4

IQA TO ISO 9000:2000

Audit Terms and

Definitions

Ref: ISO/CD.3 19011

• Audit: systematic, independent and documented
process for obtaining audit evidence and evaluating it
objectively to determine the extent to which audit
criteria are fulfilled

• Audit Criteria: set of policies, procedures or

requirements used as a reference

• Audit Evidence: records, statements of fact or

other information, relevant to the audit criteria and
which are verifiable (can be quantitative or qualitative)
• Audit Finding(s): result(s) of the evaluation of
the collected audit evidence against audit criteria

• Audit Conclusion(s): outcome of an audit,

reached by the audit team after consideration of the
audit objectives and all audit findings

• Auditee: organization being audited

• Auditor: person with the competence to conduct

an audit
• Audit Team: one or more auditors conducting an
audit (one being appointed as audit team leader)

• Technical Expert: person who provides specific

knowledge or expertise with respect to the subject
to be audited

• Audit Program: set of one or more audits

planned for a specific time frame and directed
toward a specific purpose
• Audit Plan: description of the on-site activities
and arrangements for an audit

• Audit Scope: extent and boundaries of an audit

(typically includes a description of physical
locations, organizational units, activities and
processes, as well as the time period covered

• Competence: demonstrated capability to apply

knowledge and skills
 5
IQA TO ISO 9000:2000

Principles of Auditing

Ref: ISO/CD.3 19011

 Five Principles of Auditing

Ethical Conduct
1
Trust, integrity,
the foundation of professionalism confidentiality, discretion

Fair Presentation
2
the obligation to report truthfully and accurately
Accurate and complete

Due Professional Care

3 Priorities of stakeholders
application of reasonable care in auditing
necessary competence

Independence
4 Free from bias and
impartiality and objectivity of the audit conclusion
conflict of interest

Evidence
5 Proper sampling
the rational basis for reaching audit conclusions
verifiable
 6
IQA TO ISO 9000:2000

Competence of Auditors

Ref: ISO/CD.3 19011

Elements of Competence

Work
Personal
Experience
Attributes

Auditor
Training

Audit
Education Experience
• There should be an evaluation process that should
first be used for initial evaluation of a person who
wishes to become an auditor
• Even in case where he/she doesn’t, the
development process of an auditor should be
clearly defined to ensure a sound and professional
function in the organization
• Providing competent auditors is only the first step
towards ensuring the reliability of the audit process
General Guidelines

• EDUCATION: minimum high school, preferably

graduation
• TOTAL WORK EXPERIENCE: minimum 5 years
• TOTAL QUALITY EXPERIENCE: at least 2 years
from the 5 years general
• AUDITOR TRAINING: two days for internal auditor,
5 days (Lead Auditor) for the External Auditors
• AUDIT EXPERIENCE: 4 complete audits or 20
days of audit
Auditor’s Personal Attributes

• Mature
• unbiased and fair
• ethical
• open minded
• diplomatic
• observant
• decisive
• self-reliant
 7
IQA TO ISO 9000:2000

Managing An Audit
Program
What is being Audited ?

Product Processes

Machinery
? People

Facilities Procedures
Why an organization is being
audited?

•
•
it is an ISO 9000’s requirement
no trust on employees
?
• check and balance is a human nature
• people tend to forget and/or neglect
• managers are not competent
• a sort of an external and internal
pressures to run systems
• or anything else
How the extent of an audit
vary?

Large Textile Automobile Dental Clinic

Spinning Plant 3 person
1000 persons 400 person Many Complex
4 processes 3 5 processes Treatment
Processes
•Scope ?
•Objective?
•Duration?
•Expertise?
•Frequency of Audit?
•Complexity of Product and Processes?
•Legal Requirements?
•Standards?
•Audit Criteria?
•Social Environment?
•Educational Environment?
What resources are required to
audit?
Large Textile Automobile Dental Clinic
Spinning Plant 3 person
1000 persons 400 person Many Complex
4 processes 3 5 processes Treatment
Processes

•Number of Auditor(s)?
•Competence of Auditor(s)?
•Technical Expertise?
•Duration?
•Administration?
•Documentation?
•Stationary?
Can you identify company’s
Product ?

