Welcome to your CQI and IRCA Certified QMS Auditor / Lead Auditor Training Course
TÜV NORD CERT GmbH has been independently assessed and approved by the CQI and IRCA. This means they
have the processes and systems in place to deliver certified courses to the highest standard.
The CQI leads the quality profession and is dedicated to promoting excellence through the key competencies of
Governance, Assurance and Improvement.
We hope you enjoy your course.
Today, auditing is recognized as an extremely powerful technique that may be used by managers alongside other
management techniques to ensure adequacy of operations and assist in the achievement of objectives.
Auditing is no longer confined to financial operations, in relation to which it is an accepted and respected practice
the need for which is well understood and demanded in senior management circles. With the explosion of interest
in Quality Improvement throughout the world, auditing has received much attention as a means of ensuring that
plans and systems for the achievement of customer satisfaction are being followed and are fully effective. In
addition, the increasing legal requirements that must be met by organizations and individuals have resulted in the
setting up of regulatory authorities who need to establish if such legal obligations are being met. The approach
adopted to gain this information is to use audit techniques, basically similar to those adopted by those with an
interest in Quality Improvement.
There is therefore a need to ensure that when auditing is required, for whatever purpose, those delegated the task
are adequately equipped by way of training in the tools and techniques necessary to perform audits in a fully
satisfactory manner. Audits need to be conducted efficiently and effectively to gain information in the least
disruptive manner to those subject to audit activity. It is also necessary to ensure that those who are to undertake
such a task are the "right type of person" capable of seeking out the information in a manner that is fully acceptable
to those under scrutiny, without causing antagonism or ill feeling, and fostering a culture of partnership and
no blame.
We hope you enjoy the course, even though it will require a good deal of hard work on your part. Our trainers have
been selected for their experience and ability to impart knowledge to others. You are in capable hands. We wish
you every success and look forward to seeing you on our other training courses.
CONTENTS
SECTION 0:
ISSUE SURVEY
SECTION 1
INTRODUCTION
IRCA & the Auditor Certification Scheme
Requirements for certification.
SECTION 2
AN OVERVIEW OF QUALITY MANAGEMENT
What Is Quality?
Managing For Quality
What Is Quality Assurance?
The Evolution Of Quality Management Systems
An Overview Of The ISO 9000 Series
Background To ISO 9001
What Is Annex SL?
SECTION 3
THE REQUIREMENTS OF ISO 9001
An Overview Of ISO 9001 Requirements
Clause 4 - Context Of The Organization
Clause 5 - Leadership
Clause 6 - Planning
Clause 7 - Support
Clause 8 - Operation
Clause 9 - Performance Evaluation
Clause 10 - Improvement
SECTION 4:
QUALITY AUDITING
What Is An Audit & Why Are Audits Necessary?
The Audit Process
Audit Methods.
Human Interaction
No Human Interaction
Auditing In Relation To The "Process Approach"
Auditor Competence
SECTION 5:
THE ASSESSMENT PROCESS
An Overview
Initial Contact
Pre-Assessment Visits
Review Of Documentation Maintained:
Initial Preparation
Development Of The Assessment Schedule
Communication
Detailed Planning
The On-Site Assessment
The Opening Meeting
Audit Conduct
Evaluating Results
The Closing Meeting:
Formal Report
Corrective Action
Follow-Up And Surveillance Visits
SECTION 6:
AUDIT TOOLS & TECHNIQUES
Detailed Planning & Check List Development
Searching For Evidence
Conducting Interviews And Asking Questions
Questioning Techniques:
Audit Etiquette:
Auditor And Auditee Tactics
Recording The Results
SECTION 7:
EXAMPLES & WORK SHEETS
Example Audit Check List
A Typical QMS Information Document/S, Front Sheet, Contents And Procedural Section
Check List Development To Include:
An Example Of A Completed Non-Conformity Report
IRCA Registration
For delegates wishing to register as an Auditor or Lead Auditor with IRCA there are some important requirements
that should be noted:
Following successful completion of this course delegates may apply to become registered as an Auditor or Lead
Auditor with IRCA. This will require the submission to IRCA of the necessary documentary evidence of education,
work experience, audit experience etc., and in addition evidence of satisfactory training, including documentary
evidence of successful completion of this course in the form of a copy of the certificate issued.
In each case the application must be made within 5 years of completion of the training course (final day of
course and not the day when the examination was passed).
Delegates who successfully complete this course will be issued with a TNC numbered certificate which bears the
CQI and IRCA logo and clearly states the course certification number 18034, and indicates that the delegate has
passed the examination.
Delegates who fail to reach the necessary standard will be issued with a certificate of course attendance which will
not carry such details. Delegates who have failed to achieve the minimum pass mark in the examination will be
permitted to re-sit the examination on one occasion only which must be within twelve months of the original course
attended and with the original course provider.
Right of Appeal:
The CQI and IRCA has introduced the “Online Exams: Appeals Policy and Process”, which you will find incorporated in
the document “CQI and IRCA online exams: Learner Guide”.
Quality management can include establishing quality policies and quality objectives and
processes to achieve these quality objectives through quality planning, quality assurance,
quality control and quality improvement.
Quality Objective
Objectives related to quality.
Quality objectives are generally based on the organization's quality policy.
Quality objectives are generally specified for relevant functions, levels and processes in the
organization.
Quality Policy
Intentions and directions of an organization as formally expressed by its top management.
SECTION 0:
ISSUE SURVEY
SECTION 1
INTRODUCTION
It is in the interests of both Accreditation Bodies and Third Parties, and indeed society in general, that those
carrying out assessment activities involving the auditing of management systems are properly qualified. It was to
this end that the U.K. Institute of Quality Assurance set up a scheme for the training and certification of auditors.
This scheme has been an international success and has been paralleled in many parts of the world. (The IQA has
now become the Chartered Quality Institute - CQI)
The International Register of Certificated Auditors (IRCA) is the major international controlling body for auditors and
auditor training organizations.
It was originally set up by the U.K. Institute of Quality Assurance in the form of
the Registration Board of Assessors (RBA) in 1984, and now operates independently of the CQI with a Governing
Board comprising members representing a broad range of industry user group interests.
IRCA does not restrict its scope to the auditing of Quality Management Systems, and now embraces other
management systems including Health & Safety, Environmental Management and Food Safety Management.
The Certification Scheme operates for the qualification and certification of Auditors engaged primarily in the
auditing of quality management systems. They may be engaged in undertaking audits within their own organization
or acting either for purchasing organizations conducting second party assessments, or within independent
certification bodies and similar organizations conducting third party assessments, provided they are applying
nationally or internationally recognized standards, for quality and related management systems.
The Scheme is administered by the IRCA. Membership of the CQI is not a requirement for certification.
The Scheme is limited to establishing the competence, proficiency and integrity of those certified to conduct audits
of management systems, and where applicable to control and co-ordinate the assessment work undertaken by a
team under their leadership, and also the training they receive in audit and assessment practice and techniques. It
does not attempt to determine the suitability or capability of personnel to undertake specialized technical audits.
Where a product or service is highly specialized, or where stringent safety or statutory requirements, environmental
problems or national or commercial security considerations are involved, audit / assessment organizations may
wish to add their own specific criteria.
To become certificated as an Internal Auditor, Provisional Auditor, Lead Auditor or Principal Auditor various criteria
need to be met, the details of which may be obtained by application to the IRCA. In summary it involves a formal
submission demonstrating the suitability of an applicant in relation to:
Applicants must have also successfully completed a training course certificated with IRCA.
Participants may apply to become certificated as an Internal Auditor, Provisional Auditor, Lead Auditor or Principal
Auditor following successful completion of the appropriate course and submission of necessary documentary
evidence of education, work experience, audit experience etc. In each case the application must be made within 5
years of successful completion of the training course and is subject to a five yearly re-certification requiring
evidence of audit activities and an applicant's "Continuing Professional Development" (a planned programme of
personal development in knowledge, skills and application). For full details of the IRCA Auditor Certification scheme
together with the requirements for "Continuing Professional Development" contact:-
SECTION 2
What Is Quality?
The word "Quality" is a non-specific term which has no meaning until it is translated into the various features and
characteristics of a product and/or service all of which may then be specified in the form of a standard or level of
service.
Customers will judge the quality of what they buy by how their needs and expectations are satisfied by these
features and characteristics, including the price they have to pay.
In practice therefore "Quality" is about customer satisfaction. Quality is not about providing 'high' standards of
product and/or service, but about providing the 'right' standard to attract and retain customers.
If we are trying to provide [good] quality then it is necessary to first identify who our target customers are, and then
determine what features and characteristics need to be exhibited by our product and/or service together with the
necessary standards that will act as a 'magnet' to attract them to buy from us.
Any product or service can be described using specific terms relating to its performance requirements, reliability,
safety, colour, taste, feel, smell etc., all of which may be detailed in formal specifications and against which the
product and/or service may then be objectively judged.
The term 'Quality' should not be confused with the "standard" of a service and/or product. It is possible for
organizations to provide a good quality product or service, but at different standards.
Hotels are a very good example where it is easy to see hotels providing a service of varying standards which do
however provide a 'quality' service in relation to their target customers.
Once we have fully identified the needs or requirements of the customer we must then provide a formal definition or
specification of these needs or requirements written in the language of our own organization.
Quality Management
The means by which an organization manages its activities to achieve its quality objectives.
We must determine suitable processes (activities) that will ensure that we provide a product or service that does
ultimately meet the specification and in turn the customer needs or requirements.
This will require an extensive period of (quality) planning following which we will have identified the various actions
and associated checks that need to be performed.
The planning output will be a whole series of instructions, resource requirements and associated responsibilities
that when implemented will deliver the required product or service.
Once the plans have been communicated and the processes set in motion it will then be necessary to ensure that
the plans are followed exactly and continuously. We need to exercise managerial control over the processes.
Quality Assurance involves the application of quality systems, in the form of written procedures, coupled with
specific (and necessary) quality control checks, all designed to ensure that products and/or services meet defined
specifications and satisfy customer expectations. It also involves periodic checks to verify that the systems and
associated quality controls are all being applied and are effective.
Quality Assurance
The means of providing confidence that quality requirements will be met.
The assurance of "Quality" is required by customers and an organization's own management. It is also sometimes
required by a regulatory authority. Each of these needs to have the confidence of knowing that the organization is
managing its activities in an effective way and that the products and/or services will meet the specified
requirements. Evidence of formal quality management systems and associated quality control actions, together with
a self-monitoring mechanism to ensure that it is all being used and is effective, is required to provide visibility of
process management.
As per the requirements determined, we plan the processes (P), execute the processes (D), measure the processes
against the objectives/requirements (C), and act depending upon achievement (A).
Many organizations recognize the importance of re-planning periodically in order to plan to do things better in the
future than they have done in the past, and hence they talk in terms of a 'PDCA' spiral of continuous improvement.
Current quality (management) system standards can be traced back to a common parent in the form of standards
used in the 1950s in the United States.
However, over the years many thoughts and experiences have been incorporated to provide the current range of
National and International standards.
Interest in Quality Systems developed to such an extent that in 1987 the International Organization for
Standardization, based in Geneva - Switzerland, published a series of Quality System models to enable the World
community to standardize on a common set of Quality System requirements and thus facilitate the removal of trade
barriers based on lack of compatibility (or understanding) of various national Quality System documents. These
became known as the ISO 9000 series.
Many National standards organizations chose to replace the wording of their previous standards with that of the
ISO 9000 series (as intended by ISO), and reissue in line with ISO. For example, the UK revised and re-issued its
quality system standards as the BS 5750 series.
A similar policy was adopted in the U.S.A. with the ANSI 90 Series, in Singapore with SS308 and in most other
industrially active nations. In moves towards harmonization of European Standards, CEN (Comité Européen de
Normalisation) adopted the ISO 9000 Series in 1987 as the European Norm, EN 29000 series.
The International Organization for Standardization has a policy that standards should be revised approximately
every four to five years.
In parallel with this drive towards the use of internationally harmonized Quality Systems there has developed the
growth in “Assessment” of an organization's ability to put into practice the disciplines of such systems.
Initially, major procurement authorities decided that suppliers must adopt a formalized system, with the requirement
that the suppliers must submit to in-depth evaluation by the purchaser to establish if all the necessary disciplines
were in place and being effectively implemented.
This led in turn to the setting up of sub-sections of such purchasing authorities solely for the purpose of
conducting these evaluation activities, later to be termed “Assessments”.
In order to verify a company’s adoption of ISO 9001 disciplines it is necessary for a formal assessment to be
undertaken by an independent and authorized body, i.e. a third party assessment.
The worldwide interest in the ISO 9000 series, together with the increasing use of such by the European
Community has increased worldwide interest in, and stimulated the need for third party assessment on a worldwide
scale.
The basic concept that an assessment carried out by an authorized organization in Singapore shall be acceptable
to a purchaser in the Netherlands is sound and sensible, but for this to be the case a scheme acceptable to all and
administered to a common standard is necessary.
Many national governments actively encourage their industries to adopt sound Quality Management practices, and
actively promote the setting up of schemes to assist registration of a company to ISO 9001 following formal
successful assessment of its quality management system by an approved and authorized third party assessment
organization. It has been recognized within the United Nations organization that countries where international
standards are not actively pursued may experience significant disadvantages when attempting to sell their products
into more mature markets, effectively a form of trade barrier.
Such "Third Party" organizations need to satisfy strict requirements for competence and technical ability. Thus they
need to be 'Accredited' to act as an organization competent to undertake assessments of quality systems and grant
formal Certification.
Supported by:
ISO 10012 : Measurement management systems - Requirements for measuring processes and
measurement systems.
An organization can only be assessed and registered to ISO 9001. An organization cannot be assessed against
ISO 9000 or ISO 9004.
ISO 19011 is a very useful guidance document for the planning and conduct of management systems audits,
relating primarily to First and Second Party auditing, however it also has application in relation to Third Party
auditing, when it should be read in conjunction with ISO 17021, Conformity assessment - Requirements for bodies
providing audit and certification of management systems.
An important point to note in relation to the development of ISO 9001 is the much broader involvement of experts
and committee participants drawn into the process of standards development than ever before. This is one of the
reasons why it took a long time to reach agreement on the detailed content of ISO 9001 and the relationship of ISO
9004.
It is a very healthy and encouraging sign that the standard is moving away from the more traditionalist view of
quality management to one that is much more in tune with business activities and the need to make a profit.
The standard continues to use the title “Quality Management Systems” rather than the much more appropriate term
“Management System”.
ISO 9001 together with its ‘partner’ standard ISO 9004 focus on and make use of what are described in ISO 9000
as “seven quality management principles”, and which bear a striking similarity to the characteristics identified for
those organizations that adopted a Total Quality approach in the 1980s, namely:
Customer Focus
Quality First
Excellence
Long Term View
Investment in Quality
Management Leadership
Culture
Continuous Improvement
Suppliers as Partners
Organized for Processes
Internal customers
Respect for People
It should be noted that what ends up in a standard is only catching up with what has taken place in the world.
Standards do not lead, they follow what is considered to be “best practice”. In this respect what is contained in ISO
9001 is hardly likely to be a revelation to any professional and world class organization, but merely an endorsement
of their approach.
The main purpose of providing the ISO 9000 series of Quality Management System standards is to assist
organizations who might wish to develop, implement and maintain a quality management system which will enable
them to cost effectively meet the needs of customers in a consistent manner.
The current quality management system standards form a complementary set of standards aimed at facilitating
mutual understanding in national and international trade in respect of quality management.
ISO 9000 describes fundamentals of quality management systems and specifies the terminology for quality
management systems.
ISO 9001 specifies requirements for quality management systems for use where an organization’s capability to
provide products that meet customer and applicable regulatory requirements needs to be demonstrated.
ISO 9004 provides guidance on how the use of quality management principles can contribute to the satisfaction of
an organization’s customers and other interested parties, and lead to the sustained success of an organization.
ISO 19011 provides guidance on managing an audit programme, performing an audit and competence and
evaluation of auditors.
The ISO 9000 series of standards do not provide specifications for products or services, and are intended to
provide a generic approach for quality management systems to enable an organization to provide products and/or
services meeting specific customer, company or regulatory requirements. Such generic approaches are applicable
to any industry or economic sector regardless of the product and/or service offered. The requirements for products
and/or services (and in some cases specific associated processes) need to be contained in technical specifications
of some form, product and process specifications, contractual agreements and regulatory requirements.
The intention is that these two standards form a ‘consistent’ pair of quality management system standards
designed to be used together but also suitable for use independently.
