Table of Contents
1 Introduction to Auditing
2 The Process Approach and Process Auditing
3 Managing an Audit Program
4 Audit Activities
5 Auditor Competence and Responsibilities
6 Conclusion
Introduction to Auditing
Auditing
• What is an audit?
  • Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (ISO 19011:2002 clause 3.1)
• Why audit?
  • Requirement of ISO 9001:2008
  • Monitor and measure the management system
  • Promote continuous improvement of the management system
Principles of Auditing
• Principles relating to auditors:
  • Ethical conduct
  • Fair presentation
  • Due professional care
• Principles relating to audit:
  • Independence
  • Evidence-based approach
Clause 4.0 (Note: reference to ISO 19011:2002 clause number)
Benefits of Auditing
• Verifies conformity to requirements
• Increases awareness and understanding
• Provides a measurement of effectiveness of the management system to top management
• Reduces risk of management system failure
• Identifies improvement opportunities
• Continuous improvement if performed regularly
Ramasubramanian.s Management
consultant/Trainer/Auditor +919952229598
Types of Audit
• Registration / Certification
• Product
• Customer contract
• Gap assessment / Pre-assessment
• Surveillance
• Combined audit / joint audit
The Process Approach and Process Auditing
Process Approach
The process approach emphasizes the importance of:
• Understanding and meeting requirements
• Looking at processes in terms of added value
• Obtaining results of process performance
• Continual improvement of process
PDCA (Plan-Do-Check-Act)
The Plan-Do-Check-Act (PDCA) methodology applies to all processes.
[Diagram: Plan-Do-Check-Act cycle around "Continual Improvement Process"]
• Plan: Activities, Controls, Documentation, Resources, Objectives
• Do: Deploy and conform with plan
• Check: Measure and monitor for conformity and effectiveness
• Act: Analyze/review, Decide/change, Improve effectiveness
Management System Standards and the Process Approach
• ISO 22716:
  • Is based upon the PDCA cycle, which can be applied to processes
  • Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a Cosmetic GMP
• ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits
Applying the Process Approach to Auditing
Auditors can apply the process approach to auditing by ensuring the auditee:
• Can define the objectives, inputs, outputs, activities, and resources for its processes
• Analyzes, monitors, measures, and improves its processes
• Understands the sequence and interaction of its processes
Process Auditing Approaches
Individual process:
• Input / Output / Value-added Activity
• Plan-Do-Check-Act
• Resources
Relationship with other processes:
• Flow / Sequence / Linkage / Combination
• Interaction / Communication
• Evidence
• Customer and supplier contract(s)
Process Auditing "Turtle Diagram"
[Diagram: turtle diagram with the process at the center]
• Process (specific value-added activities)
• Inputs: From whom/where
• Outputs: To whom/where
• With what? Resources
• With who? Personnel
• How done? Methods/Documentation
• What results? Performance indicators
Process Auditing Example
[Diagram: turtle diagram for the Contract Review process]
• Process: Contract Review
• Inputs: Customer requirements; Sales staff
• Outputs: Production/Service Delivery
• With what? Order processing system
• With who? Customers; Competent sales and processing staff
• How done? IT system; Processing system; Terms and conditions; Contract review procedure
• What results? Order processing time; Number of orders; Value of orders; Contract accuracy
Managing an Audit Program
Managing an Audit Program Process Flow
Clause 5.1
[Flow diagram laid out along PLAN, DO, CHECK, ACT]
• AUTHORIZE
• ESTABLISH: Objectives; Extent; Roles; Resources; Procedures
• IMPLEMENT: Schedule audits; Evaluate auditors; Select teams; Direct activities; Maintain records
• MONITOR & REVIEW: Monitor; Review; Identify need for CA/PA; Identify opportunities to improve
• IMPROVE
• AUDITOR COMPETENCE & EVALUATION
• SPECIFIC AUDIT ACTIVITIES
Audit Activities
Typical Audit Activities
• Initiating the Audit
• Conducting Document Review
• Preparing for On-site Activities
• Conducting On-site Activities
• Preparing, Approving, Distributing Audit Report
• Completing the Audit
• Conducting Audit Follow-up
PLAN, DO, CHECK, ACT
Clause 6.1
Audit Program
• Top management should authorize responsibility for program management to:
  • Establish, implement, review, and improve the audit program
  • Identify the necessary resources and ensure they are provided
• Organization should develop audit program processes
• Program should be managed by a member of the organization
• Keep appropriate audit records to monitor and review the audit program
Audit Program Responsibilities
• Top management should authorize responsibility for program management
• Those assigned responsibility should:
  • Establish, implement, review, and improve the audit program
  • Identify the necessary resources and ensure they are provided
Initiating the Audit
Initiating the audit includes:
• Appointing the audit team leader
• Defining audit objectives, scope, criteria
