
ISO/TC 176/SC 3/WG 7 N94 – rev 3

COMMITTEE-IN-CONFIDENCE
Reference number of working document: ISO/TC 176/SC 3/WG 7 N94
Date: 1998-02-27
Working Draft: WG 7-WD 3
Committee identification: ISO/TC 176/SC 3/WG 7
SC 3 Secretariat: NN1
WG 7 Convenership: SAA

Guidelines for auditing quality systems

Contents

Foreword

Introduction

SECTION 1: SCOPE, REFERENCES AND TERMINOLOGY

1.1 Scope
1.2 Normative references
1.3 Terms and definitions

SECTION 2: AUDITING

2.1 Audit principles/processes
2.2 Managing audits
2.3 Auditing activities

SECTION 3: QUALIFICATION AND COMPETENCE OF QUALITY AUDITORS

3.1 General
3.2 Audit Team/Auditor Competency Requirements
3.3 Evaluating Auditor Competence
3.4 Selection of Audit Team Members
3.5 Continuing Professional Development

ANNEX A: AUDITOR CODE OF ETHICS

ANNEX B: EXAMPLES

ANNEX C: AUDITOR FUNDAMENTAL ABILITIES, PERSONAL ATTRIBUTES AND COMPETENCE REQUIREMENTS

ANNEX D: GLOSSARY OF TERMS AND DEFINITIONS

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of
national standards bodies (ISO member bodies). The work of preparing International
Standards is normally carried out through ISO technical committees. Each member body
interested in a subject for which a technical committee has been established has the right
to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with
the International Electrotechnical Commission (IEC) on all matters of electrotechnical
standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC
Directives, Part 3.

Draft International Standards adopted by the technical committees are circulated to the
member bodies for voting. Publication as an International Standard requires approval by
at least 75 % of the member bodies casting a vote.

This draft revision of ISO 10011 prepared by ISO/TC 176/SC 3/WG 7 covers the scope of
the existing three parts of the Standard, and proposes a single document having three
sections and four informative Annexes.

It proposes a more generic approach to auditing based on the competence required for
successful audit, and which needs to be considered in planning and managing audits.
Competence requirements differ significantly between audits, and the draft presents a
step-by-step approach to identifying requirements and ensuring that the necessary
competence and resources are available in the audit team. (However, readers need to be
aware that in many cases the audit ‘team’ will be one person who has the necessary
competence for the particular audit. Typical examples of a one-person audit team could
include internal audit of a small business or a third-party certification audit of a
medium-sized enterprise.)

The management of audit programmes previously addressed in Part 3
(ISO 10011-3:1993) is now covered in a more general sense by identifying audit principles and
ongoing management activities. This is intended to make it adaptable to a wider range of
business needs and applications, including small to medium enterprises. ISO/IEC Guide
62, General requirements for bodies operating assessment and certification/registration of
quality systems, may also be relevant for third-party certification bodies/registrars.

The annexes in this draft international standard are informative.

Copyright

Introduction

The ISO 9000 series emphasizes the importance of quality audit as a key management
tool for achieving the objectives set out in an organization's policy. The quality system
audit also provides objective evidence concerning the need for the reduction, elimination
and, especially, prevention of non-conformities.

Any organization which has an ongoing need to carry out audits of quality systems should
establish a capability to provide overall management and performance of the entire
process.

ISO 10011, Auditing, provides guidelines for managing and performing an audit of a
quality management system of any organization. It allows users to adjust the guidelines
described to suit their needs and contains the qualification criteria for auditors to ensure
that the audit is carried out effectively and consistently.


Guidelines for auditing quality management systems

Section 1 Scope, References and Terminology

1.1   Scope

This International Standard provides the general principles of auditing. It describes how a
series of audits is managed, provides guidelines for performing quality audits, and
describes criteria by which quality auditors are able to demonstrate their competence.
This standard is applicable to quality management system audits specifically, and is
sufficiently general in nature to allow its use in many different types of audits, including
audits of integrated management systems.

1.2   Normative references

The following normative documents contain provisions, which through reference in this
text, constitute provisions of this International Standard. For dated references, subsequent
amendments to, or revisions of, any of these publications do not apply. However, parties
to agreements based on this International Standard are encouraged to investigate the
possibility of applying the most recent editions of the normative documents indicated
below. For undated references, the latest edition of the normative document referred to
applies. Members of IEC and ISO maintain registers of currently valid International
Standards.

ISO 8402 Quality management and quality assurance - Vocabulary
[under revision, to become ISO9000-?]

[Deleted: ISO 14050, Environmental management vocabulary - France]

1.3   Terms and definitions

For the purposes of this International Standard, the terms and definitions given in
ISO 8402 and the following apply:

1.3.1 Audit (quality) A quality audit is a systematic, unbiased, objective and
comprehensive examination and comparison of quality related activities and their results
with specified requirements, and a determination as to whether these are suitable for and
effective in meeting objectives.

NOTE 1: See also the Glossary, Annex D, for the ISO 8402 definition and further
explanation of quality audits and their applications.

1.3.2   Audit findings   Results of the evaluation of the collected audit evidence
compared against the agreed audit criteria, and which provide the basis for the audit
report.

1.3.3 Auditor A person who has the qualification and competence to perform an
audit.

1.3.4 Client The person or organization requesting an audit.

1.3.5 Competence (audit) That combination of education, training, experience and
personal attributes which need to be applied in various audit situations in order to
successfully meet the audit objectives, scope and criteria. Competence requirements may
differ significantly between audits.

1.3.6 Auditee An organization to be audited.

Section 2 Auditing 

2.1 Audit principles/process

2.1.1   General Auditing Principles

Organizations and interested parties having a need to conduct efficient and
effective audits employ common core principles in planning, organizing, and
carrying out their audits.

Figure 1 shows the broad groupings or areas relating to general principles of
quality auditing. Those groupings are further explained in the clauses following.
Types of audit, such as internal or external audit, are described in Clause 2.2.1 and
the Glossary, Annex D.

[Figure: a central box, "General audit principles related to:", surrounded by five
groupings: Objectives, Scope and Outcomes; Methods and Techniques; Roles,
Responsibilities, Competence and Motivation; Resources; Managing Audits.]

Figure 1 General Audit Principles

2.1.2 Audit Objectives, Scope and Outcomes

2.1.2.1 Audits are an effective management tool to examine systems
(activities, processes) and their outcomes (products and services).

Audits collect information and objective evidence related to the conformity,
adequacy and effectiveness of the system and its outcome. The audit can serve
as an effective tool to identify situations causing nonconformance (or potential
nonconformance), and thus allow timely corrective or preventive action.
Management should use the audit information for improvement.

2.1.2.2 Audits are performed to examine and evaluate controls and to
provide information on effectiveness.

Audits also examine and evaluate the controls associated with systems, activities
or processes. This evaluation will determine if these controls are meeting stated
objectives. Audits evaluate conformity to planned arrangements, activities and
related results; their effectiveness and their ability to meet stated objectives.

2.1.2.3 Audits are performed to established criteria.

Auditors evaluate activities against established audit criteria as agreed between
interested parties. These criteria may consist of standards, policies, practices,
specifications, manuals, procedures, work instructions, regulations, codes of
practice, and other requirements which pertain to the activities audited.

2.1.2.4 The result of an audit is information.

Audit information is based on evaluation of objective evidence, which is then
communicated for subsequent use.

2.1.3 Audit roles, responsibilities, competence, and motivation

2.1.3.1 Audit team members and audit management staff are qualified and
competent.

The auditor(s) and audit management staff possess an appropriate combination of
knowledge, skills, motivation, and experience to carry out their responsibilities. An
audit team is competent to meet the audit objectives.

2.1.3.2 Audit team members abide by a code of ethics and are independent
of the function audited.

A code of ethics may include auditor behaviour, integrity, confidentiality and other
attributes. Audit team members should be objective and free from bias and conflict
of interest throughout the process. (See Annex B.)

2.1.3.3 Audits are authorized

Authority for the audit may result from legislation, regulation, contract, company
policy, or at the request of management.

2.1.4 Audit Management

2.1.4.1 The management of individual audits or a series of audits is essential.

Audit management defines, implements, maintains, and improves the
management of audits to ensure the audits are conducted in a consistent manner
and the results are credible.

2.1.4.2 Audits are planned.

Prior to conducting an audit, the audit is planned to ensure that it is carried out in
an efficient, effective, and organized manner.

2.1.5 Commitment of audit resources

Adequate resources are committed to the audit.

