Issue 1 December, 2008 QMS-030-01-EN-GX © 2008 BSI Management Systems raising standards worldwide TM The British Standards Institution

Iso Internal Auditor

Sep 13, 2014


Presentation I did about ISO internal Auditor
Transcript
Page 1: Iso Internal Auditor

Issue 1 December, 2008 QMS-030-01-EN-GX © 2008 BSI Management Systems

raising standards worldwide TM

The British Standards Institution

Page 2: Iso Internal Auditor

ISO Internal Auditor Compliance Management

Prepared & Presented by

Yamin K Hajeej

Page 3: Iso Internal Auditor

Table of Content

1 Introduction to Auditing
2 The Process Approach and Process Auditing
3 Managing an Audit Program
4 Audit Activities
5 Auditor Competence and Responsibilities
6 Conclusion

Page 4: Iso Internal Auditor

Introduction to Auditing

Page 5: Iso Internal Auditor

Auditing

• What is an audit?
  - Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (ISO 19011:2002 clause 3.1)
• Why audit?
  - Requirement of ISO 9001:2008
  - Monitor and measure the management system
  - Promote continuous improvement of the management system

Page 6: Iso Internal Auditor

Principles of Auditing

• Principles relating to auditors:
  - Ethical conduct
  - Fair presentation
  - Due professional care
• Principles relating to audit:
  - Independence
  - Evidence-based approach

4.0

Note: reference to ISO 19011:2002 clause number

Page 7: Iso Internal Auditor

Benefits of Auditing

• Verifies conformity to requirements
• Increases awareness and understanding
• Provides a measurement of effectiveness of the management system to top management
• Reduces risk of management system failure
• Identifies improvement opportunities
• Continuous improvement if performed regularly

Page 8: Iso Internal Auditor

Types of Audit

• Registration / Certification
• Product
• Customer contract
• Gap assessment / Pre-assessment
• Surveillance
• Combined audit / joint audit

Page 9: Iso Internal Auditor

The Process Approach and Process Auditing

Page 10: Iso Internal Auditor

Process Approach

The process approach emphasizes the importance of:

• Understanding and meeting requirements
• Looking at processes in terms of added value
• Obtaining results of process performance
• Continual improvement of process

Page 11: Iso Internal Auditor

PDCA (Plan-Do-Check-Act)

The Plan-Do-Check-Act (PDCA) methodology applies to all processes

[Diagram: "Your Process" at the centre of the Plan → Do → Check → Act cycle, with Continual Improvement]

• Plan:
  - Activities
  - Controls
  - Documentation
  - Resources
  - Objectives
• Do:
  - Deploy and conform with plan
• Check:
  - Measure and monitor for conformity and effectiveness
• Act:
  - Analyze/review
  - Decide/change
  - Improve effectiveness

Page 12: Iso Internal Auditor

Management System Standards and the Process Approach

• ISO 9001:2008:
  - Is based upon the PDCA cycle which can be applied to processes
  - Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a QMS
• ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits

Page 13: Iso Internal Auditor

Applying the Process Approach to Auditing

Auditors can apply the process approach to auditing by ensuring the auditee:
• Can define the objectives, inputs, outputs, activities, and resources for its processes
• Analyzes, monitors, measures, and improves its processes
• Understands the sequence and interaction of its processes

Page 14: Iso Internal Auditor

Process Auditing Approaches

Individual Process:
• Input / Output / Value-added Activity
• Plan-Do-Check-Act
• Resources

Relationship with other processes:
• Flow / Sequence / Linkage / Combination
• Interaction / Communication
• Evidence
• Customer and supplier contract(s)

Page 15: Iso Internal Auditor

Process Auditing “Turtle Diagram”

[Diagram: the process at the centre, surrounded by the following elements]

• Process (specific value-added activities)
• Inputs: From Whom / Where
• Outputs: To Whom / Where
• With what? Resources
• With who? Personnel
• How done? Methods / Documentation
• What results? Performance indicators

Page 16: Iso Internal Auditor

Process Auditing Example

Process: Contract Review

With what?
• Order processing system

With who?
• Customers
• Competent sales and processing staff

What results?
• Order processing time
• Number of orders
• Value of orders
• Contract accuracy

Outputs
• Production/Service Delivery

Inputs
• Customer requirements
• Sales staff

How done?
• IT system
• Processing system
• Terms and conditions
• Contract review procedure