• Determining feasibility of the audit
• Selecting the audit team
• Establishing initial contact with the auditee
Clause 6.2
Defining Audit Objectives, Scope, Criteria
Audit objectives may include:
• Determining the extent of conformity of the auditee's QMS with audit criteria
• Evaluation of capability of QMS to ensure compliance with statutory, regulatory, and contractual requirements
• Evaluation of effectiveness of the QMS to meet its objectives
• Identification of areas of improvement
Clause 6.2.2
Selecting the Audit Team
For team size and competence, consider:
• Audit objectives, scope, criteria, and duration
• Whether audit is combined or joint
• Competence of team to meet objectives
• Statutory, regulatory, contractual and accreditation/certification requirements
• Independence of the team
Clause 6.2.4
Auditor Competence and Responsibilities
Auditor Competence
• Auditor competence is based on:
  • Personal attributes
  • Application of knowledge and skills
• Competence is to be developed, maintained, and improved
Clause 7.1
Auditor Competence
Personal Attributes
• Ethical
• Open-minded
• Diplomatic
• Observant
• Perceptive
• Versatile
• Tenacious
• Decisive
• Self-reliant
Clause 7.2
Auditor Competence
Generic Knowledge and Skills
Auditor skills and competence could include:
• Audit principles, procedures, and techniques
• Management system and reference documents
• Organizational situations
• Laws, regulations, and other requirements
Clause 7.3.1
Auditor Competence
Specific Knowledge and Skills
Specific knowledge and skills for quality auditors could include:
• Quality methods and techniques
• Quality terminology
• Quality management tools and their application
• Processes and products/services specific to the sector being audited
Clause 7.3.3
Auditor Responsibilities
• Arrive on time
• Maintain confidentiality
• Be objective and ethical
• Support the audit team and team leader
• Plan and prepare work documents
• Inform auditees of the audit process
• Document and support all findings
• Keep auditee informed
• Safeguard all documents
• Prepare the audit report
Audit Planning
• Determine the objective of the audit
• Identify specified requirements
• Determine audit duration and resources needed
• Select the team
• Contact the auditee and agree the date(s)
• Draw up audit plan
• Brief the team
• Prepare work documents
Conducting Document Review
A review of documentation:
• Should be conducted prior to on-site audit activities unless deferring review is not detrimental to the effectiveness of the audit
• May include relevant FSMS documents, records, and previous audit reports
• May include a preliminary site visit
Clause 6.3
Prepare Work Documents
• Prepare work documents
• Use as a reference and for recording audit proceedings
• Include checklists, sampling plans and forms, ISO 22000:2005 standard, etc.
• Keep checklists flexible to allow changes resulting from information collected during the audit
• Safeguard any confidential and proprietary information
• Retain work documents and records
Checklists Preparation
One approach is to:
• Identify audit scope and process(es) within scope
• Identify applicable factors (inputs, outputs, measures, resources, etc.)
• Use these points and other requirements (ISO 22716 system documentation, etc.) to:
  • Plan what to look at
  • Plan what to look for (audit evidence)
  • Prepare checklist
Checklists Structure
Audit checklist structure:
Process/Activity Audited:
| Requirement | Source | Evidence | Notes |
| ISO 22716 clause # or other requirement | What to "look at" | What to "look for" | Notes |
Conduct On-Site Audit Activities
• Conduct opening meeting
• Communicate during the audit
• Explain roles and responsibilities of participants
• Collect and verify information
• Generate audit findings
• Prepare audit conclusions
• Conduct closing meeting
Clause 6.5
Opening Meeting
• Hold opening meeting with auditee top management and those responsible for processes audited
• Meeting may be informal
• Chaired by team leader
• Audit team present
• Purpose is to confirm all prior arrangements
Clause 6.5.1
Collecting and Verifying Information
[Flow diagram, in sequence:]
1. Sources of information
2. Collect by appropriate sampling & verification
3. Evaluate against audit criteria
4. Review
5. Audit conclusions
Auditing Process: Collect & Verify Information
• Collect information relevant to:
  • Audit objectives, scope, and criteria
  • Interfaces between functions, activities and processes
• Collect audit evidence by appropriate sampling, then verify and record it
• Be aware of sampling limitations if acting on the audit conclusion
• Use only information that is verifiable as audit evidence
Clause 6.5.4
Auditing Process: Techniques to Obtain Audit Evidence
• Interview:
  • Personnel that manage, perform, and verify activities
  • Also ensure they are responsible for the activity being audited
  • Listen carefully to responses
• Observe:
  • Identity, status, condition, processes, equipment, activities, environment, and people
Clause 6.5.4
Auditing Process: Audit Evidence
• Review documents that describe:
