ISO Internal Auditor
Compliance Management
COURSE AIMS AND OBJECTIVES
• Describe the responsibilities of an Internal Auditor
• Describe the role of internal audits within a management system, including the audit management process
• Explain the model of a process-based Quality Management System, including the purpose and structure of ISO 9001:2015
• Plan and prepare an internal audit
• Gather objective evidence through observation, interview and sampling of documents and records
• Write factual audit findings and reports that help to improve the effectiveness of the management system
• Define and describe ways in which the effectiveness
Session 1 Objectives
• Understand the purpose and typical structure of
management systems and ISO 9001:2015
• Understand the ISO 9001:2015 requirements
relating to Internal Audits
• Understand the Plan Do Check Act (PDCA)
Cycle
• Understand what is a process, key terminology,
and the different types of processes and their
significance for internal auditors
Purpose of a Quality
Management System
• ISO 9001:2015 is used if you are seeking to
establish a management system that provides
confidence in the conformance of your
product to meet customer and applicable
statutory & regulatory requirements
• In addition, ISO 9001:2015 seeks to enhance
customer satisfaction by improving your Quality
Management System
Table of Contents
1 Introduction to Auditing
2 The Process Approach and Process Auditing
3 Managing an Audit Program
4 Audit Activities
5 Auditor Competence and Responsibilities
6 Conclusion
Introduction to Auditing
AUDITING
What is an audit?
 Systematic, independent and documented
process for obtaining audit evidence and
evaluating it objectively to determine the extent to
which audit criteria are fulfilled
(ISO 19011:2002, clause 3.1)
Why audit?
 Requirement of ISO 9001:2015
 Monitor and measure the management
system
 Promote continuous improvement of the
management system
Principles of Auditing
• Principles relating to auditors:
 Ethical conduct
 Fair presentation
 Due professional care
• Principles relating to audit:
 Independence
 Evidence-based approach
4.0
Note: reference to ISO 19011:2002 clause number
Benefits of Auditing
• Verifies conformity to requirements
• Increases awareness and understanding
• Provides a measurement of effectiveness
of the management
system to top management
• Reduces risk of management system
failure
• Identifies improvement opportunities
• Continuous improvement if performed
regularly
Types of Audit
• Registration / Certification
• Product
• Customer contract
• Gap assessment / Pre-assessment
• Surveillance
• Combined audit / joint audit
Process Approach
Auditing
Process Approach
The process approach emphasizes the importance of:
• Understanding and meeting requirements
• Looking at processes in terms of added value
• Obtaining results of process performance
• Continual improvement of process
PDCA (PLAN-DO-CHECK-ACT)
The Plan-Do-Check-Act (PDCA) methodology applies to all processes
[Diagram: PDCA cycle around "Your Process", leading to Continual Improvement]
• Plan: Objectives, Resources, Documentation, Controls, Activities
• Do: Deploy and conform with plan
• Check: Measure and monitor for conformity and effectiveness
• Act: Analyze/review, Decide/change, Improve effectiveness
MANAGEMENT SYSTEM STANDARDS
AND THE PROCESS APPROACH
• ISO 9001:2015:
 Is based upon the PDCA cycle which can be applied to processes
 Applies the PDCA cycle to implementing,
operating, monitoring, exercising, maintaining
and improving the effectiveness of a QMS
• ISO 19011:2002 does not explicitly mention
process audits, but
is written for application to all management system
audits
Applying the Process Approach to Auditing
Auditors can apply the process approach to auditing by ensuring the auditee:
• Can define the objectives, inputs, outputs, activities, and resources for its processes
• Analyzes, monitors, measures, and improves its processes
• Understands the sequence and interaction of its processes
Process Auditing Approaches
Individual Process:
• Input / Output / Value-added Activity
• Plan-Do-Check-Act
• Resources
Relationship with other processes:
• Flow / Sequence / Linkage / Combination
• Interaction / Communication
• Evidence
• Customer and supplier contract(s)
Process Auditing “Turtle Diagram”
• With what? Resources
• With who? Personnel
• What results? Performance indicators
• Inputs: From Whom/Where
• Outputs: To Whom/Where
• How done? Methods/Documentation
• Process (specific value-added activities)
Process Auditing Example
Process: Contract Review
With what?
• Order processing system
With who?
• Customers
• Competent sales and processing staff
What results?
• Order processing time
• Number of orders
• Value of orders
• Contract accuracy
Outputs
• Production/Service Delivery
Inputs
• Customer requirements
• Sales staff
How done?
• IT system
• Processing system
• Terms and conditions
• Contract review procedure
Managing an Audit Program
MANAGING AN AUDIT PROGRAM
PROCESS FLOW
• AUTHORIZE
• ESTABLISH (PLAN): OBJECTIVES, EXTENT, ROLES, RESOURCES, PROCEDURES
• IMPLEMENT (DO): SCHEDULE AUDITS, EVALUATE AUDITORS, SELECT TEAMS, DIRECT ACTIVITIES, MAINTAIN RECORDS
• MONITOR & REVIEW (CHECK): MONITOR, REVIEW, IDENTIFY NEED FOR CA/PA, IDENTIFY OPPORTUNITIES TO IMPROVE
• IMPROVE (ACT)
Related boxes: AUDITOR COMPETENCE & EVALUATION; SPECIFIC AUDIT ACTIVITIES
Audit Activities
Typical Audit Activities (PLAN - DO - CHECK - ACT)
• Planning
• Preparation
• Conducting On-site Activities
• Reporting: Preparing, Approving, Distributing Audit Report
• Follow-up
6.1
AUDIT PROGRAM
• Top management should authorize responsibility for
program management to:
 Establish, implement, review, and improve the audit program
 Identify the necessary resources and ensure they are provided
• Organization should develop audit program processes
• Program should be managed by a member of the
organization
• Keep appropriate audit records to monitor and review the
audit program
AUDIT PROGRAM
RESPONSIBILITIES
• Top management should authorize
responsibility for program management
• Those assigned responsibility should:
 Establish, implement, review, and
improve the audit program
 Identify the necessary resources and
ensure they are provided
INITIATING THE AUDIT
Initiating the audit includes:
• Appointing the audit team leader
• Defining audit objectives, scope,
criteria
• Determining feasibility of the audit
• Selecting the audit team
• Establishing initial contact with the
auditee
6.2
Defining Audit Objectives, Scope, Criteria
Audit Objectives may include:
• Determining the extent of conformity of
auditee's QMS with audit criteria
• Evaluation of capability of QMS to ensure
compliance with statutory, regulatory, and
contractual requirements
• Evaluation of effectiveness of the QMS to
meet its objectives
• Identification of areas of improvement
6.2.2
Selecting the Audit Team
For Team size and competence, consider:
• Audit objectives, scope, criteria, and
duration
• Whether audit is combined or joint
• Competence of team to meet objectives
• Statutory, regulatory, contractual and
accreditation/certification requirements
• Independence of the team
6.2.4
Auditor
Competence and
Responsibilities
AUDITOR COMPETENCE
Auditor competence is based on:
 Personal attributes
 Application of knowledge and skills
• Competence is to be developed, maintained,
and improved
• Competence is the demonstrated ability to
perform a task
7.1
AUDITOR COMPETENCE
PERSONAL ATTRIBUTES
• Ethical
• Diplomatic
• Open-minded
• Observant
• Perceptive
• Versatile
• Tenacious
• Decisive
• Self-reliant
7.2
AUDITOR COMPETENCE
GENERIC KNOWLEDGE AND SKILLS
Auditor skills and competence could include:
• Audit principles, procedures, and
techniques
• Management system and reference
documents
• Organizational situations
• Laws, regulations, and other
requirements
7.3.1
AUDITOR COMPETENCE
SPECIFIC KNOWLEDGE AND SKILLS
Specific knowledge and skills for quality auditors
could include:
• Quality methods and techniques
• Quality terminology
• Quality management tools and their application
• Processes and products/services specific to
the sector being audited
7.3.3
AUDITOR RESPONSIBILITIES
• Arrive on time
• Maintain confidentiality
• Be objective and ethical
• Support the audit team and team leader
• Plan and prepare work documents
• Inform auditees of the audit process
• Document and support all findings
• Keep auditee informed
• Safeguard all documents
• Prepare the audit report
Audit
Activities
(Continued)
AUDIT PLANNING
• Determine the objective of the audit
• Identify specified requirements
• Determine audit duration and resources
needed
• Select the team
• Contact the auditee – agree the date(s)
• Draw up audit plan
• Brief the team
• Prepare work documents
CONDUCTING DOCUMENT
REVIEW
A review of documentation:
• Should be conducted prior to on-site audit
activities unless deferring review is not detrimental
to the effectiveness of the audit
• May include relevant QMS documents, records,
and previous audit reports
• May include a preliminary site visit
6.3
Prepare Work Documents
• Prepare work documents
• Use as a reference and for recording audit proceedings
• Include checklists, sampling plans and forms, ISO 9001:2015 standard, etc.
