
MODERN INTERNAL AUDITS

- compliance - improvement -

ISO 9001:2000

THE PURPOSE OF INTERNAL AUDITS


AUDIT (ISO 9000:2000 VOCABULARY)

Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled

Audit criteria: Set of policies, procedures or requirements used as a reference

ISO 19011 COMBINES THE QMS AND EMS AUDIT PROCEDURES

THE PURPOSE OF INTERNAL AUDITS

ISO 9000:2000 2.8.2 Auditing the Quality Management System


Audits are used to determine the extent to which the quality
management system requirements are fulfilled. Audit findings
are used to assess the effectiveness of the quality management
system and to identify opportunities for improvement

2.8.1 Evaluating processes within the QMS


a) Is the process identified and appropriately defined?
b) Are responsibilities assigned?
c) Are the procedures implemented and maintained?
d) Is the process effective in achieving the required results?

ISO 9001:2000 8.2.2 Internal audit


transformed into positive claims:
Internal audit
We conduct audits at planned intervals to determine
whether our QMS conforms to the planned
arrangements and to the requirements of the ISO
9001 standard and to check that it is effectively
implemented and maintained.
Planning of audit program
We plan an audit program taking into consideration
the status and importance of the processes and areas
to be audited, as well as the results of previous
audits.

Documented audit procedure


We have established a documented procedure for
the planning, conducting, criteria, scope, frequency
and methods of audits including reporting of results
and maintenance of audit records.

ISO 9004:2000 8.2.1.3 Internal audit


Examples of subjects for consideration
by internal auditing:
effective and efficient implementation of processes
opportunities for continuous improvement
capability of processes
effective and efficient use of statistical techniques
use of information technology
analysis of quality cost data
effective and efficient use of resources
processes and product performance results
adequacy and accuracy of performance measurements
improvement activities
relationships with interested parties

Auditors
We select our auditors and conduct audits in such a
way that the objectivity and impartiality of our
audits is ensured.
Responsibility of corrective actions
Our management responsible for the area audited
ensures that actions are taken without undue delay
to eliminate any detected nonconformities and their
causes.
Follow up
We perform follow-up activities to verify that
actions are taken to eliminate nonconformities and
their causes, and we report the results of our
verification activities.

SELF ASSESSMENT MODEL OF ISO 9004


Performance level: Guidance

No formal approach: No systematic approach evident, no results, poor results or unpredictable results

Reactive approach: Problem- or corrective-based systematic approach, minimum data on improvement results available

Stable formal system approach: Systematic process-based approach, early stage of systematic improvements, data available on conformance to objectives and existence of improvement trends

Continuous improvement emphasized: Improvement process in use, good results and sustained improvement trends

Best-in-class performance: Strongly integrated improvement process, best-in-class benchmarked results demonstrated

PERFORMANCE MATURITY LEVELS (A.2 ISO 9004:2000)

CIRCUMSTANCES FOR EFFECTIVE AUDITING?


Change willingness - organization is willing to implement reasonable audit findings

Attitudes support improvement - without that, auditing work is mainly lost!

Top management briefs auditors - what special themes they want the auditors to verify

Members of top management work as auditors to some extent - shows the importance of audits to the organization and gives them an opportunity to interact with people

Feedback to auditors - what really happened with nonconformities and recommendations

AUDIT LIFE - CYCLE PROCEDURE


Annual audit schedule of the whole QMS (calendar figure: month and year, days Monday to Sunday)

Individual
audit
plans

Competence

Product audit
System audit
Process audit

Purpose why and what?


Documents and records - reading

Planning

Qualifications
Planning
skills

Preparing of
single audit visit

Procedures
and records

Interactive
skills
Independency

Compliance with
standards, norms,
legislation, QMS,
contracts etc.
(ISO 9001)

Questionnaires

Interviews, follow up of
processes and inspections

Auditors
Conduct of
audits

Purpose
Corrective
actions

Identification of
areas of improvement
(ISO 9000, 9004)
Management
reviews
Follow up and closing
of the corrective
actions

Reporting

Verification of essential
must - be points, records
Identification of improvement needs
Audit records

Strengths
(ISO 9004)
Recommendations
(ISO 9004)
Nonconformities
(ISO 9001)
Scheduled
corrective
actions

WHAT IS A MODERN AUDIT?


