
07/10/04

SABS

BOOKLET
Auditor's Checklist/Guideline
for auditing

standard ISO 9001:2000

Compiled by William H Graham


South African representative to ISO/TC176/SC2

Version 1 Date of this issue: 2001-07-12

BOOKLETS/AUDIT/CHECKLIST.DOC

GENERIC CHECKLIST for AUDITING STANDARD ISO 9001:2000

No. QUESTION Cls. no. Annex No.

1 Is the SCOPE of the organization's QMS limited in any way whatsoever? 4.2.2(a) A
2 Did the organization exclude any requirements of the standard from their QMS? 4.1(a), 4.2.2(a) B
3 Which specific processes has the organization identified for their QMS? 4.1(a) C
4 Did the organization compile a description of the interaction (including their sequence) between the identified processes of the QMS? 4.2.2(c), 4.1(b) D
5 Which specific criteria and methods has the organization identified to ensure that both the operation and control of the identified QMS processes are effective? 4.1(c) E
6 Which specific documentation categories ("documents") were identified by the organization? 4.2.1, 7.5.1(b) F
7 Is the control of these "documents" described in a 'documented procedure'? 4.2.3 G
8 Is there documented evidence that the planning, operation and control of the identified QMS processes are effective? 4.2.1(d) H
9 Did the organization identify any applicable statutory and regulatory requirements that are related to the product and/or service that they provide through the organization's QMS? 5.1(a), 7.2.1(c) I
10 Did the organization address the "new" and enhanced requirements? ALL J


ANNEXURE A
"Limiting the SCOPE of a QMS"



1 Defining the SCOPE of a Quality Management System
ISO 9001:2000 clause 1 Scope defines the scope of the standard itself. This should not be confused
with the scope of the QMS, which is a term commonly used within the context of QMS
certification/registration to describe the organization and products to which the QMS applies.
The scope of the QMS should be based on:
1. the nature of the organization's products and their realization processes,
2. the result of risk assessment,
3. commercial considerations, and
4. contractual, statutory and regulatory requirements.
If an organization chooses to implement a QMS with a limited scope, this should be clearly defined
in the organisation's Quality Manual and any other publicly available documents to avoid confusing or
misleading customers and end users (this includes, for example, certification/registration documents
and marketing material).

2 SPECIFIC IAF GUIDANCE (Refer to Annex C of Guidance Document N524R2)


IAF Guidance 3

♦ Certificates issued to ISO 9001:2000 shall state clearly in words the scope of the quality
management system (QMS) in a way that will not mislead customers, and shall ensure that
information is available for the USER to determine which categories of product and product
realization processes are included within the scope of certification/registration.
♦ In particular, scope statements shall be explicit in stating the responsibility for product design
and development and other principal realization processes such as manufacturing, sales, and
service.
a) The exclusion of clause 7 requirements may relate to all or only some of the product
categories that are within the scope of the organization’s QMS. Justification for the exclusion
of any requirement must be given in the organization’s quality manual, and the certification
/registration body shall review the validity of any such exclusion during certification and
surveillance audits.
b) If the organization has responsibility for and realises or outsources the design and
development process, the scope statement for certification/registration shall include the words
'Design of ....', 'Development of ...', or 'Design and development of ....'.


ANNEXURE B
"Verification of Exclusions"


Verification of Exclusions
1 Rules for Exclusions
1.1 It is intended that organizations seeking to implement ISO 9001:2000 will comply with all the
requirements of the standard that are applicable to the "products" within the scope of the
QMS.
1.2 However, even when an organization includes all its products in the scope of its QMS, it may
be found that some of the specific requirements of ISO 9001:2000 clause 7 Product
realization cannot be applied. This could be due to the nature of the organization, and that
of its products or realization processes. In such circumstances, the organization may limit
the application of the requirements of ISO 9001:2000, in accordance with clause 1.2.
1.3 Exclusions can be made of an entire clause, a whole sub-clause or just a very specific
requirement within a sub-clause. An example would be clause 7.3 Design and development,
which could be excluded in its entirety if no part of the design and development process is
performed by the organization and the organization has no responsibility for this process.

2 Justification of Exclusions
Where an organization finds that it cannot apply certain requirements of ISO 9001:2000, this has to
be defined and justified in the organization's Quality Manual. Any publicly available documents,
such as certification/registration documents or marketing materials, should be carefully phrased in
order to avoid confusing or misleading customers and end users regarding the application of ISO
9001:2000 requirements within the organization’s QMS.