Page 17: Iso Internal Auditor

Managing an Audit Program

Page 18: Iso Internal Auditor

Managing an Audit Program Process Flow

AUTHORIZE → ESTABLISH (PLAN) → IMPLEMENT (DO) → MONITOR & REVIEW (CHECK) → IMPROVE (ACT)

• ESTABLISH:
  - OBJECTIVES
  - EXTENT
  - ROLES
  - RESOURCES
  - PROCEDURES
• IMPLEMENT:
  - SCHEDULE AUDITS
  - EVALUATE AUDITORS
  - SELECT TEAMS
  - DIRECT ACTIVITIES
  - MAINTAIN RECORDS
• MONITOR & REVIEW:
  - MONITOR
  - REVIEW
  - IDENTIFY NEED FOR CA/PA
  - IDENTIFY OPPORTUNITIES TO IMPROVE

AUDITOR COMPETENCE & EVALUATION

SPECIFIC AUDIT ACTIVITIES

5.1

Page 19: Iso Internal Auditor

Audit Activities

Page 20: Iso Internal Auditor

Typical Audit Activities

• Initiating the Audit
• Conducting Document Review
• Preparing for On-site Activities
• Conducting On-site Activities
• Preparing, Approving, Distributing Audit Report
• Completing the Audit
• Conducting Audit Follow-up

PLAN / DO / CHECK / ACT

6.1

Page 21: Iso Internal Auditor

Audit Program

• Top management should authorize responsibility for program management to:
  - Establish, implement, review, and improve the audit program
  - Identify the necessary resources and ensure they are provided
• Organization should develop audit program processes
• Program should be managed by a member of the organization
• Keep appropriate audit records to monitor and review the audit program

Page 22: Iso Internal Auditor

Audit Program Responsibilities

• Top management should authorize responsibility for program management

• Those assigned responsibility should:
  - Establish, implement, review, and improve the audit program
  - Identify the necessary resources and ensure they are provided

Page 23: Iso Internal Auditor

Initiating the Audit

Initiating the audit includes:
• Appointing the audit team leader
• Defining audit objectives, scope, criteria
• Determining feasibility of the audit
• Selecting the audit team
• Establishing initial contact with the auditee

6.2

Page 24: Iso Internal Auditor

Defining Audit Objectives, Scope, Criteria

Audit objectives may include:
• Determining the extent of conformity of auditee's QMS with audit criteria
• Evaluation of capability of QMS to ensure compliance with statutory, regulatory, and contractual requirements
• Evaluation of effectiveness of the QMS to meet its objectives
• Identification of areas of improvement

6.2.2

Page 25: Iso Internal Auditor

Selecting the Audit Team

For team size and competence, consider:
• Audit objectives, scope, criteria, and duration
• Whether audit is combined or joint
• Competence of team to meet objectives
• Statutory, regulatory, contractual and accreditation/certification requirements
• Independence of the team

6.2.4

Page 26: Iso Internal Auditor

Auditor Competence and Responsibilities

Page 27: Iso Internal Auditor

Auditor Competence

• Auditor competence is based on:
  - Personal attributes
  - Application of knowledge and skills

• Competence is to be developed, maintained, and improved

7.1

Page 28: Iso Internal Auditor

Auditor Competence - Personal Attributes

Personal attributes:
• Ethical
• Diplomatic
• Open-minded
• Observant
• Perceptive
• Versatile
• Tenacious
• Decisive
• Self-reliant

7.2

Page 29: Iso Internal Auditor

Auditor Competence - Generic Knowledge and skills

Auditor skills and competence could include:
• Audit principles, procedures, and techniques
• Management system and reference documents
• Organizational situations
• Laws, regulations, and other requirements

7.3.1

Page 30: Iso Internal Auditor

Auditor Competence - Specific Knowledge and skills

Specific knowledge and skills for quality auditors could include:
• Quality methods and techniques
• Quality terminology
• Quality management tools and their application
• Processes and products/services specific to the sector being audited

7.3.3

Page 31: Iso Internal Auditor

Auditor Responsibilities

• Arrive on time
• Maintain confidentiality
• Be objective and ethical
• Support the audit team and team leader
• Plan and prepare work documents
• Inform auditees of the audit process
• Document and support all findings
• Keep auditee informed
• Safeguard all documents
• Prepare the audit report

