ISO 9001 Internal Auditors Trainingwww.iso9001consultant.org
Empty your cup andenjoy the presentationFacts about ISO 90011. ISO 9001 is beingimplemented in 175countries around theworld2. Over 1.2 millioncertificates issuedworldwide3. ISO has 163 membercountries
Learning objectives1. What is an audit?2. How to manage an audit program?3. How to perform an audit?4. What kinds of evidence to look for in an audit?5. What are the responsibilities and competencyrequirements of an internal auditor?Target audience1. Internal auditors2. Relevant interested parties
ISO 9001:2008 Clause 8.2.2 Internal audit• The organization shall conduct internal audits at planned intervals todetermine whether the quality management systema) conforms to the planned arrangements (see 7.1), to the requirementsof this International Standard and to the quality management systemrequirements established by the organization, andb) is effectively implemented and maintained.• An audit programme shall be planned, taking into consideration the statusand importance of the processes and areas to be audited, as well as theresults of previous audits.• The audit criteria, scope, frequency and methods shall be defined. Theselection of auditors and conduct of audits shall ensure objectivity andimpartiality of the audit process.
ISO 9001:2008 Clause 8.2.2 Internal audit• Auditors shall not audit their own work.• A documented procedure shall be established to define theresponsibilities and requirements for planning and conductingaudits, establishing records and reporting results.• Records of the audits and their results shall be maintained (see 4.2.4).• The management responsible for the area being audited shall ensurethat any necessary corrections and corrective actions are takenwithout undue delay to eliminate detected nonconformities and theircauses.• Follow-up activities shall include the verification of the actions takenand the reporting of verification results (see 8.5.2).• NOTE See ISO 19011 for guidance.
Benefits of audits1. Conformance to Clause 8.2.2 of the ISO9001:2008 Standard2. Continual improvement of the QMS3. Generate a “second opinion” on the QMS
Audit defined 1• Audit is a systematic and documented processfor gathering audit evidence and evaluating itagainst the audit criteria to determinewhether it has been fulfilled• Audit criteria is a set of policies, procedures orrequirements ISO 9001 and your QualityManual is the audit criteria
Audit defined 2• Audit evidence is records, statements of factor other information which are relevant tothe audit criteria and verifiable• Audit conclusion is the outcome of an auditprovided by the audit team afterconsideration of the audit objectives and allaudit findings – Does it conform or not?
Objectives/Purpose of audits• To verify whether your QMSa) Conforms to your quality planning,b) conforms to ISO 9001 requirements,c) conforms to your QMS requirements, andd) is effectively implemented and maintained
Audit mindset• Your QMS can bring your organization closer to itsvision• Your QMS is a tool for continual improvement• Audit is one of the tools of continual improvement (seeClause 8.5.1)• As an auditor, you are part of this continualimprovement process.• You don’t audit to find flaws but you audit to findopportunities where improvements can be made toyour QMS.• During an audit, the auditor and auditee are partnersin this continual improvement process.
Types of audits 1• First party audit you are your auditor (internalauditor)• Second party audit your customer is yourauditor• Third party audit your Registrar is your auditorNote:• Auditor is the person performing the audit• Auditee is the person being audited
Types of audits 2• Combined audit when a qualitymanagement system and anohs/environmental management system areaudited together• Joint audit when two or more auditingorganizations cooperate to audit a singleauditee
Audit strategies• Horizontal audit Verifying a specific audit criteria acrossall departments. Example, checking for conformance to thedocument procedure in the Sales and HR, PurchasingDepartments.• Vertical audit Walking through the business processfrom start to end (or backwards) while gathering the auditevidence• Process approach auditing Audit by verifying theinputs, activities of the process and the outputs• Clause auditing Audit clause by clause of the ISO 9001Standard
Which strategy to adopt?• Doesn’t matter which audit strategy you adopt aslong as you find all the required audit evidence• In the end, as you begin to form an opinionabout the auditee’s QMS, you will discover thatyou have gone horizontal, vertical, processapproach and clausal.
• Who is in charge of the internal auditprogram? Quality Manager/Mgt Rep• Schedule your internal audits and distributethe schedule to all managers annually, semiannually, quarterly• Generate the audit plan for each scheduledaudit and distribute it to the auditor andauditee
Elements of an audit plan Audit number Audit date Audit objectives and criteria Audit scope Auditor Auditee Audit methodology Audit time-table Method of reporting Information regarding safety Any other relevant information pertaining to the audit
Opening Meeting• Attended by auditor, auditee, QualityManager, CEO, etc.• Purpose is to make introductions, confirm theAudit Plan, etc.• Minutes may be recorded
Methods for gathering audit evidence• Interviewing of relevant personnel• Inspection of records• Observation of ongoing activitiesTips• Know what to look for• Ask “Can you show me …..”• Or rephrase the ISO 9001 clauses into questions• Don’t ask leading or misleading questions• Don’t make verbal remarks on the audit evidence, justrecord them• Don’t act like you’re a policeman, just be objective andprofessional
Audit sampling• If it’s a small organization and time permits it,try to interview everyone as you walk around• If there are tons of records, pick randomsamples• How much random sampling would beenough? Keep sampling until you as theauditor are satisfied and convinced
Types of audit evidence to look for 1• Quality Policy• Quality Manual• Procedures (SOP’s) Control ofdocuments, control ofrecords, internalaudit, control ofnonconformingproduct, correctiveaction, preventive action• Quality objectives• KPI’s• Quality Plan• These documents orcombinations thereof, arerequired by ISO 9001.• Verify the contents ofthese documents againstthe ISO 9001requirements• Check to see if they havebeen established andimplemented• The auditee is sayingwhat they are doing inthese documents. Verifythat they are doing it.