3 Claims of conformity, and requirements that may NOT be excluded


If an organization excludes from its QMS ISO 9001:2000 requirements that do not meet the criteria
established in clause 1.2 Application, then conformity to ISO 9001:2000 may not be claimed or
implied. This includes the following situations:
• Where an organization fails to comply with the requirement in clause 4.2.2(a) Quality manual to
provide justification for the exclusion of specific clause 7 Product realization requirements.
• Where requirements in clause 7 have been excluded because they are NOT required by
regulatory bodies, but the requirements affect the organization’s ability to meet customer
requirements.
• Where an organization decides not to apply a requirement in clause 7 based only on the
justification that this was NOT a requirement of either ISO 9001:1994, ISO 9002:1994 or ISO
9003:1994, and had not been previously included in the organization’s QMS.

4 Outsourced Processes
Where the overall responsibility for product realization belongs to an organization, the fact that
a specific product realization process (such as product design and development or manufacturing) is
outsourced (or “sub-contracted”) to an external organization is not an adequate justification for the
exclusion of this process from the QMS. See the DIAGRAM below for a clarification of this
matter.
Instead, the organization has to be able to demonstrate that it exercises sufficient control to ensure
that such processes are performed according to the relevant requirements of ISO 9001:2000. The
nature of this control will depend on the nature of the outsourced process and the risk involved. It
may include, for example, the specification and/or validation of processes as part of the contractual
agreement with the supplier, requirements for the supplier’s QMS, on-site inspections or
verifications, and/or audits. ISO 9001:2000 clause 7.4 Purchasing should be applied to monitor the
output of these outsourced or sub-contracted processes.
In these circumstances, the organization should include such processes in the scope of its QMS and
make it clear in its Quality Manual and any other publicly available documents that the QMS covers
the management of these outsourced or subcontracted activities for which the organization retains
overall responsibility.

5 For further assistance and clarification, please consult:

ISO 9000 Introduction and Support Package


Guidance on ISO 9001:2000 clause 1.2 'Application'

---------------------------------------------------------------------------------


CONCEPT DIAGRAM FOR “OUTSOURCING” and “SUB-CONTRACTING” RELATIONSHIPS

[Diagram not reproduced. It shows YOUR ORGANIZATION, its SUPPLIERS, the CUSTOMER and the SUB-CONTRACTOR (OUTSOURCE), marked as organizations with a QMS, together with the processes PCON and POUT.]

Legend:
POUT: Process “outsourced” to a sub-contractor.
PCON: Process to control the “outsourced” process.

ANNEXURE C
"Identification of Processes"


IDENTIFICATION of PROCESSES
1 DIRECT REQUIREMENTS for PROCESSES
The table below lists the sub-clauses in which the standard itself directly requires specific
processes to be implemented and documented. These specific processes must be included in the
QMS, subject to rules of “application” for those in clause 7.

CLAUSE TYPE of PROCESS

5.5.3 Communication processes
5.6 Management review
5.6.1 General
5.6.2 Review input
5.6.3 Review output
7.1 Product realization processes
7.2* Customer-related processes
7.3* Design and development
7.3.2* Design and development inputs
7.3.3* Design and development outputs
7.4.1* Purchasing process
7.6* Monitoring and measuring processes
8.1 Monitoring, measuring, analysis & continual improvement processes
8.2.2 Audit process

* means this process(es) can be excluded BUT only under the rules stated in sub-clause 1.2 !

2 How to recognize a process


• The first activity in a process is always initiated as a response to an event;
• The activities which make up the process move from the initiating event to achieving
the result;
• The final activity in a process must produce a result;
• There should be identifiable inputs and outputs to the process. Although there may be
inputs and, sometimes, several outputs there is only one result.

3 How to recognize a GOOD process


• The initial event should be clear;
• The result should be clear;
• Specific inputs should be clear;
• Specific outputs should be identifiable;
• The process will cross organizational boundaries to achieve its result;
• Each activity is undertaken once (and only once);
• The process is documented;
• The process is easily understood (especially by its participants);
• The process will contribute to the organization’s mission.

4 CONCEPTUAL DIAGRAM of a “PROCESS”


The 2000 version of the International Standards in the ISO 9000 family is (now) based upon the
understanding that all WORK (activities) is accomplished in a process. For an organization to
function effectively, it has to identify and manage these numerous linked activities.