How are rules and requirements followed in practice?
relevant instructions, procedures, norms, standards...
objectives, action plans, values, policies, environmental programs...
customer and delivery contracts and conditions, purchase contracts
laws, acts, regulatory requirements, permissions, eco-labelling criteria
=> what deviations do we find in fulfilling the requirements
Should something be done more effectively and more efficiently to
improve customer satisfaction and profitability?
what could be done better to achieve the expectations?
the people working in the process know best the weak points
=> recommendations and identification of potential risks of not
fulfilling the requirements, things that could be done better!

WHAT - HOW - RESULTS - IMPROVEMENT


The basic formula of any work and modern
audit

WHAT?
- content

Right things
- criteria
- laws, acts,,,
- expectations
- objectives
- requirements
- etc.
More accurate
definition of
must be
things

HOW?

RESULTS
- indicators -

- process
Right things right,
efficiently without
wasting of resources

Improvement
Learning

What has been achieved?


What do the results indicate?
- level of results?
- trends of results
- fulfilling of specification limits
- learning from the results

Do we find any sign


of utilization of results?
Any sign of learning?
Any sign of improvement?

ASSIGNMENT OF MODERN AUDITORS

Personal
Understands systems
Plans in advance
Problem centric - what's behind the problems
Investigator - remember the superintendent Columbo!
Gets along with bosses as well as with workers
Constructive - sees problems as opportunities for something better
Good listener - makes people discuss and tell their story
Creates confidence, is frank and honest
Not the huge number
of questions but good
listening and active
scanning!

Competent and professional

PROFILE OF AN EFFECTIVE AUDITOR


AUDIT TEAM (ISO 19011)


Lead auditor:
total responsibility
leader of the audit team
Auditors:
experts
appropriate competence
independent
knowledge of applicable requirements
Team:
planning of the audit (audit program)
choice of the audit approach (product or system or process audit)
planning of audit questions
carrying out of audit (interviews, verifications, information collections, clarifying of backgrounds)
reporting (judgement, conclusions, compiling of audit report)
close up of audit (presenting of audit report)
follow up of completing of corrective actions, if agreed
Auditee:
works in cooperation with the audit team
gives open information to the audit team
reserves the key persons to be present during the audit
commits to perform the corrective actions needed

WHAT COULD BE CONSIDERED IN AUDIT PLANNING?

Shareholder
expectations?

Personnel
expectations?

Customer
expectations?

Supplier
expectations
Society
expectations?

Needs and expectations of stakeholders?

Documented requirements?
Audit Rough
Planning

Continuous
improvement?

Specifications
Quality Manual
Work instructions
Contracts
ISO 9001
ISO 14001
GMP, GLP etc.
What are the most critical
requirements in fulfilling
customer expectations?

Results and their


trends, level, history
=> Hints for the audit?

What do they
express?

Any violations,
trends, peaks
etc?


ISO 9001:2000 SHORTLY


7 Processes
process planning

4 QMS
LKK
MEO
TO

documents

structure
records

6 Resources
provision of resources
competence, training, awareness

infrastructure
work environment

customer related processes


design and development
purchasing
production / service delivery
calibration
- reasonable process description
- process measures
- process improvement

5 Management responsibility
commitment, regulatory req.

customer focus
quality policy (success factors)
measurable quality objectives, deployment
communication
organization, responsibilities,
authorities
reviews

8 Measurement, analysis, improv.


measurement (customer, product, process,

supplier)
internal audits
nonconforming products
analysis, conclusions, corrective and
preventive actions, continuous improvement

ISO 9001:2000 TAKES A NEW APPROACH TO AUDITING


(There are a lot of requirements which are not explicitly required
to be documented, but which have to be implemented and applied)

Does there exist any approach required by the "shall be"? Find out evidence!

Have people understood it? Find out evidence!

