Presentation on Occupational Health & Safety
1. Training on Internal Audit
Conducted By
Kaisar Mahmud
Chief Operating Officer & Principal Consultant
iota Consulting BD
2. Trainer’s Short Profile
Kaisar Mahmud
Academics:
M.Sc. – Advanced Material Engineering (Dong-Eui University, Busan, South Korea)
B.Sc. – Mechanical Engineering (Islamic University of Technology (IUT), Bangladesh)
Profession:
1. HES Engineer (Pipeliners Limited) – 2.2 years
2. OEHS Engineer (ACI Godrej Agrovet Private Limited) – 2.3 years
3. COO & Principal Consultant (iota Consulting BD) – 2 years
3. Experience in Management Consultancy
Client – Project
GIZ (German Organization) – Employee Injury Prevention Scheme (EIPS)
Rahimafrooz Renewable Energy – Conversion from OHSAS 18001 to ISO 45001:2018
Bangladesh Edible Oil Limited – ISO 45001:2018
BSRM – ISO 45001:2018
GPH Ispat Limited – ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018
GIZ (German Organization) – GBQP (STeP by OEKO-TEX)-100 factories
Rangs Motors Workshop Limited – ISO 9001:2015
Baraka Power Limited – ISO 9001:2015 & ISO 45001:2018
BPDB – ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018 (200+ locations)
IBBL, SEBL, DBL etc. – ISO 27001:2013 (Training)
5. Learning Topics (Session 1)
• PDCA Cycle
• Process of ISO Certification
• What is Audit
• Why we need to do Audit
• Why we need to do Internal Audit
• Why we need to do External Audit
• Principles of Auditing
• Audit Process
• Important Definitions
• What to do when an incident/nonconformity occurs?
• How to Prepare an Audit Checklist
• Clauses to Cover by Process
6. PDCA Cycle
• Plan what you are doing
• Do what you said you would do
• Check that you did it right
• Act on anything that went wrong to avoid errors of the same nature in future
9. Certification Process
• Stage 1 Audit: Documentation Audit
• Stage 2 Audit: Site Audit
• 1st Surveillance Audit
• 2nd Surveillance Audit
3 Year Validity
10. What is Audit:
Systematic, independent and documented process for obtaining audit
evidence and evaluating it objectively to determine the extent to which
the audit criteria are fulfilled.
11. Why we need to do Audit?
• Part of Performance Evaluation
Why we need to do Internal Audit?
• Requirement of ISO 9001:2015, Clause 9.2
• Internal people know what system gaps they have
Why we need to do External Audit?
• For Certification from the Certification Body
• A third eye can see things which internal people can't see.
12. Principles of Auditing
Integrity: The foundation of professionalism
Auditors and the individual(s) managing an audit programme should:
— perform their work ethically, with honesty and responsibility;
— only undertake audit activities if competent to do so;
— perform their work in an impartial manner, i.e. remain fair and
unbiased in all their dealings;
— be sensitive to any influences that may be exerted on their judgement
while carrying out an audit.
13. Principles of Auditing (Cont.)
Fair Presentation: the obligation to report truthfully and accurately
Audit findings, audit conclusions and audit reports should reflect
truthfully and accurately the audit activities. Significant obstacles
encountered during the audit and unresolved diverging opinions
between the audit team and the auditee should be reported. The
communication should be truthful, accurate, objective, timely, clear and
complete.
14. Principles of Auditing (Cont.)
Due professional care: the application of diligence and judgment in
auditing
Auditors should exercise due care in accordance with the importance of
the task they perform and the confidence placed in them by the audit
client and other interested parties. An important factor in carrying out
their work with due professional care is having the ability to make
reasoned judgments in all audit situations.
15. Principles of Auditing (Cont.)
Confidentiality: security of information
Auditors should exercise discretion in the use and protection of
information acquired in the course of their duties. Audit information
should not be used inappropriately for personal gain by the auditor or the
audit client, or in a manner detrimental to the legitimate interests of the
auditee. This concept includes the proper handling of sensitive or
confidential information.
16. Principles of Auditing (Cont.)
Independence: the basis for the impartiality of the audit and objectivity
of the audit conclusions
Auditors should be independent of the activity being audited wherever
practicable, and should in all cases act in a manner that is free from bias
and conflict of interest. For internal audits, auditors should be
independent of the function being audited if practicable. Auditors should
maintain objectivity throughout the audit process to ensure that the audit
findings and conclusions are based only on the audit evidence.
For small organizations, it may not be possible for internal auditors to
be fully independent of the activity being audited, but every effort
should be made to remove bias and encourage objectivity.
