Professional Documents
Culture Documents
04
AU D I T P R O C E S S B A S E D
ON ISO 19011: 2018
GUIDELINES
COURSE OBJECTIVES
KNOWLEDGE SKILLS
With reference to Plan-Do-Check-Act cycle, Plan, conduct, report and follow-up an
explain the process-based quality internal audit of part of Quality Management
management system model for ISO 9001, System based on ISO 9001, and in
and the role internal audit in the maintenance accordance with ISO 19011
and improvement of quality management
systems.
Explain the role and responsibilities of an
auditor to plan, conduct, report and follow up
an internal quality management system audit,
in accordance with ISO 1901.
What is an audit?
1
4/8/2022
Types of audits
External
Main Characteristics
246
© - Copyright Bureau Veritas ISO 9001: 2015 | INTERNAL AUDITOR 246
The Actors
Expert Person who provides specific knowledge or expertise to the audit team
247
© - Copyright Bureau Veritas ISO 9001: 2015 | INTERNAL AUDITOR 247
2
4/8/2022
Types of auditors
Internal Auditors
Employed by individual companies to investigate and
appraise the effectiveness of company operations for
management.
Reports directly to the president or board
• their existence and work may affect the nature, timing and
extent of audit procedures;
• external auditors may use them to provide direct
assistance in audit.
248
© - Copyright Bureau Veritas ISO 9001: 2015 | INTERNAL AUDITOR 248
Types of auditors
External Auditors
Otherwise known as Independent auditors
249
© - Copyright Bureau Veritas ISO 9001: 2015 | INTERNAL AUDITOR 249
Principles of Auditing
1 integrity
2 fair presentation
4 confidentiality
5 independence
6 evidenced-based approach
7 risk-based approach
3
4/8/2022
Principles of Auditing
Principles of Auditing
1. integrity
the foundation of professionalism
Principles of Auditing
2. fair presentation
the obligation to report truthfully and
accurately
Audit findings, audit conclusions and audit
reports should reflect truthfully and accurately
the audit activities.
Significant obstacles encountered during the
audit and unresolved diverging opinions
between the audit team and the auditee
should be reported.
The communication should be truthful,
accurate, objective, timely, clear and
complete
4
4/8/2022
Principles of Auditing
Principles of Auditing
4. confidentiality
security of information
Auditors should exercise discretion in the use
and protection of information acquired in the
course of their duties.
Audit information should not be used
inappropriately for personal gain by the
auditor or the audit client, or in a manner
detrimental to the legitimate interests of the
auditee.
This concept includes the proper handling of
sensitive or confidential information.
Principles of Auditing
5. independence
the basis for the impartiality of the audit and
objectivity of the audit conclusions
Auditors should be independent of the activity
being audited wherever practicable, and
should in all cases act in a manner that is free
from bias and conflict of interest.
For internal audits, auditors should be
independent from the function being audited if
practicable.
Auditors should maintain objectivity
throughout the audit process to ensure that
the audit findings and conclusions are based
only on the audit evidence.
5
4/8/2022
Principles of Auditing
6. evidence-based approach
the rational method for reaching reliable and
reproducible audit conclusions in a
systematic audit process
Audit evidence should be verifiable. It should
in general be based on samples of the
information available, since an audit is
conducted during a finite period of time and
with finite resources.
An appropriate use of sampling should be
applied, since this is closely related to the
confidence that can be placed in the audit
conclusions.
