
Iso Internal Auditor


Presentation I did about ISO internal Auditor

Published in: Technology, Business


  1. The British Standards Institution
       raising standards worldwide™
       Issue 1 December, 2008 QMS-030-01-EN-GX © 2008 BSI Management Systems
  2. ISO Internal Auditor
       Compliance Management
       Prepared & Presented by Yamin K Hajeej
  3. Table of Contents
       1. Introduction to Auditing
       2. The Process Approach and Process Auditing
       3. Managing an Audit Program
       4. Audit Activities
       5. Auditor Competence and Responsibilities
       6. Conclusion
  4. Introduction to Auditing
  5. Auditing
       What is an audit?
       - Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (ISO 19011:2002 clause 3.1)
       Why audit?
       - Requirement of ISO 9001:2008
       - Monitor and measure the management system
       - Promote continuous improvement of the management system
  Principles of Auditing (clause 4.0)
       Principles relating to auditors:
       - Ethical conduct
       - Fair presentation
       - Due professional care
       Principles relating to audit:
       - Independence
       - Evidence-based approach
       Note: reference to ISO 19011:2002 clause number
  11. Benefits of Auditing
       Verifies conformity to requirements
       Increases awareness and understanding
       Provides a measurement of effectiveness of the management system to top management
       Reduces risk of management system failure
       Identifies improvement opportunities
       Continuous improvement if performed regularly
  12. Types of Audit
       Registration / Certification
       Product
       Customer contract
       Gap assessment / Pre-assessment
       Surveillance
       Combined audit / joint audit
  13. The Process Approach and Process Auditing
  14. Process Approach
       The process approach emphasizes the importance of:
       Understanding and meeting requirements
       Looking at processes in terms of added value
       Obtaining results of process performance
       Continual improvement of process
  15. PDCA (Plan-Do-Check-Act)
       The Plan-Do-Check-Act (PDCA) methodology applies to all processes
       [Diagram: Plan, Do, Check, Act around "Your Process"]
       - Deploy and conform with plan
       - Activities
       - Controls
       - Documentation
       - Resources
       - Objectives
       Continual Improvement
       - Analyze/review
       - Decide/change
       - Improve effectiveness
       - Measure and monitor for conformity and effectiveness
  Management System Standards and the Process Approach
       ISO 9001:2008:
       - Is based upon the PDCA cycle which can be applied to processes
       - Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a QMS
       ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits
  25. Applying the Process Approach to Auditing
       Auditors can apply the process approach to auditing by ensuring the auditee:
       Can define the objectives, inputs, outputs, activities, and resources for its processes
       Analyzes, monitors, measures, and improves its processes
       Understands the sequence and interaction of its processes
  26. Process Auditing Approaches
       Individual Process:
       Input / Output / Value-added Activity
       Plan-Do-Check-Act
       Resources
       Relationship with other processes:
       Flow / Sequence / Linkage / Combination
       Interaction / Communication
       Evidence
       Customer and supplier contract(s)
  27. Process Auditing “Turtle Diagram”
       Process (specific value-added activities)
       With what? Resources
       With who? Personnel
       Inputs: From Whom/Where
       Outputs: To Whom/Where
       What results? Performance indicators
       How done? Methods/Documentation
  28. Process Auditing Example
       With what?
       - Order processing system
       With who?
       - Customers
       - Competent sales and processing staff
       Inputs
       - Customer requirements
       - Sales staff
       Outputs
       Production/Service Delivery
       Contract Review
       What results?
       - Order processing time
       - Number of orders
       - Value of orders
       - Contract accuracy
       How done?
