These are guidelines for auditors assessing against the requirements of ISO 9001:2015. The example audit text is given solely as guidance and should not be copied into audit reports. Notes are written in italics. The notes and guidelines have been collected from various sources, e.g. IAF, ISO, the ISO 9001 Auditing Practices Group, etc. Every effort has been made to ensure the accuracy of the information; nevertheless, this document is guidance only, and differing opinions and interpretations may exist.
Definitions:
Objective evidence, as defined in ISO 9000, is data supporting the existence or verity of something. Objective evidence may be obtained through observation, measurement, test or other means. Objective evidence for audit purposes generally consists of records, statements of fact or other information that is relevant to the audit criteria and verifiable.
Audit trail: in the absence of a definition in ISO 9000, the standard dictionary definitions of 'audit' and 'trail' give the following: a systematic approach to collecting evidence, based on specific samples, that the output of a series of inter-related processes meets expected outcomes.
E.g. audit trail for risks and opportunities: this audit trail starts with the internal and external issues and the requirements of interested parties. These, together with the quality policy, determine the organisation's "intended results". The organisation is then required to address risks and opportunities in order to assure its ability to achieve its objectives (the "intended results"). Options for addressing risks can include avoiding the risk, taking the risk in order to pursue an opportunity, eliminating the cause of the risk, changing the likelihood or consequences, sharing the risk, or retaining the risk. The second part of the audit trail for risk examines whether the organisation has determined the risks and opportunities that affect the conformity of products and services. For example, risks can be mitigated in the new product development process, starting with project planning, then the product and production plan, and finally in the production and service provision process itself.
Process approach
Understanding and managing interrelated processes as a system contributes to the organisation’s effectiveness and efficiency in achieving its intended results. This
approach enables the organisation to control the interrelationships and interdependencies among the processes of the system, so that the overall performance of the
organisation can be enhanced. The process approach involves the systematic definition and management of processes, and their interactions, so as to achieve the intended
results in accordance with the quality policy and strategic direction of the organisation.
A process is not a clause or element of ISO 9001, and it is probably not confined within a single organisational department; typically a process is cross-functional and is described at the “what we do” level. Sometimes there is confusion between business processes and procedures that are flowcharted. Procedures are ‘how’ something happens, and as
such are not cross-functional. If an organisation is to manage the process it needs to understand the results that it achieves and how those results are used to improve the
performance of that process.
The process approach starts with a full understanding of the external and internal environments in which the organisation operates. This covers all customer and other
stakeholder requirements and is where a clear understanding of the organisation’s unique requirements is established. From this, senior management can prioritise
and define the strategic objectives and the standards or frameworks they need to apply within the organisation. When this has been done it is possible to describe the key
processes that will deliver them. These processes then have to be defined in order to deliver these objectives. The performance of the processes needs to be appropriately
measured and used to identify and drive improvements.
Issue 1
The processes need to cover everything that is included in the 'scope' of the management system. They need to cover all functions and all elements of the organisation's
planning and operational cycle - all the way from gaining market intelligence to learning and improving based on the results achieved. It must also include all of the
‘support' processes necessary to ensure the core processes can be consistently delivered.
Clause 4.4 lays out detailed requirements on how processes need to be structured, address risk, be measured and monitored, and include performance indicators. It also
requires the organisation to evaluate a process and make changes if it’s not achieving intended results. Process performance is also a requirement of the organisational
roles and responsibilities in clause 5.3. The auditor should start the process performance audit by checking the structure of the process i.e. process owner and process
linkages. Some auditors find it useful to document the process in the form of a turtle diagram. The auditor should look for answers to questions such as: What overall
objective is this process trying to help achieve? Are there risks and opportunities identified for the process? Are the actions implemented? Did they mitigate the risk? Is the
process performing satisfactorily? Are there any changes planned because process performance is not being met?
4. Context of the organisation
Standard    Criterion    Evidence    Audit findings    Compliance
ISO 9001:2015 4.1 Understanding the organisation and its context
Audit findings: If compliant = the implementation and effectiveness of the process audited have been sampled and are considered to be compliant. If not compliant = description of OFI/NCR
Compliance: Compliant/OFI, Minor/major NC
Evidence: To be audited in stage 1 and 2.
For effective planning, the organisation must understand:
• its status,
• what it wants to achieve, and
• its strategy for how it wants to achieve it.
Information that could be helpful in this process could include:
• Business plan
• review of strategic plans
• competitor analysis
• economic reports from business sectors
• SWOT or PESTLE analysis
• Minutes of meetings
• Action lists
• diagrams, spreadsheets/calculations, mind maps
• reports from external consultants
The output from this activity should be evident in the risks and opportunities determined under clause 6.1.
Culture – relaxed / friendly / "can do".
Knowledge – There is a high level of experience, which is moderately strong. The organisation is strong in presentations, weaker in special events and retail. It needs to do more on marketing.
Performance – 100% on-time delivery / strong on quality.
Structure: flat structure.
Strategy: growth of 1 million per year is planned over the next 5 years, and also an increase in gross margin from 34 to 39% over the same period.
Values: creating, working together and delivering great products with a "can do" philosophy
ISO 9001:2015 4.2 Understanding the needs and expectations of interested parties
Audit findings: If compliant = the implementation and effectiveness of the process audited have been sampled and are considered to be compliant. If not compliant = description of OFI/NCR
Compliance: Compliant/OFI, Minor/major NC
Evidence: To be audited in stage 1 and 2.
Interested parties – stakeholders:
A person or organisation that can affect, be affected by, or perceive itself to be affected by a decision or activity. EXAMPLE: Customers, owners, people in the organisation, suppliers, bankers, regulators, unions, partners or society, which can include competitors or opposing pressure groups.