• Shoe company
• Pharmacy
• Hospital
• Airline
• University
• Primary School
• Insurance Company
What does it mean to Audit a
Process Model ?

• to audit every process

• to audit departments in a certain sequence
• to audit people in a certain sequence
• to audit QMS in a certain sequence and logic
Discussion Exercise - Process
Model

• You are auditing a purchase dept. that buys

material for the company. How would you apply the
QMS Process Model on the activities of the
department? Identify the sequence of your check
points / from the requirements of ISO 9000:2000.
Audit Process

1
• Definition of scope, objective and
Initiating the Audit criteria
• Establish audit team and contacts

2
• Review the documents of the QMS and
Document Review establish their completeness and correct
ness (relevance to their processes)

3 Site Audit
Preparation
• Planning
• Team assignments
. • Preparing working documents
Audit Process (cont.)

4 Site Audit
• Opening Meeting
• Verification Process (collecting and
verifying information), audit findings,
. communicating findings, closing meeting.

5
• audit report preparation
Audit Reporting • report review, approval and distribution
• retention of documents

6
• confirmation of completion as per the
Audit Completion
audit plan

7
• Verification of Corrective, Preventive
Audit Follow-up
and/or Improvement Action
Key Points of the Audit Process

• Audit Objectives, scope, and criteria

– to be defined by the auditee
– Objectives: compliance to all applicable ISO 9001 QMS
requirements, legal obligations (illegality) for product
conformity, contractual obligations to clients, and
consumer protection (in general)
– scope: boundaries of audit, I.e. location, organizational
units, activities and processes to be audited
– criteria: applicable policies, procedures, standards, laws,
QMS requirements, contractual requirements, industry
codes,
Audit Team’s Requirement

• GENERAL
– independence, process familiarity, mature personality,
good communicator and analyzer, motivated, physically fit,
socially disciplined, free from conflict of interest, honest,
capable to write objective audit findings/reports, not
submissive, and interactive

• APPROPRIATE COMPETENCE
– relevant technical expertise or take assistance of technical
experts with appropriate technical knowledge, skills and
experience.
Auditee’s Right on acceptability
of Auditors

• Both the audit client and auditee have a right to

request the replacement of particular team
members on reasonable grounds, which should be
communicated to those responsible for managing
the audit program.
• Examples of reasonable grounds can be conflict of
interest situation (formal employees, consultant),
unethical behavior, lacking appropriate professional
background of the audit team, non-professional
behavior (e.g. violating confidentiality), etc.
Document Review

• A necessary step before site audit

• Should be reviewed in light of audit objectives,
scope and criteria
• A preliminary on-site visit may be necessary to be
able to carry out the document review
• Document Review should be done very carefully,
and is most effectively done with the support of
relevant records.
Planning for On-Site Audit

• Parameters of plan: auditor(s), departments /

sections, time (usually hours), applicable QMS
processes (clauses), applicable criteria (standards,
legal, contractual, etc.), locations / sites, logistics,
language limitations, technical expertise (doctors,
computer specialists, pharmacists, architecture,
etc.)
Working Documents

• Audit procedure
• audit checklist(s)
• sampling plan
• forms / papers for recording information and
supporting evidence
• NCR forms
On-Site Activities

• Opening Meeting
• Investigation
– Observation
– Interviews
– confirmations
– Communication
• Audit Findings
• Closing Meeting
Opening Meeting

• Establish an Audit Environment and

Communication links with the management
• Inform about the audit plan and methodology
• confirm the audit criteria (contractual, legal,
industrial, and company’s obligations and
standards)
• confirm the sampling plan (number of samples to
be used in the width and depth of audit)
• confirmation of relevant work safety, emergency
and security procedures for the audit team
Investigation

• Main objectives:
– what are the contractual and legal requirements
– Does the company products meets the contractual and
legal requirements
– Is consistency ensured in the standards
– Are company policies and procedures followed as a
routine activity
– Is the company following the standards and procedures
genuinely
– Is there any serious discrepancy between what is
produced and the test results
(cont.)

