Professional Documents
Culture Documents
SABS
BOOKLET
Auditor's Checklist/Guideline
for auditing
1 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
10 Did the organization address the "new" and enhanced requirements ? ALL J
2 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
ANNEXURE A
"Limiting the SCOPE of a QMS"
3 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
♦ Certificates issued to ISO 9001:2000 shall state clearly in words the scope of the quality
management system (QMS) in a way that will not mislead customers, and shall ensure that
information is available for the USER to determine which categories of product and product
realization processes are included within the scope of certification/registration.
♦ In particular, scope statements shall be explicit in stating the responsibility for product design
and development and other principal realization processes such as manufacturing, sales, and
service.
a) The exclusion of clause 7 requirements may relate to all or only some of the product
categories that are within the scope of the organization’s QMS. Justification for the exclusion
of any requirement must be given in the organization’s quality manual, and the certification
/registration body shall review the validity of any such exclusion during certification and
surveillance audits.
b) If the organization has responsibility for and realises or outsources the design and
development process, the scope statement for certification/registration shall include the words
'Design of ....', 'Development of ...', or 'Design and development of ....'.
4 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
ANNEXURE B
"Verification of Exclusions"
5 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
Verification of Exclusions
1 Rules for Exclusions
1.1 It is intended that organizations seeking to implement ISO 9001:2000 will comply with all the
requirements of the standard that are applicable to the "products" within the scope of the
QMS.
1.2 However, even when an organization includes all its products in the scope of its QMS, it may
be found that some of the specific requirements of ISO 9001:2000 clause 7 Product
realization cannot be applied. This could be due to the nature of the organization, and that
of its products or realization processes. In such circumstances, the organization may limit
the application of the requirements of ISO 9001:2000, in accordance with clause 1.2.
1.3 Exclusions can be made of an entire clause, a whole sub-clause or just a very specific
requirement within a sub-clause. An example would be clause 7.3 Design and development,
which could be excluded in its entirety if no part of the design and development process is
performed by the organization and the organization has no responsibility for this process.
2 Justification of Exclusions
Where an organization finds that it cannot apply certain requirements of ISO 9001:2000, this has to
be defined and justified in the organization's Quality Manual. Any publicly available documents,
such as certification/registration documents or marketing materials, should be carefully phrased in
order to avoid confusing or misleading customers and end users regarding the application of ISO
9001:2000 requirements within the organization’s QMS.
4 Outsourced Processes
Where the overall responsibility for product realization belongs to an organization, the fact that
a specific product realization process (such as product design and development or manufacturing) is
outsourced (or “sub-contracted”) to an external organization is not an adequate justification for the
exclusion of this process from the QMS. See the DIAGRAM below for a clarification of this
matter.
Instead, the organization has to be able to demonstrate that it exercises sufficient control to ensure
that such processes are performed according to the relevant requirements of ISO 9001:2000. The
nature of this control will depend on the nature of the outsourced process and the risk involved. It
may include, for example, the specification and/or validation of processes as part of the contractual
agreement with the supplier, requirements for the supplier’s QMS, on-site inspections or
6 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
verifications, and/or audits. ISO 9001:2000 clause 7.4 Purchasing should be applied to monitor the
output of these outsourced or sub-contracted processes.
In these circumstances, the organization should include such processes in the scope of its QMS and
make it clear in its Quality Manual and any other publicly available documents that the QMS covers
the management of these outsourced or subcontracted activities for which the organization retains
overall responsibility.
---------------------------------------------------------------------------------
7 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
QMS
SUB-CONTRACTOR
(OUTSOURCE)
C
QMS YOUR ORGANIZATION
U
S
T
SUPPLIERS
PCON
O
M
QMS E
R
POUT
QMS
OUTSOURCE
(SUB-CONTRACTOR)
ANNEXURE C
"Identification of Processes"
9 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
IDENTIFICATION of PROCESSES
1 DIRECT REQUIREMENTS for PROCESSES
The table below lists the sub-clauses in which the standard itself directly requires specific
processes to be implemented and documented. These specific processes must be included in the
QMS, subject to rules of “application” for those in clause 7.