• Keep checklists flexible to allow changes resulting from information collected during the audit
• Safeguard any confidential and proprietary information
 Retain work documents and records
CHECKLISTS PREPARATION
One approach is to:
• Identify audit scope and process(es) within scope
• Identify applicable factors (inputs, outputs, resources, measures, etc.)
• Use these points and other requirements (ISO 9001:2015, system documentation, etc.) to:
 Plan what to look at
 Plan what to look for (audit evidence)
• Prepare checklist
Checklists Structure
Audit checklist structure:
Process/Activity Audited:
Requirement | Source | Evidence | Notes
ISO 9001:2015 Clause # or other requirement | What to “look at” | What to “look for” | Notes
Conduct on-Site Audit Activities
• Conduct opening meeting
• Communicate during the audit
• Explain roles and responsibilities
of participants
• Collect and verify information
• Generate audit findings
• Prepare audit conclusions
• Conduct closing meeting
6.5
OPENING MEETING
• Hold opening meeting with auditee top
management and those responsible for
processes audited
• Meeting may be informal
• Chaired by team leader
• Audit team present
• Purpose is to confirm all prior arrangements
6.5.1
Collecting and Verifying Information
Sources of information → Collect by appropriate sampling & verification → Evaluate against audit criteria → Review → Audit Conclusions
AUDITING PROCESS
COLLECT & VERIFY INFORMATION
• Collect information relevant to:
 Audit objectives, scope, and criteria
 interfaces between functions, activities and
processes
• Collect audit evidence by appropriate
sampling and verify and record it
• Be aware of sampling limitations, if acting on the audit conclusion
• Use only information that is verifiable as audit evidence
6.5.4
AUDITING PROCESS
TECHNIQUES TO OBTAIN AUDIT
EVIDENCE
• Interview:
 Personnel that manage, perform, and verify activities
 Also ensure they are responsible for the activity being audited
 Listen carefully to responses
• Observe:
 Identity, status, condition, processes, equipment, activities, environment, and people
• Listen:
 Information from relevant authority and that it is verifiable
6.5.4
Auditing Process Audit Evidence
• Review documents that describe:
 Activities
 Plans
 Controls
 Strategies
 Exercises
 Tests
• Review records for evidence of conformity to
documents
• Review records, statements of fact, or other
information which are relevant to the audit criteria
and verifiable
• Audit evidence may be qualitative or quantitative
Communication and interpersonal skills
• Put auditee at ease
• Ask short questions and listen
• Reflect right attitude, tone of voice, body
language, and facial
expressions
• Smile and show eye contact
• Avoid interruptions
• Avoid off-the-cuff and condescending remarks
• Give praise when appropriate
Communication and interpersonal skills
• Show interest
• Be tactful and polite
• Show patience and understanding
• Remember to say please and thank
you
• Ask the right person
• Don't say you understand when you do not
QUESTIONING TECHNIQUES
• Open question
 Using why, who, what, where, when, or how gets more than a yes or no answer
• Expansive question
 Further elaborates the current point
• Opinion question
 Asks opinion about current point
• Non-verbal
 Uses body language, for example: raise
eye-brow to elicit further information
QUESTIONING TECHNIQUES
• Repetitive question
 Repeats back response in form of a
question
• Hypothetical question
 Uses what if, suppose that, etc.
• Closed question
 Gets yes or no answer
 Avoid using too often
 Used for confirmation
• Silence
 Draws more information
NOTE TAKING
• Notes could be used as reference for:
 Immediate investigation
 Investigation later
 Use by a colleague
 Subsequent audits
• Notes taken during an audit are a record of:
 The audit sample taken
 What was reported
 What was observed
• Notes may be referenced by subsequent
auditor
SAMPLING
• Samples should test the effectiveness of
the system and should be:
 Representative
 Structured
 Independently selected
• Sample size should be based on:
 Risk
 Importance
 Status
 Findings from the previous/current
Control of the Audit
• Checklist is an aid, not a requirement
• If potential audit trails appear, decide to:
 Disregard
 Note for later
 Follow up immediately
• Following audit trails may affect:
 Sample size
 Audit plan
HANDLING DIFFICULT SITUATIONS
EXAMPLES
• Cannot find document
• Uncooperative
• Noisy environment
• Long telephone calls
• Unprepared
• Constant interruptions
• Provocation
• Long-winded auditees
• Interdepartmental or personality conflicts
• Diversionary tactics
• Language
• Boastful
• Called away
• Volunteered information
ESTABLISH THE FACTS
JUDGMENT IN THE AUDIT PROCESS
• Audit focus must be on conformity and
effectiveness, NOT on finding
nonconformities
• The auditee must be given the benefit of
any doubt where there is insufficient
audit evidence
Establish the Facts
• Discuss concerns
• Verify the findings
• Record all the evidence:
 Exact observation
 Where, what, etc.
• Establish why a nonconformity
or otherwise
• State who (if relevant) –
preferably by job title
• Obtain agreement with the
facts
GENERATE AUDIT FINDINGS
6.5.5
• Evaluate audit evidence against audit criteria
to generate audit findings
• Indicate if findings are conformities,
nonconformities or opportunities for
improvement
• Meet (audit team) to review findings
• Specify (with supporting evidence) or
summarize conformity by location, function, or
processes, as required by audit plan
NONCONFORMITY 6.5.5
• Non-fulfillment of a specified requirement:
 Not doing it
 Partially doing it
 Doing it the wrong way
• Specified requirement:
 Conditions of the customer contract
 Quality standard (ISO 9001:2015)
 Quality management system
 Statutory or regulatory requirements
GENERATE AUDIT FINDINGS
• Record nonconformity findings and supporting
evidence
• Obtain auditee acknowledgement of
accuracy and understandability
• Try and resolve differences of opinion
• Keep a record of unresolved issues
Nonconformities for
6.5.5
NONCONFORMITY - MINOR
• Failure to comply with a requirement which (based on
judgment and experience) is not likely to result in QMS
failure
• Single observed lapse or isolated incident
• Minimal risk of nonconforming product or service
• Examples:
 A two month lapse in the internal audit program
 A training record not available
 No actions taken to improve system based on previous result findings
NONCONFORMITY - MAJOR
• Absence or total breakdown of a
system to meet a requirement
• A number of minors related to the same
clause or requirement
• A nonconformity that experience and
judgment indicate will likely result in
QMS failure or significantly reduce
its ability to assure controlled
processes and products
NONCONFORMITY - MAJOR
Examples:
• No documented procedure for a required
documented ISO 9001:2015 process/activity
• Document changes routinely made without authorization
• No awareness program for the quality management system
• No future planned internal audits
• Insufficient scope
• Numerous minor nonconformities found in the production
process
NONCONFORMITY
CLASSIFYING THE NONCONFORMITY
Consider the seriousness:
• What could go wrong if the nonconformity remains uncorrected?