Audit management is required to commit appropriate resources to ensure efficient
and effective operation of audit programs and audits, and to ensure achievement of
audit objectives.

2.1.6 Defined audit methods and techniques

Audits are conducted according to defined methods and techniques.

Audits are conducted using proven techniques and according to defined
documented procedures. Audit results are based on samples of activities and
samples of process information; therefore, an element of uncertainty is inherent in
the results of all audits.

2.2.1 General

It is essential that audits are managed to ensure, for example, that resources are
appropriate and the results are consistent and credible. The following guidance is
appropriate to all organizations who need to manage one or more series of audits.

Organizations may manage one or more series of the following types of audits:
- external systems audits (second and third party),
- internal systems audits (first party),
- process audits,
- product audits (including service audits).

The relationship of some different types of audit is illustrated in Figure 2, and further
explanation of audit terms and applications is provided in the Glossary, Annex D.

Small organizations may only need to implement internal system audits.

[Figure: Management of Audits (procedures, resources, personnel) covers a series of
external audits, a series of internal system audits, process audits and product audits,
each made up of individual audits, and is followed by Evaluation, Review and
Improvement of Management of Audits. Note in the figure: a small organization may
only need to implement one series of audits.]

Figure 2 Management of Audits

Managing these series of audits includes establishment and implementation of an overall
policy, procedures and provision of resources.

2.2.2 Determining the authority, objectives and scopes

The organization should first establish the authority for managing audits.

Authority for managing internal audits is granted by executive management. Authority for
managing external audits is obtained from executive management, the client and the
auditee, as appropriate.

Objectives should be identified to assist in planning and implementing the types of audits
to be conducted.

The scope or extent of activities to be audited should be defined, considering factors such
as:

a) types of audits;
b) business, industry or economic sectors of operation;
c) the number, nature and locations of the organization’s activities and sites to be
   audited (including, for example, locations in other countries);
d) legal and regulatory issues;
e) potential needs for accreditation and registration/certification;
f) operational performance feedback; and
g) organizational policy.

2.2.3 Developing the system for managing audits

2.2.3.1 Responsibilities

The responsibilities for managing and conducting audits, as described in this International
Standard, may be performed by one or more individuals, for example audit manager, lead
auditor and auditor. In some organizations there may be only one individual responsible
for managing, coordinating and conducting audits, and this individual may have other
responsibilities and perform other tasks within the organization.

2.2.3.2 Resource needs

The resources needed to manage and conduct audits should be identified and provided.

Resource needs may include:

a) financial requirements to develop, implement, and manage audit activities;
b) administrative staff, their physical needs and facilities;
c) number of auditors, methods, time, travel and other auditing needs;
d) any required technical and other experts to support audit activities; and
e) a programme of ongoing training to maintain and improve auditor competence.

Depending on the size of the organization, this may involve only the identification of costs
associated with auditing time requirements and providing the necessary training to
maintain auditor competence.

2.2.3.3 Personnel qualifications

Qualification requirements for each position or job function should be documented.

Managers of audit activities should have, in addition to management skills:

a) an understanding of the skills required in auditing;
b) planning, administrative and organizational skills;
c) communication and interpersonal skills;
d) the ability to make objective and unbiased decisions; and
e) technical or business knowledge for audit activities to be undertaken.

Auditors require specific attributes, knowledge and skills, as described in Section 2 of this
International Standard. A documented process for identifying and recording the necessary
competence should be developed and implemented.

2.2.3.4 Procedures

The procedures for managing and conducting audits should be documented and
maintained.

Documented procedures may include instructions on or requirements for the following
processes:

a) reviewing the objectives and scope with the client;
b) audit planning and scheduling;
c) selecting the audit team, including any technical or other experts;
d) establishing audit methods, including any variations for particular audit activities;
e) the process for grading nonconformities, where specified by the client;
f) audit reporting, including any follow-up activities;
g) audit records, including records to be maintained, retention times, and
   confidentiality and security requirements;
h) auditor training, qualification and specific competences;
i) monitoring and improvement of audit activities.

2.2.3.5 Methods for evaluating the effectiveness of audit management

The methods to be used in evaluating effectiveness in meeting objectives should be
developed, including initial levels of acceptability.

Effectiveness may be measured by using performance indicators such as:

a) individual auditor performance;
b) audit team performance;
c) adherence to audit activity plans and schedules;
d) auditee and client feedback (customer surveys) and complaints;
e) results of audits on the audit management system.

2.2.4 Implementing and maintaining a series of audits

2.2.4.1 Initiating a series of audits

A series of audits (e.g. a cycle of supplier evaluation audits, or a yearly cycle of internal
audits) should be established by performing a review with the client to determine, among
other considerations, the:

a) objectives and scope;
b) types of audits to be conducted;
c) organizations, activities and sites to be audited;
d) standards, legislation, policies, and other audit requirements;
e) time scales and frequency of audits;
f) language and cultural considerations;
g) reporting requirements;
h) confidentiality and impartiality considerations;
i) audit team requirements and approval;
j) identification of improvement opportunities.

The objectives and scope should be clearly defined in such a manner as to describe the
intent of the audit outcome necessary to meet the client’s needs and take into account the
results of previous audits.

For a series of internal audits, this review process may be greatly reduced and result in
the documentation of an agreed audit schedule indicating management approval.

2.2.4.2 Managing a series of audits

Each series of audits should be managed and carried out by:

a) selecting and assigning a team of competent auditors;
b) scheduling and coordinating activities with the client;
c) providing required resources to the audit teams, including
   - appropriate documented procedures,
   - technical or other experts, and
   - interpreters for the language used by the auditees, if necessary;
d) maintaining records of the audit activities;
e) ensuring the confidentiality of all appropriate audit records.

2.2.4.3 Reporting and follow-up

The progress and results should be reported to and reviewed with the client at defined
intervals. Action should be taken to assure the suitability and effectiveness of the reporting
activities. Changes in the reporting process should be agreed and documented.

2.2.5 Monitoring and reviewing the audit system and activities

Each series of audits should be reviewed for effectiveness and suitability in achieving
objectives, and for possible improvements such as methods, economy and efficiency.
Means of identifying opportunities for improvement in audit management can include:

a) overall evaluation of the methods and effectiveness of the audit organization,
   by internal audit and other means;
b) evaluation of auditor performance;
c) review of the audit reporting process and records retained;
d) examining complaints, appeals and other feedback, e.g. from clients and
   auditees;
e) reviewing the requirements of external organizations, where applicable;
f) assessing the results of the audits on the management system;
g) evaluating the effect of the audit outcome on the auditee’s product;
h) determining mechanisms by which consistency of audits is achieved;
i) examining other guidance as defined in this standard.

2.2.6 Records

Records should be maintained as defined in documented procedures. Records may
include:

a) personnel qualification, training and competence;
b) audit contract reviews;
c) audit schedules;
d) individual audit records, such as audit plans, audit reports, nonconformity
   reports, corrective action reports;
e) audit activity monitoring results and reviews of audit activities.


Clause 2.3  Auditing activities

[was Clause 6, Auditing]

Initiating the audit
- Objectives and scope
- Audit requirements
- Feasibility of the audit and establishing the audit team
- Notifying the auditee
- Initial review

Preparing the on-site auditing activities
- Audit plan
- Audit work assignment and logistics
- Reference documents
- Work documents

Performing the on-site auditing activities
- Opening meeting
- Roles and responsibilities of guides
- Collecting information
- Evaluating evidence
- Audit findings
- Closing meeting with auditee

Reporting on the audit
- Audit report preparation
- Report content
- Report approval and distribution
- Record retention

Audit completion

Follow up

[Add to on-site activities: Closing meeting preparation]

Figure 3 Flow of Audit process

2.3.1   Initiating the audit

2.3.1.1   Objectives and scope

Each individual audit should be based on clearly defined objectives and scope. Examples
of audit objectives are:

a) determining conformity or nonconformity of the auditee's quality system, process or
   product with specified requirements;
b) determining compliance with legislation requirements;
c) evaluating the quality system of an organisation where there is a desire to establish
   a contractual relationship, such as with a potential supplier;
d) permitting the listing of the audited quality system in a register;
e) measuring performance in achieving quality objectives and confirming the
   effectiveness of the implemented quality system in meeting specified
   objectives;
f) identifying areas of potential improvement.