* means this process(es) can be excluded BUT only under the rules stated in sub-
clause 1.2 !
"PROCESS"
MANAGEMENT
INPUT(S) OUTPUT(S)
ACTIVITIES
ENABLERS
NOTE: The term “activity” has not been defined in ISO 9000:2000, however the Terminology
Guide N526R defines it as follows:
“The state of being active”
“The exertion of energy”
“Action”
Every process has inputs. The outputs are the results of the process. The outputs are products -
tangible or intangible. The process itself is (or should be) a transformation that adds value. Every
process involves people and/or other resources (also called ENABLERS) in some way.
An OUTPUT may be, for example, an invoice, computing software, liquid fuel, a clinical device, a
banking service or a final or intermediate product of any generic category. There are opportunities
to make measurements on the inputs, at various places in the process, as well as on the outputs.
These measurement points are called “control points”.
5 See APPENDIX 1 for a list of questions that can be asked to verify that the
organization have addressed the requirements of clause 4.1 adequately.
11 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
APPENDIX 1
CHECKLIST
for
“CLAUSE 4.1"
12 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
13 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
ANNEXURE D
"Process Mapping"
14 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
PROCESS MAPPING
1 INTRODUCTION
Process mapping is the name given to the practice of graphically describing how
processes interact with each other. A Process map, on the other hand, is a graphical
representation (a flowchart type document) of the activities that make up the process.
Process
Process
Process
Process
Process Process
Process
15 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
NOTE: See APPENDIX 1 for this type of map that starts with the "Management
Review Process" in the QMS.
This type of map describes the sequence of the key steps or activities within
the process for the transformation of the inputs into outputs. These process
maps (also called procedures) can be used to comply with the following
requirement of standard ISO 9001:2000:
EXPLANATORY PARAGRAPH
The primary purpose of the explanatory paragraph is to explain WHY a
procedure or work instruction is specified in a certain way. People will
conform to procedural guidelines or work instructions if they understand the
purpose of the guidelines or instructions. Additional detail and clarification of
any possible misconceptions can also be included in this paragraph.
NUMBERED LISTS OF VARIABLES
The lists that are most frequently included in these types of process maps
include the following:
Materials lists that specifies the process inputs;
Product lists that specifies the process outputs;
Process lists that specifies the CONTROL variables;
Failure Modes lists.
When appropriate, lists such as Safety, Environmental Concerns and
Regulatory Requirements can be included. A well-prepared process map can
serve as the skeleton of a standard operating procedure or work instruction
at each CONTROL POINT.
16 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
4 FLOWCHARTING CONVENTIONS
Any flowcharting convention can be used, so long as chart formats are kept as simple
as possible and any charting conventions are clearly explained on the chart itself – See
nomenclature used for the flowchart in the example below.
------------------------------------------
17 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
APPENDIX 1
LEVEL 1 TYPE PROCESS MAP
for the
“MANAGEMENT REVIEW
PROCESS”
18 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
19 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
Customer Requirements
Internal Communication
?
Continual Improvement Recommendations for Process
Analysis of Data Improvements
Process
(clause 8.4) Clause 5.5.3
(5.6.2(g))
Clause 8.5.1
Improve
MANAGEMENT effectiveness of Continual Improvement
Infrastructure Provision QMS
Process ?
?
Process ? ) Top Management
(5.6.3(a))
) Management Representative Clause 8.5.1
Clause 6.3
ACTIVITIES Improve
effectiveness of Product Realization
Resources Provision ? ) “PDCA” Processes Planning Process
? ?
Process ) Analysis (5.6.3(a))
) Evaluations Clause 7.1
Clause 6.1
) Decisions
) Actions
QMS Planning Design & Development
Quality Policy and Improve Product ?
Process Process
Analysis of Data Quality Objectives ENABLERS (5.6.3(b))
(clause 8.4) Clause 7.3
Clause 5.4.2 (5.4.2(b)) ) Documents, Records
) Reports
? ? ?