  • Activities
  • Plans
  • Controls
  • Strategies
  • Exercises
  • Tests
• Review records for evidence of conformity to documents
• Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable
• Audit evidence may be qualitative or quantitative
Communication and Interpersonal Skills
• Put auditee at ease
• Ask short questions and listen
• Reflect right attitude, tone of voice, body language, and facial expressions
• Smile and make eye contact
• Avoid interruptions
• Avoid off-the-cuff and condescending remarks
• Give praise when appropriate
Communication and Interpersonal Skills
• Show interest
• Be tactful and polite
• Show patience and understanding
• Remember to say please and thank you
• Ask the right person
• Don't say you understand when you do not
Questioning Techniques
• Open question
  • Using why, who, what, where, when, or how gets more than a yes or no answer
• Expansive question
  • Further elaborates the current point
• Opinion question
  • Asks opinion about current point
• Non-verbal
  • Uses body language, for example: raise an eyebrow to elicit further information
Questioning Techniques
• Repetitive question
  • Repeats back response in form of a question
• Hypothetical question
  • Uses what if, suppose that, etc.
• Closed question
  • Gets yes or no answer
  • Avoid using too often
  • Used for confirmation
• Silence
  • Draws more information
Note Taking
• Notes could be used as reference for:
  • Immediate investigation
  • Investigation later
  • Use by a colleague
  • Subsequent audits
• Notes taken during an audit are a record of:
  • The audit sample taken
  • What was reported
  • What was observed
• Notes may be referenced by subsequent auditor
Sampling
• Samples should test the effectiveness of the system and should be:
  • Representative
  • Structured
  • Independently selected
• Sample size should be based on:
  • Risk
  • Importance
  • Status
  • Findings from the previous/current audit
Control of the Audit
• Checklist is an aid, not a requirement
• If potential audit trails appear, decide to:
  • Disregard
  • Note for later
  • Follow up immediately
• Following audit trails may affect:
  • Sample size
  • Audit plan
Handling Difficult Situations
Examples:
• Uncooperative
• Long telephone calls
• Cannot find document
• Unprepared
• Constant interruptions
• Provocation
• Long-winded auditees
• Interdepartmental or personality conflicts
• Diversionary tactics
• Language
• Noisy environment
• Boastful
• Called away
• Volunteered information
Establish the Facts
Judgment in the Audit Process
• Audit focus must be on conformity and effectiveness, NOT on finding nonconformities
• The auditee must be given the benefit of any doubt where there is insufficient audit evidence
Establish the Facts
• Discuss concerns
• Verify the findings
• Record all the evidence:
  • Exact observation
  • Where, what, etc.
• Establish why a nonconformity or otherwise
• State who (if relevant), preferably by job title
• Obtain agreement with the facts
Generate Audit Findings
• Evaluate audit evidence against audit criteria to generate audit findings
• Indicate if findings are conformities, nonconformities or opportunities for improvement
• Meet (audit team) to review findings
• Specify (with supporting evidence) or summarize conformity by location, function, or processes, as required by audit plan
Clause 6.5.5
Nonconformity
• Non-fulfillment of a specified requirement:
  • Not doing it
  • Partially doing it
  • Doing it the wrong way
• Specified requirement:
  • Conditions of the customer contract
  • Quality standard (ISO 22716)
  • Quality management system
  • Statutory or regulatory requirements
Clause 6.5.5
Generate Audit Findings
• Record nonconformity findings and supporting evidence
• Obtain auditee acknowledgement of nonconformities for accuracy and understandability
• Try and resolve differences of opinion
• Keep a record of unresolved issues
Clause 6.5.5
Nonconformity - Minor
• Failure to comply with a requirement which (based on judgment and experience) is not likely to result in QMS failure
• Single observed lapse or isolated incident
• Minimal risk of nonconforming product or service
• Examples:
  • A two month lapse in the internal audit program
  • A training record not available
  • No actions taken to improve system based on previous result findings
Nonconformity - Major
• Absence or total breakdown of a system to meet a requirement
• A number of minors related to the same clause or requirement
• A nonconformity that experience and judgment indicate will likely result in QMS failure or significantly reduce its ability to assure controlled processes and products
Nonconformity - Major
Examples:
• No documented procedure for a required documented ISO 22716 process/activity
• Document changes routinely made without authorization
• No awareness program for the Food safety management system
• No future planned internal audits
• Insufficient scope
• Numerous minor nonconformities found in the production process
Nonconformity
Classifying the Nonconformity
Consider the seriousness:
• What could go wrong if the nonconformity remains uncorrected?
