
ISO 9001:2008

Quality Management System;


Auditing for Value Addition

By
K. G. Garg
Foreword by : Dr Girdhar J. Gyani

© All Rights Reserved


No part of this book may be reproduced or transmitted in any form without
permission in writing from the author.

Published by:
Quality Council of India (QCI)
2nd Floor, Institution of Engineers Building
Bahadur Shah Zafar Marg,
New Delhi 110 002, INDIA.
Tel: 011-23379321/0567, Fax:011-23379621
Website: www.qcin.org
Month and Year of Publication : September 2009

First Edition

Printed by:
Perfact Impression Pvt. Ltd.
2, Prem Nagar Market, Tyag Raj Nagar
New Delhi-110 003
Tel. : 011-24602233/77, 24603123/24
E-mail : mail@perfactimpression.com

CONTENTS

FOREWORD
PREFACE
REFERENCES

GENERAL
1.1 Quality management principles
1.1.1 Customer focus
1.1.2 Leadership
1.1.3 Involvement of people
1.1.4 Process approach
1.1.5 System approach to management
1.1.6 Continual improvement
1.1.7 Factual approach to decision making
1.1.8 Mutually beneficial supplier relationships
1.2 Mission, vision, strategy, policy & Objectives
1.2.1 Mission & Vision
1.2.2 Aspects of strategy
1.2.3 Strategic planning
1.2.4 Policy and objectives
1.2.5 Objective deployment
1.3 Processes
1.3.1 Process approach
1.3.2 Types of processes
- Management processes
- Realization processes
- Support processes
1.4 Measurement and analysis
1.4.1 Measurement approach
1.4.2 Performance metrics
1.4.3 Measuring achievements of objectives
1.4.4 Key indicators
1.4.5 Measurement tools
1.5 Improvements
1.6 Innovation
1.6.1 General
1.6.2 Types of innovations
1.6.3 Factors influencing the effectiveness of the innovations
1.6.4 Planning of the innovation processes

AUDITOR GUIDE
2.1 Certification Audit types
2.1.1 Introduction-Certification
2.1.2 Initial certification stage 1 audit
- Process audits during stage 1 audit
2.1.3 Initial certification stage 2 audit
- Process audits during stage 2 audit
2.1.4 Assumption Audit (Transfer of accredited certification)
- Review of certification information & prior reports
- Audit programme development
- Process audits
2.1.5 Surveillance audits
- Surveillance audit planning
- Renewal audit planning during last surveillance audit
2.1.6 Renewal audit
2.1.7 Corrective action audit
2.2 Auditors competence
2.3 Roles and responsibilities for assessment/certification personnel
2.3.1 Roles and responsibilities of top management
2.3.2 Roles and responsibilities of lead auditors
2.3.3 Roles and responsibilities of auditors
2.3.4 Roles and responsibilities of technical experts
2.3.5 Roles and responsibilities of trainee auditors/observers
2.4 Audit time
2.5 Audit scopes
2.6 Maturity assessment
2.6.1 Introduction
2.6.2 Description of the maturity levels

AUDITING GUIDE
3.0 Process classification
3.1 Required Processes Management processes (Group 1)
3.1.1 Management involvement & Customer focus
3.1.2 Improvement process
3.2 Required Processes Realization processes (Group 2)
3.2.1 Customer process contract/ order management
3.2.2 Design and development
3.2.3 Supplier Management
3.2.4 Product manufacturing process or Service delivery process
3.3 Required processes, Support Processes - (Group 3)
3.3.1 Document control
3.3.2 Customer focus customer complaints and satisfaction
3.3.3 Internal audit
3.4 Sample processes, Support Processes - (Group 4)
3.4.1 Records management
3.4.2 Training
3.4.3 Employee deployment
3.4.4 Maintenance
3.4.5 Planning for product realization or Planning for service realization
3.4.6 Customer process - Customer communication
- Customer; supplied product
3.4.7 Purchasing process
3.4.8 Process validation
3.4.9 Stores management: Packing, shipping and delivery
3.4.10 Calibration
3.4.11 Inspection - Receiving inspection
- Process inspection
- Stage inspection
- Final inspection

Template 1: Audit programme
Template 2: Audit timetable
Template 3: Nonconformance & Corrective action request format

Appendix A Opening Meeting Agenda
Appendix B Closing Meeting Agenda
Appendix C Quality System Questionnaire
Appendix D - ISO 9001: Auditing Practices Group

FOREWORD
International Standard ISO 9001:2008 specifies the requirements for a quality management
system (QMS), which an organization must implement to:
a) demonstrate its ability to consistently provide products or services that meet
   customer and applicable statutory as well as regulatory requirements and
b) enhance customer satisfaction through the effective application of the QMS,
   including the processes for its continual improvement and the assurance of
   conformity to customer and applicable regulatory requirements

The Standard ISO 9001 is one of the most widely used certification systems in the world,
against which more than 12,00,000 organizations have already been certified. The
certificates are issued by Certification Bodies, after verifying that the organization (supplier
of products or services) is complying with the requirements specified in ISO 9001 Standard.
The competency of the Certification Bodies is ensured through a process, wherein a
designated Accreditation Body grants the accreditation to the Certification Body, based on
International Standard ISO 17021. In addition, the International Accreditation Forum, a
consortium of Accreditation Bodies, has established a mechanism of mutual recognition of
accredited certification world over. By this process of accreditation, products or services of a
certified organization get global acceptance. Such a robust mechanism acts as a guarantee
to the ultimate consumer that the product /services from the certified organizations would
comply with the specified requirements. However, of late, this guarantee has unfortunately
eluded the ultimate user.
I had the opportunity to undertake field survey at Quality Council of India on more than 800
ISO 9001 certified organizations, the first of its kind, undertaken to validate the effectiveness
of certification process, and which revealed wide ranging inadequacies in the certification
process. Analysis of the data conclusively indicated lack of consistency in the certification
process adopted by different Certification Bodies, in spite of the fact that they were
accredited and were expected to follow uniform practices.
ISO 9000 series of standards based on the British standard BS 5750 was first issued in 1987.
The certification to BS 5750 was initially started in UK and subsequently the standard was
adopted as ISO 9000 by the international community. The certification activity was mainly led
by the organizations that were involved in third party certification like ship registrars etc.
Later the Certification Bodies established in UK and Europe realized that it would be easier to
operate through branch offices set up in the developing countries.
As the awareness in the market grew and the thrust by the European countries that ISO 9000
certification would help improve the exports potential of developing countries, a number of
organizations started looking at the ISO 9000 series of standards. The Certification Bodies
took this as a business opportunity and began to look at various options to expand their
operations. They started having partnership or tie-up with appropriate agencies in the
developing countries. Simultaneously, it gave rise to local CBs coming into being and
seeking accreditation from the overseas ABs in the developed countries. This was because
most of the developing countries, at that point of time, did not have their own accreditation
bodies. Proliferation in certification brought in competition and with inadequate control of
foreign Accreditation Bodies on the Certification Bodies, resulted in considerable dilution of
the certification process.
It is mandatory for the Accreditation Bodies to carry out a regular surveillance assessment of
the Certification Bodies at least once a year. Similarly the Certification Bodies will carry out a
regular audit, at least once a year, on the certified organizations to ensure continued
compliance. One of the main reasons for dilution of the standards of certification process is
inadequate control of the Accreditation Bodies on the Certification Bodies that are operating
through the branch offices, franchisee or through representation. The Certification Bodies
(CBs) operating in most of the developing countries fall into the following three categories:
Category A: Certification Bodies having direct accreditation from the National
            Accreditation Body.
Category B: Certification Bodies operating under foreign Accreditation Bodies (ABs)
Category C: Certification Bodies operating through branch offices, Franchisee or
            through representation of foreign Certification Bodies (CBs)

The CBs in the categories 'A' and 'B' undergo mandatory annual surveillance by their ABs, as
provided in the IAF guidelines. This ensures regular monitoring & control over the functioning
of CBs. The CBs in category 'C' are in fact the ones, which lack in terms of monitoring and
control mechanism. Many CBs in this category have never been subjected to the
surveillance by the concerned ABs.
The ISO 9000 series of quality standards work on the premise that customers require
products with characteristics that satisfy their needs and expectations, collectively referred
to as customer requirements or product specifications. The quality management system
(QMS) approach encourages organizations to determine the needs and expectations of
customers and other interested parties, establish the processes and responsibilities
necessary to address and comply with these needs, establish methods to measure the
effectiveness and efficiency of each process and finally establish & apply a process for
continual improvement of the quality management system. Some organizations have used
the ISO 9000 series of standards to develop quality management systems that are
integrated into the way they do business and are useful in helping them to achieve their
strategic business objectives and add value for the organization. On the other hand, many
other organizations have simply created a set of bureaucratic procedures and records that
do not reflect the way the organization actually works. Setting up such elaborate procedures
simply adds costs, without providing any value additions to the product or process.
Many organizations generally agree that they have benefited from the ISO 9000
certification. However, most of this initial benefit has been due to the creation of well-defined
documentation of work processes, assimilation of data, and maintenance of records. Many
of these organizations also recognize that benefit has not gone beyond adding any value into
the internal system by way of improvement in efficiency and cost reduction etc. Most of the
audit schedules focus only on determining whether documented procedures are being
implemented in practice. Few procedures, however, define what the processes they describe
are designed to achieve or how these are to be measured. The audits in many cases fail to
ascertain whether the process is suitable to deliver products that meet defined requirements
and whether the process has realized the quality objectives of the organization.
Consequently, most of the audit efforts reinforce the status quo and do little to identify the
scope for business improvement. Many consider that such audits add little value to the
organization, and are necessary only to retain certification.
The effectiveness of quality management system certification is based upon the credibility of
the certification process. In this entire process of certification, auditing takes the center
stage and the auditor plays the key role. Mr. Garg has done a commendable job in bringing out at
one place all the best practices in auditing for value addition. The book will serve as a good
Auditor's Manual in general and as an excellent training aid for the new and budding auditors.

(DR GIRDHAR J. GYANI)
Secretary General
Quality Council of India

PREFACE
This document is prepared based on ISO 9000:2005, ISO 9001:2008, ISO 9004:2000, ISO
9004:2007 (draft), 19011:2002, 17021:2006, IAF mandatory documents and experiences of
NVT-Quality Certification audits to ISO 9001 series of standards.
This document contains 3 chapters.
Chapter 1: Deals with basic understanding and contains subjects on quality management
principles, mission, vision, strategy, policy, objectives, objective deployment,
processes, measurement, analysis, improvement and innovation.
Chapter 2: Deals with audit understanding and contains subjects on audit: types, planning,
programme, processes, initial certification, assumption (transfer of accredited
certification), surveillance, renewal, corrective action, auditors competence,
audit time, audit scopes including maturity assessment.
Chapter 3: Deals with auditing for required processes (management processes group 1,
realization processes group 2 & support processes group 3) and sample
processes (support processes group 4). Each process audit includes purpose
of the process, requirements, audit at operational level and audit at process
owner level.
This document also contains templates on audit timetable, audit programme and corrective
action request format (this is also called nonconformity report format).
This document further contains appendices on quality system questionnaire & ISO 9001
auditing practice group advices/interpretations on different topics.
It is expected that auditors after developing knowledge from chapter 1 and following
practices as per chapter 2 & 3 should be able to add considerable value to the third party
audits.
I acknowledge with thanks KEMA Quality for their excellent support in last 15 years in
assisting and developing our audit process. I also acknowledge with thanks publishers of
ISO standards and IAF since I have quoted and used some of the materials from ISO/IAF
publications.
I am thankful to Prof. Y.R. Rau & Mr. K.T.Thomas for review. I am thankful to Dr. Girdhar J.
Gyani for review and foreword. I am thankful to Prof. A.K. Chaudhuri for guiding me
throughout the project. I am also thankful to Mr. Mohan Rao for administrative support.

K.G. GARG
REFERENCES
1. ISO 9000:2005 - Quality Management Systems: Fundamentals & Vocabulary
2. ISO 9001:2008 - Quality Management Systems - Requirements
3. ISO 9004:2000 - Quality Management Systems - Guidelines for performance improvement
4. ISO 9004:2007 - Managing for sustainability - A quality management approach (Draft)
5. 19011:2002 - Guidelines for quality and/or environmental management systems auditing
6. 17021:2006 - Conformity assessment - Requirements for bodies providing audit and
   certification of management systems
7. www.tc176.org/default.asp - ISO 9001: Auditing Practices Group
8. IAF MD 1:2007 - IAF Mandatory Document for the Certification of Multi sites Based on
   Sampling
9. IAF MD 2:2007 - IAF Mandatory Document for the Transfer of Accredited Certification of
   Management Systems
10. IAF MD 3:2008 - IAF Mandatory Document for Advanced Surveillance and Recertification
    Procedures
11. IAF MD 4:2008 - IAF Mandatory Document for the use of Computer Assisted Auditing
    Techniques (CAAT) for accredited Certification of Management System
12. IAF MD 5:2009 - IAF Mandatory Document for Duration of QMS and EMS audits

Note: The requirements given in the ISO standards, IAF documents and decisions of IAF,
shall at any time supersede any of the provisions covered under this document.

CHAPTER 1
GENERAL
1.1 QUALITY MANAGEMENT PRINCIPLES


To lead and operate an organization successfully, it is necessary to direct and control it
in a systematic and transparent manner. Success can result from implementing and
maintaining a management system that is designed to continually improve
performance while addressing the needs of all interested parties. Managing an
organization encompasses quality management amongst other management
disciplines.
Eight quality management principles have been identified that can be used by top
management in order to lead the organization towards improved performance.

1.1.1 Customer focus


Organizations depend on their customers and therefore should understand current
and future customer needs, should meet customer requirements and strive to exceed
customer expectations.
1.1.2 Leadership
Leaders establish unity of purpose and direction of the organization. They should
create and maintain the internal environment in which people can become fully
involved in achieving the organization's objectives.
1.1.3 Involvement of people
People at all levels are the essence of an organization and their full involvement
enables their abilities to be used for the organization's benefit.
1.1.4 Process approach
A desired result is achieved more efficiently when activities and related resources are
managed as a process.
1.1.5 System approach to management
Identifying, understanding and managing inter related processes as a system
contributes to the organization's effectiveness and efficiency in achieving its
objectives.
1.1.6 Continual improvement


Continual improvement of the organization's overall performance should be a
permanent objective of the organization.
1.1.7 Factual approach to decision making
Effective decisions are based on the analysis of data and information.
1.1.8 Mutually beneficial supplier relationships
An organization and its suppliers are interdependent and a mutually beneficial
relationship enhances the ability of both to create value.
These eight quality management principles form the basis for the quality management
system standards within the ISO 9000 family.
1.2 MISSION, VISION, STRATEGY, POLICY & OBJECTIVES

1.2.1 Mission and vision


By understanding and analysing the organization's environment, its management
should be able to establish a mission and vision for the organization, as well as the
strategic orientations needed to achieve them.
A mission (why we exist?) and vision (what we want to be?) should be developed in
light of an external and internal SWOT (strengths, weaknesses, opportunities and threats)
analysis.
An organization should have an identified aim or purpose, within its social
environment. The organization should identify its mission and vision on the basis of
understanding of relationship to the stakeholders, their characteristics, and its own
competencies.
The mission should describe the values which the organization seeks to create for its
stakeholders.
The vision presents the state the organization wishes to achieve, once it is equipped
with the necessary competencies.
1.2.2 Aspects of strategy
An organization should develop a strategy to fulfill its mission and vision, which is also
directed towards the achievement of improvements & sustainability. This should
include consideration of:
a) its external environment, including trends;
b) the needs and expectations of stakeholders;
c) its capabilities and resources; and
d) lessons learnt from previous experiences.

1.2.3 Strategic Planning


In order to provide a framework for the proper allocation of resources, to incorporate
success factors in the business domain, and to meet the needs and expectations of
stakeholders, management should ensure that the organization's strategic plan gives
consideration to the following:

- the organization's environment;
- new opportunities;
- target markets and customers;
- products to be provided;
- the organization's capability profile;
- the allocation of resources;
- risk analysis.
1.2.4 Policy and objectives
Policy and objectives define an organization's desired results and assist the
organization to apply its resources in achieving these results.
The organization should establish policy and objectives, based on its strategy
- to provide a focus to direct the organization,
- to ensure that plans are communicated to all relevant stakeholders, and
- to assure that its policy and objectives are aiming for improvements & sustainability.
Policy that is based on the organization's mission, vision and strategy provides a
framework for establishing and reviewing its objectives.
Objectives are used to put the policy into operation, i.e. they answer the question "what
should be done to fulfill the policy?" The objectives need to be consistent with the
policy and their achievement needs to be measurable. The achievement of objectives
should have a positive impact on the organization's products, operational
effectiveness, financial performance, as well as on the satisfaction, confidence and
loyalty of stakeholders.

1.2.5 Objective deployment

[Figure 1: Objective Deployment. Diagram labels: SWOT analysis; Policy; key objectives
under the customer related, product related, financial related and innovative related
perspectives; deployment at functional (process owner) level; objective deployment (PDCA
cycle); Mission; Policy & Objectives; information on corrective & preventive action;
management review; internal audits.]

Based on SWOT (strengths, weaknesses, opportunities and threats)
analysis of external and internal aspects and on the quality policy, SMART
(Specific, Measurable, Achievable, Realistic and Time bound)
objectives should be decided for all perspectives (customer related,
internal process/product/service related, financial related and
innovative related). For each of the perspectives, at least 3 to 5 key
objectives should be identified. These objectives in turn should be
deployed to each process owner. Each process owner should follow the
PDCA (Plan, Do, Check and Act) cycle. Example: for
an engineering company the deployment process is as below:

[Diagram: objective deployment for an engineering company. Recoverable content follows.]

The Vision
As our customers' preferred provider, we shall be the industry leader. This is our vision.

Strategy
- Services that surpass needs
- Customer satisfaction
- Continuous improvement
- Quality of employees
- Shareholder expectations

Policy

Financial Perspective
- Return on capital
- Cash flow
- Project profitability
- Reliability of performance

Customer Perspective
- Value for money (Tier I)
- Competitive price (Tier II)
- Hassle-free relationship
- High-performance professionals
- Innovation

Internal Perspective
- Shape customer requirement
- Tender effectiveness
- Quality service
- Safety/loss control
- Superior project management

Innovative Perspective
- Continuous improvement
- Product and service innovation
- Empowered work force

Each perspective: SMART objectives; objectives deployed to the relevant process owner.