17. Principles of Auditing (Cont.)
Evidence-based approach: the rational method for reaching reliable
and reproducible audit conclusions in a systematic audit process
Audit evidence should be verifiable. It should in general be based on
samples of the information available, since an audit is conducted during
a finite period of time and with finite resources. An appropriate use of
sampling should be applied, since this is closely related to the
confidence that can be placed in the audit conclusions.
18. Principles of Auditing (Cont.)
Risk-based approach: an audit approach that considers risks and
opportunities
The risk-based approach should substantively influence the planning,
conducting and reporting of audits in order to ensure that audits are
focused on matters that are significant for the audit client, and for
achieving the audit programme objectives.
19. Audit Process
• Intent Audit
• Implementation Audit
• Effectiveness Audit
Every requirement needs to be audited in these 3 steps, and a
nonconformity in any of these 3 steps will lead to a nonconformity of
that requirement.
21. Important Definitions: (ISO 19011:2018)
Audit Scope:
extent and boundaries of an audit (3.1)
• Note 1 to entry: The audit scope generally includes a description of the physical and virtual locations, functions, organizational units, activities and processes, as well as the time period covered.
• Note 2 to entry: A virtual location is where
an organization performs work or provides a
service using an on-line environment
allowing individuals irrespective of physical
locations to execute processes.
22. Important Definitions: (ISO 19011:2018)
Audit Criteria
set of requirements (3.23) used as a reference against
which objective evidence (3.8) is compared
• Note 1 to entry: If the audit criteria are legal (including
statutory or regulatory) requirements, the words
“compliance” or “non-compliance” are often used in an
audit finding (3.10).
• Note 2 to entry: Requirements may include policies,
procedures, work instructions, legal requirements,
contractual obligations, etc.
24. Important Definitions:
Objective Evidence:
data (3.8.1) supporting the existence or verity of
something
• Note 1 to entry: Objective evidence can be
obtained through observation, measurement
(3.11.4), test (3.11.8), or by other means.
• Note 2 to entry: Objective evidence for the purpose of audit (3.13.1) generally consists of records (3.8.10), statements of fact or other information (3.8.2) which are relevant to the audit criteria (3.13.7) and verifiable.
25. Important Definitions:
Record:
document (3.8.5) stating results achieved or providing evidence of activities
performed
Document:
information (3.8.2) and the medium on which it is contained
Documented Information:
information (3.8.2) required to be controlled and maintained by an
organization (3.2.1) and the medium on which it is contained
26. Important Definitions:
Nonconformity:
non-fulfilment of a requirement
Correction:
action to eliminate a detected nonconformity
Corrective Action:
action to eliminate the cause of a nonconformity
Preventive Action:
action to eliminate the cause of a potential nonconformity
Risk Assessment
27. What to do when an incident/nonconformity occurs?
Correction
Root Cause Analysis
Corrective Action
Revise HIRA
Share the lesson learnt
Report the incident
30. Audit Checklist (Sample)
Auditor: Process/Department:
Auditee: Date & Time:
Columns: Ref Doc. (If any); Standard Reference; To Check; Duration; Audit Findings; Remarks/Trail Audit

Ref Doc.: Manual-05 QMS Manual
Standard Reference: 7.5.2 and 7.5.3
To Check:
- To check that the procedure for creation, update and control of documented information for the QMS is in line with clause no. 7.5.2 and 7.5.3 of ISO 9001:2015
Duration: 30

Ref Doc.: RA-02 Risk Assessment Report
Standard Reference: 6.1
To Check:
- To check whether they are assessing the risk and the assessment is effective.
- Check the control plans, if those are effective and attainable.
- Interview several employees to verify that they know about the risk and respective control measures.
- To verify one or two pieces of evidence of the control plan for the risk being managed.
Duration: 45

Ref Doc.: PM 01 measurement and monitoring of system performance, Plan for measurement and monitoring, Internal Audit Report, Management Review Meeting Minutes
Standard Reference: 9.1, 9.2 and 9.3
To Check:
- To check if there is a program for monitoring, measurement, analysis and evaluation.
- To check that monitoring, measurement, analysis and evaluation have been carried out as per plan.
- To see that the MRM minutes include the discussion of the previous MRM.
- To see that the QMS performance is discussed and evaluated in the MRM.
Duration: 45
31. Clauses to Cover by Process:
Sl. No. Clause Process/ Dept.