Types of audit evidence to look for 2• Statements of facts via interviews• Observations of ongoing activities• Corrective and preventive action records• Audit records• Quality meeting records• Management review meeting records• KPI and process monitoring records• Analysis of data records• Business development, marketing and salesrecords• Design & development records
Types of audit evidence to look for 3• Production and/or service provision records• Quality control records• Purchasing records• Employee appraisal and training records, includingother relevant HR records• Sales receipts and supplier payment records• Management and other relevant reports• Customer complaints• Other records deemed as necessary by record ownersin order to satisfy the requirements of the ISO 9001International Standard
Audit Trail 1Example 1• Is there a Quality Manualas required by ISO 9001?• Does the Quality Manualsatisfy ISO 9001requirements?• Is the auditee conformingto contents of the QualityManual?Example 2• Is there a Control ofDocuments procedure asrequired by ISO 9001?• Does the Control ofDocuments proceduresatisfy ISO 9001requirements?• Is the auditee conformingto contents of the Controlof Documentsprocedure?
Audit Trail 2Example 3• Is there quality planningas required by ISO 9001Clause 7.1?• Does the quality planningsatisfy ISO 9001requirements?• Is the auditee conformingto contents of the QualityPlan?Example 4• Is there a purchasingprocess as required byISO 9001 Clause 7.4?• Does the purchasingprocess satisfy ISO 9001requirements?• Is the auditee conformingto the requirements ofthe purchasing process?
Audit trail• Is there an approved purchaserequisition?• How is the purchase requisitiongenerated?• Does the purchase order satisfythe requirements of the purchaserequisition?• How is the supplier selected?• Was the purchased productverified for conformity against thepurchase order requirements?• Does the auditee control thenonconforming purchasedproduct?• Does the auditee evaluate thesupplier’s performance?Example• Is there a purchasingprocess as required byISO 9001 Clause 7.4?• Does the purchasingprocess satisfy ISO 9001requirements?• Is the auditee conformingto the requirements ofthe purchasing process?
What to bring for the audit?• Auditors should bring the following:1. ISO 9001 Standard2. ISO 9001 Audit Checklist or Audit forms
Auditor’s first move• As you begin to audit, always ask for theQuality Manual first and read it• Why? Because that document describes thequality management system• Why? That document will help you map outthe auditee’s processes and documents
• Prepare for your presentation of your auditfindings by collecting relevant audit evidenceto support your nonconformity findings• You can also collect relevant audit evidence tohighlight any commendable practices of theauditee• Start your presentation with the good findings• Minutes may be recordedClosing Meeting/Audit Reporting
Audit findings• There are only two types of findings:1. Based on the audit evidence, it conforms to the auditcriteria CONFORMANCE2. Based on the audit evidence, it does not conform tothe audit criteria NONCONFORMANCENote: Audit criteria = All ISO 9001 clauses• You might record any opportunity forimprovement or potential nonconformity andcall it an “observation”
Audit report formatContains the following• Executive summary (optional)• Copy of the Audit Plan• Audit summary• Audit findings, which include the relevant ISO9001 criteria, audit evidence and auditconclusion/decision
Audit findings integrity• The integrity of your audit findings rests uponthe audit evidence that you have gatheredduring the audit• The audit findings can be challenged by theauditee if your audit evidence is weak• The audit findings should add value to theauditee’s QMS
Post-audit activities (follow-up)1. Transfer all audit records to Quality Manager2. *Issuance of corrective action requests, ifany, by Quality Manager/auditor (stipulateresponse deadline) based on the audit report3. *Verification of corrective actions taken byQuality Manager/auditor*Observe your Corrective Action Procedure
Issuance of NCR/Corrective Action Request• Nonconformity report source quote theaudit number and auditor• State the response deadline agree on thedate with the auditee• State the ISO 9001/QMS audit criteria thathad been breached• State the nature of the nonconformity,including references to the audit evidence
NCR/CAR response & verification• Record the corrections made• Record the Root Cause Analysis• Record the corrective action made• Record the results of actions taken• Verification of corrective action shall beconcluded as EFFECTIVE or INEFFECTIVE** Ineffective corrective action shall require a freshNCR/CAR to be issued
Auditor’s responsibilities & ethicsBased on these audit principles1. Integrity – the foundation of professionalism,2. Fair presentation – the obligation to report truthfullyand accurately3. Due professional care – the application of diligenceand judgment in auditing4. Confidentiality – security of information5. Independence - the basis for the impartiality of theaudit and objectivity of the audit conclusions6. Evidence-based approach - the rational method forreaching reliable and reproducible audit conclusionsin a systematic audit process
Auditor’s competence• Knowledge of the ISO 9001 requirements• Knowledge of the audit methodology• Have a good idea of what to look for in terms ofthe audit criteria (audit evidence)• In short, get trained.Plus• People skills• Investigative skills (cognitive, verbal, listening)• Presentation skills
Audit independence• Auditors shall not audit theirown work• So you cross audit each otherbased on the applicable auditcriteria
Auditee’s responsibilities• Ensure that all staff, documents and recordsare ready to facilitate the audit evidencegathering• Make immediate corrections to any detectednonconformities , as requested by the auditor• Expedite the corrective action process (do notdelay unnecessarily)
Audit exercises1. Establishing/Reviewing the Internal Audit Procedureplus group presentation2. Establishing the Internal Audit Schedule3. Establishing the Audit Plan4. Role play: Commencing the audit process via theOpening meeting5. Role play: Conducting the audit and gathering theaudit evidence by utilizing the ISO 9001 AuditChecklist6. Role play: Presenting the audit findings in the ClosingMeeting