• Is it likely the system would detect it before
the customer is affected?
• If you are not certain it is a nonconformity, it is not.
You must have:
 A requirement that has been broken
 Proof that it has been broken
NONCONFORMITY
GOOD REPORT EXAMPLES
QMS Nonconformity Report
Incident Number: 1
Company under audit: XYZ, Inc.
Area under Review: Purchasing
Category: Major / Minor
Requirement: ISO 9001 Clause number 7.4
Clause 7.4.1 of ISO 9001:2015 requires that the organization
establish criteria for evaluation and re-evaluation of suppliers.
Nonconformity Findings:
Upon speaking with the Purchasing Manager, it was found that
no evaluation of ABC supplier had taken place since the
contract was signed and business began with ABC supplier
NONCONFORMITY
POOR REPORT EXAMPLES
The nonconformity statements below are
inadequate due to the lack of specified
requirements and detailed evidence:
• Steering Group meeting minutes are not adequate
• The authority level for the Emergency Controller must be documented for clarity purposes
Preparing Audit Conclusions
Audit team confer prior to the closing meeting:
• Scheduling of the audit plan
• To plan for closing meeting
• Purpose is to:
 Review audit findings and other information
 Agree on audit conclusions
• To prepare the audit report and
recommendations
• If included in audit plan, to discuss audit
follow-up
6.5.6
AUDIT REPORT
PREPARE, APPROVE & DISTRIBUTE
1. Audit reference
2. Client and Auditee details
3. Audit team details
4. List of auditee representatives
5. Objectives, scope, and criteria
6. Audit plan – dates, places, areas
audited and timing
7. Summary of audit process
8. Audit Summary
9. Uncertainty due to sampling
6.6.1
6.6.2
AUDIT REPORT
PREPARE, APPROVE & DISTRIBUTE
10. Nonconformity reports
11. Recommendation
12. Obstacles encountered
13. Any areas in audit scope not covered
14. Any unresolved issues between the auditee and team
15. Confirmation that audit objectives accomplished
16. Confidentiality statement
17. Distribution list
6.6.1
6.6.2
Audit Report
Distribution
• Issue within agreed time period
• If delayed, provide reasons and agree on new issue date
• Report must be dated, reviewed, and approved as per
procedures
• Distribute to recipients designated by audit
client
• Report is property of audit client
• Recipients and audit team must respect
the confidentiality of the report
Completing the Audit 6.7
• Audit is complete when all activities in audit
plan have been carried out and audit report is
distributed
• Maintain or dispose of audit documents based
on contractual,
regulatory, and audit program procedures
• Maintain confidentiality of audit documents,
information, and report
• Notify audit client and auditee ASAP
if disclosure of audit
information is required.
Closing Meeting 6.5.7
• Hold closing meeting to present audit findings and
conclusions
• Cover situations encountered during audit that may
decrease
reliance on audit conclusions
• Discuss and resolve diverging audit findings and
conclusions
• Keep a record if not resolved
• Provide recommendations for improvement where
specified by audit objectives
• Keep minutes and attendance records
• Will normally be informal for internal audits
Completing the Audit
Conducting the Follow-up 6.8
• Audit conclusions may require corrective, preventive, or improvement actions
• Auditee decides and carries out these actions within agreed timeframe
• These actions are not part of the audit
• Audit team member should verify completion and effectiveness of actions taken
• This verification may be part of a subsequent
audit
• Maintain independence in subsequent audit
activities
FIVE WHY ANALYSIS
The 5 Whys is a question-asking method used to explore the root cause of a particular problem and to understand cause-effect relationships.
Why? | Reason
Why 1: Why was our customer unhappy? | The service has been delivered too late. The customer was unsatisfied.
Why 2: Why was the service not prepared on time? | We did not prepare the service on time because it took much longer than we expected.
Why 3: Why did it take so much longer? | Because we did not receive all approvals on time and underestimated the duration of the project.
Why 4: Why did we underestimate the project duration? | Because we forgot to prepare a detailed list of all tasks.
Why 5: Why did we forget about it? | Because we were running behind on other projects and failed to review our task list and time estimation during the project.
Root Cause*: Because we didn’t have a checklist to clearly identify all tasks that we must achieve to estimate time accurately. We need to develop a systematic approach to include these factors in future projects.
* Note the root cause(s) of the problem here. Only the one who experienced the problem is qualified to perform the analysis. There is usually more than one root cause.
COMPLETING THE AUDIT
CORRECTIVE THE FOLLOW-UP
• Auditee receives the nonconformity
report
• Auditee prepares and approves a
corrective action plan
• Auditee submits the plan to auditors
• Auditors evaluate and approve the plan
• Auditee implements the approved
corrective action plan
• Auditor verifies the implementation and
effectiveness
• Records of all actions taken by auditor
and auditee
6.8
Cite the Source!!
ISO 9001:2015 (“The STANDARD”)
• Clause 4.0/Context of the Organization
• Clause 4.4/QMS and its
processes
• Clause 4.4.1 PROCESS
INTERACTION DIAGRAM
The STANDARD (4.4.1) states:
“The organization SHALL:
(1) Establish
(2) Implement
(3) Maintain
(4) Continually improve the QMS.”
including….
AUDITING THE CONTEXT OF THE
ORGANIZATION
“PROCESSES needed
AND
their INTERACTIONS…”
Clause 4.4.1
(Quality Management System and its Processes)
1. What are we looking for when we
audit a client’s processes &
interactions?
 Required process inputs (4.4.1.a)
 Expected process outputs (4.4.1.a)
 Criteria & Methods (4.4.1.c)
 Monitoring/Measurement/Performance Indicators
 Resources needed to support the process (4.4.1.d)
 Process authority & responsibility assigned
(4.4.1.e)
 Risks and opportunities identified (4.4.1.f)
The PROCESS INTERACTION Audit Tool
Process Interaction Diagram (ISO 9001:2015; Clause 4.4.1)
• (4.4.1.d) Resources, i.e., "What?": People, Materials, Equipment, Work Environment, etc.
• {Auditor Special Interest Item} Expertise, i.e., "Whom?": Education, Knowledge, Training, Skills, Experience, etc.
• (4.4.1.a) Inputs, i.e., What is utilized in this process? Incoming Process
• (4.4.1.e) Process Activities
• (4.4.1.e) Responsible Person(s)
• (4.4.1.a) Outputs, i.e., What output(s) does this process feed into? Outgoing Process
• (4.4.1.f) Methods of Control: Operational Risk Identification & Mgt.; Risk Management/Matrix
• (4.4.1.c) Measures of Effectiveness (MoE) in Place? Measure of Effectiveness → Target? → Actual? → Met? → Action? Quality (DPPM/FPY?), Time (OTD)?
THE PROCESS INTERACTION AUDIT
“…determine the inputs required and the
outputs expected from these processes…”
THE PROCESS INTERACTION AUDIT
THE PROCESS INTERACTION AUDIT
“…determine and apply the criteria and methods needed to
ensure the effective operation and control of these
processes…”
The PROCESS INTERACTION Audit
processes
…”
THE PROCESS INTERACTION AUDIT
“…address the risks and opportunities as determined
in accordance with the requirements of (Clause) 6.1
(“Risks and Opportunities”)”
THE PROCESS INTERACTION
AUDIT
OPTIONAL Auditor areas of special
interest
INTERNAL AUDITING PITFALLS
- AND SOME PREVENTIVE ACTIONS -
Common / Frequent Stumbling Blocks and
Some Preventive Steps and Tools for
Planning, Conducting, Reporting, Closing
Internal Audit
FOUR PHASES TO INTERNAL AUDITS
• Planning and Preparing for the Audit
• Conducting the Audit
• Reporting Results and Writing NCRs
• Performing Root Cause Analysis and Implementing and
Verifying Corrective Actions
All four phases must be addressed for internal audits
to be effective !