       - IT system
       - Processing system
       - Terms and conditions
       - Contract review procedure
  Managing an Audit Program
  35. Managing an Audit Program Process Flow (clause 5.1)
       [Diagram labels: PLAN, DO, CHECK, ACT; AUTHORIZE, ESTABLISH, IMPLEMENT, MONITOR & REVIEW, IMPROVE]
       - SCHEDULE AUDITS
       - EVALUATE AUDITORS
       - SELECT TEAMS
       - OBJECTIVES
       - EXTENT
       - ROLES
       - RESOURCES
       - PROCEDURES
       - MONITOR
       - REVIEW
  49. Audit Activities
  50. Typical Audit Activities (clause 6.1)
       [Diagram labels: PLAN, DO, CHECK, ACT]
       Initiating the Audit
       Conducting Document Review
       Preparing for On-site Activities
       Conducting On-site Activities
       Preparing, Approving, Distributing Audit Report
       Completing the Audit
       Conducting Audit Follow-up
  51. Audit Program
       Top management should authorize responsibility for program management to:
       - Establish, implement, review, and improve the audit program
       - Identify the necessary resources and ensure they are provided
       - Organization should develop audit program processes
       - Program should be managed by a member of the organization
       - Keep appropriate audit records to monitor and review the audit program
  Audit Program Responsibilities
       Top management should authorize responsibility for program management
       Those assigned responsibility should:
       - Establish, implement, review, and improve the audit program
       - Identify the necessary resources and ensure they are provided
  Initiating the Audit (clause 6.2)
       Initiating the audit includes:
       Appointing the audit team leader
       Defining audit objectives, scope, criteria
       Determining feasibility of the audit
       Selecting the audit team
       Establishing initial contact with the auditee
  57. Defining Audit Objectives, Scope, Criteria (clause 6.2.2)
       Audit objectives may include:
       Determining the extent of conformity of auditee's QMS with audit criteria
       Evaluation of capability of QMS to ensure compliance with statutory, regulatory, and contractual requirements
       Evaluation of effectiveness of the QMS to meet its objectives
       Identification of areas of improvement
  58. Selecting the Audit Team (clause 6.2.4)
       For team size and competence, consider:
       Audit objectives, scope, criteria, and duration
       Whether audit is combined or joint
       Competence of team to meet objectives
       Statutory, regulatory, contractual and accreditation/certification requirements
       Independence of the team
  59. Auditor Competence and Responsibilities
  60. Auditor Competence (clause 7.1)
       Auditor competence is based on:
       - Personal attributes
       - Application of knowledge and skills
       Competence is to be developed, maintained, and improved
  62. Auditor Competence: Personal Attributes (clause 7.2)
       Open-minded
       Decisive
       Perceptive
       Ethical
       Observant
       Diplomatic
       Versatile
       Tenacious
       Self-reliant
  63. Auditor Competence: Generic Knowledge and Skills (clause 7.3.1)
       Auditor skills and competence could include:
       Audit principles, procedures, and techniques
       Management system and reference documents
       Organizational situations
       Laws, regulations, and other requirements
  64. Auditor Competence: Specific Knowledge and Skills (clause 7.3.3)
       Specific knowledge and skills for quality auditors could include:
       Quality methods and techniques
       Quality terminology
       Quality management tools and their application
       Processes and products/services specific to the sector being audited
  65. Auditor Responsibilities
       Arrive on time
       Maintain confidentiality
       Be objective and ethical
       Support the audit team and team leader
       Plan and prepare work documents
       Inform auditees of the audit process
       Document and support all findings
       Keep auditee informed
       Safeguard all documents
       Prepare the audit report
  66. Audit Activities (Continued)
  67. Audit Planning
       Determine the objective of the audit
       Identify specified requirements
       Determine audit duration and resources needed
       Select the team
       Contact the auditee – agree the date(s)
       Draw up audit plan
       Brief the team
       Prepare work documents
  68. Conducting Document Review (clause 6.3)
       A review of documentation:
       Should be conducted prior to on-site audit activities unless deferring review is not detrimental to the effectiveness of the audit
       May include relevant QMS documents, records, and previous audit reports
       May include a preliminary site visit
  69. Prepare Work Documents
       Prepare work documents
       Use as a reference and for recording audit proceedings
       Include checklists, sampling plans and forms, ISO 9001:2008 standard, etc.
       Keep checklists flexible to allow changes resulting from information collected during the audit
       Safeguard any confidential and proprietary information
       Retain work documents and records
  70. Checklists Preparation
       One approach is to:
       Identify audit scope and process(es) within scope
       Identify applicable factors (inputs, outputs, measures, resources, etc.)