1 4.1, 4.2, 4.3 Top Management, Admin, Operation/production
2 4.4 All Process
3 5.1, 5.2, 5.3 Top Management, Admin
4 6.1, 6.2 All Process
5 7.1 HR & Admin, Operations/Production
6 7.2, 7.3 HR & Admin
7 7.4 HR, Operations/production, All process
8 7.5 MR, Admin
9 8 Operations/Production, All process
10 8.1.3 Top Management, Admin
11 8.2 Operations/Production, Maintenance
12 9 Operations/Production, Maintenance
13 10 All process
32. Some important things to remember
• Sampling can be done for collecting evidence from different processes
• Sampling cannot be done from the standard; all the clauses must be audited or come under the process
• The auditor should keep in mind that there are a lot of things which he/she doesn't know
• The intention of the audit is not to find fault, but to improve the system
• The audit result needs to be effectively utilized by taking proper Corrective Actions
34. Learning Topics (Session 2)
• Overview of typical process of collecting and verifying information
• Auditor Evaluation Method
• Audit Program
• Audit Plan
• Opening Meeting
• Sample Auditing
• Process flow of Management of an Audit Program
• Implementing Audit Program
• Closing Meeting
• Audit Findings
• How to Write an Audit Report
• How to write an NC Report
37. Audit Program
Title:
Audit Location:
Preparing Date:
Standards:
Auditing Period
Department to be Audited Auditors Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Top Management P
HR, Admin & Accounts P P
Engineering & Operation P P
Production/Operation P P
Procurement P P
OHS P P P P
38. Audit Plan
Date of Audit Department/Process Auditor Auditee Hour
Day 1
Opening Meeting X, Y, Z All Auditees, IPs 10:00AM-10:30AM
Top Management X, Y A 10:30AM-11:00AM
Document Review X, Y B 11:00AM-12:00PM
Procurement Z C 10:30AM–12:00PM
HR Admin & Accounts X,Y D 11:00AM-12:00PM
Store Z E 11:00AM-12:00PM
Operations/Production X, Y, Z F, P, Q 02:00PM-04:00PM
Day 2
Quality Control X G 10:00AM-01:00PM
Calibration Y H 10:00AM-01:00PM
Testing Z I 10:00AM-01:00PM
Team Liaison Meeting X, Y, Z - 02:00PM-03:00PM
Closing Meeting X, Y, Z All Auditees, IPs 03:00PM-04:00PM
39. Opening Meeting:
Purpose:
a) confirm the agreement of all participants
(e.g. auditee, audit team) to the audit plan;
b) introduce the audit team and their roles;
c) ensure that all planned audit activities can
be performed.
40. Opening Meeting: (ISO 19011:2018)
Confirmation of the following items should be considered, as appropriate:
• the audit objectives, scope and criteria;
• the audit plan and other relevant arrangements with the auditee, such as the date
and time for the closing meeting, any interim meetings between the audit team
and the auditee’s management, and any change(s) needed;
• formal communication channels between the audit team and the auditee;
• the language to be used during the audit;
• the auditee being kept informed of audit progress during the audit;
• the availability of the resources and facilities needed by the audit team;
• matters relating to confidentiality and information security;
• relevant access, health and safety, security, emergency and other arrangements
for the audit team;
• activities on site that can impact the conduct of the audit.
42. Opening Meeting:
The presentation of information on the following items should be
considered, as appropriate:
• the method of reporting audit findings including criteria for grading, if
any;
• conditions under which the audit may be terminated;
• how to deal with possible findings during the audit;
• any system for feedback from the auditee on the findings or
conclusions of the audit, including complaints or appeals.
45. Implementing Audit Program (5.5)
The individual(s) managing the audit programme should:
a) communicate the relevant parts of the audit programme, including
the risks and opportunities involved, to relevant interested parties and
inform them periodically of its progress, using established external and
internal communication channels;
b) define objectives, scope and criteria for each individual audit;
c) select audit methods (see A.1);
d) coordinate and schedule audits and other activities relevant to the
audit programme;
e) ensure the audit teams have the necessary competence (see 5.5.4);
46. Implementing Audit Program (5.5)
f) provide necessary individual and overall resources to the audit teams (see
5.4.4);
g) ensure the conduct of audits in accordance with the audit programme,
managing all operational risks, opportunities and issues (i.e. unexpected
events), as they arise during the deployment of the programme;
h) ensure relevant documented information regarding the auditing activities
is properly managed and maintained (see 5.5.7);
i) define and implement the operational controls (see 5.6) necessary for
audit programme monitoring;
j) review the audit programme in order to identify opportunities for its
improvement (see 5.7).