PLANNING AND PREPARING
PITFALLS
• “We always scramble to get our audits
done – sometimes we don’t finish them”
• Suggestion: Schedule defined processes
within your QMS to be done each month –
don’t overload auditors
• Alternate: Schedule an annual “blitz” of
whole system
PLANNING AND PREPARING PITFALLS
• “Some of our processes always seem to have
more problems or take longer to audit
because they are more complex”
• Suggestion: Schedule additional audits of
certain processes based on “status” or
“importance”. This is a requirement of ISO
9001:2015, 9.2. Internal Audits
PLANNING AND PREPARING PITFALLS
• “Our auditors say they are not sure what to look
for when they audit”
• Suggestion: Auditors should study applicable
sections of the standard, quality manual and
procedures, customer and legal requirements. Make
a “Turtle” diagram of the process, make a checklist.
• Alternate: Hire professional “external” auditors
THE TURTLE DIAGRAM
• Process
• With What? (Materials & Equipment)
• With Whom? (Competence, Skills, Training)
• How? (Support Processes, Procedures & Methods)
• What Results? (Performance Indicators)
• Outputs
• Inputs
Source: AIAG 2003
CONDUCTING THE AUDIT
• “Our auditors rarely report any problems. What
they do report is inconsequential”
• Suggestion: Audit for effectiveness
• Four challenging questions:
• “How are you (or your job) doing?”
• “How do you know that?”
• “Are you improving?”
• “How do you know that?”
CONDUCTING THE AUDIT
• “Our Certification’s auditor often finds that our
procedures don’t match the work”
• Suggestion: Audit for three contrasts:
• Policy – Is it clearly stated in our manual?
• Procedure – Is it up to date, support the policy? Do our
people understand it?
• Practice – Do we do what we say? Are innovative ways
of doing things better being considered, evaluated,
approved?
• When did you last review procedures ?
CONDUCTING THE AUDIT
• “Our auditors don’t know how to follow audit
trails or ask the probing questions”
• Suggestion: Conduct a “Learning Audit” = Evaluate
auditors regularly using a more experienced
auditor. Use the “Turtle Diagram” as a source of
questions. Ask “Why?” five times when something
doesn’t jive with the manual or procedures. Obtain
copies of evidence for better reporting.
• Practice, evaluate, practice, evaluate !
REPORTING THE AUDIT
• “Our supervisors resent internal audits as useless
fault finding”
• Suggestion: Start audit reports by summarizing the good
areas, especially “best practices”. Include
ideas/suggestions for resolving nonconformities (Yes,
internal auditors CAN consult!!). Constantly preach that
nonconformities are not the end of the world or cause for
personnel punishment, but Opportunities for
Improvement !
REPORTING THE AUDIT
• “Our nonconformity write-ups are often difficult to
understand (What do I do?)”
• Suggestion: ALWAYS state three items in Corrective
Action Requests (CARs):
• The requirement violated (doc/para/text)
• The nonconformity (text related to req’t)
• The objective evidence (what, where, when)
• If you can’t cite the requirement, you shouldn’t
write a CAR ! (Maybe an OFI?)
CLOSING THE AUDIT
• “Our corrective actions don’t work. The problems keep
coming back”
• Suggestion: Conduct formal Root Cause Analysis and
Effective Corrective Action training for all
managers/supervisors
• CAR respondees must fully comprehend the difference
between correction and corrective action and understand
that there is a system cause to the nonconformity, not just
“operator error”
CONTAINMENT (AKA CORRECTION)
• In some cases, swift action needs to be
taken to contain the problem and prevent
any consequences of the problem
(“escapes”) from affecting customers
• This containment action includes the
immediate fixing of the problem at hand,
which is referenced in ISO 9000 as
correction, which should not be confused
with corrective action
CORRECTION VS. CORRECTIVE
ACTION
• ISO 9000:2005 defines these as:
• Correction: Action to eliminate a detected nonconformity (3.6.6)
• Corrective action: Action to eliminate the cause of a detected
nonconformity or other undesirable situation (3.6.5)
• Note 1 There can be more than one cause for a nonconformity
• Note 2 Corrective action is taken to prevent recurrence
Bold = My emphasis
SOME MORE ADVICE
 Recognize that there are at least two causes for
each quality problem:
 A technical cause (and there may be more than one !!!)
such as a bearing failure or an operator error and
 A system cause such as an ineffective preventive
maintenance program or incomplete employee training
program or incorrect procedure or work instruction
You Must Fix Both (ALL)
EVEN MORE ADVICE
• Utilize all appropriate quality tools to get at the
root cause, such as:
• Ishikawa fishbone cause/effect diagram with the
seven M’s as the branches: Man, Machine,
Method, Materials, Measurements, Mother
Nature, Management
• “Five Why’s” fault tree analysis diagram, looking
for common “grandfathers” as high priority items to
fix
• Kepner-Tregoe Cause Analysis
ASSURING EFFECTIVENESS
• Don’t forget to prevent recurrence by changing
the system as appropriate:
• Revise procedures, policies, QA Manual
• Train/retrain employees, adjust training needs matrix
• Inform all who “touch” the process
• Look at other processes/products. Can or
should the fix(es) be used on them?
CLOSING THE AUDIT
• “Our CARs seem to hang open forever”
• Suggestion: Monitor CAR action item
timing/commitments, remind owners, only accept
corrective action plans that address true root causes,
are appropriate actions
• Audit the process to verify that ALL actions have
been effectively implemented, other processes have
been considered, there has been NO RECURRENCE
since the corrective action has been implemented
Only then can you close the CAR
Based on the information given, if you think the
situation represents a nonconformity, then write a
nonconformity statement that includes the
following information:
 Situation #; area/process being audited; applicable ISO 9001 clause #; whether the nonconformity is major or minor;
 a clear description of the specific requirement that
the situation is nonconforming against;
 a clear description (finding) of the nonconformity
itself, supported by relevant objective evidence.
OR, based on the information given,
if you do not think there is a nonconformity, then
clearly state your reason(s), and also provide at
least 3 further actions you would take to gather
additional evidence of conformity or nonconformity
(had you been there performing the audit).
CASE STUDY 1
In the purchasing department, the auditor notes
that the staff are placing orders over the phone with
suppliers using a computerized purchasing system.
On inquiry, the auditor is told that the staff has
been fully trained and the database holds details of
all supplier contract specifications and, therefore,
there is no need for an independent review of
individual orders.
CASE STUDY 2
• In the quality manager’s office, the auditor asks to see the schedule for internal audits.
This schedule shows that each of the eight QMS processes is audited every six months.
The auditor asks the quality manager how the frequency of audits was decided.
• The manager says that when the system was set up three years ago, 6-month intervals
were specified for all processes. The company has kept to this original schedule.
• The auditor asks to see the file containing corrective action requests (CARs). It lists 85
CARs for the past two rounds of internal audits. Of these, 65 CARs are in the production
department and the remainder are spread evenly over five other departments. Two
departments received no CARs.
CASE STUDY 3
• In the shipping area, the auditor stops to look at six finished
products, serial numbers X245 to X250, in individual cardboard
cartons.
• The auditor asked the shipper why the items are packed in
corrugated cardboard instead of plastic containers as required by
packaging work instruction PWI 6, revision 2.
• The shipper replied that the shipping supervisor had instructed
them to use corrugated cardboard when they ran out of plastic
containers three weeks ago.