Principles of Auditing
7. risk-based approach
an audit approach that considers risks and
opportunities
The risk-based approach should
substantively influence the:
planning,
conducting and
5 MANAGING AN
5.3 Determining and evaluating AUDIT PROGRAMME
5.7 Reviewing and improving
audit programme risks and
audit programme
opportunities
6.3 Preparing audit activities 6.4 Conducting audit activities 6.7 Conducting audit follow-up
6
4/8/2022
6.3 Preparing audit activities 6.4 Conducting audit activities 6.7 Conducting audit follow-up
6. Conducting an audit
6.2 Initiating an audit
communication channels;
authority to conduct the audit;
audit objectives, scope, criteria, methods and audit team composition,
including any technical experts;
confidential information, arrangements for audit schedule and
audit locations specific arrangement
team leader
attendance
other issues that may affect the conduct of the audit
7
4/8/2022
6. Conducting an audit
6.2 Initiating an audit
6.3 Preparing audit activities 6.4 Conducting audit activities 6.7 Conducting audit follow-up
6. Conducting an audit
6.3 Preparing audit activities
6.3.1 6.3.4
Performing 6.3.3 Preparing
6.3.2
review of Assigning work documented
documented Audit planning
to audit team information for
information audit
8
4/8/2022
6. Conducting an audit
6.3 Preparing audit activities
6.3.4
6.3.1 6.3.3
Performing review 6.3.2 Preparing
of documented Assigning work to documented
Audit planning
information audit team information for
audit
• management system
documents and records,
• previous audit reports
6. Conducting an audit
6.3.1 Performing review of documented information
6. Conducting an audit
6.3 Preparing audit activities
6.3.4
6.3.1 6.3.3
Performing review 6.3.2 Preparing
of documented Assigning work to documented
Audit planning
information audit team information for
audit
• management system • to facilitate the efficient
documents and records, scheduling and
• previous audit reports coordination of the audit
activities in order to
achieve the objectives
effectively
9
4/8/2022
6. Conducting an audit
6.3.2 Audit planning
audit method,
establish audit
familiarize physical language of the audit,
objective, identify
and virtual location, risk and opportunities
audit scope and
processes related to the activity
criteria
to be audited
6. Conducting an audit
6.3.2 Audit planning
audit plan:
scope
criteria
dates and duration
audit team
detailed timetable
audit team
requirements
remember to cover
shifts
10
4/8/2022
6. Conducting an audit
6.3 Preparing audit activities
6.3.4
6.3.1 6.3.3
Performing review 6.3.2 Preparing
of documented Assigning work to documented
Audit planning
information audit team information for
audit
• management system • to facilitate the efficient • to assign to each team
documents and records, scheduling and member responsibility for
• previous audit reports coordination of the audit auditing specific
activities in order to processes, activities,
achieve the objectives functions or locations
effectively and, as appropriate,
authority for decision-
making.
Assigning auditors
Audit assignments should respect the independence of auditors and the effective use of
resources
1
(e.g. objectives, scope, criteria)
3. Depending on the
auditor
(e.g conflicts of interest,
availability, etc.)
3 2 2. Based on the
audit team
08/04/2022 330
© - Copyright Bureau Veritas ISO 9001: 2015 | INTERNAL AUDITOR 330
Main Characteristics
331
© - Copyright Bureau Veritas ISO 9001: 2015 | INTERNAL AUDITOR 331
11
4/8/2022
6. Conducting an audit
6.3 Preparing audit activities
6.3.4
6.3.1 6.3.3
Performing review 6.3.2 Preparing
of documented Assigning work to documented
Audit planning
information audit team information for
audit
• management system • to facilitate the efficient • to assign to each team • to guide the auditor to
documents and records, scheduling and member responsibility for address adequate
• previous audit reports coordination of the audit auditing specific elements of the
activities in order to processes, activities, management system
achieve the objectives functions or locations when obtaining objective
effectively and, as appropriate, evidence to determine
authority for decision- conformance to the
making. criteria.
6. Conducting an audit
6.3.4 Preparing documented information for audit
6. Conducting an audit
6.4 Conducting audit activities
Identifying and
Conducting the Preparing audit
recording audit
closing meeting conclusions
findings
Effectiveness of
Cause analysis of
Audit Report correction and
nonconformity corrective action
12
4/8/2022
6. Conducting an audit
6.4 Conducting audit activities
Identifying and
Conducting the Preparing audit
recording audit
closing meeting conclusions
findings
Effectiveness of
Cause analysis of
Audit Report correction and
nonconformity
corrective action
Approach to Audit
Approach to Audit
13
4/8/2022
Approach to Audit
Approach to Audit
Communications Process
Sender
encodes
Message
Recipient
decodes
Feedback and
interprets
Approach to Audit
Physical
Intellectual
Psychological
14
4/8/2022
Approach to Audit
Approach to Audit
Body Language
Interviewing technique
15
4/8/2022
Approach to Audit
Faking attention
Pre-occupation
Over-reaction
Interrupting the speaker ¡NO!