The audit scope may describe the system elements, processes, products, sites and
activities to be audited. It should also consider the depth and focus of the audit. Where
concurrent audits are planned to be performed by different organizations or quality system
audits are combined with other types of audits (such as Environmental Management
System audits, safety audits), care should be taken to clearly define the objectives and
scope.

The objectives and scope should be communicated to the auditee prior to the on-site audit
activities.

2.3.1.2 Audit requirements

Audit requirements may include policies, practices, documented procedures, standards,
guidelines and legislative requirements, against which the auditor compares collected
objective evidence.

2.3.1.3   Feasibility of the audit

Responsibility for the audit includes determining feasibility. Where the audit is feasible, a
team leader should be selected and notified. In consultation with the client, the audit team
leader identifies the overall resources necessary such as the audit team members, and
makes provision for any other resources required. Where the audit is not feasible, a
solution acceptable to the client should be proposed in consultation with all the
participating parties.

2.3.1.4 Establishing the audit team

When deciding the size and composition of the audit team, consideration should be given
to the following:

a) audit objectives, scope, location(s) and estimated time;
b) competence requirements, size and composition of the audit team;
c) the need to maintain the independence of the audit team from the activities to be
   audited;
d) the ability of the audit team to
   - work together to maximize their skills (synergy);
   - interact effectively with the auditee;
   - understand and take into consideration the particular objectives and
     circumstances of the audit;
   - work with and utilize the information provided by any appointed expert;
   - pay attention to the ethics, philosophy and culture of the auditee’s
     organization.

Experts may be called upon to supplement the capability of the designated audit team and
in this capacity should not act as auditors.

The technical or other expert provides additional understanding of any specific issues and
guidance on the significance of any observations.

The relationship between the audit scope, objectives and requirements and the decisions
to be made by management in establishing the audit team is illustrated in Figure 4.

[Figure: three inputs feed into "Managing Audits (assemble team to meet the input
requirements)":
- Scope: sector; number of elements; size and sites
- Objectives: system conformance; regulatory compliance; potential improvements
- Requirements: standards; regulations; procedures
The outputs are:
- Audit team member competence: industry sector; manufacturing; regulatory
- Expert: technical; service competence; design]

Figure 4

2.3.1.5   Notifying the auditee

The audit team leader should contact the auditee to establish communication channels,
request documentation and historical records, if needed, and to initiate the arrangements
for the audit. The need for accompanying persons such as auditors-in-training, observers,
or guides for the auditor should be agreed with the auditee.

2.3.1.6   Initial review

The auditee's quality system documentation necessary for the audit, previous audit
reports and any other relevant documents should be subject to an initial review.

The documentation should be reviewed for adequacy taking into account the size and
complexity of the organization, and its products and processes, in order to determine
readiness. If the information is insufficient for determining readiness, a preliminary on-site
visit may be useful.

If the quality system documentation is found to be inadequate to meet the requirements,
the client and the auditee should be informed and the audit should not proceed unless the
client agrees.

2.3.2   Preparing the on-site auditing activities

2.3.2.1   Audit plan

The audit team leader should prepare the audit plan, which should be reviewed and
accepted by the client. This plan provides detailed information to the audit team, auditee
and client and facilitates scheduling and coordination of further audit activities.

Where a defined level of confidence is required in the outcome of the audit, the use of
adequate statistical techniques should be considered to control the depth and focus of the
audit and this level of confidence should be included in the audit plan.

An audit plan may include:

a) the audit objectives and scope;
b) the audit requirements and/or identification of relevant quality system
   documentation;
c) the dates and places where the audit is to be conducted;
d) the identification of the auditee's organizational and functional units to be audited;
e) the identification of the individuals within the auditee's organization having significant
   direct responsibilities for the units to be audited;
f) the identification of the auditee’s functions, sites, activities or quality system
   elements that are of high audit priority;
g) references to any relevant specific auditing methods;
h) the expected time and duration for audit activities, including meetings with auditee’s
   management and audit team meetings;
i) the working and reporting language of the audit;
j) identification of roles and responsibilities of auditors and any accompanying persons;
k) the confidentiality requirements;
l) the required level of confidence in the outcome of the audit;
m) the audit report topics, format and structure, expected date of issue and distribution.

The amount of detail provided may differ between internal and external audit situations
and also between initial and subsequent audits. Detail should also be adapted to suit the
size and complexity of the auditee’s organization.

The audit plan should be sufficiently flexible to permit changes, such as any changes in
emphasis which may become necessary as the on-site auditing activities progress. (Such
changes may need to be reviewed and approved by the client.)

2.3.2.2   Audit team work assignments and logistics

The audit team leader, in consultation with the audit team, should assign to each member
of the team responsibility for audit of specific elements of the quality system, functions,
sites, areas or activities. Such assignments should take into account requirements for
auditor independence and efficient use of the resources. Changes to the work
assignments may be made to ensure the achievement of the audit objectives.

The audit team leader or any other appropriate party should prepare any audit logistics
(such as travel arrangements) needed.

2.3.2.3 Reference documents

Reference documents may include standards and other relevant documents.

2.3.2.4   Work documents

The work documents may include:

a) audit procedures, sampling plans defined in documented procedures or in the audit
   plan;
b) checklists;
c) forms for recording information, supporting evidence, records of meetings and audit
   findings.

The use of work documents, such as checklists and proformas, should not restrict the
scope of audit activities.

Work documents should be retained as specified in the relevant documented procedures,
at least until audit completion; those involving confidential or proprietary information
should be suitably safeguarded by the audit team members.

2.3.3   Performing the on-site auditing activities

2.3.3.1   Opening meeting

The following list of items may be considered for discussion at the opening meeting.

a) mutual introduction of the participants and encouragement of active participation in
   the audit;
b) introduction of any observers or external participants, including an outline of their
   roles and reasons for attendance;
c) review of the audit plan;
d) the audit time table and other relevant arrangements with the auditee, such as the
   time and date for the closing meeting, any interim meetings between the audit
   team and the auditee's management, and any late changes;
e) an overview of the way to conduct the on-site auditing activities;
f) identification of the formal communication channel between the audit team and the
   persons responsible for functions to be audited, and any resources and
   facilities needed by the audit team;
g) confirmation of matters relating to confidentiality;
h) confirmation of relevant work safety and emergency procedures for the audit team;
i) confirmation that during the audit, the auditee should be kept informed of progress
   and, if the objectives appear to become unattainable, the audit team leader
   should discuss the reasons with the auditee and the client; and
j) confirmation of availability, roles and identity of any guides.

In many instances a simplified approach may be taken depending on the audit objectives
and scope.

2.3.3.2 Roles and responsibilities of guides

The guide should assist the audit team, act on request of the auditor and witness the
performance of the audit on behalf of the auditee. Guides may also have additional duties,
for example, ensuring that rules concerning safety procedures are known and respected
by the auditor on site. Care should be taken to ensure that the guide does not exercise
undue influence or interference.

2.3.3.3   Collecting information

Information may be obtained in different ways from several sources such as:

a) interviews;
b) observations of activities and the surrounding work environment and conditions;
c) internal documentation, for example, plans, customer feedback, internal audit
reports, documented procedures, instructions, specifications, drawings;
d) records, such as inspection records, meeting minutes, reports or logbooks;
e) data summaries and analyses;
f) reports from other sources, for example, external laboratory reports and vendor
ratings.

Information should also be collected relating to interfaces between functions.

Interviews are an important means of collecting information and should be carried out in a
manner adapted to the situation and person interviewed. However, the following should be
considered by the auditor:

a) in order to obtain representative information, persons from different levels within the
auditee’s organization may be interviewed during the audit, especially those
persons performing activities or tasks under consideration;
b) the interview should be performed at the normal workplace of the interviewed
person, if possible;
c) every attempt should be made to put the interviewed person at ease prior to the
actual interview;
d) the reason for the interview and any note taking should be explained;
e) the interviewed persons should be asked to describe the nature of their work and
how it is carried out, or to describe a particular issue under consideration;
f) the results from the interview should be summarized and any conclusions drawn
should be verified where possible; and
g) the interviewed persons should be thanked for their co-operation during the
interview.

2.3.3.4 Evaluating evidence

The information collected during the audit should be verified or confirmed by the auditors,
using alternative sources where possible. Such information, after verification, can be
considered to be objective evidence, which should then be evaluated for significance
relative to the specified requirements. Information which appears relevant but cannot be
verified should be identified and recorded.

Evidence suggesting nonconformities should be noted and should be investigated if
significant and within the scope of the audit.