• Is it likely the system would detect it before the customer is affected?
• If you are not certain it is a nonconformity, it is not.
You must have:
• A requirement that has been broken
• Proof that it has been broken
Nonconformity
Good Report Examples
Nonconformity Report
Incident Number: 1
QMS
Company under audit: XYZ, Inc.
Area under Review: Purchasing
ISO 22716 Clause number: 7.4
Category: Major / Minor
Requirement: Clause 7.4.1 of ISO 9001:2008 requires that the organization establish criteria for evaluation and re-evaluation of suppliers.
Nonconformity Findings: Upon speaking with the Purchasing Manager, it was found that no evaluation of ABC supplier had taken place since the contract was signed and business began with ABC supplier.
Nonconformity
Poor Report Examples
The nonconformity statements below are inadequate due to the lack of specified requirements and detailed evidence:
• Steering Group meeting minutes are not adequate
• The authority level for the Emergency Controller must be documented for clarity purposes
Preparing Audit Conclusions
Audit team confer prior to the closing meeting:
• Scheduling of the audit plan
• To plan for closing meeting
• Purpose is to:
  • Review audit findings and other information
  • Agree on audit conclusions
  • To prepare the audit report and recommendations
  • If included in audit plan, to discuss audit follow-up
Clause 6.5.6
Audit Report
Prepare, Approve & Distribute
1. Audit reference
2. Client and auditee details
3. Audit team details
4. List of auditee representatives
5. Objectives, scope, and criteria
6. Audit plan: dates, places, areas audited and timing
7. Summary of audit process
8. Audit summary
9. Uncertainty due to sampling
Clauses 6.6.1, 6.6.2
Audit Report
Prepare, Approve & Distribute
10. Nonconformity reports
11. Recommendation
12. Obstacles encountered
13. Any areas in audit scope not covered
14. Any unresolved issues between the auditee and team
15. Confirmation that audit objectives accomplished
16. Confidentiality statement
17. Distribution list
Clauses 6.6.1, 6.6.2
Audit Report
Distribution
• Issue within agreed time period
• If delayed, provide reasons and agree on new issue date
• Report must be dated, reviewed, and approved as per procedures
• Distribute to recipients designated by audit client
• Report is property of audit client
• Recipients and audit team must respect the confidentiality of the report
Clause 6.6.1
Completing the Audit
• Audit is complete when all activities in audit plan have been carried out and audit report is distributed
• Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures
• Maintain confidentiality of audit documents, information, and report
• Notify audit client and auditee ASAP if disclosure of audit information is required.
Clause 6.7
Closing Meeting
• Hold closing meeting to present audit findings and conclusions
• Cover situations encountered during audit that may decrease reliance on audit conclusions
• Discuss and resolve diverging audit findings and conclusions
• Keep a record if not resolved
• Provide recommendations for improvement where specified by audit objectives
• Keep minutes and attendance records
• Will normally be informal for internal audits
Clause 6.5.7
Completing the Audit
Conducting the Follow-up
• Audit conclusions may require corrective, preventive, or improvement actions
• Auditee decides and carries out these actions within agreed timeframe
• These actions are not part of the audit
• Audit team member should verify completion and effectiveness of actions taken
• This verification may be part of a subsequent audit
• Maintain independence in subsequent audit activities
Clause 6.8
Completing the Audit
Corrective Action Follow-up
• Auditee receives the nonconformity report
• Auditee prepares and approves a corrective action plan
• Auditee submits the plan to auditors
• Auditors evaluate and approve the plan
• Auditee implements the approved corrective action plan
• Auditor verifies the implementation and effectiveness
• Records of all actions taken by auditor and auditee
Clause 6.8
CASE STUDIES
• Find Major/Minor NC
• Find standard clause reference
• State standard requirement
• Write NC statement
Conclusion
Final Questions?
For your attendance and participation!

internal auditor ttttttttttttttttttraining.pptx

  • 2.
    1 Introduction toAuditing Table of Content 2 3 4 5 6 The ProcessApproachand ProcessAuditing Managing an Audit Program AuditActivities Auditor Competence and Responsibilities Conclusion
  • 3.
  • 4.