The structure of both documents is very similar in order to facilitate combined use, however the intention behind
both standards is possibly clarified by their respective scopes.
ISO 9001 provides a model for a quality system that may be used as a basis for the development of a Quality
System to suit a particular organization's needs. It may be used in a contractual situation between two parties
where the supplier needs to demonstrate a capability to design and supply product.
A reduced "scope" of application of the ISO 9001 requirements to suit an organization's actual operations is
acceptable, providing an organization clearly identifies why certain elements of ISO 9001 are deemed to not be
relevant to that particular organization, and agrees this with the Third Party (Certification Body).
This International Standard does not refer to "exclusions" in relation to the applicability of its requirements to the
organization's quality management system, as was referred to in the 2008 version.
However, an organization can review the applicability of requirements due to the size or complexity of the
organization, the management model it adopts, the range of the organization's activities and the nature of the risks
and opportunities it encounters.
The requirements for applicability are addressed in the standard, which defines conditions under which an organization
can decide that a requirement cannot be applied to any of the processes within the scope of its quality
management system.
The organization can only decide that a requirement is not applicable if its decision will not result in failure to
achieve conformity of products and services.
ISO 9004 is intended to provide guidance on how organizations may make use of the seven quality management
principles to assist with the achievement of their sustained success. It provides a useful 'self-assessment' tool
based around the concept of 'Capability Maturity'.
The process approach involves the systematic definition and management of processes, and their interactions, so
as to achieve the intended results in accordance with the quality policy and strategic direction of the organization.
Management of the processes and the system as a whole can be achieved using the PDCA cycle with an overall
focus on risk-based thinking aimed at taking advantage of opportunities and preventing undesirable results.
The application of the process approach in a quality management system enables:
• understanding and achieving consistency in meeting requirements;
• the consideration of processes in terms of added value;
• the achievement of effective process performance;
• improvement of processes based on evaluation of data and information.
The following figure gives a schematic representation of any process and shows the interaction of its elements.
The monitoring and measuring checkpoints, which are necessary for control, are specific to each process and will
vary depending on the related risks.
Clause 8 of ISO 9001 talks in terms of “Operation” and deals with various aspects of “Product Realization”, and
requires an organization to understand and identify those processes that relate to the provision of its products
and/or services and then exercise full control over them.
In particular the following are identified as some of the “main” or “key” business processes that will need to be so
identified and controlled:
ISO 9000 makes reference to "Seven Quality Management Principles" which are considered to be fundamental to
business success. These principles have been recognized for many years as relating to:
An organization should plan its improvement activities, and the link with the requirements for ‘correction’ and
‘Corrective action’ should provide a powerful motivator for continual improvement in any organization.
Policy Deployment
The management systems standards shall follow the above high level structure.
This will ensure consistency in approach (PDCA) and compatibility of various standards.
The ISO 9001:2015 thus has these clauses with details such as:
SECTION 3
ISO 9001 is based on the Annex SL framework and is also compatible with other standards such as ISO 14001,
to make it easier for those organizations wishing to integrate several management systems.
This may now be regarded as a basic framework for a quality management system, which may be used by an
organization as a basis for developing its own system, incorporating as many elements as seen necessary to
exercise control over business activities.
The following information is not intended to be a complete explanation of the ISO 9001 requirements, but to provide
an overview and highlight the key features. It should be read in conjunction with ISO 9001.
This International Standard is based on the seven quality management principles including process approach as
already described in this handout.
Risk-based thinking:
One key focus in the 2015 revision of ISO 9001 is to establish a systematic approach to risk, rather than treating it
as a single component of a quality management system.
By taking a risk-based approach, an organization becomes proactive rather than purely reactive, preventing or
reducing undesired effects and promoting continual improvement. Preventive action is automatic when a
management system is risk-based.
It is also necessary to analyze the opportunities and consider which can or should be acted upon. Both the impact
and the feasibility of taking an opportunity must be considered. After the action is taken, the risks may change and
these must then be reconsidered.
ISO 9001:2015 uses risk-based thinking to achieve this approach in the following way:
Clause 4 (Context): the organization is required to determine the context. The issues which are relevant to its
purpose and strategic direction are to be identified. Note that the issues can be internal or external and, along
the same lines, can have a positive or negative impact.
Clause 5 (Leadership): top management are required to demonstrate commitment by promoting the use of the
process approach and risk-based thinking, and by ensuring that the risks and opportunities are determined and
addressed.
Clause 6 (Planning): the organization is required to determine risks and opportunities that need to be addressed.
Clause 8 (Operation): the organization is required to implement processes and implement actions as determined in
clause 6.
Clause 9 (Performance evaluation): the organization is required to monitor, measure, analyze and evaluate the
effectiveness of actions taken to address risks and opportunities.
Clause 10 (Improvement): the organization is required to improve by responding to changes in risk, to update risks
and opportunities determined during planning, and to determine if there are needs or opportunities to be
addressed for continual improvement.
There is no requirement for the terms used by an organization to be replaced by the terms used in this International
Standard to specify quality management system requirements.
Organizations can choose to use terms which suit their operations (e.g. using "records", "documentation" or
"protocols" rather than "documented information"; or "supplier", "partner" or "vendor" rather than "external
provider").
This International Standard relates to ISO 9000 and ISO 9004 as follows:
ISO 9000 Quality management systems — Fundamentals and vocabulary provides essential background for
the proper understanding and implementation of this International Standard;
The organization is required to monitor and review information about these external and internal issues.
External issues arising from legal, technological, competitive, market, cultural, social and economic environments,
etc. can be picked up.
Internal issues arising from values, culture, knowledge, performance of the organization, etc. can be picked up.
The organization is required to determine the relevant interested parties and their requirements.
The organization is required to monitor and review information about these interested parties and their relevant
requirements.
It is for the organization to decide if a particular requirement of a relevant interested party is relevant to its quality
management system.
The organization has to apply all the applicable requirements within the determined scope of its quality
management system.
The scope is to be available and maintained as documented information and is required to state the types of
products and services covered.
The organization has to provide justification for any requirement of this International Standard that it
determines as not applicable.
The requirement then continues with the need for the organization to determine the processes involved within its
system and to exercise effective managerial control over them in accordance with the requirements of the standard.
Thus, implementing the process approach is indicated, and specific mention is also made of the need to:
• determine the resources needed for these processes and ensure their availability;
• assign the responsibilities and authorities for these processes;
• address the risks and opportunities as determined.
The organization is expected to:
• maintain documented information to support the operation of its processes;
• retain documented information to have confidence that the processes are being carried out as planned.
Clause 5 - Leadership
The standard expects top management to take accountability for the effectiveness of the quality management
system. Management is required to lead from the front and is given various responsibilities, including the
following. It has to:
ensure that the quality policy and quality objectives are established and are compatible with the context and
strategic direction of the organization;
ensure the integration of the quality management system requirements into the organization's business processes;
ensure that the resources needed for the quality management system are available.
Further, top management is required to engage, direct and support persons to contribute to the effectiveness of
the quality management system, to promote improvement, and to support other relevant management roles to
demonstrate their leadership.
Customer focus
Top management is required to demonstrate leadership and commitment with respect to customer focus by
ensuring that:
customer and applicable legal requirements are determined, understood and consistently met;
the risks and opportunities that can affect conformity of products and services and the ability to enhance
customer satisfaction are determined and addressed;
the focus on enhancing customer satisfaction is maintained.
Policy
Top management is required to establish, implement and maintain a quality policy that:
is appropriate to the purpose and context of the organization and supports its strategic direction;
provides a framework for setting quality objectives;
includes a commitment to satisfy applicable requirements;
includes a commitment to continual improvement of the quality management system.
Clause 6 - Planning
This is required to enhance desirable effects; prevent, or reduce, undesired effects; and achieve improvement.
The organization is required to plan actions to address these risks and opportunities; and also plan how to:
integrate and implement the actions into its quality management system processes
evaluate the effectiveness of these actions.
For taking such actions the potential impact on the conformity of products and services is looked at.
Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing
new clients, building partnerships, using new technology etc.
Documented information is to be maintained on the quality objectives and these objectives have to be consistent
with the quality policy.
Planning of changes
The changes to the quality management system are expected to be carried out in a planned manner.
Clause 7 - Support
Resources
The organization is required to determine and provide the resources needed for the quality management
system.
For determining and providing resources, it is required to consider the existing internal resources and also any
need from external providers.
People
The persons necessary for the effective implementation of the quality management system and for the operation
and control of its processes are the first category of the resources which need to be determined and planned.
Infrastructure
The organization is required to determine, provide and maintain the infrastructure necessary for the operation of its
processes and to achieve conformity of products and services.
These factors can differ substantially depending on the products and services provided.
The resources provided are expected to be suitable for the specific type of monitoring and measurement activities
being undertaken and also are maintained to ensure their continuing fitness for their purpose.
Evidence of fitness for purpose of the monitoring and measurement resources is required to be retained as
documented information.
Measurement traceability
When measurement traceability is a requirement, or is considered essential by the organization, measuring
equipment has to be:
calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to
international or national measurement standards;
when no such standards exist, the basis used for calibration or verification is required to be retained as
documented information;
Such measuring equipment has to be identified to determine its status, and be safeguarded from adjustments,
damage or deterioration that would invalidate the calibration status and subsequent measurement results.
The organization is required to determine if the validity of previous measurement results has been adversely
affected when measuring equipment is found to be unfit, and in such cases is required to take appropriate actions.
Organizational knowledge
The organization is required to determine the knowledge necessary for the operation of its processes and to
achieve conformity of products and services. This knowledge is required to be maintained and be made available to
the extent necessary.
When addressing changing needs and trends, the organization is required to consider its current knowledge and
determine how to acquire or access any necessary additional knowledge and required updates.
Competence:
The organization is expected to:
determine the necessary competence of person(s) doing work under its control that affects the performance
and effectiveness of the quality management system;
ensure that these persons are competent on the basis of appropriate education, training, or experience;
take actions to acquire the necessary competence when needed, and evaluate the effectiveness of the actions
taken;
Awareness:
The organization is required to ensure that persons doing work under the organization's control are aware of the
quality policy; relevant quality objectives, their contribution to the effectiveness of the quality management system,
including the benefits of improved performance; and also the implications of not conforming with the quality
management system requirements.
Communication
The organization is required to determine the internal and external communications relevant to the quality
management system, including:
what to communicate;
when to communicate;
with whom to communicate;
how to communicate;
who communicates.
Documented information
The organization's quality management system is required to include documented information required by this
International Standard as well as the documented information determined by the organization as being necessary
for the effectiveness of the quality management system.
Depending upon the size of the organization, its type of activities, processes, products and services; the complexity
of processes and their interactions; the extent of documented information can differ.
Further, review and approval for suitability and adequacy has to be ensured for all such documented information.
The organization is required to maintain documented information that is required by this International Standard and
also by the organization itself where it considers such documented information necessary to ensure the smooth
functioning of quality management system.
Both these types are required to be controlled.
Such documented information is to be available at the place of use and be suitable for use.
Further, it is to be adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For such documented information, the organization is required to address distribution, access, retrieval and use;
storage and preservation, legibility; retention and disposition.
Also, for all such documented information, changes have to be made in a controlled manner (e.g. version
control).
Then the requirements further extend for the documented information of external origin. It is required that the
organization determines which external documented information needs to be controlled considering the activities of
the organization and the impact due to such documented information.
Having determined this, such documented information is required to be identified as appropriate, and be controlled.
Documented information retained as evidence of conformity is required to be protected from unintended alterations.
Access to documented information can be either a permission to view the documented information only, or the
permission and authority to view and change the documented information.
Clause 8 - Operation
This requirement states that the processes needed to meet the requirements for the provision of products and
services, and those needed to implement the actions in clause 6 (such as those responsible for taking actions to
prevent certain risks), are to be planned, implemented and controlled.
For all such processes, the requirements for the products and services have to be determined, and criteria have to
be established for the processes as well as for the acceptance of products and services.
Further, it is required to determine the resources needed and implement control of the processes in accordance
with the criteria.
The organization is also required to determine, maintain and retain documented information to have confidence that
the processes have been carried out as planned as well as to demonstrate the conformity of products and services
to their requirements.
The output of this planning is required to be suitable for the organization's operations.
The organization is required to control planned changes and review the consequences of unintended changes,
taking action to mitigate any adverse effects, as necessary.
The organization is also required to ensure that outsourced processes are controlled.
Obtaining customer feedback relating to products and services, including customer complaints;
Handling or controlling customer property; and
Establishing specific requirements for contingency actions, when relevant.
Review is also to ensure that contract or order requirements differing from those previously expressed in earlier
communications such as enquiry, minutes, etc. are resolved.
In certain cases where the customer does not provide a documented statement of their requirements, such
requirements are to be confirmed by the organization before acceptance.
The standard also recognizes that in situations, such as internet sales, a formal review is impractical for each order.
Instead, the review can cover relevant product information, such as catalogues or advertising material.
The organization is required to retain documented information, as applicable, on the results of the review and on
any new requirements for the products and services.
The controls to be applied to externally provided processes, products and services need to be determined.
This requirement applies when:
products and services from external providers are intended for incorporation into the organization's own
products and services;
products and services are provided directly to the customer(s) by external providers on behalf of the
organization;
a process, or part of a process, is provided by an external provider as a result of a decision by the organization.
The criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers are to
be determined and applied by the organization based on their ability to provide processes or products and services
in accordance with requirements.
The organization is required to retain documented information of these activities and any necessary actions arising
from the evaluations.
Such externally provided processes shall be within the control of its quality management system.
The controls are to be defined both for the external provider and also for the resulting output.
These controls shall take into consideration the potential impact of the externally provided processes, products and
services and the effectiveness of the controls applied by the external provider.
The organization is required to determine the verification, or other activities, necessary to ensure that the externally
provided processes, products and services meet requirements.
The requirements for the processes, products and services to be provided are to be communicated to the external
providers.
The organization has to communicate to external providers its requirements for the approval of products and
services, methods, processes and equipment, and also for the release of products and services.
Any competence requirements, including any requirements for qualification of persons, are also required to be
communicated.
Further, communication is required on how the external providers can interact with the organization, and on the
methodology to be applied by the organization for control and monitoring of the external providers'
performance.
The verification or validation activities that the organization, or its customer, intends to perform at the external
providers' premises are also to be communicated.
When traceability is a requirement, the organization is required to control the unique identification of the outputs,
and is required to retain the documented information necessary to enable traceability.
Preservation
The organization is required to preserve the outputs during production and service provision, to the extent
necessary to ensure conformity to requirements.
Preservation can include identification, handling, contamination control, packaging, storage, transmission or
transportation, and protection.
Post-delivery activities
The organization is required to meet requirements for post-delivery activities associated with the products and
services.
In determining the extent of post-delivery activities that are required, the
organization is required to consider:
statutory and regulatory requirements;
the potential undesired consequences associated with its products and services;
the nature, use and intended lifetime of its products and services;
customer requirements;
customer feedback.
The post-delivery activities can include actions under warranty provisions, contractual obligations such as
maintenance services, and supplementary services such as recycling or final disposal.
Control of changes
The organization is required to review and control changes for production or service provision, to the extent
necessary to ensure continuing conformity with requirements.
The organization is required to retain documented information describing the results of the review of changes, the
person(s) authorizing the change, and any necessary actions arising from the review.
The organization is required to retain documented information on the release of products and services and this
information is required to include:
a) evidence of conformity with the acceptance criteria;
b) traceability to the person(s) authorizing the release.
This requirement also applies to nonconforming products and services detected after delivery of products, during or
after the provision of services.
The organization shall deal with nonconforming outputs in one or more ways from the following:
correction;
segregation, containment, return or suspension of provision of products and services;
informing the customer;
obtaining authorization for acceptance under concession.
However, when nonconforming outputs are corrected, the description of the nonconformity, the action taken, and any
concessions obtained have to be retained as documented information.
The requirement is also to ensure that when such a product or service is corrected, conformity to requirements is
verified.
The retained documented information has to identify the authority deciding the action in respect of the
nonconformity.
The organization is required to evaluate the performance and the effectiveness of the quality management system
and is required to retain appropriate documented information as evidence of the results.
Determine
what needs to be monitored and measured;
the methods for monitoring, measurement, analysis and evaluation needed to ensure valid results;
when the monitoring and measuring is required to be performed;
when the results from monitoring and measurement are required to be analyzed and evaluated.
