
ISO 9001:2015 Internal Audit

Using ISO 19011:2018 Guidelines

AED Marketing and Consultancy Services


Course Overview
Target participants: Existing and potential QMS Auditors & Auditees

Course duration: 2 days

Course prerequisite: Participants should have previously attended:
• ISO 9001:2015 Awareness / Foundation Course or
• ISO 9001:2015 Transition Course
Course Objectives
• To interpret the requirements of the ISO 9001:2015 Standard in the context
of an audit
• Understand the concept of an audit and its purpose as a
management tool
• Describe the roles and responsibilities of auditors and lead auditors
• Plan and conduct an audit (in accordance with ISO 19011:2018)
• Understand the benefits of conducting an audit
Course Outline
A. Interpreting the Intent of the ISO 9001:2015 Standard

B. Audit Objectives, Principles, and Concepts

C. Audit Preparation

D. Conducting On-site Audit


E. Audit Reporting

F. Auditor Selection and Evaluation

G. Workshop / Exercises

H. Question and Answer

I. Post-training examination
ISO 9001:2015 Review
Review of selected QMS Key Terms
Quality: Degree to which a set of inherent characteristics fulfills
requirements
System: Set of interrelated or interacting elements
Management system: System to establish policy and objectives and achieve those objectives
Quality management system: Management system to direct and
control an organization with regard to quality

Risk-based thinking:
• Opportunities: can arise as a result of a situation favorable to
achieving an intended result
• Risk: effect of uncertainty; the effect can be positive or negative (+ or -)
ISO 9001:2015 High Level Structure
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
ISO 9001:2015 Requirements

4 Context of the organization


4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the QMS
4.4 QMS and its processes
Audit sample questions and evidences

• QMS scope determined taking into account the following:


– External and internal issues?
– Interested parties?
– Organization’s products and services?

• QMS established including the processes needed and their sequence and interaction?

• Criteria for managing these established together with responsibilities, methods, measurements and related performance indicators needed to ensure the effective operation and control?
Documented information:
• Scope of the QMS
• To the extent necessary:
– ‘maintain documented information to support the operation of its processes’
– ‘retain documented information to have confidence that the processes are being carried out as planned’
ISO 9001:2015 Review
5 Leadership
5.1 Leadership and commitment
5.1.1 General
5.1.2 Customer focus
5.2 Policy
5.2.1 Establishing the quality policy
5.2.2 Communicating the quality policy
5.3 Organizational roles, responsibilities and
authorities
Audit sample questions and evidences

• Top management takes accountability for the effectiveness of the QMS?


• Policy and objectives for the QMS
– Compatible with the context and strategic direction of the organization?
– Established?
– Communicated?
• QMS integrated into the business process?
Audit sample questions and evidences
• Customer requirements and applicable statutory and regulatory requirements:
– Determined?
– Met?
– Communicated?
• Risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction:
– Determined?
– Addressed?
• Organization established and communicated the responsibilities and
authorities for the effective operation of the QMS?
Audit sample questions and evidences
Documented information
• Quality Policy
ISO 9001:2015 Review
6 Planning
6.1 Actions to address risks and opportunities
6.2 Quality objectives and planning to achieve them
6.3 Planning of changes
Audit sample questions and evidences

• Risks and opportunities that need to be addressed to give assurance that the QMS can achieve its intended results established?

• Planned actions to address these risks and opportunities?

• Objectives established at relevant functions, levels and processes for QMS?