Context of the term “activity” in a “PROCESS”

[Diagram not reproduced. Its labels are "PROCESS", MANAGEMENT, ACTIVITIES, ENABLERS, INPUT(S) and OUTPUT(S).]

NOTE: The term “activity” has not been defined in ISO 9000:2000, however the Terminology
Guide N526R defines it as follows:
• “The state of being active”
• “The exertion of energy”
• “Action”
Every process has inputs. The outputs are the results of the process. The outputs are products -
tangible or intangible. The process itself is (or should be) a transformation that adds value. Every
process involves people and/or other resources (also called ENABLERS) in some way.
An OUTPUT may be, for example, an invoice, computing software, liquid fuel, a clinical device, a
banking service or a final or intermediate product of any generic category. There are opportunities
to make measurements on the inputs, at various places in the process, as well as on the outputs.
These measurement points are called “control points”.
5 See APPENDIX 1 for a list of questions that can be asked to verify that the
organization has addressed the requirements of clause 4.1 adequately.

6 For further assistance and clarification, please consult:

ISO 9000 Introduction and Support Package


Guidance on the "Process Approach" to QMSs


APPENDIX 1
CHECKLIST
for

“CLAUSE 4.1"


CHECKLIST for Clause 4.1


The requirements for processes are defined in clause 4.1 of ISO 9001:2000. Below is a checklist of
questions that the auditor can ask in order to verify that these requirements have been adequately
addressed by the organization. It is stressed that these questions are only examples, and should not
be interpreted as the only way to meet the requirements:
a) Identify the processes needed for the quality management system, and their application
throughout the organization.
- What are the processes needed for the organization's quality management system?
- Who are the customers of each process (internal and/or external customers)?
- What are the requirements of these customers?
- Who is the “owner” of the process?
- Are any of these processes outsourced?
- What are the inputs and outputs for each process?
b) Determine the sequence and interaction of these processes.
- What is the overall flow of the organization's processes?
- How has the organization described this? (Process maps or flowcharts?)
- What are the interfaces between the processes?
- What documentation has the organization used?
c) Determine criteria and methods required to ensure that both the operation and control of
these processes are effective
- What are the characteristics of intended and unintended results of the process?
- What are the criteria for monitoring, measurement and analysis?
- How has the organization incorporated this into the planning of their QMS and product
realization processes?
- What are the economic issues (cost, time, waste, etc.)?
- What methods are appropriate for data gathering?
d) Ensure the availability of resources and information necessary to support the operation and
monitoring of these processes
- What are the resources needed for each process?
- What are the communication channels?
- How has the organization provided external and internal information about the process?
- How does the organization obtain feedback?
- What data has the organization collected?
- What records are kept by the organization?
e) Measure, monitor and analyze these processes.
- How does the organization monitor process performance (Process capability, customer
satisfaction)?
- What measurements are necessary?
- How has the organization analyzed the gathered information (Statistical techniques)?
- What does the result of this analysis tell them?
f) Implement action necessary to achieve planned results and continual improvement of these
processes
- How does the organization improve the processes?
- What corrective and/or preventive actions are necessary?
- Have these corrective/preventive actions been implemented?
- Are they effective?


ANNEXURE D
"Process Mapping"


PROCESS MAPPING
1 INTRODUCTION
Process mapping is the name given to the practice of graphically describing how
processes interact with each other. A Process map, on the other hand, is a graphical
representation (a flowchart type document) of the activities that make up the process.

2 MULTI-LEVEL PROCESS MAPPING


Process mapping is a systematic approach for documenting processes and their
related cycle times. It also provides a quick and effective way to develop a picture
of the specific:

1 sequence and interaction (linking) of processes (Level 1 – Macro Process
Maps);
2 activities (key steps) occurring within an existing process (Level 2 – Micro
Process Maps);
3 details of a process at defined control points (Level 3 – Detailed Process
Maps).
This Multi-level process mapping facilitates the analysis of operations from the
highest (macro) level processes down to specific procedures and work instructions. A
multi-level process map is a hierarchy of "flowchart documents" and lists used to
thoroughly define the processes in increasingly finer levels of detail.