       Use these points and other requirements (ISO 9001:2008, system documentation, etc.) to:
       - Plan what to look at
       - Plan what to look for (audit evidence)
       Prepare checklist
  72. Checklists Structure
       Audit checklist structure:
  73. Conduct On-site Audit Activities (clause 6.5)
       Conduct opening meeting
       Communicate during the audit
       Explain roles and responsibilities of participants
       Collect and verify information
       Generate audit findings
       Prepare audit conclusions
       Conduct closing meeting
  74. Opening Meeting (clause 6.5.1)
       Hold opening meeting with auditee top management and those responsible for processes audited
       Meeting may be informal
       Chaired by team leader
       Audit team present
       Purpose is to confirm all prior arrangements
  75. Collecting and Verifying Information
       Sources of information
       Collect by appropriate sampling & verification
       Evaluate against audit criteria
       Review
       Audit Conclusions
  76. Auditing Process: Collect & Verify Information (clause 6.5.4)
       Collect information relevant to:
       - Audit objectives, scope, and criteria
       - Interfaces between functions, activities and processes
       Collect audit evidence by appropriate sampling and verify and record it
       Be aware of sampling limitations, if acting on the audit conclusion
       Use only information that is verifiable as audit evidence
  78. Auditing Process: Techniques to Obtain Audit Evidence (clause 6.5.4)
       Interview:
       - Personnel that manage, perform, and verify activities
       - Also ensure they are responsible for the activity being audited
       - Listen carefully to responses
       Observe:
       - Identity, status, condition, processes, equipment, activities, environment, and people
  Auditing Process: Audit Evidence
       Review documents that describe:
       - Activities
       - Plans
       - Controls
       - Strategies
       - Exercises
       - Tests
       Review records for evidence of conformity to documents
       Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable
       Audit evidence may be qualitative or quantitative
  86. Communication and Interpersonal Skills
       Put auditee at ease
       Ask short questions and listen
       Reflect right attitude, tone of voice, body language, and facial expressions
       Smile and show eye contact
       Avoid interruptions
       Avoid off-the-cuff and condescending remarks
       Give praise when appropriate
  87. Communication and Interpersonal Skills
       Show interest
       Be tactful and polite
       Show patience and understanding
       Remember to say please and thank you
       Ask the right person
       Don't say you understand when you do not
  88. Questioning Techniques
       Open question
       - Using why, who, what, where, when, or how gets more than a yes or no answer
       Expansive question
       - Further elaborates the current point
       Opinion question
       - Asks opinion about current point
       Non-verbal
       - Uses body language, for example: raise an eyebrow to elicit further information
  Questioning Techniques
       Repetitive question
       - Repeats back response in form of a question
       Hypothetical question
       - Uses what if, suppose that, etc.
       Closed question
       - Gets yes or no answer
       - Avoid using too often
       - Used for confirmation
       Silence
       - Draws more information
  Note Taking
       Notes could be used as reference for:
       - Immediate investigation
       - Investigation later
       - Use by a colleague
       - Subsequent audits
       Notes taken during an audit are a record of:
       - The audit sample taken
       - What was reported
       - What was observed
       Notes may be referenced by subsequent auditor
  96. Sampling
       Samples should test the effectiveness of the system and should be:
       - Representative
       - Structured
       - Independently selected
       Sample size should be based on:
       - Risk
       - Importance
       - Status
       - Findings from the previous/current audit
  Control of the Audit
       Checklist is an aid, not a requirement
       If potential audit trails appear, decide to:
       - Disregard
       - Note for later
       - Follow up immediately
       Following audit trails may affect:
       - Sample size
       - Audit plan
  Handling Difficult Situations
       Examples:
       Constant interruptions
       Cannot find document
       Diversionary tactics
       Called away
       Long telephone calls
       Noisy environment
       Interdepartmental or personality conflicts
       Volunteered information
       Long-winded auditees
       Boastful
       Uncooperative
       Unprepared
       Provocation
       Language
  105. Establish the Facts: Judgment in the Audit Process
       Audit focus must be on conformity and effectiveness, NOT on finding nonconformities
       The auditee must be given the benefit of any doubt where there is insufficient audit evidence
  106. Establish the Facts
       Discuss concerns
       Verify the findings
       Record all the evidence:
       - Exact observation
       - Where, what, etc.
       Establish why it is a nonconformity or otherwise
       State who (if relevant) – preferably by job title
       Obtain agreement with the facts
  108. Generate Audit Findings (clause 6.5.5)
       Evaluate audit evidence against audit criteria to generate audit findings
       Indicate if findings are conformities, nonconformities or opportunities for improvement
       Meet (audit team) to review findings
       Specify (with supporting evidence) or summarize conformity by location, function, or processes, as required by audit plan
  109. Nonconformity (clause 6.5.5)
       Non-fulfillment of a specified requirement:
       - Not doing it
       - Partially doing it
       - Doing it the wrong way
       Specified requirement:
       - Conditions of the customer contract
       - Quality standard (ISO 9001:2008)
       - Quality management system
       - Statutory or regulatory requirements
  Generate Audit Findings (clause 6.5.5)
       Record nonconformity findings and supporting evidence
       Obtain auditee acknowledgement of nonconformities for accuracy and understandability
       Try and resolve differences of opinion
       Keep a record of unresolved issues
  115. Nonconformity - Minor
       Failure to comply with a requirement which (based on judgment and experience) is not likely to result in QMS failure
       Single observed lapse or isolated incident
       Minimal risk of nonconforming product or service
       Examples:
       - A two month lapse in the internal audit program
       - A training record not available
       - No actions taken to improve system based on previous result findings
  Nonconformity - Major
       Absence or total breakdown of a system to meet a requirement
       A number of minors related to the same clause or requirement
       A nonconformity that experience and judgment indicate will likely result in QMS failure or significantly reduce its ability to assure controlled processes and products
  118. Nonconformity - Major
       Examples:
       No documented procedure for a required documented ISO 9001:2008 process/activity
       Document changes routinely made without authorization
       No awareness program for the quality management system
       No future planned internal audits
       Insufficient scope
       Numerous minor nonconformities found in the production process
  119. Nonconformity: Classifying the Nonconformity
       Consider the seriousness:
       What could go wrong if the nonconformity remains uncorrected?
