ISO Auditor Training


ISO 9001 Lead Auditor Training

Transcript of ISO Auditor Training

Page 1: ISO Auditor Training

ISO 9000 Lead auditor Training Page 1 of 96

ISO 9001 Lead Auditor Training

Module 0 Introduction
• About The Course
• Course Learning Objectives
• Student Assessment

Module 1 Fundamentals Of Quality Management Systems
• Quality
• Quality Management
• Quality Management Principles

Module 2 QMS Standards And ISO 9001:2000 Overview
• Quality Management Standards
• Process Model And Continual Improvement
• The Systems Approach To Quality Management
• ISO 9001:2000 Requirements
• Quality System Documentation

Module 3 QMS Audits
• Key Audit Definitions And Concepts
• Types Of Audits
• The Auditor Within The Audit System
• Principles Of Auditing
• RAB Accreditation Program
• RAB/IATCA Code Of Conduct
• Registration Process
• Audit Perspectives

Module 4 Managing An Audit Program
• Audit Program Process Flow - Plan, Do, Check, Act
• Authority For Audit Program
• Establishing The Audit Program
• Implementing The Audit Program
• Program Monitoring And Review

Module 5 Audit Activities
• Initiating The Audit
• Local Customs And Culture
• Conducting Documentation Review
• Preparing For On-Site Activities
• Audit Strategies And Audit Plan
• Checklist Preparation – Process Approach

Module 6 Audit Activities – Conducting On-site Audits
• Opening Meeting
• Communicating During The Audit
• Collecting And Verifying Information
• Generating Audit Evidence
• Recording Non-Conformities
• Reaction Of Auditees
• Audit Conclusions
• Closing Meeting
• Closing Meeting Scenarios

Module 7 Audit Activities - Reporting
• Audit Reports And Records
• Approving And Distributing The Audit Report
• Close Out

Module 8 First, Second And Third Party Audits – A Perspective
• First Party Audits
• Second Party Audits
• Third Party Audits

Module 9 Auditor Competence Requirements
• Personal Attributes
• Knowledge And Skills
• Education, Work, Training And Audit Experience
• Maintenance And Improvement Of Competence

Appendices
• Appendix A – Glossary Of Terms
• Appendix B – References

Practice Exam Questions And Exercises
• Exercise 1 - Multiple Choice Questions
• Exercise 2 - Multiple Choice Questions
• Exercise 3 - Multiple Choice Questions
• Exercise 4 - Short Essay Questions
• Exercise 5 - Long Essay Questions
• Exercise 6 - Handling Audit Situations
• Exercise 7 - Writing Nonconformities

http://www.askartsolutions.com

Module 0 - Introduction

0.1 About the course

This online ISO 9001 Lead Auditor training is provided free. It reflects what you will typically learn at any formal accredited lead auditor training course provided by a Registrar or certification body. What is missing is the direct interaction between the instructor and the student, which is vital to such training. Direct interaction provides explanation of details, finer points and answers to questions.

Should you take this course? To learn more about who should take this course, read the ISO 9001 Lead Auditor Training FAQ.

However, should you decide to become an ISO 9001 Lead Auditor and take a formal accredited course, the online ISO 9001 auditor training material provided here will give you significant insight and detail to ensure your success.

Formal ISO 9000 Lead Auditor training covers five days (40 hours in-class time) and is designed for students who have had a prior review of the ISO 9001:2000 standard and some audit experience. This background will enable students to better appreciate and learn the principles and practices of effective quality management system auditing in accordance with ISO 19011, which is the ISO auditing standard for quality and environmental management systems.

It is equally suitable for personnel wishing to carry out first party (internal auditing), second party (external auditing - suppliers) and third party (on behalf of one organization on another) audits.

The accredited ISO 9001 Lead Auditor training formal course typically requires formal classroom sessions, exercises in small teams and open forum discussions. In order to gain the greatest benefit from the formal course, it is recommended that students reside at the course venue for the duration of the course. The closest similar experience this online training will provide is plenty of exercises to test your learning.

While some specific industrial examples may be utilized, the course places no particular emphasis on any industry. It is as relevant to service as it is to the manufacturing industry.

The course is prepared in nine modules within an overall framework that complies with the requirements of ISO 19011. To get the most out of this on-line ISO 9001 Lead Auditor training course, you should take notes and reread each module more than once. Don't forget to do all the exercises provided at the end of this course.

Throughout this ISO 9001 lead auditor training material, reference is made to the ISO 9001 Standard and other supporting standards. It is very important that you read these reference documents, as they go hand in hand with this course and are essential to passing the formal ISO 9000 Lead Auditor Course should you take it.

0.2 Course Learning Objectives

0.2.1 ISO 9000 Quality Management System (QMS) Standards:

Upon successful completion, you should understand:

• The purpose and intent of ISO 9000 series of standards.
• The concept of “consistent pair” (ISO 9001 and ISO 9004).
• Key audit concepts and definitions.
• How to correctly interpret ISO 9001 requirements and related audit evidence.
• How to evaluate the effectiveness of a QMS, processes, customer focus and continual improvement.
• The eight Quality Management Principles and how they relate to ISO 9001.
• The documentation required by ISO 9001 and their application to a variety of situations.
• The interrelationship between quality documentation, planning, policy and objectives.
• The difference and significance between legal conformity and conformity with ISO standards, when conducting audits.
• The effective evaluation of product realization and supporting processes.
• The concept of processes, their controls and interrelationships.
• The purpose and intent of management review, internal quality auditing and monitoring of the QMS.
• The development of the ISO 9000 series and ISO 19011.
• The impact of these developments on the audit process.
• The need for auditors to keep up to date.

0.2.2 - Audit Process

Upon successful completion of the ISO 9001 Lead Auditor Training, you should understand:

• Systems for accredited registration and how accreditation bodies, registrars, training and auditor registration bodies operate.
• The registration process for an organization’s QMS.
• The different types of audits and the roles and responsibilities of participants.
• The need for auditors to be sensitive to local customs and obey auditee rules and regulations.
• The need for confidentiality during the audit process.
• The roles and responsibilities of audit team participants.
• The RAB registration criteria and Auditors’ Code of Conduct.

0.2.3 Audit Planning

Upon successful completion of the ISO 9000 Auditor Training, you should understand:

• How to plan and organize all aspects of the audit.
• The importance of scope relative to accreditation, registration, QMS structure and content, audit plan and audit team selection.
• The benefits of pre-audits and information and resources to effectively plan such audits.
• The benefits and risks of checklists and how to prepare one.

0.2.4 Performing the Audit

Upon successful completion of the ISO 9000 Training, you should understand how to:

• Manage and perform all aspects of an audit.
• Explain the purpose of opening, closing and interim meetings.
• Apply communication and interpersonal skills.
• Know and apply the structure and intent of documentation.
• Identify auditor attributes and qualifications.
• Take notes and write nonconformity reports.
• Explain the risks and benefits of sampling during audits.
• Collect and evaluate evidence effectively.

0.2.5 Audit Reporting and Follow-up

Upon successful completion of the ISO 9000 Lead Auditor Training, you should understand how to:

• Summarize, record and present clear and concise audit and nonconformity reports.
• Evaluate and classify nonconformities.
• Explain the difference between corrective and preventive action.
• Evaluate proposals and implementation of corrective and preventive action.
• Make recommendations on QMS systems for registration.
• Explain the role and responsibility of auditor and auditee during all stages of the corrective action process.
• Explain the purpose of ongoing surveillance audits.

0.3 ISO 9000 Lead Auditor Training - Student Performance Evaluation

In order to pass the formal ISO 9001 Lead Auditor Training course, students must pass daily continual evaluation and a written exam. Students must obtain the minimum marks required for each assessed activity. Here is an example of a typical Student Evaluation System:

• Daily continual assessment
• Daily module exercises - role playing, interviewing and situation handling, etc.
• Presentation exercises
• Opening and Closing meeting exercises
• QMS Audit Summary Report
• Written examination

0.3.1 ISO 9000 Lead Auditor Training

The formal accredited Lead Auditor Training Course is designed to be at least 50% interactive, as auditing is a highly interactive activity. Students will be evaluated daily on a number of areas such as attendance, punctuality, class participation, attitude, time keeping, auditing capability, performance as team members, written assignments, role playing, and written and verbal communication and interactive skills.

The instructor will record the student’s contribution to, and participation in, all course activities. These notes will be used to assign daily marks for student performance. If an individual student’s performance on any of the above criteria is not satisfactory, the instructor(s) will discuss these concerns privately with the student and arrange additional coaching where appropriate. The continual assessment marks and specific feedback comments or concerns will be considered in the overall assessment of the students.

0.3.2 Daily Assessment Scoring

The score is determined by reference to the following scale:

A score of 1 = Very Poor.
A score of 2 = Poor.
A score of 3 = Satisfactory.
A score of 4 = Good.
A score of 5 = Very Good.

The scores will be entered on the student assessment record.

Scoring is completed when the instructors have sufficient evidence to make a reasonable assessment. The assessment is worth 25 marks; minimum pass 15.

0.3.2.1 Attendance Policy

Students are expected to be in attendance for the full duration of the ISO 9000 Lead Auditor Training course including evening workshops. Failure to do so will be reflected in the continuous evaluation.

0.3.3 ISO 9000 Lead Auditor Training - Written Examination (final day)

The instructor will explain the exam format towards the end of the week. Sample exercises are provided at the end of this online course for you to practice applying your knowledge and learn examination time management. The exams are typically 2 hours long and have a variety of questions. These include multiple choice; true or false; short essay; long essay; and evaluating audit findings.

The exam is usually open book, meaning that you will be allowed the use of the ISO 9001 Standard as well as any course materials given to you as part of the Lead Auditor course, including any notes you make on them. However, you will not be allowed to use any other books or materials or your laptop.

Most students have difficulty managing their time answering exam questions. One reason is that students waste time rifling through their course binder trying to find the answers instead of logically trying to answer the question. You should use post-it tabs during the course whenever the instructor provides hints about important material/topics. This will save a lot of valuable time when writing the exam.

It is also important for you to scan through the exam and put approximate times beside each question or set of questions, and move on when you use up the time for that question. Also decide on your exam strategy (do you answer high mark questions first or easy questions first, etc.) and stick to it. Lead Auditor training exams are usually worth 100 marks with a minimum pass of 70 marks.

0.3.3.1 Facilities for Re-sit

A student who failed the written examination but has passed the continual evaluation is allowed one re-examination. A different exam paper is used for the re-examination. The re-examination is taken in the presence of an approved instructor as described in the course procedures. If a student fails the re-examination, the complete ISO 9000 Lead Auditor Training course must be retaken to become eligible for another examination.

0.3.4 ISO 9000 Lead Auditor Training - Complaints and Appeals

Appeals or complaints can be communicated to the training instructor or the Registrar providing the training. All issues will be documented and responses will be provided in a timely manner. If an appropriate resolution cannot be reached between the student and the Registrar, the RABQSA may be requested to arbitrate.

MODULE 1 - Fundamentals Of Quality Management Systems

1.1 Meaning Of the term - Quality

Quality has many meanings, many of them subjective, such as the term “excellent” or “outstanding” quality. In the quality management field, quality has a more specific meaning.

Definitions

According to ISO 9000:2000, quality is defined as “the degree to which a set of inherent characteristics fulfills requirements”.

Requirements that need to be fulfilled in a contractual situation typically relate to the provision of a specific product, service or intangible item such as intellectual property. Requirements may be stated or implied. In a contractual situation, stated needs are specified in contract requirements and translated into specific product or service features, functions and characteristics with specified acceptance criteria.

Implied needs, on the other hand, are basic features and characteristics that are identified and defined by the manufacturer, based on knowledge of the marketplace expectations. For example, the implied characteristic of a watch is its basic ability to provide accurate time. Stated characteristics may be “options” stated by the marketplace, such as being waterproof, serving as a stopwatch, and having light, alarm, month and day features.

The ISO definition goes further in that it may include related characteristics beyond product or service, such as delivery, packaging, labeling and billing, as well as processes and systems within the supplier’s organization. A customer may specify some or all of these characteristics.

A problem or nonconformity in any of these areas may lead to customer dissatisfaction. An organization must ensure that it has systems and controls to assure that it can consistently fulfill all these requirements and enhance customer satisfaction.

The needs of customers vary and change over time. Therefore, companies should review quality requirements periodically. Requirements may also come from regulatory, statutory, industry and other sources. An organization must be aware of and ensure that all these diverse requirements are defined and met.

It could therefore be stated that ‘quality’ includes all of the characteristics of an organization’s products, services, processes, support and management system that contribute to meeting requirements and enhancing customer satisfaction.

An organization applying this broader definition would then have to consider the following four facets of quality:

• Defining marketplace requirements and opportunities
• Designing the product to meet marketplace requirements
• Consistently conforming to product design
• Providing product support throughout the product’s life cycle

An effective ISO 9001 quality management system must address all four facets of quality.

Also see ISO 9000 Lead Auditor Training - Appendix for Key Definitions

1.2 ISO 9000 Lead Auditor Training - Quality Management

The principal objective of any business is to make money and stay in business. It accomplishes this by providing a product or service that meets the demands and requirements of the marketplace. In order to ensure its share of marketplace demand, a company must ensure its ability to retain repeat business.

Customers provide repeat business to those companies that can consistently meet their quality expectations: delivery of the right product and quantity; in the right packaging; at the right time and place; at the right price; that meets requirements and satisfies the customer. Customers demand assurance that their suppliers can measure up to this expectation for consistency and will take active measures to provide this assurance.

Senior management must ensure that its management of quality - organizational structure, responsibilities, processes, documentation of processes, controls, training and resources - is determined and available to the organization in order to achieve quality assurance in the manner described above.

Having established what is meant by quality, some consideration must be given to the various quality management tools that are available for implementing an effective quality management system.