• etc.
Auditors should conduct this review as part of the interviews with top management and follow these findings through the audit.
The requirements of these interested parties should be taken as inputs to the planning process, clause 6.1, as potential risks or opportunities.
• multiple sites
• service centres
• service and customer locations
• the existence of both products and services
From a review of the ORG's operations, products and services, the scope of the management system should be clear. This should be reflected in the range of processes and controls that the ORG has established.
It is the auditor's responsibility:
- to ensure that the final statement of the scope of certification is not misleading;
- to verify, during the audit, that this scope relates only to the processes, products, services, sites, departments or divisions etc. of the organisation that are covered by the scope of certification;
- to verify that this scope defines any non-applicable requirement of ISO 9001, and that the justification for non-application is provided and reasonable.
Annex A of ISO 9001:2015 provides clarification on the “Applicability” of its requirements. Clause 4.3
“The scope shall state the types of products and services covered by it and provide justification for any requirement of this International Standard that the organisation has decided is not applicable.”
• Who receives the results of your work?
• How do you know that you have done your job correctly?
• etc.
Organisations often identify too many processes; some or all of them are activities, or they define one for each clause of the standard, which does not meet the requirements for a process. In such situations, the auditor should (in Stage 1 of the initial audit) record the need to redefine the processes, based e.g. on the critical points of activities and the process approach.
5. Leadership
ISO 9001:2015 5.1 Leadership and commitment
Audit findings: If compliant = the implementation and effectiveness of the process audited have been sampled and are considered to be compliant. If not compliant = description of OFI/NCR
Compliance: Compliant/OFI, Minor/major NC
Evidence: To be assessed in Stage 1, taking into account the availability of documented information, and in Stage 2 through interviews and additional evidence.
Auditors should involve top management in the audit, i.e. invite them to the opening and closing meetings, allocate sufficient time in the audit plan for interviewing top management, discuss audit findings directly with them, seek evidence of their commitment, etc. It is important to shift the focus from the quality manager alone to the whole of top management.
The auditor should regard top management's activities as processes and audit them accordingly.
attend the annual system reviews, and the minutes are distributed to all members. Board members and senior managers actively participate in the review of audit results. Board members and the general manager were present at the opening and closing meetings, demonstrating their role in and commitment to the management system processes.
Periodic business meetings consider business planning and strategic direction. The meetings also discuss the status of objectives, resource requirements, risks and opportunities and other areas. Records of these meetings were verified, including xxx, xxxx.
ISO 9001:2015 5.2 Policy
Audit findings: If compliant = the implementation and effectiveness of the process audited have been sampled and are considered to be compliant. If not compliant = description of OFI/NCR
Compliance: Compliant/OFI, Minor/major NC
Evidence: To be audited in stage 1 and 2.
The policy and its effective development can only truly be assessed on the basis of the overall audit results.
Audit methods should include:
• interviewing top management to understand their approach and commitment;
• assessing, through system review records, the commitment and involvement of top management in establishing, implementing, monitoring and updating the policy;
• assessing whether top management has effectively "translated" the policy into understandable words and guidelines at all relevant levels of the organisation, with corresponding objectives for each applicable process, function and level;
• gathering evidence of the effective dissemination of the policy through adequate communication.
Adequate evidence of the effective dissemination and understanding of the policy can only be gathered at the end of the audit, after evaluating the audit results.
description of OFI/NCR
The organisation is led by a well-defined top management and a structure appropriate to the organisation's size and operations. Roles and responsibilities are assigned and communicated within the organisation by top management, and interviews with xx, xxx and xx confirm that the appointed personnel understand their roles and responsibilities well. Doc ref: xxxx. Typically, departmental processes and management system processes are designated, as are the ultimately responsible personnel. A senior function << name and rank >> appointed by << name and function >> has been assigned responsibility for coordinating the management system processes in order to achieve consistency and effectiveness. This team is responsible for the performance of the management system, manages internal audits, coordinates analysis of the management system with a view to improvement, and facilitates the system review. Several internal auditors are qualified for one or more management system standards. Training records are available.
6. Planning
ISO 9001:2015 6.1 Actions to address risks and opportunities
Audit findings: If compliant = the implementation and effectiveness of the process audited have been sampled and are considered to be compliant. If not compliant = description of OFI/NCR
Compliance: Compliant/OFI, Minor/major NC
Evidence: To be audited in stage 2.
The standard specifies requirements for the organisation to understand its context (see 4.1) and determine risks as a basis for planning (see 6.1). This represents the application of risk-based thinking (RBT) to planning and implementing the management system processes (see 4.4) and will assist in determining the extent of documented information needed.
The audit of RBT in an organisation cannot be performed as a stand-alone activity. It should be implicit throughout the whole audit, including when interviewing top management.
The auditor should follow these steps and gather objective evidence as follows:
• What inputs does the organisation use in determining risks and opportunities?
These inputs should include the following:
Analysis of internal and external issues
The organisation's strategic direction.
Interested parties relevant to the QMS, and their requirements, also relevant to the QMS
The scope of the QMS in the organisation.
The organisation's processes.
• The auditor should note that the organisation has determined the extent of documented information needed to provide objective evidence of the application of RBT.
• How will the organisation determine its risks and opportunities, given the above?
Objective evidence can take several forms. E.g.:
Minutes of meetings
SWOT analysis
Customer feedback reports.
Brainstorming activities
Competitor analysis.