Is the approach implemented and deployed? Find out evidence!

Is it effective? Is there any positive feedback? Find out evidence!

Is there any evidence of improvement of the approach? Find out evidence!


Improvement
Commitment
Internal
2. Focus on customers

1. Emphasis from documented
procedures to measurable
objectives, feedback analysis
and continuous improvement

3. Role of management
increases
4. Communication

5. People development
(competence, effectiveness)

ISO 9001:2000
challenges
for
auditors

11. ISO 9004

Data, feedback,
information,
analysis, conclusions,
actions, follow up

Between
functions,
organizations

7. Suitability and maintenance


of machines, rooms, systems,
support services

10. Continuous
improvement

Improvement
processes

6. Work environment
- suitability

9. Process
approach

8. Fulfillment of legal and regulatory


requirements

Plan whom to meet during the audit and the order of interviews
Process owner
or functional
manager

Either or

Supervisor or
team leader

People performing
the work

PLAN WHOM TO MEET AND IN WHICH ORDER


PREPARING FOR THE AUDIT


Identification of stakeholder needs and expectations
to find out what is crucial for the business to be audited
Quality, environmental and
safety policy
Company vision, goals,
objectives and programs

Relevant manuals, procedures


and instructions - prioritize!
Organizational and process changes,
investment programs concerning products
Reports of earlier audits

Get acquainted with the


information systems
of the company

Organization structure and


essential responsibilities and
authorities

Critical human, material,


equipment etc. resources
needed to meet customer
and other requirements

DECIDE WHAT IS THE


RED THREAD OF
YOUR FORTHCOMING
AUDIT AND THEN
PRIORITIZE YOUR
SOURCE READINGS!

Particular substance and /


or material requirements
Product changes
and change control

Most critical standards, norms
and legislation e.g. GMP, GLP
Process flow sheets
Customer complaints, feedback,
quality control summaries, process
measure trends, supplier delivery
data and trends etc.

5.6 Management review

Quality Policy 5.3

8.2.2

Quality Objectives 5.4.1


QMS Planning (5.4.2)
Resources 6.0
NEEDS

PROCESS 7.0

Inputs

Outcomes

Monitoring
8.2.3/4
8.5

Special Requirements
4.2.4

8.4
8.2.1

5.5.1

CUSTOMER

4.2.3
Plan reasonable audit programs

Management responsibility 5.1 5.6

Documentation
audit
5.4.2
4.2.3
7.1
7.5.1

6.1
6.3
7.6

Infrastructure
audit

Human Resources
audit

Product &
Process audits
7.2
7.3
7.4
7.5.3
7.5.5
8.2.4
8.3

6.1
6.2
5.5.1
5.5.3
4.2.4
5.2
5.3
5.4.1
7.5.2
8.2.3
8.4
8.5.1

Performance &
Records audit

PROCESS

6.4

Work Environment
audit

ISO 9001:2000 GIVES YOU POSSIBILITIES


TO PLAN AUDIT PROGRAMS ACCORDING TO
DIFFERENT NEEDS AND ASPECTS


Auditors have to understand the value generating systems

Enterprise architecture and infrastructure

KNOWLEDGE

COMPETENCE

Management of structures, functions and processes


Human resource management
Technology development and innovation
Financial management

Strategic
management

Procurement
and supply
chain management

Marketing
and sales
management

Operations
management

Logistics
and distribution
management

VALUE
GENERATION
AND VALUE
ADDITION

Customers

Quality
Service

REVISED VALUE CHAIN BY T Morden, 1999


CHALLENGE FOR THE AUDITORS- SYSTEM AUDITING


BROAD PERSPECTIVE OF AUDIT


Supplier
value chains

Organization's
value chain

Distribution
channel
value chains

Customer
value chains

Enterprise architecture and infrastructure

KNOWLEDGE

COMPETENCE

Management of structures, functions and processes


Human resource management
Technology development and innovation
Financial management

Strategic
management

Procurement
and supply
chain management

Marketing
and sales
management

Operations
management

Logistics
and distribution
management

VALUE
GENERATION
AND VALUE
ADDITION

Quality
Service

MODERN AUDITING IS VERIFYING THE REQUIRED IMPLEMENTATION


OF VALUE ADDING CHAINS. AS AN AUDITOR YOU HAVE TO UNDERSTAND
THE WHOLE BUSINESS SYSTEMS TO BE EFFECTIVE!