1.3 PROCESSES

1.3.1 The process approach


An organization should use a "process approach" to facilitate the effective
operation and interaction of its processes, and should develop the
interrelating strategic and operational processes necessary for the
achievement of improvement & sustainability. Benefits of the process
approach include
a) the achievement of planned results,
b) the improvement of the effectiveness and efficiency of the organization,
c) the provision of confidence to customers, and other stakeholders, about
the consistent performance of the organization,
d) transparency of operations within the organization,
e) lower costs and shorter cycle times, through the effective use of
resources,
f) improved, consistent and predictable results,
g) provision of opportunities for focused and prioritized improvement
initiatives, and
h) encouragement of the involvement of people and the clarification of their
responsibilities.
Refer to Figures 2 and 3 for process approach models for a quality management
system.
1.3.2 Types of processes
Processes are specific to the organization, and shall vary depending on its
type, size and degree of development. Processes can be identified in terms of
the following types:

Management processes
These include the processes relating to strategic planning, establishing policy,
setting objectives, providing communication, ensuring availability of
resources needed, life cycle management and management reviews. This
includes all the processes for the provision of the resources that are needed
for the realization of organization's objectives. This includes improvement
processes based on analysis of data, corrective and preventive actions,
projects of improvements and innovative approaches for future of the
organization.
Realization processes
These include all the processes that provide the intended output of the
organization. (E.g. Contract / order management, design, purchasing,
manufacturing, services).
Support processes
These include all those processes needed to contribute directly or indirectly to
the realization processes (e.g. financial, training, maintenance, marketing,
sales, and quality management).

[Figure 2: Model of Process Approach QMS. Diagram labels: continual improvement of the
quality management system; management responsibility; resource management; product
realization; measurement, analysis, improvement; customers and other interested parties
(requirements); customers and other interested parties (satisfaction); inputs; product
outputs.]

[Figure 3: Process Approach. Diagram labels: inputs; activity; outputs; information;
execution and control; verification; methods; resources; materials; machines; man;
environment; process requirements; process and company objectives (SMART: specific,
measurable, achievable, realistic and time bound); measurement.]

1.4 MEASUREMENT AND ANALYSIS

1.4.1 Measurement approach


Reliable measurement data are an important input for an organization aiming
for improvement & sustainability. This will also enable a factually based
approach to management and priority setting. The organization should
monitor and/or measure systematically the performance of all relevant
processes. The measurement approach adopted should be related to the
criticality of the processes involved and the objectives stated for these
processes.
In planning its measurement approach, the organization should give
consideration to the following:
- determining where, how and why measuring and monitoring should be
  applied. The aim should be to improve the performance of the
  organization's processes and to improve their outputs;
- recording the results of these activities;
- verifying that all process objectives are met; and
- taking corrective action when objectives are not met, for example by
  means of additional process activities, or new policy and objectives to
  improve the process.

1.4.2 Performance metrics


A robust set of performance metrics, put into context by the use of comparative
data, allows the management to monitor trends in the performance of an
organization. The organization should identify its key performance indicators.
To be capable of signaling approaching risk or potential opportunity, an
organization needs to employ a broad set of performance metrics that
address the desired outcomes and processes deployed. The organization's
management should consider: the performance indicators for the processes
of the organization, including input, in-process and output measurements; the
level of satisfaction and expectation(s) of all stakeholders; the correlation
between process parameters and the desired results (outputs) that will enable
specific, measurable, achievable, realistic and timely process objectives to be
set; the performance gaps with other organizations; tracking results to identify
trends in key process parameters.
Examples of performance metrics include customer satisfaction levels,
supplier performance, on time delivery, lead times, failure rates, waste,
process costs, incident frequencies, customer complaints, product returns
etc.
The criteria for measuring the effectiveness and efficiency of a process should
be consistent with the objectives set for its outputs. These should, in turn, be
consistent with the strategy of the organization.
1.4.3 Measuring achievement of objectives
An organization should monitor carefully the degree and speed at which it
achieves its objectives, by defining appropriate key indicators of performance,
by using effective tools to gather information, and by comparing the
information gathered against the established objectives.
1.4.4 Key indicators
Key indicators can relate to processes, products, customer satisfaction, and
the satisfaction of other stakeholders (such as shareholders, people in the
organization, partners, suppliers and society).
Key indicators can take many different forms, and typically relate to one of the
above topics. The following list gives some examples:
- the effectiveness and efficiency of the organization's processes (including
  parameters such as speed, productivity and competitiveness);
- the "voice of the customer" (commendation or complaints);
- the performance of products (as identified through market share, sales,
  profit etc.);
- the loyalty of customers;
- the image of the organization (as identified through benchmarking, or
  brand image);
- opinion and dissatisfaction expressed in shareholders meetings;
- the organization's credit rating;
- evaluations of the organization performed by external bodies;
- impact on the natural environment;
- safety records;
- contribution to society (culture and community);
- degree of legal compliance;
- opportunities for sustainable employment; and
- the cost of poor quality.

1.4.5 Measurement tools
The methods used for collecting information regarding key indicators should
be practicable and appropriate to the organisation's circumstances. Typical
examples are:
- interviews, questionnaires and surveys;
- monitoring trends in levels of nonconforming product (internal and
  external);
- monitoring the time taken to deal with customers;
- monitoring levels of machine downtime;
- monitoring customers' perception (satisfaction/ complaints) during
  meetings with their representatives;
- monitoring trends in sales figures;
- supplier reviews carried out by the customer; and
- feedback from field visits to customers.

1.5 IMPROVEMENTS
An organization's improvement activities should focus on the processes
needed to improve the satisfaction of stakeholders, as well as seeking to improve
its products.
The organization should define objectives for the improvement of its products,
processes and management system, and should seek to improve them
continually and systematically.
Management should ensure that continual improvement becomes
established as part of the organization's culture through:
- providing the opportunity to participate in effective improvement,
- recognition and reward, and small group activity.

1.6 INNOVATION

1.6.1 General
Innovation is essential for sustainability; it needs to be based on the
organization's learning ability. The organization should carry out
innovation in its capabilities and organizational constitution, as is
necessary to ensure its future success. Innovation may mean entirely or
partially eliminating the existing framework of the organization and
constructing a new framework, which will require wisdom gained through
its learning.
1.6.2 Type of innovation
Management should understand that major changes in the organization's
environment may require breakthrough innovations, and not mere
improvements to the organization's existing situation, for sustainability.
Innovations should be allowed to be realized whenever necessary.
Innovation includes the following:
a) innovation in technology or product, i.e. innovation to respond to changes
in the business environment and product lifecycle;
b) innovation in the business model, i.e. innovation to ensure that competitive
advantage is maintained and new business opportunities are realized,
when there are changes in the business environment;
c) innovation in the organization, i.e. innovation in the organization's
constitution in response to changes in the business environment;
d) innovation in processes, i.e. innovation in the methods for product
realization.
The design, implementation and management of processes for innovation
within an organization will be influenced by its respective needs, particular
objectives, products produced, processes used, size and structure.
1.6.3 Factors influencing the effectiveness of the innovation
The organization should consider the following factors:
- detecting indications of change,
- understanding the reality accurately,
- management's commitment to innovation,
- a willingness to challenge and change the status quo,
- identification of the barriers to innovation, and exchange of knowledge and
  expertise internally, and with partners/suppliers outside the organization.

1.6.4 Planning of the innovation process


In order to achieve innovation, the organization should consider:
- the possibility that its processes and/or products may become obsolete,
  thereby putting its very existence at risk,
- the need to innovate its processes and/or products, in order to meet
  customers' needs and expectations and to create new value for its
  stakeholders, and
- the possibility of identifying or creating new customer needs, and thereby
  creating new market opportunities.

The organization should take advantage of the following factors in the
planning of innovation:
- the results from reviews of its strategy for sustainability,
- the results of activities to improve its quality management system,
- the results from reviews of its business strategy,
- the organization's performance (such as market share, sales, profits, and
  rating),
- the results of assessments,
- the identification and prioritization of objectives,
- its internal situation, in terms of factors such as skills and knowledge,
  availability of resources, and existing functions within the organization that
  could be used for innovation,
- the external situation, in terms of considerations such as the availability of
  scientific or technical information,
- the availability of methods for innovation, and
- expected benefits and risk factors.

Innovation based on learning ability is essential for sustainability.


Sustainability is made possible only when the organization detects changes
in its business environment, understands its core competence and innovates
in its capabilities and organizational constitution as necessary.


CHAPTER-2
AUDITOR GUIDE
2.1 CERTIFICATION AUDIT TYPES

2.1.1 Introduction - Certification


Certification of a management system, such as a quality management system of an
organization, is one means of providing assurance that the organization has
implemented a system for the management of the relevant aspects of its activities, in
line with its policy.
Observance of the requirements of certification is intended to ensure that certification
bodies operate management system certification in a competent, consistent and
impartial manner, thereby facilitating the recognition of such bodies and the
acceptance of their certifications on a national and international basis. Certification of a
management system provides independent demonstration that the management
system of the organization
a) conforms to specified requirements,
b) is capable of consistently achieving its stated policy and objectives, and
c) is effectively implemented.
Conformity assessment such as certification of a management system thereby
provides value to the organization, its customers and interested parties.
Certification audits require adequate preparation. Figure 4 provides an overview of typical
audit activities. The initial certification audit of a management system shall be
conducted in two stages.
2.1.2 Initial certification stage 1 audit
The stage 1 audit shall be performed
a) to audit the organization's management system documentation;
b) to evaluate the organization's location and site-specific conditions and to
   undertake discussions with the organization's personnel to determine the
   preparedness for the stage 2 audit;
c) to review the organization's status and understanding regarding requirements of
   the standard, in particular with respect to the identification of key performance or
   significant aspects, processes, objectives and operation of the management
   system;
d) to collect necessary information regarding the scope of the management
   system, processes and location(s) of the organization, and related statutory and
   regulatory aspects and compliance (e.g. quality, environmental, legal aspects of
   the organization's operation, associated risks, etc.);
e) to review the allocation of resources for stage 2 audit and agree with the
   organization on the details of the stage 2 audit;
f) to provide a focus for planning the stage 2 audit by gaining a sufficient
   understanding of the organization's management system and site operations in
   the context of possible significant aspects;
g) to evaluate if the internal audits and management review are being planned and
   performed, and that the level of implementation of the management system
   substantiates that the organization is ready for the stage 2 audit.

For most management systems, it is recommended that at least part of the stage 1
audit be carried out at the organization's premises in order to achieve the objectives
stated above.

Initiating the audit
- appointing the lead auditor
- defining audit objectives, scope and criteria
- selecting the audit team
- establishing initial contact with the organization

Conducting document review (stage 1)
- reviewing relevant management system documents, including records, and
  determining their adequacy with respect to audit criteria

Stage 1 audit activities
- confirm scope, processes and process owners
- prepare audit programme and timetable
- plan for logistics and resources
- evaluate that internal audit and management review are planned and performed
- confirm readiness for stage 2 audit

Conducting on-site Stage 2 audit activities
- conducting opening meeting
- communication during the audit
- inform roles and responsibilities of guides, observers, experts as applicable
- collecting and verifying information
- generating audit findings
- preparing audit conclusions
- conducting closing meeting

Preparing, approving and distributing the audit report
- preparing the audit report
- approval and distribution of the audit report

Conducting audit follow up

Figure 4 - Overview of Typical Initial Certification Audit Activities

Stage 1 audit findings shall be documented and communicated to the organization,
including identification of areas of concern that could be classified as nonconformity.
In determining the interval between stage 1 and stage 2 audits, consideration shall be
given to the needs of the organization to resolve areas of concern identified during the
stage 1 audit. The certification body may also need to revise its arrangements for
stage 2.
The organization may request that additional process audit(s) (other than those described
above) be included at the stage 1 audit. These usually take approximately 1.0-2.0 hours per
Process Audit. These process audits are considered part of the Certification process.
When process audits are performed during Stage 1, the organization should be
encouraged to select a variety of processes covering multiple process owners. If the
final Certification Stage 2 is performed within six (6) months of the Stage 1 audit date,
these results are counted as part of the certification process, following completion of
applicable corrective action. If the organization desires to have the Certification Audit
more than six months after Stage 1, then the Stage 1 review and audits shall be
redone.
MANAGEMENT SYSTEM DOCUMENT REVIEW
The Management System Document Review is the most critical part of the
assessment process. The basic Management System design is reviewed in detail to
confirm that the documentation addresses and satisfies the requirements of the
applicable standard(s). The Management System Document Review segment of the
report provides documentary evidence of the assessment process and the outcome.
The Management System Document Review consists of a clause by clause
comparison of the standard(s) requirements to the solutions presented in the Quality
Manual, the second-tier Documented Procedures and other forms of documentation
such as work instructions, specifications, policy, training documents, records, etc.
Occurrences where the requirements have not been satisfied or where
documentation is unclear or ambiguous are noted as a major nonconformance or a
minor nonconformance. Completion of the Management System Document Review,
including resultant corrective action, establishes the foundation for audits to verify
effective implementation with the confidence that structural problems due to
documentation will not be encountered.
All elements of the standard shall be represented either directly or indirectly. The only
exception to this pertains to the predefined permissible exclusion of elements of
Section 7 of the ISO 9001:2008 standard. Such exclusions may not affect the
organization's ability or responsibility to provide product that fulfills customer and
applicable regulatory requirements, and they need justification.
During the Management System Document Review, the structure of the organization's
Management System should also be reviewed. Aspects of the Management System
that should be considered are description of process interaction, corrective
action/continual improvement mechanisms, management roles, customer
satisfaction processes, documentation approach, and quality objectives and
measurement / analysis processes.

The Management System Document Review should be conducted with a small group
of key employees of the organization. The QA Manager and, where appropriate, the
Management Representative, should be part of this core group. Often, other
participants will join the discussions when relevant sections of the standard are being
reviewed. For a medium-sized enterprise, the Management System Document
Review process should require one day to effectively complete. Even for small
organizations, one-half to three-quarters of a day should be allotted. Auditor notes
taken during the assessment should be complete enough to ensure that the report can
be completed. This includes persons interviewed, documents reviewed, and notes
defining the structure of the management system. Exclusions shall be recorded as
well as all Major and Minor Nonconformances. Strengths and Opportunities for
improvement are not recorded but are included in the management summary of the audit
report.
AUDIT PROGRAMME
The Audit Programme defines the processes that comprise the organization's
Management System as certified to ISO 9001:2008. This tool is a matrix that relates
processes to individual process owners who are accountable for the outcome. It is
developed interactively and becomes the consensus definition of the scope as
agreed to by knowledgeable participants.
The audit programme is used throughout to communicate within the organization which
processes will be audited at the upcoming audit. In this way the Audit Programme is a
dynamic tool that changes throughout the audit cycle and is useful for internal audits and
certification audits.
In order to effectively plan the Certification Cycle, the Audit Programme shall be
developed at or prior to the first Audit Event. Any significant changes to the
management system, such as addition/reduction to scope or change in certification
standard, warrant consideration of redeveloping the Audit Programme. The audit
programme should be generated with the input of key individuals from the organization
and the Auditor. Recommended participants are the Quality Assurance Manager and
the Management Representative; representatives from other functions should
participate as required, but the working group should be manageable in size.
Structure of audit programme
The Audit Programme is created using a template supplied to the auditor (refer
template-1). The Audit Programme includes basic organization information:
- Organization's name and location(s),
- Organization's account number/Certificate number,
- Total number of employees (full time) and number of shifts,
- IAF / EAC-code, including description
- Applicable Standard(s) and exclusion(s)
- Revised by/on/for
- Scope Statement
- Process Matrix

The audit programme templates already have the required processes.
There are three types (four groups) of processes to be included in the Audit
Programme:
- Management processes - required processes (Group I)
- Realisation processes - required processes (Group II)
- Support processes - required processes (Group III)
- Support processes - sample processes (Group IV)

Note: Each Audit Programme should be structured to reflect the organization's
Management System and should express processes in the terms recognized by the
organization.
Audit Timetable
The timetable is a detailed schedule of which processes/activities/areas the auditors
will be covering and when. The auditors and the auditees should be ready for the audit
at the appointed times; the auditees can carry on with their normal job when they
are not required for audit but should ensure that they are present when scheduled. The Lead
Auditor develops the timetable with inputs from the audit team and the auditee
organization. If feasible, the Lead Auditor will hold a meeting of the team to brief them
on the task and to finalise the audit timetable, which would have been sent as a draft
discussion document prior to the briefing meeting. Discussions will cover the scope of
the audit, the types of process they would expect to encounter and timings. The Lead
Auditor sends the timetable to the auditee organisation for agreement or comment, as
the organization may wish to provide input to the audit timetable.

The Audit timetable is produced from the Business Process Flow Chart. The Lead Auditor
produces or reproduces the business process map and identifies all the
areas/departments/processes and activities within the audit scope that auditors need
to audit (noting supporting activities such as laboratories, quality control,
maintenance, continual improvement, quality objectives, information control and
top management). Planning establishes how much time will be needed to effectively
audit each area and allocates auditor time to each area. This defines the timing needed
to complete the audit. The Lead Auditor allocates auditors to each area following
activity flows and available time. (Auditees may not be available during lunches, shift
changeover or after normal working hours.) Planning may be more difficult due to the
eased requirements for documentation.
A timetable is prepared for both the stage 1 and stage 2 audits and communicated to the
organization and the team members at each stage, prior to the stage 1 and stage 2
audits respectively.
The outputs of the Certification Stage 1 Audit are:
1. Report summarizing the audits performed and the results
2. Audit Programme & Audit time table
3. CAR findings
4. Tentative dates for the next audit

2.1.3 Initial certification stage 2 audit


The Audit Components for the Certification Stage 2 Audit are Process Audits (from the
Audit Programme) and Corrective Action resolution (of findings from the previous
audit).
The purpose of the stage 2 audit is to evaluate the implementation, including
effectiveness, of the organization's management system. The stage 2 audit shall take
place at the site(s) of the organization. It shall include at least the following:
a) information and evidence about conformity to all requirements of the applicable
   management system standard or other normative document;
b) performance monitoring, measuring, reporting and reviewing against key
   performance objectives and targets (consistent with the expectations in the
   applicable management system standard or other normative document);
c) the organization's management system and performance as regards legal
   compliance;
d) operational control of the organization's processes;
e) internal auditing and management review;
f) management responsibility for the organization's policies;
g) links between the normative requirements, policy, performance objectives and
   targets (consistent with the expectations in the applicable management system
   standard or other normative document), any applicable legal requirements,
   responsibilities, competence of personnel, operations, procedures, performance
   data and internal audit findings and conclusions.

Process Audits During Certification Stage 2


In each process audit, the interviews will begin at an appropriate high level (with
process owner) in the organization to understand management objectives and
expectations for the process, as well as how management communicates to the
organization and the customer. The audit will then progress to a review of the process
and implementation, while considering the business objectives. The persons
interviewed should be not only capable of performing the tasks and methods of
measurement and control, but also be able to explain the impacts of their actions on the
product and business objectives.
When appropriate to the organization and the process being assessed, the last phase
of the audit (with process owner) should focus on the continual improvement aspects:
analysis of product, process and data to identify opportunities for improvement. Quality
Objectives and feedback to the Management Review process are the results. The
larger objective is to verify that management initiatives are defined, delegated and
implemented, and that the results are monitored, measured and evaluated.
Initial certification audit conclusions
The audit team shall analyse all information and audit evidence gathered during the
stage 1 and stage 2 audits to review the audit findings and agree on the audit
conclusions.
The outputs of the Certification Stage 2 Audit are:
1. Report summarizing the audits performed and the results, including:
   EITHER
   A Certification recommendation and description of resolution of all nonconformances
   closed at the Certification Audit, if applicable.
   OR
   A schedule for corrective action plans addressing open nonconformance and a
   schedule for follow-up to assess Corrective Action.
2. An updated Audit Programme defining the processes for the next audit.
3. CAR findings.
4. Tentative dates for the next audit and detailed agenda.