Page 32: Iso Internal Auditor

Audit Activities (Continued)

Page 33: Iso Internal Auditor

Audit Planning

• Determine the objective of the audit
• Identify specified requirements
• Determine audit duration and resources needed
• Select the team
• Contact the auditee – agree the date(s)
• Draw up audit plan
• Brief the team
• Prepare work documents

Page 34: Iso Internal Auditor

Conducting Document Review

A review of documentation:
• Should be conducted prior to on-site audit activities unless deferring review is not detrimental to the effectiveness of the audit
• May include relevant QMS documents, records, and previous audit reports
• May include a preliminary site visit

6.3

Page 35: Iso Internal Auditor

Prepare Work Documents

• Prepare work documents
• Use as a reference and for recording audit proceedings
• Include checklists, sampling plans and forms, ISO 9001:2008 standard, etc.
• Keep checklists flexible to allow changes resulting from information collected during the audit
• Safeguard any confidential and proprietary information
• Retain work documents and records

Page 36: Iso Internal Auditor

Checklists Preparation

One approach is to:
• Identify audit scope and process(es) within scope
• Identify applicable factors (inputs, outputs, measures, resources, etc.)
• Use these points and other requirements (ISO 9001:2008, system documentation, etc.) to:
  - Plan what to look at
  - Plan what to look for (audit evidence)
• Prepare checklist

Page 37: Iso Internal Auditor

Checklists Structure

Audit checklist structure:

Process/Activity Audited:

| Requirement | Source | Evidence | Notes |
|---|---|---|---|
| ISO 9001:2008 clause # or other requirement | What to “look at” | What to “look for” | Notes |

Page 38: Iso Internal Auditor

Conduct on-Site Audit Activities

• Conduct opening meeting
• Communicate during the audit
• Explain roles and responsibilities of participants
• Collect and verify information
• Generate audit findings
• Prepare audit conclusions
• Conduct closing meeting

6.5

Page 39: Iso Internal Auditor

Opening Meeting

• Hold opening meeting with auditee top management and those responsible for processes audited
• Meeting may be informal
• Chaired by team leader
• Audit team present
• Purpose is to confirm all prior arrangements

6.5.1

Page 40: Iso Internal Auditor

Collecting and Verifying Information

Sources of information → Collect by appropriate sampling & verification → Evaluate against audit criteria → Review → Audit Conclusions

Page 41: Iso Internal Auditor

Auditing Process - Collect & Verify information

• Collect information relevant to:
  - Audit objectives, scope, and criteria
  - Interfaces between functions, activities and processes
• Collect audit evidence by appropriate sampling and verify and record it
• Be aware of sampling limitations, if acting on the audit conclusion

• Use only information that is verifiable as audit evidence

6.5.4

Page 42: Iso Internal Auditor

Auditing Process - Techniques to Obtain Audit Evidence

• Interview:
  - Personnel that manage, perform, and verify activities
  - Also ensure they are responsible for the activity being audited
  - Listen carefully to responses
• Observe:
  - Identity, status, condition, processes, equipment, activities, environment, and people

6.5.4

Page 43: Iso Internal Auditor

Auditing Process - Audit Evidence

• Review documents that describe:
  - Activities
  - Plans
  - Controls
  - Strategies
  - Exercises tests
• Review records for evidence of conformity to documents
• Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable
• Audit evidence may be qualitative or quantitative

Page 44: Iso Internal Auditor

Communication and interpersonal skills

• Put auditee at ease
• Ask short questions and listen
• Reflect right attitude, tone of voice, body language, and facial expressions
• Smile and show eye contact
• Avoid interruptions
• Avoid off-the-cuff and condescending remarks
• Give praise when appropriate

Page 45: Iso Internal Auditor

Communication and interpersonal skills

• Show interest
• Be tactful and polite
• Show patience and understanding
• Remember to say please and thank you
• Ask the right person
• Don't say you understand when you do not

Page 46: Iso Internal Auditor

Questioning Techniques

• Open question
  - Using why, who, what, where, when, or how gets more than a yes or no answer
• Expansive question
  - Further elaborates the current point
• Opinion question
  - Asks opinion about current point
• Non-verbal
  - Uses body language, for example: raise eyebrow to elicit further information