    Auditing  What isan audit?  Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determinetheextent towhich auditcriteriaare fulfilled (ISO19011: 2002 clause 3.1)  Whyaudit?  Requirementof ISO 9001:2008  Monitorand measure the managementsystem  Promotecontinuous improvementof the managementsystem
  • 5.
    Principles of Auditing Principles relating toauditors:  Ethical conduct  Fairpresentation  Due professional care  Principles relating toaudit:  Independence  Evidence-based approach 4.0 Note: reference to ISO 19011:2002 Clause number
  • 6.
    Benefits of Auditing Verifiesconformitytorequirements  Increasesawareness and understanding  Providesa measurementof effectiveness of the management system to top management  Reduces risk of managementsystem failure  Identifies improvementopportunities  Continuous improvement if performed regularly Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 7.
    Types of Audit Registration / Certification  Product  Customercontract  Gapassessment / Pre-assessment  Surveillance  Combined audit / jointaudit Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 8.
    The Process Approach and Process Auditing Ramasubramanian.sManagement consultant/Trainer/Auditor +919952229598
  • 9.
    Process Approach The processapproach emphasize the importanceof:  Understanding and meeting requirements  Looking at processes in termsof added value  Obtaining resultsof process performance  Continual improvementof process Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 10.
    Act Do Plan Check Continual Improvement Process PDCA (Plan-Do-Check-Act)) The Plan-do-Check-Act(PDCA) methodology applies to all processes • Deploy and conform with plan • • • • • Activities Controls Documentation Resources Objectives • • • Analyze/review Decide/change Improve effectiveness • and Measure monitor for conformity and effectiveness
  • 11.
    Management System Standardsand the Process Approach  ISO 22716:  Is based upon the PDCA cycle which can be applied to processes  Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a Cosmetic GMP  ISO 19011:2002 does not explicitly mention process audits, but is written for application toall managementsystem audits Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 12.
    Applying the ProcessApproach to Auditing Auditors can apply the process approach to auditing by ensuring the auditee:  Can define the objectives, inputs, outputs, activities, and resources for its processes  Analyzes, monitors, measures, and improves its processes  Understands thesequence and interactionof its processes Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 13.
    Process Auditing Approaches IndividualProcess:  Input / Output / Value-added Activity  Plan-Do-Check-Act  Resources Relationshipwith otherprocesses:  Flow / Sequence / Linkage / Combination  Interaction / Communication  Evidence  Customerand suppliercontract(s) Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 14.
    Process Auditing “TurtleDiagram” With who? Personnel Outputs To Whom/ Where What results? Performance indicators Inputs From Whom/ Where With what? Resources Process (specific value-added activities) How done? Methods/ Documentation Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 15.
    Process Auditing Example Withwhat? • Order processing system With who? • Customers • Competent sales and processing staff What results? • Order processing • • • time Number or orders Value of orders Contract accuracy Outputs Production/Service Delivery Inputs • • Customer requirements Sales staff How done? • • • • IT system Processing system Terms and conditions Contract review procedure Contract Review Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 16.
  • 17.
    Managing an AuditProgram Process Flow PLAN DO CHECK ACT 5.1 AUTHORIZE MONITOR & IMPROVE ESTABLISH • OBJECTIVES • EXTENT • ROLES • RESOURCES • PROCEDURES IMPLEMENT • SCHEDULE AUDITS • EVALUATE • AUDITORS • SELECTTEAMS • DIRECT ACTIVITIES • MAINTAIN RECORDS AUDITOR COMPETENCE & EVALUZATION REVIEW • MONITOR • REVIEW • IDENTIFY NEED FOR CA/PA • IDENTIFY OPPORTUNITIES TO IMPROVE SPECIFIC AUDIT ACTIVITIES Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 18.
  • 19.
    Typical Audit Activities InitialingtheAudit Conducting Document Review Preparing forOn-siteActivities Conducting for On-siteActivities Preparing, Approving, Distributing Audit Report Completing theAudit Conducting Audit Follow-up PLAN DO CHECK ACT 6.1 Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 20.
    Audit Program  Topmanagement should authorize responsibility for program management to:  Establish, implement, review, and improve theaudit program  Identifythe necessary resourcesand ensure theyare provided • Organizationshould developaudit program processes • Program should be managed by a memberof theorganization • Keep appropriate audit records to monitor and review the audit program Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 21.
    Audit Program Responsibilities Top management should authorize responsibility for program management  Thoseassigned responsibilityshould:  Establish, implement, review, and improve theaudit program  Identify the necessary resourcesand ensure theyare provided Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 22.