Should a significant concern arise which is outside the scope of the audit, it should be
noted and reported to the audit team leader, for possible communication to the client and
auditee. Any need for major changes in emphasis which may become apparent as on-site
auditing activities progress (e.g. as a result of identifying nonconforming activities) should
be reviewed with (and possibly approved by) the client.

Where the available evidence indicates that the audit objectives are unattainable, the
audit team leader should report the reasons to the client and the auditee to determine the
appropriate action, which may include termination of the audit or a change in the objective
of the audit.

The information collected during an audit will inevitably be only a sample of the
information available, since an audit is conducted during a limited period of time and with
limited resources. There is thus an element of uncertainty inherent in all audits, and users
of the result of audits should be aware of this uncertainty.

2.3.3.5   Audit findings

The audit team should review their findings at suitable stages during the audit, and in
particular prior to the closing meeting with the auditee.

Conformities or nonconformities to specified requirements should be identified and
recorded in a clear, concise manner, supported by objective evidence.

Any nonconformities should be recorded in adequate detail and in a manner which is
easily understood by the auditee.

Nonconformities should be reviewed with an appropriate auditee representative to obtain
acknowledgement of the factual basis. The auditee’s acknowledgement indicates that the
facts contained in the nonconformity are accurate, and that the nonconformance is
understood. Every attempt should be made to resolve any divergence of opinion
concerning the facts, and unresolved points should be recorded.

2.3.3.6   Closing meeting preparation

The audit team should confer prior to the closing meeting in order to:

a) review result of the audit against objectives;
b) reach team consensus on the results and conclusions;
c) agree roles and tasks for the closing meeting;
d) record recommendations, if required by the audit plan;
e) discuss subsequent corrective action, if required by the audit plan.

However, in many instances such as internal audits, a simplified approach may be taken
for the audit team review and the subsequent closing meeting.

2.3.3.7   Closing meeting with the auditee

A closing meeting should be held with the auditee's management and those responsible
for the functions audited. The purpose of this meeting is to present audit findings in such a
manner as to ensure that they are clearly understood and acknowledged by the auditee.

The audit team leader should present the audit team's conclusions in line with stated audit
objectives and scope. Any outstanding diverging opinions between the audit team and the
auditee should be discussed and if possible resolved. If not resolved, both opinions should
be recorded.

Records of the closing meeting should be kept.

If required by audit objectives, scope or documented procedures, the audit team leader
may present the team's recommendations for improvements to the quality system,
emphasizing that recommendations are not binding. The auditee should determine the
extent, the way and means of actions to improve the quality system.

2.3.4   Reporting on the audit

2.3.4.1   Audit report preparation

The audit team leader is responsible for the preparation, accuracy and completeness of
the audit report.

2.3.4.2   Report content

An audit report should provide all interested parties with an accurate record of the audit
findings and conclusions. These can include whether

- the quality system conforms to the specified audit requirements,
- the system is properly implemented and maintained and
- the implemented quality system is effective in meeting stated policy and
objectives.

The report may also include the following, as appropriate:

a) the identification of the organization audited and of the client;
b) the agreed objectives, scope and plan of the audit;
c) the specified audit requirements;
d) the date(s) and place(s) the audit was conducted;
e) the identification of the auditee's representatives participating in the audit;
f) the identification of audit team members;
g) a summary of the audit process including any obstacles encountered;
h) a statement of the confidential nature of the contents;
i) a distribution list for the audit report;
j) evidence that the audit objectives and scope have been accomplished in accordance
with the audit plan;
k) date of any agreed or recommended subsequent audit.

2.3.4.3   Report approval and distribution

The audit report should be issued within the agreed time period. If this is not possible, the
reasons for the delay should be formally communicated to both the client and the auditee
and a revised issue date agreed.

The report should be dated and signed by the audit team leader and reviewed and/or
approved as defined in appropriate documented procedures.

The audit report should be sent to the client, whose responsibility is to provide the auditee
with a copy of the audit report, and to decide, in consultation with the auditee, upon any
distribution outside the auditee's organization.

The audit report is the property of the client and confidentiality should be respected and
appropriately safeguarded by the auditors and all report recipients.

2.3.4.4   Record retention

Work documents and draft and final reports pertaining to the audit should be retained by
agreement between the participating parties, and in accordance with any applicable
requirements.

2.3.5   Audit completion

The audit is completed when all activities in the audit plan have been concluded, including
the distribution of the approved audit report.

2.3.6   Follow up

The auditee is responsible for determining and initiating any corrective action needed to
deal with a nonconformity. Corrective action and subsequent follow up actions, which may
include audits, should be completed within an agreed time period. The auditee should
keep the client informed of the status of corrective action activities.

Corrective action implementation should be verified in accordance with the appropriate
documented procedure. A follow up report should be prepared and distributed in a
manner similar to the original audit report.


Section 3. Qualification and competence of quality auditors

3.1 General

These guidelines describe an approach to identifying and evaluating competence
requirements that can be applied to potential auditors, used for the formation of audit
teams to meet specific audit objectives, and for the assignment of auditors to specific
audits as part of an audit team.

Competence can be considered as the combination of education, training, experience and
personal attributes which need to be applied in various audit situations in order to
successfully meet the audit objectives, scope and criteria. Competence requirements may
differ significantly between audits.

The use of predetermined minimum levels of education, specific training and amounts of
work experience to define generic auditor qualifications is only appropriate for the initial
qualification of potential auditors, and should not be applied indiscriminately to all audit
situations. The assignment of auditors for a specific audit requires a more detailed
evaluation of the competence required to meet the particular audit objectives.

The concept contained within this standard is that the specific audit competence
requirements needed to meet particular audit objectives are first identified and defined,
and then evaluated and compared with the competence possessed by individual auditors,
as a basis for selecting a team to perform the audit (a ‘team’ being one or more auditors
possessing the necessary competences).

This information can also be used as a basis for continual improvement, e.g. to further
develop the auditing capability of an organization, or to identify weaknesses in the
education, training and work experience of individual auditors and thus form the basis for
their further professional development.

3.2 Audit Team/Auditor Competency Requirements

3.2.1 Prerequisites

Fundamental abilities for an auditor, i.e. those which are essential in all audit situations,
include, for example, the ability to plan and organize audit activities and perform in a
timely manner, to interact, communicate and obtain objective evidence effectively. Further
guidance is provided in Annex C, and examples are listed in Clause C.2.1.

The personal attributes which an auditor should possess in order to achieve effective use
of these fundamental abilities include interpersonal skills such as tact, open-mindedness,
and maturity, and characteristics such as tenacity, decisiveness, self reliance and sound
judgement. Further guidance is provided in Annex C, and examples are listed in Clause
C.2.2.

In addition to having a suitable set of fundamental abilities and personal attributes,
auditors should have acquired knowledge and skills through a combination of education
and training, and have gained an appropriate level of workplace experience. Effective
audit performance will thereafter depend upon factors such as audit experience, ongoing
training, and other forms of continuing professional development.

Auditors require good communication skills, i.e. they need the ability to communicate
clearly and concisely in writing, the ability to read and comprehend audit documentation,
to be articulate, and to be able to listen and ask questions effectively during an audit.

In complex situations the auditor should also have the ability to understand operations
from a broad perspective, e.g. to understand the role of individual units within the overall
organization.

3.2.2 Core Competence Requirements

Typical requirements which may need to be considered in determining auditor
competence are:

- knowledge and skills of quality principles and techniques
- general auditing skills
- knowledge and understanding of reference documents
- understanding of organizational situations
- sector specific knowledge

These core competence requirements are an integral part of the audit team competence
as shown in Table X, Audit Team / Auditor Selection (see Clause 3.3).

Further guidance on core competence requirements is provided in Annex C.

3.3 Evaluating Auditor Competence

3.3.1 General

Managers of audit activities should define the core competence requirements for auditors
who are to perform audits. These should include initial qualification requirements for
potential auditors, including auditors in training, and any education, training and work
experience necessary to meet ongoing competence requirements.

Auditor, audit team leader and audit team competence should be subject to a documented
evaluation process, and to ongoing periodic evaluation.

3.3.2 Evaluation process

The process for evaluating audit team and auditor competence needs to be planned to
provide an outcome that is consistent, fair and reliable. Determination and evaluation of
competence requires the following steps:

- definition of the competence requirement;

- identification of indicators by which competence is to be measured; and

- the method to be used to evaluate competence.

An example of a method of completing this process is shown in Table X.