Page 47: Iso Internal Auditor

Questioning Techniques

• Repetitive question
  - Repeats back response in form of a question
• Hypothetical question
  - Uses what if, suppose that, etc.
• Closed question
  - Gets yes or no answer
  - Avoid using too often
  - Used for confirmation
• Silence
  - Draws more information

Page 48: Iso Internal Auditor

Note Taking

• Notes could be used as reference for:
  - Immediate investigation
  - Investigation later
  - Use by a colleague
  - Subsequent audits
• Notes taken during an audit are a record of:
  - The audit sample taken
  - What was reported
  - What was observed
• Notes may be referenced by subsequent auditor

Page 49: Iso Internal Auditor

Sampling

• Samples should test the effectiveness of the system and should be:
  - Representative
  - Structured
  - Independently selected
• Sample size should be based on:
  - Risk
  - Importance
  - Status
  - Findings from the previous/current audit

Page 50: Iso Internal Auditor

Control of the Audit

• Checklist is an aid, not a requirement
• If potential audit trails appear, decide to:
  - Disregard
  - Note for later
  - Follow up immediately
• Following audit trails may affect:
  - Sample size
  - Audit plan

Page 51: Iso Internal Auditor

Handling Difficult Situations

Examples:
• Uncooperative
• Long telephone calls
• Cannot find document
• Unprepared
• Constant interruptions
• Provocation
• Long-winded auditees
• Interdepartmental or personality conflicts
• Diversionary tactics
• Language
• Noisy environment
• Boastful
• Called away
• Volunteered information

Page 52: Iso Internal Auditor

Establish the Facts - Judgment in the Audit Process

• Audit focus must be on conformity and effectiveness, NOT on finding nonconformities

• The auditee must be given the benefit of any doubt where there is insufficient audit evidence

Page 53: Iso Internal Auditor

Establish the Facts

• Discuss concerns
• Verify the findings
• Record all the evidence:
  - Exact observation
  - Where, what, etc.
• Establish why a nonconformity or otherwise
• State who (if relevant) – preferably by job title
• Obtain agreement with the facts

Page 54: Iso Internal Auditor

Generate Audit Findings

• Evaluate audit evidence against audit criteria to generate audit findings

• Indicate if findings are conformities, nonconformities or opportunities for improvement

• Meet (audit team) to review findings
• Specify (with supporting evidence) or summarize conformity by location, function, or processes, as required by audit plan

6.5.5

Page 55: Iso Internal Auditor

Nonconformity

• Non-fulfillment of a specified requirement:
  - Not doing it
  - Partially doing it
  - Doing it the wrong way
• Specified requirement:
  - Conditions of the customer contract
  - Quality standard (ISO 9001:2008)
  - Quality management system
  - Statutory or regulatory requirements

6.5.5

Page 56: Iso Internal Auditor

Generate Audit Findings

• Record nonconformity findings and supporting evidence
• Obtain auditee acknowledgement of nonconformities for accuracy and understandability
• Try and resolve differences of opinion
• Keep a record of unresolved issues

6.5.5

Page 57: Iso Internal Auditor

Nonconformity - Minor

• Failure to comply with a requirement which (based on judgment and experience) is not likely to result in QMS failure
• Single observed lapse or isolated incident
• Minimal risk of nonconforming product or service
• Examples:
  - A two month lapse in the internal audit program
  - A training record not available
  - No actions taken to improve system based on previous result findings

Page 58: Iso Internal Auditor

Nonconformity - Major

• Absence or total breakdown of a system to meet a requirement
• A number of minors related to the same clause or requirement
• A nonconformity that experience and judgment indicate will likely result in QMS failure or significantly reduce its ability to assure controlled processes and products

Page 59: Iso Internal Auditor

Nonconformity - Major

Examples:
• No documented procedure for a required documented ISO 9001:2008 process/activity
• Document changes routinely made without authorization
• No awareness program for the quality management system
• No future planned internal audits
• Insufficient scope
• Numerous minor nonconformities found in the production process

Page 60: Iso Internal Auditor

Nonconformity - Classifying the Nonconformity

Consider the seriousness:
• What could go wrong if the nonconformity remains uncorrected?
• Is it likely the system would detect it before the customer is affected?
• If you are not certain it is a nonconformity, it is not.