    Initiating the Audit Initiatingtheaudit includes:  Appointing theaudit team leader  Defining auditobjectives, scope, criteria  Determining feasibilityof theaudit  Selecting theaudit team  Establishing initial contactwith theauditee 6.2 Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 23.
    Defining Audit Objectives,Scope, Criteria Audit Objectives may include:  Determining of the extent of conformity of auditee`s QMS with auditcriteria  Evaluation of capability of QMS to ensure compliance with statutory, regulatory, and contractual requirements  Evaluationof effectiveness of the QMS to meet itsobjectives  Identificationof areas of improvement 6.2.2 Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 24.
    Selecting the AuditTeam ForTeam size and competence, consider:  Auditobjectives, scope, criteria, and duration  Whetheraudit is combined or joint  Competenceof team to meetobjectives  Statutory, regulatory, contractual and accreditation/certification requirements  Independenceof the team 6.2.4 Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 25.
  • 26.
    Auditor Competence  Auditorcompetenceis based on:  Personal attributes  Application of knowledgeand skills  Competence is to bedeveloped, maintained, and improved 7.1 Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 27.
  • 28.
    Auditor Competence Generic Knowledgeand skills Auditorskills and competencecould include:  Auditprinciples, procedures, and techniques  Managementsystem and referencedocuments  Organizational situations  Laws, regulations, and otherrequirements 7.3.1 Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 29.
    Auditor Competence Specific Knowledgeand skills Specific knowledgeand skills forqualityauditorscould include:  Quality methodsand techniques  Quality terminology  Quality management toolsand theirapplication  Processes and products/services specific to the sector being audited 7.3.3 Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 30.
    Auditor Responsibilities  Arriveontime  Maintainconfidentiality  Be objectiveand ethical  Support theaudit team and team leader  Plan and prepare work documents  Informauditeesof theaudit process  Documentand supportall findings  Keepauditee informed  Safeguard all documents  Prepare theaudit report Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 31.
    Audit Planning  Determinetheobjectiveof theaudit  Identifyspecified requirements  Determineauditdurationand resources needed  Select the team  Contacttheauditee – agree thedate(s)  Draw up audit plan  Brief the team  Preparework documents Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 32.
    Conducting Document Review
    A review of documentation:
    - Should be conducted prior to on-site audit activities unless deferring review is not detrimental to the effectiveness of the audit
    - May include relevant FSMS documents, records, and previous audit reports
    - May include a preliminary site visit
    (Clause 6.3)
  • 33.
    Prepare Work Documents
    Prepare work documents:
    - Use as a reference and for recording audit proceedings
    - Include checklists, sampling plans and forms, ISO 22000:2005 standard, etc.
    - Keep checklists flexible to allow changes resulting from information collected during the audit
    - Safeguard any confidential and proprietary information
    - Retain work documents and records
  • 34.
    Checklists Preparation
    One approach is to:
    - Identify audit scope and process(es) within scope
    - Identify applicable factors (inputs, outputs, measures, resources, etc.)
    - Use these points and other requirements (ISO 22716 system documentation, etc.) to:
      - Plan what to look at
      - Plan what to look for (audit evidence)
      - Prepare checklist
  • 35.
    Checklists Structure
    Audit checklist structure:
    Process/Activity Audited:
    Requirement | Source | Evidence | Notes
    ISO 22716 clause # or other requirement | What to "look at" | What to "look for" | Notes
  • 36.
    Conduct On-Site Audit Activities
    - Conduct opening meeting
    - Communicate during the audit
    - Explain roles and responsibilities of participants
    - Collect and verify information
    - Generate audit findings
    - Prepare audit conclusions
    - Conduct closing meeting
    (Clause 6.5)
  • 37.
    Opening Meeting
    - Hold opening meeting with auditee top management and those responsible for processes audited
    - Meeting may be informal
    - Chaired by team leader
    - Audit team present
    - Purpose is to confirm all prior arrangements
    (Clause 6.5.1)
  • 38.
    Collecting and Verifying Information
    - Sources of information
    - Collect by appropriate sampling & verification
    - Evaluate against audit criteria
    - Review
    - Audit Conclusions
  • 39.
    Auditing Process: Collect & Verify Information
    - Collect information relevant to:
      - Audit objectives, scope, and criteria
      - Interfaces between functions, activities and processes
    - Collect audit evidence by appropriate sampling, and verify and record it
    - Be aware of sampling limitations, if acting on the audit conclusion
    - Use only information that is verifiable as audit evidence
    (Clause 6.5.4)
  • 40.