This method can be used as a tool to evaluate potential auditors, for the ongoing
professional development of individual auditors and for audit team selection. Evaluation
can be undertaken by a competent person or a panel as assigned by those responsible
for the management of the audit.

In Table X, column 1 contains a set of core competencies. Column 2 should define the
specific competence requirements necessary for the potential auditor or auditor in
training, auditor and/or audit team leader as required. Column 3 should define the
indicators to be used to measure performance. Column 4 identifies the method by which
performance is to be evaluated and column 5 how the evaluation method is to be applied.

In evaluating competencies by the method illustrated in Table X, users should:

1) Identify the method (or methods) most appropriate to evaluate each specific
competence and the competence indicators. This will complete column 4 of Table X. The
method chosen should take into account the desired level of reliability for the evaluation
process.

2) Identify the specific application or way in which the evaluation is to be made, for each
core competence and competence indicator. This will complete column 5 of Table X.

Table Y shows several possible applications for each evaluation method.

TABLE X

Auditor/Team Competence | Auditor Evaluation | Auditor Evaluation

| Core Competence | Specific Competence | Competence Indicators | Method | Application | Auditor Name(s) |
|---|---|---|---|---|---|
| Knowledge and skills of quality principles and techniques | | | | | |
| General auditing skills | | | | | |
| Knowledge and understanding of reference documents | | | | | |
| Understanding of organisational situations | | | | | |
| Sector specific knowledge | | | | | |
| Column 1 | Column 2 | Column 3 | Column 4 | Column 5 | Column 6 |



Table Y should be used to select the evaluation method with the most appropriate degree
of reliability. The reliability of the process increases from a records review through
examination and personnel interviews to a demonstration of in field performance and
should be chosen based upon each audit situation.

| RELIABILITY | METHOD | APPLICATION |
|---|---|---|
| LEAST | Records | Attestation: oral or written statement by a person, a testimonial (may give different levels of confidence, depending upon the credibility and independence of the provider); |
| | | Substantiation: Obtaining or providing additional objective evidence to support documentation or attestation substantiation |
| | | Verification: Independent check of information or evidence; |
| | | Sample of previous work: audit reports, checklists, etc. |
| MORE | examination | written examination; |
| | | oral examination or evaluation; |
| | | review of results of training; |
| | | interview. |
| MOST | demonstration | peer or other observations of auditor performance; |
| | | demonstration to show specific skills, such as role play showing communication skills. |

Table Y. Methods for evaluating auditor competence

Examples of the application of this method are shown in Annex B.

Example B1 applies to internal auditor evaluation, see Table B1 [Glovemaker, internal
audit].

Example B2 applies to prequalification of auditors by a third party certification
body/registrar, as shown in Table B2 [Third-party certification].

3.4 Selection of Audit Team Members

Audit teams should be selected by those responsible for managing the audit after
identifying competence requirements for the audit, and based on the specific audit
objectives, scope and criteria. Audit team competence can be evaluated using the method
documented in 3.3.2, and the competence of available auditors to undertake the audit can
be compared against the team requirements.

Selection of audit team members will also depend on planning to estimate the duration of
the audit and the number of auditor-days required.

Managers of audit activities should ensure that all audit team competence requirements
are met either by a single auditor, multiple auditors or in combination with technical or
other experts.

The results of the audit team selection process should be documented.

Examples of the use of this method are shown in Annex B.

Examples B1, B3 and B4 apply in a small to medium manufacturing organisation, a bank
and a large design and manufacturing organisation respectively [see Tables B1, B3 and
B4].

3.5 Continuing Professional Development


Continuing professional development is concerned with continuously updating
professional knowledge, personal skills and competencies. It ensures that professional
credibility is maintained in an ever changing world where new ideas, concepts, and
practical tools are constantly being developed. This paragraph provides guidelines for
ensuring that important aspects of continuing professional development are addressed.

3.5.1  New requirements and current interpretations

Auditors should maintain their knowledge of any new standards or requirements relevant
to the audit situations which they are expected to encounter, and the current
interpretations associated with those requirements.

3.5.2 Current application of auditor practices

Auditors should maintain their knowledge of audit practices and the most current
application of those practices to sustain their auditing effectiveness.

3.5.3 Current audit experience

Auditing involves the use of unique combinations of technical skills, interpersonal skills
and communications skills which require continual use in order to maintain effectiveness.
Auditors should therefore maintain their auditing skills through regular practice to ensure
those skills are current.

3.5.4 Awareness of current issues

Auditors should keep abreast of current issues related to quality auditing through training,
reading, and professional contacts. This awareness may be satisfied through more formal
refresher training or special courses as judged necessary.

Auditors should have their performance reviewed at regular intervals by means of an
independent evaluation in order to determine progress made with continuing professional
development and aid auditor credibility.

ANNEX A
(Informative)

Auditor Code of Ethics

Auditors should adhere to a strict code of ethics. The following example of a typical code
of ethics for third-party auditors is provided as a model, and can be freely adapted,
particularly with respect to internal audit situations. However, a code of ethics should
reflect the principles set out in the model. Each person in charge of managing a series of
audits should adopt an appropriate documented code and obtain a formal undertaking
from the auditors to respect the code.

Auditors shall uphold professional principles in fulfilment of the auditor’s responsibility to
promote and maintain high standards of ethical conduct by:

1. Conducting themselves professionally, in a trustworthy and unbiased manner, with truth,
accuracy, fairness and responsibility to both the organization by which the auditor is
employed, or to which the auditor is contracted, and any other organization involved in an
audit performed by the auditor or by personnel under the auditor’s direct control.

2. Striving to increase the competence and prestige of the profession and aiding the
professional development and advancement of those in the auditor’s employ or under
the auditor’s supervision.

3. Representing the auditor’s qualifications or qualifications of those in the auditor’s
employ or supervision in a truthful and accurate way and by not undertaking auditing
work beyond these qualifications.

4. Disclosing conflicting or competing interests that may be in conflict with the interests of
a client, an employer, or an auditee. These interests include:
4.1 Auditing a competitor of an organization, division, or business unit by which the
auditor is employed; or
4.2 Auditing an organization in which the auditor has a consulting arrangement in effect
unless written approval is received from both parties.
4.3 Auditing an organization where the auditor may have business connections,
interests or affiliations that might influence the auditor’s judgement or impair the
equitable character of the auditor’s services, including financial, familial, or
personal; such restrictions to apply for one year after the termination of the
interest or affiliation.

5. Treating all client, employer and auditee information as confidential, unless
authorized in writing by the company to disclose it, with the following precautions
taken:
5.1 Not discussing information or findings with anyone outside of those entitled to such
information;
5.2 Not disclosing the names, or otherwise revealing the identities of auditees in
association with the findings, both during and after the audit process.

6. Not accepting retainers, commissions, gifts, or other valuable considerations which
would impair or be presumed to impair the auditor’s professional judgement from the
company audited, or from any other interested parties.

7. Not disclosing confidential information or exchanging or communicating
information that may compromise the integrity of the audit or the decisions therein.

8. Not accepting compensation from more than one party for the same service
without the consent of all parties. If employed, the auditor shall engage in supplementary
auditing or consulting employment only with the consent of the auditor’s employer.

9. In the event of any alleged breach of this code, cooperating fully in any formal
inquiry process.

Annex B:
(Informative)

EXAMPLES

Example B1 [Scenario: Glovemaker, internal audit]

Introduction

Gropper Gloves is an SME making an exclusive brand of lead gloves for the fishing
industry. The organisation has 8 employees and uses old technology presses to wrap the
gloves on to steel fingers. The finished gloves are then removed, visually inspected,
tested for leaks, painted green and packed in paper bags for despatch to the customer.
The organisation is certified to ISO 9002.

Audit Objective

The objective is to determine the degree of conformity of the organization's quality
management system with ISO 9002 through the conduct of an internal audit.

Audit Scope

The scope of the audit is limited to ISO 9002, Clause 4.9 (part).

Audit Requirements

The requirement is specified in Gropper Gloves Operational Procedure 4.9/I-I Glove
Painting.