DIFFERENT AUDITING TACTICS


Effective in revealing
systematic deficiencies

Effective in revealing
systematic deficiencies

From delivery to
sales

From sales to
delivery
Downstream auditing

Upstream auditing
Verification of
product requirements

Process auditing

Product auditing

Departmental
auditing

Horizontal auditing
Vertical auditing
Identification of problems
between departments

Vertical walk through


the same department

Not so effective in
revealing systematic
deficiencies

Identification of
information flow,
commitment to objectives etc.


PROCESS AUDIT TACTICS


Goals, budgets, strategy, procedures,
legislation, instructions, standards etc.
CONTROL

Sales

Inputs

Engineering

Production

Delivery

Down stream

Outputs

Up stream

RESOURCES
PROCESS AUDITS CAN BE DONE EITHER IN DOWN STREAM
OR IN UP STREAM. UP STREAM IS MORE BENEFICIAL FOR
AUDITORS, IT GIVES PRACTICAL EXPERIENCES ALONG THE
ROUTE AND FINALLY AT SALES OFFICE YOU CAN ASK
VERY TIGHT QUESTIONS


Usage

DOWN STREAM OR UPSTREAM


AUDITING AND FOLLOWING OF
TRACEABILITY IS ONE OF THE
MOST EFFECTIVE AUDIT TACTICS
- traceability audit
Information
Systems

Packing and
delivery logistics

Storage

Maintenance
- process capability

Production

Human Resource
Administration

Take an
example,
a certain
lot or batch
and trace
data and
procedures
to it through
the process

Production
planning

Purchase
- raw materials
- logistics

Specs
R&D
Marketing &Sales

Take a specific product batch and follow its path through the process and track essential data,
information and instructions linked to the same batch!

Plan the process


audit

Make questions concerning:


- Process planning and documentation, process instructions, regulatory req.
- Process boundaries (functional and / or team boundaries)
- Process management, responsibilities, ownership, objectives, measures
- Customer definition and identification of their needs and expectations
- Supplier selection criteria, purchasing, feedback and re-evaluation procedures
- Product specifications
- Quality control, measurement, calibration, test status requirements
- Corrective and preventive and process improvement procedures

Suppliers

INPUTS

Make questions concerning:


- Input information and data
(orders, contracts, needs, expectations, experiences)
- Raw materials, components etc.
- Supplier quality
- Etc.
Choose and
trace some
certain lot

E.G. SALES DELIVERY


PROCESS

RESOURCES

Make questions concerning:


- Resource management
- People competence
- Infrastructure
- Work environment

OUTPUTS

Customers

Control

Make questions concerning:


- Product quality
- Delivery quality
- Nonconformities
- Customer feedback
- Customer satisfaction
- skills, knowledge, qualifications
- work content and order
- motivation, attitudes, satisfaction
- awareness of own role

Man

Marks

- capability of machines, yield
- effectiveness, efficiency
- maintenance
- performance
- degree of utilization

Machines

WHAT IS
IMPORTANT
in process control?

- preventive costs
- appraisal costs
Milieu
- defect and scrap costs
- complaint costs
- environmental sanctions
- penalty costs
- working conditions
- sampling conditions
- analysis conditions
- sample storing conditions
- working environment

- properties
- uniformity, stability
- environmental aggressiveness

Materials

Methods

Measurements

- work flow
- who, what, when, how
- unambiguity, clarity
- readability
- variation control
- utilization of feedback
- updating of content
- information flow

- sampling methods, representativeness
- repeatability, reproducibility
- measuring uncertainty
- records
- conditions
- traceable calibration

PRACTICAL ITEMS FOR PROCESS AUDITS


Additional
questions
during
audit

THE RED THREAD OF THE AUDIT



Don't make the questionnaire too detailed


Follow your main themes, listen and make additional questions
Return to your main questions when you feel that the main
content to your earlier question has been achieved


PLANNING OF AUDIT QUESTIONNAIRE


What is important
to customers, owners,
personnel, suppliers
and society?