The certification body shall make the certification decision on the basis of an
evaluation of the audit findings and conclusions and any other relevant information
(e.g. public information, comments on the audit report from the organization).
2.1.4 Assumption audit (transfer of accredited certification)
Assumption audits (take-over audits from another certification body) consist of the
following segments:
Audit Programme Development
A new Audit Programme should be developed. Since a previous programme probably
does not exist, writing an Audit Programme may be a new experience for the
organization. The concept should be clearly explained to the organization. When
developing the Audit Programme, focus should be on the most critical processes, with
attention given to the amount of time and number of audits remaining before the
certificate expires. The audit shall include at a minimum: management review, quality
system documentation, internal auditing, and corrective and preventive action (even though
these processes may have been included in the last audit by the former certification
body).
Processes audit
The required process audit should be performed. Since this will be the first look at the
Management System, and the first chance to work with the organization, the review
should be more detailed than the normal surveillance audit.


Review of certification information and prior reports


Prior to issuing the new certificate, recent audit reports issued by the previous certification
body and other documentation should be reviewed. Any open issues and
nonconformance should be reviewed to assure that the Management System has
been maintained. Corrective action plans should be in place for any open findings. The
Certificate should be current and have been issued by a credible, accredited
certification body. For more details refer to IAF MD 2:2007.
The outputs of the Assumption Audit are:
1. Report summarizing the audits performed and the results
2. Audit Programme
3. CAR findings
4. Tentative dates for the next audit and detailed agenda

2.1.5 Surveillance audits


The Audit Components for a Surveillance Audit are the required process audits,
sample of support process audits, and Corrective Action resolution. The process
audits to be performed are defined on the Audit Programme by the code Sx with x
referring to the sequence of surveillance audits and the highest number being the
current audit.
The outputs of a Surveillance Audit are:
1. A Report summarizing the audits performed and the results
2. An updated Audit Programme for the next audit
3. CAR Findings
4. A schedule of submittal of a corrective action plan, if required
5. Tentative dates for the next audit and detailed agenda.

Following the completion of the surveillance audit, the Audit Programme shall be
updated to define the processes that will be audited at the next surveillance. These will
be designated as S (x) with x being the next surveillance number. This updated
programme will be submitted as part of the report package.
Renewal Audit Planning during last Surveillance Audit

During the last Surveillance Audit of the contract period, the Auditor shall discuss the
Certification/renewal situation with the organization.
Inputs for this discussion are:
- Organization's desire to renew the Certification
- General performance of the organization with respect to their Management System
- Modification of the scope for the renewed Certification, if any
- Options for renewal and subsequent surveillances

A full re-Certification Audit shall be performed when, in the judgment of Lead Auditor
and the Certification Official, it is warranted. This could be based on consecutive
surveillance audits with an unsatisfactory quality level. The decision shall be
documented in the last surveillance audit report. A full re-audit may also be required if
the applicable standard is changed or revised, or if a significant change in the working
plan or organization structure would warrant it.
The organization has the option at this time to select a six-month or yearly interval for
the surveillance audit process. The audits and days will be as agreed in the approved
quotation and contract agreement.
2.1.6 Renewal Audit
A Renewal Audit is carried out at the conclusion of the three-year Certification
Agreement period for Management System contracts. The audit structure will be
identical to the Surveillance audit, although more process audits will be performed.
Again there are two objectives:
1. Confirm that the implementation of the documented Management System
   satisfies the requirements of the applicable standard and of the organization's
   own management system,
2. And continue the partnership building. Partnership with Integrity is the objective.
   Information gathered shall also be sufficient to generate the report.

The outputs of the Renewal Audit are:
1. Report summarizing the audits performed and the results, including:
   EITHER
   A Certification renewal recommendation
   OR
   A schedule for corrective action plans addressing open nonconformance and a
   schedule for Corrective Action Audit to assess corrective action.
2. An updated Audit Programme defining the processes for the next audit.
3. CAR Findings.
4. Tentative dates for the next audit and detailed agenda

Note: as said above, all nonconformances shall be closed and corrective action
verified before certification renewal can be recommended.
Refer to IAF MD 3 for more details on recertification and advance surveillance
procedures.
2.1.7 Corrective Action Audit
Corrective Action Audits are intended to document the closure of nonconformities
following an audit. The corrective action audit can be the review of documents off-site
or an on-site verification.
Again there are two objectives:
1. Confirm that the corrective action was effective, and
2. Continue the partnership building. Information gathered shall be sufficient to
   output a report.

Outputs of the Corrective Action Audit are:
1. Report summarizing the results of the audit, including:
   EITHER
   Closure of the corrective action with either a certification recommendation or
   surveillance schedule as agreed,
   OR
   A schedule for corrective action plan addressing still open nonconformance and a
   schedule for additional Corrective Action Audit.
2. Tentative dates for the next audit and detailed agenda.


2.2 AUDITORS COMPETENCE
Confidence and reliance in the audit process depend on the competence of those
conducting the audit. This competence is based on the demonstration of
- the personal attributes and
- the ability to apply the knowledge and skills through the education, work
  experience, auditor training and audit experience.

This concept of competence of auditors is illustrated in figure 5. Some of the
knowledge and skills are common to auditors of quality management systems, and
some are specific to auditors of the individual disciplines.
Auditors develop, maintain and improve their competence through continual
professional development and regular participation in audits.

[Figure 5 diagram. Labels: Competence; Quality System; Quality-specific knowledge and
skills; Generic knowledge and skills; Education; Work experience; Auditor training;
Auditor experience; Personal attributes]

Figure 5 - Competence of Auditors

For qualification of auditors, auditors shall meet the requirements of ISO 17021 (part 2), ISO
19011 and the procedures of the certification body.

2.3 ROLES AND RESPONSIBILITIES OF ASSESSMENT/CERTIFICATION PERSONNEL

2.3.1 Roles and responsibilities of top management


a) development of policies relating to the operation of the certification body;
b) supervision of the implementation of the policies and procedures;
c) supervision of the finances of the certification body;
d) development of management system certification services and schemes;
e) performance of audits and certification, and responsiveness to complaints;
f) decisions on certification;
g) delegation of authority to committees or individuals, as required, to undertake
   defined activities on its behalf;
h) contractual arrangements;
i) provision of adequate resources for certification activities.

2.3.2 Roles and responsibilities of lead auditors


(a) Carry out documentation review.
(b) Prepare the audit programme and audit timetable.
(c) Verify that auditor days meet the requirement, sites to be covered, selection of audit
    team members and dates of audit, and travel arrangements.
(d) Conduct opening and closing meetings.
(e) Carry out audits as per timetable and prepare corrective action requests based on
    audit findings.
(f) Examine and finalise corrective action plans proposed by the organization.
(g) Finalise agreements for follow up actions on the nonconformances.
(h) Review follow up reports, if any.
(i) Prepare final reports for approval by the certification management.


2.3.3 Roles and responsibilities of auditors


(a) Carry out audits assigned to them as per timetable.
(b) Prepare corrective action requests (Nonconformity finding report) as observed
and directed by the lead auditor.
(c) Prepare audit reports for the processes assigned to them and submit to the lead
auditor
(d) Assist the team leader as requested.
2.3.4 Roles and responsibilities of technical experts
(a) Accompany the auditors as per the audit timetable and observe the happenings
    during the audit; the technical expert is not required to take part in the audit process.
(b) Suggest to the lead auditor and auditor any changes required in the timetable so
    as to ensure better coverage of the audit scope.
(c) Offer his opinions (if any) on any of the issues arising out of the audit when
    requested by the lead auditor/auditor.
(d) Inform the lead auditor/auditor of any specific subject he considers not
    addressed by the lead auditor/auditor.
(e) Submit his report at the end of the audit to the lead auditor.
2.3.5 Roles and responsibilities of trainee auditors/ observers
Trainee auditors/ observers do not take part in the audit and are only observers.

2.4 AUDIT TIME
Methodology for Determining Audit Duration
Table 1 provides a starting point for estimating initial certification audit (Stage 1 +
Stage 2) duration but is only based upon the number of employees.
Total employee numbers where applicable shall include those working on each shift.
Where product realization processes operate on a shift basis, each shift should be
subject to audit by appropriate methods. The extent of audit activity required during
each shift can depend on the nature of the realization processes, the process
information generated, and personnel availability outside of their shift hours.


For organizations of a similar number of employees, some will need more time and
some less. The variation of time spent on each audit depends on a number of factors
including the size, scope of the audit, logistics, complexity of the organization and its
state of preparedness for audit. These and other factors shall be examined during the
contract review process. Figure 6 below and its associated notes provide a visual
guide to making adjustments from the basic audit times and provides the framework
for a process that should be used for audit planning by identifying a starting point
based on the total number of employees for all shifts, then adjusting for the significant
factors applying to the organization to be audited, and attributing to each factor an
additive or subtractive weighting to modify the base figure. In every situation the basis
for the establishment of audit duration including adjustments made shall be recorded.
The Certification Body shall document the justification for each organization where it is
applying a reduction of audit duration by more than 30% from the times established in
table 1, and where accreditation applies, advise and make the justification available to
their accreditation body.
Multi-site audit durations:
In the case of multi-site audits, the starting point for calculating audit duration for each
site included in the audit plan shall be consistent with Table 1. However reductions can
be made taking into account situations where certain management system processes
are not relevant to the site and are the primary responsibility of the controlling site. For
the purpose of determining an organization's eligibility for sampling, and for the
sampling itself, IAF MD 1:2007 shall be used.
The average initial certification audit duration (stage 1 + stage 2) shown in
Table 1:
- Includes off-site and on-site time spent by an Auditor or Audit Team in planning
and preparation; document review; interfacing with organization, personnel,
records, documentation and processes; and report writing.
- Does not include auditor travel time.
- Is based on an Auditor Day of 8 hours. The number of Auditor Days employed
may not be reduced at the initial planning stages by programming longer hours
per working day.
- Shall not include time spent by technical experts or auditor in training.
- It may include remote auditing techniques such as interactive web-based
collaboration, web meetings, teleconferences and/or electronic verification of the
organization's processes. These activities shall be identified in the audit plan, and
may be considered as contributing to the total on-site auditor time. If the
Certification Body plans an audit for which the remote auditing activities represent
more than 30% of the planned on-site auditor time, the Certification Body shall
justify the audit plan and keep records of the justification.

For further details refer to Table 1.


Initial Certification Stage 1 audit
For most management systems, it is desired that at least part of the stage 1 audit is
carried out at the organization's premises. The duration is typically 1 auditor day, but
can be less for small organizations and more for large or complex organizations.
Surveillance
During the initial three year certification cycle, surveillance audit duration for a given
organization should be proportional to the time spent at initial certification audit (stage
1 + stage 2) with the total amount of time spent annually on surveillance not less than
1/3 of the time spent on the initial certification audit. The planned surveillance time
shall be reviewed from time-to-time to account for changes in the organization, system
maturity, etc., and at a minimum at the time of recertification. In the case that remote
auditing techniques are utilized, the certification organization's controlling location
shall be physically visited for surveillance audit at a minimum of once per annum.
Recertification
The duration of the recertification audit should be approximately 2/3 of the time that
would be required for an initial certification audit (Stage 1 + Stage 2) of the organization
if such an initial audit were to be carried out at the time of the recertification (i.e. not 2/3 of
the original certification duration).


Table 1:
ASSESSMENT MANDAY CALCULATION SHEET ISO 9001-2008
(Refer IAF MD 5:2009)
CERTIFICATION

Columns:
(A) No. of employees
(B) Total initial audit
(C) With design, Complex: less 10% of B towards planning and reporting, rounded upwards to 0.5 or whole number
(D) With design, Simple: less 20% of B, rounded upwards to 0.5 or whole number
(E) Without design, Complex: less 20% of B, rounded upwards to 0.5 or whole number
(F) Without design, Simple: less 30% of B, rounded upwards to 0.5 or whole number

(A)           (B)     (C)     (D)     (E)     (F)
1-5           1.5     1.5     1.5     1.5     1.5
6-10          2       2       2       2       1.5
11-15         2.5     2.5     2       2       2
16-25         3       3       2.5     2.5     2.5
26-45         4       4       3.5     3.5     3
46-65         5       4.5     4.0     4.0     3.5
66-85         6       5.5     5.0     5.0     4.5
86-125        7       6.5     6.0     6.0     5.0
126-175       8       7.5     6.5     6.5     6.0
176-275       9       8.5     7.5     7.5     6.5
276-425       10      9.0     8.0     8.0     7.0
426-625       11      10.0    9.0     9.0     8.0
626-875       12      11.0    10.0    10.0    8.5
876-1175      13      12.0    10.5    10.5    9.5
1176-1550     14      13.0    11.5    11.5    10.0
1551-2025     15      13.5    12.0    12.0    10.5
2026-2675     16      14.5    13.0    13.0    11.5
2676-3450     17      15.5    14.0    14.0    12.0
3451-4350     18      16.5    14.5    14.5    13.0
4351-5450     19      17.5    15.5    15.5    13.5
5451-6800     20      18.0    16.0    16.0    14.0
6801-8500     21      19.0    17.0    17.0    15.0
8501-10700    22      20.0    18.0    18.0    15.5

- 10% to 20% reduction for time spent on audit planning and report writing for complex to simple organization.
- 20% to 30% reduction for exclusion of the design and development clause for complex to simple organization.
- Up to 30% reduction from total initial audit days is allowed (maximum) for organizations having few processes,
small scope, repetitive processes etc.
- Assessment mandays have been rounded upwards to 0.5 or whole number.
- Annual surveillance audit onsite time shall be 1/3 of initial audit onsite time.
- Renewal audit onsite time shall be 2/3 of initial onsite time for number of employees at the time of audit.

[Figure 6: chart of adjustments to the basic auditor time. Axes: Organization Distribution (- to +) and Organization System Complexity. Marked: Starting point from Auditor Time Chart. Quadrants: Large Simple, Large Complex, Small Simple, Small Complex. Factor labels: Multi-site, Few processes, Many processes, Repetitive processes, Unique processes, Small scope, Large scope, Design responsible.]

Notes to Figure 6:
Once the general starting point for determining the required Auditor Time has been
made for the typical organization with the number of employees indicated, some
adjustments need to be considered to account for the differences that could affect the
actual Auditor Time required to perform an effective audit for the specific organization
to be audited.
Some factors requiring additional auditor time could be, as examples:

- Complicated logistics involving more than one building or location where work is
carried out. e.g., a separate Design Centre shall be audited
- Staff speaking in more than one language (requiring interpreter(s) or preventing
individual auditors from working independently)
- Very large site for number of employees (e.g., a forest)
- High degree of regulation (food and drugs, aerospace, nuclear power, etc.)
- System covers highly complex processes or relatively high number of unique
activities
- Activities that require visiting temporary sites to confirm the activities of the
permanent site(s) whose management system is subject to
certification/registration. (see xxx Temporary Sites)
Some factors permitting less auditor time could be, as examples:

- Organization is not Design Responsible and/or other Standard elements are not
covered in the scope
- No/low risk product/processes
- Prior knowledge of organization system (e.g., already certified/registered to
another Standard by the same Certification Body)
- Very small site for number of employees (e.g., Office complex only)
- Organization preparedness for registration (e.g., already registered or recognized
by another 3rd party scheme)
- Combined audit of an integrated system of two or more compatible management
systems (according to the compatibility definition developed by ISO/TC 176 and
ISO/TC 207)
- Low complexity activities, e.g.
  - Processes involve a single generic activity (e.g., Service only)
  - Identical activities performed on all shifts with appropriate evidence of
  equivalent performance on all shifts based on prior audits (internal audits and
  certification/registration body audits)
- Maturity of management system
- Where a significant proportion of staff carry out a similar simple low risk function,
sampling the activities of approximately 10% of such staff can be considered.
- Where staff include a number of people who work off location e.g. salespersons,
drivers, service personnel, etc. and it is possible to substantially audit compliance
of their activities with the system through review of records, Appropriate
documentation available on constantly positive outputs and results of the
management system.
All attributes of the organization's system, processes, and products/services should be
considered and a fair adjustment made for those factors that could justify more or less
auditor time for an effective audit. Additive factors may be off-set by subtractive
factors.
Effective Number of Employees
A Certification Body should agree with the organization to be audited the timing of the
audit which will best demonstrate the full scope of the organization. The consideration
should include the effective number of employees present by season, month, day/date
and shift as appropriate.
Part-time employees should be treated as full-time-equivalent employees. This
determination will depend upon the number of hours worked as compared with a full-time employee.
Second and subsequent assessment cycles
For the second and subsequent assessment cycles, the Certification Body may
choose to design an individualized surveillance and recertification programme

Temporary Sites
Temporary sites could range from major project management sites to minor
service/installation sites. The need to visit such sites and the extent of sampling
should be based on an evaluation of the risks of the failure of a product or service to
meet needs/expectations due to system nonconformity. The sample of sites selected
should represent the range of the organization's competency needs and service
variations having given consideration to sizes and types of activities, and the various
stages of projects in progress. Typically on-site evaluations of temporary sites should
be performed. However, the following methods could be considered as alternatives to
replace some physical on-site visits.
- Interviews or progress meetings with the organization and/or its
customer in person or by teleconference
- Document review of temporary site activities
- Remote access to electronic site(s) that contain records or other information that is
relevant to the assessment of the management system and the temporary site(s)
- Use of video and teleconference and other technology that enable effective auditing
to be conducted remotely.
In each case the method of evaluation should be fully
documented and justified in terms of its effectiveness.