Audit Team / Auditor Selection
Audit Team Competence Auditor Evaluation Potential Team Members
(Section 2.3) (Section 3.3) (Section 3.4)
Core Competence Specific competence for this Competence Indicators Method Application Ian Colour Abu Bakar
audit
Knowledge and skills of Practical knowledge of the Successfully completed Examination Review of results of inhouse Completed this course. Completed this course.
quality principles and application of basic quality inhouse training on quality training.
techniques system practices and principles and techniques.
processes.
General auditing skills Ability to lead and perform Completed an externally Examination Review of results of Meets the audit team leader Meets auditor requirements
an internal audit in a known recognised internal auditor external training course. requirements.
environment interacting with training course. Acted as an Demonstration Observation of audits.
workplace colleagues in a audit team member with the
low technology situation. QA manager for six full
system audits and as an audit
team leader for four audits.
Knowledge and Ability to understand current Successfully completed a Records Interviews, reference Served five year Worked in the paint shop as
understanding of reference ISO 9002 clause 4.17 and training course in these checking and testimonials apprenticeship as a a supervisor for two years
documents inhouse audit procedure. subjects used to confirm work tradesman painter. some three years ago.
experience gained externally
High level of knowledge of and within Gropper Gloves
Gropper Procedure 4.9/1-1 Six months experience in in painting techniques.
Glove Painting. using Gropper glove Examination Completed inhouse training
Knowledge of ISO 9002 painting procedure. course.
clause 4.9 and relevant Completed this course
internal procedures
Understanding of Good understanding of paint Employment within Gropper Records Verification of previous Employed for 5 years Employed for 10 years
organizational situations shop culture and employee for two years. work performance reports.
interaction with management
and union.
Sector specific knowledge High level understanding of Two years work experience Records Interviews, reference Previously employed in the Previously employed in the
painting process and in industrial application of checking and testimonials paint technology industry for paint technology industry for
associated technology. paint to metal surfaces. used to confirm work 4 years 4 years
Awareness of problems experience gained meets
previously encountered with Demonstration requirement.
the process. Supervisor observation
1 2 3 4 5 6 7

Annex B - example 3 (Scenario: Banker)

Introduction

Banque de Credit Launder is a well established bank catering for a wide range of
international clients seeking to deposit large sums of cash for short periods and then
withdrawing their funds in other forms of currency such as bonds, negotiable notes,
gold and other non traceable securities. The bank has a strong investment division
but does not offer insurance or superannuation services as this is not favoured by
their particular client base. The bank's headquarters are located in the Crook Islands
and it operates a number of branches located in key international cities around the
world. Most transactions are performed electronically through a numbered banking
account system and personal contact with clients is rare. Clients are generally
represented by a third party with appropriate power of attorney. The bank is certified
to ISO 9001 for design as its customers require an innovative range of investment
portfolios in order to ensure that their funds are secure from taxation and other
restrictive regulatory practices.

Audit Objective

This audit is to be conducted by a world-wide casino operator seeking to enter into a
contractual relationship with the bank for the deposit of large sums of money through
all the bank's branches on a daily basis.

Audit Scope

The scope of the audit will be a full ISO 9001 system audit to be conducted at the
bank's head office.

Audit Requirements

The requirements will be those specified in ISO 9001, the sector application guide
developed by the relevant banking association and Banque de Credit Launder’s own
quality policy and procedures manuals.

TABLE B3 Audit Team/Auditor Selection: Example 3

Audit Team Competence Auditor Evaluation Potential Team Members


(Section 2.3) (Section 3.3) (Section 3.4)
Core Competence Specific Competence Method Application Auditor A Auditor B Auditor C/
competence for Indicators Technical Expert
this audit
Knowledge and Practical Successfully Examination Review results of Completed this Completed this
skills of quality knowledge of the completed a training course course course
principles and application of training course in
techniques quality principles in service sector Records Interviews, Implemented a
a finance related quality reference checking certified quality
customer service implemented and/ and testimonials system to ISO
environment or maintained a used to confirm 9001 in an
certified/ registered work experience insurance
quality gained company
management
system in an
organisation
delivering finance
related services
General auditing Ability to Completed an Examination Review of results Completed a Completed a
skills understand the externally of external training recognised recognised
application of ISO recognised auditor course. external auditor external auditor
9001 in a finance training course training course. training course.
related customer Registered quality IRCA registered IRCA registration
service auditor under lead auditor lapsed
environment IRCA/RAB or
similar

Ability to conduct Acted as an audit Demonstration Observation of Performed ten full Performed four full
quality auditors to team member in audits system audits in system audits in
ISO 9001 audits of financial banks and acted banks and
institutions for a as a lead auditor in insurance
minimum of four four full system organisations.
full system audits audits
and as an audit
team leader for
two audits
Audit Team Competence Auditor Evaluation Potential Team Members
(Section 3) (Section 3.3) (Section 3.4)

Core Competence Specific Competence Method Application Auditor A Auditor B Auditor C/


competence for Indicators Technical Expert
this audit
Ability to apply Been part of an audit Demonstration Observation of audits Applied the sector Applied the
sector application team for at least two guide in four full sector guide in
guide to audit audits using the system audits two audits
situations sector application
guide in a banking
situation
Knowledge and High level of
understanding of knowledge of ISO
reference documents 9001 in a service
application
Detailed knowledge
of the sector
application guide
for banking services
General knowledge
of banking
processes and
procedures
Understanding of Good Previous employment Records Interviews, reference Past employee with Past insurance
organisational understanding of within Banque de checking and five years service company
situations banking culture Credit Launder other testimonials used to employee
banks or similar confirm work
financial sector for experience gained
not less than two meets requirement
years.
Knowledge of Conduct of internal Records Conducted
Banque de Credit audits within Banque internal audits
Launder operating de Credit Launder; over a five year
environment other banks or similar period in an
financial sector over insurance
a minimum three company
year period
Audit Team Competence Auditor Evaluation Potential Team Members
(Section 2) (Section 2.4) (Section 2.5)
Core Competence Specific Competence Method Application Auditor A Auditor B Auditor
competence for this indicators C/Technical
audit Expert
Understanding of Employment in a Records Past employee Insurance
confidentiality security sensitive company
requirements of work environment for employee
Banque de Credit not less than three
Launder years
Sector specific High level of Previous employment Records Interviews, reference Past employee
knowledge understanding of within Banque de checking and
banking operations Credit Launder other testimonials used to
banks or similar confirm work
financial sector for at experience gained
least three years meets requirement
Knowledge of bank Previous employment Records Past employee Insurance
security and within Banque de company
confidentiality Credit Launder other employee
processes. banks or similar
financial sector as
above.
Previous employment
Knowledge of bank constituting or Records Retired head (15
management auditing within an years) of
information information systems management
systems environment for not information
less than two years systems for world
bank. Currently
providing financial
services to a
range of clients
Knowledge of Employment as an
investment portfolio investment consultant
design or financial adviser
for a minimum of 5
years
Annex B - Example 2 (Scenario: Third-party certification body registrar)

Introduction

Organisations specialised in the performance of audits (e.g. third-party certification
bodies/registrars) may wish to prequalify auditors.

This can be done on the basis of a generic set of defined prerequisites in order to
simplify the selection process of audit teams for each individual audit.

The defined generic prerequisites may reflect the organisation's scope and extent of
activities.

Consequently the definition of audit team competencies required to meet particular
audit objectives can be limited to the additional audit specific requirements.

EXAMPLE

An international organisation, specialised in the performance of third party audits,
may have the following scope and extent of activities.

Generic:

· Accredited third party audits
· Majority of the auditees are SME
· Majority of the audits are of medium risk
· Majority of the audits are of medium reliability
· Majority of the audits are against ISO 9001/2

Specific:

· different types and sizes of organisations
· different types of production and services
· different technical environments
· different complexity
· different risks
· different languages
· different cultures
· different legal and regulatory requirements
· different types of management systems and standards
· different auditees' personal attributes/characteristics

From this list a number of generic (minimum) prerequisites can be identified based
on the fundamental similarities in all situations.

Prior to each audit, the specific competencies must be identified and used for the
assessment of the audit team competence.
Minimal Objectives

Performance of audits to determine the degree of conformity of at least low complex,
small/medium size organisations, medium risk, medium reliability quality
management systems with ISO 9001/2.

Minimal Scope

Design/development, production, installation and servicing, serial production, single
site.