ANY QUESTIONS?
Thank you for your attendance and
participation!

iso 9001 2015 interna audit presentation.pptx

  • 1.
  • 2.
    • Describe theresponsibilities of an Internal Auditor • Describe the role of internal audits within a management system including the audit management process • Explain, the model of a process-based Quality Management System, including the purpose and structure of ISO 9001:2015 • Plan and prepare an internal audit • Gather objective evidence through observation, interview and sampling of documents and records • Write factual audit findings and reports that help to improve the effectiveness of the management system • Define and describe ways in which the effectivenes COURSE AIMS AND OBJECTIVES
  • 3.
    Session 1 Objectives •Understand the purpose and typical structure of management systems and ISO 9001:2015 • Understand the ISO 9001:2015 requirements relating to Internal Audits • Understand the Plan Do Check Act (PDCA) Cycle • Understand what is a process, key terminology, and the different types of processes and their significance for internal auditors
  • 4.
    Purpose of aQuality Management System • ISO 9001:2015 is used if you are seeking to establish a management system that provides confidence in the conformance of your product to meet customer and applicable statutory & regulatory requirements • In addition, ISO 9001:2015 seeks to enhance customer satisfaction by improving your Quality Management System
  • 5.
    4 Audit Activities 3 2 1Introduction to Auditing The Process Approach and Process Auditing Managing an Audit Program Table of Content 5 Auditor Competence and Responsibilities 6 Conclusion
  • 6.
  • 7.
    AUDITING What is anaudit?  Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (ISO19011: 2002 clause 3.1) Why audit?  Requirement of ISO 9001:2015  Monitor and measure the management system  Promote continuous improvement of the management system
  • 8.
    Principles of Auditing •Principles relating to auditors:  Ethical conduct  Fair presentation  Due professional care • Principles relating to audit:  Independence  Evidence-based approach 4.0 Note: reference to ISO 19011:2002 Clause number
  • 9.
    Benefits of Auditing •Verifies conformity to requirements • Increases awareness and understanding • Provides a measurement of effectiveness of the management system to top management • Reduces risk of management system failure • Identifies improvement opportunities • Continuous improvement if performed regularly
  • 10.
    Types of Audit •Registration / Certification • Product • Customer contract • Gap assessment / Pre-assessment • Surveillance • Combined audit / joint audit
  • 11.
  • 12.
    Process Approach The processapproach emphasize the importance of: • Understanding and meeting requirements • Looking at processes in terms of added value • Obtaining results of process performance • Continual improvement of process
  • 13.
    Your Process Act Do Plan Check PDCA (PLAN-DO-CHECK- ACT) Continual Improvement The Plan-do-Check-Act(PDCA) methodology applies to all processes • Deploy and conform with plan • • • • • Activities Controls Documenta tion Resources Objectives • • • Analyze/review Decide/change Improve effectiveness •Measure and monitor for conformity and effectiveness
  • 14.
    MANAGEMENT SYSTEM STANDARDS ANDTHE PROCESS APPROACH • ISO 9001:2015:  Is based upon the PDCA cycle which can be appliedto processes  Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a QMS • ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits
  • 15.
    Applying the ProcessApproach to Auditing •Auditors can apply the process approach to auditing by ensuring the auditee: • Can define the objectives, inputs, outputs, activities, and • resources for its processes • Analyzes, monitors, measures, and improves its processes • Understands the sequence and interaction of its processes
  • 16.
    Process Auditing Approaches IndividualProcess: • Input / Output / Value-added Activity • Plan-Do-Check-Act • Resources Relationship with other processes: • Flow / Sequence / Linkage / Combination • Interaction / Communication • Evidence • Customer and supplier contract(s)
  • 17.
    Process Auditing “TurtleDiagram” With what? Resources With who? Personnel What results? Performance indicators Outputs To Whom/ Where Inputs From Whom/ Where How done? Methods/ Documentation Process (specific value-added activities)
  • 18.
    Process Auditing Example Withwhat? • Order processing system With who? • Customers • Competent sales and processing staff What results? • Order processing time • Number or orders • Value of orders • Contract accuracy Outputs Production/Servic e Delivery Inputs • Customer requirements • Sales staff How done? • IT system • Processing system • Terms and conditions • Contract review procedure Contract Review
  • 19.
  • 20.
    MANAGING AN AUDITPROGRAM PROCESS FLOW PLAN DO CHECK ACT AUTHORIZE ESTABLISH IMPLEMENT MONITOR & REVIEW IMPROVE • OBJECTIVES • EXTENT • ROLES • RESOURCES • PROCEDURES • SCHEDULE AUDITS • EVALUATE • AUDITORS • SELECT TEAMS • DIRECT ACTIVITIES • MAINTAIN RECORDS • MONITOR • REVIEW • IDENTIFY NEED FOR CA/PA • IDENTIFY OPPORTUNITIES TO IMPROVE AUDITOR COMPETENCE & EVALUZATION SPECIFIC AUDIT ACTIVITIES
  • 21.
  • 22.
    Typical Audit Activities Planning Preparation Preparing,Approving, Distributing Audit Report Reporting Follow-up Conducting for On-site Activities PLAN DO CHECK ACT 6.1
  • 23.
    AUDIT PROGRAM • Topmanagement should authorize responsibility for program management to:  Establish, implement, review, and improve the audit • program  Identify the necessary resources and ensure they are provided • Organization should develop audit program processes • Program should be managed by a member of the organization • Keep appropriate audit records to monitor and review the audit program
  • 24.
    AUDIT PROGRAM RESPONSIBILITIES • Topmanagement should authorize responsibility for program management • Those assigned responsibility should:  Establish, implement, review, and improve the audit program  Identify the necessary resources and ensure they are provided
  • 25.
    INITIATING THE AUDIT Initiatingthe audit includes: • Appointing the audit team leader • Defining audit objectives, scope, criteria • Determining feasibility of the audit • Selecting the audit team • Establishing initial contact with the auditee 6.2
  • 26.
    Defining Audit Objectives,Scope, Criteria Audit Objectives may include: • Determining of the extent of conformity of auditee`s QMS with audit criteria • Evaluation of capability of QMS to ensure compliance with statutory, regulatory, and contractual requirements • Evaluation of effectiveness of the QMS to meet its objectives • Identification of areas of improvement 6.2.2
  • 27.
    Selecting the AuditTeam For Team size and competence, consider: • Audit objectives, scope, criteria, and duration • Whether audit is combined or joint • Competence of team to meet objectives • Statutory, regulatory, contractual and accreditation/certification requirements • Independence of the team 6.2.4
  • 28.
  • 29.
    AUDITOR COMPETENCE Auditor competenceis based on:  Personal attributes  Application of knowledge and skills • Competence is to be developed, maintained, and improved • Competence is the demonstrated ability to perform a task 7.1
  • 30.
  • 31.
    AUDITOR COMPETENCE GENERIC KNOWLEDGEAND SKILLS Auditor skills and competence could include: • Audit principles, procedures, and techniques • Management system and reference documents • Organizational situations • Laws, regulations, and other requirements 7.3.1
  • 32.
    AUDITOR COMPETENCE SPECIFIC KNOWLEDGEAND SKILLS Specific knowledge and skills for quality auditors could include: • Quality methods and techniques • Quality terminology • Quality management tools and their application • Processes and products/services specific to the sector being audited 7.3.3
  • 33.
    AUDITOR RESPONSIBILITIES • Arriveon time • Maintain confidentiality • Be objective and ethical • Support the audit team and team leader • Plan and prepare work documents • Inform auditees of the audit process • Document and support all findings • Keep auditee informed • Safeguard all documents • Prepare the audit report
  • 34.
  • 35.