Customer satisfaction
The organization is required to monitor customers' perceptions of the degree to which their needs and expectations
have been fulfilled.
The methods for obtaining, monitoring and reviewing this information have to be determined.
Examples of monitoring customer perceptions can include customer surveys, customer feedback on delivered
products and services, meetings with customers, market share analysis, compliments, warranty claims and dealer
reports.
The organization is required to analyze and evaluate appropriate data and information arising from monitoring and
measurement.
Internal audit
The organization is required to conduct internal audits at planned intervals. Conformance of the quality
management system to the organization's own requirements as well as the requirements of this International
Standard is to be verified.
Also, the audits verify that the quality management system is effectively implemented and maintained.
Management review
Top management is required to review the organization's quality management system, at planned intervals.
This is to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the
organization.
Clause 10 - Improvement
Determine and select opportunities for improvement and implement necessary actions to meet customer
requirements and enhance customer satisfaction.
Improvement includes:
Improving products and services;
Addressing future needs and expectations;
Correcting, preventing or reducing undesired effects;
Improving the performance and effectiveness of the quality management system.
Examples of improvement can include correction, corrective action, continual improvement, breakthrough change,
innovation and re-organization.
The organization is expected to retain documented information as evidence of the nature of the nonconformities
and any subsequent actions taken, and the results of any corrective action.
Continual improvement
The organization is expected to continually improve the suitability, adequacy and effectiveness of the quality
management system.
The organization is expected to consider the results of analysis and evaluation, and the outputs from management
review, to determine if there are needs or opportunities that shall be addressed as part of continual improvement.
SECTION 4:
QUALITY AUDITING
Auditor competence
Auditing is a means of obtaining information in an independent and unbiased manner: information about what we
have achieved, or about the means of achievement.
Audits are undertaken in order to provide those who are responsible for achievement with the necessary
information to enable them to detect conditions that, were they to remain uncorrected, could eventually lead to a
breakdown in the systems provided to enable achievement.
Thus managers of an organization need to know if the systems and processes are being operated in a manner
which will ensure adequacy of outputs.
Systems are an overall framework for performance of tasks; they provide for coordination of individuals and groups
of individuals to enable the achievement of organizational objectives.
Thus a purchasing system provides a framework for the buying in to an organization of materials and services to
support the organization's objectives. It ensures that those involved in purchasing activities understand what must
be done, how it must be done, by whom and when. Systems provide us with the means of achieving our policies
and objectives. Auditing enables us to establish if our systems are being followed and if they are fully effective. This
information enables us to proceed with confidence.
Systems can also be considered as collections of interrelated activities or processes. Systems result in the
achievement of objectives; processes (or activities) result in individual outputs that ultimately provide for the
achievement of objectives.
Information concerning systems operation and effectiveness can be achieved by undertaking audits of:
SYSTEMS
PROCESSES
PRODUCT
(where products are the outputs from processes)
________________________________
"Product"
Output of an organization that can be produced without any transaction taking place between the organization and the
customer.
“Service”
Output of an organization with at least one activity necessarily performed between the organization and the customer.
________________________________
Within an organization we may choose to undertake audits at any of these "levels", and thus an internal audit programme
may detail a range of audits to be undertaken at various levels dependent upon the organizational needs.
For example, a hotel may choose to audit the guest receiving system, the check-out process and the meals provided in
the restaurant (an example of one audit from each level). The guest receiving system itself comprises many individual
processes such as car parking, reception, guest verification, check-in room allocation, luggage transportation, etc.
We may also use audits to establish if other organizations, such as suppliers or sub-contractors operate acceptable and
effective management systems.
Regulatory authorities, independent certification bodies, consumer interest groups etc. also use audits to establish
confidence in the acceptability and effectiveness of management systems operated by organizations, and in some cases
conduct audits of specific processes and product samples.
With the general integration of management systems, auditors are now required to have a much broader understanding of
various company, customer and regulatory requirements, and to be able to audit against such. Many larger
organizations, however, choose to have specialist members of the audit team for undertaking audits of more technically
complex requirements, such as Safety or Environmental management systems, recognizing that one individual cannot be
expected to have in-depth knowledge and experience of various specialist subjects. (Many organizations also prefer to
have specialists managing rather than auditing, and so allow the auditors to call upon the services of technical staff
when it is necessary to audit more technical activities.)
Auditing undertaken by an organization on itself is a very powerful and important feedback mechanism which
provides both confidence to management and employees that all is going according to plan and also identifies
opportunities for improvement. Such audits may be delegated to an external contractor, and may include:
Auditing of projects or programmes of work to verify conformity with Terms of reference, contracts, Quality Plans,
etc.
Auditing of key business processes and procedures to verify conformity with and adequacy of process descriptions
and procedures.
Auditing of products to establish confidence in production methods and quality control techniques employed.
Auditing undertaken by one organization upon another organization forms an important and integral part of a
Supplier Management programme.
Audits of potential suppliers and contractors to establish confidence in their ability to meet the requirements of the
purchasing organization (can involve system, process and product audits as required), and to assist in the process
of supplier selection and determination of supplier control mechanisms.
Audits of existing suppliers to verify conformance with contract requirements. Audits of existing suppliers as a result
of problems experienced and to determine likely causes with a view to requiring targeted corrective action.
(May involve system, process and product audits).
Some auditing activities may be conducted on site, whilst there are some that may easily be (and are often better)
conducted remotely, either due to the remoteness of the auditee organization, or because the auditing is more
concerned with reviewing or evaluating documentation. There are also situations where the auditing activity does
not require human interaction, and is conducted using documentation only or in situations where some form of
product audit is undertaken.
Audits of a first or second party nature may sometimes involve auditing conducted by means of the sending of
some form of audit questionnaire to the auditee organization. Usually this is restricted to the gathering of useful
data to assist the auditing organization to determine if an auditable situation exists or to assist in the preparation of
audit planning.
Audits undertaken by an independent authority authorized and/or mandated to undertake audits on organizations.
Such audits are more frequently of the systems variety, however from time to time process and product audits may
also be undertaken if appropriate to the audit objectives.
Trade organizations specifically set up by members of a particular trade or industry group to undertake audits on
behalf of the group, in order to assist purchasing decisions within the group or industry (e.g. QASCO - set up by the
Energy exploration and extraction companies operating in the U.K.), thus minimizing the audit resource required
by individual member companies.
Regulatory authorities operating at an International, National or local level, verifying compliance with International
or National law (e.g. in the U.K. HSE - the Health & Safety Executive, Her Majesty's Inspectorate of Pollution etc.).
Audit or Assessment?
Generally speaking, when we talk about “External” or "Third Party" audits the term “Assessment” or "Evaluation" is
often used.
An assessment is the name given to such audits to differentiate them from Internal Quality Management System
audits. Whereas the term “Audit” is somewhat generic, the term “Assessment” is specific to audits of ‘external’ or
"Third Party" nature that are solely concerned with establishing conformance of a management system to laid
down requirements and the effective implementation of such. Such "Assessments" normally involve two separate
stages:
Stage 1: A review of the documentary evidence provided by the organization to demonstrate that it has
understood and developed processes designed to implement the appropriate requirements in its documented
system.
(Often referred to as a "Desk Top Audit", however it is not an audit at all but a full and formal review against a full
set of requirements that the organization is required to meet.)
Stage 2: An on-site audit to establish that the organization is indeed implementing its documented system. This is
a true audit that involves sampling of activities undertaken or records relating thereto.
An audit will not always lead to a formal request for corrective action. Auditing is concerned with the gathering of
factual information for the auditor's 'client', and what the client chooses to do with the information is the client's
business. Many auditors feel that it is their right to demand corrective action, forgetting that they are there only to
serve the needs of the 'client' and the client will decide what is to happen next.
Hence there are two separate sub processes in relation to any auditing activity:
(The issue of audit guidance in the form of ISO 19011 has reinforced the existence of these two separate sub
processes and forms the basis of this training course.)
[Figure: Stage 1 and Stage 2 of the assessment: pre-audit visit, review of documented information maintained, preparation, on-site audit, audit report (issued to 'client').]
ISO 19011
ISO 19011 provides guidance on fundamental audit principles, the management of audit programmes, audit
conduct and auditor competency requirements.
It has been prepared in a general way so as to be applicable to different industries and organizations, is equally
applicable to First, Second and Third Party auditing and is now used as the basis for audit approaches throughout
the world and by a diverse range of organizations undertaking audits and assessments.
There are of course variations in the particular approaches adopted, however it is generally acknowledged that ISO
19011 provides a good foundation for audit activities.
It is important to note that ISO 19011 makes it quite clear that an auditor always has a client, and the sole purpose
of undertaking an audit is to provide the 'client' with information. In other words audits are not undertaken to keep
auditors employed or for the benefit of the auditors!
All things found by an auditor, and supported by factual evidence, are classed as audit 'findings'. In ISO 19011 it is
made quite clear that the auditor (team leader) should review the audit findings, together with other information
collected during the audit, against the audit objectives and agree on the audit conclusions.
The term "observation" does not appear in ISO 19011 (except as observation of activities, etc.), however there are
many auditors throughout the world who continue to use the term 'observation' to be an expression of their
personal opinion (assuming that they know more about the subject being audited than the auditees or that their
opinions are worth having or even required!). Some auditors and auditing organizations use the term 'observation' to
mean a less significant nonconformity, and again this must be regarded as a misuse as far as ISO 19011 is
concerned.
ISO 19011 provides guidance on the management of audit programmes, audit conduct and auditor competency
requirements. It has been prepared in a general way so as to be applicable to different industries and organizations
and provides guidance that is intended to be flexible in the way that it is applied dependent upon the size, nature
and complexity of the organization to be audited as well as the objectives and scope of the audit to be conducted.
ISO 17021
Conformity assessment - Requirements for bodies providing audit and certification of management systems
(ISO/IEC 17021)
This document specifies requirements that need to be met by Certification bodies, and against which they will be
audited by the relevant Accreditation body. It provides mandatory and internationally harmonized requirements.
Audit Methods.
When developing an audit programme consideration should be given to the various audit methods which might be
adopted dependent upon the nature of the audit and the type of organization being audited.
Some auditing activities may be conducted on site, whilst there are some that may easily be (and are often better)
conducted remotely, either due to the remoteness of the auditee organization, or because the auditing is more
concerned with reviewing or evaluating documentation.
There are also situations where the auditing activity does not require human interaction.
Working definitions:
On-site audit:
An audit method where the auditor gathers information relevant to the audit objectives, scope and criteria when
physically present at the audit location.
Remote audit:
An audit method where the auditor gathers information relevant to the audit objectives, scope and criteria when
NOT physically present at the audit location.
[Figure: audit activities: review of retained documented information, pre-audit visits, audit conduct, familiarization visits.]
ISO 9001 focuses very much on the need for an organization to adopt a "process" approach when designing,
implementing and improving a quality management system, and verification that this has been undertaken in an
effective manner will place heavy demands on an assessment team leader to construct a suitable assessment
schedule and associated audit samples for the various team members.
It will require the team leader to develop a very good understanding of the organization, the various processes that
are in operation and how they interact with each other. Process analysis will need to be performed in greater depth
before the assessment schedule can be finalized.
It will now be necessary to determine not only if processes are being implemented throughout an organization but
that they are also subject to adequate management and monitoring to ensure satisfactory outputs and to identify
opportunities for process improvement. It is important to establish that processes are effective in delivering the
required outputs and ultimately the desired outcomes.
Auditors will need to understand the approach to improvement that is being taken by the organization and will be
required to verify if process improvement is being undertaken in a planned and systematic way by management.
Some processes are undertaken within a single department of an organization, some processes 'flow' through
several departments and are often called "cross functional processes".
In particular, where key processes are implemented across several departments (cross functional processes)
assessment planning will need to identify which key processes are to be verified by audit, and a conscious decision
taken to either arrange for the assessment to be focused on individual departments or to 'follow' processes across
the organization.
In the event that cross functional processes are to be verified the team leader will need to devise an assessment
schedule that will ensure audit activities are undertaken in the relevant departments and in an appropriate
sequence, together with appropriate samples for the team members.
Process analysis, which should have been undertaken by auditors in the past, will now be very necessary, and an
essential tool within the auditor’s toolbox. This will need to be undertaken at two levels. At the first level, process
analysis will involve looking at the organization at the macro level to understand the nature of the business, the
processes involved and the general sequence and interaction of these processes.
At the micro level it will involve the examination of individual processes to clearly understand how the process
functions, is managed and outputs measured against any performance standards.
An assessment team leader will wish to verify "4.4 Quality Management System and its processes" in relation to
the most important (or significant) processes undertaken by the company. However the specific requirements in the
various clauses of the standard that reflect the "process approach" will need to be verified in relation to those
processes for which business (quality) objectives have been set.
The team leader will need to be aware of the organization's objectives and overall approach to improvement to be
able to make decisions concerning the processes to be verified against the process approach requirements.
The feedback of performance from the process monitoring activities will be used to continually improve the process
management activity.
Here there is an important link into 9.1.3 “Analysis and evaluation” which holds the key to an organization’s
improvement focus and activities relating to process improvement, and subsequently leads into 9.3 “Management
Review” where management need to work with the results of the analysis to determine the need for process and
quality management system improvement.
The assessment team leader will need to decide which processes are to be the focus of audit attention, and
determine the best approach to using the individual team members to obtain the necessary objective evidence of
compliance with ISO 9001 criteria directly relating to the process and to verify effective implementation of the
"process approach" in relation to those processes that are the subject of improvement activity.
Compliance auditing - The auditor verifies that an organization is complying with legal requirements together with
related internal procedures.
Conformance auditing - The auditor verifies that an organization is conforming to external requirements
(contractual, national /international standards etc.) together with internal policies and procedures.
Process approach - The auditor verifies that an organization is applying the ISO 9001 process approach principles
to key processes.
Each of these may be used independently or in combination. An ISO 9001 certification audit would need to verify
conformance to procedures as well as application of process approach principles.
For process approach auditing the auditor will need to establish if there are any process (or product) improvement
objectives that relate to the process and then verify that necessary actions are being undertaken to monitor the
achieved level of performance and ensure the required improvement.
Monitoring data relating to the achieved level of performance will provide an input into 9.1.3 "Analysis and
evaluation", and subsequently into the Management Review process. Each of these will need to be examined by
the auditor to see that senior management are using the data to identify trends, investigate weaknesses and drive
for improvement of the process.
Auditor Competence
The competence of those conducting audits is important if an audit 'client' is to have confidence in the results.
Auditor competence is based on a demonstration of a combination of personal attributes as well as the ability of
the auditor to apply their knowledge and skills resulting from their educational background, industry and audit
experience.
Auditors should have some generic knowledge and skills to act as an auditor or audit team leader together with
knowledge and experience in the appropriate management system discipline together with:
a) an appropriate education for their intended field of auditing coupled with appropriate knowledge and skills,
b) work experience relating to their intended field of auditing.
In particular audit team leaders should also have additional knowledge and skills in team / audit leadership to
facilitate efficient and effective conduct of an audit, e.g. audit planning, communication, organizing and directing,
reaching conclusions, preventing and resolving conflict, audit reporting.
Auditors should implement and demonstrate a personal programme of "Continual Professional Development"
relevant to their auditing field of specialization and their future career development. (IRCA CPD scheme supports
this for IRCA certificated auditors). Auditors should maintain competency by regular participation in audits.
Auditors and audit team leaders should be periodically evaluated for competence against appropriate criteria
relevant to the auditing activities that they are required to undertake.
The following table specifies the knowledge and skills that a certification body shall define for specific certification
functions. X means the certification body shall define the criteria and depth of knowledge and skills.
Knowledge of business management practices: X
Knowledge of audit principles, practices and techniques: X X
Knowledge of specific management system standards/normative documents: X X X
Knowledge of certification body's processes: X X X
Knowledge of client business sector: X X X
Knowledge of client products, processes and organization: X X
Language skills appropriate to all levels within the client organization: X
Note-taking and report-writing skills: X
Presentation skills: X
Interviewing skills: X
Audit-management skills: X
NOTE: Risk and complexity are other considerations when deciding the level of expertise needed for any of these
functions.
SECTION 5:
An overview
Initial contact
Pre-Assessment Visits
Review of documentation maintained
Initial Preparation
Development of Audit Schedule
Communication
Detailed planning
The on-site Audit
Opening Meeting
Audit Conduct
Evaluating Results
Closing Meeting
Corrective Action
Formal Report
Follow-up and Surveillance Visits
An Overview
Generally speaking, when we talk about Second or Third Party audits the term “Assessment” is often used.