You must have:
  - A requirement that has been broken
  - Proof that it has been broken

Page 61: Iso Internal Auditor

Nonconformity - Good Report Examples

QMS Nonconformity Report

Incident Number: 1

Company under audit: XYZ, Inc.

Area under Review: Purchasing

ISO 9001 Clause number: 7.4

Category: Major / Minor

Requirement:

Clause 7.4.1 of ISO 9001:2008 requires that the organization establish criteria for evaluation and re-evaluation of suppliers.

Nonconformity Findings:

Upon speaking with the Purchasing Manager, it was found that no evaluation of ABC supplier had taken place since the contract was signed and business began with ABC supplier.

Page 62: Iso Internal Auditor

Nonconformity - Poor Report Examples

The nonconformity statements below are inadequate due to the lack of specified requirements and detailed evidence:
• Steering Group meeting minutes are not adequate
• The authority level for the Emergency Controller must be documented for clarity purposes

Page 63: Iso Internal Auditor

Preparing Audit Conclusions

Audit team confer prior to the closing meeting:
• Scheduling of the audit plan
• To plan for closing meeting
• Purpose is to:
  - Review audit findings and other information
  - Agree on audit conclusions
• To prepare the audit report and recommendations
• If included in audit plan, to discuss audit follow-up

6.5.6

Page 64: Iso Internal Auditor

Audit Report - Prepare, Approve & Distribute

1. Audit reference

2. Client and Auditee details

3. Audit team details

4. List of auditee representatives

5. Objectives, scope, and criteria

6. Audit plan – dates, places, areas audited and timing

7. Summary of audit process

8. Audit Summary

9. Uncertainty due to sampling

6.6.1

6.6.2

Page 65: Iso Internal Auditor

Audit Report - Prepare, Approve & Distribute

10. Nonconformity reports

11. Recommendation

12. Obstacles encountered

13. Any areas in audit scope not covered

14. Any unresolved issues between the auditee and team

15. Confirmation that audit objectives accomplished

16. Confidentiality statement

17. Distribution list

6.6.1

6.6.2

Page 66: Iso Internal Auditor

Audit Report - Distribution

• Issue within agreed time period
• If delayed, provide reasons and agree on new issue date
• Report must be dated, reviewed, and approved as per procedures
• Distribute to recipients designated by audit client
• Report is property of audit client
• Recipients and audit team must respect the confidentiality of the report

6.6.1

Page 67: Iso Internal Auditor

Completing the Audit

• Audit is complete when all activities in audit plan have been carried out and audit report is distributed

• Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures

• Maintain confidentiality of audit documents, information, and report

• Notify audit client and auditee ASAP if disclosure of audit information is required.

6.7

Page 68: Iso Internal Auditor

Closing Meeting

• Hold closing meeting to present audit findings and conclusions
• Cover situations encountered during audit that may decrease reliance on audit conclusions
• Discuss and resolve diverging audit findings and conclusions
• Keep a record if not resolved
• Provide recommendations for improvement where specified by audit objectives
• Keep minutes and attendance records
• Will normally be informal for internal audits

6.5.7

Page 69: Iso Internal Auditor

Completing the Audit - Conducting the Follow-up

• Audit conclusions may require corrective, preventive, or improvement actions
• Auditee decides and carries out these actions within agreed timeframe
• These actions are not part of the audit
• Audit team member should verify completion and effectiveness of actions taken
• This verification may be part of a subsequent audit
• Maintain independence in subsequent audit activities

6.8

Page 70: Iso Internal Auditor

Completing the Audit - Corrective the Follow-up

• Auditee receives the nonconformity report
• Auditee prepares and approves a corrective action plan
• Auditee submits the plan to auditors
• Auditors evaluate and approve the plan
• Auditee implements the approved corrective action plan
• Auditor verifies the implementation and effectiveness
• Records of all actions taken by auditor and auditee

6.8

Page 71: Iso Internal Auditor

Conclusion

Page 72: Iso Internal Auditor

Typical Audit Activities

• Initiating the Audit
• Conducting Document Review
• Preparing for On-site Activities
• Conducting On-site Activities
• Preparing, Approving, Distributing Audit Report
• Completing the Audit
• Conducting Audit Follow-up

Page 73: Iso Internal Auditor

Final Questions?

Page 74: Iso Internal Auditor

For your attendance and participation!

Prepared & Presented by

Yamin K Hajeej