2.5 AUDIT SCOPES
Scopes of Accreditation
This list of scopes of accreditation is based on NACE classification revision 1 1994.
The auditors are required to be qualified based on qualification and technical
experience in the respective scope sector.
No  Description  NACE Class

01  Agriculture, Hunting, Forestry & Fishing  A, B
    Growing of crops; market gardening; horticulture  A 01.1
    Farming of animals  A 01.2
    Growing of crops combined with farming of animals (mixed farming)  A 01.3
    Agricultural and animal husbandry service activities, except veterinary activities  A 01.4
    Hunting, trapping and game propagation including related service activities  A 01.5
    Forestry, logging and related service activities  A 02.0
    Fishing, operation of fish hatcheries and fish farms; service activities incidental to fishing  B 05.0

02  Mining and Quarrying
    Mining and agglomeration of hard coal  CA 10.1
    Mining and agglomeration of lignite  CA 10.2
    Extraction and agglomeration of peat  CA 10.3
    Extraction of crude petroleum and natural gas  CA 11.1
    Service activities incidental to oil and gas extraction excluding surveying  CA 11.2
    Mining of uranium and thorium ores  CA 12.0
    Mining of iron ores  CB 13.1
    Mining of non-ferrous metal ores, except uranium and thorium ores  CB 13.2
    Quarrying of stone  CB 14.1
    Quarrying of sand and clay  CB 14.2
    Mining of chemical and fertilizer minerals  CB 14.3
    Production of salt  CB 14.4
    Other mining and quarrying n.e.c.  CB 14.5

03  Food Products, Beverages and Tobacco  DA
    Production, processing and preserving of meat and meat products  DA 15.1
    Processing and preserving of fish and fish products  DA 15.2
    Processing and preserving of fruit and vegetables  DA 15.3
    Manufacture of vegetable and animal oils and fats  DA 15.4
    Manufacture of dairy products  DA 15.5
    Manufacture of grain mill products, starches and starch products  DA 15.6
    Manufacture of prepared animal feeds  DA 15.7
    Manufacture of other food products  DA 15.8
    Manufacture of beverages  DA 15.9
    Manufacture of tobacco products  DA 16.0

04  Textiles and Textile Products  DB
    Preparation and spinning of textile fibers  DB 17.1
    Textile weaving  DB 17.2
    Finishing of textiles  DB 17.3
    Manufacture of made-up textile articles, except apparel  DB 17.4
    Manufacture of other textiles  DB 17.5
    Manufacture of knitted and crocheted fabrics  DB 17.6
    Manufacture of knitted and crocheted articles  DB 17.7
    Manufacture of leather clothes  DB 18.1
    Manufacture of other wearing apparel and accessories  DB 18.2
    Dressing and dyeing of fur; manufacture of articles of fur  DB 18.3

05  Leather and Leather Products  DC
    Tanning and dressing of leather  DC 19.1
    Manufacture of luggage, handbags and the like, saddlery and harness  DC 19.2
    Manufacture of footwear  DC 19.3

06  Wood and Wood Products  DD
    Sawmilling and planing of wood, impregnation of wood  DD 20.1
    Manufacture of veneer sheets; manufacture of plywood, Laminated board, particle board, fiber board and other panels and boards  DD 20.2
    Manufacture of builders' carpentry and joinery  DD 20.3
    Manufacture of wooden containers  DD 20.4
    Manufacture of other products of wood, manufacture of articles of cork, straw and plaiting materials  DD 20.5

07  Pulp, Paper and Paper Products  DE
    Manufacture of pulp, paper and paperboard  DE 21.1
    Manufacture of articles of paper and paperboard  DE 21.2

08  Publishing Companies  DE
    Publishing of books; publishing of newspapers, journals, periodicals, sound recordings and other publishing  DE 22.1

09  Printing Companies  DE
    Printing of newspapers; printing n.e.c.; bookbinding and finishing; composition and plate making; other activities related to printing  DE 22.2
    Reproduction of recorded media  DE 22.3

10  Coke and Refined Petroleum Products  DF
    Manufacture of coke oven products  DF 23.1
    Manufacture of refined petroleum products  DF 23.2

11  Nuclear Fuel  DF
    Processing of nuclear fuel  DF 23.3

12  Chemicals, Chemical Products and Fibers  DG
    Manufacture of basic chemicals  DG 24.1
    Manufacture of pesticides and other agro-chemical products  DG 24.2
    Manufacture of paints, varnishes and similar coatings, printing ink and mastics  DG 24.3
    Manufacture of soap and detergents, cleaning and polishing preparations, perfumes and toilet preparations  DG 24.5
    Manufacture of other chemical products including: explosives, glues and gelatins, essential oils, photographic chemical material, prepared unrecorded media, and other chemical products n.e.c.  DG 24.6
    Manufacture of man-made fibers  DG 24.7

13  Pharmaceuticals  DG
    Manufacture of pharmaceuticals, medicinal chemicals and botanical products  DG 24.4

14  Rubber and Plastic Products  DH
    Manufacture of rubber products  DH 25.1
    Manufacture of plastic products  DH 25.2 2

15  Non-metallic Mineral Products  DI
    Manufacture of glass and glass products  DI 26.1
    Manufacture of non-refractory ceramic goods other than for construction purposes; Manufacture of refractory ceramic products  DI 26.2
    Manufacture of ceramic tiles and flags  DI 26.3
    Manufacture of bricks, tiles and construction products, in baked clay  DI 26.4
    Cutting, shaping and finishing of stone  DI 26.7
    Manufacture of other non-metallic mineral products, including production of abrasive products  DI 26.8

16  Concrete, Cement, Lime, Plaster, etc.  DI
    Manufacture of cement, lime and plaster  DI 26.5
    Manufacture of articles of concrete, cement or plaster  DI 26.6

17  Basic Metals and Fabricated Metal Products  DJ
    Manufacture of basic iron and steel and ferro-alloys  DJ 27.1
    Manufacture of tubes (cast iron and steel)  DJ 27.2
    Other first processing of iron and steel and production of ferro-alloys  DJ 27.3
    Manufacture of basic precious and non-ferrous metals  DJ 27.4
    Casting of metals  DJ 27.5
    Manufacture of structural metal products  DJ 28.1
    Manufacture of tanks, reservoirs and containers of metal; manufacture of central heating radiators and boilers  DJ 28.2
    Manufacture of steam generators, except central heating hot water boilers  DJ 28.3
    Forging, pressing, stamping and roll forming of metal; powder metallurgy  DJ 28.4
    Treatment and coating of metals; general mechanical engineering  DJ 28.5
    Manufacture of cutlery, tools and general hardware  DJ 28.6
    Manufacture of other fabricated metal products  DJ 28.7

18  Machinery and Equipment  DK
    Manufacture of machinery for the production and use of mechanical power, except aircraft, vehicle and cycle engines  DK 29.1
    Manufacture of other general purpose machinery  DK 29.2
    Manufacture of agricultural and forestry machinery  DK 29.3
    Manufacture of machine-tools  DK 29.4
    Manufacture of other special purpose machinery  DK 29.5
    Manufacture of weapons and ammunition  DK 29.6 2
    Manufacture of domestic appliances n.e.c. (electric and non-electric)  DK 29.7

High-risk NACE codes are labeled based on technically complex processes
(manufacturing and design) within the specific NACE codes.

19  Electrical and Optical Equipment  DL
    Manufacture of office machinery and computers  DL 30.0
    Manufacture of electric motors, generators and transformers  DL 31.1
    Manufacture of electricity distribution and control apparatus  DL 31.2
    Manufacture of insulated wire and cable  DL 31.3
    Manufacture of accumulators, primary cells and primary batteries  DL 31.4
    Manufacture of lighting equipment and electric lamps  DL 31.5
    Manufacture of other electrical equipment n.e.c. (including for engines and vehicles n.e.c.)  DL 31.6
    Manufacture of electronic valves and tubes and other electronic components  DL 32.1
    Manufacture of television and radio transmitters and apparatus for line telephony and line telegraphy  DL 32.2
    Manufacture of television and radio receivers, sound or video recording or reproducing apparatus and associated goods  DL 32.3
    Manufacture of instruments and appliances for measuring, checking, testing, navigating and other purposes, except industrial process control equipment  DL 33.2
    Manufacture of industrial process control equipment  DL 33.3
    Manufacture of optical instruments and photographic equipment  DL 33.4
    Manufacture of watches and clocks  DL 33.5
    Manufacture of medical and surgical equipment and orthopedic appliances  DL 33.1
    Manufacture of active medical devices (ISO 13485/13488)
    Manufacture of active implantable medical devices (ISO 13485/13488)
    Manufacture of implantable medical devices (ISO 13485/13488)
    Sterilization of medical devices

20  Ship Building  DM
    Building and repairing of ships and boats  DM 35.1 3

21  Aerospace  DM
    Manufacture of aircraft and spacecraft  DM 35.3 3

22  Other Transport Equipment  DM
    Manufacture of motor vehicles  DM 34.1
    Manufacture of bodies (coachwork) for motor vehicles; manufacture of trailers and semi-trailers  DM 34.2
    Manufacture of parts and accessories for motor vehicles and their engines  DM 34.3
    Manufacture of railway and tramway locomotives and rolling stock  DM 35.2
    Manufacture of motorcycles and bicycles  DM 35.4
    Manufacture of other transport equipment n.e.c.  DM 35.5

23  Manufacturing Not Elsewhere Classified  DN
    Manufacture of furniture  DN 36.1
    Manufacture of jewelry and related articles  DN 36.2
    Manufacture of musical instruments  DN 36.3
    Manufacture of sports goods  DN 36.4
    Manufacture of games and toys  DN 36.5
    Miscellaneous manufacturing n.e.c.  DN 36.6

24  Recycling  DN
    Recycling of metal waste and scrap  DN 37.1
    Recycling of non-metal waste and scrap  DN 37.2

25  Electricity Supply
    Production and distribution of electricity  E 40.1

26  Gas Supply
    Manufacture of gas; distribution of gaseous fuels through mains  E 40.2

27  Water Supply
    Steam and hot water supply  E 40.3
    Collection, purification and distribution of water  E 41.0

28  Construction
    Site preparation  F 45.1
    Building of complete constructions or parts thereof; civil engineering  F 45.2
    Building installation  F 45.3
    Building completion  F 45.4
    Renting of construction or demolition equipment with operator  F 45.5

29  Wholesale and retail trade; repair of motor vehicles, motorcycles and personal and household goods
    Sale of motor vehicles  G 50.1
    Maintenance and repair of motor vehicles  G 50.2
    Sale of motor vehicle parts and accessories  G 50.3
    Sale, maintenance and repair of motorcycles and related parts and accessories  G 50.4
    Retail sale of automotive fuel  G 50.5
    Wholesale on a fee or contract basis  G 51.1
    Wholesale of agricultural raw materials and live animals  G 51.2
    Wholesale of food, beverages and tobacco  G 51.3
    Wholesale of household goods  G 51.4
    Wholesale of non-agricultural intermediate products, waste and scrap  G 51.5
    Wholesale of machinery, equipment and supplies  G 51.6
    Other wholesale  G 51.7
    Retail sale in non-specialized stores  G 52.1
    Retail sale of food, beverages and tobacco in specialized stores  G 52.2
    Retail sale of pharmaceutical and medical goods, cosmetics and toilet articles  G 52.3
    Other retail sale of new goods in specialized stores  G 52.4
    Retail of second-hand goods in stores  G 52.5
    Retail sale not in stores  G 52.6
    Repair of personal and household goods  G 52.7

30  Hotels and Restaurants
    Hotels  H 55.1
    Camping sites and other provision of short-stay accommodation  H 55.2
    Restaurants  H 55.3
    Bars  H 55.4
    Canteens and catering  H 55.5

31  Transport, Storage and Communications
    Transport via railways  I 60.1
    Other land transport  I 60.2
    Transport via pipelines  I 60.3
    Sea and coastal water transport  I 61.1
    Inland water transport  I 61.2
    Scheduled air transport  I 62.1
    Non scheduled air transport  I 62.2
    Space transport  I 62.3
    Cargo handling and storage  I 63.1
    Other supporting transport activities  I 63.2
    Activities of travel agencies and tour operators; tourist assistance activities n.e.c.  I 63.3
    Activities of other transport agencies  I 63.4
    Post and courier activities  I 64.1
    Telecommunications (service providers)  I 64.2

32  Financial Intermediation, Real Estate, Renting  J, K
    Monetary intermediation  J 65.1
    Other financial intermediation  J 65.2
    Insurance and pension funding, except compulsory social security  J 66.0
    Activities auxiliary to financial intermediation, except insurance and pension funding  J 67.1
    Activities auxiliary to insurance and pension funding  J 67.2
    Real estate activities with own or leased property  K 70.1
    Letting of own property  K 70.2
    Real estate activities on a fee or contract basis  K 70.3
    Renting of automobiles  K 71.1
    Renting of other transport equipment  K 71.2
    Renting of other machinery and equipment  K 71.3
    Renting of personal and household goods n.e.c.  K 71.4

33  Information Technology
    Hardware consultancy  K 72.1
    Software consultancy and supply  K 72.2
    Data processing  K 72.3
    Data base activities  K 72.4
    Maintenance and repair of office, accounting and computing machinery  K 72.5
    Other computer related activities  K 72.6

34  Engineering Services
    Research and experimental development on natural sciences and engineering  K 73.1
    Research and experimental development on social sciences and humanities  K 73.2
    Architectural and engineering activities and related technical consultancy  K 74.2

35  Other Services  K
    Legal, accounting, bookkeeping and auditing activities; tax consultancy; market research and public opinion polling; business and management consultancy; holdings  K 74.1
    Technical testing and analysis  K 74.3
    Advertising  K 74.4
    Labor recruitment and provision of personnel  K 74.5
    Investigation and security activities  K 74.6
    Industrial cleaning activities  K 74.7
    Other business activities n.e.c.  K 74.8

36  Public Administration
    Administration of the State and the economic and social policy of the community  L 75.11
    Provision of services to the community as a whole  L 75.21
    Compulsory social security activities  L 75.31

37  Education
    Primary education  M 80.1
    Secondary education  M 80.2
    Higher education  M 80.3
    Adult and other education  M 80.4

38  Health and Social Work  N
    Human health activities  N 85.11, N 85.12, N 85.13, N 85.14
    Veterinary activities  N 85.2
    Social work activities  N 85.3

39  Other Social Services
    Sewage and refuse disposal, sanitation and similar activities  O 90.0
    Activities of business, employers and professional organizations  O 91.1
    Activities of trade unions  O 91.2
    Activities of other membership organizations  O 91.3
    Motion picture and video activities  O 92.1
    Radio and television activities  O 92.2
    Other entertainment activities  O 92.3
    News agency activities  O 92.4
    Library, archives, museums and other cultural activities  O 92.5
    Sporting activities  O 92.6
    Other recreational activities  O 92.7
    Other service activities  O 93.0

Note: Certification body could follow other system of scope classification as per their
procedures and approved by accreditation board.

2.6 MATURITY ASSESSMENT

2.6.1 Introduction
Organizations should use an assessment tool, to determine their maturity level, i.e.
how well their essential capabilities are developing and growing towards the
achievement of sustainability.
The use of such a tool should enable an organization to identify specific areas for
improvement and to establish any action plans needed for the organization's further
development.
The results of an organization's assessments should be a valuable input into its
management review process, for both strategic and operational issues; consequently
such assessments should be conducted periodically.
Experience demonstrates that the results of assessment are more balanced and
complete when the assessments are conducted by teams.
2.6.2 Description of the maturity levels
Prior to carrying out this assessment, users should familiarize themselves with the
maturity levels described in table 1 below.
The maturity levels describe the degree of development of the capabilities of an
organization and are given on a rising scale from 1 to 5.
Table 1 Description of the maturity levels

Level 1, Beginner organization:
Management focus on production and rendering the service. No systematic approach and planning of activities. Unpredictable results. Improvements as reactions to request or complaints.

Level 2, Proactive organization:
Customer oriented management. Quality Mgt System implemented. Some results are predictable. Corrective and preventive actions systematically performed.

Level 3, Flexible organization:
The strategic plan addresses customers and stakeholders. Process based approach. Effective and agile Management Systems. Results are predictable.

Level 4, Innovative organization:
Balanced focus on stakeholders. Effective interrelated process approach. Consistent, positive, results and sustained trends. Continual improvement based on learning and culture of sharing.

Level 5, Sustainable organization:
Ability to maintain and develop its performance in the long term.

Note: For complete details refer ISO 9004:2007 (Draft).


CHAPTER-3
AUDITING GUIDE
3.0 PROCESS CLASSIFICATION

BUSINESS PROCESS MAP

MANAGEMENT PROCESS: Required processes (Group 1)
Management involvement (Clause 5 & 6 all sub clauses except 6.2.2)
Customer focus (Clause 5.2)
Improvement processes (Clause 8.4 & 8.5 all sub clauses)

REALIZATION PROCESS: Required processes (Group 2)
Customer process
- Contract order management (Clause 7.2.1 & 7.2.2)
Design and development (Clause 7.3)
Purchasing
- Supplier management (Clause 7.4.1)
Product manufacturing processes (Clause 7.5.1, 7.5.2, 7.5.3, 8.3)
Service delivery process (Clause 7.5.1, 7.5.2, 7.5.3, 8.3)

SUPPORT PROCESS: Required processes (Group 3)
Document control (Clause 4.2.3)
Customer focus: Customer complaints and satisfaction (Clause 8.2.1, 8.5.2)
Internal audit (Clause 8.2.2)

SUPPORT PROCESS: Sample processes, Support processes (Group 4)
Records management (Clause 4.2.4)
Training (Clause 6.2.2)
Employee development (Clause 6.2.2)
Maintenance (Clause 6.3)
Work Environment (Clause 6.4)
- Planning for product realization (Clause 7.1) OR
- Planning for service realization (Clause 7.1)
- Purchasing process (Clause 7.4.2)
- Process validation (Clause 7.5.2)
Customer process
- Customer communication (Clause 7.2.3)
- Customer supplied product (Clause 7.5.4)
- Inspection
- Receiving inspection (Clause 7.4.3)
- Process inspection (Clause 8.2.3)
- Stage inspection (Clause 8.2.4)
- Final inspection (Clause 8.2.4)
- Calibration (Clause 7.6)
- Stores management (Clause 7.5.5)
- Packing, shipping/delivery (Clause 7.5.5)

Note: Applicable in all audits:
1. In addition address clauses 4.2.3, 4.2.4, 5.4.1, 5.4.2, 5.5.1, 6.2, 8.4, 8.5.1, 8.5.2,
8.5.3 as applicable
2. In case process owner is responsible for document issue address clause 4.2.3
3. During certification audit, all processes group 1 to 4 shall be audited to cover all
clauses of the standard however within a clause/ sub clause, sampling of activities
could be followed. During surveillance audit, all processes of group 1 to 3 shall be
audited. For group 4 only few of the processes could be audited.
4. During 3 years of certification cycle ensure that all processes as per audit program
are audited.
5. Wherever possible refer/ use appendix C quality management system
questionnaire.
6. Value adding clauses are with respect to realization processes and improvement
processes
7. Value-Added Work:
- Customer is willing to pay for it
- It physically alters the product or service
- It's done right the first time
e.g.: Entering order, Ordering materials, Designing the Product, Manufacturing &
Assembling, Legally mandated testing, Packaging and Shipping to customer.

Nonvalue-Added Work:
- Is not essential to produce output.
- Does not add value to the output.
e.g.: Waiting, Storing, Stacking, Counting, Inspecting, Re-recording, Obtaining
many approvals, Testing, Reviewing, Copying, Filing, Repairing/Reworking and
Tracking.

[Figure: Value-Added Work, Waste, Other Necessary Work]

Important: Above process classification and notes are of recommendatory nature.
For this purpose each certification body should develop their process classification
and auditing procedures duly approved by accreditation body.