Planning, analysis and evaluation of activities related to several processes, e.g. strategic planning, design and development, marketing, production and service provision, corrective actions, …
Management review
Risk determination or assessment records, if the organisation has determined this to be applicable or necessary
etc.
• How might the organisation address the determined risks and opportunities? The actions to be taken can take different forms. For example:
Revising old objectives or setting new ones.
Action plan.
On-the-job training
Work instructions
Improvement objectives and projects, etc.
• Does the organisation evaluate the effectiveness of the actions taken above?
The auditor should confirm whether internal audits or performance evaluation take into account the effective application of RBT.
When planning the management system, the organisation considered the issues referred to in clause 4.1 and the requirements referred to in clause 4.2 and determined the risks and opportunities that need to be addressed to:
Ensure that the integrated management system can achieve its intended outcomes;
Manage environmental aspects and compliance obligations;
Determine potential emergency situations in relation to BC requirements;
Enhance desirable effects;
Prevent or reduce undesired effects;
Achieve improvement.
ISO 9001:2015 6.2 Quality objectives and planning to achieve them
Audit findings: If compliant = the implementation and effectiveness of the process audited have been sampled and are considered to be compliant. If not compliant = description of OFI/NCR
Compliance: Compliant/OFI, Minor/major NC
Evidence: To be audited in stage 1 and 2.
Auditors need to verify that the organisation’s overall objectives:
• have been defined,
• reflect the policy,
• are substantially coherent,
• are aligned and compatible with the organisation’s context and strategic direction,
• and are aligned with its overall business objectives, including customer expectations.
If this is not the case, the auditors should further evaluate Top Management
commitment to quality.
The auditors should obtain evidence of the way the objectives are suitably cascaded
throughout the organisation’s structure and processes, linking the general strategic
objectives to management objectives and down to specific operational activities.
Auditors should also keep in mind that there is a clear link between the dynamic aspects
of revising the policy, the objectives and the commitment of the organisation to
improvement.
Audit findings: implementation and effectiveness of the process audited have been sampled and are considered to be compliant. If not compliant = description of OFI/NCR
Compliance: Minor/major
References to change are made in several clauses in ISO 9001:2015: 4.4, 5.3, 6.3, 8.1, 8.3.6, 8.5.6, 9.2, 9.3, 10.2.
Some changes need to be carefully managed while others can be safely ignored. In order to sort through this, the organisation should consider a method to prioritize.
To determine the priority, the organisation should consider a methodology that allows them to take into account:
Consequences of the change
Likelihood of the consequence
Impact on customers
Impact on interested parties
Impact on objectives
Effectiveness of processes that are part of the management system
Others
Changes are intended to be beneficial to the organisation and need to be carried out as
determined by the organisation. In addition, newly introduced risks and
opportunities need to be taken into account.
To achieve the benefits associated with changes, the organisation should consider all
types of changes that may need to occur. These changes may be generated, for
example, in:
Processes
Documented information
Tooling
Equipment
Employee training
Supplier selection
Supplier management, etc.
7. Support
ISO 9001:2015 7.1 Resources
Audit findings: If compliant = The implementation and effectiveness of the process audited have been sampled and are considered to be compliant. If not compliant = description of OFI/NCR
Compliance: Compliant/OFI, Minor/major
Evidence: To be audited in stage 2.
Auditors should verify that the resources needed to implement, maintain and improve the management system are adequately managed. This means that appropriate resources are to be identified, planned, made available, used, monitored and changed as necessary by the organisation.
It is recommended that the management of resources is not audited in isolation. Irrespective of the way the organisation is structured and identifies its processes, auditors should be able to verify the adequacy and effective management of the resources to achieve planned results. It is important for auditors to verify whether the organisation has evaluated past and present performance (e.g. using cost-benefit analysis, risk assessment) when deciding what resources are to be allocated.
Evidence can be obtained at different stages of the audit – reviewing inputs, process
performance and outputs. This has to be carried out when auditing all the processes
and related system and process documentation, such as:
• management commitment and responsibilities;
• management review process;
• product realization processes, including the control of nonconforming products,
corrective and preventive actions and continual improvement.
Auditors should avoid making subjective judgements on the adequacy of the resources
allocated by the organisation and should limit their role to the evaluation of
the effectiveness of the resource management process.
Auditors should verify that the people, infrastructure and the environment for the
operation of the processes are provided and maintained in a way that is consistent with
the policy and objectives, as well as contributing to conformity to product or
service requirements.
especially for the purpose of regulation or control.
measuring considers the determination of a value, e.g. a physical quantity,
magnitude or dimension (using measuring equipment).
To the extent needed, auditors should confirm that, in addition to providing the
necessary calibration records and assuring the related measurement uncertainty and
traceability, the organisation is aware of and has implemented, as appropriate, a
metrological confirmation system as described in ISO 10012 adequate to the extent and
types of the measurements performed.
The service sector (e.g. hotels, restaurants, education centres, consultants, public
services) performs monitoring and measuring activities using surveys, examination
papers, questionnaires, statistical methods, etc., due to the nature of its product. The
applicability and validity of these methods have to be determined.
Applicability vs non-applicability:
When the impact is relevant, auditors should evaluate issues such as:
- How the organisation validates that the monitoring and measuring resources are
consistent with the monitoring and measurement requirements.
- How the organisation assures the information validity and the consistency of the
results.
- The competence of those responsible for using the monitoring and measuring
resources
From the description above, the organisation should be able to decide whether all
or part of the relevant requirements are not applicable. It is stressed that just
because an organisation does not have measuring equipment that needs to be
calibrated, it is not automatically exempt from all the
requirements for monitoring and measurement resources. To claim otherwise would imply that it
also does not monitor or measure, nor use any monitoring or measuring resources.
an explicit or implicit way this knowledge is, or can be, used to attain the organisation’s
objectives.