An assessment is really only the name given to such audits to differentiate them from Internal Quality System
audits. Whereas the term “Audit” is somewhat generic, the term “Assessment” is specific to audits of Second or
Third Party nature that are solely concerned with establishing conformance of a quality system to laid down
requirements and the effective implementation of such.
Stage 1: A review of the documentary evidence provided by the organization to demonstrate that it has adequately
addressed the appropriate requirements in its documented system. This is sometimes referred to as a "Desk Top
Audit", however it is not an audit at all but a full and formal review against a full set of requirements that the
organization is required to meet.
Stage 2: An on-site audit to establish that the organization is indeed implementing its documented system. This is
a true audit that involves sampling of activities undertaken or records relating thereto.
Note:
The term "Assessment" is used within these course notes to refer to the activity of assessing an organization's
ability to meet specific requirements, and involving the two previously identified stages. The term "Evaluation" is
often used in place of "Assessment". Whilst it is recognized that ISO 19011 only uses the term "Audit" many
organizations involved in undertaking some form of capability assessment and regulatory bodies granting an
approval of an organization use the term "Assessment" or "Evaluation".
Within these course notes the term "Audit" will be restricted to the physical act of on-site verification whilst the term
"Assessment" will be used to denote the more comprehensive Review of documentation maintained, together with
on-site verification activities. However it should be recognized that the terms "Assessment" and "Audit" are in
common use to denote the same activity and hence by implication the terms are fully interchangeable.
Although there may be variations in the way that individual organizations carry out assessments there are some
generally accepted protocols and elements of good practice that have evolved and are now accepted as "best
practice” and incorporated in ISO 19011. In the following pages what has generally come to be regarded as the
standard approach to carrying out assessments will be detailed and is believed to be a desirable approach to
encourage.
PRE-ASSESSMENT ACTIVITIES
Initial Contact
Pre-Assessment Visit
REVIEW OF DOCUMENTATION MAINTAINED,
PREPARATION FOR AUDIT
Initial Preparation
Development of Audit Schedule
Communication
DETAILED PLANNING
THE ON SITE AUDIT
Opening Meeting
Audit
Evaluate Results
Closing Meeting
FORMAL REPORT
CORRECTIVE ACTION
AUDIT FOLLOW UP AND ONGOING SURVEILLANCE
The Team Leader has some additional responsibilities in relation to the entire assessment process, in particular
acting as the prime interface between the organization requesting the assessment (client) and the assessment
team, and also between the assessment team and the organization to be assessed.
The Team Leader will be expected to chair key meetings such as the Opening and Closing meetings, and will
possibly be the only member of the team involved in any pre-assessment visits.
If the client is not the subject of assessment, as may be the case for the majority of second party assessments,
then it will be the client who determines any requirement for corrective action and audit follow up.
Initial Contact
Following a decision that an assessment is to be carried out there should then be an initial contact between the
assessing organization and the organization to be assessed. For second party assessments this initial contact may
be followed up with a "pre-survey" or "Vendor" questionnaire for the purpose of gaining more information about the
Company, its organization, commercial details and Quality System.
If this is a Second Party Assessment then this initial contact should make clear what is the purpose of the
assessment and what the outcome will be, dependent upon the result.
Thus:
To explore new suppliers
To evaluate potential suppliers
To evaluate existing suppliers:
Routine
Because of problems.
If this is a Third Party Assessment, then it is likely that the initial contact is at the request of the company requiring
assessment and thus the initial contact is for the purpose of clarifying the objectives and scope of the assessment,
setting-up a communication channel and arranging for a pre-assessment visit. Possibly the organization requesting
assessment requires further information about the process itself and how it can lead to formal Registration. In
particular costs will need to be clarified.
For Regulatory assessments the initial contact could be either at the request of the organization or the Regulatory
Authority.
For any assessment that is to involve a formal on-site audit initial contact will be used to:
establish communication channels,
confirm authority to conduct audit,
provide information on proposed timing and audit team composition,
request access to relevant documents,
determine applicable safety rules,
make general arrangements for the audit,
agree on the attendance of observers and the need for audit guides.
It is normal practice for the Assessment Team Leader, or person responsible for the assessment function within the
assessing organization to undertake this initial contact and to ensure adequate communication of the purpose of
the assessment.
Pre-Assessment Visits
The purpose of a pre-assessment visit is to ensure that both parties understand the objectives and scope of the
assessment, to ensure that the organization to be assessed has a clear understanding of what the assessment is
all about and what it will involve, and to enable the assessing organization to gather preliminary information about
the target company and to communicate clearly its reasons for wanting to carry out an assessment and how the
assessment will be undertaken.
Nature of business
Product range
Company details (employees, turnover etc.)
General organization
Outline of Quality System
It is essential to obtain sufficient information to be able to advise the company if an assessable situation exists and
to enable the “Review of documentation maintained” to be undertaken.
At, or shortly after, the pre-assessment visit agreement should be reached as to how the Quality System Standard
is applicable to the company's operations, and in particular the Scope of the assessment. Scope relates to the
geographical areas of the organization, or specific company operations / product activities that are to be the subject
of assessment activity.
It is normal practice for a pre-assessment meeting to be arranged and undertaken by the Team Leader (or person
responsible for managing assessment activity). The meeting should last only two hours maximum, and may also
involve a brief walk around the organization. Information obtained at a pre-assessment visit will assist in the
preparation and planning of the on-site audit.
For Third Party audits the organization will be expected to at least have developed processes for the ISO 9001
requirements and produced as a minimum the documentation specified as necessary in ISO 9001 (Statements of
Quality Policy and Objectives, and wherever the standard has indicated to maintain documented information).
For Second Party audits the level of detail examined will be very much dependent upon the nature of the
assessment being undertaken, the contractual relationship envisaged etc.
In either case it will be the responsibility of the Team Leader to decide whether to continue with the on-site audit or
indicate to the company that there remains some further work to be done, either in respect of the level of detail in
the Quality Documentation maintained or the process details.
It is not the task of the auditors to criticize the general format and layout of such documents, nor to require vast
amounts of detail explaining exactly how tasks are undertaken, remembering that the detail required in procedures
is dependent upon the competence of those for whom they have been written, and the level of control determined by the
organization.
The results of a Review of documentation maintained should be communicated to the organization as soon as
possible, with comments restricted to main concerns only AND NOT TRIVIA such as layout, format, spelling etc.
Organizations are, in most cases free to choose any style or format they wish for their documented QMS, and
auditors should not demand that this documented information be written in any specific way except where there
may be specific regulatory requirements, and should always remember that the Quality Documentation exists to
enable the company to implement its own QMS.
In the case of the need to meet regulatory requirements it may be necessary for the documentation to comply with
defined criteria and in this case the Review of documentation maintained will be carried out against those criteria.
ISO 9001 encourages a common sense approach with the necessity for procedures and the associated level of
detail being balanced against the need for control, the complexities of the organization and processes undertaken
together with the skills and abilities of those undertaking the work.
Clearly, for highly competent and motivated individuals procedural detail may be largely irrelevant and
unnecessary, particularly when engaged in fairly standard and repetitive tasks.
However, for individuals who are not so skilled and experienced, or where there is high staff turnover or greater
complexity, significant concerns over safety etc. then a greater level of procedural detail in an organization may be
very necessary.
It is not for auditors to determine the level of procedural detail necessary in an organization, but to clearly establish
if this has been given due consideration and acted upon accordingly. Auditors will need to look for clear signs that
the level of procedural detail is sufficient to ensure satisfactory outputs from work activities.
During the Review of documentation maintained, the auditor will need to develop a good understanding of the
nature of the organization’s activities and will clearly need to understand which are the main processes that should
be the focus of audit attention. It will be necessary to establish how various processes relate to each other (this
should be facilitated by the description provided in the Quality Documentation by the organization, following the
ISO 9001 requirement detailed in clause 4.4.1 b).
The Assessment Team Leader will undertake the Review of documentation maintained, and may be assisted by
other Assessment Team Members if they are known and available at the time, and occasionally by a technical
expert (in the case of Software etc.).
The Review of documentation maintained is usually undertaken off-site, however there may be situations where it
could be advantageous to undertake part of the Review of documentation maintained on-site.
If, after completing the Review of documentation maintained, the audit team leader discovers that there is a very
limited documented QMS then the auditor may, if not on site, wish to undertake a pre-audit visit in order to establish
if more procedural documentation might be necessary or exists in some other form.
The audit team leader ultimately will need to make a judgment in relation to the products concerned, the scale and
complexity of operations and whether to proceed with the audit, and then working with an understanding of the
product, the scale of requirements that need to be complied with and the processes undertaken, establish if such
processes are operating consistently and effectively.
Clearly this places a greater burden on the audit team; however, the focus should always be on process effectiveness rather
than merely compliance to procedures. In some cases it might be quite acceptable to have a very minimal
documented QMS.
In particular, for Second Party audits, it may be the case that an auditor is required to undertake an audit of an
organization that has virtually no formal documented QMS, in which case it will be very necessary to establish or
agree the objective and scope of the audit with the auditor's client as well as the organization to be audited, and to identify
the requirements (contractual, regulatory, QMS standard etc.).
The auditor should request any policy statement and/or quality objectives together with any procedures, work
instructions, forms or any other documents relating to the activities to be audited as well as any company or
product brochures.
Again a pre-audit visit could be very beneficial to facilitate auditor understanding and information requests. Finally
the auditor should prepare a suitable audit plan and checklist of people, activities, documents and records to be
reviewed.
Initial Preparation
It will be necessary for the team leader to develop an understanding of the company to be assessed, its products,
processes and organization, to finalize the Scope of the assessment, decide on the composition of the audit team
and the outline on-site audit schedule and to begin the preliminary activity of developing a plan of action for
undertaking the on-site audit.
It is important that before this preparation is undertaken the full objectives of the assessment are fully understood
by the team leader, and if there is any doubt then further discussion should take place with the organization to be
assessed, or the client organization requiring the assessment.
The scope of the on-site audit will now be finalized by the team leader, if necessary consulting with the client
(person requesting the assessment) or the organization to be assessed as appropriate. (The term "Scope" is used
to mean those aspects of the company operations that are to be subject to audit, i.e. specific processes,
departments or functional areas).
The scope is determined by relating the company operations to the audit objectives. Thus if the assessment is
concerned only with a particular product range, then the scope of the on-site audit will include only those areas of
the organization that are involved with that product range and not other areas that are of no relevance.
It is at this stage that the team leader, or lead auditor, will decide on who from the available pool of assessors
would be best to include in the team, either due to knowledge and experience with this particular industry or
because a specific technology undertaken by the Company requires the audit team to be accompanied by an
appropriate technical expert.
An audit team may include a technical expert who is only involved in assisting an auditor and not actually auditing,
and occasionally an auditor with specialist technical knowledge may only be involved in undertaking a small
proportion of the audit and hence is only present for part of the time (this can cause problems if such an expert
is not available for the Closing Meeting, when nonconformities involving technical matters may need to be
discussed, and it should be so arranged that all members of the audit team are available for the Closing Meeting
even if they were not all available at the Opening Meeting).
The team leader will undertake this preparation by studying documents and data obtained at the pre-assessment
visit, talking to others who have some knowledge of the business and/or technologies involved, or referring to other
information.
The question often arises, “how many auditors will be required and for how long”. This is almost the same as “how
long is a piece of string”. Judgment is required based on practical experience of auditing and the nature of the
different company operations.
Auditors with greater experience are likely to require less time than less experienced auditors to gain the same
confidence in an organization. It also depends on the "sample" that is to be taken (activities to be audited and
requirements that they will be audited against).
The Team Leader may wish to develop a better understanding of the company by undertaking a form of Process
Analysis, which will also assist in determining a suitable audit sample.
General Guidance
More time will be required in larger companies. More time will be required when complex technologies or business
processes are involved.
Two auditors can cover more ground and in greater depth than one (not necessarily twice as much!), and the
involvement of more than one auditor allows for comparison of observations and active discussion on the direction
that the audit should take, or trails that should be followed after the discovery of nonconformities.
A typical company involved in medium technology design and manufacture operating on a single site with
approximately 400 employees might require a team of three auditors for three days (i.e. 9 auditor days). A typical
office undertaking sales and marketing activities with approximately 50 employees might require a single auditor
for 1 to 1½ days.
It should also be recognized that the longer the duration of the assessment, the more disruption to the company,
and efforts should be made to reach an acceptable compromise between the number of auditors and the total
number of days over which the audit is undertaken.
It may also be necessary at this stage to determine which specific requirements of a code / system standard must
be verified as this will also have an impact on the audit duration. (See also section on "DETAILED PLANNING").
Accreditation Bodies usually issue guidance to Third Party organizations.
The Team Leader will need to undertake a detailed analysis of the organization to clearly understand what is
happening, where it happens, when and how.
This can be achieved by closely studying company documentation such as organization charts, Quality
documentation etc. and by producing block diagrams of the company structure, flow charts showing how the work
is progressed through the company structure, and by making educated guesses as to what should happen and
roughly how. Process Analysis is a useful technique to assist with this process. Once this has been done it is then
possible to clearly identify which of the requirements of the quality system standard are applicable in each section
of the company, i.e. the management criteria that are applicable.
Process Analysis:
Initially auditors must develop a good understanding of the processes involved, and process analysis may assist in
this task.
For the area(s) of the company that are to be the subject of audit activity the auditor must first develop a good
understanding of what activities are undertaken, how and in what order. This process may be assisted by use of a
process modeling technique and by undertaking a process dissection. Once this has been done it is then a
relatively straightforward task to identify which of the management criteria have some scope for application in
relation to the different activities. Any area of a company may therefore be represented thus:
Inputs → Area of Company → Outputs
We may now set about listing all of the inputs, activities undertaken, and outputs. This will help us to gain a good
understanding of what is involved in this particular area of the company. It may then be helpful to draw the
processes and process steps undertaken within that area of the company (even if some guesswork is involved).
[Process diagram for a goods receiving area]
Input(s): Goods; Advice Notes; Associated Paperwork; Certificates of Conformance; Drawings; Specifications; Inspection/Test Instructions; Sample Plans; Tools; Test Equipment; Risks/Opportunities; Interested parties’ requirements
Process steps: DELIVERY; IDENTIFY; UNPACK; QUANTITY VERIFICATION; INSPECT; TO STORE; TEST; UPDATE RECORDS; RETURN TO SUPPLIERS
Output(s): Goods; Information; Queries; Non-conformance Reports; Goods Receipt Notes; Test Results; Inspection Results; Vendor Performance Data; Scrap; Quarantined Goods; Goods Back to Suppliers; Goods Returned Paperwork
Activities:
Receipt at unloading bay
Identification and Booking-In
Unpack
Quantity Verification
Pack in lots of 10 (Risk of pilferage!!)
Verification (Test, Inspection)
Quality Records
Store in lots as per BOM (Interested party’s requirement)
Stock Records, Handling, Movements to Stores
Colour-wise storage (Opportunity of a particular colour demand)
We are now in a position to decide which of the requirements of a Management System are applicable within this
area of the company.
If each department within an organization is identified by a unique number, then it is possible to 'map' the
requirements of the management criteria onto the total company and display such on a Matrix chart.
Such a chart may then be used for audit sample planning purposes, and to assist in the determination of times
required to be spent in each department (or functional area) in order to satisfy that sample. An example of such a
matrix chart, using a typical set of QMS requirements is given below.
Clearly for some of the departments there will only be limited scope for application of the criteria, and so
sometimes it may be of help to indicate the degree of relationship that exists between the individual criteria and the
department that is to be audited (A, B, C, etc.).
If such an analysis is carried out for an entire company operation the matrix chart would show how the
management criteria related to all company departments or operations.
However it would be impractical to undertake an audit to establish if all such criteria requirements were indeed
being met in each of the company departments as such an audit would require a very large amount of time. We
need to recognize that auditing is always undertaken on a sampling basis, and thus it is only necessary to select a
realistic and practical sample of criteria in some departments only.
It is at this stage that the auditor needs to refer to the original audit objectives and to select an appropriate sample.
This sample must be determined such that it will provide sufficient confidence that key criteria are indeed being
implemented within the organization.
When auditing to verify application of the "process approach" it will be necessary to select samples that include
not only requirements relating to the process itself but also those requirements of ISO 9001
relating generally to the process approach.
If an auditing organization undertakes over a period of time a series of surveillance audits, such as might be the
case for Third Party accredited companies or Regulatory Authorities, then such sampling may be used to very good
effect to establish if all criteria are being complied with.