• Interviews:
– relevant people must be interviewed directly at all levels
– auditor should go to the relevant people to interview; they
should not be called to answer the auditor
– tone must be respectful and genuine
– objective of interview must be clarified to the interviewee
– Types of questions: Open-ended, Closed-ended, Leading-
questions, Personal -questions, Interrogative-questions,
taunting-questions. Certain types must be avoided.
– The results from the interview should be summarized and
reviewed with the interviewed person
– End must be with thanks
(cont.)

• Observations and Confirmations

– actual products
– actual processes (operators, skill levels, equipment,
material)
– actual operators
– actual environment
– actual records
– external documents (customers’, vendors’, legal, and
referenced standards)
– computerized data bases
– effectiveness of procedures
Audit Findings

• Auditors should review all facts and the overall

situation
• Conformities should be summarized to at least
indicate locations, functions, processes, or
requirements that were audited, where no
nonconformities were observed
• Nonconformities should be recorded and supported
by audit evidence. It should be reviewed by the
auditee to ensure accuracy and understanding.
• Difference of opinions should be resolved before
finalizing
Nonconformity Statement -
a critical output of an Auditor

• Few auditors write accurate, clear, and complete

statements of non-conformity
• Example of a good non-conformity statement

“One of the voltmeters, number 389000, used for

the testing of generators at the final test bench of
the main assembly shop was not calibrated, as
required by the Quality Procedure No.
QSP4.11/2000. All test equipment which affect
product quality shall be calibrated to ensure
accuracy of results”
(cont.)

• Poor way of writing NC statements:

Examples

– quality objectives were not defined

– test equipment was not calibrated
– there were no training programs
– identifications were missing
– the procedure for SPC was wrong

Can you identify why the above statements are not good?
(cont.)

• Statements blaming to wrong people !

“An operator was repairing the machine with wrong

method”
OR
“The operator was not properly trained to repair the
machines”

who is to be blamed in the same incident above?

Preparing for the Closing
Meeting

• Review the overall audit findings

• Prepare the list of audit findings
• reach consensus on the audit conclusions
• agree on the roles and tasks for the closing
meetings (for more than one auditors)
• prepare recommendations
• discuss subsequent audit follow-up
Closing Meeting

• Present overall conclusion and findings. Address

your summary of Conformity and Non-conformity,
both.
• Present non-conformities in order of priority (from
more important findings to less important)
• Provide direction to management on Corrective,
Preventive and Improvement actions. It is auditee's
responsibility to identify C/A or P/A; however they
normally do not understand the difference.
• Confirm follow-up audit
Auditor-Auditee Roles
AUDITOR

Audit Approve Verify

Audit Report C/A
C/A
AUDITEE

Identify
Rootcause & Take
C/A Improve-
Suggest
ment
C/A
Audit Report

• Should provide a complete, accurate, concise and

clear record of the audit and should contain audit
conclusions on the following issues:
– extent of conformance of the management system to the
audit criteria
– effective implementation and maintenance of the
management system, and
– the ability of management review process to ensure the
continuing suitability, adequacy, and effectiveness of the
management system
Contents of Audit Report

• The second/third party reports are formal, whereas,

first party audit can be less comprehensive and
may include just nonconformance reporting.
Audit Follow-up

• Focus should be on whether the auditee has gone

into the root cause of the nonconformance, and
whether solution provided by the auditee eliminate
the root cause(s)
• Auditee tend to neglect timely corrective actions.
Therefore, auditor should ensure timely corrective
actions. Appropriate time should be ensured, as
most often daily or weekly solutions are projected
into monthly tasks.
• Just recorded answers to solutions are not
sufficient. Physical verification of effectiveness of
the solution is necessary
Audit Completion

• An audit is completed when all activities in the audit

plan have been finalized and the approved audit
report has been distributed
Normal Problems in Audits

• Lack of Product Orientation

• Lack of Process Orientation
• Non-technical audits in technical areas
• Incomplete audits
– depth
– width
Final Words ...

• Audits driven by professional programs can be highly

valuable in improving the Quality of organizations. On
the other hand, if conducted unprofessionally, the same
can be damaging
• Auditors and audit programs should also be subject to
checking and improvements
• Progressive development of auditors is generally
neglected, resulting in poor value
• Technical competence and personal attributes are both
important parts of the auditors
• Announced audits can be mixed with unannounced ones