The definition of Quality Management is “coordinated activities to direct and control an organization with regard to quality”. A management system developed and implemented based on the ISO 9001:2000 quality management system standard provides assurance through applying the following four tools:

• Planning activities (Quality Planning)
• Prevention activities (Quality Assurance)
• Conformity activities (Quality Control)
• Continual improvement activities (Quality Improvement)

In order to meet the broader definition of quality described in section 1.0, an organization must control the processes it uses to meet (customer and other stakeholder) requirements.

To apply the four tools, an organization may use the controls (requirements) of the ISO 9001 standard and the eight quality management principles. Managing the organization’s processes in this way significantly improves customer confidence and assurance of the organization’s ability to consistently meet requirements. It also provides the objective evidence that customers seek for an effective quality management system.

1.3.1 Quality Planning – is defined as the part of quality management focused on setting quality objectives and specifying necessary operational processes and resources to fulfill quality objectives.

An organization must identify the processes, resources and controls needed to meet defined quality objectives (customer and organization). Specific requirements from the ISO 9001 standard, coupled with the customers’ and organization’s requirements, are used to plan for meeting quality planning requirements.

Quality planning will also include planning for the quality assurance, quality control and quality improvement activities.

1.3.2 Quality Assurance - is defined as the part of quality management focused on providing confidence that quality requirements will be fulfilled. It includes all the proactive controls to prevent problems, associated cost and customer dissatisfaction.

The intent of prevention is to look at requirements, design, processes, activities, etc., and define controls at the source (the design and planning stages). Controls should address structure, organization and resources to prevent or minimize the occurrence of problems in product, processes and activities.

Examples of preventive controls include employee training, supplier qualification, preventive maintenance on equipment, process capability studies, etc.

1.3.3 Quality Control – is defined as the part of quality management focused on fulfilling quality requirements. Ideally, prevention based controls should prevent problems from occurring, but in reality, no system is foolproof and problems do occur. Accordingly, controls to detect quality problems must be established so that customers receive only products that meet their requirements.

Detection based controls are reactive – the problem and cost have already occurred and the company is resorting to damage control. The intent of detection is to evaluate output from processes and activities by implementing controls to catch problems when they do occur. For example, final inspection to catch defective product before it gets shipped.

1.3.4 Quality Improvement – is defined as the part of quality management focused on increasing the ability to fulfill requirements. Continual improvement results from ongoing actions taken to enhance product characteristics or increase process effectiveness and efficiency. This is one of the key characteristics that differentiate a quality management system from a quality assurance system, i.e., being able to improve the effectiveness and efficiency of a process or activity by setting measurable objectives and using performance data to manage the achievement of these objectives.

Effectiveness is defined as the extent to which planned activities are realized and planned results are achieved. In determining the effectiveness of quality assurance and quality improvement activities, the following questions should be asked:

– To what extent have problems in product or processes been prevented?
– To what extent have planned objectives for quality been met?

Efficiency is defined as the relationship between result achieved and resources used. The measure of efficiency is determined by asking the following:

– Can we get the same output using fewer resources?
– Can we get more output without adding resources?

These questions may be applied to the output of any activity within the quality management system of an organization.

It should be noted that ISO 9001 requires organizations to achieve QMS effectiveness through quality assurance and continual improvement activities. QMS efficiency is desirable, but not currently required by ISO 9001. ISO 9004 provides guidelines that consider both the effectiveness and efficiency of the QMS.

Quality improvement actions may include:

• Measuring and analyzing situations
• Establishing improvement objectives
• Searching for possible solutions
• Evaluating these solutions
• Implementing the selected solution
• Measuring, verifying, and analyzing results
• Formalizing the changes

MODULE 2 - History Of ISO 9000 QMS Standards

2.0 ISO 9000 Quality Management Standards

As a result of many lessons learned during the 2nd World War about the quality of ordnance, some basic principles were formulated, such as the MIL-Q-9858A military quality standard published by the US Department of Defense.

NATO later published similar standards as the AQAP series of documents. In England, the British Standards Institution (BSI) developed the first “commercial” quality assurance standard in 1979. These standards were designated as BS 5750 series, Part 1, 2, and 3.

Despite the commonality among these early quality standards, there was no consistency until ISO Technical Committee 176 issued the ISO 9000 series of standards in 1987.

The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies (ISO member bodies). The American National Standards Institute (ANSI) is the US member body to ISO. The American Society for Quality (ASQ) administers the technical advisory group (TAG) to TC 176 on behalf of ANSI.

In 1987, the Standard was produced in five parts:

ISO 9000 was a guide to the selection and use of the appropriate part of the ISO 9000 series of standards.

ISO 9004 was a guide to overall Quality Management and the Quality System elements within the ISO 9000 series. It also provided guidance in other areas, such as marketing and quality costing.

ISO 9001 related to Quality System Requirements for design, development, production, installation, and servicing.

ISO 9002 related to Quality System Requirements for production, installation, and servicing, in other words, where the design is externally done or is static.

ISO 9003 specified the Quality System to be used for final inspection and test.

The ISO 9000 series of standards were reissued in 1994 to include clarifications and again in 2000 to reflect a new process approach and expand on the requirements and guidance.

Time Line: The development of quality standards can be summarized as:

1963: MIL Q9858A (US Military)
1969: NATO AQAP (NATO)
1970: US 10 CFR 50 (US Federal Regulation)
1971: ASME Boiler Code (Mechanical Engineering)
1979: BS 5750 (British Standard)
1985: CSA Z.299 Revision (Canadian Standard – sector specific)
1987: ISO 9000 (International Standard)
1991: ISO 10011 (International Standard)
1994: ISO 9000 Revision (International Standard)
2000: ISO 9000 (New Structure) (International Standard)
2002: ISO 19011 (International Standard)

The current ISO 9000 family is a coherent set of quality management system standards consisting of:

ISO 9000:2000 Describes fundamentals and terminology for a quality management system.

ISO 9001:2000 Specifies requirements for a quality management system and can be used to demonstrate an organization’s capability to provide products that fulfill customer and applicable regulatory requirements and aims to enhance customer satisfaction.

ISO 9004:2000 Provides guidance on improving the performance (effectiveness and efficiency) of an organization and satisfaction of customers and other interested parties.

ISO 19011 Provides guidance on auditing quality and environmental management systems and forms the basis for this ISO 9000 lead auditor training course.

2.1 Year 2000 Revisions

The ISO 9000 series of standards are subject to continuous review. This course uses the ISO 9001:2000 standard. The changes in this standard were based on the results of a global survey conducted by ISO Technical Committee 176 in 1997, which suggested to:

• Use simple language and terminology
• Describe business activities using a process model approach
• Address continuous improvement
• Improve compatibility with other standards
• Address customer satisfaction more strongly
• Ease ISO 9000 and ISO 14000 integration

Other suggestions from the survey were to:

• Make standards more business oriented
• Provide guidance on omitting requirements
• Make suitable for all size organizations
• Remove the manufacturing orientation
• Make suitable for any industry sector
• Facilitate self-assessment of quality system
• Provide easy transition to new standard

2.2 ISO 9001 Quality System Documentation

Two of the most important objectives in the revision of the ISO 9000:2000 series of standards have been to develop a simplified format that addresses:

• Small, as well as medium and large, organizations
• The need for the amount and detail of documentation required to be more relevant to the desired results of the organization’s process activities

Organizations (and in particular small organizations) may be able to demonstrate conformity without the need for extensive documentation.

This training course emphasizes an analysis of the processes as the driving force for defining the amount of documentation needed for the quality management system, taking into account the requirements of ISO 9001:2000. It should not be the documentation that drives the processes.

Management should define the documentation needed to implement, maintain, and improve the quality management system. This documentation may include:

• Policy documents (including the quality manual)
• Documentation for the control of processes
• Work instructions for specific job tasks
• Standard formats for data collection and reporting

Level 1: ISO 9001 Quality Manual

The quality manual, sometimes referred to as the policy manual, typically includes:

• Organization quality policy and objectives
• Policies related to the ISO 9001 requirements
• Any exclusions of ISO 9001 requirements and related justification
• Overview of the organization and its functions
• Overview of its products, services, and sites
• Sequence and interaction of the processes
• Management responsibility for policies and processes
• Marketing or promotional information
• Inclusion or references to the next documentation level (procedures)

The quality manual is useful to:

• Customers - provides assurance
• External auditors - facilitates the audit
• Employees - useful as a training aid

The quality manual must be approved by management and placed under document control.

It may be structured:

• In the order of the ISO 9001 clauses
• In the way the company does business (with references to where the ISO 9001 requirements are addressed)

Level 2: ISO 9001 Quality System Procedures

• Describes the who, what, when, and where of the quality system processes

• Describes the inter-departmental controls that address the ISO 9001 requirements

• May be in ISO 9001 order or any order practical to the company

• Should describe the process flow, linkages, combination and interaction among departments

• Should reference the lower level documentation (operational documentation)

• Should involve participation of department personnel in writing them

• Must be available, known, and used by pertinent personnel

• Must be kept up to date and changes controlled

Level 3: Operational documentation

• Explains details of specific tasks or activities – the how of performing a specific task, making or verifying process and product activities

• Includes documents such as quality plans, forms, drawings, flowcharts, workmanship standards, work instructions, product or service specifications, machine manuals, visual displays, computer templates, photographs, and illustrations

• Need for documentation may be based on the complexity of products or processes, skills, training, education, stability of the work force, past problems, customer and regulatory requirements, industry standards, and requirements

• Must be available, known, and used by pertinent personnel

• Must be kept up to date and changes controlled

Level 4: Records

• Provide objective evidence that quality activities were carried out and results achieved in accordance with levels 1, 2, and 3 documentation.


• May be mandatory or implied for each ISO 9001 clause

• May have records beyond ISO 9001 requirements

• Examples are records of inspection, calibration, management review, training, audit reports, design review, purchasing, and nonconforming product reports

2.3 ISO 9001 Quality Planning

Quality planning is an integral part of the quality management system. It is performed for the activities and resources necessary to satisfy the quality policy and objectives (see sub-module 1.2). Quality planning considers:

• Customer needs and expectations

• Resources and competencies

• Design and operation compatibility

• Lessons from prior experiences

• Verification and validation activities

• Measuring and monitoring devices

• Acceptance criteria and records

• Product and process performance

• Opportunities for improvement

• Risk assessment and mitigation

Quality planning should be done in conjunction with the review of requirements related to the product, and through all phases of designing and producing a new product or service. Quality planning may reference existing controls, procedures, processes, and criteria. The output of quality planning is a quality plan, which may exist in many forms such as planning minutes or a completed planning checklist. Evidence of quality planning will be discussed later in this ISO 9001 Lead Auditor Training Course.

2.3.1 ISO 9001 Quality Plan

• May relate to a specific product (or group of similar product), service, contract or project.

• Specifies the sequence of processing activities; quality requirements and resources; acceptance criteria; frequency, scope and responsibility for measuring, monitoring, inspections and tests; measuring devices to be used; and records kept.

• Used by operational personnel to ensure specific quality requirements are met

• May make reference to other procedures and specifications

• May become a record if verification or inspection results are recorded on the document.

2.4 Application of ISO 9001 QMS Documentation

The documentation hierarchy described in section 2.2 should be applied with flexibility.

The format of the manual is a decision for each organization, and will depend on the organization’s size, culture and complexity.

A small organization may find it appropriate to include the description of its entire QMS within a single manual, including all the documented procedures required by the standard.

A large, multi-national organization may need several manuals at the global, national or regional level, and a more complex hierarchy of documentation.

Other factors that might affect the extent of documentation include:

• Some organizations (particularly larger organizations, or those with more complex processes) may require additional documented procedures in order to implement an effective QMS.

• Other organizations may require additional procedures, but the size and/or culture of the organization could enable these to be effectively implemented without necessarily being documented.

In order to demonstrate conformity with ISO 9001:2000, however, the organization must be able to provide objective evidence that its QMS has been effectively implemented.

Top management commitment is paramount to successful implementation and registration. This is perhaps the most frequent reason for failure to obtain successful registration. Management must provide the leadership, organization, resources, and their involvement to ensure success. Lack of management commitment will be noticed by employees and affect their own attitude and support of the system.

Evidence of adequate QMS documentation will be discussed later in this ISO 9001 Auditor Training Course.

The system must be formal, which means it must be documented, approved, communicated, available, and personnel trained in its consistent use.

The ISO 9001 standard specifies requirements that emphasize prevention. Methods employed to implement the quality system must focus on controlling and managing processes on a proactive basis, rather than a reactive basis.

Planning and proving controls and processes prior to full implementation is a big part of a successful prevention based approach. Personnel must be trained to ensure their understanding and use of the quality management system.

• Proper channels of communication must be established to ensure active participation, teamwork, and cooperation of all personnel. In the quality system development and implementation process, top management must frequently review progress and take steps to resolve any hurdles and conflicts.

2.5 ISO 9001 Documentation Review

Generally the following questions need to be addressed:

• Are all requirements addressed?

• Does the documentation scope match the audit scope?

• Is top management commitment defined?

• Have the responsibilities been defined?

• Has the documentation structure been defined?

• Are methods described consistent with the requirements?

• Are documentation levels referenced?

• Is there adequate documentation control?

Most Registrars conduct a review (stage 1) of a company’s readiness and documentation, weeks or months in advance of the stage 2 implementation audit. This is done for a number of reasons. If there are any omissions or deficiencies in the documentation, the auditor must point these out to the company, through the issue of a (documentation) nonconformity.

The company will have the opportunity to correct these, as well as implement the corrected requirements.

Some Registrars may require anywhere from 1 to 3 months after the stage 1 review before they will conduct the stage 2 implementation audit.

If the review reveals that the organization's readiness and documentation are inadequate, the auditee and client must be notified. Further resources should not be spent on the audit until all shortcomings are addressed to the satisfaction of the auditor and client.