Requirements regarding organisational knowledge were introduced for the purpose of:
a) safeguarding the organisation from loss of knowledge, e.g.
through staff turnover;
failure to capture and share information;
b) encouraging the organisation to acquire knowledge, e.g.
learning from experience;
mentoring;
benchmarking.
agency.>>
Relevant infrastructure facility is found to be adequate for achievement of conformity
to products and services. The following were verified:
Building and utilities: RCC structure, machinery layout matching the process flow,
availability of wash/cooling water adequate, in process parts/assembly movement
support adequate (fork-lift, trolleys). Upkeep of building and utilities adequate (Last
routine building maintenance done on <date>).
Equipment, other hardware, software: The organisation has installed state-of-the-art
machinery to realise its products and services. It operates an ERP and an intranet
to control the infrastructure. Machinery upkeep is managed by the maintenance
department. Responsible person <name / designation>. Current contractor <Name
xxxx>. Outsourced process in maintenance activity <xxxx>
Transportation resources: Type of transportation resources used for employees-
contractor name <xxxx>, for production parts <company owned>, for finished goods <as
per customer instructions>.
IT infrastructure is outsourced for hardware. Contractor name: <xxxx> Contract expiry
date <xxx>, Last routine maintenance date <xxxx>, last breakdown maintenance <xxxx>.
Software management is done in house. Responsible person: <Name>, Competency
details <xxxx>.
The organisation operates in an environment adequate for achievement of conformity
of products and services. The walk around and people interactions provided evidence
of: good work culture, friendly workplace, good ventilation and airflow, temperature
and lighting.>>
The organisation maintains a list of inspection, monitoring and test equipment (IMTE) -
List ref:xxxxxx. The calibration and readiness for use is managed as per procedure ref:
xxxx. Measuring equipment is tagged to maintain control over calibration and
readiness. Critical measuring instruments are calibrated by externally contracted and
accredited laboratories. Non critical measuring equipment is calibrated internally by
using referenceable comparators. Monitoring and measuring equipment verified:
Micrometer IDxxxx. Last calibrated on: xxxx. Next calibration due: xxxxxx Calibrated
by:xxxxx. Calibration body is part of approved supplier list.
Ambient thermometer ID: xxxx, last calibration checks on: xxxx, calibrated internally
using glass thermometer. The company does not use any instrument where traceability
is a requirement. Documented procedure: xxxxxx>>
All operational machinery has its own technical support information. This
information is included as part of operator and supervisor training programmes.
Example machinery: xxxxxx, Technical manual available with: xxxxxx, Operator name /
ID: xxxx. All process information maintained internally: Technical information is
maintained by <xxxxx>. Non-technical information is maintained by the respective area
operational heads. E.g. HR and training information with HR head. Lessons learnt, with
respective process heads.
Other knowledge is gained from external information gathered from various standards,
research publications, sector journals, conferences and industry interactions.
2 – Are competent people assigned to those work place activities necessary to control
the quality characteristics of its processes and products?
Verify that some form of evaluation process is in place to ensure that the competencies
are appropriate to the organisation's activities, and that the persons selected as
competent are demonstrating these competencies. Also, the process should ensure that
any deficiencies are being acted upon and the effectiveness of persons is being
measured. Verify that the activities that affect quality are performed by persons
selected as competent. Evidence may be obtained throughout the audit with an
emphasis on those processes, activities, tasks and products where human intervention
may have the greatest impact. The auditor may review job descriptions, testing or
inspection activities, monitoring activities, records of management reviews, definition of
responsibilities and authorities, nonconformity records, audit reports, customer
complaints, process validation records etc.
3- The organisation needs to evaluate the effectiveness of the actions taken to satisfy
the competence needs and to ensure that the necessary competence has been achieved.
The organisation may use a number of techniques including role-play, peer review,
observation, reviews of training and employment records and/or interviews (see ISO
19011, Table 2, for further examples). The organisation may need to demonstrate the
attainment of competence of its persons through a combination of education, training
and/or work experience.
4 – Maintenance of competence.
The auditor needs to verify that some form of effective monitoring process is in place
and being acted upon. Ways of doing this include a continuing professional
development process (such as the one described in ISO 19011), regular appraisals of
persons and their performance, or the regular inspection, testing or auditing of product
for which individuals or groups are responsible. Ongoing changes in competence
requirements may indicate that an organisation is proactive in maintaining persons’
performance levels.
First aid training records for <Name/ID> and date of training xxxxx>>.
Procedure for HR management/training: xxxxx.
If not compliant = description of OFI/NCR
E-mail, intranet and web sites
Company or in house magazine/newsletter
Staff meetings
Individual notices or letters
Product recalls
Customer communication, e.g. brochures, sales presentations
Any communication requirements based on the regulatory requirements, etc.
Compliance with the ISO 9001 requirements on communication should only be
determined at the end of the audit, after evaluation of the audit evidence and after
reaching consensus with other audit team members.
The quality objectives (clause 6.2).
b) Documented information maintained by the organisation for the purpose of
communicating the information necessary for the organisation to operate (low level,
specific documents). E.g. Organisation charts, Process maps, process flow charts and/or
process descriptions, Procedures, Work and/or test instructions, Specifications, etc.
c) Documented information needed to be retained by the organisation for the purpose
of providing evidence of result achieved (records).
Documented information to the extent necessary to have confidence that the processes are being carried out as planned (clause 4.4).
Evidence of fitness for purpose of monitoring and measuring resources (clause 7.1.5.1).