Listening without looking
Listening only to what we want to hear
Using listening time to collect the thought
6. Conducting an audit
6.4 Conducting audit activities
6.4.3 Conducting opening meeting
opening meeting provide a short explanation
of how the audit activities will be undertaken.
purpose of the opening meeting is:
confirm the agreement of all participants (e.g.
auditee, audit team) to the audit plan;
introduce the audit team and their roles;
6. Conducting an audit
6.4 Conducting audit activities
6.4.3 Conducting opening meeting
small organizations – communicating that an
audit is being conducted and explaining the
nature of the audit.
others - formal and records of attendance
should be retained
opportunity to ask questions
16
4/8/2022
6. Conducting an audit
6.4 Conducting audit activities
opening meeting agenda
• of the participants • to manage risks to the • audit objectives, scope and • method of reporting audit
(observers, guides, organization which may criteria findings (criteria for
interpreters, and an outline result from the presence of • audit plan grading, if any)
of their roles the audit team members. • formal communication • conditions under which the
channels (audit team and audit may be terminated
auditee) • how to deal with possible
• language to be used findings during the audit
• auditee being kept • any system for feedback on
informed of audit progress findings or conclusions of
during the audit the audit
• availability of resources
and facilities
• matters relating to
confidentiality and
information security
• access to: health and
safety, security, emergency,
etc.
• activities on site that can
impact the conduct of the
audit
6. Conducting an audit
6.4 Conducting audit activities
Identifying and
Conducting the Preparing audit
recording audit
closing meeting conclusions
findings
Effectiveness of
Cause analysis of
Audit Report correction and
nonconformity
corrective action
6. Conducting an audit
6.4 Conducting audit activities
6.4.4 Communication during audit
audit team should confer periodically to
exchange information, assess audit progress
and reassign work between the audit team
members, as needed.
audit team leader should periodically
communicate the progress, any significant
findings and any concerns to the auditee and
audit client, as appropriate.
evidence collected during the audit that
suggests an immediate and significant risk
should be reported without delay to the auditee
and, as appropriate, to the audit client.
any concern about an issue outside the audit
scope should be noted and reported to the
audit team leader, for possible communication
to the audit client and auditee.
© - Copyright Bureau Veritas ISO 9001: 2015 | INTERNAL AUDITOR 357
17
4/8/2022
6. Conducting an audit
6.4 Conducting audit activities
Guides and observers may accompany the audit team with approvals
from;
the audit team leader,
audit client and/or
auditee, if required
Guides responsibilities should include the following:
assisting the auditors in identifying individuals to participate in
interviews and confirming timings and locations;
arranging the rules are known and respected by the audit team
members and observers and any risks are addressed;
witnessing the audit on behalf of the auditee, when appropriate;
providing clarification or assisting in collecting information, when
needed.
Guides and observers should not influence or interfere with the conduct of the audit.
6. Conducting an audit
6.4 Conducting audit activities
Identifying and
Conducting the Preparing audit
recording audit
closing meeting conclusions
findings
Effectiveness of
Cause analysis of
Audit Report correction and
nonconformity
corrective action
6. Conducting an audit
6.4 Conducting audit activities
18
4/8/2022
6. Conducting an audit
6.4 Conducting audit activities
6.4.7 Collecting and verifying information
Methods of collecting information include, but not
limited to the following:
interviews
observations
review of documented information
INFORMATION based on scope and complexity of the
audit.
Interviewing Technique
interviews are not interrogations
ask questions in conversational manner
weave questions into general conversation
do not cross question
avoid question answer exercise
19
4/8/2022
Interview Tips
Questioning techniques
20
4/8/2022
Questioning techniques
Close questions
Open questions
Clarifying questions
Observations
Observation.
Auditor’s Proverb: “Seeing is believing”
Visit the field! See the 'real world'!!!
What to look for:
► emergency exits
actual operations
► fire fighting equipment
housekeeping
► communications postings
barriers and guards
► signage
behaviour
► awareness reminders
adherence to PPE requirements
► calibration tags
communication routes
► infrastructure
evacuation routes
Document Review
IMS manual
procedures
work instructions
other documents
records
21
4/8/2022
Document review
Should inform audit team leader if documents cannot be provided within the time frame
Performing an Audit
► to assist memory
► to ensure covering all issues and control points
► to ensure depth and continuity of the audit
► help in time management
► organise note taking
► part of audit report
Performing an Audit
22
4/8/2022
Performing an Audit
Audit Trail
Audit trail
23
4/8/2022
Do not:
►Be side-tracked
Do
►Be prepared
►Be punctual
►Avoid misunderstandings
Be aware of:
►Aggressive auditees
►Timid auditees
►Missing people
►Missing documents
►Special cases
►Emotional blackmail
24
4/8/2022
Performing an Audit
Time management
What is nonconformity?