Management
responsibility
- what kind of
support?

Critical process
phases?
- what to observe?

Choose 1 - 3 Must-Be matters as drivers of the audit

Audit questionnaire

Support of
documents,
records, norms,
(GMP, GLP, ISO,,,)
standards, procedures etc.?

Critical resources?
- what kind
of support?

Feedback, measures
- corrective actions?
- preventive actions?
- continuous improvement?

FIND OUT WHETHER THEY MANAGE THE MATTERS


EFFECTIVELY AND EFFICIENTLY IN THE AUDITED AREA


Page:________

QUESTIONNAIRE
Questions

Auditees

Auditors

Records

OK NOT OK

Arrange the questions either


according to themes or according to people to be audited

Remember questions inspiring


improvement ideas
Remember questions concerning
learning from feedback, results
Remember to collect facts during
discussions


THEMES FOR THE INTERVIEW OF ORDINARY PEOPLE


1 Who are your internal customers? What do they expect or require from your job?
2 How do you see that your bosses emphasize the customer focus in practice?
3 With whom do you work together? What is crucial in this cooperation?
4 What work phases are critical in your work? What are the requirements?
5 How do you see that procedures, manuals, instructions etc. support you and your work?
6 How is the acceptability of your work phase assessed? How do you receive feedback?
7 What kind of records are you requested to fill in? Are they clear?
8 How do you handle deviating parts, materials, products, situations etc.?
9 What would you like to specially improve in your work?
10 What kind of training or competence improvement needs do you have?
11 How well do you see that the infrastructure (facilities etc.) is supporting your work?
12 How well do you see that the work environment is supporting your work?
13 How well do you see that suppliers' actions and deliveries support your work?


COLLECTION OF OBSERVATIONS DURING AUDIT


Follow up of inspections and process phases,
use of clarifying questions
Interviews of personnel
(management, white and blue collar
people; awareness of their roles,
duties, authorities, QMS, awareness
of process thinking)

Review of files and records

Implementation of
rules and criteria
and relevant
documents

Order, tidiness, hygiene


Status of materials, products, qualified
processes, testing and measuring systems
Skills and competences of personnel
Training and qualifications of personnel

Identification of
non-conformities and
their handling, prevention
of reoccurrence, use of
early warning indicators,
continuous improvement

Identification of material
markings and labels,
traceability of chemicals,
additives, analysis data,
calibration chains,
acceptances etc.

Follow up of the skills of


people to use computer
systems in controlling
operations


SCHEDULING THE AUDIT DAY


Opening

introductions
objectives
program
reporting

Auditing

5 - 10 min
(In practice auditors start
directly with interviews etc.
and shortly introduce the
purpose and scope to everyone
met during the audit)

2-5h

interviews, observations, verifications
and additional tasks

Report compilation

1/2 - 2 h

Close up meeting

1/2 h


CONDUCT OF AUDIT

ASK
Open ended questions
to receive the
best information

RECORD
Objective evidence,
both positive and
negative points

OBSERVE
Follow what
is occurring
in processes

VERIFY
The compliance with
the documents and
requirements
The existence of relevant
files and history of results


BACKGROUND INFORMATION FOR THE AUDITS


Clarify to yourself what the objectives of this audit are - what do you want to find out?
Inform the organization to be audited
Be positive even in the case that things are not so well looked after
Prepare, prepare and once more prepare thoroughly before your audit visit
Collect and record the facts from the company, not your opinions
Be systematic
Never lose the product and customer requirements from your sight
Never accuse the interviewee
Record what the interviewee himself is saying, not your interpretations
If you have made wrong conclusions, be correct and change your decisions

To be a good auditor . . .