Each audit will focus on certain selected criteria only and also be restricted to some of the organization's
operations. However, for each audit a different sample will be taken such that over the selected period of time all
criteria will be sampled in all of the organization's operations.
Clearly for this approach to be fully effective it will be necessary for records of each audit sample to be maintained
and for each auditor to consult such. Management may also decide to set the sample to be taken at each audit to
ensure satisfactory audit coverage.
Although there are some general guidelines issued by Third Party organizations and their controlling authorities, it
is not always easy to decide the exact audit timings and resource levels. This can be very dependent upon many
different factors, not least of which is the relative knowledge and experience of the auditors themselves (particularly
with respect to the organization to be audited). In some cases educated and experienced judgments are required.
Basically it is necessary to judge how long needs to be spent in the various areas of an organization in order to
obtain a reasonable degree of confidence in the organization's ability to meet the appropriate specified
requirements.
Larger and more complex situations will require more time, as will geographically distant and spread out locations.
Time constraints together with resource and cost limitations may also influence the final audit schedule. The
relative responsibilities of the team members should be agreed and detailed in writing. (See also ISO 19011).
Technical experts may be required to assist where particular technical subjects need to be audited.
It is at this stage that the Team Leader will need to finally decide the criteria (requirements of the quality system)
that will need to be verified in each area of the organization in order to ensure adequate coverage, and to gain
sufficient confidence in the organization's compliance with the quality system requirements. (Clearly if this is left to
the individual auditors to determine for their own audit areas then certain requirements may not be verified).
It is often useful to use some form of 'Matrix Chart' to summarize the results of this planning activity.
In many cases an auditing organization will need to determine if key processes are being implemented effectively in
an organization. In particular, where key processes are implemented across several departments (cross functional
processes) assessment planning will need to identify which key processes are to be verified by audit, and a
conscious decision taken to either arrange for the audit to be focused on individual departments or to 'follow'
processes across the organization.
In the event that cross functional processes are to be verified the team leader will need to devise an assessment
schedule that will ensure audit activities are undertaken in the relevant departments and in an appropriate
sequence, together with appropriate samples for the team members.
It will also be necessary for the audit team leader to clearly establish if a continual improvement process is in place
and focusing on some of the main processes. This information should be obtained in advance of the audit to enable
the audit team to focus not only on processes themselves, but also looking closely at the process monitoring
activities and objective measures in place for process outputs, together with the actions resulting to improve
processes.
It is now possible to break the audit down into manageable portions, allocated to each auditor in the team and thus
produce a suitable audit / assessment schedule.
The team leader must ensure that the audit schedule clearly indicates who will be where and at what times.
Several different styles of audit schedule have been observed, however the one that is recommended is as shown
below, and clearly details the various audit tasks that are to be undertaken by the team members. It can also be
used to show the criteria that are to be verified in each audit target area.
The Audit Schedule is, in practice, detailing a series of individual audits that are to be undertaken by the team
members throughout the duration of the on-site audit. It should also be noted that until this schedule is accepted by
the organization to be assessed it remains only a proposal.
In summary, the team leader will plan the assessment by studying documents such as organization charts, other
quality documentation etc., and by discussing with other team members. Also by gaining information at pre-audit
visits and by using the technique of Process Analysis.
The Team Leader should agree and finalize the proposed schedule, working where possible with the audit team
members, and it is then his/her job to agree the proposed assessment schedule with the organization to be audited.
Specific processes will be verified in relation to the ISO 9001 Process approach. The schedule has been arranged
such that a process is verified mainly in the departments or areas of the company where the process is undertaken.
Where it is necessary to verify in other departments that the process approach has been adopted in relation to a
specific process, the team leader will need to ensure what is to be verified and where.
Communication
It is very necessary for the team leader to ensure a clear understanding at all times of the proposed audit
arrangements between the Audit Team and the organization to be audited. Particularly in relation to the audit
schedule and key staff that will need to be available, support requirements (office facilities, guides, the need for
protective clothing, etc.), and the suggested attendees for Opening and Closing Meetings.
In relation to support requirements, the team leader should determine what will be required to support the audit
process, such as office facilities etc. It is normal practice for the team leader to request the use of an area where
the audit team may be based and where they may be able to meet for private discussion, and to have access to
any phone, fax or secretarial support as necessary. The team leader should also establish if there are facilities for
taking lunch.
It is important to note that at all times the team leader should remember that requests may be made, but that it is
wrong to make demands!
It would also be appropriate for the Team Leader to check at this stage on the working times, lunch times and any
restrictions on access that there may be due to safety hazards, confidential processes etc., and to request that
"Guides" be provided to accompany the auditors during audit conduct. The role of the guides, and hence their level
of knowledge, seniority etc. should be explained to the company.
As part of the communication process it is also advisable to telephone or fax the company a week before the audit,
just to ensure that there have been no misunderstandings and that the company is fully prepared and has made all the
necessary arrangements.
The team leader should communicate the PROPOSED audit schedule, date for audit and any support requirements
by formal letter to the auditee organization. It is a primary responsibility of the team leader to ensure adequacy of
communication throughout the complete assessment process.
Detailed Planning
The Audit Team will need to be adequately prepared for the audit, have a good understanding of the company, the
nature of its business, its products, the technologies and/or processes involved and, most of all, know what to
look for and where to look to verify conformance to the Quality System Standard requirements. The Team should
also know fully who is to do what and when, and how they will handle the evaluation of data.
The Team Leader will need to communicate to the audit team the schedule and audit criteria to be checked
(sample), and the audit team members will need to closely study company documentation such as organization
charts, other quality documentation etc. and where necessary use process analysis to ensure a sufficient
understanding of the activities undertaken and how the requirements that they are auditing against relate to those
activities.
Each of the auditors will need to undertake his/her own detailed planning involving the development of their own
working documents in the form of:
Checklist
Arrival
It is good practice to arrive just a few minutes ahead of schedule, announce your presence to the member of staff
with whom you have been interfacing, and then wait patiently at reception.
It is surprising just how much you can learn about a company by standing in reception and looking and listening.
Try it someday.
An Opening Meeting
The Audit
A Closing Meeting
Following the initial receiving of the audit team, the Team Leader should hold an opening meeting with the
company management team or representatives thereof.
It must be remembered that from now on the auditors are guests in the company, and as good guests they must
always be on best behavior. They must not demand, only request. They may wish to hold meetings with company
management but they do not have the right to demand this or even attendance at any meeting by any one member
of the management team.
However, when making such requests they should carefully note the response and willingness on the part of the
company to co-operate and meet such requests.
The purpose of the Opening Meeting is to introduce the Audit Team to company management and allow
management to do likewise. Also to re-state the purpose of the audit i.e. the objective and scope, how it will be
undertaken and how the results are to be communicated back to the company. It should be made quite clear at this
point if immediate feedback of observations / findings / nonconformities will be provided using some sort of
“Nonconformity Report Form” or “Corrective Action Request”, and how this is to be handled. Also the company
should know if a daily closing meeting will be held for a summary of the day’s findings, or if all findings will be left
for a final “Exit” or “Closing” meeting. (Preferable to leave until closing meeting).
It should be stated that the audit is only a limited 'sample' and conclusions reached at the end of the audit can only
be based on what is revealed by the sample taken by the auditors. This is a 'snapshot' at this moment in time.
General administrative arrangements, such as office facilities, breaks, starting and finishing times should be
addressed. It should also be established if the previously supplied schedule is still acceptable and if there are any
reasons for making adjustments to this. It should also be confirmed whether guides will be available.
Company starting and finishing times should be re-checked together with possible staff/union difficulties etc.
The team leader should also ask if there are any Health & Safety requirements or considerations that the audit
team need to be aware of (safety hazards in the areas to be audited etc.).
Arrangements for final feedback of results at a formal “Closing” meeting should be discussed (time, duration, who
should be present etc.). If a report is to be produced it should be stated when this will be provided.
It should also be made clear to the company that everything seen and heard by the auditors, and results obtained
will be in total confidence and will not be revealed to any other parties.
Finally, allow a period of time for questions from company managers. We want them to feel comfortable with the
process.
Audit Conduct
This should be conducted in accordance with the laid down schedule, keeping to the set times as far as possible
and following each assessor's detailed plan. Remember that the purpose now is to get on with the job and answer
ALL the questions on the Check List.
It is normal practice to request auditee organization staff to accompany individual auditors in the role of 'guides', not
only to show the auditors where to go but to introduce them to interviewees and, most importantly to act as witness
to facts found that relate to nonconformities.
As non-conformances are found they should be clearly recorded in a formal manner and company agreement
sought that the facts surrounding/relating to the non-conformance are true and accurate. Nonconformities should
be written on to official report forms as soon as possible following their discovery, and it is normal practice for
auditors to do this either at the time the nonconformity is found or before leaving the area being audited. If they are
not written down immediately then good notes will need to be taken.
The guide will often be expected to enter his/her name onto the formal nonconformity report form to indicate
concurrence with the observed facts, a practice that prevents possible problems later if the facts should be
challenged!
As the audit progresses we may find that trails require to be followed which could detract from the individual
auditor's plan, or even major concerns that need to be followed up and so result in a major change to the original
assessment schedule. How should these situations be handled and controlled?
It is a prime responsibility of the Team Leader to ensure that the assessment is satisfactorily completed having
covered all areas originally decided upon and checked all appropriate quality system requirements.
Individual auditors are required to refer decisions to deviate from the agreed schedule to the Team Leader, and
usually these matters are dealt with at regular team meetings held several times throughout the assessment.
Team meetings may be held at coffee or lunch breaks and are an opportunity for the team members to exchange
information, particularly relating to trails that may need to be followed by other team members. If a significant
change to the schedule is deemed necessary by the team leader this should always be discussed and agreed with
auditee management.
At the conclusion of each day it has become normal for the team leader to provide an overview of findings to the
company’s Quality contact person.
It is most important that the true role of such guides is fully understood by the auditors, the auditees and the
guides themselves. Guides are not there to act as a buffer between the auditors and the auditees, they should not
themselves be audited, nor should they cut across the auditor or auditee by asking or responding to audit
questions.
They are there to ensure that the auditors are able to move around freely in the company, are accompanied at all
times to meet with company confidentiality and Health & Safety requirements, and to ensure that fair play prevails.
In this latter respect, it is sometimes the case that either the auditor or the auditee misunderstands what is being
said and in this case the guide can be valuable to see that such misunderstandings do not occur. The guide must
also sometimes act in the capacity of Interpreter, not only from the foreign language aspect, but also to interpret
company or technical terminology for the auditors.
As the guides can have such a significant and important role it is well to select them with care and choose suitable
staff for this function. Inevitably a company will choose guides from its own QA staff.
The audit team leader should ensure that the guides allocated are suitable from the point of seniority, general
abilities etc. and should politely request alternatives if inappropriate guides are allocated. The Team Leader should
also be prepared to take action if guides should not act in an appropriate manner, and where necessary request
alternatives.
Evaluating Results
As the auditors reveal non-conformances or make observations/findings etc., there will eventually be a list of
such. This list may be long or short; however, some of the findings may be more significant than others, and some
may be closely related or manifestations of the same problem. The Audit Team must now undertake an
evaluation of all the audit results combined to establish what the real reportable concerns are.
Remember, management are not interested in trivia, they need to know what the main problems are. This
evaluation may be undertaken on a daily basis or at the end of the audit and prior to the closing meeting. It should
be performed by the Team Leader with the Audit Team.
Some organizations categorize nonconformities as major or minor or attach a numerical indicator of severity i.e.
Category 1, 2 or 3. The following definitions and guidelines are available in ISO 17021-1:2015.
It is important for an auditor to differentiate between things that are of a serious nature and those that may be
less so, however the above definitions in common use are considered to be somewhat subjective and could
result in much debate at the time of audit, particularly if to receive a 'major' nonconformity could result in the lack of
formal approval or loss of an order.
In some instances an auditor may be given information or make an observation that whilst not a non-
conformance as such, indicates that potentially one might arise if the situation were not addressed. Auditors often
use the category "Observation" for such instances, however it is felt that unless hard factual (objective) evidence
of nonconformity is found by the auditor then one does not exist. The term 'observation' should not be used to
describe a lower category of nonconformity.
Prior to the closing meeting it is normal for the Team Leader to arrange for a team meeting at which only the audit
team are present. The purpose of this meeting is to evaluate all results and prepare a summary of findings which
will be presented to the company at the Closing Meeting.
It is normal to spend about one hour on this activity and a halt to all audit activity must be called if a successful
closing meeting is to be held.
The Team Leader will chair and control this meeting.
It is important when reviewing non-conformances to ensure that the statements made are factual, supported by
objective evidence and are clear, concise and understandable. If there is any doubt as to the ability to support a
conclusion made then the non-conformity should be discarded.
It may be possible to group some findings together, if they are clearly the same problem, and detail on a single
non-conformance report.
In preparing the summary statement the Team Leader must return to the reason for undertaking the assessment in
the first place:
Does the documented system address the requirements of the standard and to what extent? (Are there
weaknesses in relation to specific requirements or in relation to particular company activities?)
Is this system implemented and to what extent? (again are there weaknesses in relation to specific requirements or
particular company activities ? )
Is the system effective?
By analysing collectively the non-conformances raised the Team Leader will be able to answer these questions and
make a meaningful input to the closing meeting by indicating areas of the company that are weak in these respects,
and pass a final judgment on compliance to the requirements of the code/standard.
Hence the conclusion of the audit team.
The agenda for the closing meeting will allow for presentation of individual findings by the team members if this is
considered appropriate by the team leader.
The main concerns relate to a lack of adherence to quality system requirements rather than weaknesses in the
system itself, and it is suggested that this might be due to a lack of full consideration of some of the ISO 9001
requirements in relation to interdepartmental activities. It is considered that these issues could result in the
company failing a forthcoming ISO 9001 assessment and it is suggested therefore that appropriate action is taken
to address them as soon as possible.”
The purpose of the Closing Meeting is to continue the communication process with the audited company’s
management team and to feedback the results of the audit, together with any conclusions reached, to ensure that
company management are aware of and fully understand the findings and associated implications, and what they
need to do next. Also to formally close the audit.
In a similar style to the opening meeting, the Team Leader should call (advised at the opening meeting) and chair a
formal closing meeting (sometimes termed EXIT meeting) with company management. Again it must be
remembered that you cannot demand attendance at such a meeting of management, however it is likely that they
would not wish to miss such a meeting!
Again, it is wise to introduce Team Members to the management team, and allow them to do likewise and then
spend a few minutes explaining the purpose of the meeting (there may be attendees who were not present at the
Opening Meeting).
Before passing on to the results themselves the Team Leader would be wise to first thank the company for its co-
operation, hospitality, provision of facilities, and the courteous and professional manner in which it participated in
the audit process (even if it didn’t!). Generally let them know what a pleasure it was to be in their company before
letting them have the results.
It is recommended that the objective and scope of the audit be re-stated, for the benefit of any participants who
may not have been at the Opening Meeting, and that it be explained that the audit can only be a sample of the
activities undertaken by the company and hence not every non-conformity that exists may have been found. The method of formally
reporting the audit results back to the company should also be explained.
The non-conformances should then be presented, usually by each of the team members in turn. Copies of such
may be supplied to save auditee management needing to take notes.
Finally the Team Leader should present the summary and make the final conclusions clear.
All non-conformance reports should now be signed, if that has not already been done, and an opportunity afforded
for questions. Dependent upon the nature of the non-conformances found there may be some discussion on
corrective actions. However, it is unreasonable to expect well thought out and appropriate corrective actions to be
decided at the closing meeting, and the Team Leader should try not to become involved in a debate on individual
nonconformities but leave copies of non-conformity reports with company management and obtain a commitment
from them to provide a formal response by an agreed date.
Non-conformances that cannot be cleared at the time of the audit will, if of a significant nature, prevent an
organization being approved / certificated and hence are termed “Hold Points” by some
third party organizations.
Corrective Actions
Depending upon the nature of the audit undertaken, i.e. second or Third Party, it may be appropriate to discuss a
timescale for the company to propose necessary corrective actions.
_________________________________________
IT IS OFTEN NOT POSSIBLE, AND EVEN INADVISABLE, FOR CORRECTIVE ACTION TO BE DETERMINED AT THE TIME
OF AUDIT. MANAGEMENT NEED TIME TO UNDERTAKE THE NECESSARY INVESTIGATIONS.