) Visual Aids Resources Provision
Clause ? Resource Needs ?
Process
? Clause 5.6 (5.6.3(c))
? ? Clause 6.1
Clause ?
20 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
APPENDIX 2
LEVEL 2 TYPE PROCESS MAP
for the
“MANAGEMENT REVIEW
PROCESS”
21 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
2.6 Follow-up on resolutions taken If applicable, the audit database can be Management
updated (audits closed). Representative
END
22 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
ANNEXURE E
"PROCESS IMPROVEMENT
METHODS"
23 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
1 REQUIREMENT
Clause 4.1(c) requires that criteria and methods be determined that will "ensure that both the
operation and control of these processes are effective”.
♦ 6 SIGMA Analysis
------------------------------------------------------------
24 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
ANNEXURE F
"DOCUMENTS & RECORDS"
25 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
1 Introduction
Two of the most important objectives in the revision of the ISO 9000 series of standards have been
a) to develop a simplified set of standards that will be equally applicable to small as well as
medium and large organizations, and
b) for the amount and detail of documentation required being more relevant to the desired
results of the organization’s process activities.
2 What is a “document”? - Definitions and references
The following are some of the main objectives of an organization’s documentation, independent of
whether or not it has implemented a formal QMS:
2.1 Communication of Information
Documentation that serves as a tool for information transmission and communication in an
organization. The type and extent of the documentation will depend on the:
• nature of the organization’s products and processes,
• degree of formality of communication systems,
• level of communication skills within the organization, and
• organizational culture.
2.2 Evidence of conformity
Documentation that provides evidence that what was planned has actually been done.
2.3 Knowledge sharing
Documentation that can be used to disseminate and preserve the organization’s experiences. A
typical example would be a technical specification, which can be used as a base for design and
development of a new product.
3 Terms and Definitions relating to "documents"
A list of commonly used terms (taken from ISO 9000:2000) relating to documentation is presented
in the table below.
ISO 9000:2000
Term Definition
Clause
NOTE: The term ‘document’ is used to cover the information contained in the document as well
as the various forms that documents might take, such as written documents, computer
hard disks, diskettes or CD-ROM, video, audio tapes or graphic posters.
26 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
27 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
ANNEXURE G
"CONTROL of DOCUMENTS"
28 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
CONTROL of DOCUMENTS
29 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
ANNEXURE H
"PROCESS DOCUMENTATION"
30 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
PROCESS DOCUMENTATION
The requirement for "process documentation" is stated in clause 4.2.1(d) and it requires that the
organization must decide which "documents" they need to ensure the effective planning,
operation and control of the processes that they have identified for their QMS.
The extent and nature of such "documents" is NOT prescribed by the standard. The standard
however uses the term "documents" in this clause to cover HOW the organization must provide
the information they need to perform the activities in their business. The term is used to
differentiate between "documented procedures" and other types of documentation that will include
"procedures".
-------------------------------------------------
31 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
ANNEXURE I
"STATUTORY & REGULATORY
REQUIREMENTS"
32 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
The terms statutory and regulatory are unfortunately NOT defined in ISO 9000:2000 or in the
"Guidance document on Terminology" (document N526R)
STATUTORY REQUIREMENTS
Statutory requirements are those specific requirements that are "required, permitted or enacted
by a written law that was passed by a legislative body";
REGULATORY REQUIREMENTS
Regulatory requirements are those specific requirements that have been formulated to:
• ensure control by certain specific rules (called regulations that are derived from statutes and
laws);
• impose specific restrictions;
• adapt written legal requirements for specific applications.
PRELIMINARY ANSWER: NO
GUIDANCE:
1 Many clauses of ISO 9001 refer to "regulatory requirements", and clause 7.2.1(c)
specifies which requirements, i.e. "statutory and regulatory requirements related
to the product".
2 Process-related regulatory requirements, which have an impact on a product (e.g.
welding, food cold chain), are also covered by clause 7.2.1(c), as they are related to
the product.