LEVEL 1 - MACRO “PROCESS MAP”


The general approach in process mapping is to start with a broad overview of
the processes that will constitute the Quality Management System – see
diagram below. This will provide the macro process map that can be used to
comply with the following requirements of standard ISO 9001:2000:
• 4.1(a) The organization shall identify the processes needed for the
QMS and their application throughout the organization,
• 4.1(b) The organization shall determine the sequence and interaction
of these processes, and
• 4.2.2(c) The organization shall establish and maintain a QMS that
includes a description of the interaction between the processes
of the QMS.

[Diagram not reproduced: a "Quality Management System" containing several "Process" boxes.]

NOTE: See APPENDIX 1 for this type of map that starts with the "Management
Review Process" in the QMS.

LEVEL 2 - MICRO “PROCESS MAP”

This type of map describes the sequence of the key steps or activities within
the process for the transformation of the inputs into outputs. These process
maps (also called procedures) can be used to comply with the following
requirement of standard ISO 9001:2000:

• 4.2.1(d) The QMS documentation shall include documents needed by
the organization to ensure the effective planning, operation and
control of its processes.
NOTE: See APPENDIX 2 for this type of map for the "Management
Review Process" in the QMS.

LEVEL 3 - DETAILED “PROCESS MAP”

This type of map describes a specified CONTROL POINT in a process and
consists of the following two parts:
1 a brief explanatory paragraph that explains the details of the process at
the CONTROL POINT;
2 several numbered lists of variables (the control elements) that enumerate
the key quality measures associated with the specific CONTROL POINT.

EXPLANATORY PARAGRAPH
The primary purpose of the explanatory paragraph is to explain WHY a
procedure or work instruction is specified in a certain way. People will
conform to procedural guidelines or work instructions if they understand the
purpose of the guidelines or instructions. Additional detail and clarification of
any possible misconceptions can also be included in this paragraph.
NUMBERED LISTS OF VARIABLES
The lists that are most frequently included in these types of process maps
include the following:
• Materials lists that specify the process inputs;
• Product lists that specify the process outputs;
• Process lists that specify the CONTROL variables;
• Failure Modes lists.
When appropriate, lists such as Safety, Environmental Concerns and
Regulatory Requirements can be included. A well-prepared process map can
serve as the skeleton of a standard operating procedure or work instruction
at each CONTROL POINT.


3 BENEFITS OF A PROCESS MAP


A Process Map is a visual model of a process. It:
• is intuitive;
• is understood at every level of an organization;
• is sophisticated enough to model complex activities;
• prevents ambiguity;
• makes effective use of time available to analyze a process;
• identifies process-related issues;
• provides a standard format from as-is analysis, to-be design and
implementation confirmation;
• relates precisely to IT systems modeling.

4 FLOWCHARTING CONVENTIONS
Any flowcharting convention can be used, so long as chart formats are kept as simple
as possible and any charting conventions are clearly explained on the chart itself – See
nomenclature used for the flowchart in the example below.

------------------------------------------


APPENDIX 1
LEVEL 1 TYPE PROCESS MAP
for the

“MANAGEMENT REVIEW
PROCESS”


MANAGEMENT REVIEW PROCESS ~ CONCEPT DIAGRAM


[Concept diagram not reproduced (two pages). It shows the Management Review process (Clause 5.6) with its MANAGEMENT (Top Management, Management Representative), ACTIVITIES (“PDCA”, Analysis, Evaluations, Decisions, Actions) and ENABLERS (Documents, Records, Reports, Visual Aids), the QMS processes that supply the inputs labelled 5.6.2(a) to 5.6.2(g), and the QMS processes that receive the outputs labelled 5.6.3(a) to 5.6.3(c).]


APPENDIX 2
LEVEL 2 TYPE PROCESS MAP
for the

“MANAGEMENT REVIEW
PROCESS”


PROCEDURE FOR THE CORPORATE QUALITY MANAGEMENT REVIEW PROCESS

1. PURPOSE & SCOPE
This procedure lays down the activities & responsibilities to review the SABS Quality Management System at the intervals
stipulated in the Quality Policy, CPO 120, to ensure its continuing suitability, adequacy & effectiveness in satisfying the
requirements of ISO 9001.

2. PROCEDURE: Breakdown of Process
Quality Management Policy

Each step below lists: STEP DESIGNATION, REF DOC, ACTIVITY, RESPONSIBILITY.