2.6 Benefits of an Effective ISO 9001 Quality Management System

Documents are an important part of a quality management system since they communicate intent and initiate consistent action. The benefits of a documented and conforming quality management system include:

External

• Improves customer confidence and satisfaction

• Improves conformity to quality requirements

• Increases competitive edge and market share

Internal

• Improves efficiency and productivity

• Reduces waste, inefficiencies, and defects

• Facilitates continual improvement

• Improves process consistency and stability

• Provides basis for training programs

• Improves employee motivation and participation

• Contributes to provision of objective evidence

• Improves supplier performance

• Increases profitability


Module 3 ISO 9001 Quality Management System Audits

3.1 What is an ISO 9001 Quality Management System Audit?

An audit is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.

Audits are structured and formal evaluations. The term systematic means the company must plan and document its system for auditing. It must have management support and resources behind it.

Audits must be performed in an impartial manner, which requires auditors to have freedom from bias or other influences that could affect their objectivity. For example, having responsibility for the work, or a vested interest or shares in a supplier or third party company they are assigned to audit, would be conflicts of interest.

Internal audits must be carried out to a documented procedure according to clause 8.2.2 of ISO 9001. The procedure must address the responsibilities for conducting the audits, ensuring independence, recording results, and reporting to management. All of these topics will be covered in this ISO 9000 Lead Auditor Training.

Audits obtain objective evidence of conformity with requirements. The evidence must be based on fact and may be obtained through observation, measurement, test, or by other means.

Evaluating the extent to which audit criteria are fulfilled involves an assessment of both implementation and effectiveness. Is the organization practicing what it described in its documentation? Are the practices being carried out well? The presence of nonconformities in a department or process may indicate the system is ineffective for those areas. These issues will be addressed in later pages of this ISO 9001 Lead Auditor Training Course.

3.2 ISO 9001 Audit Objectives

Always establish the objectives of the audit. Audit objectives are not limited to the ISO 9001 standard.

Clear audit objectives help determine the scope and depth of the audit, as well as the resources needed. Being clear on the objectives provides focus and helps keep the auditor from being distracted and going off on unnecessary detours beyond the scope of the audit.

Audit objectives include:

• Evaluating conformity of documentation to ISO 9001

• Judging conformity of implementation to documentation

• Determining effectiveness in meeting requirements and objectives

• Meeting any contractual or regulatory requirements for auditing

• Providing an opportunity to improve the quality management system

• Permitting registration and inclusion in a list of registered companies

• Qualifying potential suppliers

ISO 9000 Lead Auditor Training - Certification Audit Stages

The stage 1 readiness audit includes a documentation review (or audit of intent) that compares the quality management system documentation to the ISO 9001 standard. If an auditee does not have a documented system for a required part of ISO 9001, a nonconformity is issued.

At the stage 2 audit the auditor must then establish the extent to which that intent has been put into practice, in other words, implemented. Next, and equally important, the audit must assess and evaluate whether the practice is effective in achieving the defined objectives.

This (implementation) and (effectiveness) stage is the active part of the audit where the auditor checks practices against the documentation. This is commonly termed the conformity audit. If a procedure states that a process will operate in a particular way, and the auditor finds that the process is operating in another way, then the nonconformity will be issued against the procedure. Since the overall assessment is against the Standard, the relevant clause of ISO 9001 will also be referenced.

Contract Requirements: The requirements placed on one organization by another take priority and such requirements may be considered during an audit.

Regulatory Requirements: These requirements are mandatory and cannot be avoided by contract or any other means. The requirements are audited only to the extent that the organization has evidence to show compliance. The external quality systems auditor does not do an in-depth audit of such requirements.

Quality Management System Improvements: Audits generally uncover weaknesses in the system requiring corrective action. However, there may be several areas where controls may be barely adequate, leaving plenty of opportunity for improvement. These opportunities may come to light during the audit or may be pointed out by the auditee. Management must be made aware of all such opportunities so that decisions may be made to take appropriate actions if warranted to improve the system.

Many companies, either because of contractual requirements or for performance improvements, pursue quality system registration. Successful registration leads to the Registrar listing the company on a Register of Certified Companies. This register is made available to the public as a reference for sourcing of registered suppliers and for purchasing decisions. Thus, registration may provide a competitive edge for many companies.

Although not a mandatory requirement, many companies choose to audit their suppliers as a basis for qualifying them as an approved source of supply. This may be done by the company itself or may be subcontracted to a consultant.

3.3 Audit Stages

An audit requires three distinct evaluations of an organization's QMS against the ISO 9001 standard. These evaluations are required to be performed on-site at two different stages.

The first stage evaluates the organization's QMS intent and state of readiness. The ISO 9001 Lead Auditor needs information from the organization explaining how it conforms to the Standard. This evidence may be produced in the form of a Quality Manual and related documentation that has to be evaluated by the auditor to see whether the system outlined in the document conforms to the Standard. The auditor will also determine if key review tasks have been completed by the organization, such as internal audits and management review of the QMS.

This is the first stage of audit - the evaluation of readiness and intent as expressed in the QMS documentation. The ISO 9001 Registrar will usually require the auditee to correct any stage 1 nonconformities and allow sufficient time for implementation (1-3 months) before conducting the Stage 2 Audit.

In the Stage 2 audit, the auditor then needs to determine the degree to which actual practice conforms to the QMS documentation, customer and any applicable regulatory requirements. Based on the evidence gathered, the ISO 9000 Lead Auditor will assess QMS effectiveness. All the audit findings are recorded and analyzed to assess the extent to which the planned QMS activities are realized and planned results achieved. A significant number of minor nonconformities, particularly if they are recorded against just one clause of the standard, will give an indication that the system is not effective. Likewise, the recording of a major nonconformity indicates a lack of adequate implementation or effectiveness.

Each stage must be allocated time, systematically carried out, and carefully analyzed.


3.4 Audit Types

Research of various quality management publications will yield much information about audits. At first glance, there appears to be an endless list of different types of audit.

Audits that are carried out to determine whether an organization conforms to a quality Standard may be termed Quality System Audits. This type of audit requires the auditor to use a fair degree of judgement to establish whether controls are adequate. Many second and third party audits are carried out as Quality System Audits, as are many audits for the purpose of consultancy.

Audits that are carried out against specifically defined practices, procedures, and instructions, and that are perhaps (but not necessarily) more limited in their scope, are termed conformity audits. Many internal audits and many contract related audits between two parties are carried out as conformity audits.

Ongoing Surveillance audits (different from a surveillance inspection) refer to post-registration QMS audits. Registrars typically conduct a partial audit every 6 or 12 months to ensure ongoing system conformity. Therefore, they are also known as conformity audits.

Process and product audits are subsets of QMS conformity audits and therefore limited in scope.

An ISO 9001 process audit evaluates the controls and characteristics of a specific process, as well as its relationship with other processes, and may include using some or all of the following approaches:

• Individual processes in terms of:

- Input / Output / Value-added activity

- Plan / Do / Check / Act

• Relationship to other processes in terms of:

- Flow / Sequence / Linkage / Combination

- Interaction / Communication

• Customer contract for conformity to contractual requirements through the various processes used to fulfill the customer’s order

• Audit trails – following concerns or unresolved issues to processes or departments that are beyond the scope of a specific audit.

Process audits may include the following processes, as well as related sub-processes – quality management system; management responsibility; resource management; product realization; measurement, monitoring and improvement.

A product audit is a process audit that focuses on the processes needed for product realization. Remember the definition of product includes service. A product audit would also apply to provision of a service, a project or a contract.

A QMS registration audit is conducted by a Registrar to evaluate a company’s quality system documentation, as well as implementation, for the purpose of registering it as a registered company.

A pre-assessment audit usually refers to a quality management system audit (documentation and implementation) done a few months prior to a formal registration audit. It helps a company determine the degree of readiness and focus on weak areas.

For the purposes of this discussion, however, there are two basic types, further sub-divided according to different emphases and objectives. The two types are external audits and internal audits.

3.4.1 External Audits

These are audits done outside one's own organization, and there are at least two distinct types of external audit: second party and third party.


3.4.2 Second Party Audits

These audits, carried out by one company on another, originally came from the idea of an organization auditing its suppliers. There are a number of reasons why an organization may wish to audit its suppliers.

1. One method to satisfy clause 7.4.1 of the Standard

2. Input to selecting, grading, and approving suppliers

3. Help to improve supplier Quality Management Systems

4. Mutual understanding of quality requirements

Many major organizations carry out second party audits to advise user departments of areas of weakness in suppliers so appropriate contract and/or surveillance mechanisms can be instigated if the supplier is to be given work. It can also highlight likely additional costs.

3.4.3 ISO 9001 Third Party Audits

As a result of the growth in interest in Quality Assurance during the 1960s and 1970s, more and more second party audits were being carried out. Some companies in certain fields had to employ people whose sole task was to accompany visiting auditors around the company! Clearly this state of affairs was helping nobody, particularly the supplier.

After considerable discussions at national levels, the ISO 9000 scheme was introduced to rationalize all the assessment schemes as a third party audit operated by an independent body that would certify companies as conforming with the Standard (or not, as the case may be). Various bodies became registration bodies (Registrars) and BSI, UL, SGS, DNV, and NQA are prominent examples.

It was also recognized there should be a body overseeing the activities, principles, and policies of the Registrars. In the USA, that body is the RABQSA. RABQSA International, Inc. was formed January 1st, 2005 from the merger of the Registrar Accreditation Board and The Quality Society of Australasia International. In Canada, it is the Standards Council of Canada.

The RAB/QSA has developed a National Accreditation Program (NAP) for accrediting Registrars. Any organization wishing to become a Registrar needs to satisfy the various requirements of initial and periodic assessments by the RAB/QSA.

There are different types of registration, but the main interest here is on the Registrar’s Quality Management System assessment and registration. On payment of an initial fee to the Registrar, they will assess your Quality Management System to ISO 9001 and, depending on the results of the assessment, the organization would become registered.

This is an indication that, at the time of assessment, the organization had the management systems in place to potentially supply product (within the scope of the assessment) in conformity with customer requirements. Thereafter, the organization pays an annual fee for the continuing assessment visits by the Registrar.

Accredited Registrars also publish a ‘Register of Certified Companies’ that includes all Registered Firms. This means that other organizations could use it and might not, in many cases, feel the need to audit those companies. This scheme has grown steadily and many organizations are beginning to take advantage of the benefits.

For example, buying organizations may use the Registrar’s ‘Register of Certified Companies’ to provide some assurance about their suppliers, and selling organizations can use it as a marketing feature. Certainly it saves buying organizations the cost of carrying out audits, and selling organizations the cost and disturbance of undergoing audits.


3.4.4 First Party Audits

First party audits are carried out by an organization on itself to confirm to management that their documented quality management system is working effectively. An organization’s own defined and documented system forms the basis for this audit.

Reasons for a first party audit:

1. ISO 9001 clause 8.2.2 requires it

2. Control and feedback mechanism for management

3. Correction of nonconformities before external bodies find them

4. Systematic improvement of the organization

Some thought would, of course, generate further reasons. As in second party, if the audits are done only for reason (1) or (3) above, the value is going to be limited. By establishing an internal audit program, management is making available an extremely useful and powerful tool for improving business, and for assessing the effectiveness of the quality management system.

Of course, in considering (3) above, it means that if an organization is to find for itself the kinds of nonconformities that external bodies are likely to find, it should, if possible, carry out its audits in a similar way to the Registrars. It must be remembered that all audits are based on sampling; therefore, there is no guarantee that all nonconformities will be found during the internal audit process.

3.5 Benefits of Quality Management System Audits

• Provides information for management review

• Demonstrates senior management commitment

• Improves personnel awareness, participation, and motivation

• Provides opportunities for continual improvement

• Improves customer confidence and satisfaction

• Increases operational performance

Audit results are a major input to the management review process. Management must take appropriate actions based on the review of quality system strengths, weaknesses, and opportunities for improvement.

The allocated time and ISO 9001 auditor training for conducting internal audits demonstrates top management commitment.

If the purpose of the audit is properly communicated, and employees realize that the audit is not an evaluation of personal performance, they are more likely to discuss weak areas and opportunities for improvement. This should lead to improvement in operational performance and improved customer satisfaction.

3.6 The Auditor within the Audit System

All systems in an organization have to be designed and made to work by people. The audit system is no different. It must have procedures and training to advise the auditor what the role requires, and also what and who qualifies or authorizes the auditor to do the work.

An auditor is defined by ISO 19011 as a person with the competence to perform an audit. To perform an audit, the auditor must be authorized for that particular audit. An ISO 9001 lead auditor is an auditor designated to manage an audit.

3.6.1 Auditor Responsibilities

The Auditor has the following responsibilities:


• Support the team leader

• Be prepared

• Participate at opening and closing meetings

• Carry out assigned tasks

• Keep to the timetable and audit scope

• Document and support all findings

• Keep team leader and auditee informed

• Safeguard all documents

• Maintain confidentiality

• Be objective and ethical

• Verify corrective actions (if assigned as the auditor)

3.6.2 Lead Auditor Responsibilities

In addition to the auditor’s responsibilities, the ISO 9000 lead auditor must possess management capabilities that include:

• Assisting in team selection and briefing the team

• Responsibility for planning and managing all phases of the audit

• Representing the audit team with auditee

• Controlling conflicts and handling difficult situations

• Conducting and controlling all meetings with team and auditee

• Making decisions on audit issues and quality system

• Reporting audit results without delay

• Reporting major obstacles encountered

• Reporting critical nonconformities immediately

• Possessing effective communication skills

The Lead Auditor must balance the on-site audit workload so that there is sufficient time to conduct these managerial tasks.

3.6.3 Client

The client is a person or organization requesting the audit. The client may be:

• The auditee wishing to have its quality system audited

• A customer wishing to audit the quality system of a supplier

• The Registrar selected to carry out an independent audit

• A regulatory body authorized to determine conformity

3.6.4 Auditee

The Auditee is an organization to be audited. The auditee could be a company or one of its manufacturing or service facilities. The client determines the audit scope and objective.