1 You have to understand the scope and the objectives of every audit
2 You have to focus on the essential features
3 You have to have the red thread and logic in your audit assignment
4 You have to be frank, confident and make people discuss with you
5 You have to make reasonable conclusions from your observations
6 You have to keep your timetables


AUDIT RECORDS
1. Identifications:
auditor names
auditee names and positions
date
company, functions and / or products & processes

2. Main items of interviews:


records from the main items discussed
3. Checked examples - recording of facts:
reports, protocols and other documents reviewed - take copies with you!
identifications of rules, procedures, criteria applied during audit
information concerning processes, equipment, tests etc. followed

4. If necessary:
recording of conditions like temperature, moisture, dust etc.
order and tidiness, hygiene, ventilation, illumination ...
attitudes among personnel to control and react to production conditions,
process and product deviations, disturbances
awareness of their own roles, motivation, working atmosphere

A GOOD OBSERVATION?
Is based on facts
Gives such a clear description that it can be
understood even after years
A complete sentence
Does not use stretching words such as "sufficiently", "well enough" etc.
Unambiguous and precise
Not an opinion
Does not refer to a person
Valuable for the corrective actions and improvement
Expresses the situation as clearly as possible
Encourages and supports the receiver

Verified documents (date, title, identification, version)


Background of the
observation
- random or systematic?
- linking to what ISO 9001,
GMP, GLP etc. element?
- linking to quality objectives?
- where in the QMS?
- situation where observed?
- area in charge?
- evidence received??

Verified equipment, systems, rooms etc.


Verified records and files (reports, files, memos,,,)
Interviewed persons (position, name, department,,,)
Verified products (product id, drawing, specification, place, lot,,,)
Verified production lines, infrastructure ,,,

OBJECTIVE EVIDENCE


Nonconformity
Report

Specify the problem accurately and unambiguously


Link the verified facts to your report
Give information what kind of risks the problem
may cause to the auditee
Give a clear address of the problem (where, when, with whom,
machines etc.)
Refer to the documented requirement which has been violated
(procedure, instruction, ISO 9001 element etc.)

WRITING A NONCONFORMITY REPORT


REPORTING OF AUDIT RESULTS


Strengths; things that show strong
positive influence on product or service
quality, work atmosphere, profitability,
customer satisfaction etc.

Audit
Summary

Recommendations; things where


you are not completely sure whether they
are nonconformities, things which
were raised during the audit to be
improved etc.
Non-fulfilment of
a requirement
- based on objective
evidence

Nonconformity
Report (ISO 9001)

Strengths and
Recommendations
(ISO 9004)

Consider thoroughly your findings before reporting!


CLOSE UP MEETING
Introduction:
where and when
main items of audit
auditors
people met during audit
Audit approach:
execution
report structure
Report:
strengths and recommendations
nonconformities

Internal discussion within the audit team:


What did we learn from this audit?
What should we learn for the future audits?

CORRECTIVE ACTIONS AND CONTINUOUS IMPROVEMENT


Nonconformities:
immediate actions
plans and schedules
follow up of the effectiveness
closing
Cause

Recommendations:
prioritization
evaluation, decision and
communication

Impact

Small
Not
known
Known

Large
Resource needs

Strengths:
how to exploit strengths
to improve customer satisfaction and competitiveness?

Minor

Extensive


Self assessment models (ISO 9004:2000)


Special questions asked literally during audit
Problem mapping during audits (e.g. with help of process flow sheets)
Cross-functional boundary problem identifications
Quality Award questions
Questionnaires to be fulfilled by the personnel during audits
Bottleneck analysis, lead time analysis etc. as a group work
during audits

DEVELOPING OF INTERNAL AUDITS


Improvement of internal audits


Viewpoint

What to improve next time?

Preparing for the audit?


available material sufficiency?
information from the auditee organization?
compiling of questions?
Audit plan in practice - functionality?
possible deficiencies
accuracy?
time schedule tight or loose?
Audit interviews, verification?
interactiveness?
questioning techniques?
ability to make additional questions?
looking for facts, evidences?
follow up of your red thread?

Competence of the audit team in substance matters?

Recording of audit findings?

Compilation of audit report?

Close up meeting - clarity, additional value?