2. Procedure to do Management Review
   Ref doc: CSP 125
   Activity: To identify aspects in the Quality Management System needing revision including Policy & Procedures.
   Responsibility: Chief Executive Officer

2.1 Use Audit Database Info
   Activity: Print relevant graphs & reports to enable participants in the Management Review meeting to inform & prepare themselves.
   Responsibility: Secretariat

2.2 Select major business effectiveness points for inclusion on the agenda
   Activity: Relevant input from internal audits, control of non-conforming product, corrective & preventative action, customer complaints; etc., to be included.
   Responsibility: Management Representative

2.3 Organize the Management Review Meeting
   Activity: The graphs & reports from step 2.1 must be attached to the agenda for the meeting (& minutes, if applicable).
   Responsibility: Secretariat

2.4 Circulate meeting resolutions for approval
   Activity: Circulate minutes of the meeting in accordance with the agreed circulation list inviting written objections within 30 days.
   Responsibility: Management Representative

2.5 Implement Resolutions
   Activity: The resolutions must be carried out as close as possible as resolved at the meeting, & deviations & delays must be reported at the next meeting.
   Responsibility: All Staff

2.6 Follow-up on resolutions taken
   Activity: If applicable, the audit database can be updated (audits closed).
   Responsibility: Management Representative

2.7 Report on resolutions not carried out, at the next meeting
   Responsibility: Management Representative

2.8 Decide on action to be taken, if necessary
   Activity: The meeting must withdraw the resolution if execution thereof could not be carried out. If it was not executed for other reasons, the resolution must be amended accordingly, and listed again.
   Responsibility: Chief Executive Officer

END


ANNEXURE E
"PROCESS IMPROVEMENT
METHODS"


PROCESS IMPROVEMENT METHODS

1 REQUIREMENT
Clause 4.1(c) requires that criteria and methods be determined that will "ensure that both the
operation and control of these processes are effective”.

2 LIST of possible METHODS

♦ Plan, Do, Check and Act - PDCA

♦ Benchmarking – i.e. comparing “mine” with “yours”

♦ Quality Circles utilizing “small group activities”

♦ “Process Capability” grading – see documents:


• SABS ISO/IEC 12207:1995
• ISO/IEC TR 15504-2/5:1998/99

♦ Failure Mode Effect Analysis – FMEA

♦ 6 SIGMA Analysis

------------------------------------------------------------


ANNEXURE F
"DOCUMENTS & RECORDS"


DOCUMENTS and RECORDS

1 Introduction
Two of the most important objectives in the revision of the ISO 9000 series of standards have been
a) to develop a simplified set of standards that will be equally applicable to small as well as
medium and large organizations, and
b) for the amount and detail of documentation required to be more relevant to the desired
results of the organization’s process activities.
2 What is a “document”? - Definitions and references
The following are some of the main objectives of an organization’s documentation, independent of
whether or not it has implemented a formal QMS:
2.1 Communication of Information
Documentation that serves as a tool for information transmission and communication in an
organization. The type and extent of the documentation will depend on the:
• nature of the organization’s products and processes,
• degree of formality of communication systems,
• level of communication skills within the organization, and
• organizational culture.
2.2 Evidence of conformity
Documentation that provides evidence that what was planned has actually been done.
2.3 Knowledge sharing
Documentation that can be used to disseminate and preserve the organization’s experiences. A
typical example would be a technical specification, which can be used as a base for design and
development of a new product.
3 Terms and Definitions relating to "documents"
A list of commonly used terms (taken from ISO 9000:2000) relating to documentation is presented
in the table below.
Term, ISO 9000:2000 Clause, Definition

Document 3.7.2 information and its supporting medium
Procedure 3.4.5 specified way to carry out an activity or a process (Note: Procedures can be documented or not)
Quality Manual 3.7.4 document specifying the quality management system of an organization
Quality Plan 3.7.5 document specifying which procedures and associated resources shall be applied by whom and when to a specific project, product, process or contract
Record 3.7.6 document stating results achieved or providing evidence of activities performed
Specification 3.7.3 document stating requirements

NOTE: The term ‘document’ is used to cover the information contained in the document as well
as the various forms that documents might take, such as written documents, computer
hard disks, diskettes or CD-ROM, video, audio tapes or graphic posters.