3.7 Principles of ISO 9000 Auditing

QMS auditors must adhere to the following principles and attributes, based on ISO 19011:

Principles relating to auditors:

3.7.1 Ethical Conduct is the foundation of professionalism. It includes auditor behavior that reflects trust, integrity, confidentiality and discretion.

3.7.2 Fair Presentation is the obligation to report truthfully and accurately:

• Audit activities through – audit findings, conclusions and reports

• Significant obstacles encountered

• Unresolved diverging opinions between auditee and audit team


3.7.3 Due Professional Care is applying diligence and judgment in auditing. Auditors must exercise care related to the importance of the task and the confidence placed in them by the auditee and other interested parties. Having the necessary competence is an important factor.

3.7.4 Independence forms the basis for impartiality of the audit and objectivity of the audit conclusions. Auditors must:

• Be independent of the activity being audited

• Be free from bias and conflict of interest

• Maintain an objective state of mind throughout the audit process

• Ensure that audit findings and conclusions will be based only on the audit evidence

3.7.5 Evidence based approach is the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process. Audit evidence must:

• Be verifiable

• Be based on samples of the information available (since the audit is conducted during a finite period of time and with finite resources)

• Ensure that proper use of sampling is made, to contribute to the confidence that can be placed on the audit conclusions

Additionally, ISO 9001 QMS Auditors must:

• Be open-minded and mature

• Possess sound judgement, analytical skills, and tenacity

• Have the ability to perceive situations in a realistic way

• Understand the role of individual units within the overall organization

• Understand complex situations from a broad perspective

The auditor must be able to apply these attributes in order to:

1. Fairly obtain and assess objective evidence.

2. Remain true to the purpose of the audit without fear or favor.

3. Constantly evaluate the effects of audit observations and personal interactions.

4. Treat participating personnel in a way that will best achieve the audit objective.

5. React with sensitivity to conventions of the area where the audit is performed.

6. Perform the audit process without deviating due to distractions.

7. Commit full attention and support to the audit process.

8. React effectively in stressful situations.

9. Arrive at generally acceptable conclusions based on audit observations.

10. Remain true to the conclusion despite pressure to change not based on evidence.

Auditors must be open-minded and base decisions on objective evidence. They cannot assume, feel, or impose their views. Remember that ISO 9001 is interpretative, not prescriptive. There are many ways to implement a requirement to achieve effective control. Keep an open mind. Don’t jump to conclusions.

Other useful attributes:

Other desirable personal attributes that an ISO 9000 auditor may possess include being polite, punctual, practical, principled, persevering, industrious, positive, and prepared. Be mature, have sound judgement, be tenacious, be perceptive and realistic.

Maturity comes from education, understanding, and experience. Sound judgment and analytical skills are gained through research and experience in interpreting and applying the requirements of the standard. Learn from experienced auditors. Take notes of their audit evaluation techniques.

Tenacious does not mean digging until you find a nonconformance. It refers to your ability to stay focused on the audit objective and scope, in spite of distractions. Perceptive means being alert to changing circumstances or concerns. Realistic is being pragmatic. Evaluate the risk. How serious is it? What is the probability of occurrence?

Very few organizations are alike. They have different products, processes, management structures, culture, and environment. Auditors must learn to quickly gauge these factors to determine to what extent they will facilitate or hinder conducting the audit.

3.7.6 Auditor “Independence” - Supplementary notes

• Auditors must be free from bias and influence

• They cannot audit their own work

• All participants in an audit must respect the integrity and independence of the auditors

From a first party perspective, internal auditors cannot audit their own work. They must be selected to perform impartial and objective audits.

From a second or third party perspective, independence may be jeopardized if the auditors have a business or other association with the second or third party company that may influence their objectivity, or they own shares in the company to be audited, or their spouse or relative works there.

Some Registrars require auditors to sign a Non-Conflict of Interest statement. This is done generally or specifically for each audit assignment.

3.8 ISO 9001 QMS Auditor Role

The auditors may have many roles depending upon whether they perform as an internal or external auditor. The scope and objective of the assignment must also be taken into consideration. Some of the key roles and issues are discussed below:

3.8.1 ISO 9001 3rd Party Auditor

• Must abide by Code of Conduct

• Cannot consult

• Maintain confidentiality

3.8.2 1st and 2nd Party Auditor

• Is the management interface

• May facilitate the documentation and implementation process

• May act as a guide during audits

• May interface with customer and external auditors

3.8.3 All Auditors

• Must maintain “independence” and confidentiality

• Exhibit professional behavior

3.8.4 External Auditors

The role of an external auditor is much more limited. They may provide interpretations of ISO 9001, but cannot consult on implementation or corrective action solutions. They can report audit findings and suggest opportunities for improvement.

3.8.5 ISO 9001 QMS Internal Auditors


Internal auditors are the management interface. They follow management’s directives and conduct internal audits on behalf of management. Internal auditors report audit findings to top management so the system can be improved.

Internal auditors may facilitate the communication, documentation, and implementation of the system and communicate with the registrar or customers. They may also act as guides during audits by external auditors or customers. They know the facility and audit process, plus it provides a good learning opportunity.

They may consult as a resource for interpretation, as well as facilitate implementation of the requirements through provision of training and review of implementation steps. If they are directly involved in implementation, or take corrective actions, they should not audit the areas they implemented. The Registrar would likely view such activity as a conflict of interest.

Internal auditors cannot audit their own work and must remain impartial and objective. They must behave professionally and maintain confidentiality of information.

3.9 RAB/QSA Accreditation Program

Many countries operate their own auditor registration scheme and most of them have entered into ‘memorandum of understanding’ arrangements with other countries for mutual recognition.

At the highest level, the quality management business is governed by national, governmental, semi-government or trade association bodies. In the USA, it is the Registrar Accreditation Board.

The RAB accredits the Registrars to an ISO standard called Guide 62. Registrars certify organizations to ISO quality management systems. The process is called registration, because it involves listing successful companies in a public register of registered companies.

Customers demand that suppliers provide assurance of product quality through quality system registration. On the training side, the same bodies, such as the RAB, accredit training organizations.

The IATCA (International Auditor and Training Registration Association) was formed to facilitate the international recognition of registered quality management system auditors.

3.9.1 RABQSA/IATCA Criteria for QMS Auditor Registration

In the USA, the RABQSA program registers three types of auditors: (QMS-PA) quality management system provisional auditor, (QMS-A) quality management system auditor, and (QMS-LA) quality management system lead auditor, each with its own set of qualification requirements.

The purpose of auditor registration is to provide assurance that auditors possess the necessary qualifications to audit quality systems against recognized standards. Other reasons are to improve the consistency of audits, while establishing the competency, integrity, and proficiency of auditors.

In order to overcome hurdles in recognizing auditors registered in other countries, the IATCA auditor registration program was established. The IATCA program does not have a provisional category and its lead auditors are referred to as Senior Auditors.

To become a RABQSA registered Auditor, an individual must meet certain criteria. These include the following:

• Education

• Work experience

• Quality experience

• Auditing experience

• Managing audits

• Communication skills


• Training and examination

• Maintenance of proficiency

3.9.1.1 Education

• Bachelor’s, Associate, or Secondary

• More education; less work experience

• Diploma or equivalent documentation

3.9.1.2 Workplace and Quality Experience

• Must demonstrate current experience

• Bachelor’s requires at least 4 years

• Associate’s must have at least 6 years

• Secondary needs at least 8 years

• Two of last four years in “QA” activities

• Submit resume as objective evidence

• Identify up to 6 fields of experience

3.9.1.3 Training

• Complete an RAB accredited training course

• Pass a test on auditing basics and ISO 9001

• Course provider’s course satisfies RAB requirements

• Apply for RAB registration within 3 years

3.9.1.4 Audit Experience for QMS-Auditor:

Audits Days On-Site

QMS-A 6 30 3

QMS-LA 5 25 3

All five audits for the QMS-LA grade must be performed as the lead auditor. At least two of the overall audits (for QMS and QMS-LA grades) must be “witnessed” by a registered QMS-LA (with one of the two audits with the applicant performing as the lead auditor).

3.9.1.5 Nature of Audit Experience

• Must be full audits for initial registration

• Audits must include an evaluation report

• Audits can be 2nd or 3rd party audits

• 1st party audits must be independent of own QMS

• Offsite time limited to 1 day per onsite day

• ISO 9001 or other acceptable quality system standard

• List audit details and verification names

3.10 RAB/IATCA Code of Conduct

• Act professionally

• Increase competence

• Assist subordinates

• Avoid any role or activity that may cause a conflict of interest

• Disclose conflict of interest

• Don’t accept bribes

• Be truthful, accurate, fair and responsible to the public

• Don’t communicate false or misleading information

• Maintain confidentiality of audit

• Support Registrar’s reputation


• Disclose who you represent

• Faithfully represent employer or client in professional matters

• Give credit to others

• Don’t misrepresent credentials

• Don’t charge multiple parties for the same service without everyone’s consent

• Don’t seek employment or consult with a competitor without written approval of both parties

All accredited auditor programs have a professional code of conduct.

The above list provides a framework of moral and ethical behavior. It contributes significantly to maintaining personal professional integrity and upholding the status of the profession. All RAB/IATCA registered auditors must abide by this code.

3.11 Registration Process

• Registrar selection

• Application submission

• Objective, scope, and date

• Documentation review

• Pre-assessment (optional)

• Assessment

• Registration

• Surveillance audits

• Re-registration

Select your Registrar on the following basis: reputation; international recognition; accreditation; scope of services; knowledge of your industry or business; proximity; overall costs; support and service; knowledge and experience of the auditors to be assigned; availability; flexibility; and confidentiality.

Determine the scope – what facilities, products, processes, and departments should be included in the system.

Based on your organization’s implementation schedule, agree on a tentative audit date. This can be changed depending on your state of readiness.

Your documentation will be reviewed for conformity with ISO 9001. This review may take more than one iteration.

A few months following the documentation review, a pre-assessment may be conducted. This will provide an indication of your state of readiness for the formal assessment. Organizations that undergo pre-assessment generally have a much higher success rate of achieving registration.

If non-conformities are found during an assessment or implementation audit, you will be given time to address them. Registration is obtained on clearing all nonconformities to the Registrar’s satisfaction. A certificate is issued and your organization is listed on the Registrar’s public directory of registered firms.

Surveillance audits are conducted every year to ensure ongoing conformity.

Re-audit of an organization’s QMS is a requirement of Guide 62. The purpose of re-audit is to verify the overall effectiveness of an organization’s QMS in its entirety. In most cases, it is unlikely that periodic re-audit will extend beyond three years. The re-audit should provide for a review of past performance of the QMS over the period of certification and may include a regular or extended surveillance visit.

3.12 Audit Perspectives

3.12.1 Second Party (External)


A second party system of auditing can be planned on a long-term basis if the company auditing knows what suppliers it is likely to use over that period. This may be the case, but again, there are various forces at work that may upset those plans.

Organizations are constantly seeking new markets and new customers. Suppliers are bombarding potential customers, and if it appears there is a commercial benefit in opening up a new source of supply, the company may want to audit that potential new supplier. In the competitive bidding situation, a company may wish to audit all bidders as an input to the ultimate purchasing decision.

Having made that decision, the company may wish to carry out surveillance type visits to ensure contract requirements are fully understood and are being complied with. But not all suppliers have a formal documented system. In this case, the auditor would have to decide the scope of the audit, and as mentioned, the company already has some customers.

Therefore, some form of contract would be in place; this would help the ISO 9001 auditor to show if the company meets contract requirements, for example, on time delivery. Usually a supplier will have some procedures, instructions, or a quality plan. If possible, a pre-audit visit would be an advantage. From all this information, the auditor would prepare an audit checklist to be used on the actual audit.

The results of all these audits combine to form a grading and perhaps also a performance rating into which are combined other quality features of the supplier: delivery, results of inspection of received lots, service, etc. Those suppliers who gain a high or the best rating deserve some commercial advantage if it is considered that audits and inspections of them can be minimized.

3.12.2 Third party (external)

Third party ISO 9001 audits can be planned on a fairly exact basis and the number of likely audits in a given time can be predetermined. Over a year, for example, essential visits to the auditee will have included a preliminary visit, an initial assessment, and a predetermined number of continuing audits.

These visits are of varying duration and demand different levels of staffing, but can be predetermined. This assumes that the auditee gains registration on the initial assessment and that is not as unusual as one might think. However, the staffing levels necessary can be pre-planned much more easily than those for a flexible first or second party audit.


Module 4 - Managing An ISO 9001 Audit Program

4.1 Authority for Audit Program

An ISO 9001 audit program may include one or more audits, depending on the size, nature and complexity of the organization to be audited. These audits may have a variety of objectives and may also include joint (multiple auditing organizations) or combined (QMS and EMS) audits.

An audit program also includes all activities necessary for planning and organizing the types and number of audits, and for providing resources to conduct them effectively and efficiently within the specified time frames.

An organization may establish more than one audit program. The organization’s top management should grant the authority for managing the audit program. Those assigned the responsibility for managing the audit program should:

a) Establish, implement, monitor, review and improve the audit program

b) Identify the necessary resources and ensure they are provided.

If the organization to be audited operates both quality management and environmental management systems, combined audits may be included in the audit program. In such a case, special attention should be paid to the competence of the audit team.

Two or more organizations may cooperate, as part of their audit programs, to conduct a joint audit. In such a case, special attention should be paid to the division of responsibilities, the provision of any additional resources, the competence of the audit team and the appropriate procedures. Agreement on these considerations should be reached before the audit commences.

Examples of ISO 9001 audit programs include the following:

a) A series of internal audits covering an organization-wide quality management system for the current year.

b) Second-party management system audits of potential suppliers of critical products to be conducted within six months.

c) Registration and surveillance audits conducted by a registrar on a quality management system within an agreed time period.

An audit program also includes appropriate planning, the provision of resources and the establishment of procedures to conduct the audits within the program.