• Plan for determining the need for changes to the QMS and managing their implementation?
Audit sample questions and evidences
Documented information:
• Quality Objectives
ISO 9001:2015 Review
7 Support
7.1 Resources
7.1.1 General
7.1.2 People
7.1.3 Infrastructure
7.1.4 Environment for the operation of processes
7.1.5 Monitoring and measuring resources
7.1.6 Organizational knowledge

7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
Audit sample questions and evidences
• Determined and provided the resources needed for the establishment, implementation, maintenance and continual improvement of the QMS?
• Monitoring or measuring used for evidence of conformity of products
and services?
• Infrastructure necessary for the operation of processes available?
Audit sample questions and evidences
• Determined the knowledge necessary for the operation of its processes
and achievement of conformity of products and services?
• Persons who can affect the performance and effectiveness of the QMS
are competent on the basis of appropriate education, training, or
experience or taken action to ensure that those persons can acquire the
necessary competence?
• Persons doing work under their control are aware of:
– quality policy and objectives?
– their contribution to QMS?
– the implications of not conforming?
Audit sample questions and evidences
• Determined internal and external communications relevant to the QMS?
• Documented information required by the standard and necessary for the
effective implementation and operation of the QMS established?
Documented information:
• Evidence of fitness of purpose of monitoring and measurement resources
• Evidence of competence
• Documented information as evidence of conformity
• Documented information of external origin
ISO 9001:2015 review

8 Operation
8.1 Operational planning and control
8.2 Requirements for products and services
8.2.1 Customer communication
8.2.2 Determining the requirements for products and services
8.2.3 Review the requirements for products and services
8.2.4 Changes to requirements for products and services

8.3 Design and development of products and services


8.4 Control of externally provided processes, products and services
8.4.1 General
8.4.2 Type and extent of control
8.4.3 Information for external providers
8.5 Production and service provision
8.5.1 Control of production and service provision
8.5.2 Identification and traceability
8.5.3 Property belonging to customers or external providers
8.5.4 Preservation
8.5.5 Post-delivery activities
8.6 Release of products and services
8.7 Control of nonconforming outputs
Audit sample questions and evidences
• Defined processes for the provision of products and services that meet
specified requirements for the products and services?
• Changes are planned and carried out in a controlled way and actions
taken to mitigate any adverse effects?
• Process for reviewing and communicating with customers in relation to information relating to products and services, enquiries, contracts or order handling?
• Review conducted prior to the organization’s commitment to supply products and services?
Audit sample questions and evidences
• Use of controlled conditions:
– The availability of documented information that defines the characteristics of the products to be produced or the services to be provided?
– The availability of documented information that defines the results to
be achieved?
– Monitoring and measurement activities at appropriate stages?
– Ensuring the people carrying out the tasks are competent?
Audit sample questions and evidences
Documented information:
• For Operational planning and control, to the extent necessary:
– To have confidence that the processes have been carried out as planned
– To demonstrate the conformity of products and services to their
requirements
• Results of Review of requirements for products and services or any new
requirements
• Changes to requirements for products and services
ISO 9001:2015 review
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
9.1.2 Customer satisfaction
9.1.3 Analysis and evaluation
9.2 Internal Audit
9.3 Management review
10 Improvement
10.1 General
10.2 Nonconformity and corrective action
10.3 Continual improvement
Audit sample questions and evidences
Documented information:
• Evidence of monitoring, measurement, analysis and evaluation of QMS
• Evidence of implementation of the audit program and the audit results
• Evidence of the results of Management reviews
• Determined opportunities for improvement and implemented the
necessary actions to meet customer requirements and enhance customer
satisfaction?
• Processes for managing nonconformities and the related corrective
actions?
• How to continually improve the suitability, adequacy and effectiveness of the QMS?
Audit sample questions and evidences

Documented information:
• Nature of NC and actions taken
• Results of Corrective action
Auditing Objectives, Principles, and Concepts
Objectives of an Audit
• Certification or internal audit
• Assess effectiveness, doubtful performance
• Verify compliance
– Regulatory or contractual requirements
– After significant changes
• Needs from supplier evaluation
• Identify opportunities for improvement
Terms Relating to Audit. . .
AUDIT
Systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled

AUDIT CRITERIA
Set of requirements used as a reference against which objective
evidence is compared
OBJECTIVE EVIDENCE
Data supporting the existence or verity of something