3.1 Required Processes - Management processes (Group 1)

- Management involvement (Clause 5 & 6 all sub clauses except 6.2.2)
- Customer focus (Clause 5.2)
- Improvement processes (Clause 8.4 & 8.5 all sub clauses)

3.1.1 Required processes - Management processes (Group 1)
Management involvement & Customer focus - (Clause 5 & 6 all sub clauses except
6.2.2, 6.3 & 6.4)
A. Purpose
Top management commitment is required not only to develop the quality
management system but also to continually improve it.
Top management shall communicate to the organization the importance of
meeting customer requirements, regulatory and legal requirements and shall
ensure that customer needs and expectations are determined and converted into
internal requirements.
Organizations wanting successful quality management systems should align the
quality policy with the overall strategies and needs of their business.
The term objective is to be interpreted broadly the same as goal, target, or aim.
The objectives should be SMART i.e. Specific, Measurable, Achievable, Realistic,
& Time bound. Basically they should include those needed to meet requirements
of product i.e. how customer perceives. In addition, for business strategy they
should also include financial, internal business process and learning & growth
perspectives. For the purpose of deployment, the balanced scorecard (as
recommended by Mr. Kaplan & Mr. Norton) could be used. The steps include
Communicating & Linking, Business planning & Feedback.
The various roles of personnel in the organization shall be defined so that their
responsibility, authority, and interactions are clear.
The communication structure within the organization needs to be defined.
Management review shall identify opportunities to improve the quality
management system and its processes. This could include actions to simplify or
foolproof processes, to develop improved methods, to improve documentation,
and so on.

The resources include personnel, time, equipment, materials, supplies,
instruments, and facilities.
The organization shall identify, provide, and maintain appropriate infrastructure
for all of the processes within the quality management system.
Quality management system records should indicate that the requirements of this
clause have been considered and addressed.
The human factors in the work environment include work methods, safety rules
and guidance, including use of protective equipment, and ergonomics. The
physical factors include heat, noise, light, hygiene, humidity, cleanliness,
vibration, pollution, electrostatic discharge, radiation and airflow.
B. Requirements (refer clause 5 & 6 all sub clauses except 6.2.2, 6.3 & 6.4 of
ISO 9001:2008 standard)
C. Audit at Management level (compliance audit as per clause 5 & 6 except
6.2.2, 6.3 & 6.4 of ISO 9001:2008)
D. In addition address following subjects for performance improvement and
sustainability for value addition.
1. Does the management ensure?
- Meeting targets (production, schedules, cost)
- Employee motivation
- Growth
- Performance improvement
- System improvement
2. Leading the organization by example - is it true?
3. How is added value provided into the processes by the management?
4. Creating an environment that encourages the involvement & deployment of
people?
5. Measurements for financial, process performance, bench marking, third party
evaluations, satisfaction of customer, people, perception of other interested
parties?

6. Strategic planning for future?
7. Understanding needs & expectations of customers including potential
customers (conformity, dependability, availability, delivery, post activities,
procedure, life cycle costs, product safety, product liability, environmental
impact)?
8. Detecting key product characteristics for its customers & end-users?
Note: This audit involves:
- Objective deployment at top management level
- Auditing management review
- Auditing of management of resources
- Auditing of internal communication and its effectiveness

3.1.2 Required processes - Management processes (Group 1)
Improvement processes - (Clause 8.4 & 8.5 all sub clauses)
A. Purpose:
The organization is required to analyze data to identify areas where
improvements can be made. The analysis shall provide information in four
specific areas: customer satisfaction and/or dissatisfaction; conformance to
customer requirements; characteristics of processes, product and their trends;
and suppliers. The information may differ based on type and size of the
organization as well as the product category.
This clause requires that the organization plan the processes for continual
improvement of quality management system through deployment of quality
objectives, effective internal audit, and analysis of data leading to proper controls
on processes and identifying improvement projects, and effective management
reviews.
It involves taking actions to eliminate the causes of non-conformities in order to
prevent recurrence.
It involves finding potential causes of possible problems to eliminate the cause of
potential non-conformities.

B. Requirements (refer clause 8.4 & 8.5 all sub clauses of ISO 9001:2008
standard)
C. Audit at Management level (compliance audit as per clause 8.4 & 8.5 all sub
clauses of ISO 9001:2008)
D. In addition address following subjects for performance improvement and
sustainability for value addition.
1. Does the process owner ensure?
- Meeting objective targets related to improvement projects
- Employee motivation
- Performance improvement
- System improvement
2. Has the organization identified and implemented any improvement projects
using statistical techniques such as process FMEA, Six Sigma etc.?
3. Valid analysis methods/appropriate statistical techniques?
4. Improvements - small step improvements & strategic breakthrough
improvement projects?

3.2 REQUIRED PROCESSES - REALIZATION PROCESSES (GROUP 2)

- Customer process
  - Contract order management (Clause 7.2.1 & 7.2.2)
- Design and development (Clause 7.3)
- Purchasing
  - Purchasing process (Clause 7.4.2)
- Product manufacturing processes (Clause 7.5.1, 7.5.3, 8.3)
OR
- Service delivery process (Clause 7.5.1, 7.5.3, 8.3)

3.2.1 Required processes - Realization processes (Group 2)
Customer process - Contract/order management (Clause 7.2.1 & 7.2.2)
A. Purpose:
It is important that determination and review of customer requirements gets the full
attention of the management since it is a survival issue for the organization. This
has an enormous impact on the quotation and order process and on ultimate
customer satisfaction.
The acceptance of order or the submission of a quote or a tender by an
organization creates an obligation on the organization to meet the conditions
stated in the order and to provide goods and services included in the scope of
quotation or tender.
The complexity of the order/quote review process is highly dependent on the
business of organization.
B. Requirements (refer Clause 7.2.1 & 7.2.2 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per clause 7.2.1 & 7.2.2 of
ISO 9001:2008)
D. Audit of process owner(s) level for compliance to 7.2.1, 7.2.2 and other
applicable clauses of ISO 9001:2008
E. In addition address following subjects for performance improvement
and sustainability for value addition.
1. Does the process owner ensure:
- Meeting objective targets
- Employee motivation
- Performance improvement
- System improvement
2. Has the organization identified and implemented any improvement projects?
3. Does the organization ensure adequate understanding of the needs and
expectations of its interested parties, and for translation into requirements for
the organization? This includes market research, competitor analysis, and
bench marking.

3.2.2 Required processes - Realization processes (Group 2)
Design and development (Clause 7.3)
A. Purpose:
Planning is required to the level of detail necessary to achieve the design
objectives, not to generate an excessive amount of paperwork. A typical
approach that is used to effectively address the planning requirement is to
generate a project flowchart that incorporates the pertinent personnel, timing and
interrelationship information.
It is intended to assure the development and documentation of a requirements
specification or an equivalent statement of the general and the specific
characteristics of a product to be developed, including the suitability of the
product to meet the market place, customer needs and statutory and/or
regulatory requirements.
This provision of the standard requires the availability of objective evidence that
the design and/or development has been executed in accordance with
requirements that were defined at the inception of the project.
In addition to documenting that the output results meet the input requirements, the
standard requires that information be provided to facilitate product realization.
The design and development review is used to assure timely release of a new
product that fully meets the needs of the customer. The design and development
reviews are required to be recorded.
Verification makes a determination, by any reasonable means, that the product
does meet the standard requirements. Verification can be done by review and
analysis of test data, by making alternative calculations, by additional testing of
the product or its components or by any other means.
Verification addresses conformance to requirements, while validation addresses
meeting defined user needs and whether the product is capable of meeting the
requirements for the intended use in an environment that approximates as closely
as possible the operating conditions that will exist in actual use. The results of
validation should be recorded.
Changes to a product should be considered to be like mini projects within a
project. All changes should be exercised through design review, verification, and
validation processes including evaluation of the effect of changes and follow-up
actions.

B. Requirements (refer Clause 7.3 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 7.3 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 7.3 and other
applicable clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure:
- Meeting targets
- Employee motivation
- Performance improvement
- System improvement
2. Has the organization identified and implemented any improvement projects?
3. Has the organization considered life cycle, safety & health, testability, usability,
user friendliness, dependability, durability, ergonomics, environment, product
disposal & identified risks (through fault tree analysis, simulation techniques etc.)?

3.2.3 Required processes - Realization processes (Group 2)
Purchasing - Supplier management (Clause 7.4.1)
A. Purpose:
The organization is to decide the "type and extent of control", which should be based
on the effect of purchased material on the product realization processes and on the
products produced. e.g.: A bolt used on an aircraft engine mount and a bolt used in a
sub-assembly of an aircraft will have different types of controls. The organization
shall maintain data of evaluations of suppliers with a focus on obtaining
conforming materials.
B. Requirements (refer Clause 7.4.1 of ISO 9001:2008 standard)

C. Audit at operational level (compliance audit as per Clause 7.4.1 of ISO
9001:2008)

D. Audit of process owner(s) level for compliance to 7.4.1 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure:
- Meeting objective targets
- Growth
- Performance improvement
- System improvement
2. Do the organization's supplier process controls include evaluation of relevant
experience, performance of suppliers against competitors, review of purchase
quality, price, delivery performance and response to problems, audits of
suppliers, financial assessment, supplier awareness of and compliance with
relevant statutory and regulatory requirements, supplier logistics capability
including locations and resources?
3.2.4 Required processes - Realization processes (Group 2)
Product manufacturing processes (Clause 7.5.1, 7.5.2, 7.5.3, 8.3)
OR
Service delivery process (Clause 7.5.1, 7.5.2, 7.5.3, 8.3)
A. Purpose:
The processes need to be carried out under controlled conditions. Appropriate
criteria and controls for these processes need to be determined and implemented
to maintain process capability and to prevent non-conformities from occurring. In
determining the extent of documentation needed, the organization should
consider the criticality of the product, training level of its people, and complexity as
well as size of the organization.
The degree of product identification and traceability depends upon the nature of
product, the nature and complexity of process, industry practice, and whether
identification is required in a contract.
The primary requirement is to assure the effective implementation of processes
that prevent unintended use or delivery of product that does not conform to
requirements.
B. Requirements (refer Clause 7.5.1, 7.5.2, 7.5.3, 8.3 of ISO 9001:2008
standard)
C. Audit at operational level (compliance audit as per Clause 7.5.1, 7.5.2, 7.5.3,
8.3 of ISO 9001:2008)
D. Audit of process owner(s) level for compliance to 7.5.1, 7.5.2, 7.5.3, 8.3 and
other applicable clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure:
- Meeting targets (production, schedules, cost)
- Employee motivation
- Performance improvement
- System improvement
2. Has the organization identified and implemented any improvement projects?
3. Improving effectiveness & efficiency of process by reducing waste, training of
people, communication and recording information, developing supplier
capabilities, improving infrastructure, preventing problems, process yields &
methods of monitoring?
3.3 REQUIRED PROCESSES, SUPPORT PROCESSES - (GROUP 3)

- Document control/document changes (Clause 4.2.3)
- Customer focus
  - Customer complaints and satisfaction (Clause 8.2.1, 8.5.2)
- Internal audit (Clause 8.2.2)

3.3.1 Required processes - Support Processes (Group 3)
Document control/document changes (Clause 4.2.3)
A. Purpose:
Documents that are part of the quality management system shall be controlled to
ensure correct requirements are available & latest issue documents are available
at all required locations.
B. Requirements (refer Clause 4.2.3 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 4.2.3 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 4.2.3 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure?
- Meeting objective targets
- Employee motivation
2. To satisfy the documentation/control needs & expectations of interested
parties, does management consider:
- Contractual requirements, international/national/industry sector standards,
relevant statutory & regulatory requirements, decisions by the organization?
- Functionality, user friendliness, & interfaces?
3.3.2 Required processes - Support Processes (Group 3)
Customer focus, Customer complaints and satisfaction (Clause 8.2.1, 8.5.2)
A. Purpose:
The organization shall think about how to gather information and what will be done
with the information after it is gathered from the customer. Although an organization
typically has many sources of information, the standard encourages organizations
to better utilize the "gold mine" of information available/obtained by them. It involves
taking actions to eliminate the causes of non-conformities in order to prevent
recurrence.

B. Requirements (refer Clause 8.2.1, 8.5.2 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 8.2.1, 8.5.2 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 8.2.1, 8.5.2 and other
applicable clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure:
- Meeting objective targets
- Performance improvement
- System improvement
2. Has the organization identified sources of customer and user information?
Information sources are: Customer & user surveys, feedback, market needs,
service delivery data, customer complaints, reports of various media, sector
and industry studies, goods returned by the customer, warranty claims,
revised invoices, credit notes etc.
3. How is the data analysed and used as feedback to improve organizational
processes?
3.3.3 Required processes - Support Processes (Group 3)
Internal audit (Clause 8.2.2)
A. Purpose:
Internal quality audits are to be performed on elements of quality management
system or on the entire system including contract, statutory and regulatory
requirements. Main objective of internal quality audit is to find whether processes
of quality management system are identified, appropriately described,
responsibilities assigned, procedures implemented and maintained, processes
are effective in achieving the required results including effectiveness and
efficiency of the quality management system with respect to quality policy and
objectives.
B. Requirements (refer Clause 8.2.2 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 8.2.2 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 8.2.2 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure:
- Meeting objective targets
- Auditors motivation
- Performance improvement
- System improvement
2. In addition to management processes, realization processes and supporting
processes, the organization could carry out audits for the following activities:
- Capability of processes, use of SPC & IT, analysis of quality cost data,
resource management and relationship with interested parties, statutory
and regulatory requirements.
3.4 SAMPLE PROCESSES, SUPPORT PROCESSES - (GROUP 4)

- Records Management (Clause 4.2.4)
- Training (Clause 6.2.2)
- Employee development (Clause 6.2.2)
- Maintenance (Clause 6.3)
- Planning for product realization (Clause 7.1)
OR
- Planning for service realization (Clause 7.1)
- Purchasing process (Clause 7.4.2)
- Process validation (Clause 7.5.2)
- Customer process (Clause 7.2.3 & 7.5.4)
  - Customer communication (Clause 7.2.3)
  - Customer supplied product (Clause 7.5.4)
- Inspection
  - Receiving inspection (Clause 7.4.3)
  - Process inspection (Clause 8.2.3)
  - Stage inspection (Clause 8.2.4)
  - Final inspection (Clause 8.2.4)
- Calibration (Clause 7.6)
- Stores management (Clause 7.5.5)
- Packing, shipping/delivery (Clause 7.5.5)

3.4.1 Sample processes, Support Processes (Group 4)
Records Management (Clause 4.2.4)
A. Purpose:
Records are a special type of document, and they have their own control
requirements. Records are documents that provide evidence that an activity has
been accomplished or that an event has happened. The record management
shall also include records given by suppliers.
B. Requirements (refer Clause 4.2.4 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 4.2.4 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 4.2.4 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure?
- Employee motivation
- System improvement
2. Access to records is ensured to people in the organization and other
interested parties based on the organization communication policy?
3.4.2 Sample processes, Support Processes (Group 4)
Training (Clause 6.2.2)
A. Purpose:
The intent of the standard is to relate this requirement to the personnel assigned
responsibilities defined in the quality management system. This clause includes
personnel involved in top management, resource management, product
realization, and measurement-analysis-improvement processes. All these
personnel are required to be competent based on education, training, skills and
experience.
B. Requirements (refer Clause 6.2.2 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 6.2.2 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 6.2.2 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure?
- Competence assessment
- Meeting objective targets
- Employee motivation
- Performance improvement
- System improvement
2. Planning for training considers:
Leadership & management skills, team building, problem solving,
communication skills, culture & social behavior and knowledge of markets.

3.4.3 Sample processes, Support Processes (Group 4)
Employee development (Clause 6.2.2)
A. Purpose:
The intent of the standard is to relate this requirement to the personnel assigned
responsibilities defined in the quality management system. This clause includes
personnel involved in top management, resource management, product
realization, and measurement-analysis-improvement processes. All these
personnel are required to be competent based on education, training, skills and
experience.
B. Requirements (refer Clause 6.2.2 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 6.2.2 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 6.2.2 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure?
- Meeting objective targets
- Employee motivation
2. Consider:
- Future demands in relation to strategic & operational plans & objectives?
- Changes to the organization processes?
3.4.4 Sample processes, Support Processes (Group 4)
Maintenance (Clause 6.3)
A. Purpose:
The organization shall identify, provide, and maintain all facilities of the
organization.
Quality management system records should indicate that the requirements of this
clause have been considered and addressed.
B. Requirements (refer Clause 6.3 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 6.3 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 7.1 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure?
- Meeting objective targets
- Employee motivation
- Performance improvement
- System improvement
2. Has the organization identified and implemented any improvement projects?
3. Does the organization consider the type and frequency of maintenance
required and verification of operation of each element, based on its
criticality and users?
3.4.5 Sample processes, Support Processes (Group 4)
Planning for product realization (Clause 7.1)
OR
Planning for service realization (Clause 7.1)
A. Purpose:
The planning activity for realization processes shall address the quality objectives
for the product, project, or contract; the need to establish appropriate processes
and documentation; the need to provide resources and facilities specific to the
product; and the consideration of verification and validation activities and the
criteria for acceptability. The organization is required to determine what records
are necessary to provide confidence that the processes and resulting product
conform to requirements. Perhaps flowcharts or process mapping could define
these aspects.
B. Requirements (refer Clause 7.1 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 7.1 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 7.1 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure?
- Meeting objective targets
- Employee motivation
- Performance improvement
- System improvement
2. Has the organization identified and implemented any improvement projects?
3. For planning of processes (planning for production, planning for methodizing,
planning for scheduling etc.), has the organization considered: processes as a
sequence of activities, documenting processes to the extent necessary,
evaluating the role of people within the process, and a drive for
continual performance improvement?
3.4.6 Sample processes, Support Processes (Group 4)
Customer processes - Customer communication (Clause 7.2.3)
Customer supplied product (Clause 7.5.4)
A. Purpose:
The arrangements for customer communication identified and implemented
should be appropriate for the organization in terms of its products, its orders or
contracts, and the approaches to be used to obtain customer feedback.
It is the organization's responsibility to safeguard the customer product (as
customer property in all respects) while it is in the organization's possession.

B. Requirements (refer Clause 7.2.3, 7.5.4 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 7.2.3, 7.5.4 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 7.2.3, 7.5.4 and other
applicable clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure?
- Meeting objective targets
- System improvement
2. Has the organization identified and implemented any improvement projects?
3. The customer property includes ingredients or components supplied for
inclusion in the product, product supplied for repair, maintenance or upgrading,
packaging materials supplied by customers, customer intellectual property
including data, specifications, drawings and proprietary information. Has the
organization considered all these as a part of customer property?
3.4.7 Sample processes, Support Processes (Group 4)
Purchasing process (Clause 7.4.2)
A. Purpose:
This clause requires a process to assure that the purchasing process is controlled
and complete purchasing information is provided to the supplier to ensure that the
requirements are complied with by the suppliers.
B. Requirements (refer Clause 7.4.2 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 7.4.2 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 7.4.2 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure?
- Meeting objective targets (schedules, cost)
- Employee motivation
- Performance improvement
- System improvement
2. Has the organization identified and implemented any improvement?
3. Use of electronic linkage with suppliers?
4. Involvement of suppliers?
3.4.8 Sample processes, Support Processes (Group 4)
Process validation (Clause 7.5.2)
A. Purpose:
There is a requirement for defining the conditions and criteria for validation and
revalidation.
B. Requirements (refer Clause 7.5.2 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 7.5.2 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 7.5.2 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure?
- Meeting objective targets
- System improvement
2. Criteria for revalidation are defined?