4.2 Establishing the ISO 9001 Audit Program

4.2.1 Audit program objectives

Objectives should be established for an audit program to direct the planning and conduct of audits. These objectives should be based on consideration of:

a) Management priorities

b) Commercial intentions

c) Management system requirements

d) Statutory, regulatory and contractual requirements

e) Need for supplier evaluations

f) Customer requirements

g) Needs of other interested parties

h) Risks to the organization

4.2.1.1 Examples Of Audit Program Objectives:


a) To meet requirements for registration to a management system standard

b) To verify conformance to contractual requirements

c) To obtain and maintain confidence in the capability of a supplier

d) To contribute to the improvement of the management system

4.2.2 Extent Of An Audit Program

The extent of an audit program can vary and will be influenced by the size, nature and complexity of the organization to be audited, as well as by the following:

a) The scope, objective and duration of each audit to be conducted

b) The frequency of audits to be conducted

c) The number, importance, similarity and locations of the activities to be audited

d) Standards, statutory, regulatory and contractual requirements and other audit criteria

e) The need for accreditation or registration

f) Conclusions of previous audits or results of a previous audit program review

g) Any language, cultural or social issues

h) The concerns of interested parties

i) Significant changes to an organization or its operations

4.2.2.1 Audit Frequency

The client determines the audit frequency for 3rd party audits. Factors that may cause the frequency to increase include:

• Significant change in management, organization, policy, techniques, or technology

• Requests by the customer or regulatory body

• Changes to the quality management system

• Results of recent audits

• Status and importance - internal audit results

4.2.2.2 Audit Frequency for Internal Audits

Clause 8.2.2: Internal audits are scheduled on the basis of the status and importance of the activity to be audited, as well as previous audit results.

Status - Refers to the past history of weakness, problems, and customer complaints. Increase the audit frequency to improve control and confidence.

Importance - Refers to the criticality of the process or activity to the quality of the product or service (critical internal or external suppliers). Also reflects top management’s priorities.

Audits - Refers to the results of previous internal and external audits. You must consider past audit findings and coverage in setting audit frequency.

- The complete quality management system must be audited at least once a year. Weak areas or activities must be audited more often. Top management determines the frequency of internal audits with the help of the Management Representative.

- Audit frequency is also determined by contractual or regulatory requirements, as well as significant changes in ownership, policies, products, processes, technology, control systems, documentation, or the organization.


MODULE 5 Audit Activities

The extent to which audit activities are applicable depends on the scope and complexity of the specific audit and the intended use of the audit conclusions. The planning and conducting of audit activities involve the following process flow or lifecycle:

5.1 Initiating The Audit

5.1.1 Appointing the audit team leader

5.1.2 Defining audit objectives, scope and criteria

5.1.3 Determining the feasibility of the audit

5.1.4 Selecting the audit team

5.1.5 Establishing initial contact with the auditee

5.2 Conduct Document Review

5.3 Prepare For On-Site Audit Activities

5.3.1 Determining Audit Strategies

5.3.2 Preparing the audit plan

5.3.3 Assigning work to the audit team

5.3.4 Preparing work documents

5.1 Initiating The Audit

5.1.1 Appointing the audit team leader

Those assigned the responsibility for managing the audit program should appoint the audit team leader for the specific audit. Where a joint audit is conducted, agreement should be reached between the audit organizations, before the audit commences, on the specific responsibilities of each organization, particularly with regard to the authority of the team leader appointed for the audit.

Registrars have defined rules and guidelines for audit planning derived from Guide 62 and ISO 19011. The leader has responsibility for planning, conducting, and reporting the audit, following these rules and guidelines. The leader is briefed on the objectives and scope of the audit and is then required to specify the resources necessary to carry out the audit, in terms of staff days, and the number of auditors required, including any with special technical expertise.

This latter point about technical expertise merits some discussion. There are some schools of thought that say that an auditor does not need technical knowledge of the area they have to audit. The auditor needs knowledge of quality management systems and the Standard. This is, of course, partly true.

However, auditors will be required to use all applicable senses during an audit. Familiarity with the kinds of processes going on around the audit will allow auditors to determine conformity, or otherwise, quicker and with probably less doubt, than if they have little experience of that industry.

With lack of knowledge or experience, it will take auditors longer to reach the same decision based on the same evidence than it would take an experienced auditor. The team leader may be chosen on the basis of particular experience or it may be decided to include a member in the team who has particular expertise.

5.1.2 Defining Audit Objectives, Scope And Criteria

Within the overall objectives of the audit program, an individual audit should be based on documented objectives, scope and criteria. The audit objectives define what is to be accomplished by the audit and may include the following:

a) Determining degree of conformity of the QMS, or parts of it with audit criteria


b) Evaluating the capability of the QMS to ensure compliance with statutory, regulatory and contractual requirements

c) Evaluating effectiveness of the QMS in meeting specified objectives

d) Identifying areas for potential improvement of the QMS

The objectives can be many and diverse, but it is essential to be clear on the objectives at the beginning of the audit process. The client should define audit objectives.

The audit scope describes the extent and boundaries of the audit, such as:

• Applicable requirements of ISO 9001

• Physical locations - facilities, plants, offices

• Organizational activities - products, processes, departments, functions

• Date the quality management system was formally in effect

The Client initiates the audit (2nd and 3rd party) and decides the scope with help from the Lead Auditor. The Auditee may be contacted, if necessary. The Client, with help of the Lead Auditor, must determine what resources are needed and ensure that adequate resources are provided to achieve the objectives for the scope of the audit.

The client decides the frequency. Remember the client may be the auditee, customer, or registrar or regulatory body.

The audit criteria are used as a reference against which conformity is determined and may include:

• Applicable policies and procedures

• Standards, laws and regulations

• ISO 9001 and organization management system requirements

• Industry requirements

• Business sector codes of conduct

The audit scope and criteria should be defined between the audit client and the audit team leader in accordance with audit program procedures. The same parties should agree to any changes to the audit objectives, scope or criteria.

Where a combined audit is to be conducted, the audit team leader should ensure that the audit objectives, scope and criteria are appropriate to the nature of the combined audit.

5.1.3 Determining Feasibility Of The Audit

Audit feasibility should be determined taking into account factors such as:

a) Sufficient and appropriate information for planning the audit

b) Adequate cooperation from the auditee

c) Adequate time and resources

The team leader, through the initial appointment and briefing by the Registrar or program manager, will have some idea of the scale of the audit. For the sake of example, assume eight staff days are required to actually carry out the audit. The team leader could decide to do the audit alone and spend eight days in a company, or they could have a team of two and spend four days, or a team of four and spend two days (that may be preferred by the auditee management). The objective is normally to complete the audit in the shortest possible time.

In a second party audit, the auditing organization will decide the resources and time. In a third party audit, the auditee (who has to pay all the costs) will seek assurances that the costs are justified.

Where the audit is not feasible, an alternative should be proposed to the audit client, in consultation with the auditee.


5.1.4 Selecting The Audit Team

The Registrar and the team leader will select the audit team, following criteria defined by the Registrar. Selection criteria may include the following:

a) Audit objectives, scope, criteria and estimated duration of the audit

b) Whether it is a combined or joint audit

c) Overall competence of audit team to achieve audit objectives

d) Statutory, regulatory, contractual and accreditation/registration requirements, as applicable

e) Independence of the audit team and avoiding conflict of interest

f) Ability of audit team to interact with each other and with auditee

g) Language of the audit and an understanding of auditee’s social and cultural characteristics

h) The need for a technical expert

i) Availability of competent audit team members

Auditors-in-training may be included in the audit team, but should not audit without direction or guidance.

Both the audit client and auditee can request the replacement of particular audit team members on reasonable grounds based on the principles of auditing described earlier. Examples of reasonable grounds include conflict of interest (such as an audit team member being a former employee of the auditee or providing consultancy services to the auditee) and previous unethical behavior. The team leader or program manager should be made aware of such grounds and they should resolve the issue with the audit client and auditee before making any decision to replace the audit team member.

Any team of auditors is likely to split up to audit individually. Each auditor will need an escort and each auditor will take up auditee management time.

Although the auditors are working separately, they share a common objective and will meet regularly to review progress. At these points, one auditor may ask another to check on specific areas, documents, records, or systems, and in this way, the team will “cross fertilize”. If the teams were in there for a short time only, there would be little chance to do this.

It can be seen, therefore, that either two people for four days, or four people for two days, is likely to be the optimum. The choice will depend on auditor availability, auditee preference, and cost.

In the ISO 9001 registration audit, the auditee generally pays for the resources needed to audit them. The Registrar therefore needs to be competitive and yet still effective. Current trends are for two or three people to audit as separate groups of one.

In second party audits, the Auditor Company is paying for the audit. They employ the auditors. In the past, it has been common for audit groups to have two people auditing together since there are a number of advantages in having two people working together, for example, corroboration, some “independence” of the second person, timekeeper, special expertise, note taking, can take over from the leader, etc. However, as costs have risen, it has become more typical for audits to be carried out by individual auditors.

In internal audits it has been typical, and remains so, to have one person auditing alone.

5.1.5 Establishing Contact With The Auditee

The initial contact with the auditee may be formal or informal and should be made by the program manager or audit team leader. The purpose is to:

- Obtain information relating to company size, product range and key processes

- Establish communication channels with the auditee’s representative

- Confirm the authority to conduct the audit

- Inform auditee on proposed timing and audit team composition

- Request access to relevant documents, including records


- Determine applicable site safety rules

- Make arrangements for the audit

- Agree on attendance of observers and availability of guides

5.1.5.1 Preliminary Visit

These visits can be of great value since they allow the team leader to meet members of the organization. Much information can be gathered and benefit derived from a preliminary visit. Some of these may include:

• Clarification of the scope of the audit

• Agreement on procedures to be used during audit

• Resolution of communication and any misunderstandings

• Quick tour to appreciate its scale, layout, and geography

• Perform documentation review

• Degree of readiness and cooperation

• Identification of any special needs - skills, protective clothing

• Provides the auditee with an opportunity to ask the team leader about the way the audit will be conducted.

In summary, the purpose of preliminary visits is to clarify the scope and objective of the audit, agree on the procedures to be adopted during the audit, and to resolve any misunderstandings. These visits may not always be practical and factors such as time, costs, distance and availability of personnel to send may need to be considered.

5.1.5.2 Local Customs and Culture

A number of extraneous factors may also need to be considered in arranging an audit that may impact the audit plan, audit duration, checklist, team selection, and auditor behavior. These factors include:

• Country - practices, culture, and values

• Language issues

• Organizational health, safety and environmental requirements

• Corporate environment and culture

• Industry issues - automotive, aerospace, services

1. Many countries have very different practices, traditions, and values. Not being aware of these when conducting an audit in the country may prove quite embarrassing, for example, introductions, greetings, gifts, attitude towards and role of women, and the nature and timing of meals.

2. The language of the audit must be established. Even with a translator, the intent and meaning may be lost or be diluted. The auditor must make allowances for additional time during the audit for translated questions and responses.

3. Depending on the industry it is in, an organization may have very formal systems governing health, safety and environmental requirements. The audit team must become familiar with and comply with all these requirements.

4. The corporate environment and culture may vary significantly between industries. For example, the high tech industry is quite different from a more mature steel industry. The structure, practices, and interrelationships are far more structured and formal in the latter.

5. Sector specific application of the ISO 9001 standard generally tends to be more prescriptive, such as the automotive QS-9000, AS9100 for the aerospace industry, and TL 9000 for the telecommunications industry. Specific industry issues may also have a bearing. For example, QS-9000 requires all shifts to be audited. There may be more regulatory control and legal risks related to the aerospace or food and drug industry.


5.2 Conducting Document Review

The auditee’s documentation should be reviewed to determine the conformity of the system, as

documented with the audit criteria. The documentation may include relevant management system

documents and records and previous audit reports. The review should take into account the size, nature and complexity of the organization, and the objectives and scope of the audit. In some

situations, this review may be deferred until the on-site activities commence, if this is not detrimental to the effectiveness of the conduct of the audit. In other situations a preliminary site visit may be

conducted to obtain an overview of available information (see coverage above on preliminary site

visit).

If the documentation is found to be inadequate, the audit team leader should inform the audit client,

program manager and auditee. A decision should be made as to whether the audit should be continued or suspended until documentation concerns are resolved.

See module 2 for details of how a documentation review should be done. Note: The Documentation Review is now done as Stage One of the Registration Audit. The scope of

the On-site stage one audit includes:

-Review conformity of the organization's QMS documentation to ISO 9001 requirements.

- Review completion of full cycle of internal audits and management review processes Based on the evaluation of Stage One audit findings, the ISO 9001 Lead Auditor will then determine whether the organization is ready for the Stage Two Implementation Audit.

5.3 Preparing for the on-site audit activities

5.3.1 Audit Strategies

In preparing the plan, the team leader, in consultation with the audit team, will decide the strategy for the audit, and there are a number of options. Some auditors favor starting at the point in a company where inquiries from clients are received. The auditors then follow the process through confirming an order, going through technical, procurement, inventory, production, test, shipping, and service, plus taking in specialized areas along the way.

This approach may be termed a “process audit”. The auditors follow a specific order or set of processes through the system and examine controls of each process along the way. The process audit approach will require the auditor to look at the following aspects of process management:

a) Controls over inputs, outputs and the value-added activities within a process
b) Controls related to the utilization of resources in converting inputs to outputs
c) Use of the PDCA methodology in applying the clauses of the ISO 9001:2000 standard to each process
d) Reviewing the controls related to the interaction, linkage and combination with other processes, both on the input and output sides
e) Evidence of measurable objectives for each process and metrics to track performance to them

Reference should be made to clauses 4.1 and 8.2.3 of the ISO standard for the process approach. Also see sections 2.2 – 2.4 of Module 2 and section 3.4 of these Course Notes.

Another strategy would be to do a product audit, where the auditor would look for all the controls required by clause 7.1 for fulfilling the requirements of a specific product, service, project or contract or category of products (see section 3.4 of Module 3 of these Course Notes).