AUDIT FINDINGS
Results of the audit evaluation of the collected audit evidence
against audit criteria

AUDITOR
Person who conducts an audit
Principles of Auditing ISO 19011:2018

1. Integrity: The foundation of professionalism
- Perform their work ethically, with honesty and responsibility
- Only undertake audit activities if competent to do so
- Perform their work in an impartial manner

2. Fair presentation: Obligation to report truthfully and accurately
- Significant obstacles and unresolved diverging opinions between auditor and auditee are reported and disclosed

3. Due professional care: Diligence and judgment in auditing
- Exercise due care in accordance with the importance of task performed
- Have the ability to make reasoned judgments in all audit situations

4. Confidentiality: Security of information
- Discretion in the use and protection of information acquired in the course of their duties
- This concept includes the proper handling of sensitive or personal information

5. Independence: Impartiality of audit and objectivity of audit conclusions
- Free from bias and conflict of interest
- Maintain objectivity throughout the audit process
- Audit findings and conclusions are based only on audit evidence

6. Evidence based approach: Rational method for reaching reliable and reproducible audit conclusions in a systematic audit process
- Audit evidence is verifiable
- Based on samples of information available
- Use of appropriate sampling that is closely related to confidence of audit conclusions

Risk Based Approach
• An audit approach that considers risks and opportunities
The risk-based approach should substantially influence the planning, conducting and reporting of audits
- Audits are focused on matters that are significant

A risk-based approach will seek to identify risks with the greatest potential impact.
Audit Cycle
[Figure: audit cycle diagram; surviving label: CHECK]
Stages of a Certification Audit

• First Stage Audit: System and documentation audit
• Second Stage Audit: Compliance and implementation audit
Objectives of Stage 1 Audit

• Understand the organization, scope and documentation


• Agree on audit planning and prepare audit documents
• Develop rapport, resolve misunderstandings
• Determine readiness for certification
• Develop a logical and effective stage 2 audit plan
• Establish audit team requirements
• Validation of the management system in question
Objectives of Stage 1 Audit

• Extent and boundaries of an audit


• Driven by audit objectives
– Establishes the boundary of an audit
– Geographical location
– Function/division
– Activities
– Product types
• Drives team competence requirements
Audit Types

• 1st Party (your own organization): Audits carried out by a company on its own systems.
• 2nd Party (subcontractor): Audits carried out by one organization on another prior to or after contract placement.
• 3rd Party (certification body): Audits carried out by independent accredited organizations.
Difference Between 1st and 2nd and 3rd Party Audits

Elements | First Party | 2nd and 3rd Party
Offers of Advice | Usually expected | Rarely in 2nd party, never in 3rd party
Audit Style | Can be relaxed, although sometimes inhibiting if auditee is senior mgt. | Much Normal
Opening Meeting | Optional | Required
Closing Meeting | Optional | Required
Auditee Reaction | Depends on the culture | Usually taken very seriously due to implication of audit result
Auditor Skills and Responsibilities
Effective Auditors Skills
Objective :
To understand and use an appropriate set of skills and
interpersonal behavior for effective auditing.
Competence & Evaluation of Auditors – Requirements (ISO 19011:2018)
• Based on the demonstration of:
– Personal attributes as defined in clause 7.2.2:
  • Ethical
  • Versatile
  • Open to improvement
  • Open minded
  • Tenacious
  • Culturally sensitive
  • Diplomatic
  • Decisive
  • Collaborative
  • Observant
  • Self-reliant
  • Perceptive
  • Able to act with fortitude
Auditor’s Qualities & Characteristics

• Good communicator
• Tactful and diplomatic
• Firm and tenacious
• Inquisitive
• Able to judge significance
• Patient
• Capable to decide priorities
• Analytical, Flexible
• Knowledgeable
• Good Planner
• Professional
• Self disciplined
• Good listener
The “Ideal” Auditor?