3.4.9 Sample processes, Support Processes (Group 4)
Stores management (Clause 7.5.5)
Packing, shipping/delivery (Clause 7.5.5)
A. Purpose:
The organization shall safeguard and protect the product during and between all
processing steps through to delivery. It should have a system for appropriately
identifying, handling, packaging, storing, and delivering the product, including its
components.
B. Requirements (refer Clause 7.5.5 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 7.5.5 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 7.5.5 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure?
- Meeting objective targets
- Employee motivation
- Performance improvement
- System improvement
2. Has the organization identified and implemented any improvement projects?
3. Has the organization identified any special requirements based on nature of
the product?
4. Has the organization identified resources needed to maintain the product
throughout its life cycle to prevent damage, deterioration or misuse?
3.4.10 Sample processes, Support Processes (Group 4)
Calibration (Clause 7.6)
A. Purpose:
Measuring and monitoring devices that are required to assure conformity of
product need to be controlled. This requires achieving and maintaining a
measurement system that is both capable and stable.
B. Requirements (refer Clause 7.6 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 7.6 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 7.6 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure?
- Meeting objective targets
- Employee motivation
- Performance improvement
- System improvement
2. Does the organization consider eliminating potential errors from processes,
for example through fool proofing for verification of process outputs, in
order to minimize the need for calibrations and to add value for interested
parties, since calibration is a costly process?
3.4.11 Sample processes, Support Processes (Group 4)
Inspection - Receiving inspection (Clause 7.4.3)
Process inspection (Clause 8.2.3)
Stage inspection (Clause 8.2.4)
Final inspection (Clause 8.2.4)
A. Purpose:
Whatever methods are used, the verification activities for purchased products
shall be planned and effectively implemented. The measurements that are used
to assure conformity and achieve improvement need to be defined based on
scientific principles (analysis of data, statistical techniques, FMEA etc). The
process management results should indicate fulfillment of requirements and
confirm the continuing suitability of each process to satisfy its intended purpose.
This includes all measurement activities from receiving inspection to product
delivery. It covers the actual measurements used to verify that the requirements
are met for the incoming materials and up to the final product. Conformity to
requirements needs to be documented and release controlled.
B. Requirements (refer Clause 7.4.3, 8.2.3, 8.2.4 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 7.4.3, 8.2.3, 8.2.4 of
ISO 9001:2008)
D. Audit of process owner(s) level for compliance to 7.4.3, 8.2.3, 8.2.4 and other
applicable clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and sustainability
for value addition.
1. Does the process owner ensure?
- Meeting objective targets
- Employee motivation
- Performance improvement
- System improvement
2. Measurement of process performance includes capability, reaction time, cycle
time, yield, waste reduction, cost reduction. Does the organization consider
these (as applicable) for the purpose of process performance
measurements?
3. Does the organization review the methods used for measuring products and the
planned records of verification, to consider opportunities for performance
improvement? Typical examples of product measurement records that could
be considered for performance improvement include inspection and test
reports, material release reports, product acceptance reports, and certificates of
conformity as required.


Template 1
AUDIT PROGRAMME
Organization / Location(s): Organization A
Certificate Nr.: New
Total ftes/shifts: 650/1
IAF / EAC Code: 17
Standard(s) & Exclusion(s): ISO 9001:2008, 7.3 (Design and development)
Revised by / on: A1/16.09.08 for S1
Scope: Manufacture of machined components

Clause No.    Process    Process Owner

4 to 8    Documented Management System

Required Processes, Management process Group 1
5 & 6 except 6.2.2, 6.3 & 6.4    Management Involvement
5.2    Customer focus
8.4, 8.5    Improvement processes

Required Processes, Realization Process Group 2
7.2.1 & 7.2.2    Customer process Contract order management
7.3    Design and development (Not applicable)
7.4.1    Purchasing, Supplier management
7.5.1, 7.5.2, 7.5.3, 8.3    Product manufacturing processes

Required Processes, Support Processes - Group 3
4.2.3    Document control
8.2.1, 8.5.2    Customer focus: customer complaints and satisfaction
8.2.2    Internal audit

Sample Processes, Support Processes Group 4
6.2.2    Training
6.2.2    Employee development
6.3    Planning for product realization
7.2.3    Customer communication
7.4.2    Purchasing process
7.4.3    Receiving inspection
7.5.2    Process validation
7.5.4    Customer supplied product
7.5.5    Stores management
7.5.5    Packing and shipping and delivery
7.6    Maintenance
7.1    Calibration
8.2.3    Process inspection
8.2.4    Stage inspection
8.2.4    Final inspection

Template 2

AUDIT TIMETABLE
Organization / Location(s): Organization A
Certificate Nr.: New
Total ftes/shifts: 650/1
IAF / EAC Code: 17
Standard(s) & Exclusion(s): ISO 9001:2008, 7.3. (Design and development)
Scope: Manufacture of machined components.
Audit type: Certification Audit Stage 1
Assessor 1: (A1)
Assessor 2:
Assessor 3:
Expert:

Date    Time    Assessor    Process/Process owner

16.09.2008
08.30    A1    Opening Meeting
09.00    A1    MR
- Organization structure
- Review of the management system documents
- Internal audits including corrective action closure
- Management review
- Control of documents
- Records management
- Finalization of timetable and audit program
13.00    A1    CEO & HODs (Not mandatory)
- Customer satisfaction processes
- Continual improvement processes
- Management involvement
15.00    A1    MR
- Review of audit findings

Organization / Location(s): Organization A
Certificate Nr.: New
Total ftes/shifts: 650/1
IAF / EAC Code: 17
Standard(s) & Exclusion(s): ISO 9001:2008, 7.3. (Design and development)
Scope: Manufacture of machined components,
Audit type: Certification Audit Stage 2
Assessor 1: (A1)
Assessor 2: (A2)
Assessor 3:
Expert:

Date    Time    Assessor    Process/Process owner

14.10.2008
08.30    All    Opening Meeting
09.00    A1    MR
- Corrective actions on Stage 1 audit findings
CEO & HODs (If not carried out during Stage 1 audit)
- Customer satisfaction processes
- Continual improvement processes
- Management involvement
11.00    A1    PROCESS OWNER
- Manpower planning, MIS
14.00    A1    PROCESS OWNER
- Contract review
- Customer complaints, customer feedback
09.00    A2    PROCESS OWNER
- Control of documents
11.00    A2    PROCESS OWNER
- Stage & final inspection

15.10.2008
09.00    A1    PROCESS OWNER
- Training
10.30    A1    PROCESS OWNER
- Supplier Management
- Outsourcing, Purchasing
14.00    A1    PROCESS OWNER
- Calibration
09.00    A2    PROCESS OWNER
- Manufacturing process 1
11.00    PROCESS OWNER
- Manufacturing process 2
14.00    A2    PROCESS OWNER
- Manufacturing process 3

16.10.2008
09.00    A1    PROCESS OWNER
- Calibration (shops)
10.30    A1    PROCESS OWNER
- Receiving inspection
14.00    A1    PROCESS OWNER
- Stores
09.00    A2    PROCESS OWNER
- Methods
- Tooling
- Progress
14.00    A2    PROCESS OWNER
- Maintenance
15.30    All    Review of findings
16.30    All    Closing Meeting

Template 3
NONCONFORMANCE DEFINITIONS:
Whenever it is found that a requirement of the standard or of the organization's management
system is not fully conformed to, the nonconforming condition is documented in a Corrective
Action Request, and included in the report. The Nonconformance is classified according to
risk, as major and minor:
MAJOR NONCONFORMANCE:
The requirement has not been met. Evidence indicates one or more of the following:
A) Systemic failure of the Management System
B) Conditions that could result in the delivery of nonconforming product
C) Conditions that could result in the failure or reduced usability of products or services

MINOR NONCONFORMANCE:
The requirement has not been fully met. Evidence indicates the finding is:
A) Non-systemic
B) An isolated occurrence
C) Not likely to result in the failure of the Management System

CORRECTIVE ACTION:
Closed loop Corrective Action by the organization is required to be initiated, carried out, and
completed in a timely manner whenever a requirement of the standard or of the
organization's management system has not been met. Corrective action analysis by the
organization shall include determination of applicability to other parts and processes of the
organization.
Minor/Major Nonconformances are required to be settled effectively by the organization.
The Lead Auditor is required to monitor and evaluate the effective implementation of the
actions taken by the organization. The time frame to settle these nonconformances will
depend on the certification bodies' procedures as approved by accreditation boards.
All open major and minor nonconformances shall be closed by the Lead Auditor prior to a
recommendation for certification.


STRENGTHS AND OPPORTUNITIES FOR IMPROVEMENT:


Additionally, Lead Auditor/ auditors may identify strengths and opportunities for
improvement in areas where requirements of the standard and of the organization's
management system have been met. In these cases, no corrective action is required, and
there is no formal review by the Lead Auditor/ auditors.


CORRECTIVE ACTION REQUEST

Template 3

Organisation: Organization A, Bangalore, India.
Audit: Surveillance 1
CAR number: KGG/S1/01
Process owner: Mr. John
Process: Maintenance
Date: MM/DD/YY
Auditor: A1
Auditee: Mr. John
Standard: ISO 9001:2008, requirement clause #: 6.3

DESCRIPTION OF FINDING
There is no evidence of carrying out routine and preventive maintenance of CNC machine
(No. CA/765) since installation 3 years back.

ASSESSMENT
NON-CONFORMITY (MAJOR \ MINOR) / OPPORTUNITIES FOR IMPROVEMENT

Signature of auditor:
Signature of Lead auditor:
Signature of auditee:

CONTAINMENT ACTION
- Procedure for maintenance of all machines established.
- Checklist for routine/preventive maintenance prepared and used
- Record of maintenance instituted.

Root cause analysis

RECTIFICATION PROPOSED
ROOT CAUSES IDENTIFIED:
- CNC machine CA/765 was under AMC contract with supplier which has not been effective.
- Required spares were demanded but not received.
CORRECTIVE ACTION PROPOSED
- Spares will be prepared and maintenance procedures will be established or new maintenance
contract will be agreed upon.
PROPOSED COMPLETION DATE

Implementation of corrective action

Evidences
- Spares for CNC machine CA/765 have been procured from M/s. -----vide PO no. 1265.
- Maintenance procedure no. CA/MP/008.
- Records of maintenance of machine CA/765 from April 07 to date.
- Record of maintenance of other machines such as CA/558, CA/486 verified, evidenced.

Verification of corrective action

Evidences
Verified that the proposed action has been implemented. Ref. Production of MM/DD/YY
Verification evidences with respect to prevent recurrences: Implemented in the line

SIGNATURE OF AUDITEE/ MR: A1
DATE: MM/DD/YY

Signature of lead auditor:
Date:

Appendix A:
OPENING MEETING AGENDA
(For Certification /Surveillance)
1. Thanks to the organization (Lead Auditor)
2. Introduction (Auditor & Auditees)
3. Circulate attendance sign-in-document
4. State the scope of registration
5. Review of audit schedule [Time table] [day / time / process owner (auditee) / auditor]
6. Audit procedure
- Define nonconformity (major / minor)
- Define opportunities for improvement
- Define responsibilities and consequences of Corrective Action Requests (CARs)
  for Certification
  for Surveillance
7. Describe role of guide
8. Logistics requirements: transport, protective clothing, restrictions if any, lunch, office
facility etc.
9. Language of communication [if translators required]
10. Statement of confidentiality
11. Ask for clarifications (if any)
12. Thank the management and announce date and time of closing meeting.

Appendix B
CLOSING MEETING AGENDA
1. Thank organization (Lead Assessor)
2. Introduction of participants [any participants other than those in the opening meeting]
3. Circulate attendance sign-in-document
4. Scope (redefined)
5. Findings / results:
- summary of nonconformity (major / minor) / opportunities for improvement
- Strengths as appropriate from results
6. Review the necessary steps for closing any findings
7. Express confidentiality of information
8. State that the audit is a sample of data, people and process.
Disclaimer: other non-conformances may exist.
9. State that the findings cited should be evaluated for the entire system, not just in the
departments where the findings were cited:
  Certification
  Surveillance
10. Recommendation [in writing / oral]
11. State limitations of recommendations
12. Describe appeal process briefly
13. State condition for use of certificates and logos
14. Verify with team everything is covered
15. Final handing over of CARs with recommendation [written / oral]
16. Invite questions from the organization
17. Thank the organization once more

[Note: for a closing meeting during stage 1, state that all NCs should be resolved
before the stage 2 audit]

Appendix C
Quality System Questionnaire
ASSESSMENT QUESTIONS

KEY Requirements

QUALITY MANAGEMENT SYSTEM

4.1 General requirements
01 Has the organization established, documented, implemented and
maintained a quality management system and continually improved its
effectiveness in accordance with the requirements of this International
Standard?
02 Does the organization:
a) identify the processes needed for the quality management system and
their application throughout the organization?
b) determine the sequence and interaction of these processes?
c) determine criteria and methods needed to ensure that both the
operation and control of these processes are effective?
d) ensure the availability of resources and information necessary to
support the operation and monitoring of these processes?
e) monitor, measure and analyze these processes?
f) implement actions necessary to achieve planned results and continual
improvement of these processes?
03 Are these processes managed by the organization in accordance with the
requirements of this International Standard?
04 Where an organization chooses to outsource any process that affects
product conformity with requirements, does the organization ensure control
over such processes?
05 Is the control of such outsourced processes identified within the quality
management system?
Note: Processes needed for the quality management system referred to above
should include processes for management activities, provision of resources,
product realization and measurement.
Note: The type and extent of control to be applied to the outsourced process is
influenced by different factors.

4.2 DOCUMENTATION REQUIREMENTS

4.2.1 General
06 Does the quality management system documentation include:
a) documented statements of a quality policy and quality objectives?
b) a quality manual?
c) documented procedures required by this International Standard?
d) documents needed by the organization to ensure the effective
planning, operation and control of its processes?
e) records required by this International Standard (see 4.2.4)?
Note 1: Where the term "documented procedure" appears within this
International Standard, this means that the procedure is established,
documented, implemented and maintained.
Note 2: The extent of the quality management system documentation can differ
from one organization to another due to
a) the size of organization and type of activities,
b) the complexity of processes and their interactions, and
c) the competence of personnel.
Note 3: The documentation can be in any form or type of medium.

4.2.2 Quality manual
07 Has the organization established and maintained a quality manual that
includes:
a) the scope of the quality management system, including details of,
and justification for, any exclusions?
b) the documented procedures established for the quality
management system, or reference to them?
c) a description of the interaction between the processes of the quality
management system?
4.2.3 Control of documents
08 Are the documents required by the quality management system
controlled? (M)
09 Are records controlled according to the requirements given in 4.2.4?
10 Has a documented procedure been established to define the controls
needed to:
a) approve documents for adequacy prior to issue?
b) review and update as necessary and re-approve documents?
c) ensure that changes and the current revision status of documents
are identified?
d) ensure that relevant versions of applicable documents are available
at points of use?
e) ensure that documents remain legible and readily identifiable?
f) ensure that documents of external origin are identified and their
distribution controlled?
g) prevent the unintended use of obsolete documents, and to apply
suitable identification to them if they are retained for any purpose?
Note: The documents of external origin that affect the quality management system
have to be controlled.
4.2.4 Control of records
11 Are records established and maintained to provide evidence of
conformity to requirements and of the effective operation of the quality
management system?
12 Do records remain legible, readily identifiable and retrievable?
13 Has a documented procedure been established to define the controls
needed for the identification, storage, protection, retrieval, retention
time and disposition of records?
P: Product related - M: Management related
5 MANAGEMENT RESPONSIBILITY

5.1 Management commitment
01 Has top management provided evidence of its commitment to the
development and implementation of the quality management system
and continually improving its effectiveness by: (M)
a) communicating to the organization the importance of meeting
customer as well as statutory and regulatory requirements? (M)
b) establishing the quality policy?
c) ensuring that quality objectives are established?
d) conducting management reviews?
e) ensuring the availability of resources?

5.2 Customer focus
02 Has top management ensured that customer requirements are
determined and are met with the aim of enhancing customer
satisfaction (see 7.2.1 and 8.2.1)?

5.3 Quality policy
03 Has top management ensured that the quality policy:
a) is appropriate to the purpose of the organization?
b) includes a commitment to comply with requirements and continually
improve the effectiveness of the quality management system?
c) provides a framework for establishing and reviewing quality
objectives?
d) is communicated and understood within the organization?
e) is reviewed for continuing suitability?

5.4 PLANNING

5.4.1 Quality objectives
04 Has top management ensured that quality objectives, including those
needed to meet requirements for product [see 7.1 a)] are established at
relevant functions and levels within the organization?
05 Are the quality objectives measurable and consistent with the quality
policy? (M)
5.4.2 Quality management system planning
06 Has top management ensured that:
a) the planning of the quality management system is carried out in
order to meet the requirements given in 4.1, as well as the quality
objectives?
b) the integrity of the quality management system is maintained when
changes to the quality management system are planned and
implemented?
5.5 RESPONSIBILITY, AUTHORITY AND COMMUNICATION

5.5.1 Responsibility and authority
07 Has top management ensured that the responsibilities and authorities
are defined and communicated within the organization?
5.5.2 Management representative
08 Has top management appointed a member of management who,
irrespective of other responsibilities, has responsibility and authority (M)
that includes:
a) ensuring that processes needed for the quality management system
are established, implemented and maintained?

b) reporting to top management on the performance of the quality
management system and any need for improvement?
c) ensuring the promotion of awareness of customer requirements
throughout the organization?
Note 1: The responsibility of the management representative can include
liaison with external parties on matters relating to the quality
management system.
Note 2: The management representative shall be a member of the organization's
own management.

5.5.3 Internal Communication
09 Has the organization ensured that appropriate communication
processes are established and are effective?

5.6 MANAGEMENT REVIEW

5.6.1 General
10 Has top management reviewed the organization's quality management
system, at planned intervals, to ensure its continuing suitability,
adequacy and effectiveness?
11 Does this review include assessing opportunities for improvement and
the need for changes to the quality management system, including the
quality policy and quality objectives?
12 Are records from management reviews maintained (see 4.2.4)?
5.6.2 Review input
13 Does the input to management review include information on :

a) results of audits?
b) customer feedback?
c) process performance and product conformity?
d) status of preventive and corrective actions?
e) follow-up actions from previous management reviews?
f) changes that could affect the quality management system?
g) recommendations for improvement?
5.6.3 Review output
14 Does the output from the management review include any decisions and
actions related to: (M)
a) improvement of the effectiveness of the quality management
system and its processes?
b) improvement of product related to customer requirements?
c) resource needs?
P: Product related - M: Management related
6 RESOURCE MANAGEMENT

6.1 Provision of resources
01 Has the organization determined and provided the resources needed:
a) to implement and maintain the quality management system and
continually improve its effectiveness? and
b) to enhance customer satisfaction by meeting customer
requirements?