TABLE B2

Column groups: Audit team competence (first three columns), Auditor evaluation (Method, Application), Potential team members (last column).

| Core competences | Specific competences | Competence indicators | Method | Application | Auditor A, B etc. |
|---|---|---|---|---|---|
| Knowledge and skill of quality principles and techniques | Practical knowledge of application of quality principles | At least a degree or equivalent. A minimum of 4 years work experience after the degree | Records | | |
| General auditing skills | Ability to perform a third party quality audit | Completed an international recognised quality lead-auditor training course. | Records | | |
| | | Observe two complete audits. | Records | | |
| | | Successfully carry out twenty mandays auditing under supervision and guidance of the Team Leader | Demonstration/Records | | |
| | Ability to lead a third party audit team | Successfully participate at least five times as Team Leader under supervision and guidance of an experienced team leader | Demonstration/Records | | |
| Audit organisation's culture | Fit within the audit organiser's specified personal attributes and skills | Successfully pass the organisation's human resources selection process | Demonstration/Records | | |
| Knowledge and understanding of reference documents | High level of knowledge of ISO 9001 in multiple applications | Completed ISO 9001 training course. | Records | | |
| | | Practical experience with the establishment of quality management system based on ISO 9001/2 | Records | | |
| Understanding of organisational situations | Knowledge and understanding of managing an organisation | A minimum of 2 years management experience | Records | | |
| Sector specific knowledge | | | | | |

Annex B - Example 4 (Scenario: Exploration vehicle development and
manufacture)

Introduction

Egocentric Dynamics is a large single organisation involved with the design and
manufacture of a remote controlled explorer vehicle used for rock evaluation on the
planet Zog.

The organisation has 1,500 employees and uses advanced technology to produce
special vehicles.

The Zog explorer vehicle consists of:

· a fabricated special alloy body
· electrically powered motor
· embedded computer software to remotely control the drive motor and operate the
rock sample selection arm
· hydraulic suspension
· steel and rubber track drive

Audit Objective

The objective of this audit is for Bestever Quality Assurance, which is a Third Party
Certification Body/Registrar, to determine the degree of conformity of Egocentric
Dynamics' quality management system with ISO 9001.

Audit Scope

The scope of the audit covers all elements of ISO 9001.

Audit Requirements

The requirements are specified in Bestever Quality Assurance Procedures PO 60-90
for conducting initial assessments in the automotive sector.
TABLE B4: Audit Team/Auditor Selection

Audit Team Competence Auditor Evaluation Potential Team Members


(Section 3) (Section 3.3) (Section 3.4)

Core Competence Specific Competence Indicators Method Application Auditor A Auditor B Auditor C
competence for
this audit
Knowledge and Practical Successfully completed Examination Review the results Completion of this Completion of this Completion of this
skills of quality knowledge of the a training course in of a training course course course course
principles and application of quality assurance and
techniques quality principles in management principles
the automotive specific to the
industrial sector. automotive sector.
Implemented and/ or Records Interviews, Implemented a
maintained a reference checking certified quality
certified/registered and testimonials system in a major
quality management used to confirm Automotive plant
system preferably within work experience designing and
the automotive industrial gained manufacturing xxx
sector.
General Auditing Ability to Completed an externally Examination Review the results Completed an Completed an Completed an
Skills understand the recognised auditor of external training internationally internationally internationally
applications of ISO training course course recognised quality recognised quality recognised quality
9001 in a very lead auditor auditor training auditor training
specialised and training course course course
high technology
environment within
the automotive
sector.
Ability to lead/ Acted as an auditor team Demonstration Two complete Completed 420 Completed 27 third Completed 15 third
conduct third party member in third party audits subject to third party audits party audits as a party audits in the
quality system audits in the automotive independent as team leader in support auditor in automotive sector
audits to ISO 9001 industrial sector for a witnessed the automotive the automotive and 180 in the
minimum of ten full assessment with sector sector computer software
system audits and as an the remainder sector
audit team leader for five monitored by more
audits. All audits subject experienced
to witnessed members of the
assessment. team.
Audit Team Competence Auditor Evaluation Potential Team Members
(Section 3) (Section 3.3) (Section 3.4)

Core Competence Specific Competence Indicators Method Application Auditor A Auditor B Auditor C
competence for
this audit
Ability to apply Been part of an audit Demonstration As above Automotive sector Automotive sector Computer software
automotive and/or team for at least five
computer software audits using automotive
sector application and computer software
guides to third sector application
party audit guidance.
situations.
IRCA or similar auditor Records Check registration IATCA Registered RAB Registered IRCA Registered
registration card or verify by Lead Auditor Auditor Tick IT Auditor
contacting the
Registration Body
Knowledge and High level of Successfully completed Examination Review result of Completion of this Completion of this Completion of this
understanding of knowledge of ISO an ISO 9001 training training course training course training course training course
reference 9001 in multiple module with an
documents applications automotive bias
Detailed Received on the job Examination Review results of Completion of Completion of completion of
knowledge of the training in the application training course training course training course training course
automotive sector of the sector guides
applications guide
and supplementary
requirements
specific to the
automotive
industry.
Detailed Successfully completed Examination Review results of N/A N/A Completion of
knowledge of ISO a Tick IT auditor training training course training course and
9000-3 and other course some participation
documentation in the development
relevant to of the sector guide
computer software
sectoral schemes
such as Tick IT
Audit Team/Auditor Selection

Audit Team Competence Auditor Evaluation Potential Team Members


(Section 3) (Section 3.3) (Section 3.4)

Core Competence Specific Competence Indicators Method Application Auditor A Auditor B Auditor C
competence for
this audit
Understanding of High level of Previous employment within Records Interviews, Over 30 years Former employee Although not
organisational understanding of the automotive industry or reference experience in the of this company originally from this
situations the modern and similar is essential for at least checking and automotive many years sector, he has
advanced one member of the team testimonials used industry regularly previous as a acquired
organisational to confirm work keeping abreast technician significant
management experienced with new apprentice knowledge of the
systems in the gained meets developments by automotive
automotive industry requirements membership and industry in recent
attendance at years. Gained
meetings of the mainly through
Automotive training and from
societies and also auditing
by reading experience within
journals this sector
Well versed in At least 2 years practical Records
Project experience of Project
Management Management through
techniques and participation as a member of
modern methods of the team
procurement
Familiar with This can be gained through Records
functional/ cellular in-house cascade training or
group working from recent work related or
styles now endemic auditing experience
throughout this
industry
Awareness of This can similarly be attained Records
cultural working through in-house training or
practises and from recent work related or
demarcation issues auditing experience within the
specific to the automotive sector
automotive sector
Audit Team Competence Auditor Evaluation Potential Team Members
(Section 3) (Section 3.3) (Section 3.4)

Core Competence Specific Competence Indicators Method Application Auditor A Auditor B Auditor C
competence for
this audit
Sector specific Detailed knowledge Hold a degree or equivalent Examination and Interviews, Chartered
knowledge of design on in mechanical engineering records reference mechanical
development of with 5 years design checking and engineer - 20
special purpose experience of motor vehicles testimonials used years working
tracked vehicles to confirm with design of
experience main battle tanks
and tracked
armoured
recovery vehicles
Detailed knowledge Hold a degree or equivalent Examination and Interviews, Technician
of design and in electrical engineering with records reference engineer with 15
development of 5 years experience in checking and years electrical
remote controlled Electrical and electronic testimonials used design
vehicle electric equipment to confirm experience with
motors and experience NASA on the
associated electrical similar lunar
and electronic remote vehicle
control equipment project
Highest level of Hold a degree or equivalent Examination and Interviews, Software engineer
experience with in computer science with 4 records reference with 6 years
hands-on years experience in safety checking and experience in the
development of critical software development testimonials used aerospace sector
safety critical to confirm and 3 years
software including experience acquired
subsequent testing experience in the
automotive
industry gained
through audits
Audit Team Competence Auditor Evaluation Potential Team Members
(Section 2.3) (Section 2.4) (Section 2.5)

Core Competence Specific Competence Indicators Method Application Auditor A Auditor B Auditor C
competence for
this audit
Advanced Hold a degree or Examination and Interviews, Gained a
standard of equivalent in mechanical records reference checking supplementary
technical engineering, metallurgy, and testimonials degree in materials
knowledge for or materials science with used to confirm science as a
selection and a minimum of 4 years experience mature student.
processing of a experience Acquired
wide range of experience through
materials and 9 years auditing
special processes.
This will include
fusion welding of
highly
sophisticated non-
ferrous metals and
their associated
testing
ANNEX C AUDITOR FUNDAMENTAL ABILITIES, PERSONAL ATTRIBUTES AND COMPETENCE REQUIREMENTS.

C.1 General

This International Standard recognizes that there are certain prerequisites for
effective audit, which include those fundamental abilities required in all audit situations,
certain personal attributes of the auditor, and core competencies which need to be
available in all audit teams if the audit is to be conducted effectively. Section 3 describes
their application to the qualification and competence of quality auditors and audit teams.
This Appendix provides further guidance on these fundamental abilities, personal
attributes and competence requirements as an expansion of the guidance in Section 3,
and may be of assistance when using the tables in Section 3.