4 Records required by ISO 9001:2000

Clause Record required


5.6.1 Management reviews
6.2.2 (e) Education, training, skills and experience
7.1 (d) Evidence that the realization processes and resulting product fulfil
requirements
7.2.2 Results of the review of requirements related to the product and actions
arising from the review
7.3.2 Design and development inputs relating to product requirements
7.3.4 Results of design and development reviews and any necessary actions
7.3.5 Results of design and development verification and any necessary actions
7.3.6 Results of design and development validation and any necessary actions
7.3.7 Results of the review of design and development changes and any necessary
actions
7.4.1 Results of supplier evaluations and any necessary actions arising from the
evaluations
7.5.2 (d) As required by the organization to demonstrate the validation of processes
where the resulting output cannot be verified by subsequent monitoring or
measurement
7.5.3 The unique identification of the product, where traceability is a requirement
7.5.4 Customer property that is lost, damaged or otherwise found to be unsuitable
for use
7.6 (a) Basis used for calibration or verification of measuring equipment where no
international or national measurement standards exist
7.6 Validity of the previous measuring results when the measuring equipment is
found not to conform to requirements
7.6 Results of calibration and verification of measuring equipment
8.2.2 Internal audit results and follow-up actions
8.2.4 Indication of the person(s) authorizing release of product.
8.3 Nature of the product nonconformities and any subsequent actions taken,
including concessions obtained
8.5.2 Results of corrective action
8.5.3 Results of preventive action


ANNEXURE G
"CONTROL of DOCUMENTS"


CONTROL of DOCUMENTS

1 Purpose of document control


Document control is basically about making sure that the "document" that is in use is the ‘right’
document, and that it has been formally approved as necessary. That is, it is the applicable
document (normally the latest issue) for the work being done. This is important if the people are to
have the 'right' information they need to do the job.

2 Scope of document control


Control of documentation includes the control of "documents" from internal sources, such as:
• formal statements (e.g. quality policy and quality objectives),
• procedures,
• work instructions,
• drawings,
• lists,
• registers,
• job descriptions,
• acceptance criteria,
• minutes of meetings,
• circulars,
• manuals (OEM, quality manual etc.), and
from external sources, such as:
• statutory regulations,
• standards,
• codes of practice, and
• specifications.

3 Control of Electronic Documentation


With the rapid development of computer networks, it has become relatively easy to comply with the
requirements of document control. (Traditionally document control has accounted for more than
half the noncompliance to the ISO 9000 series of standards.)
The simplest way to control electronic documents is to make them available only on the internal
computer network. If a computer-based system is used, remember to always have a backup. If the
computer approach is used, then the version on the network is the latest version. A statement can be
added to the effect that any paper copy is uncontrolled and it is up to the reader to ensure that it is
the latest copy by checking on the network.
It is impossible to control all documents received electronically from external sources. It is
therefore important that everyone has the “right” information before starting work.
4 Scope of the "Documented Procedure" for the Control of Documents
This "procedure" should describe how the organization exercises control of those documents for
which they consider control to be necessary. The organization should try to avoid complex
arrangements for the updating and retrieval of documents.
The standard requires "documented information" to be up-to-date, but does NOT specify HOW
this should be done. By taking advantage of the flexibility allowed in clause 4.2.3 and adopting the
simplest and most practical methods, unnecessary bureaucracy and costs can be avoided.


ANNEXURE H
"PROCESS DOCUMENTATION"


PROCESS DOCUMENTATION

The requirement for "process documentation" is stated in clause 4.2.1(d) and it requires that the
organization must decide which "documents" they need to ensure the effective planning,
operation and control of the processes that they have identified for their QMS.
The extent and nature of such "documents" is NOT prescribed by the standard. The standard
however uses the term "documents" in this clause to cover HOW the organization must provide
the information they need to perform the activities in their business. The term is used to
differentiate between "documented procedures" and other types of documentation that will include
"procedures".

There is no “catalogue”, or list of processes that has to be documented. Each organization
should determine which processes are to be documented on the basis of:
• its customer and applicable regulatory or statutory requirements,
• the nature of its activities, and
• its overall corporate strategy.
In determining which processes should be documented the organization may wish to consider
factors such as:
• effect on quality,
• risk of customer dissatisfaction,
• statutory and/or regulatory requirements,
• economic risk,
• effectiveness and efficiency,
• competence of personnel, and
• complexity of processes.
Where it is found necessary to document processes, a number of different methods can be used,
such as graphical representations, written instructions, checklists, flow charts, visual media, or
electronic methods.
NOTE: It must be kept in mind that these "documents" will have to be controlled as per the
requirements of clause 4.2.3.