Evidence of the basis used for calibration of the monitoring and measurement resources (when no international or national standards exist) (clause 7.1.5.2).
Evidence of competence of person(s) doing work under the control of the organisation that affects the performance and effectiveness of the QMS (clause 7.2).
Results of the review and new requirements for the products and services (clause 8.2.3).
Records needed to demonstrate that design and development requirements have been met (clause 8.3.2).
Records on design and development inputs (clause 8.3.3).
Records of the activities of design and development controls (clause 8.3.4).
Records of design and development outputs (clause 8.3.5).
Design and development changes, including the results of the review and the authorization of the changes and necessary actions (clause 8.3.6).
Records of the evaluation, selection, monitoring of performance and re-evaluation of external providers and any actions arising from these activities (clause 8.4.1).
Evidence of the unique identification of the outputs when traceability is a requirement (clause 8.5.2).
Records of property of the customer or external provider that is lost, damaged or otherwise found to be unsuitable for use and of its communication to the owner (clause 8.5.3).
Results of the review of changes for production or service provision, the persons authorizing the change, and necessary actions taken (clause 8.5.6).
Records of the authorized release of products and services for delivery to the customer including acceptance criteria and traceability to the authorizing person(s) (clause 8.6).
Records of nonconformities, the actions taken, concessions obtained and the identification of the authority deciding the action in respect of the nonconformity (clause 8.7).
Results of the evaluation of the performance and the effectiveness of the QMS (clause 9.1).
Evidence of the implementation of the audit programme and the audit results (clause 9.2.2).
Evidence of the results of management reviews (clause 9.3.3).
Evidence of the nature of the nonconformities and any subsequent actions taken (clause 10.2.2).
Results of any corrective action (clause 10.2.2).
Organisations may be able to demonstrate conformity without the need for extensive
documented information. To claim conformity with ISO 9001:2015, the organisation has
to be able to provide objective evidence of the effectiveness of its processes and its
quality management system. Clause 3.8.3 of ISO 9000:2015 defines “objective
evidence” as “data supporting the existence or verity of something” and notes that
“objective evidence may be obtained through observation, measurement, test, or other
means.” Objective evidence does not necessarily depend on the existence of
documented information, except where specifically mentioned in ISO 9001:2015. In
some cases (for example, in clause 8.1 (e) Operational planning and control), it is up to
the organisation to determine what documented information is necessary in order to
provide this objective evidence. Where the organisation has no specific documented
information for a particular activity, and this is not required by the standard, it is
acceptable for this activity to be conducted using as a basis the relevant clause of ISO
9001:2015. In these situations, both internal and external audits may use the text of ISO
9001:2015 for conformity assessment purposes.
Drawing Issue and Control:
Drawings received for any part of the design process or for manufacture use the latest
version of the drawing.
Control of drawing change for all drawings is by use of a suffix, i.e. enquiry/job number,
project name, drawing number and then version 1, 2, 3 – tested on factory floor.
Witnessed drawing xxx - status confirmed.
Various documents and records sampled are listed throughout this report.
Soft copy records and documentation are backed up periodically. Last back up done on:
<date>. Back up procedure is documented in ref: xxxx under the responsibility of
<Name>.
Ongoing protection of integrity and availability, and against loss, is managed through
appropriate antivirus software. Current antivirus used: xxxxxxx.
8. Operation
ISO 9001:2015 8.1 Operational planning and control
8.2 Requirements of products and services
To be audited in stage 2.
If compliant = The implementation and effectiveness of the process audited has been
sampled and is considered to be compliant.
If not compliant = description of OFI/NCR
Compliant/OFI Minor/major
The organisation shall plan, implement and control the processes (see 4.4) needed to
meet the requirements for the provision of products and services, and to implement the
actions determined in Clause 6.
The output of this planning shall be suitable for the organisation’s operations.
The organisation shall control planned changes and review the consequences of
unintended changes, taking action to mitigate any adverse effects, as necessary.
The organisation shall ensure that outsourced processes are controlled (see 8.4).
Example audit of this clause:
The organisation has planned, implemented, maintains and controls its process to
ensure the management system achieves objectives, including when changes happen.
Controls apply to unintended changes.
Outsourced processes have adequate controls established on them as per procedure ref:
xxxx.
For realization of its production and services the organisation has developed quality
plans, referred to as QAP, for each of its product ranges. The quality plan details the
controls and criteria required for realisation of products/services. Example: Product
name: xxxxx, QAP reference: xxxxx.
Example outsourced process: XXXXXX, preliminary evaluation done on: xxxxx, audit
done on: xxxxx, work process monitoring frequency: xxxxx, responsible person within
the organisation: xxxxx. Records maintained and available for verification with: xxxx.
ISO 9001:2015 8.2 Requirements of products and services
To be audited in stage 2.
If compliant = The implementation and effectiveness of the process audited has been
sampled and is considered to be compliant.
If not compliant = description of OFI/NCR
Compliant/OFI Minor/major
Customer communication falls into three general categories:
• An organisation’s general communication to existing or potential customers – such as
advertisements or marketing information,
• Specific information relating to a customer enquiry, requirement or order, and
• Communication in response to customer feedback and complaints
Where the organisation receives orders from dealers and not the end users, the auditor
should establish that the product information available to the end users (pamphlets,
brochures, web sites etc.) describes the products and services adequately and
accurately. The auditor should also try to establish how the customer needs have been
identified and product specifications arrived at.
The auditor would verify the product information to confirm that it is readily available
to customers or potential customers and provides information that is up-to-date and
accurate.