47. Defining the objectives, scope and criteria
for an individual audit
The audit objectives define what is to be accomplished by the individual audit and may
include the following:
a) determination of the extent of conformity of the management system to be audited, or
parts of it, with audit criteria;
b) evaluation of the capability of the management system to assist the organization in
meeting relevant statutory and regulatory requirements and other requirements to which the
organization is committed;
c) evaluation of the effectiveness of the management system in meeting its intended
results;
d) identification of opportunities for potential improvement of the management system;
e) evaluation of the suitability and adequacy of the management system with respect to the
context and strategic direction of the auditee;
f) evaluation of the capability of the management system to establish and achieve
objectives and effectively address risks and opportunities, in a changing context,
including the implementation of the related actions.
48. Selecting and determining audit methods
Audits can be performed on-site, remotely or as a combination
The use of these methods should be suitably balanced, based on, among others,
consideration of associated risks and opportunities
Where two or more auditing organizations conduct a joint audit of the same auditee,
the individuals managing the different audit programmes should agree on the audit
methods and consider implications for resourcing and planning the audit.
Sampling: how much or percentage?
49. Selecting audit team members
• Identification of the competence needed to achieve the objectives of the audit
• Selection of the audit team members so that the necessary competence is present in the audit team
Note: If the necessary competence is not covered by the auditors in the audit team, technical experts
with additional competence should be made available to support the team
50. Assigning responsibility for an individual
audit to the audit team leader
To ensure the effective conduct of the individual audits, the following information should be provided to the audit team leader:
a) audit objectives;
b) audit criteria and any relevant documented information;
c) audit scope, including identification of the organization and its functions and processes to be audited;
d) audit processes and associated methods;
e) composition of the audit team;
f) contact details of the auditee, the locations, time frame and duration of the audit activities to be conducted;
g) resources necessary to conduct the audit;
h) information needed for evaluating and addressing identified risks and opportunities to the achievement of the audit objectives;
i) information that supports the audit team leader(s) in their interactions with the auditee for the effectiveness of the audit program.
51. Assigning responsibility for an individual
audit to the audit team leader
The assignment information should also cover the following, as appropriate:
• Working and reporting language of the audit where this is different from the language of the auditor or the auditee, or both
• Audit reporting output as required and to whom it is to be distributed
• Matters related to confidentiality and information security, as required by the audit program
• Any health, safety and environmental arrangements for the auditors
• Requirements for travel or access to remote sites
• Any security and authorization requirements
• Any actions to be reviewed, e.g. follow-up actions from a previous audit
• Coordination with other audit activities, e.g. when different teams are auditing similar or related processes at different locations or in the case of a joint audit
52. Managing audit programme results
The individual(s) managing the audit programme should ensure that the
following activities are performed:
a) evaluation of the achievement of the objectives for each audit within
the audit programme;
b) review and approval of audit reports regarding the fulfilment of the
audit scope and objectives;
c) review of the effectiveness of actions taken to address audit findings;
d) distribution of audit reports to relevant interested parties;
e) determination of the necessity for any follow-up audit.
53. Managing and maintaining audit program
records:
a) Records related to the
audit program, such as:
— schedule of audits;
— audit program objectives
and extent;
— those addressing audit
program risks and
opportunities, and relevant
external and internal issues;
— reviews of the audit
program effectiveness
b) Records related to each
audit, such as:
— audit plans and audit
reports;
— objective audit evidence
and findings;
— nonconformity reports;
— corrections and
corrective action reports;
— audit follow-up reports.
c) Records related to the
audit team covering topics
such as:
— competence and
performance evaluation of
the audit team members;
— criteria for the selection
of audit teams and team
members and formation of
audit teams;
— maintenance and
improvement of competence.
54. Closing Meeting
The audit team should confer prior to the closing meeting in order to:
a) review the audit findings and any other appropriate information
collected during the audit, against the audit objectives;
b) agree on the audit conclusions, taking into account the uncertainty
inherent in the audit process;
c) prepare recommendations, if specified by the audit plan;
d) discuss audit follow-up, as applicable.
55. Content of Audit Conclusion
Audit conclusions should address issues such as the following:
a) the extent of conformity with the audit criteria and robustness of the
management system, including the effectiveness of the management system
in meeting the intended outcomes, the identification of risks and effectiveness
of actions taken by the auditee to address risks;
b) the effective implementation, maintenance and improvement of the
management system;
c) achievement of audit objectives, coverage of audit scope and fulfilment of
audit criteria;
d) similar findings made in different areas that were audited or from a joint or
previous audit for the purpose of identifying trends.