Yet another strategy is to consider all the activities in a particular department without reference to overall workload. This would be termed a “departmental” audit and may include a number of processes within a department. Internal audits in each department often take this approach.


There are some ISO 9001 clauses that are applied across the board in all departments, such as 4.2.3 for document control and 6.2.2 for training. These can be audited by themselves or in combination with process, product, department, or contract strategies.

Audits must always be planned. Audits that are not planned are likely to reflect worst practices. Audits may be termed “random”, but without an objective or a plan, perhaps “unprofessional” should be the preferred term.

The plan, therefore, is likely to be a reflection of a combined approach of both “up” and “down” and some “across” the organization. The auditors need to be sure that the plan gives them enough time in each area for sharing of information within the team and to advise the auditee organization of where they are likely to be at any given time.

Keeping the organization informed will allow them to ensure they have a member of management available in each department to meet the auditors and also to ensure that there is a guide available for the auditors for going from one department to the next. Few organizations allow external people to wander around their facilities unaccompanied. In any case, third party auditors must always have a guide.

5.3.2 Preparing the Audit Plan

After having been in contact with the organization to be audited, and perhaps made a preliminary visit, the audit team leader will prepare an audit plan, which provides the basis for the agreement among the audit client, audit team and the auditee regarding the conduct of the audit. The plan should facilitate scheduling and coordination of audit activities.

The amount of detail in the audit plan should reflect the scope and complexity of the audit. The details may differ, for example, between initial and subsequent audits and also between internal and external audits. The plan should be sufficiently flexible to permit changes in the audit scope, which can become necessary as the on-site audit activities progress. It is up to the team leader to determine how much flexibility to allow so the achievement of the audit objective and scope within the agreed time is not compromised.

The audit plan should cover the following:

• Audit objectives, criteria and reference documents
• Audit scope, including organizational and functional units and processes to be audited
• Dates and places where the on-site activities are to be conducted
• Expected time and duration of on-site activities, including all meetings with auditee or audit team
• The roles and responsibility of audit team members and accompanying persons
• Allocation of appropriate resources to critical areas of the audit

The audit plan should also cover, as appropriate:

• Identification of the auditee’s representative for the audit
• Working and reporting language of the audit
• Audit report topics
• Logistics arrangements
• Matters relating to confidentiality
• Any audit follow-up actions
• Confidentiality requirements
• Audit report distribution and issue date

The ISO 9000 Lead Auditor prepares the Audit Plan as the output of the planning activities. It should be reviewed and accepted by the audit client, presented to the auditee and communicated to the audit team members before the on-site activities begin.


Any objections by the auditee should be resolved between the audit team leader, the auditee and the audit client. Any revised audit plan should be agreed to among the parties before continuing the audit.

A typical plan might look like the one below based on a two-day audit with two groups. Some of the information above may be included in a cover letter with the audit plan.

5.3.2.2 Auditee’s Responsibility

The auditee has a responsibility to:

• Agree with or clarify the planned arrangements
• Communicate the plans to all departments
• Request top management to attend meetings
• Arrange for personnel to be available
• Request full cooperation from all personnel
• Arrange for guides as escorts
• Arrange office facilities for auditors
• Arrange for any safety equipment

The auditee, usually the Management Representative, is in regular contact with the Registrar from the time the Registrar is contracted. As the date of the audit approaches, the auditee has a responsibility to communicate the audit plans within the organization.

If all relevant information is communicated, it should prevent surprises and delays. Internal preparation for the audit also eases employee stress and facilitates cooperation. From the Registrar’s standpoint, it makes for a more effective and pleasant audit.

5.3.3 Assigning Work To The Audit Team

The audit team leader, in consultation with the audit team, should assign to each team member responsibility for auditing specific processes, functions, sites, areas or activities. Such assignment should take into account the need for the independence and competence of auditors and the effective use of resources, as well as the different roles and responsibilities of auditors, auditors-in-training and technical experts. Changes to the work assignments may be made as the audit progresses, to ensure the achievement of audit objectives.

5.3.4 Preparing work documents

Auditors need to go forward armed with the tools of the trade in order to conduct an efficient and professional audit. The audit team members should review the information relevant to their assignments and prepare work documents as necessary for reference and for recording audit proceedings. Such work documents may include a copy of the ISO 9001:2000 Standard, checklists, sampling plans, and forms for recording information such as supporting evidence, audit findings and records of meetings.

Work documents, including records resulting from their use, should be retained at least until audit completion. Confidential and proprietary documents should be suitably safeguarded at all times by the audit team members. Documents pertaining to the audit should be retained or destroyed by agreement between the participating parties and in accordance with the audit program procedures and applicable statutory, regulatory and contractual requirements.

The use of checklists and forms should not restrict the extent of audit activities, which can change as a result of information collected during the audit.

Always go prepared with them. They are designed to facilitate your audit by keeping observations and objective evidence organized and easy to retrieve. The auditor tools make you look and perform as a professional.


5.5 Checklist Preparation

Although it has been mentioned already in these notes, the auditors will constantly keep clear in their minds the audit purpose, scope and objectives. The purpose will be something like: To collect objective evidence for an informed judgement about the documentation, implementation, and effectiveness of the organization’s quality management system.

The primary aim of the checklist is to help the auditor to ensure the depth and continuity of the audit, plus it will save time during an audit and help the auditor to come to an informed judgement. The company conducting the audit usually defines the format of the checklist. One sample checklist is shown on the next page.

5.5.1 Audit Checklist

The checklist must, therefore, be as representative as the auditors can make it, bearing in mind the objectives of the audit. Depending on whether the audit is first, second, or third party, the information available to the auditors could comprise:

- Information from previous audits
- Known quality problems
- Management priorities
- Quality Manual
- Procedures and other system documents
- Product/service specifications and information
- Auditor’s own considerations based on experience, knowledge, and preliminary visits

The preparations must advise the auditors how the auditee's system is meant to operate and with what documents.

There will be a considerable number of checklists prepared for a large audit; probably one for each department, and where different responsibilities exist within a (large) department, perhaps further checklists for each group.

The word “checklist” has an unfortunate connotation and smacks of ticks and crosses or “yes” and “no” answers. The checklists are not meant to be that at all. The checklist is becoming more popularly known as an “aide memoire”, or memory aid.

In developing suitable checklists, another factor must be considered. Not all audits (1st and 2nd party only) are carried out on organizations with quality manuals and comprehensive formal procedures. Many small companies may operate very well, profitably, and consistently satisfy their customers without extensive quality documentation. In third party situations, the production of a manual that addresses all the applicable ISO 9001 clauses in an acceptable way is a mandatory prerequisite.

Any company, in fact, that stays in business has a quality system. At this stage, you might give thought as to how you would plan the steps to audit an organization that does not have a formal documented system.

Auditors may find it necessary to ask both very broad questions and some of a much more specific nature. The two types of questions indicate two types of checklists: process criteria checklists and audit checklists. Process criteria checklists convert clauses of the standard into questions related to the process characteristics – inputs, outputs, interactions, value added activity, controls etc.

Many of the more detailed questions are those for use on an audit checklist.

It might be reasonable for an auditor to start off with a criteria question in mind, but then select a sample and ask many other questions. It is these other questions that concern this section of the course notes. (Some Registrars have criteria checklists as part of their operating procedures.) The style and format of a checklist are at the organization’s (1st and 2nd party audits) discretion. Less experienced auditors are advised to frame in full the points to probe on a checklist, while a more experienced auditor may use key words instead.

A good guide to the preparation of a checklist is to think in terms of “what to look at” and “what to look for”. It may be decided to look at documents, records, product, or equipment, and look for approval, completeness, status, and condition.

It may be decided to look at the Internal Audit System and look for a statement of its authority, comprehensive coverage of the system, training of auditors, timely action on findings, and follow up.

Clarity of mind concerning audit objectives and scope is therefore a must.

The other point made in preparing checklists concerns making the sample representative. How can the auditor do this? There is no simple answer. Always using the same checklist is not to be recommended, although this is widely practiced.

For a given department, the auditor should look to see what is the “mainstream” activity of that process: what is its main function? What are the inputs and outputs, the sequence and interaction with other processes? If a representative sample is to be selected, then it is reasonable to look at what the process spends most of its time doing.

Therefore, an engineering office process may be mainly preparing drawings and parts lists, a merchandiser in a retail organization may be mainly assessing products and negotiating prices, and a laboratory may be mainly making up standard formulations. If the purpose of the audit is to establish the degree of conformity with specified requirements, then the representative sample on the checklist should reflect these major activities.

However, consider some of the other duties. Engineering personnel may carry out onsite troubleshooting, provide technical advice, prepare sales and service literature, and take technical customer calls. Purchasing agents may also influence outlet stock levels, pricing, display, and safety policy. Laboratories may carry out special studies, development tests, and fault analysis, as well as provide specialist advice. Perhaps some of these aspects should be considered in the audit and, therefore, be added to the checklist.

There is a further aspect to be considered by the auditor. The systems in any organization are fine when key personnel are there and no one is absent, ill, or on vacation. The systems are fine until some pressure is put onto them, such as the end of the month rush for invoicing, the major failure of equipment for an important customer, or a flood of warranty claims. What happens when the systems fail? How does the department react to put things right and keep them that way? Perhaps audits in some organizations should look at this aspect and no other!

There is, therefore, considerable choice open to the would-be auditors. The selection of subjects is up to them. The management and/or team leader may, of course, insist that certain samples are taken, but another team of auditors with the same purpose in mind may make a different selection. Neither is right or wrong. It would be impossible to predefine the sample (though some believe they can).

There is no shortage of material for the auditor to examine. But there are disadvantages with checklists: they can be standardized and stifle any initiative and analysis of the process; they may become nothing more than a tick list.

Very careful planning before the audit is essential. It pays considerable dividends during the audit. Bearing in mind the limited time on any audit, the auditor wants to spend it auditing, not wondering what to look at next. Planning is the secret; silence is golden, but costly and embarrassing too!

Some auditors believe they can conduct a good audit by arriving at the auditee with a blank piece of paper then “following their nose”. There is now considerable evidence that audits done this way are ineffective and all such auditors have done the profession a disservice. These audits are generally biased, providing good material for that auditor's obsession. The audit conclusion is based on scant information and usually unrelated to the audit objectives.


There is a school of thought that says the checklists should be sent to the auditee prior to the audit. This may have the advantage of saving time during the audit, as certain information can be made available. Other schools of thought are opposed to such an idea and, of course, it does depend on what the checklist contains. In principle, it should not matter that the checklists are sent if the auditee understands them and if this contributes to the achievement of audit objectives. The main purpose of the checklist remains as a memory aid for the auditor.

This point is related to another. Some auditors prefer not to advise the auditee that an audit is going to be carried out. In this way, it is argued, the auditee area is seen as it really operates and there is no “tidying up” for the audit. There is little merit in this, as having auditors suddenly leap out and take people by surprise is not generally sound policy, nor is it considered to be professional. Successful and effective audits are somewhat dependent on a good and trusting relationship between auditor and auditee. Surprise audits project the image of the auditor as a secret agent and, therefore, add nothing to the trust.

It is also true that pre-knowledge of an audit may instigate at least some improvement because people do “tidy up”. This can be a good thing; there is nothing wrong in that. It's a shame, of course, if the area needs to be in its tidy state when there is an audit due. However, it is also true that the kinds of nonconformities that can be cleared by a quick “tidy up” are of a very minor nature and often not worth any major audit effort. The auditor, if capable, needs to be considering more important potential improvements.

To return to the preparation, however, the team leader and auditors have received various pieces of information from the auditee, for example, the quality manual and other forms of documentation for use in preparing checklists.

The examination of the quality manual will have been carried out with another purpose in mind: to establish whether or not the described system addresses all the points in the ISO 9001 standard being used as the basis of the audit.

If the quality manual does not address all the points, then the team leader must determine at the planning stage how the company addresses the points. Perhaps there is further information available that has been omitted by the auditee. It may be an error.

If the documentation is found to be inadequate, the audit team leader should inform the audit client, program manager and auditee. A decision should be made as to whether the audit should be continued or suspended until documentation concerns are resolved.

Checklist Benefits

1. Identifies relevant samples
2. Defines a formal audit process
3. Requires helpful research
4. Helps maintain the pace of audit
5. Keeps audit objectives clear
6. Gives historical reference as audit record
7. Reduces workload on auditor during audit
8. Assures auditee of auditor professionalism
9. Provides space for audit notes

Checklist Disadvantages

1. Can become a tick list
2. May be full of yes-no questions
3. If not on checklist, will not look at area
4. May stifle initiative and process analysis


Module 6 Conducting On-site Activities

6.1 Conducting On-Site Activities

Having made all the preparations with the auditee and confirmed all arrangements, it is proper etiquette for the team leader to contact the auditee a few days in advance of the audit to verify all the arrangements are in place. The audit team will then visit the organization’s facility on the scheduled date, to conduct the on-site audit activities.

If you recall from our earlier notes, the ISO 9001 audit is conducted in two stages. Please review these stages before continuing.

The on-site activities include a number of distinct activities:

6.1.1 Conducting the opening meeting
6.1.2 Communicating during the audit
6.1.3 Defining roles and responsibilities of audit participants
6.1.4 Collecting and verifying information
6.1.5 Generating audit findings
6.1.6 Preparing audit conclusions
6.1.7 Conducting the closing meeting

6.1.1 Conducting The Opening Meeting

The opening meeting, sometimes called the entry meeting, pre-audit conference, or start up meeting, is typically held at the location of the audit. Good practice demands the auditors arrive together, neither early nor late, otherwise it can be embarrassing for both parties and, what is more, it is unprofessional.

This meeting, as any other, requires preparation by the team leader. The meeting is usually held in a manager's office or the company's conference room. It will usually begin with a welcome and introductions by a member of the auditee management. The audit team has prepared an agenda to ensure that all necessary points are covered quickly and efficiently.