‘non-fulfilment of a requirements’
25
4/8/2022
WIRITING NONCONFORMITY
AUDIT EVIDENCE - to support auditor findings (What is seen during the audit)
Example:
Non-conformance and
Corrective Action
Request Form
Factual
Precise
Objective
Traceable
Concise
Will someone else be able to trace back and find the same
evidence you found, based on what you wrote?
26
4/8/2022
EXERCISE
27
4/8/2022
AUDIT SCENARIO
AUDIT SITUATION 1
You are auditing an electronic component manufacturer. They have a process for dealing with customer
complaints that require them to investigate and take corrective action.
Documented information (records) show that several customers have recently complained about faulty
components being delivered. The customers returned the faulty components to the organisation. The
organisation then repaired them and returned them back to their customers.
Documented information (records) show that an investigation report found the cause to be that two new
employees were undergoing training and had been assigned to tasks where they should have been
supervised. Due to staff shortages however, no supervision was provided.
Following the investigation, records show their training had been completed and the employees were
assessed as being competent.
There was no evidence of any further investigation or corrective action being carried out and the report had
been closed.
AUDIT SCENARIO
NONCONFORMITY REPORT 1(1)
Nonconformity
Description of Nonconformity
Corrective action has not been implemented effectively to evaluate the need for action to eliminate the cause(s) of the nonconformity,
in order that it does not recur or occur elsewhere and to review the effectiveness of any corrective action taken.
Evidence
Two new employees in the inspection department had been deployed without adequate supervision before they were assessed as
being fully competent. This resulted in faulty components being delivered to customers followed by a series of customer complaints.
Although they were subsequently trained and assessed as being competent, no corrective action was implemented to prevent a
recurrence of personnel being deployed unsupervised, prior to them being assessed as fully competent.
10.2.1 When a nonconformity occurs, including any arising from complaints, the organisation shall:
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing and analysing the nonconformity
2) determining the causes of the nonconformity
3) determining if similar nonconformities exist, or could potentially occur
AUDIT SCENARIO
NONCONFORMITY REPORT 1(2)
Nonconformity
Description of Nonconformity
The organisation has failed to provide the persons necessary for the effective implementation of its QMS and the operation of
its processes.
Evidence
Two new employees in the inspection department had been deployed without adequate supervision before they were
assessed as being fully competent. This resulted in faulty components being delivered to customers, followed by a series of
customer complaints. Although they were subsequently trained and assessed as being competent, no corrective action was
implemented to prevent a recurrence of personnel being deployed unsupervised, prior to them being assessed as fully
competent.
ISO 9001:2015 clause and requirement:
7.1.2 The organisation shall determine and provide the persons necessary for the effective implementation of its QMS and for
the operation and control of its processes.
28
4/8/2022
Auditor Auditee
Identify, note
and communicate Agreement
Acknowledge
Prepare
Prepare NCR
NCR
and investigate
Explain Cause/Propose
Agreement
Corrective Action
Review Implement,
effectiveness verify and notify
NON-CONFORMITY REPORTS
COMMUNICATING FINDINGS OF NONCONFORMANCE
Do not view non-conformance in a negative way. This is NOT like a speeding fine. It is NOT a
punishment.
29
4/8/2022
Auditors should:
►apply professional judgement during the audit process
and;
►avoid concentrating on the specific requirements of each
clause of the standard at the expense of achieving the
intended outcome of the management system,
especially in auditing the organization’s approach to
determination of risks and opportunities.
AUDIT MANAGEMENT
CLOSING MEETING AGENDA
Report the
Thank the auditee and Recap reason, scope Review audit plan and
observations, positive
reintroduce the team & criteria methods
& negative
Recommendation Follow-up
Ref:ISO 19011-6.4.9
30
4/8/2022
Audit scope
Audit criteria
Audit conclusions
AUDIT REPORT
reviews the:
►corrections,
►corrective actions
31
4/8/2022
32
4/8/2022
Audit Follow-up
33
4/8/2022
AUDIT FOLLOW-UP
FOLLOW-UP ACTION
►At agreed time
►Photographs
►Videos
AUDIT FOLLOW-UP
34
4/8/2022
PERCEPTIVE
• i.e. aware of and able to understand
situations;
• i.e. able to act responsibly and ethically, even though these actions may
ABLE TO ACT WITH FORTITUDE not always be popular and may sometimes result in disagreement or
confrontation;
CULTURALLY SENSITIVE • i.e. observant and respectful to the culture of the auditee;
• i.e. effectively interacting with others, including audit team members and
COLLABORATIVE the auditee’s personnel.
35