If specified by the audit plan, audit conclusions can lead to recommendations
for improvement, or future auditing activities.
56. Audit Findings
• Conformity
• Strong Point
• Opportunity for Improvement
• Observation
• Nonconformity:
• Minor Nonconformity
• Major Nonconformity
57. Major and Minor Nonconformities
[Diagram labels: Requirement; HR & Admin, Calibration, Production, Accounts, Testing, Training, Store]
59. Observation & OFI
Observation:
The practice does not violate any requirements directly, but has the potential to become a nonconformity if it continues.
Opportunity For Improvement:
The present practice does not violate any requirement and also will not lead to any potential nonconformity. It is an additional suggestion based on the auditor's experience to strengthen the practice.
60. Some common audit questions:
Audit Process – Examples
Intent Audit:
1) Quality Policy available as per ISO 9001:2015 Clause 5.2?
2) Process flowchart available as per clause 4.4?
3) Is the correct version of documents used?
Implementation Audit:
1) Is work done following the ISO 9001:2015 standard?
2) Is work done following the process defined in the Manual, Procedures and SOPs?
Effectiveness Audit:
1) Is the output of the processes as per the intended outcome?
2) Are the processes effective?
3) Is there any opportunity to improve the process?
61. Audit Report
Audit Report (Page 1)
Name of Auditor: Designation Dept.
Name of Auditee: Designation Dept.
Audit Criteria:
Audit Scope:
Date of Audit:
Audit Summary:
Number of Nonconformities:
Major Nonconformities:
1)
2)
3)
62. Audit Report (Continuation)
Audit Report (Page 2)
Minor Nonconformities:
1)
2)
3)
No. of Strong Points:
Dept. A:
Dept. B:
Dept. C:
No. of Opportunities for Improvement (OFI):
Dept. A:
Dept. B:
Dept. C:
No. of Observations:
Dept. A:
Dept. B:
Dept. C:
Lead Auditor Name: Management Representative’s Name:
Signature: Signature:
63. Nonconformity Correction NC Report
Root Cause Analysis
Corrective Action
Corrective Action Closed & Recorded
65. Nonconformity Report (Continuation)
Major/Minor 9.1 NC against ISO Standard clause #:
9.2 NC against Manual/Procedure/SOP clause #:
Auditor’s Signature Auditee’s Signature
10. Correction:
11. Root Cause*² Identification (Why - Why Analysis): (if needed, use additional page and attach with this form)
12. Proposed Corrective Action:
12.1 Signature of Authorized 12.2 Name of FPR: 12.3 Target Date of Completion:
13. Implementation Report of Corrective Action:
68. Learning Topics (Session 3)
• Conduct a Demo Opening Meeting
• Understand the Requirements of the standard
• How to make audit checkpoint
• How to seek objective evidence
• How to perform as an Auditor
• How to perform as an Auditee
• How to conduct Intent Audit
• How to conduct Implementation Audit
• How to conduct an Effectiveness Audit
• Conduct a Demo Closing Meeting
• Attitude during audit
69. Demo Audit
• Form 3 groups
• Group 1: Auditor (Lead the audit)
• Group 2: Auditee (Answer the audit questions)
• Group 3: Observer (Find the gaps of auditor and auditee team)
• Open a standard (ISO 9001:2015) and read out a requirement loud and
clear and try to make audit questions from it.
70. Demo Audit
• Conduct a Demo Opening Meeting with these three groups, then
interchange the roles and do it again. The trainer will give a demo first which
the others will follow.
• Conduct a Demo Audit by opening the Audit Checklist of the standard
and let the auditors question the auditee. The trainer will check if they
are doing it correctly. The audit will be conducted in a Power Plant of
BPDB.
• Conduct a Closing Meeting Demo with the three groups, similar to the
opening meeting. Try to focus on the Audit Findings and how to agree
on those with the Auditees.
71. Demo Internal Audit Findings in Closing Meeting:
Sl. No. Type of Findings No. of Findings
1 Strong Point 4
2 OFI 2
3 Observation 4
4 Nonconformity 2
Total 12
75. Attitude during Audit:
• Be Positive
• Do not argue with the auditee on some irrelevant issue
• Know that Auditees are the expert in their sections/process
• Try to collect evidence that is appropriate. Don’t be so biased to
collect evidence that you think is correct.
• Think of Intent Audit, Implementation Audit and Effectiveness Audit
• Try to find out the effectiveness of the process, how it can be more
improved, and think outside the box.
• Conclude your decision based on objective evidence. Don’t let anyone
judge you wrong.