 Relaxed and Friendly


 Good Listener/Communicator
 Interested, Objective and Logical
 Positive attitude and Enquiring Mind
 Explains the process and Understand the Technicality
 Gives good feedback
 Excellent Interpersonal Skills
 Can communicate at all levels of the organization
Roles and Responsibilities of the Auditors

Objective:

To outline the basic roles and responsibilities of the Auditor and Lead Auditor
Lead Auditor’s Responsibilities

• Define purpose and comply with the requirement of the audit


• Prepare an Audit Plan and working documents
• Select, assign and brief the audit team(s)
• Represent Audit team to Management
• Manage the audit team
• Finalize audit findings and submit report
• Require corrective and preventive action
• Resolve conflict
Auditor’s Responsibilities

• Comply with the audit requirement


• Plan/carry out responsibility effectively
• Remain within audit scope
• Be able to identify availability and adequacy of Documented System
• Verify understanding and implementation of Documented System
• Gather, check and analyze evidence
• Remain alert to further information/evidence

• Act in ethical manner


• Documents audit findings
• Report audit results
• Require corrective and preventive action
• Verify implementation and effectiveness of Corrective and
Preventive Action
• Retain/safeguard audit documents
• Support Lead Auditor
Auditee’s Responsibilities
 Cooperate with lead auditor/team to ensure that audit is
conducted smoothly
– Establish communication channels
– Confirm the audit authority
– Ensure staff availability for interview and meetings
– Arrange logistics and necessary support
Team Appointment

• Audit team leader shall first be appointed

• Identification of knowledge and skills required based on audit purpose, scope and time available

• Ensure impartiality and independence (not audit own work)

• Experts may be appointed to support competence


Audit Preparation
• Objective: To understand each phase of the audit cycle
Internal Auditing (ISO 9001:2015, 9.2)

• Audits must be at planned intervals


• Audits check that MS conforms
– Organization’s own requirements
– Requirements of ISO9001:2015

• Effective implementation/maintained
• Audit program
– Importance of process
– Changes
– Previous audit results
Audit Preparation
• Time and Resources

• Auditors contact dept. heads

• Prepare audit plan

• Prepare checklist

• Review documentation
Advantages of Audit Plan
• Clarifies Purpose of Audit

• Use Time More Effectively

• Ensure Important Elements Covered

• Shows Open Approach if Copied Before Audit

• Gives Framework of Audit

• Gives Professional Impression

• Provides Records of What Covered


Audit Planning (ISO 19011:2018, 6.3.2)
• Audit objectives, criteria and scope

• Dates and places

• Time required

• Roles and responsibilities of audit team and accompanying persons

• Allocation of appropriate resources to critical areas of audits


Audit Plan – template

DATE | TIME | UNIT / LOCATION | ELEMENT ISO 9001:2015 | AUDITOR
Jul 30, 2019 | 9:00 – 9:30 | Conf. Room | Opening Meeting | ABC
 | 9:30 – 10:00 | Facility Tour | | ABC
 | 10:00 – 11:00 | Office of Top Mgt | 5.1.1, 4.2, 6.1.1, 6.3, 7.1 | A
 | 11:00 – 12:00 | Front Desk | 8.1.1, 8.2, 9.1, 10.1 | B
 | 12:00 – 1:00 | Lunch | |
 | 1:00 – 2:00 | Loan Dep’t. | 4.2, 4.3, 5.1, 5.5, | C
Auditor Toolkit
 Clipboard

 Logbook

 Checklist

 Audit plan

 Report Forms

 ISO Standard
Sources for the Creation of Checklist
• ISO Standard Requirements

• Key elements of QMS Documentation

• Known or Classic Problems of Organization

• Ideas from Auditors

• Knowledge of Industry

• Previous Checklist
Verify Process Ability

• Objectives
• Input/output
• Activities control
• Resources
• Monitoring, measurement, analysis
• Continual improvement
• Interrelation and interaction with other processes
Checklist - templates