AUDITORS SHOULD NOT FORCE THE COMPANY TO DECIDE DURING THE CLOSING MEETING
WHAT CORRECTIVE ACTIONS ARE TO BE TAKEN.
_________________________________________
The Team Leader should not leave the company without a firm commitment from the company management as to
when the corrective actions proposed will be communicated to the Assessing Organization (if it is appropriate to do
so - i.e. a client requirement), and also what follow-up action will be necessary.
Formal Report
It is good practice to always provide the audited organization with a formal report detailing findings and conclusions
of the audit.
The nature of such reports will vary depending upon the nature of the audit undertaken and the findings. However
the main purpose of such a report is to convey clearly to company management the findings and ultimate
conclusions of the audit. It is important to remember that the report should hold no surprises, and it should reflect
accurately what was presented at the closing meeting.
There are many texts on the subject of report writing and it is not intended to repeat such information here,
however there are a few pointers to assist the writing of reports following audits.
For second party assessments/evaluations it may be necessary for the team leader to prepare a version of the
report for use within the purchasing organization, and for such reports an Executive Summary may be appropriate.
Such summaries should be prepared with the busy executive in mind and should clearly and succinctly convey:
Report identification
Confidentiality clause.
Identification of the reference documents against which the audit was conducted (Quality Systems Standard,
auditee QMS information document/s, etc.).
Summary of findings.
Audit observations, non-conformities and supporting evidence.
Recommendations for follow-up of corrective action and for subsequent audits.
Conclusions of the audit team, judgments as to the degree of compliance with the Quality System Standard and the
system’s ability to achieve defined quality objectives.
Distribution List.
The audit report should be signed and dated by the team leader, and sent to the client/assessed company.
As the report is confidential it should not be distributed outside of the assessment organization without the
permission of the assessed company.
Corrective Action
It is normal practice to provide a formal written report fully detailing audit findings to the auditee within a reasonable
time, and it is often then necessary for the auditee to be required to respond to this report by indicating what action
will be taken in response to the audit findings. Such a response may include a "remedial action" and also a
"corrective action".
Remedial Action.
This will detail the immediate "remedial" action that will be undertaken to eliminate the problem that was revealed
by the audit. For example to provide the correct issue of a document at a location where an obsolete document was
found by the auditor.
Corrective Action.
It will also be necessary for the audited organization to investigate why an obsolete document was available for use
and to identify what is referred to as the "root cause" (underlying cause) for obsolete documents not being
withdrawn and replaced with the correct issue documents.
This may require an investigation to determine first if there are many other similar situations in the organization and
if there are, what is the reason.
It may be that the investigation reveals that this is not a frequently occurring problem and hence there is no need
for an action to address a root cause.
Such an investigation may require the gathering and analysis of additional data, as appropriate, before the
root cause of the problem can be determined. This is likely to take time and is the reason why it is not reasonable
to request details of corrective actions at the time of the Closing Meeting.
The audited organization will need to work with reported nonconformities and begin the process of corrective action
determination. It will be necessary for the audited organization to first understand each nonconformity, and the
auditor's approach to writing clear and factual nonconformity statements is designed to ensure not only objective
audit reporting, but also nonconformity statements that are understandable to the auditees and also to future
auditors who may be called upon to undertake audit follow up verification activities.
Auditee management will need to ensure that each nonconformity situation is analyzed, where necessary gathering
further relevant information and initiating detailed investigations and/or internal audits to provide additional information
to enable the root causes of the nonconformities to be determined.
It is at this stage that management may wish to employ some of the various problem solving tools and techniques
to arrive at suitable fact based conclusions. Once the root cause has been identified it will then be necessary to
determine a suitable course of action to address the root cause and so eliminate the possibility of similar
nonconformities in the future (audit nonconformities are the symptoms of problems, and by addressing the root
cause the symptoms should go away).
When the corrective action proposal is received the auditing organization (or their client) should be concerned that
a fully detailed investigation has indeed been undertaken and that any proposed corrective actions are not just
addressing the symptoms of the observed non-conformances. Thus on receipt of the proposed corrective actions
the recipient should satisfy themselves that the action appears to address what is a likely cause of the problem, or
at least is going in the right direction, remembering that the actions should always be cost effective for the auditee.
However it is at this stage that a solution should not be 'imposed' on the audited organization by simply rejecting
any proposal unless it is the same as the auditing organization would itself undertake - there needs to be a fairly
wide 'band of acceptability' so that anything that is going in generally the right direction is accepted and the audited
organization retains ownership of the solution.
It is important to recognize at this stage that the auditors may, or may not be involved in this process, dependent
upon their terms of reference as communicated by the 'client'.
However, it is also important to recognize that in some second party audit situations no formal report may be
provided to the auditee, nor may corrective action be requested as there is no intention to use the auditee
organization as a supplier. It may also be fully the responsibility of the purchasing function to determine how this
stage of the assessment is to be handled, dependent upon the results and the original objectives of the
assessment.
In the case of Second and Third party audits it is likely to be necessary to send the remedial and corrective action
proposals to the auditing organization for their acceptance / agreement.
It is now that the original auditor(s) may be called upon to review these proposals and decide whether, in the
context of the audited organization, the proposals are realistic and likely to address the suspected root cause
(although it must be remembered that the auditors will not have access to the detailed investigation results and so
can only judge from their understanding of the company and similar situations observed in other companies if the
proposed corrective action(s) appear to be sensible and also that there is evidence of detailed analyses having
been performed and the company has not simply resorted to adopting "Quick Fix" measures).
If the auditing organization is satisfied with the proposals (which should also include an appropriate timescale) they
should indicate this to the company and make arrangements for verification audits to be performed at an
appropriate time.
The audited organization will then need to implement their proposed remedial and corrective action and undertake
their own verification activity (which may involve audits) to clearly verify that the necessary actions have been
undertaken and that the root cause has been satisfactorily addressed and the symptoms first reported as the
nonconformity(s) are no longer evident.
Once corrective action has been implemented the audit management in the auditing organization should arrange
for formal verification that it is effective in overcoming the original non-conformance. This may, or may not, involve
the original audit team.
Once the auditing organization are satisfied as to the effectiveness of the remedial and corrective action taken,
then this should be formally recorded (preferably on the original audit report form) and the audit ‘closed out’.
It may be useful to check effectiveness of any corrective actions again at subsequent audits.
It is usual upon completion of an audit to establish a formal activity to verify the implementation of corrective
actions. This should be performed at an appropriate mutually agreed time following the audit, and after receiving
details of corrective actions proposed together with associated timescales. It is usually possible for the Team
Leader, or a member of the original audit team to undertake this activity, however in some organizations it is
delegated to some other local representative or agent.
For many third party assessments non-conformances of a relatively minor nature only are required to be addressed
before formal certification is granted. In these situations it is normal for the Team Leader to verify adequate
implementation of the corrective action agreed either at the time of audit, or shortly after, possibly two or three
months following the audit visit.
However for more major non-conformances it may be necessary to allow a greater period of time and undertake a
limited re-audit. (Dependent upon the severity of the nonconformities such a re-audit may be as in-depth as the
original audit and to a similar schedule).
Where required by the 'client' the Team Leader will review proposals for corrective action and decide if they are fully
appropriate. Arrangements may then be made to verify full implementation of such either by the Team Leader,
another member of the team, or another local representative.
Some very minor documentation non-conformances may be corrected and verified by the Team Leader viewing
correspondence only, others will require a "Follow Up" visit to be made.
It is important to recognize that when examining corrective action proposals the focus of attention should be
establishing that the proposal shows clear signs of a thorough investigation having been carried out by the audited
organization to determine the 'root cause' of the problems revealed by the auditor(s).
It is all too easy for the audited organization to propose corrective actions that merely hide the symptoms rather
than deal with the cause of the problem.
When follow up visits are made, the detail originally entered onto the nonconformance reports is vital information
for the verifying party and so emphasizes the need for such information to be clear, complete and traceable.
If corrective action taken is found to be effective then the non-conformance report is signed off and the audit
closed out.
A complete re-assessment would be undertaken every two to three years, and periodic surveillance visits would
attempt to cover the entire system in this period.
Periodic surveillance visits are the means by which a Third Party organization continues to verify compliance with
the standard. They conduct a surveillance visit and undertake a limited audit sample (activities and requirements).
Such sampling must ensure that the entire system is checked over the two or three year period.
Third Party Assessment Organizations usually arrange to undertake surveillance of a company’s Quality System
following successful Assessment and Registration. Such surveillance activities are usually at six monthly or annual
intervals depending upon the state of maturity of the Quality System or overall confidence in the company.
Surveillance visits are usually undertaken by a single auditor and the company is often given very little notice of an
impending visit. (Reasonable notice is required if we wish to ensure seeing certain members of staff).
For Regulatory Authorities there may be a specific on-going surveillance activity performed by a separate group
within the regulatory authority, or by a local representative who keeps close contact with the organization.
SECTION 6:
Preliminary preparation.
The auditor needs to have a very good understanding of the objectives and the "scope" of the audit. This must also
be understood by those that are to be audited.
Once the audit task has been allocated, the auditor must obtain information as necessary to develop an
understanding of the audit target area. This is best done by gathering documentation and studying as appropriate
and even by having preliminary discussions with the appropriate auditee management and in some cases those
with a technical knowledge applicable to the target area. (In some cases it may be beneficial to include technical
experts in the audit team).
Thus the auditor develops an understanding of WHO, WHAT and HOW relative to the target area as well as
physical layout, staff numbers, technologies involved, etc., etc.
It is also necessary to communicate with auditee management what is to happen, when, by whom, and what part
the auditees must play in the process. The full scope of the audit must also be agreed and again a preliminary
meeting between auditor(s) and auditee management will assist the communication process.
It is the responsibility of the audit team leader (even if it is a team of one!) to ensure adequate communication
between the audit team and the organization to be audited, and the setting up of the necessary communication
channel. It is also important to ensure adequate communication between audit team members, particularly at the
start of the audit process when it is helpful to call the proposed team together to explain the objectives and scope of
the audit and what is required of each team member.
Check list:
The auditor must first develop an understanding of the target area / company to be audited. Process Analysis may
help (but is not a mandatory requirement!).
Once the preliminary preparation has been completed and the auditor has a good understanding of the audit task
ahead then it is necessary to undertake detailed planning activities. The methodology that will be adopted is as
follows:
Step A) What are the requirements of the standard and are they implemented?
Step B) What are the activities in the focus area relevant to the clause and where are they carried out?
Step C) How are these requirements addressed and implemented at these functions and how effective is it?
We shall look at these in turn, using the case study company Grand supermarket.
There is a logical flow in the development of the Check List and integrating it with the plan of action which tutors
must ensure delegates understand. It is an approach that has been found to be extremely powerful, prevents
auditors working in a random and haphazard way, and ensures that the audit is undertaken in a systematic and
time effective manner.
Step A) What are the requirements of the standard and are they implemented?
At this stage, in line with the clause that is being audited, the auditor asks questions to verify what the standard
requires and whether it is implemented by the organization.
Since the auditor at this stage is trying to find out whether the requirements are implemented in the QMS, the
answers expected are yes/no, and hence the auditor generally uses closed questions.
Are the risks determined considering the internal issues identified by the organization that are relevant to its
purpose and its strategic direction?
Are the risks determined considering the external issues identified by the organization that are relevant to its
purpose and its strategic direction?
Are the risks determined considering the requirements of the interested parties determined that are relevant to
the QMS?
Are opportunities also determined in all the above three cases?
Are the risks and opportunities prioritized and acted upon?
Are the actions integrated into the QMS processes?
And so on…
Step B) What are the activities in the focus area relevant to the clause and where are they carried out?
Here, in line with the questions listed above, the auditor adds details of which functions are involved in
meeting the standard’s requirements and what activities they perform in relation to these
requirements. This is done in the light of the QMS documented information maintained by the organization and made
available to the auditor.
In a nutshell, the organization’s activities are now being linked into the check list.
In the case of Grand supermarket, QSM 001 provides us with the information on the key process of strategic
planning.
“It is the responsibility of the Customer Services Manager to prepare list of the context, risks, interested parties and
their requirements.
Managing Director shall review and approve the same. Then these would form a part of the Strategic planning
manual which would be prepared by the Customer Services Manager. Managing Director would approve this
manual.
This manual reflects the methodology of percolation of the objectives, risks, interested parties’ requirements to
various functions.
All the line managers are responsible for implementing this manual. A review of the process objectives derived in
this manner, risks & opportunities is to be done quarterly by the line manager. These are reviewed in the
Management Review meet.
Any resource requirements in these regards shall be brought to the notice of the Top Management and shall be
taken on priority”…...
The auditor now starts adding questions in the light of this information, as below:
Is the list of context, risks, opportunities, interested parties & their requirements prepared by the customer service manager?
Is this list approved by the managing director?
Is the percolation of this done to and done by the line management?
Are adequate resources available?
At this stage also the auditor is trying to get information that is again in yes/no form, and hence his choice of
questions is generally closed-ended questions.
For undertaking a process approach audit there will be a need to develop comprehensive Check Points that
address the various clauses of ISO 9001 that are relevant to the process approach as well as any specific
ISO 9001 requirements that relate directly to the process itself.
The auditor must now plan how to obtain information and evidence about the check points. Where to start the audit,
who to talk to first. Where to go next, and who to talk to next. How/where to observe the process, how/where to test
the system.
THUS A PLAN OF ACTION IS DEVELOPED (Audit strategy).
Clearly it is necessary for the auditor to have an understanding of how the company is organized and who the key
staff are in relation to the activity being audited.
The "Plan of Action" (strategy) is very necessary to ensure effective use of the limited time that is available to the
auditor, and also to ensure that information is gained in a logical and systematic manner that causes the least
disruption to the auditees. It should also be remembered that it is normal practice to start and end an audit of an
area of an organization with the most senior person, out of common courtesy and also because they are likely to
want to know if anything important has been found by the auditor in their area of responsibility!
This is achieved as the auditor further finds out, from the QSM 001 paragraph above and the organization chart,
that the line management at this section is the Accounts Manager. The auditor hence knows who in the billing
section is responsible for the activities such as risk prioritization, actions, tracking, etc.
With further details known from the organization chart about the billing clerks, the auditor makes a plan for the audit of
those relevant personnel. This action plan for the audit includes the various related areas and provides time slots
so as to cover all the areas appropriately, such as:
Opening brief: 5 mins
Accounts Manager is responsible for risk prioritization, actions, tracking effectiveness, etc. (30 mins)
Billing desk is responsible for implementation of some of these actions. (20 mins)
Customer service manager is responsible for the overall tracking of these activities along with the entire
organization. (20 mins)
Closing meet: 15 mins
Finally,
Step C) How are these requirements addressed and implemented at these functions and how effective is it?
This is the check list the auditor can use during audit.
This is now progressing further from the earlier questions and information details.
At this stage, the auditor is trying to obtain the maximum information during interviews, because he is not only
interested in knowing whether it is done but is also trying to find out how it is done, whether it is complied with by the various
personnel involved, and whether it is effective as well!
The questions he adds here are generally open-ended questions, which should elicit maximum information from the
auditee.
The questions that get added at this stage make this check list comprehensive for use during the audit.
“What if” and “Show me” would be what the auditor requires when looking at the retained documented information.
At the organizational level, the Customer service manager shall be asked questions such as:
How do you approve the targets for the billing section and what are they?
How do you monitor these targets?
Is this information used as input to the management review?
And so on…
Whilst the “Check list” at step A should be entered into the audit files as a formal record of the audit sample, the
“Plan of Action” together with the fully developed “Check list” are personal to the auditor and it would not normally
be necessary for them to be entered into the audit records file.
Often, auditors who cannot find the objective evidence they require will resort to passing a judgment by making an
"Observation" report. Whilst this may sometimes be a useful means of identifying a concern that due to time
constraints the auditor was unable to fully verify, it can lead to subjective auditing (auditor's opinion rather than
judgment against requirements), and conclusions not based on facts due to the auditor's reluctance (or laziness) to
follow a trail and find the necessary objective evidence.
_____________
REMEMBER THAT THE AUDITOR MUST ALWAYS VERIFY ANSWERS GIVEN BY
OBSERVATION OF ACTUAL PRACTICE.
______________
In conclusion, the auditor has developed an understanding of the target area to be audited, has understood how
the requirements of the Quality System standard apply to the activities undertaken within that area, and has then
determined exactly what must be verified at the time of audit.
A plan of action has been developed which will enable the auditor to systematically obtain information, using a
combination of questioning and examination of physical items, or even just observation of actual activities, to
enable the auditor to conclude that requirements are either being met or not.
