of the audit. The plan should facilitate the scheduling and coordination of audit activities. The amount of detail in the audit plan should reflect the scope and complexity of the audit. The details may differ, for example, between initial and subsequent audits. The plan should be sufficiently flexible to permit changes in the audit scope, which can become necessary as the on-site audit activities progress. It is up to the team leader to determine how much flexibility to allow so the achievement of the audit objective and scope within the agreed time is not compromised. The audit plan should cover the following:
- Audit objectives, criteria, and reference documents
- Audit scope, including organizational and functional units and processes to be audited
- Dates and places where the on-site activities are to be conducted
- Expected time and duration of on-site activities, including all meetings with auditee or audit team
- The roles and responsibility of audit team members and accompanying persons
- Allocation of appropriate resources to critical areas of the audit
The audit plan should also cover, as appropriate:
- Identification of the auditee’s representative for the audit
- Working and reporting language of the audit
- Audit report topics
- Logistics arrangements
- Matters relating to confidentiality
- Any audit follow-up actions
- Audit report distribution and issue date
3. Auditee’s Responsibility
The auditee has a responsibility to:
- Agree with or clarify the planned arrangements
- Arrange for personnel to be available
- Request full cooperation from all personnel
- Arrange office facilities for auditors
- Arrange for any safety equipment
4. Assigning Work To The Audit Team
The audit team leader, in consultation with the audit team, should assign to each team member responsibility for auditing specific processes, functions, sites, areas, or activities. Such assignment should take into account the need for the independence and competence of auditors and the effective use of resources, as well as the different roles and responsibilities of auditors, auditors-in-training, and technical experts. Changes to the work assignments may be made as the audit progresses, to ensure the achievement of the audit objectives.
5. Preparing work documents
Auditors need to go forward armed with the tools of the trade in order to conduct an efficient and professional audit. The audit team members should review the information relevant to their assignments and prepare work documents as necessary for reference and for recording audit proceedings. Such work documents may include a copy of the ISO 9001:2015 Standard, checklists, sampling plans, and forms for recording information such as supporting evidence, audit findings, and records of meetings. Work documents, including records resulting from their use, should be retained at least until audit completion.
While conducting the audit, the purpose will be something like:
“To collect objective evidence for an informed judgment about the documentation, implementation, and effectiveness of the organization’s quality management system.”
The primary aim of the checklist is to help the auditor ensure the depth and continuity of the audit; it also saves time during the audit and helps the auditor come to an informed judgment. The company conducting the audit usually defines the format of the checklist. The checklist defines the sample. The checklist must, therefore, be as representative as the auditors can make it, bearing in mind the objectives of the audit. The information available to the auditors could comprise:
- Information from previous audits
- Known quality problems
- Management priorities
- Documented Information
- Product/service specifications and information
- Auditor's own considerations based on experience and knowledge
The point made in preparing checklists concerns making the sample representative. Always using the same checklist is not to be recommended, although this is widely practiced.
Advantages of a checklist:
- Identifies relevant samples
- Defines a formal audit process
- Requires helpful research
- Helps maintain the pace of the audit
- Keeps audit objectives clear
- Gives historical reference as an audit record
- Reduces workload on the auditor during the audit
- Assures the auditee of auditor professionalism
- Provides space for audit notes
Disadvantages of a checklist:
- Can become a tick list
- May be full of yes-no questions
- If an area is not on the checklist, the auditor will not look at it
- May stifle initiative and process analysis
Conducting On-Site Activities
Having made all the preparations with the auditee and confirmed all arrangements, it is proper etiquette for the team leader to contact the auditee a few days in advance of the audit to verify all the arrangements are in place.
Conducting The Opening Meeting
The opening meeting is typically held at the location of the audit. Good practice demands that the auditors arrive together, neither early nor late; otherwise it can be embarrassing for both parties and, what is more, it is unprofessional. This meeting, like any other, requires preparation by the team leader. The meeting is usually held in a manager's office or the company's conference room. It will usually begin with a welcome and introductions by the Process Manager/Management Representative. The audit team has prepared an agenda to ensure that all necessary points are covered quickly and efficiently. Matters to be addressed include:
- Introduction of personnel
The lead auditor should introduce the team and explain the way they are organized if there is more than one group, particular specialists in the group, etc. It is normally a requirement to record the attendees at this meeting. Passing around an attendance sheet and asking everyone present to record their name and position is a practical solution.
- Audit purpose and scope
Just in case there is any doubt about why the audit is being carried out, and the extent to which the company is going to be examined, the team leader needs to restate these points. In certain situations, the auditee may require evidence or a statement about the team’s authority, although matters such as these tend to be covered during the preparation stage.
- Review of the audit plan
The plan will have been discussed, developed, and agreed upon with the auditee. However, plans may have to be altered slightly and these possibilities should be covered at this stage. The team leader should confirm the intention to keep to the plan to the extent possible.
- Audit Methods
Describe briefly the methods that the auditors will use to gather objective evidence, such as interviews, observations, document and record reviews, and trend analysis.
- Reporting methods
The method of recording nonconformities, and of presenting the audit report that will be left by the auditors at the end of the audit, will need to be explained by the team leader.
- The audit is a Sample
The team leader should make it clear that the audit is a sampling activity and subject to those limitations. Both conforming and nonconforming aspects will be seen and missed. The team leader should assure management, however, that they will make samples as representative as possible and draw only reasonable conclusions.
- Logistics
Logistics covers all the other arrangements: transport, protective clothing, lunch arrangements, and facilities for use by the auditors.
- Restrictions
Although any major restrictions on the auditors will tend to have been made clear during the planning stage, these may need confirmation or discussion during the opening meeting. Such restrictions include clean areas or hazardous areas where particular arrangements for protective clothing have to be made.
- Clarification
There may be questions or points the auditees wish to raise, and the team leader should deal with these items during the opening meeting. The team leader also needs to confirm the current issue status of the key documents in the quality management system.
When all the above and any other matters have been dealt with, the team leader should bring the opening meeting to a close by thanking the management and confirming the date, time, and location of the closing and any interim (end of day management briefings) meetings.
Communicating During the Audit
Depending upon the scope and complexity of the audit, it can be necessary to make formal arrangements for communication within the audit team and with the auditee during the audit. The audit team should confer periodically to exchange information, assess audit progress, and reassign work between the audit team members as needed. During the audit, the audit team leader should periodically communicate audit progress and any concerns to the auditee and top leadership, as appropriate. Where evidence collected during the audit suggests an immediate and significant risk (e.g., safety, environmental, or quality), it should be reported without delay to the auditee and, as appropriate, to top leadership. Any concern about an issue outside the audit scope should be noted and reported to the audit team leader, for possible communication to the auditee. Where the available audit evidence indicates that the audit objectives are unattainable, the audit team leader should report the reasons to the auditee to determine appropriate action. Auditing deals with people. People are unpredictable in their behavior, emotions, and dispositions. A good auditor must know how to interact with people and get information from them in an effective manner.
Auditor Communication Skills:
- Put auditee at ease before interviewing
- Ask and listen
- Ask short questions
- Show interest in people; what they say
- Reflect the right attitude and tone of voice
- Be tactful and polite
- Watch body language and facial expressions
- Show patience and understanding
- Smile and show eye contact
- Turn off your own problems
- Avoid interruptions and contradictions
- Remember to say please and thank you
- Avoid off-the-cuff or condescending remarks
- Ask the right person
- Give praise when appropriate
- Don’t say you understand if you don’t
Any audit carried out anywhere has an objective. Auditors who lose sight of this will not be effective. They are better off asking two questions than losing their way because they asked only one. The quality of the audit can be considered in terms of achieving the audit objectives. The ability to discover information of relevance (facts related to the audit objective) depends on the ability to ask the right questions. The question words who, what, where, when, why and how are, particularly in quality training, called the 5 W's and an H. Although a clumsy description, the idea is the same. Questions beginning with these words will elicit more than just Yes or No answers and are, therefore, called open questions. It takes longer to answer such a question than it does to ask it, so the auditor also gets some thinking time. Auditors can control the tone of discussions to their advantage with the use of these questions, since the questions demand meaningful answers. It is impossible to correctly answer an open question with a Yes or No response. Without a doubt, the ability to ask questions of the right type is one of the most powerful tools in the auditor's toolbox. It is taken for granted as a management skill, but auditors must learn to identify and use the appropriate techniques. In this way, they will improve communications and conduct more effective audits.
The Roles And Responsibilities Of Audit Participants
- It is in the team leader’s interest to keep the number of people in such a group to a minimum, but with patience, good management and a clear idea of the audit objectives, the auditors can carry out the audit with even a large following.
- It must be made quite clear to all in the party that only two people should speak during the audit: the auditor and the person being interviewed at the time.
- The team members carry out the audit as per the audit plan and support the lead auditor. The team leader manages the audit team and also shares in the auditing workload.
- Observers do not participate in the audit. They can only watch the audit, take notes as necessary, and clarify issues at the audit team meetings.
- Experts may be used when auditing a highly specialized business. Their role is not to audit, but to provide technical guidance on products, processes, and activities.
- From the auditee side, guides take audit team members to the specific parts of the organization and introduce auditors to various auditees at the scheduled times. They should ensure that the audit team is aware of and conform to the safety and security rules of the organization. They should not participate in the audit interview unless invited to do so by the auditor, perhaps to clarify a question or assist in collecting information. They should take notes and witness the audit observations. Observers and trainees must not participate in the audit interview but should take notes to witness or learn.
- Consultants must declare their relationship with the auditee and must not participate in any of the audit activities unless permitted to do so by the team leader.
Collecting and verifying information
During the audit, information relevant to the objectives, scope, and criteria, including information relating to the interfaces between functions, activities, and processes, should be collected by appropriate sampling and should be verified. Only information that is verifiable may be audit evidence. Audit evidence should be recorded. The audit evidence is based on samples of the available information. Therefore, there is an element of uncertainty in auditing, and those acting upon the audit conclusion should be aware of this uncertainty. The process for collecting information and reaching audit conclusions is as follows:
The purpose of an audit is to collect audit evidence, to generate audit findings by evaluating that evidence against the audit criteria, and then to review all individual findings to reach an overall audit conclusion about the degree of conformity and effectiveness of the quality management system. Auditors must not allow their opinions or prejudices to influence decisions. Audit evidence supports the existence or conformity of an element of the quality management system. The evidence must be capable of being verified and may be:
- Information, records, or statements of fact
- Qualitative (non-numerical) or quantitative (numerical)
- Based on observation, measurement, or test
Audit information can exist in a variety of forms:
- It may be quantitative, such as numerical performance data on products, processes and the QMS.
- It may be qualitative, such as from interview, observations and documents.
- The auditor must decide if the information is relevant to the product or quality system.
- Statements can be used as objective evidence when made by those responsible for the activity being audited – known as “admissible statements”.
- If possible, auditors should gather documented support for the admissible statements.
- Nonconformities, when found, must be quantified for communication to the auditee.
Techniques to obtain objective evidence include:
- Interview People:
  - that manage, perform and verify activities
  - with responsibility and authority for work
- Observe Operations:
  - for identification, status, condition, flow, and operation of facilities, materials, product, equipment, processes, and tasks
- Review Documents:
  - pertaining to processes and activities
  - for details of why, who, what, when, and where
- Examine Records:
  - for objective evidence of implementation of processes, activities, controls, inspections, and tests
- Evaluate Results:
  - to summarize and analyze the audit observations
  - to determine the effectiveness of the quality system
Sampling during evidence collection:
- Objective evidence is obtained by sampling processes, people, documents, and records
- It is based on a small representation of the audited activities
- Not finding nonconformities does not equate to total assurance of control
- Determine sample size and selection based on:
  - past problems
  - audit time span
- Collect the sample on a random basis (ask permission of the auditee)
- Don't let the auditee select the samples and possibly bias the representation
- Don't dig deeper, or select another sample, if the first sample doesn't find nonconformities
- If no nonconformities are found, move on to the next area of the audit
- Review and agree on conformity with the auditee, guide, and department head
- Deviate from the audit checklist, if appropriate
- Follow unexpected audit trails only if warranted (consult the Management Representative or team leader)
- Consider minimal sample size guidelines of 4/10; 10/100; 20/1000
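The sampling points above (auditor-chosen random samples, the 4/10; 10/100; 20/1000 minimum sizes, and the need for evidence to remain retrievable) can be put into a small helper. This is an added example, not code from the article or from ISO; the purchase-order population is constructed, and the decision to keep the minimum at 20 for populations above 1000 is an assumption, since the text gives no figure beyond that.

```python
import random
from typing import List, Optional, Sequence

# Minimum sample sizes quoted in the text, keyed by population size:
# 4 of 10, 10 of 100, 20 of 1000. Populations above 1000 are not covered
# by the text; keeping the guideline at 20 there is an assumption made here.
MIN_SAMPLE_GUIDELINE = ((10, 4), (100, 10), (1000, 20))


def minimum_sample_size(population: int) -> int:
    """Smallest sample the guideline asks for, for a population of records."""
    if population < 0:
        raise ValueError("population must be non-negative")
    for upper, size in MIN_SAMPLE_GUIDELINE:
        if population <= upper:
            # A population smaller than the guideline figure cannot yield
            # more items than it holds (e.g. only 3 purchase orders exist).
            return min(size, population)
    return 20  # assumption: the guideline tops out at 20 above 1000 records


def draw_sample(item_ids: Sequence[str], seed: int,
                size: Optional[int] = None) -> List[str]:
    """Select the sample at random, chosen by the auditor, not the auditee.

    The seed and the ordered candidate list go into the audit notes: together
    they let anyone re-create exactly the same sample later, which keeps the
    evidence retrievable, as the text requires of audit records.
    """
    if size is None:
        size = minimum_sample_size(len(item_ids))
    if size > len(item_ids):
        raise ValueError("sample larger than population")
    rng = random.Random(seed)          # seeded: reproducible, still random
    return sorted(rng.sample(list(item_ids), size))


# Constructed population: 48 purchase-order numbers A-01 .. A-48.
PURCHASE_ORDERS = [f"A-{n:02d}" for n in range(1, 49)]

if __name__ == "__main__":
    chosen = draw_sample(PURCHASE_ORDERS, seed=20240101)
    print(f"population {len(PURCHASE_ORDERS)}, "
          f"minimum sample {minimum_sample_size(len(PURCHASE_ORDERS))}: {chosen}")
```

Recording the seed alongside the candidate list is what makes the sample part of the audit record rather than an unrepeatable choice; a larger sample than the minimum is always allowed by passing `size` explicitly.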
Generating Audit Findings
Audit evidence should be evaluated against the audit criteria to generate the audit findings. Audit findings can indicate either conformity or nonconformity with audit criteria. When specified by audit objectives, audit findings can identify an opportunity for improvement. The audit team should meet as needed to review the audit findings at appropriate stages during the audit. Conformity with audit criteria should be summarized to indicate locations, functions, or processes that were audited. If included in the audit plan, individual audit findings of conformity and their supporting evidence should also be recorded. Nonconformities and their supporting audit evidence should be recorded. Nonconformities may be graded or classified. They should be reviewed with the auditee to obtain acknowledgment that the audit evidence is accurate and that they are understood.
Evidence gathering process
In order to gain the facts, and enough of them from which to come to a conclusion, auditors have to examine samples of documents, items, products, etc. Only the auditors can decide how many samples should be taken. It would obviously be dangerous to see one example of a system in correct operation (when there are hundreds of examples that could also be looked at) and assume that, because one had been seen, the system was correct all the time. Similarly, it would also be wrong, particularly if a minor aspect is being considered, to look at every single example. Typically, the sample size can vary between 6 and 30 items. In most cases, this small number will be sufficient as long as some attempt has been made to make it representative. To make a sample representative, it needs to be chosen at random. Certain systems, for example those for documentation control, are company-wide, and every department has examples of documents. The auditor needs to be clear about who is responsible for what when verifying the correctness of the documents seen in any given department. Auditors should always seek the help of local personnel affected by the system in question in understanding the evidence. Naturally, the kind of evidence often being produced is that which will show a failure of the system or a lack of management control. Provided that the auditor has remained objective, has been open with the people contacted, and has invariably been polite in requests for information, there should be no difficulty in reaching an agreement on such points with the responsible persons.
Only the most experienced auditors make sufficient notes of all the relevant things seen and heard during an audit. It is obviously an extremely important technique to develop. The auditors must record enough information to make an informed judgment based on an adequate set of notes containing considerable facts. Notes need to be taken of references to documents, item identification, batch numbers, job numbers, statements, who said them, job titles, relevant questions asked, etc. This information needs to be legible and needs to be retrievable. Much of it might be referenced in subsequent audits, either in the next department to be visited, or in a department to be visited by another member of the audit team. Whichever format they use, auditors must safeguard the confidentiality of the information they gain during the audit.
Control of the Audit
At all times, the team leader is responsible for maintaining control of the audit. Experience helps auditors to develop their own way of working in an area and then adapting various techniques as each situation demands. On entering an area and being introduced to the departmental representative, the team leader should go over the audit plan for that area with the departmental representative and the guide. Their advice as to the best sequence to follow can usually be taken. The items on the checklist are then worked through in a systematic manner. The amount of time the auditor has to spend talking to management in each area about their system will vary according to how much information was originally made available to the auditors. Where there was very little detail, then more time may have to be spent determining some of the basic controls. In order to understand some of these controls, the auditor will not only speak to management, but also to the people doing the work. If the auditors find no evidence of nonconformities, they can and should proceed quickly. Having covered their sample, they should move on. If there are problems, the auditors must examine the evidence to the depth necessary to gain objective evidence.
As the audit proceeds, there might arise situations where the facts indicate there is a failure, either partial or whole, of the quality management system; such a situation is called "a nonconformity".
What is nonconformity?
- a condition adverse to Quality
- the non-fulfillment of a requirement
Examples of requirements:
- Conditions of contract
- ISO 9001 standard
- QMS documentation
- Regulatory and industry
There may be nonconformity for one of three reasons:
- the procedure or defined process does not conform to ISO 9001 requirements
- the procedure or process has not been put into practice in the described way
- the practice, what is actually done, is not effective (planned results not achieved).
Many situations arise during an audit with the potential to become nonconformities. As soon as the facts are indicative of nonconformity, the auditors should immediately voice their thoughts to the departmental representative. The auditee should agree with the facts at this point (and certainly before the auditors leave the area for another part of the audit). The statement of nonconformity needs to be in a format understandable both to people in the audit and to those who were not. People who were not present at the audit will often be assigned to take the necessary corrective action. This need alone defines some rules for the recording of nonconformities:
- Exact observation of the facts. Only the facts are needed and the reporting of them needs to be exact.
- Where was it found? The statement needs to identify exactly where it was found, otherwise, it may not be found again.
- What was found? It needs to be clear so that people understand what aspect of the system is nonconforming.
- Why is it a nonconformity? The statement needs to make clear which specified requirement has not been met.
- What is the objective evidence of the nonconformity? What audit evidence do we have – records, documents, statements or observations for our nonconformity findings?
- Who was involved? The statement often has no need to involve specific people, but where the objective evidence was based on a statement, then the statement and the originator(s) need to be clear. Job titles rather than names should be used.
- Use local terminology. The industry has its own names for certain activities, documents, etc. These unique terms should be used for clarity.
- Make it retrievable. Someone has to go back after the audit and put it right, possibly after a considerable period of time.
- Make it helpful. To be helpful, nonconformity statements should be complete, correct, concise and clear. Suggestions, particularly on external audits, are not recommended, nor are they the auditor’s duty. Some examples of typical nonconformities will allow at least some of the above points to be made, assuming these are from audits to ISO 9001.
The number of nonconformities that can arise during an audit can be numerous. However, it is unlikely that they are all equally serious. The auditor needs to be able to differentiate between those that are serious and those that are less so. In order to help with this analysis, there are three questions the auditor can ask:
- What could go wrong if the deficiency remains uncorrected?
- What is the likelihood of such a thing going wrong?
- Is it likely the system would detect it before the customer is affected?
It is also common practice for auditors to raise opportunities for improvement that are points of concern, but for which there is insufficient objective evidence to raise a nonconformity. Opportunities for improvement are an additional way by which auditors can be seen as being helpful.
The definition of a MINOR nonconformity:
- Failure to conform to a requirement which (based on judgment and experience) is not likely to result in QMS failure
- A single observed lapse or isolated incident
- Minimal risk of nonconforming product or service
Examples of minor nonconformities:
- A drawing marked up with unauthorized changes
- A purchase order released without review and approval
- An inspection instrument past its calibration date
- A training record not available
Minor nonconformities have little likelihood of allowing nonconforming products or services to be delivered or of causing a breakdown of system control. They do indicate that there are occasional lapses that must be formally addressed through corrective action.
The definition of a MAJOR nonconformity:
- The total breakdown of the system, control, or procedure
- Absence of an ISO 9001 requirement
- A number of minors related to the same clause
- A nonconformity that would result in the probable shipment of nonconforming or un-inspected product
- A condition that may result in the failure of the product, or materially reduce its usability, for the intended purpose
- A nonconformity that experience and judgment indicate will likely result in QMS failure or materially reduce its ability to assure controlled processes and products
- Between these two extremes, a number of less serious nonconformities, when considered together, may identify a system failure and hence a major nonconformity
Examples of major nonconformities:
- No documented information for any required element of the standard
- Document changes routinely carried out in an unauthorized manner
- Critical purchases made from unevaluated suppliers
- Product shipped without required inspection and tests
Majors represent serious problems in the system that must be addressed with attention and resources on a priority basis. They put the business at risk with customers and the Registrar.
In an internal audit, many organizations do not differentiate between major and minor nonconformance. The auditors need to consider all the evidence available to see whether a process or sub-system of the QMS is failing. It is the combination of all the evidence that will contribute to the informed judgment that the auditors will be required to present to the organization.
Some Examples of Major Non-Conformance, Minor Nonconformance, and Opportunities for improvement.
1. In an XYZ company, while auditing in the Insurance claims manager's office, the auditor saw an office file titled "Insurance Process Guide" lying on a shelf. The auditor was told that these are important Standard Operating Procedures. He promptly glanced through work procedures No. PWP02, PWP04 & PWP06, contained in section A of the "Insurance Process Guide", which were at revision status 01. The auditor cross-checked these SOPs on the company's central server and noted that PWP02 & PWP04 were at revision status 02 and PWP06 at revision status 03.
The company under Audit: XYZ
Non Conformity Number: 5
The area under review: Insurance claims' Manager's office
ISO 9001 clause number: [clause number not legible in source]
Nonconformity statement: In the Insurance claims' Manager's office, an office file titled "Insurance Process Guide" was found without version control and with no suitable identification. There was no control to prevent unintended use of this obsolete document or to apply suitable identification to it.
2. In a material procurement department, the purchasing process requires that all purchase orders contain complete details of the material ordered. While sampling, the auditor selected 10 purchase orders and found that P.O. Nos. A-10, B-44 & K-22 contained insufficient information on material specifications. The materials manager explained that there was no need to include these details since these are regular suppliers who are well aware of the material specifications.
The company under Audit: XYZ
Non Conformity Number: 6
The area under review: material procurement department
ISO 9001 clause number: 8.4.3
Nonconformity statement: In the material procurement department, P.O. Nos. A-10, B-44 & K-22, three of the ten purchase orders sampled, do not describe the material specifications, contrary to the purchasing process requirement that purchase orders contain complete details of the material ordered. The requirements for the purchased product were therefore not communicated to the external provider.
3. In a laboratory, samples are identified by a unique sample code. The auditor examines the records, which are held in a computer database. Each database record has five columns: 1. Sample code, 2. Date, 3. Test results, 4. Decision on next action, 5. Approval for decision. In a representative sample of 20 records, 18 are fully completed, but on 2 records the last two columns, relating to the decision, are blank.
Two blank fields are not by themselves sufficient evidence of a nonconformity: they show only that this database lacks the entry, not that the person authorizing release of the product went unrecorded. Before raising anything, the auditor should look for evidence of the following:
- Are there any other records that identify the person(s) authorizing release of the product for delivery to the customer?
- Do the records provide evidence of conformity to requirements?
- Has the organization established a documented procedure defining the controls needed for identification, storage, protection, retrieval, retention, and disposition of records?
- Are the records controlled?
- Have the characteristics of the product been monitored and measured to verify that product requirements have been met?
- Is product released to the customer before the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, where applicable, by the customer?
- Does the organization ensure that product which does not conform to requirements is identified and controlled to prevent its unintended use or delivery?
- Do the personnel working in the laboratory have the necessary competence on the basis of appropriate education, training, skills, and experience?
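The two-step check described for Example 3, as an added example that is not part of the original article: first find the sampled records whose release fields are blank, then cross-check those gaps against a second evidence source before treating them as a nonconformity. The record layout follows the five columns in the text; the 20 sample records and the secondary release log are constructed here, and the existence of such a second record is an assumption.

```python
"""Evidence check for the laboratory records in Example 3.

Added example, not from the article. It applies the two steps the text
describes: find the sampled records whose release fields are blank, then
cross-check those gaps against a second evidence source before treating
them as a nonconformity. The record layout follows the five columns in
the text; the 20 sample records and the secondary 'release log' are
constructed here for illustration."""
from dataclasses import dataclass

# The two columns that together record who decided and who approved release.
RELEASE_FIELDS = ("decision", "approval")


@dataclass(frozen=True)
class LabRecord:
    sample_code: str
    date: str
    test_results: str
    decision: str   # column 4: decision on next action
    approval: str   # column 5: approval for the decision (the authorising person)


def is_blank(value):
    return value is None or value.strip() == ""


def incomplete_records(records):
    """Map sample_code -> list of blank release fields.

    This is the raw observation (2 of 20 records in the text), not yet
    a finding: a blank field shows only that this database lacks the entry."""
    gaps = {}
    for rec in records:
        missing = [f for f in RELEASE_FIELDS if is_blank(getattr(rec, f))]
        if missing:
            gaps[rec.sample_code] = missing
    return gaps


def unsupported_releases(records, release_log):
    """Sample codes with no release authorisation recorded anywhere.

    release_log maps sample_code -> authorising person taken from another
    record (assumed to exist; it stands for the 'other records' the
    auditor would go looking for). A gap corroborated there is a
    record-keeping lapse in the database; a gap with no corroboration is
    the objective evidence needed before a nonconformity can be raised."""
    gaps = incomplete_records(records)
    return sorted(code for code in gaps if is_blank(release_log.get(code)))


def build_sample():
    """Constructed sample of 20 records: 18 complete, 2 with blank release fields."""
    records = [
        LabRecord(f"S-{i:03d}", "2024-03-01", "pass", "release", "J. Smith")
        for i in range(1, 19)
    ]
    records.append(LabRecord("S-019", "2024-03-01", "pass", "", ""))
    records.append(LabRecord("S-020", "2024-03-01", "fail", "", ""))
    return records


# Constructed secondary evidence: S-019 was authorised on another record, S-020 was not.
RELEASE_LOG = {"S-019": "A. Lee"}

if __name__ == "__main__":
    sample = build_sample()
    print("blank release fields:", incomplete_records(sample))
    print("no authorisation evidence anywhere:", unsupported_releases(sample, RELEASE_LOG))
```

With the constructed data, S-019 turns out to be a record-keeping lapse (authorised elsewhere) while S-020 has no evidence of authorisation in any record; only the second is objective evidence for a finding, and the sampling caveat still applies to the 18 records not examined.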
4. After the recently concluded internal audit of a company, the auditor noted that the quality manager had compiled a summary of 100 NCRs. The sales department accounted for 75% of them; the rest were evenly distributed among 5 other departments, and 2 departments received no NCRs. The Quality Manager explained that corrective and preventive actions had already been initiated and that the six-monthly internal audit interval had been adhered to ever since the system was put in place 3 years ago. The sales department deals with the review of product requirements.
The company under Audit: XYZ
Non Conformity Number: 6
The area under review: Internal audit
ISO 9001 clause number: 9.2.2(a)
Nonconformity statement: The internal audit summary shows 100 NCRs, of which 75% were raised in the sales department, which reviews product requirements; the remainder were evenly distributed among 5 other departments and 2 departments received none. The audit programme has nevertheless stayed at a fixed six-monthly interval for all departments for 3 years: it was planned without taking into consideration the importance of the processes concerned or the results of previous audits.
5. In the packing section of a food processing unit, the auditor notes that 6 out of 18 people are not wearing company-issued nylon headgear, contrary to work procedure OCP 13, Issue 2.
Company under Audit: Food processing unit
Non Conformity Number: 7
The area under review: packing section
ISO 9001 clause number: 7.3(d)
Nonconformity statement: In the packing section of the food processing unit, 6 out of 18 people were not wearing company-issued nylon headgear, contrary to work procedure OCP 13, Issue 2. Personnel performing work affecting conformity to product requirements are not aware of the implications of not conforming with QMS requirements.
Reaction of Auditees
If experienced auditors look back over the different types of audits they have done, they will most likely recall a whole range of auditee reactions, from outright hostility to willing cooperation. The auditor has to be prepared to meet and deal with this range of reaction. In general, top management sets the “tone” by their interest and involvement in quality assurance (or lack of it). It must be said that as organizations increasingly realize the full benefits of ISO 9001, negative auditee reactions are very much on the decline and normally occur only when auditees are faced with a negative auditor. Let’s look at some possible reactions.
- Authority – This can work both ways. Some auditees become protective of their departments or company and try to “browbeat” the auditor. The auditor must insist firmly, but politely, on being given respect (provided, of course, the auditor gives it first). Some auditees feel “inferior” to the auditors, and because the auditors are a representation of authority, become nervous. The auditor must use patience and politeness, and where appropriate, be empathetic.
- Antagonism – For whatever reason, auditees may occasionally become hostile and aggressive towards the auditor. Naturally, the auditor must ignore any rudeness from the auditee. However, they may have to spend slightly longer in the area using patience, firmness, and politeness as their main defenses.
- Diversionary tactics – These can be many and varied; anything that uses up time otherwise planned for auditing belongs here. People may be well-meaning, but if they spend a lot of time explaining things the auditors have not asked about, they must be politely stopped. Videos about the company can be interesting and sometimes useful, but if not relevant to the audit they should be avoided (as should the interesting machine or process). Auditees will sometimes appeal to your curiosity and want to show the “latest thing”. It is not always a deliberate ploy, but a departmental representative can waste a lot of time “just going off to get what you want”; the auditor should accompany the person, or arrange to get it later. Time is also lost while the auditee answers the telephone or draws employees into discussion of matters external to the audit, or while auditors wait for information or for representatives who are on the telephone or in a meeting. If this happens, above all do not get angry: be firm yet polite, refrain from critical comments and confrontation, continue with the audit plan, and point out that many areas remain to be covered in the remaining time. If the problem recurs, speak to the management representative.
- Volunteered information – Auditors receive a lot of data during an audit and hope to get the information they need efficiently. Sometimes people give them information they have not asked for, perhaps about a failure in part of the quality system. The auditor is then in a quandary: follow up that lead now, later, or ignore it? It may be a “red herring” that takes up a lot of time and leads nowhere, or it may be important and relate to the audit objective. There is no fixed rule; experience tends to guide the right decision, and it is one of the many judgments an auditor has to make while performing an audit.
- Internal conflicts – Audits can be stressful on all involved and sometimes findings during an audit provoke an argument between members of the organization. The audit is not the place for this and the auditor needs to use a little tact in smoothing the situation, without getting involved, and continue with the audit. Seek objective evidence without being seen to take sides.
- Continual challenge – The auditee has the right, and indeed the duty, to challenge auditors that reach conclusions on the basis of unsound information. This can happen where auditors are not fully briefed about contract conditions, product requirements, or where they stray from objective evidence. However, it is for the auditor to continually put up a strong and factual case for all conclusions reached so that the auditee accepts them.
- Enlisting help – In some companies, the Quality Assurance staff often guides auditors around during an audit, and frequently a good rapport is developed. If the Quality Assurance people are having difficulty in getting the corrective action taken, they may “lead” the auditors to deficient areas. While not exactly volunteering information, the auditee is enlisting the (powerful) support of customer representatives. The auditors may use this information by gaining facts (considering how to protect their sources) so that any nonconformities found are indisputable.
Audit Team Meeting:
An audit team meeting should be held after the auditing process is complete so that the team leader can plan the closing meeting in detail and ensure the team knows what will be presented to the organization by way of nonconformities and a summary. The team leader chairs the audit team meeting and must cover the following points:
- To complete the recording of all nonconformities with supporting audit evidence
- To review the audit findings, and any other appropriate information collected during the audit, against the audit objectives
- To agree on the audit conclusions, taking into account the uncertainty inherent in the audit process
- To prepare the Audit Summary Report
- To prepare recommendations, if specified by the audit objectives and
- To discuss audit follow-up, if included in the audit plan
The team meeting needs to be scheduled at least an hour before the closing meeting, or less if some of the work has already been completed (for example, the night before). The team leader may present all the nonconformities and the summary, or team members may be asked to present the nonconformities they found. The review of nonconformities is important and members should be rigorous in reviewing one another’s statements. From this review the team leader prepares an audit summary. This summary reflects the degree to which the company conforms to its own documented quality management system and to the ISO 9001 standard. As a suggestion, a team leader should answer the following questions about the quality management system:
- Is there a documented (and defined) system addressing the clauses of ISO 9001, and to what extent? (audit of documentation)
- Has this documented system been put into practice, and to what extent? (audit of implementation)
- Is the quality management system achieving its objectives, and to what extent? (audit of effectiveness)
- Are nonconformities being prevented by the existing controls?
To answer these questions, the nonconformities raised will give some guidance.
Further questions may be answered by the summary:
- Do the nonconformities indicate weakness in any particular department, processes or, ISO 9001 clause within the audit scope?
- Do the nonconformities indicate weakness in any particular part of the QMS?
The team leader also prepares an agenda for the closing meeting and arranges, either directly or through a team member, for copies of all nonconformities to be passed to the company’s management at the appropriate time. It is ideal, though by no means possible on every audit, for the team leader to organize the seating arrangements for the closing meeting.
Audit Conclusions – QMS Effectiveness
As the audit comes towards the end, the auditors should be gradually building up a picture of the organization’s QMS strengths and weaknesses. The team leader has the responsibility for generating this composite picture as their audit conclusion of the degree to which working systems conform to stated requirements and objectives (and the Standard), after consideration of all audit findings. This information comes from the findings during the audit, but it is necessary to “sort” this so that a reasonable conclusion can be reached (assuming nonconformities have been found):
- number of major nonconformities raised
- number of nonconformities raised during the audit of defined processes and documentation (intent)
- number of nonconformities raised during the audit of implementation (practices)
- number of nonconformities related to the effectiveness of the system
- number of nonconformities raised against each clause of the Standard
- number of nonconformities in each department or area of responsibility
- The capability of the management review process to ensure the continuing suitability, adequacy, effectiveness, and improvement of the management system
Based on this, a picture emerges of the kinds of failure found, relative frequency, where found in the company, and the quality management system requirement (clause of the standard) that is weakest. However, this is not the only information the auditor should be considering. A further picture can emerge from examining the following:
- Internal failures: How many modifications to drawings, specifications, or purchase orders were made that should have been avoided? How much avoidable product scrap and rework, and how many concessions or waivers, occur?
- External failures: How often do customers complain and/or return the product? Is there a large Returns department?
- Past audits: Have recent internal and external audits established many nonconformities?
- Trends: Does the organization consider any or all of the above in reviews to establish how its quality management system should be changed to prevent such events in the future? Is the number of nonconformities rising, static, or falling?
- Corrective action: Is there evidence that a strong and consistently effective system operates to correct things that are wrong and to monitor them so they stay corrected? What techniques are used to establish causes? Are they shown to work?
- Management attitude: Does top management know the results of audits, the level of product defects, and the cost of poor quality? Are they involved rather than only stated to be committed? What evidence is there, if any, that top management takes an interest in the quality management system? Are they proud of their system?
- Staff attitude to management: Are the employees positive about their management? Is there an open- or closed-door style? Did the management representative have easy access to the various managers during the audit? Does the staff have to “dress up” nonconformities for presentation to management? If auditors find information that indicates a distinct lack of management support for the system, they should say so in their report. Their task is to collate the evidence as fairly and objectively as they can and to highlight the areas of greatest risk and least assurance.
Options for recommendation
In the case of internal or second-party audits, audit conclusions can lead to recommendations regarding improvements, business relationships, or future auditing activities.
Closing Meeting
The closing meeting concludes the audit and is the formal presentation by the team of its findings and conclusions. Participants should include the auditee’s top management and may also include other parties, such as providers of outsourced processes, if they have been audited. In many instances, for example internal audits in a small organization, the closing meeting may consist of simply communicating the audit findings and conclusions. In other audit situations the meeting should be formal, and minutes, including records of attendance, should be kept. Any diverging opinions between the audit team and the auditee regarding the audit findings and/or conclusions should be discussed and resolved; if not resolved, all opinions should be recorded. If specified by the audit objectives, recommendations for improvement should be presented, with the emphasis that recommendations are not binding. The following points need to be covered in some form:
- List of Attendees
The team leader or the second auditor passes around an attendance list with name and position to be entered by each attendee.
The team leader should thank the auditee on behalf of the team for their help, time, etc. The team leader should also thank the guides for their assistance.
- Objectives, Scope, and Criteria
As a formality, and to ensure that the basis for the audit is not in doubt, the objectives, scope, and criteria should be restated. There is usually no real doubt about these within the organization, because they were discussed and agreed before the audit took place.
The audit conclusions on system effectiveness will be formally reported and the results to be given to the auditee should be described.
It bears repetition that the audit was a sample of activities and is, therefore, subject to the risks associated with sampling. Not every conforming or nonconforming area was seen, only a representative selection. Therefore, the possibility exists that there are additional nonconformities in areas not covered by this audit.
It is recommended that the auditors develop a standard statement covering the essence of the above in their own words.
The lead auditor should reassure the auditee that everything seen or heard during the audit is kept in strict confidence. Any documents provided to the audit team will be returned before the auditors leave the premises.
- Audit Summary
The audit results should be summarized for presentation to management. Do not forget to start your presentation with ‘accentuating the positive’. Based on your audit, provide sincere and factual feedback on the QMS strengths – departments, processes, resources, controls, documentation, etc. Nonconformity findings may be grouped by functional area (department), the clause of the standard, and severity level (major, minor, or concern). Findings could also be categorized by type of failure, for example, intent (defined processes and documentation), implementation (practices), or effectiveness (results).
- Presentation of Nonconformities
It is recommended that the nonconformities be read out one after the other until they have all been presented, although it might be necessary to give a summary. In some cases, the auditee representatives will have copies of the nonconformities, if some were agreed earlier. Nonconformities may be agreed upon with the authorized person. Signature usually designates acceptance, however, there will be times when the auditee may disagree with a particular nonconformity and not accept it. In this case, the signature may simply denote acknowledgment of receipt of the nonconformity.
Each of the nonconformities presented was based on the facts agreed to earlier by a departmental representative. Although the agreement was reached at that time, the wording of the nonconformity is unlikely to have been at its most complete and concise. Either at review meetings or at the Closing Meeting, these nonconformities are signed by the auditee to acknowledge receipt and understanding of the content.
The team leader is responsible for presenting the conclusion reached by the team based on the audit results. This is the “informed judgment” of the auditors. It must consider the seriousness of any nonconformities and whether they indicate a departmental or company-wide breakdown of the system. The conclusion must be balanced with positive findings made during the audit.
The auditee must have an opportunity to ask questions about the nonconformities or the summary and it would normally come at this point. The facts as stated should not be in dispute. Assuming the auditee accepts all the nonconformities or the summary, the auditor may be asked what response is necessary for the points raised. The auditors would expect the auditee to propose some corrective action in a given timeframe.
The closing meeting is not the place to discuss actual corrective action. That should be given very careful consideration by the auditee. The team leader should, therefore, state that a proposed plan of corrective action is necessary within a number of days or weeks after receipt of the report. However, if the recommendation is for a full re-audit, then it will not be necessary to submit a corrective action plan.
Having presented the findings and discussed them to the auditee’s satisfaction, the audit team can depart, once again thanking the auditee for time, etc.
However, at various times in the past, and perhaps also to be expected in the future, audit teams are faced with the meeting not going to plan for some reason or another.
Audit Report
The report of an external audit should provide a complete, accurate, concise, and clear record of the audit. It is the major output of the audit process and may be read and used by people who were not at the audit (and have no other information about it). It is therefore important that the audit report gives a balanced picture of the whole audit, not merely the nonconformities found. Essentially, the following points are to be addressed in an audit report:
- Unique audit identity (number/ letter, etc.)
- Audit objectives and criteria
- The audit scope, particularly the organizational and functional units or processes audited and time period covered
- Identification of the audit client
- The dates and places where the on-site audit was conducted
- The audit findings and conclusions
The report may also include or refer to the following, as appropriate:
- The audit plan
- A list of audit attendees
- A summary of the audit process, including the uncertainty and/or any obstacles encountered that could decrease the reliability of the audit conclusions
- Confirmation that the audit objectives have been accomplished within the audit scope in accordance with the audit plan
- Any areas in the audit plan that were not covered
- Any unresolved diverging opinions between the audit team and the auditee
- Recommendations for improvement, if specified in the audit objectives
- Agreed follow-up actions, if any
- A statement of the confidential nature of the contents
- The distribution list for the audit report
- Applicable quality system requirements (the Standard)
- Names and positions of team leader and team
There should be a summary statement, a “polished up” version of the one presented at the closing meeting. This summary provides the informed judgment of the auditors.
All audit reports include the nonconformities exactly as they were written and presented to the auditee. If there is a classification system, such as Major or Minor, then this is used. There may also be a reference to a clause in the Standard. If a nonconformity was “closed out” during the audit, then a note is made to that effect.
2. Suggestions for correction of nonconformities
This is becoming less common as organizations recognize its futility. However, certain companies require auditors to include suggestions for the correction of nonconformities. This is difficult, time-consuming, and risky; it may also conflict with registrar policy and procedures (for reasons previously discussed). Auditors have to be very careful about any suggestions because their knowledge of the auditee’s systems is so limited. Their ability to offer valuable criticism is so limited, in fact, that in many cases it is useless and best omitted.
3. Suggestions for improvement
As part of the value-added approach to auditing, the audit team should provide improvement suggestions relating to:
- Areas of concern where controls are in place and conforming with requirements, but in the auditor’s experience and judgment, appear weak and likely to lead to nonconformity in the future
- Opportunities where organizations can more effectively or efficiently manage, perform or control activity or process, based on the auditor’s experience with similar situations in other organizations. It should be understood that the organization has no obligation to implement such suggestions, but it must be aware of the risks of not doing so.
The report should be signed and dated by the audit team leader as “approved”. Some organizations require a further signature from a senior person before the report is issued. It is important to prepare and issue the audit report within a reasonable timeframe. Records will also be kept of corrective actions to satisfy the “close out” requirements of each nonconformity. Internal audits may not require the same depth of reporting, but the records retained will include at least the following:
- Reference and date of the audit
- Department/office/section audited
- Audit scope and objective
- Names of auditor(s), audit plan, and audit checklists plus nonconformities
- Auditor notes
- Audit summary and conclusions
- Corrective actions taken.
Approving and distributing the audit report
The audit report should be issued within the agreed time period. The audit report should be dated, reviewed, and approved in accordance with audit program procedures. The approved report should then be distributed to the auditee and other recipients as designated by the organization. The audit report is the property of the organization. The audit team members and all report recipients should respect and maintain the confidentiality of the report.
Completing the audit
The audit is completed when all activities described in the audit plan have been carried out and the approved audit report is distributed. Documents pertaining to the audit should be retained or destroyed by agreement between the participating parties and in accordance with the audit program procedures and applicable statutory, regulatory, and contractual requirements. Unless required by law, the audit team and those responsible for managing the audit program should not disclose the contents of documents, any other information obtained during the audit, or the audit report, to any other party without the explicit approval of the top leadership of the organization and, where appropriate the approval of the auditee.
Conducting audit follow-up
The conclusions of the audit may indicate the need for corrective, or improvement actions, as applicable. Such actions are usually decided and taken by the auditee within an agreed timeframe and are not considered part of the audit. The auditee should keep the top leadership/process manager informed of the status of these actions. The completion and effectiveness of corrective action should be verified. This verification may be part of a subsequent audit. The audit program may specify follow-up by members of the audit team, which adds value by using their expertise. In such cases, care should be taken to maintain independence in subsequent audit activities.
Auditee post-audit actions
The auditee might have a number of areas that were found to not conform to requirements. These non-conformities must be corrected, the actions verified as effective, and some kind of monitoring implemented to ensure things stay conforming. If the company has only one set of audit results for which to verify corrective actions, its follow-up system may be quite basic. However, some companies may have several nonconformities from external audits, and more from their own internal audits, product reports, and customer complaints. A formal system is necessary to track each nonconformity as it goes towards “close out”. If the external body is returning to check on corrective action taken, the auditee needs a good system to ensure the action has been taken and was effective.
Auditor post-audit actions
For a small number of minor nonconformities found during an internal audit, follow-up may be left until the next planned audit of that area, if practical. For second-party audits, a written response to minor nonconformities is required; based on an acceptable response, the nonconformities are reviewed and closed out during the next visit. Some nonconformities that are purely documentary in nature might be dealt with by a written response alone. If the auditor is to use the nonconformity statements to follow up on corrective action, the statements must be very specific and traceable. A summary of the follow-up process is:
- Identification of nonconformities.
- Summary report prepared.
- Corrective action request (CAR) issued.
- The auditor evaluates response to CAR.
- Completion of corrective action by the auditee.
- Evaluation of effectiveness by the auditee.
- Verification of completion by the auditor.
- Escalation (if necessary).
- Records of each stage in this process.
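The follow-up sequence above, kept as a traceable record with escalation, as an added example that is not part of the original article or of any audit tool: each corrective action request (CAR) must pass through the listed stages in order, every stage transition is recorded, and a CAR whose agreed due date has passed while the next move is still the auditee’s is escalated once. The stage names, the due-date attribute, the escalation rule and the NCR identifiers used in the walk-through are assumptions made for this example.

```python
"""Follow-up tracker for corrective action requests (CARs).

Added example, not from the article or any particular audit tool. It
enforces the follow-up sequence listed above (every stage is recorded and
none may be skipped) and escalates a CAR whose agreed due date has passed
while the next move is still the auditee's. The stage names, the `due`
attribute and the escalation rule are assumptions made for this example."""
from datetime import date

# Follow-up stages in the order they must occur; "closed" is terminal.
STAGES = (
    "identified",               # nonconformity identified and reported
    "car_issued",               # corrective action request issued to the auditee
    "response_evaluated",       # auditor evaluates the auditee's proposed action
    "action_completed",         # auditee reports the corrective action complete
    "effectiveness_evaluated",  # auditee evaluates whether the action worked
    "verified",                 # auditor verifies completion and effectiveness
    "closed",
)
# Stages at which the next move is the auditee's; only these can be overdue.
WAITING_ON_AUDITEE = {"car_issued", "response_evaluated", "action_completed"}


class FollowUpError(Exception):
    """Raised when a CAR is moved out of sequence."""


class CorrectiveActionRequest:
    def __init__(self, ncr_id, clause, due, raised_on):
        self.ncr_id = ncr_id      # traceable back to the nonconformity statement
        self.clause = clause      # clause of the standard the NCR was raised against
        self.due = due            # agreed date for the auditee's response or action
        self.stage = STAGES[0]
        self.escalated = False
        # One entry per stage: (stage, date, note) is the record each stage must leave.
        self.history = [(self.stage, raised_on, "")]

    def next_stage(self):
        return None if self.stage == "closed" else STAGES[STAGES.index(self.stage) + 1]

    def advance(self, stage, on, note=""):
        """Move to the next stage only; skipping or repeating a stage is an error."""
        expected = self.next_stage()
        if stage != expected:
            raise FollowUpError(f"{self.ncr_id}: cannot move from {self.stage!r} "
                                f"to {stage!r}; next stage is {expected!r}")
        self.stage = stage
        self.history.append((stage, on, note))

    def is_overdue(self, today):
        return self.stage in WAITING_ON_AUDITEE and today > self.due


def escalate_overdue(cars, today):
    """Flag each overdue CAR once, record the escalation, and return the flagged ids."""
    flagged = []
    for car in sorted(cars, key=lambda c: c.due):
        if car.is_overdue(today) and not car.escalated:
            car.escalated = True
            car.history.append(("escalated", today, "no auditee action by due date"))
            flagged.append(car.ncr_id)
    return flagged


def stage_counts(cars):
    """Status-report summary: how many CARs sit at each stage."""
    counts = {stage: 0 for stage in STAGES}
    for car in cars:
        counts[car.stage] += 1
    return counts


def demo():
    """Constructed walk-through: one CAR closed in sequence, one left unanswered."""
    car5 = CorrectiveActionRequest("NCR-5", "7.3(d)", date(2024, 4, 30), date(2024, 4, 1))
    for stage, day in (("car_issued", date(2024, 4, 2)),
                       ("response_evaluated", date(2024, 4, 10)),
                       ("action_completed", date(2024, 4, 25)),
                       ("effectiveness_evaluated", date(2024, 5, 20)),
                       ("verified", date(2024, 6, 3)),
                       ("closed", date(2024, 6, 3))):
        car5.advance(stage, day)
    car6 = CorrectiveActionRequest("NCR-6", "9.2.2(a)", date(2024, 4, 30), date(2024, 4, 1))
    car6.advance("car_issued", date(2024, 4, 2))
    escalated = escalate_overdue([car5, car6], today=date(2024, 5, 15))
    return car5, car6, escalated


if __name__ == "__main__":
    c5, c6, esc = demo()
    print("escalated:", esc)
    print("stages:", stage_counts([c5, c6]))
    for entry in c6.history:
        print(" ", c6.ncr_id, *entry)
```

The point of the ordered stage list is that "verified" cannot be recorded before the auditee has evaluated effectiveness, so the history of a closed CAR is itself the evidence that each step happened; the escalation entry is written into the same history, so a CAR that stalled is visible in the record rather than only in someone’s memory.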
Audit reports need to be read by various people in the company, so a distribution list can be helpful, especially where confidentiality is a major concern.
The auditor’s responsibility is to make clear to the auditee that corrective action is necessary. The auditor rarely specifies the corrective action (that is the auditee’s duty), but since the auditee is likely to propose one, the auditor must form a view about how effective it is likely to be in resolving the situation once and for all. Once a nonconformity is in the system, the auditee must ensure that effective and appropriate corrective action is taken. The best corrective action can be decided after clarifying the nonconformity with the auditor, and certainly with the people in the area where it was found. The process of taking, checking, and monitoring the action should be formal; it is perhaps the most important “Quality” activity that takes place in a company, and it is certainly where the audit system becomes a positive rather than a negative exercise. The process is not an easy one, however. The auditee has to get to the root cause of the problem if it is to be corrected permanently. It is very easy to correct the effect of the nonconformance instead of the root cause, in which case the nonconformity will reappear in time. The auditee also has to consider the impact of the corrective action on the rest of the process, as well as its effect on areas not considered during the audit. The essential features of corrective action are as follows:
- Identification of nonconformity
- Establish responsibility for controlling the pertinent process
- Collect data to establish a root cause for the nonconformity
- Analyze the data and establish corrective action
- Monitor effectiveness of this action, including internal auditing
- Revise the action if ineffective
- Record all the actions taken
- Amend system documentation, as necessary
Perspective On Internal Audits
An internal audit, or first-party audit, is an audit carried out by a company on itself to determine whether its systems and procedures are consistently improving products and services, and to evaluate conformity with its procedures and the standard. Every second- and third-party audit should take into account the first-party audits carried out by the company in question. Ultimately, the only systems that should need to be examined are the company’s own internal audits and reviews; second and third parties themselves have to carry out internal audits to ensure their own systems and procedures meet their business objectives. Within any company, therefore, the real benefit of auditing comes from these “self” audits.
The internal auditor is, in effect, the company’s quality assurance resource. What is the point of someone “independent” doing the auditing if the company’s own effort already goes into ensuring that the business has the right people, materials, resources, and systems? If the effort is put into providing the support necessary to do a good job, why do a bad one? It is accepted, however, that some companies still have a long way to go before that state is reached.
The need for an audit system, whether for external or internal audits, is paramount. Audits are scheduled according to a plan, usually looking at the various processes, their sequence, and their interaction with other processes within the QMS, with some flexibility built in to allow a particular effort to be realigned. Each audit needs to be prepared for with an audit plan and checklist. Formal opening meetings are not typical except in fairly large organizations; the auditor meets briefly with the department manager and gets on with the audit. The auditor is examining the work and outputs of colleagues, which puts an added strain on both auditor and auditee, and the auditor will sometimes be in a difficult position because of this tension.
How can both the auditors and the system be protected? There are two aspects to consider here: the system, which is installed in partnership with everyone in the company, and the credibility of the auditor.
3 thoughts on “ISO 9001:2015 Clause 9.2 Internal Audit”
Thank you so much!
This is one of the best articles I have read on Quality Management Systems. Very thorough, clear and, most importantly, useful. Good reference material. GOOD JOB.