Some or all of the following means of an organisation’s specific customer
communication may be observed by the auditor:
a) Enquiries, contracts or order handling, including amendments
• quotations
• order forms
• confirmation of order
• amendment to order
• delivery documentation
• invoices
• credit notes
• e-mail & general correspondence
• visit reports or notes to/from customer
b) Customer feedback and complaints management process
• Letters in response to complaints
• Acknowledgments
There are also further instances where the auditor will experience the organisation’s
communication with the customer:
• During the ordering process where the customer provides no documented statement
of requirements, the organisation needs to have a system in place to obtain or confirm
these customer requirements before the organisation accepts the order.
• During the design and development process there may be considerable
communication between the organisation and the customer.
• During the process of authorizing the use of nonconforming product by release or
acceptance under concession by a relevant authority and, where applicable, by the
customer.
The auditor needs to be aware of the specific characteristics of the organisation’s
products and services that are likely to impact customer satisfaction. Throughout the
audit the auditor should be alert for indications that may suggest customer satisfaction
or dissatisfaction which could serve as input into the audit of the customer feedback
process.
The organisation should demonstrate that the statutory and regulatory requirements
applicable to its products and services have been properly identified, are available and
easily retrievable.
and services it offers and how it meets these claims.
The organisation needs to conduct a review before committing to supply products and
services to a customer.
The organisation needs to retain documented information, as applicable:
a) on the results of the review;
b) on any new requirements for the products and services.
The organisation also needs to ensure that, in the case of changes to the requirements
of products and services, relevant documented information is amended, and that
relevant persons are made aware.
been sampled and is considered to be compliant.
If not compliant = description of OFI/NCR
It is necessary to note that for service organisations, the approach to design and
development may be different from “traditional” manufacturing organisations.
Product and service design and development is the set of processes for transforming
requirements for the products and services into specified product/service
characteristics (characteristic = distinguishing feature, e.g. physical (e.g. mechanical,
electrical, chemical or biological characteristics); sensory (e.g. related to smell, touch,
taste, sight, hearing); behavioural (e.g. courtesy, honesty, veracity); temporal (e.g.
punctuality, reliability, availability, continuity); ergonomic (e.g. physiological
characteristic, or related to human safety); functional (e.g. maximum speed of an
aircraft)).
In order to determine if the organisation is in fact involved in design and
development, auditors need to establish who is responsible for defining the
characteristics of the product or service, together with how and when this is carried
out. This may apply to original design or ongoing design changes.
The need for design and development comes from an organisation’s context and the
application of risk based thinking. Auditors should review how the decision to proceed
with design and development is taken, i.e. have risks and opportunities, including cost
implications, been considered and have all relevant interested parties (internal or
external) been consulted.
The following issues should be considered when auditing the planning function:
• what is the overall flow of the design planning process?
• how is it described?
• what resources and competencies are required?
• what part of the design will be outsourced?
• who is responsible and are the authorities defined?
• how are (internal and external) interfaces between various groups identified and
managed?
• are the required verification, validation and review points defined?
• are the main milestones and timelines identified?
• is the implementation and effectiveness of the plan monitored?
• is the plan updated and communicated to all relevant functions as necessary?
When auditing the design and development inputs, auditors should develop an
understanding of how the organisation identifies its own inputs. Auditors should
evaluate the risks, the possible implications for customer satisfaction and issues that the
organisation may encounter if some relevant inputs are not considered.
The design and development outputs should comply with the identified needs in order
to ensure that the resulting product can fulfil its intended use.
Auditors should verify that the overall design and development process is controlled in
accordance with the organisation’s original plan, that it is being reviewed and that the
design and development reviews take place at appropriate planned stages.
Design and development verification is aimed at providing assurance that the outputs
of a design and development activity have met the input requirements for this activity.
Auditors should determine that only verified design and development outputs have
been submitted to the next stage, as appropriate.
Design and development validation is the confirmation by examination, and the
provision of evidence, that the particular requirements for specific intended use are
fulfilled. In other words, is the validation process capable of checking that the final
product and/or service will meet, or does meet, the customer’s needs when it is in use?
Where validation cannot be carried out prior to delivery or implementation, auditors
should ensure that these activities are carried out at the earliest opportunity, such as
when commissioning a complex plant or factory, and that this is communicated to the
client. Auditors should determine that only validated design and development outputs
have been submitted for customer use.
Design and development changes made during the design process need to be
controlled.
Example audit of this clause:
The organisation has a procedure for effectively managing the design and development
process. Procedure ref: xxxxx. Design and development process follows a
predetermined set of steps. The planning has been incorporated into a design
development documentation ref: xxxxx.
The format requires a number of items of information to be captured as evidence of the
process having been carried out.
Design process verified for: <Product name: xxxx>
Nature, description and timelines of the design and development: XXXXX (Design
inputs)
Products standards and default specs: xxxx (design input)
Other requirements specific to the products and requested by the customer: xxxxxx
(Design inputs)
Design & development activities, review, verification and validation requirements and
associated roles, responsibilities and authorities: XXXXX; (design controls)
Resources requirements: xxxxx; (design controls)
Interfaces within the organisation and external to the organisation including customers:
XXXXX (design controls);
Output of the design is in the form of technical documentation such as drawings, bill of
materials, product / part specification, assembly drawing, details of special processes.
All these are records/documented. Doc ref for the sample above: xxxxxx
8.4 Control of externally provided processes, products and services
To be audited in stage 2.
If compliant = The implementation and effectiveness of the process audited has been
sampled and is considered to be compliant.