It should be remembered that this meeting may be the first time the two parties (auditor and auditee) have met; therefore, it is an opportunity to make introductions and maybe “break the ice”, since many of the auditees may be feeling tense. The way the opening meeting is carried out can set the style or tone for the remainder of the audit. The opening meeting is the place to establish the rules of conduct for the audit. Matters to be addressed include:

a) Introduction of personnel

The lead auditor should introduce the team and explain the way they are organized if there is more than one group, particular specialists in the group, etc. It is normally a requirement to record the attendees at this meeting. Passing around an attendance sheet and asking everyone present to record their name and position is a practical solution.

b) Audit purpose and scope

Just in case there is any doubt about why the audit is being carried out, and the extent to which the company is going to be examined, the team leader needs to restate these points. In certain situations, the auditee may require evidence or a statement about the team's authority, although matters such as these tend to be covered during the preparation stage. The team leader may also tell the auditee about the audit organization, e.g., the Registrar.

c) Review of the audit plan

The plan will have been discussed, developed, and agreed with the auditee. However, plans may have to be altered slightly and these possibilities should be covered at this stage. The plan should have enabled the company to ensure that someone represents them in each department and has been made aware of the audit and will therefore be available as defined by the plan. The team leader should confirm the intention to keep to the plan to the extent possible.

d) Guide(s) for the Auditor(s)

The team leader will determine, if they have not been advised already, who the guides are and whom they will accompany. The roles of the guide should be discussed. Is the guide to have the authority to agree to the facts surrounding audit findings? Is the guide there merely to provide the auditor an escort from one part of the facility to another?

e) Audit Methods

Describe briefly the methods that the auditors will use to gather objective evidence, such as interviews, observations, document and record reviews, and trend analysis.

f) Reporting methods

The method of recording nonconformities, and of presenting the audit report that will be left by the auditors at the end of the audit, will need to be explained by the team leader. When facts are to be agreed with a company representative during the audit, will the guide or the departmental representative be required to sign for acknowledgment and understanding of the facts? If it is the auditor's procedure to gain a signature at this point, the team leader needs to explain the approach to the company representatives.

g) Audit is a Sample

The team leader should make it clear that the audit is a sampling activity and subject to those limitations. A good statement to make is “This assessment is based on representative samples and, therefore, nonconformities may exist that have not been identified”. Both conforming and nonconforming aspects will be seen and missed. The team leader should assure management, however, that they will make samples as representative as possible and draw only reasonable conclusions.

h) Confidentiality

The audit is confidential between the two parties, as is the information gained before, during, or after the audit. This confidentiality binds third party auditors. RAB registered auditors and lead auditors are bound by the Code of Conduct. The lead auditor should make a statement to this effect.

i) Logistics

Logistics covers all the other arrangements: transport, protective clothing, lunch arrangements, and facilities for use by the auditors (office). Lunch arrangements need to be confirmed. Typically these take the form of a working lunch onsite or a short lunch off premises. Audit legend contains all the usual stories of huge three or four-hour banquets laid on for the auditors, usually at a considerable distance from the company. These are not practical and should be avoided. Again, many of these points would have been raised at the preliminary meeting and the arrangements are confirmed at this opening meeting.

j) Restrictions

Although any major restrictions to the auditors will tend to have been made clear during the planning stage, these may need confirmation or discussion during the opening meeting. Such restrictions include clean areas or hazardous areas where particular arrangements for protective clothing have to be made.


The restrictions may include sensitive union areas where there has in the past been conflict or layoffs. Usually there is no problem in such areas if the reasons for the audit are explained to the staff.

There may be “no go” areas or secret areas. Sometimes companies maintain certain areas as restricted because the work going on there is concerned with development of considerable importance to their market position.

Companies involved in certain types of government work may have areas covered by the Official Secrets Act and appropriate (and lengthy) clearance is necessary for these areas. The various restrictions, if any, should be considered by the team leader and complied with, if legitimate.

Other points that can arise might unsettle an inexperienced team leader. Auditors find that each audit is different and a degree of flexibility is essential. For example, an audit carried out on an organization used to being audited by customers will not require a great deal of explanation about the audit, although they will want certain assurances. On the other hand, if the company is not used to being visited in this way, it may need extensive explanations and the auditors, therefore, need to be flexible.

Sometimes, the auditors might find that the auditee representatives are not particularly senior. While the team leader might have expected to find some top management at the opening meeting, they need not be concerned if all the correct preparations have been carried out beforehand. The auditors cannot insist on meeting anyone in particular or someone in a senior position. Some auditors consider that this shows interest and commitment by top management. This may be true. Other auditors are more guided by the evidence of action and involvement by top management in the working of the system.

k) Clarification

There may be questions or points the auditees wish to raise and the team leader should deal with these items during the opening meeting. The team leader also needs to confirm the current issue status of the key documents in the quality management system.

When all the above and any other matters have been dealt with, the team leader should bring the opening meeting to a close by thanking management and confirming the date, time, and location of the closing and any interim (end of day management briefings) meetings.

6.1.2 Communicating During the Audit

Depending upon the scope and complexity of the audit, it can be necessary to make formal arrangements for communication within the audit team and with the auditee during the audit.

The audit team should confer periodically to exchange information, assess audit progress and to reassign work between the audit team members as needed.

During the audit, the audit team leader should periodically communicate audit progress and any concerns to the auditee and audit client, as appropriate. Evidence collected during the audit that suggests an immediate and significant risk (e.g., safety, environmental or quality) should be reported without delay to the auditee and, as appropriate, to the audit client. Any concern about an issue outside the audit scope should be noted and reported to the audit team leader, for possible communication to the audit client and auditee.

Where the available audit evidence indicates that audit objectives are unattainable, the audit team leader should report the reasons to the audit client and the auditee to determine appropriate action. Such action may include reconfirmation or modification of the audit plan, changes to the audit objectives or audit scope or termination of the audit.

Any need for changes to the audit scope that can become apparent as on-site audit activities progress should be reviewed with and approved by the audit client and, as appropriate, the auditee.


Auditing deals with people. People are unpredictable in their behavior, emotions, and dispositions. A good auditor must know how to interact and get the information from people in an effective manner.

6.1.2.1 Auditor Communication Skills:

• Put auditee at ease before interviewing
• Ask and listen
• Ask short questions
• Show interest in people; what they say
• Reflect right attitude and tone of voice
• Be tactful and polite
• Watch body language and facial expressions
• Show patience and understanding
• Smile and show eye contact
• Turn off your own problems
• Avoid interruptions and contradictions
• Remember to say please and thank you
• Avoid off-cuff or condescending remarks
• Ask the right person
• Give praise when appropriate
• Don’t say you understand if you don’t

6.1.2.2 The Audit Interview

Perhaps the biggest challenge for the auditor is that finding out information depends, among other things, on communication skills. Within a very short time of meeting someone, the auditor needs to have developed a degree of rapport with that person to obtain the facts essential to the investigation, while remaining objective. If these facts are indicative of a lack of management control in the area, then the auditor needs to be tactful in the way these findings are presented.

The main method of soliciting information is by asking questions in a series of interview situations. Though it is not always appreciated, the best interviewers are those who say the least and have an ability to listen or hear what is being said. By combining this with the right kind of attitude and tone, the auditors generate the kind of atmosphere in which good communication can take place.

It has been noted that the auditor needs to interview the right people, that is, the people who have control over the aspect of the system being audited. Thus it would be wrong to ask the Purchasing Manager how Design is managed (unless of course the manager was responsible also for that).

The interviewee (the auditee) must not feel threatened by the auditor. Many people are easily intimidated by auditors. The auditor can avoid generating this kind of feeling by being polite, patient, slightly informal, and not afraid to smile. Showing interest in what people say is essential.

Holding a degree of eye contact, along with small verbal acknowledgements, “I see”, “ah”, “yes”, and so on, will show that the transmission is being received, as will the right facial expression and head movement. There are no facial expressions or head movements recommended to obtain information; each auditor will develop their own style.

It often happens that the auditee, because most of them are human, misunderstands a question or is determined to tell the auditor about some other matter. They may even say something that the auditor knows not to be true. If the auditor interrupts abruptly, or directly contradicts the auditee, easy communication will not continue.

At the end of the interview, the auditor should thank all the auditees for their help and time, regardless of whether it was beneficial or otherwise.

6.1.2.3 Questioning Techniques

Any audit carried out anywhere has an objective. Auditors who lose sight of this will not be effective. They are better off asking two questions than losing their way because they asked only one. The quality of the audit can be considered in terms of achieving the audit objectives. The ability to discover information of relevance (facts related to the audit objective) is dependent on the ability to ask the right questions.

The apt quotation below, though in danger of being overquoted, so suitably and elegantly encapsulates the basis of all successful questioning:


"I keep six honest serving men, they taught me all I knew, their names are What and Why and When and How and Where and Who."
(Rudyard Kipling, "The Elephant's Child")

Elsewhere, particularly in quality training, they are called the 5 W's and an H. Although a clumsy description, the idea is the same.

Questions beginning with these words will elicit more than just Yes or No answers and are, therefore,

called open questions. It takes longer to answer such a question than it does to ask, so the auditor

also gets some thinking time.

Auditors can control the tone of discussions to their advantage with the use of these questions since the questions demand meaningful answers. It is impossible to correctly answer an open question with

a Yes or No response.

There are different types of questions:

Themed questions set a theme quite clearly before posing a question, e.g., “Talking of software validation, how do you … ?”

Expansive questions expand the conversation and create a high level of empathy because they show the auditor is interested in the points the auditee has put forward. They can often clear up vague areas for the auditor, as well as clarify the auditee's perception, e.g.,

“How important is it for you to be advised of this type of procedure?”
“Why do you feel there is a need for … ?”
“How can you be certain the supplier can deliver … ?”
“What areas are you thinking of?”

Opinion questions are often neglected. There is a danger in straying too far from fact, but this type of question can be very useful for gaining someone's attention or for gaining new approaches to problem solving. They indicate that the auditor regards the auditee's view as important, thereby raising the auditee's self image, plus they encourage the auditees who regard themselves as the local expert to say more. They can also encourage junior people in an organization to say more.

“What do you think would be the most effective … ?”
“How would you go about … ?”

Investigative questions are most useful when the auditor is not sure whether the auditee has fully understood what has been said, but wants to avoid making it obvious that the auditor realizes the lack of understanding. The auditee can feel at ease and the auditor is able to clarify a point without embarrassing the auditee.

“Can you tell me why this unit marked with a red tag is on the pallet of finished goods tested OK?”

Non-verbal questions may seem to be a contradiction in terms, but questions do exist in this form. For example, the raising of the eyebrows while maintaining eye contact can indicate a wish for the auditee to continue. Also, remaining silent after you have been given an answer and continuing to look at the auditee in an expectant manner often encourages people to carry on talking without verbal interruption. Such a technique must be used with care to avoid the appearance of an interrogation.

Repetitive questions are used to gain time since they keep the conversation going. For example, an auditee might say, “I don't think a written procedure is necessary”, and the auditor asks, “You don't think a written procedure is necessary?” The auditee is obliged to answer the question.

This type of question should be used like the “dumb” question. No question should be considered too stupid for the auditor to ask if the audit objectives are going to be met. However, repetitive or dumb questions should be used sparingly. If overused, the repetitive questions can be seen as an inability to communicate, and too many dumb questions may cause the auditee to wonder whether it is deliberate or not.


Hypothetical questions should also be used with care. It is reasonable to ask people what they would do if an instruction is not received or if key individuals were unavailable. It is not reasonable to add together a complicated set of possibilities on the remote chance that this would cause a problem. (We have all heard about the proverbial bus that seems to keep running people over!) There is usually enough material in actual current practices without overdoing hypotheses. It can, however, be a good way of finding out what the priorities are and what sort of contingency planning has taken place in the system, for example,

“What if no calculations satisfied this equation?”
“Suppose the power failed?”

Closed questions are ones that can be answered Yes or No. They are assumptive and can be very powerful. They should only be used in audits where the Yes and No answer can quite definitely be given because of what has gone before. They should be used to verify that the auditor has clearly understood what has been explained.

If an auditor wants a commitment from someone, closed questions can be used, for example, “The rate of customer complaints has risen?” (Yes). “So if we examined the causes of these complaints and took action we could reduce them?” (Yes). Such questions can also save time, although they should not be used for this reason alone on an audit.

Another type of closed question is the leading question that is used when a quick reply is required and the auditor wishes to suggest the right answer. For example, “So you will go ahead with this corrective action and report back within two weeks?” In this way, the auditor leads the question to an obvious answer and (probably) gets commitment to the preferred line of action.

Leading questions are common in bad audits and rare in good ones. The auditor should not lead the auditee to an answer except perhaps after exhaustive attempts have been made to reach a conclusion by other means.

A number of organizations find that an understanding of these questioning techniques is particularly useful prior to undergoing an external audit by a second or third party. While making no

recommendation here of such a practice, it is true to say that if an auditee answers precisely and only

the question the auditor asks, the auditor has to work very hard. Some auditors complain of such a tactic. Who is at fault?

Without doubt, the ability to ask questions of the right type is one of the most powerful tools in the auditor's toolbox. It is taken for granted as a management skill, but auditors must learn to identify and

use the appropriate techniques. In this way, they will improve communications and conduct more

effective audits.

6.1.3 Defining The Roles And Responsibilities Of Audit Participants

The audit proper can now begin. At any point in the audit, the number of people participating in an audit group may be quite large and include:

6.1.3.1 Audit Team

• Leader and member(s)
• Trainee Auditor and trainee Lead Auditor
• RAB Provisional Auditor, Observer
• Interpreter, Expert
• Witness

6.1.3.2 Auditee

• Guide
• Department manager and staff
• Observers, Trainees
• Consultant

1. It is in the team leader's interest to keep the number of people in such a group to a minimum, but with patience, good management and a clear idea of the audit objectives, the auditors can carry out the audit with even a large following.

2. It must be made quite clear to all in the party that only two people should speak during the audit: the auditor and the person being interviewed at the time.