This planning approach has been found to be very effective in focusing the auditor's mind and forcing the planning
process, which is so often neglected due to the lack of time or the view often held "I know how to audit so let's get
on with it!" It has led to effective and efficient auditing, and enabled relatively inexperienced auditors to undertake
some very in-depth and searching audits, with minimal disruption to the auditees so allowing them to continue with
their work as quickly as possible.
Auditing of Processes to verify conformity with the process management requirements of ISO 9001 will require
verification of the requirements detailed in clause 4.4.
[Figure: Criteria, Resources, Process, Output, Methods, Information]
There will also be feedback of performance from both the process and process output monitoring activities (8.6
and 9.1.1) that will be used to continually improve the Process management activity.
Here there is an important link into 9.1.3 “Analysis and evaluation” which holds the key to an organization’s
improvement focus and activities relating to process improvement, and subsequently leads in to 9.3 “Management
Review” where management need to work with the results of data and information analysis to determine the need
for process and quality management system improvement.
Auditors will also need to establish if the process under audit is the subject of any improvement focus, and in
particular if there are any organizational goals or objectives that relate to the process or process output. Customer
feedback may need to be examined closely to see if there are any significant concerns relating to the process or
process output.
In summary, it will be necessary for the auditor to verify not only that the process conforms to the organization's
process requirements, but also that the process approach principles of ISO 9001 are being applied in relation to
the process, and check lists will need to be developed accordingly.
Audits involve the collection of evidence in order to verify that what should be happening is actually happening,
that is, that practice is in line with intent.
Auditor's task
Verify that the defined system elements exist, are implemented and are effective.
Guidance contained in ISO 19011 suggests that evidence should be collected through interviews, examination of
documents and observation of activities and conditions in the areas of concern.
The auditor’s checklists and associated plans of action will generally steer the audit process through a range of
activities aimed at searching out evidence to confirm conformance with the checklist.
The task of the auditor is to verify that what is prescribed in the documented quality system is happening in
practice, and that what is stated by management to be happening is happening. Information gained through interviews
should be tested by obtaining the same information from other interviews or independent sources such as
observation of practice, materials/products and records.
The auditor always needs "Objective Evidence", however we must also take the view that the auditees are innocent
until proven guilty, so we are searching for objective evidence of nonconformity to stated requirements.
Throughout the audit a certain degree of flexibility needs to be maintained. We must adhere as much as possible to
our audit plan and remain true to our audit sample as detailed in our checklist.
However we must not become a slave to the checklist. Auditors should always decide in advance the sample of
documents, products, materials etc. that they examine at the time of audit, this is known as the audit 'sample' and is
a recognized approach to obtaining objective evidence.
However, there will clearly be some limitations in relation to audit sampling and this must be recognized by those
who receive audit results.
The auditor may have selected a random sample which revealed no evidence of nonconformity, although if the
auditor had taken a larger or different sample such evidence may have been revealed.
It is the auditor's task to determine a reasonable sample, making it larger if there is an indication of a problem, but
not to take such a large sample (100%!) that the auditor spends an undue amount of time undertaking the audit. The
principle of auditing is to take a reasonable sample in order to gain a level of confidence in a system.
What do we examine?
Auditors will need to decide what they will examine in order to obtain the necessary objective evidence to be able to
answer the questions on their Check List. They will need to decide how many they look at and how they will access
the necessary documents /records / items etc.
Documentation
There is often a vast quantity of paperwork that may be examined by an auditor, e.g.
Work related documented information maintained by the company such as
Procedures/Work Instructions
Quality Plans
Project Plans
Inspection/Test Data
Specifications
Drawings
Contracts/Orders
Minutes of Meetings
Failure Reports
Vendor Performance Data
Verification Results
Design Review Meeting Minutes etc., etc.
Remember, procedures are provided to communicate company requirements to the auditee’s staff, and not for the
auditors! When auditing it is not good practice to simply request various documents for examination on the 'off
chance' that you might find something wrong.
You should decide which documents will provide you with the evidence that you require to answer the questions on
your Check List and then ensure that you obtain a sample of your choosing.
The following provides examples of typical items that auditors might wish to examine during an audit, dependent
upon the type of organization they are auditing.
Good auditors will always remain alert to potential problems in relation to these, and a few reminders are also
provided (although auditors should not get sidetracked from their primary objectives as detailed on the Check List,
they should nevertheless remain alert to such potential problems). The auditor may decide to examine the
following:
Materials:
Correct materials
Handling/storage facilities
Identified
Correctly used
Disposal facilities
Shelf life requirements
Appropriate instructions
Safety warnings
Return to stores
Products:
Identification
Storage
Handling
Packaging
Test results / Inspection results
Traceability
Conformance Paperwork
People:
Competence (Training/Qualifications etc.)
Attitude
Physical attributes
Suitable environment
Sufficient numbers
Familiarity with Procedures and Instructions
Awareness of responsibilities
Availability
Auditing Technique.
At the time of audit we may use a combination of audit strategies and techniques in order to verify conformance to
requirements. The auditor should also maintain a degree of flexibility and be prepared to follow audit trails as they
arise.
The following of audit trails may of course prove helpful or a complete waste of time, and the auditor must use
judgment in deciding when to follow trails that may require considerable deviation from the audit sample originally
deemed necessary.
The auditor follows a logical sequence of audit progression through an activity. The auditor may start at the
beginning of a process and observe the process as each process step is undertaken, asking questions at
appropriate times or requesting to see various documents, examining materials, tools etc.
Alternatively the auditor may start at the output of the process and work backwards to establish how the
organization has arrived at the outputs that have been obtained.
The auditor may decide to start with managers and work 'down' the organization to working level, or may first
observe the process and then work up through the organization talking to supervisors and then managers.
The auditor may decide to examine a client file and select some of the contents for examination. The auditor could
check the file index to verify that what has been selected should be contained within the client file, and then
examine the procedure to verify that the index and what has been selected is required to be contained within the
file by the procedure.
The auditor could then question management (or process owner) to establish the view of what is required to be
contained within the client file. The auditor has undertaken a 'backwards' trace.
An alternative approach would be to talk with management (or the process owner) first to establish needs, then
examine the procedure to see that the needs were reflected, and then examine the index of a client file following
which the contents of the file would be examined to verify that what was supposed to be in the file was indeed
present.
The advantage of the first approach is that the auditor may find some very interesting details contained within the
client file that might not be filed in the correct place, or may indicate a possible problem in an aspect of operation
that relates to general matters involving the interface with clients.
The auditor may decide to observe the process of receiving goods into the organization, beginning with the goods
in the receiving area and observing the progress of these into a stores area (or directly to the point of use). The
auditor would observe activities undertaken, asking questions of staff as appropriate, examining work instructions,
inspection/test tools and equipment etc.
An alternative approach, working 'backwards' would be to begin the audit in the stores area, selecting some items,
requesting to see the paperwork that relates to them, identifying the inspector, obtaining the inspection records,
viewing the inspection instructions and verifying that the records are as the instructions require.
The auditor could then verify that the instructions have been produced to reflect the requirements of associated
design specifications, and have been correctly authorized. The auditor could also identify the supplier and establish
that the goods have been received from a supplier that is "Approved" and has been formally 'evaluated'.
Clearly backwards tracing can be very probing and leads the auditor quickly into the possibility of following trails,
however it is much easier for an auditor to be distracted from the original objective when working in this manner,
and so careful control over the process needs to be exercised if the auditor is to complete the intended audit tasks
without unnecessary distraction.
Trail Following
During the course of an audit the auditor uncovers something that is worthy of further investigation, however this
now leads away from the original plan of action and may even involve progressing the audit into other areas of the
organization not originally intended for audit or areas that have been/are to be audited at some other time.
Sometimes it is better to take notes and follow the trail at a more convenient time or when the audit moves to the
area where the trail leads. It may even be more appropriate if time is limited to report the concern to the auditees in
order that they may investigate. (This does not mean writing an "Observation Report"!)
Throughout the audit a certain degree of flexibility needs to be maintained. We must adhere as much as possible to
our audit plan and remain true to our audit sample as detailed in our checklist. However we must not become a
slave to the checklist. If a trail arises that is relevant to the overall objectives of the audit, or relates to something of
major concern (safety, health etc.), then consideration should be given to investigating fully.
The following of audit trails may of course fail to reveal nonconformities and waste a large amount of audit time,
and the auditor must use judgment in deciding when to follow trails that may require considerable deviation from
the audit sample originally determined. In some cases it may be necessary to refer such decisions to the audit team
leader.
At the time of audit we may use a combination of audit strategies and techniques in order to probe the system and
verify conformance to requirements. The auditor should maintain a degree of flexibility and be prepared to follow
audit trails as they arise and if relevant to the audit objectives. It should be remembered that the audit is being
conducted to provide both the auditees and the auditor's client with information with a view to overall improvement.
Interview Techniques
From our plan of action we know who we should interview and what information we are searching for. The persons
we wish to interview will range from very senior managers through to those who actually undertake the day to day
activities in the organization and clearly the information we seek from the different levels in the hierarchy will be
possibly different and will need to be sought after in different ways. We need to be aware not only of who we wish
to see, what we are trying to establish and therefore what questions to ask, but we need also to be aware of the
psychological aspects of this process.
Remember also that even asking one question of an auditee is effectively conducting a short interview.
For senior managers we will inevitably adopt a more formal style of interviewing technique than with other
employees. Senior staff are more likely to feel comfortable with this style, and it can be modified to suit
the circumstances and the relationship between both parties that either exists at the start of the interview or as it
progresses. Both the interviewer and interviewee appreciate that time is always precious and a well prepared
interviewer will be able to extract the necessary information in the shortest time and allow a busy manager to get on
with his work.
We select the right people during the preparation and planning stages, and the generation of check lists ensures
that we are well prepared.
Interviewers must remember that everyone is human, and that the interviewee may not fully understand what we
are trying to achieve and may have some fears about the process and the eventual outcome. We will achieve far
more if the interview is conducted in a relaxed atmosphere and one where neither party feels threatened or
intimidated. Good interviewers learn to adjust their style dependent upon the response to the process from the
interviewee.
Preparation
Preparation is everything previously addressed for audit/assessment preparation, however, the interviewee also
needs to be prepared for the interview process.
Clearly for senior management there should already be a good understanding of what an assessment is likely to
involve, and one always hopes that appropriate steps have been taken to convey this to middle management and
other company employees and the part that they are expected to play.
However, when interviews are conducted with middle management one must expect to spend a short period of time
“preparing” the interviewee for the questioning process, introducing yourself and explaining what you are about to
do and how you intend to do it.
Entry
The first step in undertaking a successful interview is to arrive on time. Introduce yourself to the interviewee and
ensure you record the interviewee’s name and job title when they introduce themselves to you. It is important to
spend a short period of time gaining the person’s trust and confidence, if necessary explaining the assessment
process and how you intend to proceed. If possible request that telephone calls and other interruptions be blocked
and indicate the time that you will need. When the person is seated comfortably begin by explaining the process
and give the interviewee the opportunity to ask questions about the process and how the information gained will be
used.
It is not good practice to use a tape recorder at such interviews, however if the interview is to be recorded ask
permission to do so. Explain that you are only recording the interview so that you can pay greater attention to the
interviewee and will not have to take detailed notes. Let the interviewee see the tape recorder, switch it on and
place it in full view. If there is clearly a negative reaction, or the interviewee is uncomfortable about the use of a
tape recorder, don’t push the point, switch it off and return to taking notes. If a guide has been allocated by the
company, try to ensure that it is the interviewee that responds to the questions.
Conduct
Interviews are conducted by basically asking questions of the interviewee and taking appropriate notes of the
responses.
For a well prepared interviewer the previously prepared check list provides a framework for the interview and
enables satisfactory responses to be recorded against each question. Only points of interest, variances to previous
responses (obtained from previous as well as this interview) and outright deficiencies or nonconformances need to
be recorded.
Exit
Once all questions on the check list have been addressed give the interviewee an opportunity to make any other
comments. Now is the time to summarize any concerns or deficiencies that have been noted and ensure that the
interviewee agrees with your conclusions and if required signs the official record of findings. If a guide has been
present throughout the interview you may require this person to sign such formal documentation. Tell the
interviewee what you need to do next (you may need to be taken to another part of the company or be introduced
to somebody else in the same department), thank the interviewee for their time and co-operation.
INFORMATION GAINED THROUGH INTERVIEWS SHOULD BE VERIFIED BY ACQUIRING THE SAME FROM
OTHER INDEPENDENT SOURCES, SUCH AS PHYSICAL OBSERVATIONS, MEASUREMENTS AND
RECORDS.
REMEMBER THAT THE AUDITOR MUST ALWAYS VERIFY ANSWERS GIVEN BY OBSERVATION OF
ACTUAL PRACTICE.
“OBJECTIVE EVIDENCE”
Questioning Techniques:
An auditor needs to be a good communicator. However, communication must be in both directions, and it is
necessary for the auditor to seek information by asking a question, and then to await and fully understand the
response to that question.
Asking closed questions (those requiring only a YES/NO response).
Asking and answering own questions.
Not giving the interviewee sufficient time to respond.
The auditor must learn how to formulate and ask questions that promote feedback of information, and also how to
gather additional information when the initial feedback includes generalizations or distortions or has omissions.
We use language to communicate thoughts and ideas which exist in our brains, however the words we use are only
a representation of those thoughts and ideas. We do not communicate the full extent of the image/thoughts/feelings
or understanding that exists in our mind, and some people find it very difficult to convey in words what they really
mean. Hence the language that we use may not be translated back into the same
image/thoughts/feelings/understanding by the recipient. Once the recipient is aware of this problem he/she can
work to build up a better picture by testing the information given and retrieving missing information.
Thus communication from an interviewee may include generalizations, omissions and distortions, and it is the job of
the interviewer to retrieve this missing information to provide a clearer or more complete representation.
An interviewer, and hence assessor or auditor, must know how to ask a question in the first instance to gain
information, and in the second instance to ask further questions to clarify or obtain more accurate or complete
information.
1. Missing Information
The interviewer must supply omitted information or, recognizing that it is missing, ask for more information.
2. Unspecified Nouns
“Vehicle” is less specific than “car”. “Car” is less specific than “BMW”. “BMW” is less specific than “320i”.
Words like IT, THIS, THEY are also very unspecific terms.
3. Unspecified Verbs
Some verbs are more specific than others e.g. “carry” is more specific than “move”. To get more information an
interviewer will use the word “HOW”.
Thus:
Very often an interviewee will use words that imply a lack of choice, such as CANNOT, SHOULD NOT, MUST,
SHOULD; there is actually a choice and on further questioning the interviewer is often able to establish why there
is a lack of choice or what the actual choices are.
Thus:
Q. The customer needs to know the pricing structure for this product, can you provide it?
A. We should not give customers that information.
Q. What is the reason for not giving the customer this information?
What would happen if you did?
(We could also establish if it is “all customers” or just some customers who should not get this information).
3. Universal Quantifiers
Words such as “NEVER”, “ALWAYS”, “ALL” and “EVERYBODY” are universal quantifiers and are usually used as
a very broad generalization. The interviewer should not accept these generalizations and should try to obtain
additional information.
Thus:
Key Words
In the previous section you will have noticed the frequent use of certain key words. Words which may be used in a
question to force a response (i.e. open questions).
WHY
WHEN
WHERE
WHO
WHAT
HOW
These words may be used to very good effect, but particularly when used with SHOW ME are very powerful in
gaining not only information but enabling verification of what is said.
Thus:
Q. How do you store flammable materials?
A. They are stored in a separate secure area provided with appropriate warnings and fire fighting mechanisms.
Q. Could you please SHOW ME!
Sometimes in order to “test” the system the auditor will use hypothetical questions such as -
I am sorry, I did not quite understand that, could you explain that again please?
Repetitive questions can be very useful to verify conformance to procedures. The same question may be asked of
different people, to see if the response is the same. The same question may be asked of the same person, with an
interval of time, to see if the response is the same. The same question may be asked of the same person, but
asked in a different way, to see if the response is the same. In all cases if there is a difference in the response then
the auditor needs to investigate in more depth to find if there is a nonconformity.
Sometimes it is useful to find out the opinion that an auditee has of a procedure, or system. If they appear to
consider the procedure to be complex, or even unnecessary, then it may indicate to the auditor that the procedure
is not always followed and so further investigation is needed to see if there are instances when there has been a
failure to comply with the procedure.