If not compliant = description of OFI/NCR
Compliant/OFI Minor/major
Auditors may consider it sufficient to evaluate conformity by checking that:
• there is documented information (e.g. a list) indicating which are the approved
external providers and that this documented information is kept up to date,
• orders have been placed to external providers satisfying the defined criteria
• there is effective performance monitoring of outsourced processes providers, and
• the activities necessary for ensuring that the specified requirements have been
met are carried out.
Auditors have to verify that risk based thinking has been applied by an organisation in
determining appropriate controls over external providers.
In auditing the process for the management of procurement, the following points may
be useful:
• Confirm that the specification quoted in a purchase order is the same as the
specification contained in the design (or the specification received from the
customer);
• Identify whether or not there were discussions between the organisation and
potential suppliers regarding the design specification of critical components during the
design process or prior to an order being placed;
• Was there some form of “approval” of the specification before the final
specification/order was confirmed to the external provider?
• Does the purchase order contain or refer to any statutory or regulatory requirements?
In many cases, audits of the evaluation and selection of external providers simply
consist of a review of the organisation’s approved external provider list and whether
this list has been reviewed at regular intervals. In some cases this may not be
sufficient to ensure that the organisation has effective control of all of those external
providers within its supply chain. Issues to consider include:
• Are external providers of critical component products or critical services selected
based only on their ability to supply at an economical price, or is their ability to supply
consistently to specifications also taken into consideration?
• Are outsourced processes considered in the supply chain and are relevant levels of
control in place?
• Are external providers included in approved lists solely on their continued registration
against a recognised quality standard, or is the scope of this registration reviewed?
• How frequently are credit notes raised by the organisation for products or
services that are initially rejected, but then subsequently accepted?
• How many concessions have been raised allowing the organisation to accept
previously rejected products or services?
If not compliant = description of OFI/NCR
handling customer property, preserving product, measuring product and service output,
and handling nonconforming product.
The following should be assessed for each process audited:
Operator work instructions or documented information (clause 8.5.1a)
How operator operates and sets up the machine (if applicable)
Operator responses versus work instructions
Inspections of products
Inspection plans or similar
Equipment used and their calibration
Product marking/tagging procedure versus reality (clause 8.5.2)
What does the operator do for nonconforming parts versus nonconforming procedure
(clause 8.7)
Production records
Operators’ awareness about quality policy
Operators’ awareness of process changes
Overall cleanliness of the plant/factory and the maintenance process including
packaging and shipping areas
locations. Handling of the product and product parts was seen to be adequate.
Material handling equipment includes <forklifts, trolleys, pulley-blocks>.
Post-delivery activities include only warranty maintenance requirements. The
organisation has a procedure for managing warranty claims. Doc ref: xxxxx.
Should there be a change in requirement after the work order has been released,
appropriate action is taken to review, approve and communicate the changes to the
relevant personnel.
The XXXXX is authorised for final release once all the records in process inspection and
stage approval have been recorded. The goods go into finished goods store or to
despatch once the final approval has been given. Final inspection and release record
ref: xxxxx. The release takes place only after the designated authority has authorised it.
Sample checked: product name: xxxxx, ID: xxxxxx, Approved by xxxxxxx, date: xxxx.
Traceable in the format ref: xxxx
Organisation follows a documented process for managing non-conforming outputs at
all stages. Doc reference: xxxx. Records retained: Part inspection / rejection record:
xxxx, Part rework record: xxxxx, Scrap record: xxxx, Rejection / rework / scrap report:
xxxx, Product return record: xxxxx, Customer complaint record: xxxx, Rework /
replacement cost record: xxxxx, Concessional approval records: xxxxx, Rework
inspection record: xxxx, Corrective action and analysis report: xxxx.
Records verified for product rejection complaint report ref: xxxx dated xxxx. The records
were traced up to redressal of the rejection.
9. Performance evaluation
ISO 9001:2015 9.1 Monitoring, measurement, analysis and evaluation
To be audited in stage 2.
If compliant = The implementation and effectiveness of the process audited has been
sampled and is considered to be compliant.
If not compliant = description of OFI/NCR
Compliant/OFI Minor/major
Management system performance is evaluated in the risk opportunity and planning,
performance evaluation, and improvement audit trails. Auditor should study customer
satisfaction, customer complaints and problem solving, and overall performance (e.g.
KPIs) of the organisation. Poorly performing indicators represent lack of “intended
results” or customer dissatisfaction (clauses 6.1.1 and 5.1.2).
Auditor should start the audit by analysing overall customer satisfaction and
organisational performance. Lack of results or poorly performing indicators are then
linked to poorly performing processes. These also could be an indicator of poor risk
assessment. The auditor takes these into consideration when auditing management
review and/or process performance. The auditor should evaluate customer-related
issues and how the organisation responds to them.
Example audit of this clause:
The organisation has determined the performance indicators for the management
system and process parameters it wants to monitor and measure. The methods and
time lines of measurement have been documented in the respective
monitoring/measuring reports and formats. Responsibilities for analysis and evaluation
of management system performance happens effectively under the control of
responsible functions. Monitoring and measurement of the following areas were
verified:
Product rejection data: form ref: xxxx. Period: xxxxxxxx. Data collected by XXXXX. Data
analysed, reviewed and evaluated by: xxxxxx, date: xxxxx, Action taken: xxxxx
Turnaround time data: form ref: xxxx. Period: xxxxxxxx. Data collected by XXXXX. Data
analysed, reviewed and evaluated by: xxxxxx, date: xxxxx, Action taken: xxxxx
Supplier performance data: form ref: xxxx. Period: xxxxxxxx. Data collected by XXXXX.