6.2 HUMAN RESOURCES

6.2.1 General
02 Are personnel performing work affecting product quality competent on
the basis of appropriate education, training, skills and experience?
6.2.2 Competence, awareness and training
03 Does the organization:
a) determine the necessary competence for personnel performing
work affecting product quality?
b) provide training or take other actions to satisfy these needs?
c) evaluate the effectiveness of the actions taken?
d) ensure that its personnel are aware of the relevance and importance
of their activities and how they contribute to the achievement of the
quality objectives?
e) maintain appropriate records of education, training, skills and
experience (see 4.2.4)?
Note: It requires organizations to ensure necessary competencies have been
achieved.
6.3 INFRASTRUCTURE
04 Does the organization determine, provide and maintain the
infrastructure needed to achieve conformity to product requirements?
Infrastructure includes, as applicable:
a) buildings, workspace and associated utilities?
b) process equipment (both hardware and software)?
c) supporting services (such as transport or communication)?

6.4 WORK ENVIRONMENT
05 Does the organization determine and manage the work environment
needed to achieve conformity to product requirements?

Note: Factors that may affect the conformity of the product include temperature,
humidity, lighting, cleanliness, protection from electrostatic discharge, etc.
P: Product related - M: Management related
7 PRODUCT REALIZATION

7.1 Planning of product realization
01 Does the organization plan and develop the processes needed for
product realization (see 4.1)?
02 Is planning of product realization consistent with the requirements of
the other processes of the quality management system (see 4.1)?
03 In planning product realization, does the organization determine the
following, as appropriate:
a) quality objectives and requirements for the product?
b) the need to establish processes, documents, and provide resources
specific to the product?
c) required verification, validation, monitoring, inspection and test
activities specific to the product and the criteria for product
acceptance?
d) records needed to provide evidence that the realization processes
and resulting product meet requirements (see 4.2.4)?

04 Is the output of this planning in a form suitable for the organization's
method of operations?
Note 1: A document specifying the processes of the quality management system
(including the product realization processes) and the resources to be
applied to a specific product, project or contract, can be referred to as a
quality plan.
Note 2: The organization may also apply the requirements given in 7.3 to the
development of product realization processes.

7.2 CUSTOMER-RELATED PROCESSES

7.2.1 Determination of requirements related to the product
05 Does the organization determine:
a) requirements specified by the customer, including the requirements
for delivery and post-delivery activities?
b) requirements not stated by the customer but necessary for specified
or intended use, where known?
c) statutory and regulatory requirements related to the product?
d) any additional requirements determined by the organization?
Note: Post delivery activities should be covered, such as warranties,
maintenance, recycling and so on.
7.2.2 Review of requirements related to the product
06 Does the organization review the requirements related to the product?

07 Is the review conducted prior to the organization's commitment to supply
a product to the customer (e.g., submission of tenders, acceptance of
contracts or orders, acceptance of changes to contracts or orders) and
does it ensure that:
a) product requirements are defined?
b) contract or order requirements differing from those previously
expressed are resolved?
c) the organization has the ability to meet the defined requirements?
08 Are records of the results of the review and actions arising from the
review maintained (see 4.2.4)?
09 Where the customer provides no documented statement of
requirement, are the customer requirements confirmed by the
organization before acceptance?
10 Where product requirements are changed, does the organization
ensure that relevant documents are amended and that relevant
personnel are made aware of the changed requirements? (M)
Note: In some situations, such as internet sales, a formal review is impractical for
each order. Instead the review can cover the relevant product information
such as catalogues or advertising material.
7.2.3 Customer communication
11 Does the organization determine and implement effective
arrangements for communicating with customers in relation to:
a) product information?
b) enquiries, contracts or order handling, including amendments?
c) customer feedback, including customer complaints?
7.3 DESIGN AND DEVELOPMENT

7.3.1 Design and development planning

12 Does the organization plan and control the design and development of
product? [M]
13 During the design and development planning, does the organization
determine:
a) the design and development stages?
b) the review, verification and validation that are appropriate to each
design and development stage?
c) the responsibilities and authorities for design and development?
14 Does the organization manage the interfaces between different groups
involved in design and development to ensure effective communication
and clear assignment of responsibility?
15 Is planning output updated, as appropriate, as the design and
development progresses?
7.3.2 Design and development inputs
16 Are inputs relating to product requirements determined and are records
maintained (see 4.2.4)? [M]
Do these inputs include:
a) functional and performance requirements?
b) applicable statutory and regulatory requirements?
c) where applicable, information derived from previous similar
designs?
d) other requirements essential for design and development?
17 Are these inputs reviewed for adequacy?
18 Are requirements complete, unambiguous and not in conflict with each
other?
7.3.3 Design and development outputs
19 Are the outputs of design and development provided in a form that
enables verification against the design and development input and
approved prior to release?
20 Do the design and development outputs:
a) meet the input requirements for design and development?
b) provide appropriate information for purchasing, production and for
service provision?
c) contain or reference product acceptance criteria?
d) specify the characteristics of the product that are essential for its
safe and proper use?
7.3.4 Design and development review
21 At suitable stages, are systematic reviews of design and development
performed in accordance with planned arrangements (see 7.3.1) to: [M]
a) evaluate the ability of the results of design and development to meet
requirements?
b) identify any problems and propose necessary actions?
22 Do participants in such reviews include representatives of functions
concerned with the design and development stage(s) being reviewed?
23 Are records of the results of the reviews and any necessary actions
maintained (see 4.2.4)?
7.3.5 Design and development verification
24 Is verification performed in accordance with planned arrangements
(see 7.3.1) to ensure that the design and development outputs have
met the design and development input requirements?
25 Are records of the results of the reviews and any necessary actions
maintained (see 4.2.4)?
7.3.6 Design and development validation
26 Is design and development validation performed in accordance with
planned arrangements (see 7.3.1) to ensure that the resulting product
is capable of meeting the requirements for the specified application or
intended use, where known? [P]
27 Wherever practicable, is validation completed prior to the delivery or
implementation of the product?
28 Are records of the results of validation and any necessary actions
maintained (see 4.2.4)?
7.3.7 Control of design and development changes
29 Are design and development changes identified and records
maintained?
30 Are the changes reviewed, verified and validated, as appropriate, and
approved before implementation? [P]
31 Does the review of design and development changes include
evaluation of the effect of the changes on constituent parts and product
already delivered? [M]
32 Are records of the results of the review of changes and any necessary
actions maintained (see 4.2.4)?
7.4 PURCHASING

7.4.1 Purchasing process

33 Does the organization ensure that purchased product conforms to
specified purchase requirements? [M]
34 Is the type and extent of control applied to the supplier and the
purchased product dependent upon the effect of the purchased product
on subsequent product realization or the final product?
35 Are criteria for selection, evaluation and re-evaluation established?
36 Are records of the results of evaluations and any necessary actions
arising from the evaluation maintained (see 4.2.4)?
7.4.2 Purchasing information
37 Does purchasing information describe the product to be purchased,
including where appropriate: [M]
a) requirements for approval of product, procedures, processes and
equipment?
b) requirements for qualification of personnel?
c) quality management system requirements?
38 Does the organization ensure the adequacy of specified purchase
requirements prior to their communication to the supplier?
7.4.3 Verification of purchased product
39 Does the organization establish and implement the inspection or other
activities necessary for ensuring that purchased product meets
specified purchase requirements, they may include [M]
40 Where the organization or its customer intends to perform verification
at the supplier's premises, does the organization state the intended
verification arrangements and method of product release in the
purchasing information?

7.5 PRODUCTION AND SERVICE PROVISION

7.5.1 Control of production and service provision

41 Does the organization plan and carry out production and service
provision under controlled conditions?
Do these controlled conditions include, as applicable:
a) the availability of information that describes the characteristics of
the product?
b) the availability of work instructions, as necessary?
c) the use of suitable equipment?
d) the availability and use of monitoring and measuring devices?
e) the implementation of monitoring and measurement?
f) the implementation of release, delivery and post-delivery activities?
7.5.2 Validation of Processes for production and service provision
42 Does the organization validate any processes for production and
service provision where the resulting output cannot be verified by
subsequent monitoring or measurement, including any processes
where deficiencies become apparent only after the product is in use or
the service has been delivered? [P]
Note: These processes are frequently referred to as special processes.
43 Does validation demonstrate the ability of these processes to achieve
planned results?
44 Has the organization established arrangements for these processes
including, as applicable: [M]
a) defined criteria for review and approval of the processes?
b) approval of equipment and qualification of personnel?
c) use of specific methods and procedures?
d) requirements for records (see 4.2.4)?
e) revalidation?
7.5.3 Identification and traceability
45 Where appropriate, has the organization identified the product by
suitable means throughout product realization?
46 Has the organization identified the product status with respect to
monitoring and measurement requirements?

47 Where traceability is a requirement, does the organization control and
record the unique identification of the product (see 4.2.4)?
Note: In some industry sectors, configuration management is a means by which
identification and traceability is maintained.
7.5.4 Customer Property
48 Does the organization exercise care with customer property while it is
under the organization's control or being used by the organization?
49 Has the organization identified, verified, protected and safeguarded
customer property provided for use or incorporation into the product?
50 Does the organization define methods to identify and record (see 4.2.4)
customer products that are lost, damaged or otherwise made unusable
and report such to the customer?
Note: Customer property can include intellectual property, including customer
furnished data used for design, production and/or inspection.
7.5.5 Preservation of Product
51 Does the organization preserve the conformity of product during
internal processing and delivery to the intended destination?
52 Does the preservation include identification, handling, packaging,
storage and protection?
53 Does preservation also apply to the constituent parts of a product?
7.6 CONTROL OF MONITORING AND MEASURING EQUIPMENT

54 Does the organization determine the monitoring and measurement to
be undertaken and the monitoring and measuring devices/equipment
needed to provide evidence of conformity of product to determined
requirements (see 7.2.1)? [P]
55 Does the organization establish processes to ensure that monitoring
and measurement can be carried out and are carried out in a manner
that is consistent with the monitoring and measurement requirements?
56 Where necessary to ensure valid results, is measuring equipment:
a) calibrated or verified at specified intervals, or prior to use, against
measurement standards traceable to international or national
measurement standards; where no such standards exist, the basis
used for calibration or verification shall be recorded?
b) adjusted or re-adjusted as necessary?
c) identified to enable the calibration status to be determined?

d) safeguarded from adjustments that would invalidate the
measurement result?
e) protected from damage and deterioration during handling,
maintenance and storage?
57 Does the organization assess and record the validity of the previous
measuring results when the equipment is found not to conform to
requirements?
58 Does the organization take appropriate action on the equipment and
any product affected?
59 Are records of the results of calibration and verification maintained (see
4.2.4)?
60 When used in the monitoring and measurement of specified
requirements, is the ability of computer software to satisfy the intended
application confirmed?
61 Is this undertaken prior to initial use and reconfirmed as necessary?
Note: See ISO 10012 for guidance.
P: Product related - M: Management related
8 MEASUREMENT, ANALYSIS AND IMPROVEMENT

8.2.1 Customer Satisfaction

01 Does the organization plan and implement the monitoring,
measurement, analysis and improvement processes needed [P]
a) to demonstrate conformity of the product?
b) to ensure conformity of the quality management system?
c) to continually improve the effectiveness of the quality management
system?
02 Does this include determination of applicable methods, including
statistical techniques, and the extent of their use?
03 As one of the measurements of the performance of the quality
management system, does the organization monitor information
relating to customer perception as to whether the organization has met
customer requirements?
04 Are the methods for obtaining and using this information determined?
Note: Monitoring customer perception can include obtaining input from sources
such as customer satisfaction surveys, customer data on delivered product
quality, user opinion surveys, lost business analysis, compliments, warranty
claims and dealer reports.
8.2.2 Internal Audit

05 Does the organization conduct internal audits at planned intervals to
determine whether the quality management system: [M]
a) conforms to the planned arrangements (see 7.1), to the
requirements of this International Standard and to the quality
management system requirements established by the
organization?
b) is effectively implemented and maintained?
06 Is an audit program planned, taking into consideration the status and
importance of the processes and areas to be audited, as well as the
results of previous audits?
07 Are the audit criteria, scope, frequency and methods defined?
08 Does the selection of auditors and conduct of audits ensure objectivity
and impartiality of the audit process?
09 Does the organization ensure internal auditors do not audit their own
work?
10 Are the responsibilities and requirements for planning and conducting
audits, and for reporting results and maintaining records (see 4.2.4)
defined in a documented procedure?
11 Does the management responsible for the areas being audited ensure
that actions are taken without undue delay to eliminate detected
nonconformities and their causes? [M]
12 Do follow-up activities include the verification of the actions taken and
the reporting of verification results (see 8.5.2)?
Note: See ISO 19011 for guidance.
8.2.3 Monitoring and measurement of processes
13 Does the organization apply suitable methods for monitoring and,
where applicable, measurement of the quality management system
processes?
14 Do these methods demonstrate the ability of the processes to achieve
planned results?
15 When planned results are not achieved, is correction and corrective
action taken, as appropriate, to ensure conformity of the product?

8.2.4 Monitoring and measurement of product

16 Does the organization monitor and measure the characteristics of the
product to verify that product requirements have been met? [P]
17 Is this carried out at appropriate stages of the product realization
process in accordance with the planned arrangements (see 7.1)?
18 Is evidence of conformity with the acceptance criteria maintained?
19 Do records indicate the person(s) authorizing release of product (see
4.2.4)?
20 Is product release and service delivery held until all the planned
arrangements (see 7.1) have been satisfactorily completed, unless
otherwise approved by a relevant authority and, where applicable, by
the customer?
8.3 CONTROL OF NONCONFORMING PRODUCT

21 Does the organization ensure that product which does not conform to
requirements is identified and controlled to prevent its unintended use
or delivery? [P]
22 Are the controls and related responsibilities and authorities for dealing
with nonconforming product defined in a documented procedure?

Note: The term "nonconforming product" includes nonconforming product
returned from a customer.
23 Does the organization deal with nonconforming product in one or more
of the following ways by:
a) taking action to eliminate the detected nonconformity?
b) authorizing its use, release or acceptance under concession by a
relevant authority and, where applicable, by the customer?
c) taking action to preclude its original intended use or application?
24 Are records of the nature of nonconformities and any subsequent
actions taken, including concessions obtained, maintained (see 4.2.4)?
25 When nonconforming product is corrected, is it subject to re-verification
to demonstrate conformity to the requirements?
26 When nonconforming product is detected after delivery or use has
started, does the organization take action appropriate to the effects, or
potential effects, of the nonconformity? [P]

8.4 ANALYSIS OF DATA
27 Does the organization determine, collect and analyze appropriate data
to demonstrate the suitability and effectiveness of the quality
management system and to evaluate where continual improvement of
the effectiveness of the quality management system can be made? [M]
28 Does this include data generated as a result of monitoring and
measurement and from other relevant sources?
29 Does the analysis of data provide information relating to:
a) customer satisfaction (see 8.2.1)?
b) conformity to product requirements (see 7.2.1)?
c) characteristics and trends of processes and products including
opportunities for preventive action?
d) suppliers?

8.5 IMPROVEMENT

8.5.1 Continual improvement


30 Does the organization continually improve the effectiveness of the
quality management system through the use of the quality policy,
quality objectives, audit results, analysis of data, corrective and
preventive actions and management review?
8.5.2 Corrective action
31 Does the organization take action to eliminate the cause of
nonconformities in order to prevent recurrence? [P]
32 Are corrective actions appropriate to the effects of the nonconformities
encountered?
33 Is a documented procedure established to define requirements for:
a) reviewing nonconformities (including customer complaints)?
b) determining the causes of nonconformities?
c) evaluating the need for action to ensure that nonconformities do not
recur?
d) determining and implementing action needed?
e) recording of the results of the action taken (see 4.2.4)?
f) reviewing corrective action taken?
8.5.3 Preventive action
34 Does the organization determine action to eliminate the causes of
potential nonconformities in order to prevent their occurrence? [M]
35 Are preventive actions appropriate to the effects of the potential
problems?
36 Is a documented procedure established to define requirements for:
a) determining potential nonconformities and their causes?
b) evaluating the need for action to prevent occurrence of
nonconformities?
c) determining and implementing action needed?
d) recording of the results of the action taken (see 4.2.4)?
e) reviewing preventive action taken?
P: Product related - M: Management related


Appendix D
ISO 9001 AUDITING PRACTICES GROUP
1. Scope of ISO 9001:2008, Scope of Quality Management System (QMS) and the
Scope of Registration/Certification
2. Auditing Service Organisation
3. How to add value during the audit process

1. SCOPE OF ISO 9001:2008, SCOPE OF QUALITY MANAGEMENT SYSTEM (QMS)
AND THE SCOPE OF REGISTRATION/CERTIFICATION
The scope of ISO 9001:2008 is given in clause 1 Scope, and defines the scope of the
standard itself.
This should not be confused with the scope of the QMS, which is a term commonly
used to describe the organization's processes, products (and/or services), and
related sites, departments, divisions etc., to which the organization applies a formal
QMS. (Note: this does not necessarily include all the processes, products, sites,
departments, or divisions etc. of the organization).
The scope of the QMS should be based on the nature of the organization's products
and their realization processes, the result of risk assessment, commercial
considerations, and contractual, statutory and regulatory requirements.
While ISO 9001:2008 is generic and is applicable to all organizations (regardless of
their type, size or product category), under certain circumstances, an organization
may exclude complying with some specific ISO 9001:2008 requirements (from clause
7), while being permitted to claim conformity to the standard. This is because it has
been recognized that not all the requirements in this clause of the standard are
relevant to all organizations. ISO 9001:2008 itself makes allowance for such
situations, through clause 1.2 Application.
Consequently, the scope of registration/certification encompasses the scope of the
QMS, as well as describing any excluded ISO 9001 requirements.
As the terms scope of the QMS and scope of registration/certification are often used
interchangeably, this can lead to confusion when a customer or end user is trying to
identify what parts of an organization have been registered/certified to ISO 9001, what
product lines or processes are covered by the QMS, or what ISO 9001 requirements
have been excluded.
In order to dissipate such confusion and to enable identification of what has been
registered/certified, the scope of registration/certification should clearly define:
- the scope of the QMS (including details of the product lines and related sites,
departments, divisions etc. that are covered by it),
- the organization's main processes for its product realisation or service delivery
activities (such as design, manufacture and delivery), for the product lines that are
covered,
- any ISO 9001 requirement that has been excluded.
(It should be noted that the scope of registration/certification is not the same as the
certificate that is awarded to the organization after successful demonstration of
conformity to ISO 9001. The certificate will usually include a synthesized description of
the scope of registration/certification, but not the details of the ISO 9001 requirements
that have been excluded; however, it may include a note to refer to the fact that the
exclusions are detailed in the organization's Quality Manual.)
It is essential that a scope of registration/certification be drafted by the organization
prior to applying for registration/certification. This should then be analysed by the CRB
during the Stage 1 audit, for appropriate planning of the Stage 2 audit.
It is the responsibility of the auditor:
- to ensure that the final statement of the scope of registration/certification is not
misleading;
- to verify that this scope only refers to the processes, products, sites, departments, or
divisions etc. of the organization that were assessed during the registration/
certification audit; and
- to verify that this scope defines any excluded requirements from ISO 9001, and that
justification for such exclusions is provided and is reasonable.
As an additional measure to combat potential confusion among customers and end
users, the scope of registration/certification should be clearly defined in the
organisation's Quality Manual and any publicly available documents (this includes, for
example, promotional and marketing material).
However, promotional statements should never be included in the scope of
registration/certification itself.