Unit / Location: Top Management
Auditor (A): Rodney
Auditee: Tony
Date: July 30, 2019

Clause | Item / Question | C | NC | Remarks
5.1.1 | Has top Mgmt. taken accountability for the effectiveness of QMS? | | | Accountability seen by showing QP
Conducting On-Site Audit

Objective:

• To conduct audit effectively and professionally
Audit Communications
 With Auditee
– Opening meeting
– Daily review
– Informal communications
– Closing meeting

 Within Audit team


– Regular communications (normally each half day)
– Internal meeting
Opening Meeting (ISO 19011:2018, 6.4.3)

 Purpose
– Confirm agreement to audit plan
– Introduce team
– Ensure that all planned audit activities can be performed

 Consider
– Audit methods to manage risks to the organization
– Auditee informed of audit progress
– Confidentiality and information security
Process Approach to Auditing (ISO 19011:2018, A.2)

 Auditors should understand that


– Auditing the management system is auditing the processes and their
interaction

 Consistent and predictable results achieved


– Activities understood and managed as interrelated processes that
function as a coherent system
The Audit Triangle
• QUESTION (ask them what they do)
• OBSERVE (see what they actually do)
• CHECK (what the process says they should do)
Type of Questions

Open Questions
• Encourage auditee to talk freely, e.g. “set the scene”
• Use what, where, why, who, when & how?
• Take care to prevent auditee from talking too much

Probing Questions
• “Follow-up” or “Focusing” questions
• Search for information in greater depth
• Cornerstone of audit techniques

Closed Questions
• Used to establish specific facts, e.g. “Do you…?”
• Normally receives a yes / no answer
• Do not use too often
Applying the Technique
• What is the scope of responsibility (documentation)?

• What are the process inputs and outputs?

• How is the process controlled, monitored, measured and improved? Critical aspects, risks?

• What are objectives, Results to date, trend?

• What level of training is required and how qualified?


Interview Technique

• Avoid sitting in an “opposing” manner
• Develop rapport with small talk, eye contact
• Explain the reason why you are here, note-taking
• Spend more time listening
• Good idea to have an audit at the auditee’s office

Objective is to use the minimum time to gain a maximum understanding
Evidence
• Results of interview with employees/others

• Observation of activities, work environment, etc.

• Review of documents and records

• Review of physical samples, photos taken, etc.

• Could be positive or negative


Verifying Information (ISO 19011:2018, A.5)

 COMPLETE / CORRECT / CONSISTENT / CURRENT

Interviewing Process
• Identify individual to be audited
• Introduce yourself
• Explain why you are there
• Ask open question(s)
• Do “show me please”
• Check facts and make notes
• Thank the auditee
• Identify next auditee on trail
Auditors Should:

• Avoid “nit-picking”
• Take good points into account
• Be punctual
• Perform all tasks
• Avoid argument and audit against specification and
system not individual
• Respect confidentiality
• Record objective evidence
Professional Judgment (ISO 19011:2018, A.3)
• Auditors should apply professional judgment during the audit process
– Avoid concentrating on the specific requirements of each clause of the standard at the expense of achieving the intended outcome of the management system
Performance Results (ISO 19011:2018, A.4)

• Focus on the intended results of the management system throughout the audit process

• While processes and what they achieve are important, the result of the management system and its performance are what counts

• It is also important to consider the level of integration of the different management systems and their intended results
Audit Reporting
Objective:

• To understand how an audit should be reported both verbally and in written form.
Nonconformity

Material non-fulfillment of a requirement, e.g.:

• Customer requirements
• Statutory and regulatory requirements
• System requirements

Shall not be withdrawn during closing meeting. It shall represent the situation at time of audit.
Nonconformity Classification

NONCONFORMITIES (N):
Failure to fulfill one or more requirements of the management system standard or a situation that raises significant doubt about the ability of the client's management system to achieve its intended outputs.