       Is it likely the system would detect it before the customer is affected?
       If you are not certain it is a nonconformity, it is not.
       You must have:
       - A requirement that has been broken
       - Proof that it has been broken
  Nonconformity: Good Report Examples
  121. Nonconformity: Poor Report Examples
       The nonconformity statements below are inadequate due to the lack of specified requirements and detailed evidence:
       Steering Group meeting minutes are not adequate
       The authority level for the Emergency Controller must be documented for clarity purposes
  122. Preparing Audit Conclusions (clause 6.5.6)
       Audit team confer prior to the closing meeting:
       Scheduling of the audit plan
       To plan for closing meeting
       Purpose is to:
       - Review audit findings and other information
       - Agree on audit conclusions
       To prepare the audit report and recommendations
       If included in audit plan, to discuss audit follow-up
  124. Audit Report: Prepare, Approve & Distribute (clauses 6.6.1, 6.6.2)
       Audit reference
       Client and Auditee details
       Audit team details
       List of auditee representatives
       Objectives, scope, and criteria
       Audit plan – dates, places, areas audited and timing
       Summary of audit process
       Audit Summary
       Uncertainty due to sampling
  125. Audit Report: Prepare, Approve & Distribute (clauses 6.6.1, 6.6.2)
       Nonconformity reports
       Recommendation
       Obstacles encountered
       Any areas in audit scope not covered
       Any unresolved issues between the auditee and team
       Confirmation that audit objectives accomplished
       Confidentiality statement
       Distribution list
  126. Audit Report: Distribution (clause 6.6.1)
       - Issue within agreed time period
       - If delayed, provide reasons and agree on new issue date
       - Report must be dated, reviewed, and approved as per procedures
       - Distribute to recipients designated by audit client
       - Report is property of audit client
       - Recipients and audit team must respect the confidentiality of the report
  Completing the Audit (clause 6.7)
       - Audit is complete when all activities in audit plan have been carried out and audit report is distributed
       - Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures
       - Maintain confidentiality of audit documents, information, and report
       - Notify audit client and auditee ASAP if disclosure of audit information is required.
  Closing Meeting (clause 6.5.7)
       - Hold closing meeting to present audit findings and conclusions
       - Cover situations encountered during audit that may decrease reliance on audit conclusions
       - Discuss and resolve diverging audit findings and conclusions
       - Keep a record if not resolved
       - Provide recommendations for improvement where specified by audit objectives
       - Keep minutes and attendance records
       - Will normally be informal for internal audits
  Completing the Audit: Conducting the Follow-up (clause 6.8)
       - Audit conclusions may require corrective, preventive, or improvement actions
       - Auditee decides and carries out these actions within agreed timeframe
       - These actions are not part of the audit
       - Audit team member should verify completion and effectiveness of actions taken
       - This verification may be part of a subsequent audit
       - Maintain independence in subsequent audit activities
  Completing the Audit: Corrective Action Follow-up (clause 6.8)
       - Auditee receives the nonconformity report
       - Auditee prepares and approves a corrective action plan
       - Auditee submits the plan to auditors
       - Auditors evaluate and approve the plan
       - Auditee implements the approved corrective action plan
       - Auditor verifies the implementation and effectiveness
       - Records of all actions taken by auditor and auditee
  Conclusion
  152. Typical Audit Activities
       Initiating the Audit
       Conducting Document Review
       Preparing for On-site Activities
       Conducting On-site Activities
       Preparing, Approving, Distributing Audit Report
       Completing the Audit
       Conducting Audit Follow-up
  153. Final Questions?
  154. Thank You!
       For your attendance and participation!
       Prepared & Presented by Yamin K Hajeej