The auditor should not avoid asking the obvious questions, and this can be a particular problem for auditors who
have technical knowledge about the audit subject, and who may feel that by asking an obvious question they are in
some way revealing their own weakness in knowledge to the auditee.
In Summary, the auditor needs to be systematic. All questions that ought to be asked should be asked; if it is on the
check list, then it must be addressed. We should use various questioning techniques aimed at establishing what is
happening and which encourage the free flow of information.
Once we have asked a question we must then give the auditee an opportunity to respond, and most important of all
we must listen carefully to the response.
AUDITORS MUST LEARN TO LISTEN WITH THE MIND AS WELL AS THE EARS!
Points to remember
Audit Etiquette:
It is worth noting that there are no rules that relate to the general activities of auditors specified in any national or
international standards, only approaches that have evolved over time and been found to be helpful in ensuring
audit objectives are satisfied in a systematic manner satisfactory to the auditees and the client and generally in
ensuring no misunderstandings, bad feelings etc.
This is the whole purpose of ISO 19011. The protocols provided in ISO
19011 relating to Opening, Closing meetings, audit preparation, gathering of information, roles and responsibilities
of auditors and team leaders, evaluating findings, reporting of nonconformities etc. are regarded as good practice
and provide general guidance or a 'code of practice' for auditors.
The main problem in relation to auditing is the selection of the right people to act as auditors and ensuring that they
do not misunderstand their role and associated responsibilities, or assume that they have some increased authority
as a result of acting as an auditor. Many auditors have become filled with their own self-importance.
Auditors should always remember that they are not auditing for their own amusement or to keep themselves
employed, they are there to obtain information on behalf of their 'client'. They should always conduct themselves in
a friendly, non-threatening manner remembering that at all times they are a 'guest' in someone else's house and so
should obey the 'house' rules.
They should never accuse or try to make people feel guilty of a 'crime'.
Their task is to find the objective evidence without resorting to tricks and traps, to focus on important things and not
trivia and not to jump up and down with ecstatic delight when they find a nonconformity!!
Auditors should respect confidentiality at all times and be aware of sensitivities in this respect. It is often the
case that regulatory audit results are entered into the public domain, and any regulatory auditor will need to
understand that this is the case and that what they write into audit reports, or documents that they photocopy and
take back to their office could be viewed by others on demand.
Many organizations are very concerned that auditors will audit competitors and then reveal commercial secrets
(unintentionally). A typical example of this is an auditor who notices an example of good practice in one
organization and then tries to encourage another organization to adopt this practice - this is usually done by an
auditor making "observations" (expressions of personal opinion based on the auditor's own experiences).
Some organizations are now insisting that the auditors they see from a Third Party organization are not involved in
carrying out audits in competitor organizations. Auditors should keep their opinions to themselves, and only give
them to their 'client' if the client has asked for them.
Auditors should always be sensitive to the needs and feelings of the people that they are auditing, and have
respect for people generally and be aware of and sensitive to cultural issues, particularly when working outside of
their usual cultural environment. They should always politely introduce themselves to whoever they meet and
explain what they are there to do.
It is not normal practice for auditors to demand to see things or speak with people; they should always request, and
should respect the right of the auditee to sometimes refuse a request (it may be for a good reason).
They should never remove or keep documents etc. without a formal request and should always ask if they wish to
photocopy any item. After examining items they should hand them back and thank the auditee.
Upon completion of an audit activity the auditor should always thank those who have assisted by responding to
questions or providing information, access to areas etc.
Auditors should always remember that they are in a very privileged position and should never abuse that privilege.
From the auditor's point of view, the intention is to expose any weakness that there may be in the Quality
(Management) System, however from the auditee's point of view it may be undesirable for the weaknesses to be
observed by an external auditor.
Hence a game is often played!
People can often feel threatened when the auditors appear, they may fear for their job if deficiencies are found in
their area of responsibility. They may be easily upset.
People do not like being observed carrying out their day to day tasks by those with a critical eye.
If we take the above into consideration, then it is hardly surprising if sometimes the auditor is not made to feel
particularly welcome! Or indeed feels that the truth is being hidden.
We should try and remember a few simple rules that relate to the personal side of auditing:
Be relaxed.
Be human.
Be courteous.
Display interest in the auditees and their work.
Remain cool, calm and collected.
Act professionally.
Remember that auditing is not "interrogation". The auditor should engage all auditees in gentle and polite
conversation, injecting questions as appropriate, and should not appear to be disappointed when nonconformities
are not found and ecstatically excited when they are!
Auditor Tactics
The task of the auditor is to clearly establish if working practices accord with the appropriate Quality System
Standard and are in compliance with laid down procedures, and to do this certain tactics may need to be adopted
depending upon the situation at the time of audit and the degree of co-operation that prevails.
Be well prepared.
Be on time.
Get on with the task.
Do not argue.
Use the check list.
Discuss problems when they are found.
Additionally, the following are points worthy of note:
If you cannot get the information that you require in one part of the organization, seek it elsewhere.
If you are faced with non-co-operation from one person, try another.
Follow trails to the ultimate conclusion (if they are relevant to the audit).
Auditee Tactics
It is worth noting that a successful audit is dependent not only upon the skill of the auditor, but also upon the
degree of openness and co-operation of the auditees. The auditor's task can often be made more difficult when
faced with the following, and a skillful auditor must learn how to handle these situations successfully:
Argumentative people.
Outright aggression.
Time wasters.
Wafflers.
Flatterers.
Senility.
One-upmanship.
Planned/unplanned interruptions.
Cook’s Tours and long explanations.
Extended coffee/lunch breaks.
Pleading of special cases.
Missing Documents.
Remember, the most difficult people to audit are very often those who have been trained as auditors themselves,
they know all the tricks in the book!
Auditing is about learning to talk to and handle people, and it is worth noting that auditors should be
selected from those who exhibit the necessary attributes, as well as those who have received professional
training.
The auditor should maintain a record of areas visited, key staff interviewed and, where it may be necessary to refer
to them in subsequent discussions or interviews, particular observations made, items of equipment / tools / materials
and documents viewed. It is not necessary to record the details of all interviews or responses to questions asked,
however an auditor quickly learns that it is very necessary to take good notes at the time of audit as invariably they
will need to be referred to later in the audit or when writing a formal report.
Such auditor's notes are for the auditor's personal use only and are very rarely retained as formal audit records
(although some auditors will keep them until the report has been accepted).
As a minimum the following should be recorded in a formal manner:
Instances of nonconformance to the Quality System Standard.
Instances of nonconformance to the QMS information document/s, or documented working practices.
These formal records constitute the output from the audit and should be recorded on official paperwork.
For Internal Audits company auditors invariably use the terminology given above. For assessments undertaken by
second or third party organizations the following terms may also be encountered:
The important point to remember is that the auditor must detail clearly and concisely what has been observed and
why it is a concern. The auditee needs to know what the problem is before it can be satisfactorily corrected.
The term "Observation" is not preferred by us as it is invariably misused by auditors to indicate either a lower order
nonconformity or an impression gained but without supporting facts. It is also often used by auditors as an
expression of personal opinion which could be closely linked to the auditor recommending a course of action or
encouraging an organization to adopt a practice which the auditor has learnt about in a competing organization.
Auditors must remember that they should report only agreed findings based on factual evidence. It is good practice
to gain the signature of the auditee (or auditee's representative) on the audit ‘Nonconformity’ report, however not all
third party organizations will do this at the time of finding the facts but may wait until a later time when reviewing the
audit results with management or the contact person.
It is important however that the facts are agreed before the auditors move on to another area, and good practice to
complete a nonconformity report at the time of finding the nonconformity and gaining an auditee signature (guide or
senior person with responsibility for the area being audited - not the actual person at working level, as they may
feel that they are being forced to admit to a crime and signing to agree their guilt!)
The Nonconformity statement needs to be worded so that it is understandable to those who were present at the
time of audit and also to those who were not and who may be involved in implementing corrective actions. It is a
means of communication, and if the auditee cannot understand it then the auditor has failed to communicate
effectively!
Statements should be clear, concise and meaningful to enable the auditee to fully understand the problem and
correct it.
Remember that such statements need to be written at the time of audit and so should be short, sharp and to the
point. It is normal protocol not to name names in such statements as this could give rise to the allocation of blame
without determining the real (root) cause of the problem. It is better to give someone's title rather than name if it is
unavoidably necessary.
EXAMPLES:
Procedure EM008 issue 03 requires that all temperature controlled vehicle trailers have the temperature
monitoring unit checked monthly.
Records of checks viewed in the Logistics Department indicate that Vehicle trailer GB107 has been in service for
six months without such a check having been performed.
Procedure CBD1/91 requires all out of date leaflets to be removed from the display point immediately on receipt of
re-issued stock. Leaflets BE03, BE05 and BE 15 A were displayed at the reception desk alongside versions
BE03A, BE05A and BE15B, which had been issued 6 months prior to the date of audit.
Work Instruction JF1063/1 found in the possession of laboratory technical assistant Ian Howes was found to be at
issue 03.
Master Record Index MRI 010 indicates that the latest issue that should be in the possession of all relevant staff is
04.
To make it easier to write a non-conformance it is suggested that auditors first collect information in the categories
WHAT, WHERE, WHY and then try to rearrange the words to provide a clear and concise statement.
For example:
Issue 03 drawing for Frame Assembly (GT 0816).
Production planning document PP86 requires issue 04. Inspector undertaking inspection of frame assembly.
This could be written as follows:
Inspection of Frame Assembly GT 0816 was observed being performed in the inspection area of production unit B
by inspector using issue 03 of drawing. Production planning document PP86 indicates that issue 04 drawing should
be used.
Alternatively:
In the inspection area of production unit B, frame assembly GT 0816 was being inspected to issue 03 of drawing
instead of issue 04 as required by production planning document PP86.
There are many ways of saying the same thing; what is important is to convey meaningful information to the
auditee to enable appropriate corrective action to be undertaken, and to do so using the minimum number of words
whilst not losing information or meaning.
Some auditing organizations require their auditors to categorise nonconformities as major or minor or attach a
numerical indicator of severity, i.e. Category 1, 2 or 3.
It is important for an auditor to differentiate between things that are of a serious nature and those that may be less
so, however the categorizations in common use (and not identified in ISO 19011) are considered to be somewhat
subjective and could result in much debate at the time of audit, particularly if to receive a 'major' nonconformity
could result in the lack of formal approval or loss of an order.
Such judgments are best left to the Team Leader once all audit results are available.
In summary, the human short term memory is not particularly adept at retaining large amounts of data when such
data is being rapidly received. In an audit situation we are in a completely new and possibly strange environment, it
is easy to become overwhelmed by what we see and hear.
In this situation it is often difficult to remember all of those interesting things that need to be investigated further at
some later time or in another section of the organization. It is advisable and indeed good practice for an auditor to
record this type of data in working notes.
Also, notes should be made of who has been interviewed, where in the organization the audit has been conducted
and what procedures or documented working practices or drawings etc., have been examined.
IF ADEQUATE NOTES ARE NOT TAKEN IT WILL BE VERY DIFFICULT TO RECALL WHAT HAS BEEN
OBSERVED.
Person(s) interviewed
Document numbers and issue status
Equipment identification
Product/material identification
General housekeeping conditions
Make mental notes or write down impressions gained of:
Workloads,
Attitudes,
Reactions
Organization,
Condition of equipment
Awareness and understanding of procedures
Remember to listen to what is said and observe at all times, analyse and record what is important, and
when nonconformities are found.
Record the important facts and gain agreement with those facts.
SECTION 7:
Check List based on ISO 9001 clauses 7.1.6, 7.2, 7.3 (Organizational knowledge, Competence, awareness)
A Typical QMS information document/s, front sheet, contents list and procedural section (Training & Staff
Development).
Check list incorporating QMS information document/s
requirements.
An example of a Check List Form.
Example of an auditor's "Plan of Action".
NONCONFORMITY REPORTING
COURSE MATERIALS
WHAT THE AUDITOR IS TRYING TO FIND OUT:
Determination of knowledge required
Maintaining this knowledge
Availability of knowledge
Changing needs determination
Competence determination
Identification of competence gaps
Actions
Retaining documented information
Awareness of quality policy and objectives
Awareness of contributions to effectiveness
Implications of not conforming to the quality system requirements.
A Typical QMS Information Document/S, Front Sheet, Contents And Procedural Section
CONTENTS
1.0 FOREWORD
SUPPORT PROCESSES
Process control
Configuration management
Strategic planning/context/risk and interested parties’ requirements
Product identification & traceability
Property belonging to customers or external providers
Control of documented information
Inspection & testing
Monitoring and measuring resources
Facilities maintenance
Nonconforming output
Corrective action
Storage of items
Product safety
Competency, training & staff development
It is our policy that all staff shall be appropriately qualified to enable them to undertake the tasks expected of them
and that they shall be provided with the opportunity to develop their skills and abilities in support of company
operations and their desire for self-improvement. They shall be made aware of the relevance and importance of
their jobs and how they contribute to the achievement of company objectives.
Implementation:
The Director of Human Resources shall act in the capacity of Training Manager on behalf of the
Executive Management Team and shall coordinate all training activities.
The Director of Human Resources shall ensure that the training needs of all staff are reviewed on an annual basis.
All managers are responsible for undertaking an annual review of the competency requirements for work activities
undertaken in their areas of responsibility and for the assessment of individuals performing tasks against these
competency requirements. Where there is an identified need to develop an individual's competency the actions
necessary, including any desirable training shall be communicated to the Director of Human Resources.
Managers shall assist in the development of staff by identifying training needs necessary to enable staff to perform
their tasks and also preparing them for future tasks and promotional possibilities.
Departmental managers shall ensure that all staff within their department are provided with formal Role Definition
Documents that make clear how activities undertaken by the job holder contribute to the achievement of company
objectives, and in particular any specific actions to be taken in support of such.
The Director of Human Resources shall review all training requirements on an annual basis and prepare a
Company Training Programme together with an associated budget for consideration and approval by the Executive
Management Team.
The Company Training Programme shall be a combination of In-Company and external training solutions to meet
both essential and desired training requirements for both the company and individuals.
Individual staff development programmes shall be prepared by managers working under the guidance of, and in
conjunction with, the Director of Human Resources.
Procedures:
CQM 001
Date: 01/01/0x
A review of the Company’s QMS Information document requirements enables the auditor to develop the Check
Points to include those requirements of the Company’s QMS Information document that are relevant to the
Competence, awareness and training requirement of ISO 9001. Thus:
Has the organization identified competency needs for personnel performing work affecting product quality?
Does the Director of Human Resources ensure that the training needs of all staff are reviewed on an annual basis?
Are competence requirements for all work activities reviewed on an annual basis by managers?
Are actions to achieve competence, including training needs communicated to the Director of Human Resources?
Do managers identify training needs necessary to enable staff to perform their tasks and also to prepare them for
future tasks and promotional possibilities?
Does the Director of Human Resources review all training requirements on an annual basis and prepare a
Company Training Programme together with an associated budget?
Has the organization provided training, or taken other actions to satisfy these needs?
etc., etc.
THIS CHECK LIST MAY NOW BE PLACED ONTO A CHECK LIST FORM, WHICH IS OFTEN USED BY
AUDITORS IN ORDER TO FORMALLY RECORD THE HIGH LEVEL CHECK LIST AND ALSO TO PROVIDE
THEM WITH A DOCUMENT THAT MAY BE USED AT THE TIME OF AUDIT.
ITEM NOTES
etc., etc.
Example "Check list with details of Auditor’s Plan of Action" - ISO 9001 clauses 7.1.6, 7.2, 7.3 (Organizational
knowledge, Competence, awareness)
Speak to Director Human resources. 20 mins. Verify statements made by Manager & Staff.
Detailed Check List - ISO 9001 clauses 7.1.6, 7.2, 7.3, 7.4 (Organizational knowledge, Competence, awareness,
Communication)
To Manager of Department:
How do you ensure that department staff are competent to undertake their duties?
How are training needs assessed?
Who is responsible for assessing training needs?
How do you ensure that necessary training is provided?
Who is responsible for providing necessary training?
How often are training needs assessed?
For three identified staff members - What aspects of the job are particularly relevant to the achievement of
company objectives?
(Review training needs assessment and record of training received for three staff).
You will be contacted by the CQI and IRCA for feedback on the course and your Approved
Training Partner.
Filling in this short survey will help to ensure the continuing high standards of these courses.
For further information, the CQI and IRCA offer a range of services to support you
throughout your career.