-------------------------------------------------


ANNEXURE I
"STATUTORY & REGULATORY
REQUIREMENTS"


STATUTORY and REGULATORY REQUIREMENTS


In order for auditors to be able to verify that an organization complies with the requirements of
clauses 5.1(a) and 7.2.1(c), they must themselves determine beforehand which specific statutory
and regulatory requirements can:
• have an effect on the quality of the product and/or service of the specific organization, and/or
• influence the specific industry sector within which the organization operates.

The terms statutory and regulatory are unfortunately NOT defined in ISO 9000:2000 or in the
"Guidance document on Terminology" (document N526R).

STATUTORY REQUIREMENTS
Statutory requirements are those specific requirements that are "required, permitted or enacted
by a written law that was passed by a legislative body".

REGULATORY REQUIREMENTS
Regulatory requirements are those specific requirements that have been formulated to:
• ensure control by certain specific rules (called regulations that are derived from statutes and
laws);
• impose specific restrictions;
• adapt written legal requirements for specific applications.

CLARIFICATION of the "APPLICATION" of STATUTORY and REGULATORY REQUIREMENTS
Auditors must take note of the International Interpretation (see box below) by ISO/TC176 on this
matter.

CLAUSE 7.2.1 - Determination of requirements related to the product


QUESTION (INT 008):
Does the requirement to meet statutory and regulatory requirements (usually refers to
the product) refer also to the processes related to product realization ?

PRELIMINARY ANSWER: NO

GUIDANCE:
1 Many clauses of ISO 9001 refer to "regulatory requirements", and clause 7.2.1(c)
specifies which requirements, i.e. "statutory and regulatory requirements related
to the product".
2 Process-related regulatory requirements, which have an impact on a product (e.g.
welding, food cold chain), are also covered by clause 7.2.1(c), as they are related to
the product.
3 Other process-related regulatory requirements may be addressed in other specific
management systems, such as EMS and the Occupational Health and Safety
Management System.


ANNEXURE J
"NEW & ENHANCED
REQUIREMENTS"


NEW and ENHANCED REQUIREMENTS


Auditors must be very careful here as there are really many "new" and "enhanced" requirements.
These are requirements that were:
1 NOT addressed in the 1994 version at all,
2 in the 1994 version BUT have been “clarified” by specifying exactly what is required now; and
3 in the 1994 version BUT have been “enhanced” by adding additional requirements.

The following documents should be consulted to verify clause by clause WHAT these "new" and
"enhanced" requirements actually are:
• the Australian handbook HB90.0:2000 - The ISO 9001 Comparison 2000 vs 1994
• the ISO 9001:2001 Handbook for Small Businesses - Working Draft 2 can be used until the
final version is released during December 2001;
• the Transition Planning Guidance for ISO 9001:2000, section 5 on pages 15 to 29;
• Annexures B.1 and B.2 in standard ISO 9001:2000.

NOTE: See APPENDIX 1 for a summarized list of these "new" and "enhanced"
requirements.
--------------------------------------------------------


APPENDIX 1
What has changed?


WHAT HAS CHANGED ?


There are a number of fundamental changes that have taken place during the latest
revision of the ISO 9000 series of standards. The major changes which have been made
in ISO 9001:2000 (compared with the 1994 version) include:
A NEW STRUCTURE that utilizes the "PROCESS APPROACH"
A totally new structure, which no longer uses the so-called '20 elements', but now follows
a "process approach" which is more like the way most businesses operate.
This is a movement away from a "procedurally" based approach to management, i.e.
stating 'HOW' you control your activities, to a "process" based approach which is more
about 'WHAT' you do.
At first glance, it would appear that the 2000 version has been completely rewritten;
what has actually happened is that most of the content of the 1994 version has been
redistributed into the new process model structure. In doing so, the text may have
been changed, but in many cases the intent of the original clause has not changed at all.
However it is true that some new requirements have been added and the major ones
are discussed briefly in section 5.4 of the TRANSITION PLANNING GUIDANCE for
ISO 9001:2000 that can be freely downloaded from:
www.iso.ch/iso/en/iso9000-14000/iso9000/transition.html
One beneficial outcome of this new "process approach" is that the weighting given to
the content via a main clause and sub-clause structure is now more appropriate to
business needs. In the 1994 version, the 20 clause numbering gave undue weight to some
aspects of relatively minor importance.
One STANDARD for CERTIFICATION
There is now only one management system "requirement" standard, i.e. ISO 9001,
where previously there were THREE requirement standards i.e. ISO 9001, ISO 9002 and
ISO 9003. In clause 1.2 of the new standard, provision has been made for those
organizations that have previously used ISO 9002 or ISO 9003 by permitting, under
certain conditions, some "requirements" to be excluded.
Terminology
A more logical use of terminology that is actually used in business practice has been
adopted, particularly in the description of the supply chain by the use of the following
terms:
supplier → organization → customer
It must be noted that the term "sub-contractor" no longer appears directly in the
standard and can now be used in the normal context of usage -- see attached Concept
Diagram for further clarification.
Continual Improvement
The need to link the various review and assessment activities to ensure that the Quality
Management System is continually improved is now a formal requirement. A continual
improvement process needs to be built into the Quality Management System now.