    AUDIT PLANNING • Determinethe objective of the audit • Identify specified requirements • Determine audit duration and resources needed • Select the team • Contact the auditee – agree the date(s) • Draw up audit plan • Brief the team • Prepare work documents
  • 36.
    CONDUCTING DOCUMENT REVIEW A reviewof documentation: • Should be conducted prior to on-site audit activities unless deferring review is not detrimental to the effectiveness of the audit • May include relevant QMS documents, records, and previous audit reports • May include a preliminary site visit 6.3
  • 37.
    Prepare WorkDocuments • Preparework documents • Use as a reference and for recording audit proceedings • Include checklists, sampling plans and forms, ISO 9001:2015 standard, etc. • Keep checklists flexible to allow changes resulting information collected during the audit • Safeguard any confidential and proprietary information  Retain work documents and records from
  • 38.
    CHECKLISTS PREPARATION One Approachis to: • Identify audit scope and process(es) within scope • Identify applicable factors (inputs, outputs, resources, etc.) • Use these points and other requirements (ISO 9001-2015, system documentation, etc.) to: measures ,  Plan what to look at  Plan what to look for (audit evidence) • Prepare checklist
  • 39.
    Checklists Structure Audit checkliststructure: Process/Activity Audited: Requirement Source Evidence Notes ISO 9001:2015 Clause # or other requirement What to “look at” What to “look for” Notes
  • 40.
    Conduct on-Site AuditActivities • Conduct opening meeting • Communicate during the audit • Explain roles and responsibilities of participants • Collect and verify information • Generate audit findings • Prepare audit conclusions • Conduct closing meeting 6.5
  • 41.
    OPENING MEETING • Holdopening meeting with auditee top management and those responsible for processes audited • Meeting may be informal • Chaired by team leader • Audit team present • Purpose is to confirm all prior arrangements 6.5.1
  • 42.
    Review Sources of information Collect by appropriate sampling& verification Evaluate against audit criteria Collecting and Verifying Information Audit Conclusions
  • 43.
    AUDITING PROCESS COLLECT &VERIFY INFORMATION • Collect information relevant to:  Audit objectives, scope, and criteria  interfaces between functions, activities and processes • Collect audit evidence by appropriate sampling and verify and record it • Be aware on sampling limitations,if acting on the conclusion • Use only information that is verifiable as audit evidence audit 6.5.4
  • 44.
    AUDITING PROCESS TECHNIQUES TOOBTAIN AUDIT EVIDENCE • Interview:  Personnel that manage, perform, and verify activities  Also ensurethey are responsible audited  Listen carefully to responses for the activity being • Observe:  Identity, status, condition, processes, equipment, activities, environment, and people  Listen:  Information from relevant authority and that it is verifiable 6.5.4
  • 45.
    Auditing Process AuditEvidence • Review documents that describe:  Activities  Plans  Controls  Strategies  Exercises  tests • Review records for evidence of conformity to documents • Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable • Audit evidence may be qualitative or quantitative
  • 46.
    Communication and interpersonalskills • Put auditee at ease • Ask short questions and listen • Reflect right attitude, tone of voice, body language, and facial expressions • Smile and show eye contact • Avoid interruptions • Avoid off-cuff and condescending remarks • Give praise when appropriate
  • 47.
    Communication and interpersonalskills • Show interest • Be tactful and polite • Show patience and understanding • Remember to say please and thank you • Ask the right person • Don`t say you understand when you do not
  • 48.
    QUESTIONING TECHNIQUES • Openquestion  Using why, who, what, where, when, or how gets more than • a yes or no answer • Expansive question  Further elaborates the current point • Opinion question  Asks opinion about current point • Non-verbal  Uses body language, for example: raise eye-brow to elicit further information
  • 49.
    QUESTIONING TECHNIQUES • Repetitivequestion  Repeats back response in form of a question • Hypothetical question  Uses what if, suppose that, etc. • Closed question  Gets yes or no answer  Avoid using too often  Used for confirmation • Silence  Draws more information
  • 50.
    NOTE TAKING • Notescould be used as reference for:  Immediate investigation  Investigation later  Use by a colleague  Subsequent audits • Notes taken during an audit are a record of:  The audit sample taken  What was reported  What was observed • Notes may be referenced by subsequent auditor
  • 51.
    SAMPLING • Samples shouldtest the effectiveness of the system and should be:  Representative  Structured  Independently selected • Sample size should be based on:  Risk  Importance  Status  Findings from the previous/current
  • 52.
    Control of theAudit • Checklist is an aid, not a requirement • If potential audit trails appear, decide to:  Disregard  Note for later  Follow up immediately • Following audit trails may effect:  Sample size  Audit plan
  • 53.
  • 54.
    ESTABLISH THE FACTS JUDGMENTIN THE AUDIT PROCESS • Audit focus must be on conformity and effectiveness, NOT on finding nonconformities • The auditee must be given the benefit of any doubt where there is insufficient audit evidence
  • 55.
    Establish the Facts •Discuss concerns • Verify the findings • Record all the evidence:  Exact observation  Where, what, etc. • Establish why a nonconformity or otherwise • State who (if relevant) – preferably by job title • Obtain agreement with the facts
  • 56.
    GENERATE AUDIT FINDINGS 6.5.5 •Evaluate audit evidence against audit criteria to generate audit findings • Indicate if findings are conformities, nonconformities or opportunities for improvement • Meet (audit team) to review findings • Specify (with supporting evidence) or summarize conformity by location, function, or processes, as required by audit plan
  • 57.
    NONCONFORMITY 6.5.5 • Non-fulfillmentof a specified requirement:  Not doing it  Partially doing it  Doing it the wrong way • Specified requirement:  Conditions of the customer contract  Quality standard (ISO 9001:2015)  Quality management system  Statutory or regulatory requirements
  • 58.
    GENERATE AUDIT FINDINGS •Record nonconformity findings and supporting evidence • Obtain auditee acknowledgement of accuracy and understandability • Try and resolve differences of opinion • Keep a record of unresolved issues Nonconformities for 6.5.5
  • 59.
    NONCONFORMITY - MINOR •Failure to comply with a requirement which (based on judgment and experience) is not likely to result in QMS failure • Single observed lapse or isolated incident • Minimal risk of nonconforming product or service • Examples:  A two month lapse in the internal audit program  A training record not available  No actions taken to improve system based on result findings previous
  • 60.
    NONCONFORMITY - MAJOR •Absence or total breakdown of a system to meet a requirement • A number of minors related to the same clause or requirement • A nonconformity that experience and judgment indicate will likely result in QMS failure or significantly reduce its ability to assure controlled processes and products
  • 61.
    NONCONFORMITY - MAJOR Examples: •No documented procedure for a required documented ISO 9001:2015 process/activity • Document changes routinely made without authorization • No awareness program for the quality management system • No future planned internal audits • Insufficient scope • Numerous minor nonconformities found in the production process
  • 62.
    NONCONFORMITY CLASSIFYING THE NONCONFORMITY Considerthe seriousness: • What couldgo wrongif the nonconformity remains uncorrected? • Is it likely the system would detect it before the customer is affected? • If you are not certain it is a nonconformity, it is not. You must have:  A requirement that has been broken  Proof that it has been broken
  • 63.
    NONCONFORMITY GOOD REPORT EXAMPLES QMSNonconformity Report Incident Number:1 Company under audit: XYZ, Inc. Area under Review: Purchasing Category: Major Minor Requirement: ISO 9001 Clause number 7.4 Clause 7.4.1 of ISO 9001:2015 requires that the organization establish criteria for evaluation and re-evaluation of suppliers. Nonconformity Findings: Upon speaking with the purchasing Manager, it was found that no evaluation of ABC supplier had taken place since the contract was signed and business begin with ABC supplier
  • 64.