2. AUDITING SERVICE ORGANIZATIONS


Introduction
Although ISO 9001:2008 is intended to apply to all kinds of organizations, regardless of
type, size or product provided, there are a number of characteristics of service
organizations that require specific attention during a third party audit. Consequently,
this document aims to provide auditors with guidance on auditing the compliance of
service organizations to the requirements of ISO 9001:2000. Particular emphasis is
given to the requirements of clause 7.3 Design and development, clause 7.5.2
Validation of processes for production and service provision and clause 8.3 Control of
nonconforming product.
Service Organizations
According to ISO 9000:2008, clause 3.4.2 Product:
"Service is the result of at least one activity necessarily performed at the interface
between the supplier and customer and is generally intangible. Provision of a service
can involve, for example, the following:
- an activity performed on a customer-supplied tangible product (e.g. automobile to be
repaired);
- an activity performed on a customer-supplied intangible product (e.g. the income
statement needed to prepare a tax return);
- the delivery of an intangible product (e.g. the delivery of information in the context of
knowledge transmission);
- the creation of ambience for the customer (e.g. in hotels and restaurants)."
Most organizations have an element of service in their product. This may range from
almost 100% service (in the case of a law firm, for example), to a relatively small
service component in the case of a manufacturing organization providing, for example,
after-sales service.
Auditing Guidance
Design and development of the service
When considering the applicability or not of clause 7.3 of ISO 9001:2008 to a service
organization, it is important to remember the definition of "Design and development",
which, according to ISO 9000:2005 clause 3.4.4 is the "set of processes that
transforms requirements into specified characteristics". Again, according to ISO
9000:2005 requirements are "needs and expectations that are stated, generally
implied or obligatory", and characteristics of the service are distinguishing features
that can include:

- sensory (e.g. related to smell, touch, taste, sight, hearing)
- behavioral (e.g. courtesy, honesty, veracity)
- temporal (e.g. punctuality, reliability, availability)
- ergonomic (e.g. physiological characteristic, or related to human safety)
- tangible (e.g. measurable characteristics; these may be either the
characteristics of the physical means used to deliver the service, e.g. the
maximum speed of an aircraft, or of the environment in which the service is
provided, e.g. the interior temperature or facilities of an aircraft).
It is quite common for organizations to consider only the tangible component of their
product when addressing the requirements of clause 7.3, forgetting that the design
and development of the intangible product (the service itself) should be the main focus.
Additionally, the organization will need to design how the service will be delivered to its
customers.
If the organization proposes to justify the exclusion of design and development from its
QMS, the auditor should make a careful assessment of the justifications in light of the
above. The auditor should also examine whether the organization has an effective
design and development process that sufficiently defines the characteristics of its
service, and of its service delivery processes, that are needed to meet customer needs
and expectations.
Validation of processes for production and service provision
In terms of the processes needed to realize the service, we can identify two types of
service processes:
- those involving the customer in the realization of the service itself (real time
delivery) and
- those in which the output is delivered to the customer after the realization of the
process
Using the example of a hotel, the guest "check-in" and "check-out" processes would
probably involve "real-time" delivery of the service, whilst the cleaning of the guest's
room would generally be "delivered" to the guest only after completion of the process
(which could be subject to inspection and rework if necessary, to correct any
nonconformities).
Similar processes can also be found in manufacturing organizations providing
services related to their products, for example, the handling of claims and warranties;
the repair of products by the organization's service units; or product maintenance
activities performed at organizations' facilities.
Those processes that involve real time delivery, and are carried out directly at the
organization/customer interface can rarely (if ever) have their output ("the service")
verified by subsequent monitoring or measurement before they are "delivered" to the
customer. Therefore, such processes are indeed subject to validation according to the
requirements of ISO 9001:2008, clause 7.5.2. This is also essential in order to prevent
nonconformities from occurring.
In order to ensure adequate control over the quality of the service to be provided, the
auditor should:
- understand the service characteristics, the service provision processes, and their
acceptance criteria, as defined by the organization (this should be done during the
Stage 1 audit)
- determine whether validation of "real-time" service provision processes (or any other
process that requires validation) has been performed and if this has taken into
account the associated risks;
- assess if the appropriate tools, training and empowerment have been provided to the
personnel involved.
For many service industries, the service provided is instantaneous (i.e. via "real-time"
processes), which does not readily allow for inspection before delivery of that service.
Quality thinking says that the most cost-effective way of doing business is to apply the
philosophy of "special processes" to ALL processes: the more the organization gets its
processes right, the less the organization needs to worry about the outcome of their
processes. Therefore it is very unlikely that this clause can be excluded.
Control of nonconforming product
In the cases of service processes directly involving the customer, "the control of
nonconforming product" (clause 8.3) is the way the organization deals with
nonconformities in the service provision until the appropriate corrective action is
defined and implemented.
Where a nonconformity is identified, the auditor should examine:
- whether the personnel involved are sufficiently empowered with the authority to
decide the disposition of the service, for example:
  o to immediately terminate the service
  o to replace the service provided
  o to offer an alternative
- the organization's customer claims and complaints processes
- any temporary corrections that are implemented to mitigate the effect of the
nonconformity (e.g. refund, credit, upgrade, etc.)
- the identification, segregation and replacement of the relevant service
equipment, service providers and environment.
This will enable the auditor to judge whether the control of such nonconforming product
is effective.
Note: In such situations the quality management system should have provisions to
capture data on the nonconformities and to feed back information, at the appropriate
management level, for the effective definition and implementation of corrective
actions.
For cases in which the output of the service is delivered after the realization of the
process, "control of nonconforming product" may be based on usual monitoring and
inspection techniques. Evidence will need to be sought of the adequacy and effective
implementation of these techniques.

3. HOW TO ADD VALUE DURING THE AUDIT PROCESS


What do we mean by "adding value"?
We hear so much about the importance of "adding value" during quality management
systems (QMS) audits, but what does this really mean? Is it possible to add value
without compromising the integrity of the audit or providing consultancy? In principle,
all audits should add value, but this is not always the case.
This document provides guidance on how an audit can add value for the different
parties involved, and the various situations that are likely to be encountered in the
context of second or third-party audits.
"Value-added" quality management systems
There are several dictionary definitions of "value", but all focus on the concept of
something being useful. "Adding value" therefore means to make something more
useful.
Some organizations have used the ISO 9000 series of standards to develop quality
management systems that are integrated into the way they do business, and are useful
in helping them to achieve their strategic business objectives - in other words they add
value for the organization. Conversely, other organizations may have simply created a
bureaucratic set of procedures and records that do not reflect the reality of the way the
organization actually works, and simply add costs, without being useful. In other
words, they do not "add value".
It is a question of approach:
A non-value-added approach asks "What procedures do we have to write to get the
ISO 9000 certification?"
A "value-added" approach asks the question "How can we use our ISO 9001:2008-based quality management system to help us to improve our business?"
How to add value during the audit process?
How can we ensure that an audit is useful to an organization in maintaining and
improving its QMS? (We should recognize, however, that there may be other
perspectives that need to be taken into consideration.)
In order to "add value", a third-party audit should be useful:
- to the certified organization
  o by providing information to top management regarding the organization's
    ability to meet strategic objectives
  o by identifying problems which, if resolved, will enhance the organization's
    performance
  o by identifying improvement opportunities and possible areas of risk
- to the organization's customers, by enhancing the organization's ability to provide
  conforming product
- to the certification body, by improving the credibility of the third-party certification
  process.
The approach to "adding value" is likely to be a function of the level of maturity of the
organization's quality culture and the maturity of its QMS, with respect to the
requirements of ISO 9001:2008.

By referring to figure 7, we can conceptually separate organizations into four different
zones, as follows:

[Figure 7: a two-by-two grid of zones. Vertical axis: Maturity of QMS (Non-conforming to Conforming). Horizontal axis: Maturity of quality culture (Low to High). Top row: Zone 3, Zone 4. Bottom row: Zone 1, Zone 2.]
Zone 1: (Low maturity of "quality culture"; immature QMS, not conforming to
ISO 9001:2008)
Zone 2: (Mature "quality culture"; immature QMS, not conforming to ISO
9001:2008)
Zone 3: (Low maturity of "quality culture"; mature QMS, conforming to ISO
9001:2008)
Zone 4: (Mature "quality culture"; mature QMS, conforming to ISO 9001:2008)


It is important to note that in this context:
"Quality culture" refers to the degree of awareness, commitment, collective attitude
and behaviour of the organization with regard to quality.
"Conformity to ISO 9001:2008" relates to the maturity of the organization's QMS,
and the extent to which it meets the requirements of ISO 9001:2008. (It is recognized
that specific minor nonconformities might be detected even in organizations that show
an overall high degree of maturity and conformity to ISO 9001:2008).
Zone 1: (Low maturity of "quality culture"; immature QMS, not conforming to
ISO 9001:2008)
For an organization that has little or no "quality culture" and a QMS that does not
conform to ISO 9001:2008, the expectation of how an audit might add value could
mean that the organization would like to receive advice on "how to" implement the
quality management system and/or resolve any non-conformities raised.
Here the auditor has to take great care, because in a third party audit such advice
would certainly generate a conflict of interest, and would contravene the ISO 17021
requirements for the accreditation of certification bodies. What the auditor can do,
however, is ensure that whenever non-conformities are encountered, the auditee has
a clear understanding of what the standard requires, and why the non-conformity is
being raised. If the organization can recognize that resolving these nonconformities
will lead to improved performance, then it is more likely to believe in and commit to the
certification process. It is important, however, that all identified non-conformities are
reported, so that the organization clearly understands what needs to be done in order
to meet the requirements of ISO 9001:2008.
While some organizations might not be totally satisfied with an audit outcome that does
not result in certification, the organization's customers (who receive the organization's
products) will certainly consider this to have been a "valuable" audit from their
perspective. From the perspective of the certification body, failing to report all
detected nonconformities and/or providing guidance on how to implement the quality
management system, adds no value to the credibility of the auditing profession or the
certification process.
We should recognize that the above discussion relates mainly to third party (certification)
audits. There is no reason why a second party (supplier evaluation) audit should not
"add value" by providing guidance to the organization on how to implement its quality
management system. Indeed, under these circumstances, such guidance (if it is
well-founded) would undoubtedly be useful for both the organization and its customer.

Zone 2: (Mature "quality culture"; immature QMS, not conforming to ISO
9001:2008)
For an organization that has a mature "quality culture", but an immature QMS that does
not conform to the ISO 9001:2008 requirements, the basic expectation of how an audit
might add value will probably be similar to that of Zone 1. In addition, however, the
organization is likely to have a much higher expectation of the auditor.
In order to be able to add value, the auditor has to understand the way in which the
organization's existing practices meet the requirements of ISO 9001:2008. In other
words, understand the organization's processes in the context of ISO 9001:2008, and
not, for example, insist that the organization redefine its processes and documentation
to align to the clause structure of the standard.
The organization might, for example, base its management system on business
excellence models, or total quality management tools such as Hoshin Kanri
(Management by Policy), Quality Function Deployment, Failure Mode and Effect
Analysis, "Six-sigma" methodology, 5S programmes, Systematic Problem Solving,
Quality Circles and others. In order to add value during the audit process, the auditor
should, at a minimum, be aware of the organization's methodologies, and be able to
see to what extent they are effective in meeting the requirements of ISO 9001:2008 for
that particular organization.
It is also important that the auditor not be "intimidated" by the organization's apparent
high degree of sophistication. While the organization may be using these tools as part
of an overall total quality philosophy, there might still be gaps in the way the tools are
being employed. Therefore, the auditor shall be able to identify any systematic
problems and raise the appropriate non-conformities. In these situations, the auditor
might be accused of being pedantic or even bureaucratic, so it is important to be able to
demonstrate the relevance of the non-conformities that are being raised.
Zone 3: (Low maturity of "quality culture"; mature QMS, conforming to ISO
9001:2008)
An organization that has been certified to one of the ISO 9000 series of standards for a
significant period of time might be able to demonstrate a high level of conformity to ISO
9001:2008, but at the same time not have truly implemented a "quality culture"
throughout the organization. Typically, the QMS might have been implemented under
pressure from customers, and built around the requirements of the standard, rather
than on the organization's own needs and expectations. As a result, the QMS may be
operating in parallel with the way the organization carries out its routine operations,
generating redundancy and inefficiency.

In order to add value in these circumstances, the primary objective of the auditor
should be to act as a catalyst for the organization to build on its ISO 9000-based quality
management system, and to integrate the system into its day-to-day operations. While
the third party certification auditor cannot provide recommendations on how to meet
the requirements of ISO 9001:2008, it is acceptable and indeed good practice to
encourage and stimulate (but not require!) the organization to go beyond the
requirements of the standard. The questions the auditor asks (and the way he or she
asks those questions) can provide valuable insights for the organization into how the
QMS could become more efficient and useful. Identification of "Opportunities for
Improvement" by the auditor should include ways in which the effectiveness of the
QMS might be enhanced, but could also address opportunities for improved
efficiency.
Zone 4: (Mature "quality culture"; mature QMS, conforming to ISO 9001:2008)
For an organization that has a mature "quality culture", and has been certified to one of
the ISO 9000 series of standards for a significant period of time, the expectation of how
an audit might add value will be the most challenging for an auditor. A common
complaint among this kind of organization is that the "routine surveillance visits" by the
auditor may be superfluous, and do little to add value in the organization's eyes.
In these cases, top management becomes an important customer of the certification
process. It is therefore important for the auditor to have a clear understanding of the
organization's strategic objectives, and to be able to put the QMS audit within that
context. The auditor needs to dedicate time for detailed discussions with top
management, to define their expectations for the QMS, and to incorporate these
expectations into the audit criteria.
Some tips for the auditor on how to add value
1) Audit planning:
a. Understand the auditee's expectations/corporate culture
b. Any specific concerns to be addressed (output from previous audits)?
c. Risk analysis of industry sector / specific to organization.
d. Pre-evaluation of statutory/regulatory requirements
e. Appropriate audit team selection to achieve audit objectives
f. Adequate time allocation

2) Audit technique:
a. Focus more on the process, and less on procedures. Some documented
procedures, work instructions, check-lists etc. may be necessary in order for
the organization to plan and control its processes, but the driving force should
be process performance.
b. Focus more on results and less on records. In a similar fashion, some records
may be necessary in order for the organization to provide objective evidence
that its processes are effective (generating the planned results) but in order to
add value, the auditor should be aware of and give credit for other forms of
evidence.
c. Remember the 8 Quality Management Principles
d. Use the "Plan-Do-Check-Act" approach to evaluate the organization's
process effectiveness.
  i. Has the process been planned?
  ii. Is it being carried out according to plan?
  iii. Are the planned results being achieved?
  iv. Are opportunities for improvement being identified and implemented?
    - By correcting non-conformities
    - By identifying root causes of problems and implementing corrective
      action
    - By identifying trends, and the need for preventive action
    - By innovation
e. Adopt a "holistic" approach to evidence gathering throughout the audit,
instead of focusing on individual clauses of ISO 9001:2008.

3) Analysis and decision
a. Put the findings into perspective (Risk assessment / "common sense").
b. Relate findings to the effect on the organization's ability to provide conforming
product (see ISO 9001:2008 clause 1.1).

4) Report and follow-up
a. Sensible reporting of audit findings
  i. Different approaches may be required depending on:
    - the organization's maturity (Zones 1, 2, 3 and 4)
    - the level of confidence in the organization's QMS
    - the risks involved
    - the auditee's attitude and commitment to the audit process
      o Proactive
      o Reactive
  ii. Ensure that any cultural aspects are taken into consideration
  iii. Emphasize positive findings as appropriate
  iv. Will the solution proposed by the organization in response to negative
      findings be useful?

Reports should be objective and focused on the right "audience". (Top
management will probably have expectations that are different from those of
the management representative).

ABOUT THE AUTHOR

K.G. Garg is an expert in quality management system development and implementation. He
worked for 27 years in the discipline of quality management with Indian Aeronautical
Regulatory Body & Hindustan Aeronautics Limited. Currently he is Chairman & CEO of
NVT Group (consisting of NVT Quality Certification Pvt. Ltd., & NVT Education Trust
Operating International School of Management Excellence).
Beginning with the year 1968, Garg has worked in the areas of manufacturing, processing,
casting, forging, electronics, electrical, software & engineering services related to
the aerospace industry for civil & military aircraft. He has carried out more than 200 audits for
ISO 9001, ISO 14001, TL 9000 & AS 9100.
Born in India, Garg holds Bachelor's and Master's degrees in Engineering from the Indian Institute of
Technology (Roorkee University) and has the honor of being the recipient of the university Gold
Medal at IIT (Roorkee University). He is a Graduate in Non-Destructive Inspection from AFTC,
Chanute, United States Air Force, securing 1st position in Graduate NDI AFTC, USA.
Garg has written/presented more than 50 papers in national/international journals/seminars.
Garg has been honored as Quality Guru at the International Asia Pacific Quality World conference at
Mexico.

Contact Address :
NVT Quality Certification Pvt. Ltd.
Cap1, Export Promotion Industrial Park
Near ITPL, White Field, Bangalore-560066
Tel.: +91-50-65343536/37, Fax: +91-50-28416767
Website : www.nvtquality.com, E-mail: nvtqc@vsnl.com

Dr Girdhar J. Gyani has been associated with the discipline of Quality since year 1980,
when he took up assignment on Airworthiness Assessment & Quality Certification of Military
Airplane (1980-90) with Defence Research & Development Organization at Hindustan
Aeronautics Limited, involving application of quality in state-of-art, multidisciplinary &
complex manufacturing sector.
Dr Gyani later joined Standardization, Testing & Quality Certification Directorate
(Department of Information Technology, Government of India) as CEO of a Test & Calibration
Laboratory & Founder Director of Indian Institute of Quality Management (1990-2003) and
during this period, Mr. Gyani as trainer & consultant facilitated large number of industries,
both in manufacturing as well as in service sector covering different facets of TQM. Mr.
Gyani is credited with designing & launching the country's first M.S. program in Quality
Management, which has been adapted by premier Indian university BITS Pilani.
In year 2003, he took up prestigious assignment as Secretary General, Quality Council of
India (apex quality body of country), responsible for establishing & operating national
accreditation structure and promoting quality in all walks of life. Mr. Gyani is elected director
on board of IAF since 2004. He has worked extensively on improving effectiveness of QMS
certification process through actual field validation, findings of which have appeared in
prominent international quality journals. He is widely traveled and has been invited speaker
at several international seminars on quality. He has of late been active in pursuing quality in
health and education. He has been instrumental in establishing national accreditation
structure for healthcare and quality school governance.
Dr Gyani holds a Master's Degree in Engineering and a Doctorate in Quality. He has been
conferred with the 16th Lal C. Verman Award in the year 2002 in recognition of his distinguished
contribution in the field of standardization, precision measurement & quality control. He is a
recipient of the Rotary Centenary Award in the year 2004 for Excellence in the field of Quality.