3 Other process-related regulatory requirements may be addressed in other specific
management systems, such as EMS and the Occupational Health and Safety
Management System.
33 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
ANNEXURE J
"NEW & ENHANCED
REQUIREMENTS"
34 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
The following documents should be consulted to verify clause by clause WHAT these "new" and
"enhanced " requirements actually are:
• the Australian handbook HB90.0:2000 - The ISO 9001 Comparison 2000 vs 1994
• the ISO 9001:2001 Handbook for Small Businesses - Working Draft 2 can be used until the
final version is released during December 2001;
• the Transition Planning Guidance for ISO 9001:2000, section 5 on pages 15 to 29;
• Annexures B.1 and B.2 in standard ISO 9001:2000.
NOTE: See APPENDIX 1 for a summarized list of these "new" and "enhanced "
requirements.
--------------------------------------------------------
35 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
APPENDIX 1
What has changed?
36 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
37 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
Customer satisfaction
A Greater focus on the interaction between the organization and the customer - before,
during and after the product and/or service delivery, is now required. Customer
satisfaction takes a more significant role now in the new standard due to a requirement
that information on customer perception must be monitored about HOW well the
organization has met the customer 's requirements.
Internal Communication
There is now a brand new requirement for an organization to have internal
communication processes in place to provide information on the Quality Management
System and HOW effective it is.
Competence
In assessing human resources and in training, the issue of competence has been
introduced and will have to be addressed within the organization in future.
The organization must now ensure that "people " in an organization
is competent to perform their assigned work, and
knows HOW their jobs impact on the management of quality within the
organization as a whole.
There is now also considerable more flexibility within the new standard, which requires a
balance between documenting a process and the competence of the staff involved.
Less documented procedures to be demanded by auditors
The standard has shifted the emphasis on the need for documentation of procedures
from the standard to the organization. The 2000 version now requires your organization to
take responsibility for identifying and developing the "documents" (i.e. not necessarily
procedures anymore) you need for your business.
The standard now requires only six documented procedures to be formally compiled
by an organization in future. SMME's might want to address these six requirements in
only THREE documented procedures.
The organization itself will need to decide WHAT other documentation is needed for it to
control its operations and processes.
Interaction between processes
The standard now more clearly defines that the production processes and the resultant
product(s) are part of the Quality Management System i.e. organizations needs to
understand that production of conforming product and/or delivery of conforming
service is included in and is part of the quality management system.
There is a requirement for the organization to describe all its processes and HOW
they interact.
Outsourcing
The standard now recognizes that organizations do outsource activities and has now a
requirement for the organization to ensure control over those processes, which provide
"outsourced" product and/or processes - see attached Concept Diagram for
"outsourcing " and "sub-contracting" relationships.
38 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
Other changes
There are a number of other changes, which are either a new requirement within a
clause or an extension of the requirement(s) of the 1994 version. Below are a few
EXAMPLES of these -- more detailed information can however be obtained in the
Australian Handbook mentioned below. This unique handbook compares the 2000 version
with the 1994 version on a clause by clause basis by utilizing the full text of both
versions, and NOT just by using a cross reference index as in ISO 9001:2000:
HB90.0: 2000 - The ISO 9001 Comparison 2000 vs 1994
• The need to identify applicable statutory and regulatory requirements related to
the product.
• The need for more involvement by "Top Management" in the Quality Management
System.
• Greater compatibility has been achieved with
ISO 14000:1996 - Environmental Management System standard, and the
OHSAS 18001:1999 - Occupational Health and Safety Management
System specification.
• The need to understand the so-called Eight Quality Management Principles that
forms the foundation on which the new ISO 9000 series of standards have been
built.
------------------------------------------------
39 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC
07/10/04
QMS
SUB-CONTRACTOR
C
QMS U
YOUR ORGANIZATION
S
T
SUPPLIERS
PCON
O
M
QMS E
R
POUT
QMS
— Process
OUTSOURCE
POUT — Process “outsourced” to a sub-contractor.
40 of 40
BOOKLETS/AUDIT/CHECKLIST.DOC