Customer satisfaction
A greater focus on the interaction between the organization and the customer - before,
during and after the product and/or service delivery - is now required. Customer
satisfaction takes a more significant role now in the new standard due to a requirement
that information on customer perception must be monitored about HOW well the
organization has met the customer's requirements.
Internal Communication
There is now a brand new requirement for an organization to have internal
communication processes in place to provide information on the Quality Management
System and HOW effective it is.
Competence
In assessing human resources and in training, the issue of competence has been
introduced and will have to be addressed within the organization in future.
The organization must now ensure that "people" in an organization
• are competent to perform their assigned work, and
• know HOW their jobs impact on the management of quality within the
organization as a whole.
There is now also considerably more flexibility within the new standard, which requires a
balance between documenting a process and the competence of the staff involved.
Fewer documented procedures to be demanded by auditors
The standard has shifted the emphasis on the need for documentation of procedures
from the standard to the organization. The 2000 version now requires your organization to
take responsibility for identifying and developing the "documents" (i.e. not necessarily
procedures anymore) you need for your business.
The standard now requires only six documented procedures to be formally compiled
by an organization in future. SMMEs might want to address these six requirements in
only THREE documented procedures.
The organization itself will need to decide WHAT other documentation is needed for it to
control its operations and processes.
Interaction between processes
The standard now more clearly defines that the production processes and the resultant
product(s) are part of the Quality Management System, i.e. organizations need to
understand that production of conforming product and/or delivery of conforming
service is included in and is part of the quality management system.
There is a requirement for the organization to describe all its processes and HOW
they interact.
Outsourcing
The standard now recognizes that organizations do outsource activities and now has a
requirement for the organization to ensure control over those processes, which provide
"outsourced" product and/or processes - see attached Concept Diagram for
"outsourcing" and "sub-contracting" relationships.


Other changes
There are a number of other changes, which are either a new requirement within a
clause or an extension of the requirement(s) of the 1994 version. Below are a few
EXAMPLES of these -- more detailed information can however be obtained in the
Australian Handbook mentioned below. This unique handbook compares the 2000 version
with the 1994 version on a clause by clause basis by utilizing the full text of both
versions, and NOT just by using a cross reference index as in ISO 9001:2000:
HB90.0:2000 - The ISO 9001 Comparison 2000 vs 1994
• The need to identify applicable statutory and regulatory requirements related to
the product.
• The need for more involvement by "Top Management" in the Quality Management
System.
• Greater compatibility has been achieved with
  - ISO 14000:1996 - Environmental Management System standard, and the
  - OHSAS 18001:1999 - Occupational Health and Safety Management
    System specification.
• The need to understand the so-called Eight Quality Management Principles that
form the foundation on which the new ISO 9000 series of standards have been
built.
------------------------------------------------


CONCEPT DIAGRAM FOR “OUTSOURCING” AND “SUB-CONTRACTING” RELATIONSHIPS

[Diagram not reproduced. Its labels are: SUPPLIERS, YOUR ORGANIZATION, SUB-CONTRACTOR, CUSTOMER, QMS, OUTSOURCE, PCON and POUT.]

Legend:
POUT: Process “outsourced” to a sub-contractor.
PCON: Process to control the “outsourced” process.
The remaining legend symbols (not reproduced) denote a process and an organization with a QMS.