    NONCONFORMITY POOR REPORT EXAMPLES Thenonconformity statements below are inadequate due to the lack of specified requirements and detailed evidence: • Steering Group meeting minutes are not adequate • The authority level for the Emergency Controller must be documented for clarify purposes
  • 65.
    Preparing Audit Conclusions Auditteam confer prior to the closing meeting: • Scheduling of the audit plan • To plan for closing meeting • Purpose is to:  Review audit findings and other information  Agree on audit conclusions • To prepare the audit report and recommendations • If included in audit plan, to discuss audit follow-up 6.5.6
  • 66.
    AUDIT REPORT PREPARE, APPROVE& DISTRIBUTE 1. Audit reference 2. Client and Auditee details 3. Audit team details 4. List of auditee representatives 5. Objectives, scope, and criteria 6. Audit plan – dates, places, areas audited and timing 7. Summary of audit process 8. Audit Summary 9. Uncertainty due to sampling 6.6.1 6.6.2
  • 67.
    AUDIT REPORT PREPARE, APPROVE& DISTRIBUTE 10.Nonconformity reports 11.Recommendation 12.Obstacles encountered 13.Any areas in audit scope not covered 14.Any unresolved issues between the auditee and team 15.Confirmation that audit objectives accomplished 16.Confidentiality statement 17.Distribution list 6.6.1 6.6.2
  • 68.
    Audit Report Distribution • Issuewithin agreed time period • If delayed, provide reasons and agree on new issue date • Report must be dated, reviewed, and approved as per procedures • Distribute to recipients designated by audit client • Report is property of audit client • Recipients and audit team must respect the confidentiality of the report
  • 69.
    Completing the Audit6.7 • Audit is complete when all activities in audit plan have been carried out and audit report is distributed • Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures • Maintain confidentiality of audit documents, information, and report • Notify audit client and auditee ASAP if disclosure of audit information is required.
  • 70.
    Closing Meeting 6.5.7 •Hold closing meeting to present audit findings and conclusions • Cover situations encountered during audit that may decrease reliance on audit conclusions • Discuss and resolve diverging audit findings and conclusions • Keep a record if not resolved • Provide recommendations for improvement where specified by audit objectives • Keep minutes and attendance records • Will normally be informal for internal audits
  • 71.
    Completing the Audit Conductingthe Follow-up 6.8 • Audit conclusionsmayrequire corrective, preventive, or improvement actions • Auditee decides and carries out these actions within agreed timeframe • These actions are not part of the audit • Audit team number should verify completion and effectiveness of actions taken • This verification may be part of a subsequent audit • Maintain independence in subsequent audit activities
  • 72.
    Why? Reason Why 1 Whywas our customer unhappy? The service has been delivered to late. The customer was unsatisfied. Why2 Why was the service not prepared on time? We did not prepare the service on time because it took much longer than we expected. Why3 Why did it take so much longer? Because we did not receive all approvals on time and underestimated the duration of the project. Why4 Why did we underestimate the project duration? Because we forgot to prepare a detailed list of all tasks. Why5 Why did we forget about it? Because we were running behind on other projects and failed to review our task list and time estimation during the project. Root Caus e* Because we didn’t have a checklist to clearly identify all tasks that we must achieve to estimate time accurately. We need to develop a systematic approach to include these factors in future projects. FIVE WHY ANALYSIS The 5 Whys is a questions-asking method used to explore the root cause of a particular problem and to understand cause-effect relationships * Note the root cause(s) of the problem here. Only the one who experienced the problem is qualified to perform the analysis. There are usually more than one root cause
  • 73.
    COMPLETING THE AUDIT CORRECTIVETHE FOLLOW-UP • Auditee receives the nonconformity report • Auditee prepares and approves a corrective action plan • Auditee submits the plan to auditors • Auditors evaluate and approve the plan • Auditee implements the approved corrective action plan • Auditor verifies the implementation and effectiveness • Records of all actions taken by auditor and auditee 6.8
  • 74.
    Cite the Source!! ISO9001:2015 (“The STANDARD”) • Clause 4.0/Context of the Organization • Clause 4.4/QMS and its processes • Clause 4.4.1 PROCESS INTERACTION DIAGRAM
  • 75.
    The STANDARD (4.4.1)states: “The organization SHALL: (1)Establish (2)Implement (3)Maintain (4)Continually improve the QMS.” including…. AUDITING THE CONTEXT OF THE ORGANIZATION
  • 76.
  • 78.
    Clause 4.4.1 (Quality ManagementSystem and its Processes 1. What are we looking for when we audit a client’s processes & interactions?  Required process inputs (4.4.1.a)  Expected process outputs (4.4.1.a)  Criteria & Methods (4.4.1.c)  Monitoring/Measurement/Performance Indicators  Resources needed to support the process (4.4.1.d)  Process authority & responsibility assigned (4.4.1.e)  Risks and opportunities identified (4.4.1.f)
  • 79.
    The PROCESS INTERACTION Audit Too/ ProcessInteraction Diag ram (ISO 9001:2015; Clause 4.4.1) I' I' (4.4.l.d ) Resources, i.e., 1 What?" People, Materials, Equipment , Work Environment, etc. {Auditor Special lnterest Item} Expertlse, I.e. "Whom?" Education, Knowledge, Training, Skills, Experience, etc. '- . / '- . / ::--- (4.4.1.a) Inputs, I.e. What ln utllized in (4.4.l.e) Process Activities (4.4.l.e) Responsible Person(s) (4.4.1.a) Outputs, i .e. What output(s) does this recess teed into? Outgoing Process this process? I ncom ing Process v ... - ........... I' I' (4.4.1.1}Methods of Control (4.4.l.c) Measures of Effectiveness (MoE ) in Place? • • Operationa l Risk Identification & Mgt. Risk Management/Matrix Measure J Effectlvenen-+ Target? - Actual? -Met?- Actlon? Quality (DPPMJFPY ?) Time (OTD)? ' . / . . /
  • 80.
    THE PROCESS INTERACTIONAUDIT “…determine the inputs required and the outputs expected from these processes…”
  • 81.
  • 82.
    THE PROCESS INTERACTIONAUDIT “…determine and apply the criteria and methods needed to ensure the effective operation and control of these processes…”
  • 83.
    The PROCESS INTERACTIONAudit processes …”
  • 84.
    THE PROCESS INTERACTIONAUDIT “…address the risks and opportunities as determined in accordance with the requirements of (Clause) 6.1 Risks and Opportunities”)”a
  • 85.
    THE PROCESS INTERACTION AUDIT OPTIONALAuditor areas of special interest
  • 86.
    The PROCESS INTERACTION Audit Too/ ProcessInteraction Diag ram (ISO 9001:2015; Clause 4.4.1) I' I' (4.4.l.d ) Resources, i.e., 1 What?" People, Materials, Equipment , Work Environment, etc. {Auditor S ecial lnterest Item} Ex ertlse, I.e. "Whom?" Education, Knowledge, Training, Skills, Experience, etc. '- . / '- . / ::--- (4.4.1.a) Inputs, I.e. What ln utllized ln (4.4.l.e) Process Activities (4.4.l.e) Responsible Person(s) (4.4.1.a) Outputs, i .e. What output(s) does this recess teed into? Outgoing Process this process? I ncom ing Process v ... - ........... I' I' (4.4.1.1}Methods of Control (4.4.l.c) Measures of Effectiveness (MoE ) in Place? • • Operationa l Risk Identification & Mgt. Risk Management/Matrix Measure J Effectlvenen-+ Target? - Actual? -Met?- Actlon? Quality (DPPMJFPY ?) Time (OTD)? ' . / . . /
  • 87.
    INTERNAL AUDITING PITFALLS -AND SOME PREVENTIVE ACTIONS - Common / Frequent Stumbling Blocks and Some Preventive Steps and Tools for Planning, Conducting, Reporting, Closing Internal Audit 87
  • 88.