    Auditing Process: Techniques to Obtain Audit Evidence
    - Interview:
      - Personnel that manage, perform, and verify activities
      - Also ensure they are responsible for the activity being audited
      - Listen carefully to responses
    - Observe:
      - Identity, status, condition, processes, equipment, activities, environment, and people
    (Clause 6.5.4)
  • 41.
    Auditing Process: Audit Evidence
    - Review documents that describe:
      - Activities
      - Plans
      - Controls
      - Strategies
      - Exercises
      - Tests
    - Review records for evidence of conformity to documents
    - Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable
    - Audit evidence may be qualitative or quantitative
  • 42.
    Communication and Interpersonal Skills
    - Put auditee at ease
    - Ask short questions and listen
    - Reflect right attitude, tone of voice, body language, and facial expressions
    - Smile and show eye contact
    - Avoid interruptions
    - Avoid off-the-cuff and condescending remarks
    - Give praise when appropriate
  • 43.
    Communication and Interpersonal Skills
    - Show interest
    - Be tactful and polite
    - Show patience and understanding
    - Remember to say please and thank you
    - Ask the right person
    - Don't say you understand when you do not
  • 44.
    Questioning Techniques
    - Open question
      - Using why, who, what, where, when, or how gets more than a yes or no answer
    - Expansive question
      - Further elaborates the current point
    - Opinion question
      - Asks opinion about current point
    - Non-verbal
      - Uses body language, for example: raise eyebrow to elicit further information
  • 45.
    Questioning Techniques
    - Repetitive question
      - Repeats back response in form of a question
    - Hypothetical question
      - Uses what if, suppose that, etc.
    - Closed question
      - Gets yes or no answer
      - Avoid using too often
      - Used for confirmation
    - Silence
      - Draws more information
  • 46.
    Note Taking
    - Notes could be used as reference for:
      - Immediate investigation
      - Investigation later
      - Use by a colleague
      - Subsequent audits
    - Notes taken during an audit are a record of:
      - The audit sample taken
      - What was reported
      - What was observed
    - Notes may be referenced by subsequent auditor
  • 47.
    Sampling
    - Samples should test the effectiveness of the system and should be:
      - Representative
      - Structured
      - Independently selected
    - Sample size should be based on:
      - Risk
      - Importance
      - Status
      - Findings from the previous/current audit
  • 48.
    Control of the Audit
    - Checklist is an aid, not a requirement
    - If potential audit trails appear, decide to:
      - Disregard
      - Note for later
      - Follow up immediately
    - Following audit trails may affect:
      - Sample size
      - Audit plan
  • 49.
  • 50.
    Establish the Facts: Judgment in the Audit Process
    - Audit focus must be on conformity and effectiveness, NOT on finding nonconformities
    - The auditee must be given the benefit of any doubt where there is insufficient audit evidence
  • 51.
    Establish the Facts Discussconcerns  Verify the findings  Record all theevidence:  Exactobservation  Where, what, etc.  Establishwhya nonconformityorotherwise  Statewho (if relevant) – preferably by job title  Obtainagreementwith the facts Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 52.
    Generate Audit Findings Evaluate audit evidence against audit criteria to generate audit findings  Indicate if findings are conformities, nonconformities or opportunities for improvement  Meet (audit team) to review findings  Specify (with supporting evidence) or summarize conformity by location, function, orprocesses, as required by audit plan 6.5.5 Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 53.
    Nonconformity
    - Non-fulfillment of a specified requirement:
      - Not doing it
      - Partially doing it
      - Doing it the wrong way
    - Specified requirement:
      - Conditions of the customer contract
      - Quality standard (ISO 22716)
      - Quality management system
      - Statutory or regulatory requirements
    (Clause 6.5.5)
  • 54.
    Generate Audit Findings Record nonconformityfindingsand supporting evidence  Obtain auditee acknowledgement of nonconformities for accuracy and understandability  Try and resolvedifferencesof opinion  Keepa record of unresolved issues 6.5.5 Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 55.
    Nonconformity - Minor
    - Failure to comply with a requirement which (based on judgment and experience) is not likely to result in QMS failure
    - Single observed lapse or isolated incident
    - Minimal risk of nonconforming product or service
    - Examples:
      - A two month lapse in the internal audit program
      - A training record not available
      - No actions taken to improve system based on previous result findings
  • 56.
    Nonconformity - Major Absenceortotal breakdownof a system to meeta requirement  A numberof minors related to the sameclause orrequirement  A nonconformity that experience and judgment indicate will likely result in QMS failure or significantly reduce its ability to assure controlled processes and products Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
  • 57.