C.2 Fundamental abilities and personal attributes of auditors

C.2.1 Fundamental abilities

Auditors should have the ability to:

- plan and organize audit activities;
- identify conflicting and competing interests;
- commit full attention and support to the audit process;
- interact and communicate with all levels of the audited organization and the
  auditors in a way that will best achieve the audit objective;
- obtain and assess objective evidence in a fair and realistic manner;
- remain true to the purpose of the audit without intimidating the auditee or being
  intimidated by the auditee;
- remain true to the purpose of the audit without favor;
- evaluate constantly the effects on the audit process caused by audit observations
  and personal interactions during an audit;
- react with sensitivity to the conventions and culture of the country or region in
  which the audit is performed;
- perform the audit process in a timely manner and without deviating due to
  distractions;
- deal with stressful situations effectively;
- reach sound conclusions based on objective evidence;
- remain true to a conclusion despite pressure to change that is not based on
  objective evidence;
- hold information confidential.

In complex situations the auditor should have the ability to understand operations from a
broad perspective, e.g. to understand the role of individual units within the overall
organization.

Auditors also require good communication skills, i.e. they need the ability to communicate
clearly and concisely in writing, the ability to read and comprehend audit documentation,
to be articulate, and to be able to listen and ask questions effectively during an audit.
C.2.2 Personal Attributes

In order to achieve effective use of the fundamental abilities, the auditor should possess
personal attributes that include, but are not limited to the following:

open mindedness - willingness to consider alternate ideas or views;

maturity - related to behaviour, and includes diplomacy and tact;

sound judgement - based on logical reasoning and analytical skills;

observant - this includes visual observation and listening ability;

perceptive - this includes the auditor’s instincts, intuition and ability to
know where to look or who to ask;

tenacity - persistent, focused, oriented towards objectives;

decisiveness - firm, able to make objective and unbiased decisions;

self-reliance - ability to act on one’s own and interact effectively
with others;

integrity - the auditor needs to demonstrate ethical behaviour and
to be truthful, sincere, honest, motivated and
committed.

C.3 Core Competence Requirements

C.3.1 General

Core competence requirements are an integral part of the audit team and auditor
selection and assignment process, as described in Clause 3.3. Typical requirements
which may need to be considered in determining auditor competence are:

- knowledge and skills of quality principles and techniques
- general auditing skills
- knowledge and understanding of reference documents
- understanding of organizational situations
- sector specific knowledge

Further details of these requirements are provided in the following Clauses.

C.3.1.1 Knowledge and Skills of Quality Principles and Techniques

Knowledge and skills of quality principles and techniques are necessary to enable the
auditor to examine the quality system and determine that it is being properly applied.
Typical areas of competence necessary to achieve this objective include:

- Quality terminology;
- Structure and function of quality management systems;
- Practical knowledge of the application of basic quality system practices and
  processes;
- Understanding the application of quality tools used by auditors and auditees;
- Evaluation of the significance of collected information and their impact on quality.

C.3.1.2 General Auditing Skills


General auditing skills are necessary to ensure that the audit process is conducted
systematically. Auditors should be able to apply these skills during the complete cycle:

- Initiating the audit;
- Preparing for the audit;
- Performing the audit;
- Reporting the audit results;
- Audit completion;
- Follow-up.

C.3.1.3 Knowledge and Understanding of Reference Documents

Knowledge and understanding of the reference documents is necessary to enable the
auditor to comprehend the framework within which the audit is to be conducted. The
framework for the audit may include standards, legal documents, applicable procedures or
other management system documentation. To comprehend the framework a knowledge
and understanding of the following may be necessary:

- Relevant reference documents used as the basis for the audit;
- Differences and precedence amongst the reference documents;
- Application of the reference documents to different audit situations;
- Understand the order of precedence of the reference documents to different
  situations.

C.3.1.4 Understanding of Organizational Situations

Understanding of organizational situations is necessary in order to comprehend the
organization's operational environment. It may include the following:

- Organizational structure, functions, and interrelationships;
- Site specific contract, laws, regulations and related documents bearing on such
  situations as labour, workplace safety, and working conditions;
- General business process and related terminology;
- Site cultural and social norms.

C.3.1.5 Sector Specific Knowledge

Sector specific knowledge is necessary to enable the auditor to understand the application
of quality within particular business, industry, or economic sector, business, government
and service sectors. Knowledge of the following may be required:

- Legal and regulatory requirements affecting the audit;
- Typical and customary sector accepted processes and practices;
- Sector-specific terminology.

ANNEX D GLOSSARY OF TERMS AND DEFINITIONS
(Informative)

This Glossary is intended to explain the terms used in this document which are specific to
auditing, in order to augment and summarize the application of the term in the text.

Terms from ISO 8402 have been included where relevant; however, terms used in this
document may have a broader application in an audit context than the definition given in
ISO 8402 as applicable to ISO 9000.

Audit (quality) (ISO 8402, 4.9)  Systematic and independent examination to determine
whether quality activities and related results comply with planned arrangements and
whether these arrangements are implemented effectively and are suitable to achieve
objectives.

NOTES:

1. The quality audit typically applies to, but is not limited to, a quality system or elements thereof,
to processes, to products or to services. Such audits are often called ‘quality system audit’,
‘process quality audit’, ‘product quality audit’ or ‘service quality audit’.
2. Quality audits are carried out by staff not having direct responsibility in the areas being audited
but, preferably, working in cooperation with the relevant personnel.
3. One purpose of a quality audit is to evaluate the need for improvement or corrective action. An
audit should not be confused with quality surveillance or inspection activities performed for
the purposes of process control or product acceptance.
4. Quality audits can be conducted for internal or external purposes.

Quality system (8402, 3.6)  Organizational structure, procedures, processes and
resources needed to implement quality management.

NOTES:

1. The quality system should be as comprehensive as needed to meet the quality objectives.
2. The quality system of an organization is designed primarily to satisfy the internal managerial needs of
the organization. It is broader than the requirements of a particular customer, who evaluates only
the relevant parts of the quality system.
3. For contractual or mandatory quality assessment purposes, demonstration of the implementation of
identified quality system elements may be required.

Quality evaluation (8402, 4.6)

Systematic examination of the extent to which an entity is capable of fulfilling specified
requirements.

Notes: A quality evaluation may be used to determine supplier quality capability. In this
case, depending on specific circumstances, the result of quality evaluation may be used for
qualification, approval, registration, certification or accreditation purposes.

An additional qualifier may be used with the term ‘quality evaluation’ depending on the
scope (e.g. process, personnel, system), and timing (e.g. precontract) of the quality evaluation,
such as ‘precontract process quality evaluation’.

An overall supplier quality evaluation also may include an appraisal of financial and
technical resources.

In English, quality evaluation is sometimes called ‘quality assessment’, ‘quality appraisal’
or ‘quality survey’ in specific circumstances.

Quality audit observation (8402, 4.10)

Statement of fact made during a quality audit and substantiated by objective evidence.

Audit findings  Results of the evaluation of the collected audit evidence compared
against the agreed audit criteria, and which provide the basis for the audit report.

Alternative (or audit conclusion?) Statement after evaluation of the collected evidence compared
against the agreed requirements, and which provides the basis for the audit report.

Audit method systematic way of performing an audit.

Audit resources personnel, material, documents, financial means and facilities provided for
an audit.

Audit scope the boundaries of the audit.

Audit technique practical, technical elaboration and facilitation of a method.

Auditor competence ability of an auditor to apply knowledge and skill to an audit task or
assignment (see also definition, Clause 1.3.5).

Depth degree of detail in the auditing of an element.

Effectiveness meeting objectives.

Efficiency meeting objectives with the optimal (least) use of resources.

Evaluation identification and comparison of results to determine whether the entity is
capable of fulfilling specified requirements.

Focus relative significance of an audit element.

Follow-up activities related to an audit after the audit report is submitted and the audit
completed, as determined by the client.

Level of confidence degree of trust and reliance on the audit result.

Managing audits coordinated activities to establish a series of audits in order to implement a
policy and to achieve objectives.

Nonconformity non-fulfillment of specified requirement.

Objective desired outcome.

Outcome actual result of an activity or process.

On-site auditing activities normally performed at the location of the auditee.

Process audit audit of a set of activities that transform inputs (resources) into specified
outputs.

Product audit audit of the result (output) of a process.