Major Non-Conformance:
Based on objective evidence, the absence of, or a significant failure to implement and/or maintain conformance to the requirements of the applicable standard (i.e. the absence of or failure to implement a complete Management System clause of the standard).

The causes of the identified nonconformities must be analyzed and the planned corrective actions effectively implemented prior to the decision on certificate issue/renewal. The auditor generally verifies the effectiveness of corrective action in an on-site re-audit unless verification is possible on the basis of submitted new documentation.

MINOR NONCONFORMITIES (MIN):
In individual cases some of the requirements of the management-system standard are not fulfilled completely. However, this does not jeopardize the effectiveness of the management-system element (chapter of the standard).

The lead auditor evaluates the submitted corrective actions and confirms acceptance thereof. The implementation and effectiveness of corrective actions will be verified in the next audit.

OPPORTUNITIES FOR IMPROVEMENT (I):
Aspects that would lead to management system optimization with respect to a requirement of the standard. (Basic requirement for the identification and recording of opportunities for improvement is that the requirements of the standard regarding the process element have been fulfilled but that there are still areas for potential improvement of system effectiveness and efficiency. Implementation by the organization is recommended.)

POSITIVE ASPECTS (P):
Positive aspects of the management system meriting special mention
Nonconformities Must
• Be factual / objective
• Be clear and concise
• Give clause number of Quality Standard / Company Document
• Be traceable by the Auditors
• Define the exact instance
• Be given a unique identifier
• Be categorized
• Be accepted / signed by the audited company
NC report template

Non Conformance Report
Company: CAEMC | Classification: Minor NC
Area: HR DEP’T. | ISO Clause Reference: 5.1.1
Detail of NC:
Auditor:
Corrective Action: | Remarks:
By: | Verified by:
Discuss and Agree Findings
• Don’t raise nonconformities / findings in front of staff, if possible
• Raise, at first opportunity, with Guide/Dept Heads
• Resolve problems by discussion
• Agree corrective action timetable
Preparing Audit Report (ISO 19011: 2018 6.5)

• Audit objectives
• Audit Scope
• Audit client
• Audit team leader and members
• Audit criteria
• Audit findings
• Audit conclusions
Closing Meeting (ISO 19011:2018, 6.4.10)

• Thanks for cooperation, etc


• Summary of good findings / points
• Nonconformities / finding(s) and recommendation(s)
• Corrective actions
• Report details
• What happens next
• Any questions
Corrective Action Steps
Confirm NC

Identify Root Cause/s

Identify Solution

Propose, Review, Accept

Implement, Close
Follow-up Action (ISO 19011:2018, 6.7)

• Report circulated
• Audit program updated
• Checklist filed
• Corrective action performed
• Trends/findings fed to management review
• Corrective action verified
Auditor Selection and Evaluation

Competence & Evaluation of Auditors – Requirements (ISO 19011: 2011 7.0)

• Based on the demonstration of:
– Ability to apply knowledge and skills defined in clause 7.2.3
– Gained education, work experience, auditor training and audit experience defined in clause 7.2.4
Selection of Auditors

An internal auditor should be selected against established criteria such as:

❑ Acquiring the knowledge and skills necessary to conduct audits, and
❑ Acquiring the essential personal attributes required

Indicators of competence:
• Education
• Work Experience
• Training
Selection of Auditors
Education
Auditors should have:
✓Completed at least secondary education
✓Demonstrated competence in clearly and fluently expressing
concepts and ideas orally and in writing in their agreed language.

Training
Auditors’ training should cover:
✓Knowledge and understanding of the standard including legal and other
requirements
✓Assessment techniques
✓Skills required for managing an audit

Work Experience
✓Should be in a position where the activities undertaken helped
develop skills and knowledge in MS.
Reference:

- TÜV SÜD PSB Philippines Inc.


Q&A / Course Wrap-Up