    FOUR PHASES TOINTERNAL AUDITS • Planning and Preparing for the Audit • Conducting the Audit • Reporting Results and Writing NCRs • Performing Root Cause Analysis and Implementing and Verifying Corrective Actions All four phases must be addressed for internal audits to be effective ! 88
  • 89.
    PLANNING AND PREPARING PITFALLS •“We always scramble to get our audits done – sometimes we don’t finish them” • Suggestion: Schedule defined processes within your QMS to be done each month – don’t overload auditors • Alternate: Schedule an annual “blitz” of whole system 89
  • 90.
    PLANNING AND PREPARINGPITFALLS • “Some of our processes always seem to have more problems or take longer to audit because they are more complex” • Suggestion: Schedule additional audits of certain processes based on “status” or “importance”. This is a requirement of ISO 9001:2015, 9.2. Internal Audits 90
  • 91.
    PLANNING AND PREPARINGPITFALLS • “Our auditors say they are not sure what to look for when they audit” • Suggestion: Auditors should study applicable sections of the standard, quality manual and procedures, customer and legal requirements. Make a “Turtle” diagram of the process, make a checklist. • Alternate: Hire professional “external” auditors 91
  • 92.
    THE TURTLE DIAGRAM 92 Process WithWhat? (Materials & Equipment) With Whom? (Competence, Skills, Training) How? (Support Processes, Procedures & Methods) What Results? (Performance Indicators) Outputs Inputs Source: AIAG 2003
  • 93.
    CONDUCTING THE AUDIT •“Our auditors rarely report any problems. What they do report is inconsequential” • Suggestion: Audit for effectiveness • Four challenging questions: • “How are you (or your job) doing?” • “How do you know that?” • “Are you improving?” • “How do you know that?” 93
  • 94.
    CONDUCTING THE AUDIT •“Our Certification’s auditor often finds that our procedures don’t match the work” • Suggestion: Audit for three contrasts: • Policy – Is it clearly stated in our manual? • Procedure – Is it up to date, support the policy? Do our people understand it? • Practice – Do we do what we say? Are innovative ways of doing things better being considered, evaluated, approved? • When did you last review procedures ? 94
  • 95.
    CONDUCTING THE AUDIT •“Our auditors don’t know how to follow audit trails or ask the probing questions” • Suggestion: Conduct a “Learning Audit” = Evaluate auditors regularly using a more experienced auditor. Use the “Turtle Diagram” as a source of questions. Ask “Why?” five times when something doesn’t jive with the manual or procedures. Obtain copies of evidence for better reporting. • Practice, evaluate, practice, evaluate ! 95
  • 96.
    REPORTING THE AUDIT •“Our supervisors resent internal audits as useless fault finding” • Suggestion: Start audit reports by summarizing the good areas, especially “best practices”. Include ideas/suggestions for resolving nonconformities (Yes, internal auditors CAN consult!!). Constantly preach that nonconformities are not the end of the world or cause for personnel punishment, but Opportunities for Improvement ! 96
  • 97.
    REPORTING THE AUDIT •“Our nonconformity write-ups are often difficult to understand (What do I do?)” • Suggestion: ALWAYS state three items in Corrective Action Requests (CARs): • The requirement violated (doc/para/text) • The nonconformity (text related to req’t) • The objective evidence (what, where, when) • If you can’t cite the requirement, you shouldn’t write a CAR ! (Maybe an OFI?) 97
  • 98.
    CLOSING THE AUDIT •“Our corrective actions don’t work. The problems keep coming back” • Suggestion: Conduct formal Root Cause Analysis and Effective Corrective Action training for all managers/supervisors • CAR respondees must fully comprehend the difference between correction and corrective action and understand that there is a system cause to the nonconformity, not just “operator error” 98
  • 99.
    CONTAINMENT ( AKA CORRECTION) • In some cases, swift action needs to be taken to contain the problem and prevent any consequences of the problem (“escapes”) from affecting customers • This containment action includes the immediate fixing of the problem at hand, which is referenced in ISO 9000 as correction, which should not be confused with corrective action 99
  • 100.
    CORRECTION VS. CORRECTIVE ACTION •ISO 9000:2005 defines these as: • Correction: Action to eliminate a detected nonconformity (3.6.6) • Corrective action: Action to eliminate the cause of a detected nonconformity or other undesirable situation(3.6.5) • Note 1 There can be more than one cause for a nonconformity • Note 2 Corrective action is taken to prevent recurrence Bold = My emphasis 100
  • 101.
    SOME MORE ADVICE Recognize that there are at least two causes for each quality problem:  A technical cause (and there may be more than one !!!) such as a bearing failure or an operator error and  A system cause such as an ineffective preventive maintenance program or incomplete employee training program or incorrect procedure or work instruction You Must Fix Both (ALL) 101
  • 102.
    EVEN MORE ADVICE •Utilize all appropriate quality tools to get at the root cause, such as: • Ishikawa fishbone cause/effect diagram with the seven M’s as the branches, Man, Machine, Method, Materials, Measure- ments, Mother Nature, Management • “Five Why’s” fault tree analysis diagram, looking for common “grandfathers” as high priority items to fix • Kepner-Tregoe Cause Analysis 102
  • 103.
    ASSURING EFFECTIVENESS • Don’t forget to prevent recurrence by changing the system as appropriate: • Revise procedures, policies, QA Manual • Train/retrain employees, adjust training needs matrix • Inform all who “touch” the process • Look at other processes/products. Can or should the fix(es) be used on them?
  • 104.
    CLOSING THE AUDIT • “Our CARs seem to hang open forever” • Suggestion: Monitor CAR action item timing/commitments, remind owners, and only accept corrective action plans that address true root causes and are appropriate actions • Audit the process to verify that ALL actions have been effectively implemented, other processes have been considered, and there has been NO RECURRENCE since the corrective action was implemented Only then can you close the CAR
  • 105.
    Based on the information given, if you think the situation represents a nonconformity, then write a nonconformity statement that includes the following information: Situation #; area/process being audited; applicable ISO 9001 clause #; whether the nonconformity is major or minor; a clear description of the specific requirement that the situation is nonconforming against; a clear description (finding) of the nonconformity itself, supported by relevant objective evidence. OR, based on the information given, if you do not think there is a nonconformity, then clearly state your reason(s), and also provide at least 3 further actions you would take to gather additional evidence of conformity or nonconformity (had you been there performing the audit).
  • 106.
    CASE STUDY 1 In the purchasing department, the auditor notes that the staff are placing orders over the phone with suppliers using a computerized purchasing system. On inquiry, the auditor is told that the staff has been fully trained and the database holds details of all supplier contract specifications and, therefore, there is no need for an independent review of individual orders.
  • 107.
    CASE STUDY 2 • In the quality manager’s office, the auditor asks to see the schedule for internal audits. This schedule shows that each of the eight QMS processes is audited every six months. The auditor asks the quality manager how the frequency of audits was decided. • The manager says that when the system was set up three years ago, 6-month intervals were specified for all processes. The company has kept to this original schedule. • The auditor asks to see the file containing corrective action requests (CARs). It lists 85 CARs for the past two rounds of internal audits. Of these, 65 CARs are in the production department and the remainder are spread evenly over five other departments. Two departments received no CARs.
  • 108.
    CASE STUDY 3 • In the shipping area, the auditor stops to look at six finished products, serial numbers X245 to X250, in individual cardboard cartons. • The auditor asked the shipper why the items are packed in corrugated cardboard instead of plastic containers as required by packaging work instruction PWI 6, revision 2. • The shipper replied that the shipping supervisor had instructed them to use corrugated cardboard when they ran out of plastic containers three weeks ago.
  • 109.
  • 110.
    For your attendance and participation!