Data analysed, reviewed and evaluated by: xxxxxx, date: xxxxx, Action taken: xxxxx
Productivity data: form ref: xxxx. Period: xxxxxxxx. Data collected by XXXXX. Data analysed,
reviewed and evaluated by: xxxxxx, date: xxxxx, Action taken: xxxxx
9.2 Internal audit
To be audited in stage 1 and 2.
If compliant = The implementation and effectiveness of the process audited has been
sampled and is considered to be compliant.
If not compliant = description of OFI/NCR
Compliant/OFI Minor/major
When third party auditors examine internal audit processes, they should evaluate issues
such as:
• the competencies that are needed for and applied to the audit,
• objectivity and impartiality of the internal audit process
• the risk based thinking performed by the organisation in planning internal audits,
• the degree of management involvement in the internal audit process,
• the guidance provided by ISO 19011 (but note that ISO 9001 does not require the
organisation to use ISO 19011), and
• the way the outcome of the internal audit process is used by the organisation to
evaluate the effectiveness of its QMS and to identify opportunities for
improvements.
It is good practice in third party audits to audit the internal audit processes of the
organisation toward the end of the third party audit. Auditors will be able to compare
the results of internal audit process against their own findings and thereby be able to
evaluate effectiveness of this process and the resulting corrective actions.
xxxx, record of training of internal auditors: xxx. Internal audit report: xxxx,
Presentation of non-conformance and corrective action: xxxxx. Internal audit checklist
available for sampled processes: xxxx.
Documentation of internal audit cycle period verified: xxxxx. No conflicts of interest
identified in audit assignment. Number of non-conformance raised: xxxx, corrective
implemented date: xxxx corrective action verified on: xxxx. Internal audit schedule
verified for any potential changes to be made in the next cycle of audits on: xxx. NCs
have been closed in reasonable time. Results of the internal audit are collated as a report
dated: xxxx for presentation in the next scheduled management review meeting.
9.3 Management review
To be audited in stage 1 and 2.
If compliant = The implementation and effectiveness of the process audited has been
sampled and is considered to be compliant.
If not compliant = description of OFI/NCR
Compliant/OFI Minor/major
The management review is a process that should be conducted and audited utilizing the
process approach. Organisations need to be able to demonstrate that they have
evaluated the effectiveness of actions taken to address risks and opportunities during
management review; consequently, auditors will be able to obtain objective evidence on
the use of this approach.
Documented information on management reviews is required, but the format of this is
not specified; minutes of meetings are the most common type, but electronic records,
statistical charts, presentations etc. could be acceptable types.
Auditors should look for evidence that the inputs and outputs of the management
review process are relevant to the organisation’s size and complexity and that they are
used to improve the business. Auditors should also consider how the organisation’s
management is structured and how the management review process is used within this
structure.
Example audit of this clause:
Frequency of management review is xxxxx. Management review follows a set
procedure Doc. ref: xxxx. Present meeting agenda (doc. ref: xxxx) includes the minimum
requirements of the standard and is sent in advance by email to potential participants.
Minutes of the meeting (doc ref: xxx) maintained and retained by the management
system coordinating team. Management review documentation verified for
management review meeting dated: xxxxx, Meeting chaired by the Managing Director.
Agenda and notice sent on xxxx. Number of attendees: xxx. Minutes of the meeting with
appropriate action points Doc ref: xxxx, prepared on XXXX and distributed to the
attendees on xxxx.
10. Improvement
ISO 9001:2015 10.1 General
10.2 Nonconformity and corrective action
10.3 Continual improvement
To be audited in stage 2.
If compliant = The implementation and effectiveness of the process audited has been
sampled and is considered to be compliant.
If not compliant = description of OFI/NCR
Compliant/OFI Minor/major
According to ISO 9000:2015:
Nonconformity = non-fulfilment of a requirement
Correction = action to eliminate a detected nonconformity
Corrective action = action to eliminate the cause of a nonconformity and to prevent
recurrence
"Correction" is action to eliminate a detected nonconformity. For example, correction
may involve replacing nonconforming product with conforming product or replacing an
obsolete procedure with the current issue, etc.
Corrective action cannot be taken without first making a determination of the cause of
nonconformity. There are many methods and tools available to an organisation for
determining the cause of a nonconformity, from simple brainstorming to more complex,
systematic problem solving techniques (e.g. root cause analysis, fish-bone diagrams, “5
whys", etc). An auditor should be familiar with the appropriate use of these tools. The
extent and effectiveness of the corrective actions depends upon identifying the true
cause.
An auditor should also check if the organisation has taken action to determine if the
cause of a nonconformity was systematic in nature or merely accidental. If a systematic
failure is treated as an accidental one-off occurrence, then the corrective action will not
be successful, and there will be a risk of the problem recurring.
The auditor should seek to determine if the auditee has attempted to set objectives that
establish the correlation between the 3 factors of: corporate objectives, customer
needs, and market expectations. ISO 9001 lists a number of areas that an auditor can
assess to obtain evidence of both planning and actual implementation of
improvement. It is important to understand that improvement doesn’t necessarily just
mean improvement of product or process, but can and should also apply to the quality
management system itself.
Examples of areas where the quality management system can be improved include, but
are not limited to:
• internal communications,
• follow-up activities,
• documented procedures,
• the effectiveness of management review meetings,
• customer feedback systems, and
• training programs (e.g. for management or for internal auditors).
An auditor should remember that it would be unrealistic to expect an organisation to
make progress on all potential improvements simultaneously. What it means is that when
opportunities for improvement are identified and when such improvements are justified,
an organisation needs to decide how they are to be implemented, based on the
available resources.