    Nonconformity - Major
    Examples:
    - No documented procedure for a required documented ISO 22716 process/activity
    - Document changes routinely made without authorization
    - No awareness program for the Food safety management system
    - No future planned internal audits
    - Insufficient scope
    - Numerous minor nonconformities found in the production process
  • 58.
    Nonconformity: Classifying the Nonconformity
    - Consider the seriousness:
      - What could go wrong if the nonconformity remains uncorrected?
      - Is it likely the system would detect it before the customer is affected?
    - If you are not certain it is a nonconformity, it is not. You must have:
      - A requirement that has been broken
      - Proof that it has been broken
  • 59.
    Nonconformity: Good Report Examples
    Nonconformity Report
    Incident Number: 1 QMS
    Company under audit: XYZ, Inc.
    Area under Review: Purchasing
    ISO 22716 Clause number: 7.4
    Category: Major / Minor
    Requirement: Clause 7.4.1 of ISO 9001:2008 requires that the organization establish criteria for evaluation and re-evaluation of suppliers.
    Nonconformity Findings: Upon speaking with the Purchasing Manager, it was found that no evaluation of ABC supplier had taken place since the contract was signed and business began with ABC supplier.
  • 60.
    Nonconformity: Poor Report Examples
    The nonconformity statements below are inadequate due to the lack of specified requirements and detailed evidence:
    - Steering Group meeting minutes are not adequate
    - The authority level for the Emergency Controller must be documented for clarity purposes
  • 61.
    Preparing Audit Conclusions
    - Audit team confer prior to the closing meeting:
      - Scheduling of the audit plan
      - To plan for closing meeting
    - Purpose is to:
      - Review audit findings and other information
      - Agree on audit conclusions
      - To prepare the audit report and recommendations
      - If included in audit plan, to discuss audit follow-up
    (Clause 6.5.6)
  • 62.
    Audit Report: Prepare, Approve & Distribute
    1. Audit reference
    2. Client and Auditee details
    3. Audit team details
    4. List of auditee representatives
    5. Objectives, scope, and criteria
    6. Audit plan – dates, places, areas audited and timing
    7. Summary of audit process
    8. Audit Summary
    9. Uncertainty due to sampling
    (Clauses 6.6.1, 6.6.2)
  • 63.
    Audit Report: Prepare, Approve & Distribute
    10. Nonconformity reports
    11. Recommendation
    12. Obstacles encountered
    13. Any areas in audit scope not covered
    14. Any unresolved issues between the auditee and team
    15. Confirmation that audit objectives accomplished
    16. Confidentiality statement
    17. Distribution list
    (Clauses 6.6.1, 6.6.2)
  • 64.
    Audit Report Distribution
    - Issue within agreed time period
    - If delayed, provide reasons and agree on new issue date
    - Report must be dated, reviewed, and approved as per procedures
    - Distribute to recipients designated by audit client
    - Report is property of audit client
    - Recipients and audit team must respect the confidentiality of the report
    (Clause 6.6.1)
  • 65.
    Completing the Audit
    - Audit is complete when all activities in audit plan have been carried out and audit report is distributed
    - Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures
    - Maintain confidentiality of audit documents, information, and report
    - Notify audit client and auditee ASAP if disclosure of audit information is required
    (Clause 6.7)
  • 66.
    Closing Meeting
    - Hold closing meeting to present audit findings and conclusions
    - Cover situations encountered during audit that may decrease reliance on audit conclusions
    - Discuss and resolve diverging audit findings and conclusions
    - Keep a record if not resolved
    - Provide recommendations for improvement where specified by audit objectives
    - Keep minutes and attendance records
    - Will normally be informal for internal audits
    (Clause 6.5.7)
  • 67.
    Completing the Audit: Conducting the Follow-up
    - Audit conclusions may require corrective, preventive, or improvement actions
    - Auditee decides and carries out these actions within agreed timeframe
    - These actions are not part of the audit
    - Audit team member should verify completion and effectiveness of actions taken
    - This verification may be part of a subsequent audit
    - Maintain independence in subsequent audit activities
    (Clause 6.8)
  • 68.
    Completing the Audit: Corrective the Follow-up
    - Auditee receives the nonconformity report
    - Auditee prepares and approves a corrective action plan
    - Auditee submits the plan to auditors
    - Auditors evaluate and approve the plan
    - Auditee implements the approved corrective action plan
    - Auditor verifies the implementation and effectiveness
    - Records of all actions taken by auditor and auditee
    (Clause 6.8)
  • 69.
    CASE STUDIES
    - Find Major/Minor NC
    - Find standard clause reference
    - State standard requirement
    - Write NC statement
  • 70.
  • 71.
  • 72.