3. The team members carry out the audit as per the audit plan and support the lead auditor. The team leader manages the audit team and also shares in the auditing workload.

4. Observers do not participate in the audit. They can only watch the audit, take notes as necessary, and clarify issues at the audit team meetings.

5. If interpreters are needed, then the Registrar should preferably bring them in. Caution should be exercised when the auditee provides the interpreter.

6. Experts may be used when auditing a highly specialized business. Their role is not to audit, but to provide technical guidance on products, processes, and activities.

7. Witnesses may be from the RAB, regulatory, customer, or legal agencies. Their role is not to audit the auditee, but to witness the audit process conducted by the Registrar audit team and provide relevant feedback.

8. From the auditee side, guides take audit team members to the specific parts of the organization and introduce auditors to various auditees at the scheduled times. They should ensure that the audit team is aware of and conforms to the safety and security rules of the organization. They should not participate in the audit interview unless invited to do so by the auditor, perhaps to clarify a question or assist in collecting information. They should take notes and witness the audit observations. Observers and trainees must not participate in the audit interview, but should take notes to witness or learn.

9. Consultants must declare their relationship with the auditee and must not participate in any of the audit activities, unless permitted to do so by the team leader.

6.1.3.3 One/Two Person Teams

One auditor carries out most audits, yet these audits are quite successful and satisfactory to all parties. It is very typical in internal audits (first party) for the audit to be performed by one person. It is just as typical in third party audits carried out for the purposes of registration for the auditors to be operating individually. Keep in mind that using one-person teams is more cost effective for the client.

In the past, in many 2nd party and 3rd party audits, it was more typical to have two or more persons in a team. In a typical audit situation, the team leader has to direct his or her attention to the department representative and to the system being audited, while following a particular line of questioning. The second person in an audit has more freedom. They can watch what is going on, not just at the point of audit, but also in peripheral areas. Their perception of events will often be broader than that of the team leader.

They are, therefore, often able to comment to the team leader on the expressions and reactions of the auditees, on the value or otherwise in pursuing a particular line of questioning, and possibly on other aspects outside the team leader's range of vision that would merit a follow up. Both auditors will take notes, and can therefore compare them. If need be, they can corroborate one another's notes in highly political audits. Auditing can also be quite tiring. At selected periods during an audit, a good second auditor can take over as team leader and give the team leader a rest.

Using more than one person may also be of value to the auditee. Interplay during an audit between two auditors working together can be very effective in gaining information. Audits can also be very time-consuming and the second person can act as timekeeper, reminding the team leader periodically of the time allocated to a given area.

Where the team leader is not familiar with the industry or technology, the second auditor may be chosen on the basis of experience in that kind of environment. In cases where groups of two or more auditors are used, it is advisable for one of those group members to be appointed team leader who will be responsible for the overall planning of the audit, as well as for the control of the opening and closing meetings. This person would also prepare the audit summary report.

Auditors are often credited with being incredibly “lucky”. This is often not luck, but good auditing. Pairs of good auditors tend to cover more ground because they complement and support each other.

6.1.4 Collecting and verifying information

During the audit, information relevant to the objectives, scope and criteria, including information relating to the interfaces between functions, activities and processes, should be collected by appropriate sampling and should be verified. Only information that is verifiable may be audit evidence. Audit evidence should be recorded. The audit evidence should be based on samples of the available information. Therefore, there is an element of uncertainty in auditing, and those acting upon the audit conclusion should be aware of this uncertainty.

Process for collecting information to reaching audit conclusions:

6.1.4.1 Audit Evidence

The purpose of an audit is to collect audit evidence, to generate audit findings by evaluating that evidence against the audit criteria, and then to review all individual findings to reach an overall audit conclusion about the degree of conformity and effectiveness of the quality management system.

Auditors must not allow their opinions or prejudices to influence decisions. Audit evidence supports the existence or conformity of an element of the quality management system.

The evidence must be capable of being verified and may be:

• Information, records, or statements of fact
• Qualitative (non-numerical) or quantitative (numerical)
• Based on observation, measurement, or test

Audit information can exist in a variety of forms:

1. It may be quantitative, such as numerical performance data on products, processes and the QMS.
2. It may be qualitative, such as from interview, observations and documents.
3. The auditor must decide if the information is relevant to the product or quality system.
4. Statements can be used as objective evidence when made by those responsible for the activity being audited - known as “admissible statements”.
5. If possible, auditors should gather documented support for the admissible statements.
6. Nonconformities, when found, must be quantified for communication to the auditee.

6.1.4.2 Techniques to obtain objective evidence include:

Interview People:
- that manage, perform, and verify activities
- with responsibility and authority for work

Observe Operations:
- for identification, status, condition, flow, and operation of:
  - facilities, materials, product, equipment, processes, and tasks

Review Documents:
- pertaining to processes and activities
- for details of why, who, what, when, and where

Examine Records:
- for objective evidence of implementation of:
  - processes, activities, controls, inspections, and tests

Evaluate Results:
- to summarize and analyze the audit observations
- to determine the effectiveness of the quality system

6.1.4.3 Audit Sampling

• Objective evidence is obtained by sampling processes, people, documents, and records
• It is based on a small representation of the audited activities
• Not finding nonconformities does not equate to total assurance of control
• Determine sample size and selection based on:
  - complexity
  - volume
  - risk
  - past problems
  - audit time span
• Collect the sample on a random basis (ask permission of the auditee)
• Don’t let the auditee select the samples and possibly bias the representation
• Don’t dig deeper, or select another sample, if the first sample doesn’t find nonconformities
• If no nonconformities are found, move on to the next area of the audit
• Review and agree on conformity with the auditee, guide, and department head
• Deviate from the audit checklist, if appropriate
• Follow unexpected audit trails only if warranted (consult Management Representative or team leader)
• Consider minimal sample size guidelines of: 4/10; 10/100; 20/1000

6.1.5 Generating Audit Findings

Audit evidence should be evaluated against the audit criteria to generate the audit findings. Audit findings can indicate either conformity or nonconformity with audit criteria. When specified by audit objectives, audit findings can identify an opportunity for improvement.

The audit team should meet as needed to review the audit findings at appropriate stages during the audit.

Conformity with audit criteria should be summarized to indicate locations, functions or processes that were audited. If included in the audit plan, individual audit findings of conformity and their supporting evidence should also be recorded.

Nonconformities and their supporting audit evidence should be recorded. Nonconformities may be graded or classified. They should be reviewed with the auditee to obtain acknowledgement that the audit evidence is accurate and that they are understood. Every attempt should be made to resolve any diverging opinions concerning the audit evidence and/or findings, and unresolved points should be recorded.

6.1.5.1 Evidence gathering process

In order to gain the facts, and enough of them from which to come to a conclusion, auditors have to examine samples of documents, items, products, etc. Only the auditors can decide how many samples should be taken. It would obviously be dangerous to see one example of a system in correct operation (when there are hundreds of examples that could also be looked at) and assume that because one had been seen the system was correct all the time. Similarly, it would also be wrong, particularly if a minor aspect is being considered, to look at every single example.

Typically, sample size can vary between 6 and 30 items. In most cases, this small number will be sufficient as long as some attempt has been made to make it representative. To make a sample representative, it needs to be chosen at random. One way to do this is for the auditor to make the choice of sample with management permission. The “sample” may even be the people to interview.

The smaller the set of evidence, the smaller the sample. However, in some cases, a 100% sample might be appropriate. For example, with quarterly management reviews and semi-annual surveillance audits, both sets of meeting minutes would be examined.

The auditor may wish to confirm that the manager's understanding of a system is the same as that of the operator. Again, provided the auditor asks for and receives permission, it is good practice to “audit where the action is” and speak to the people doing the work.

The audit will continue in this vein. The auditor asks the departmental representative how something is done and confirms what has been said by examining samples or talking to someone else.

Certain systems, for example, those for documentation control, are company wide and every department has examples of documents. The auditor needs to be clear about who is responsible for what when verifying the correctness of the documents seen in any given department. Auditors should always seek the help of local personnel affected by the system in question in understanding the evidence.

Naturally, the kind of evidence often being produced is that which will show a failure of the system or a lack of management control. Provided that the auditor has remained objective, has been open with the people contacted, and has invariably been polite in requests for information, there should be no difficulty in reaching agreement on such points with the responsible persons.

6.1.5.2 Taking Notes

Only the most experienced auditors make sufficient notes of all the relevant things seen and heard during an audit. It is obviously an extremely important technique to develop. The auditors must record enough information to make an informed judgement based on an adequate set of notes containing considerable facts.

Notes need to be taken of references to documents, item identification, batch numbers, job numbers, statements, who said them, job titles, relevant questions asked, etc. This information needs to be legible and needs to be retrievable.

Much of it might be referenced in subsequent audits, either in the next department to be visited, or in a department to be visited by another member of the audit team. It will also be used in the verbal and written reports to the auditee for the purpose of defining areas of nonconformity or raising points for discussion. Notes will form part of the Registrar’s customer record file and might also be referenced by auditors on subsequent audits.

The auditor’s notes during an audit remain part of the record system and as such should be retained for a given period. Clearly, they need to be usable and understandable if there is a subsequent need to reference them (perhaps months or years afterwards).

The format of notes, and the medium on which to write them, are matters for each auditor to decide. Many use clipboards with loose sheets that are then clipped together; others find a notebook more practical. Whichever format they use, auditors must safeguard the confidentiality of the information they gain during the audit.

6.1.5.3 Control of the Audit


At all times, the team leader is responsible for maintaining control of the audit. Experience helps auditors to develop their own way of working in an area and then adapting various techniques as each situation demands.

On entering an area and being introduced to the departmental representative by the guide, the team leader should go over the audit plan for that area with the departmental representative and the guide. Their advice as to the best sequence to follow can usually be taken. The items on the checklist are then worked through in a systematic manner.

The amount of time the auditor has to spend talking to management in each area about their system will vary according to how much information was originally made available to the auditors. Where there was very little detail, then more time may have to be spent determining some of the basic controls. In order to understand some of these controls, the auditor will not only speak to management, but also to the people doing the work.

If the auditors find no evidence of nonconformities, they can and should proceed quickly. Having covered their sample, they should move on. Auditors should never continue the investigation in one area until something wrong is found. Doing that is adding bias to the sample; it is making a sample less representative than the one that was chosen during the planning stage.

However, a word of warning: the checklist outlines what the auditors want to look at and what they are looking for. The auditors have an audit objective in mind. As the audit proceeds, situations arise where the auditor has to decide whether to continue the investigation or whether to leave it there. If the team leader thinks continuing the investigation will be useful as far as achieving objectives is concerned, then the checklist can be ignored and the desired audit trail followed. In doing that, a longer period may be spent than was originally planned to examine a particular aspect. This means the rest of the audit must be compressed or parts removed, otherwise the auditors will not finish within the allocated time. If there are problems, the auditors must examine the evidence to the depth necessary to gain objective evidence.

In the context of audits, the concept of objective evidence is very similar to the concept of the expert witness in a court of law. When a witness is called as an expert in a given technology or skill, their evidence in that specific area is taken as being objective. On an audit, people are not being put on a “witness stand”. However, when people are talking about their area of responsibility for action or decision, then their evidence is admissible. Statements made outside their areas of responsibility are viewed as hearsay. As mentioned previously, it is good auditing practice to seek out documented support, where possible, for all stated evidence.

Objective evidence is also that which is seen. It is possible to observe the lack of status, signature, protection, or a label. It is possible to see records, or lack of them, and to examine items or material. The senses of sight and sound are probably the ones most used in audits.

6.1.5.4 Recording Nonconformities

As the audit proceeds, there might arise situations where the facts indicate there is a failure, either partially or wholly, of the quality management system. This is called many names in auditing. For the purposes of consistency in these notes, such a situation is called “a nonconformity”.

What is nonconformity?

• a condition adverse to Quality
• the non-fulfillment of a requirement

Examples of requirements:

• Conditions of contract
• ISO 9001 standard
• QMS documentation
• Regulatory and industry

There may be nonconformity for one of three reasons:

1. the procedure or defined process does not conform to ISO 9001 requirements
2. the procedure or process has not been put into practice in the described way
3. the practice, what is actually done, is not effective (planned results not achieved).

Many situations arise during an audit with the potential to become nonconformities. As soon as the facts are indicative of nonconformity, the auditors should immediately voice their thoughts to the departmental representative. This is certainly not a cause for rejoicing, but total openness from auditors will encourage the same from the auditee.

It is essential that both parties fully understand the problem and how serious it is. Auditors will often need a little help from the auditee to do that. Once the facts of the matter are established, they should be written down by the auditor and agreed to by the auditee.

It is generally not good practice to complete the form during the interview, as doing so might break the flow of the interview and rush the writing of the nonconformity statement. The auditee should agree with the facts at this point (and certainly before the auditors leave the area for another part of the audit).

The statement of nonconformity needs to be in a format understandable both to people in the audit and to those who were not. People who were not present at the audit will often be assigned to take the necessary corrective action. This need alone defines some rules for the recording of nonconformities:

Exact observation of the facts. Only the facts are needed and the reporting of them needs to be exact.

Where was it found? The statement needs to identify exactly where it was found, otherwise it may not be found again.

What was found? It needs to be clear so that people understand what aspect of the system is nonconforming.

Why is it a nonconformity? The statement needs to make it clear what specified requirement has not been met.

What is the objective evidence of the nonconformity? What audit evidence do we have (records, documents, statements or observations) for our nonconformity findings?

Who was involved? The statement often has no need to involve specific people, but where the objective evidence was based on a statement, then the statement and the originator(s) need to be clear. Job titles rather than names should be used.

Use local terminology. Industry has its own names for certain activities, documents, etc. These unique terms should be used for clarity.

Make it retrievable. Someone has to go back after the audit and put it right, possibly after a considerable period of time.

Make it helpful. To be helpful, nonconformity statements should be complete, correct, concise and clear. Suggestions, particularly on external audits, are not recommended, nor are they the auditor’s duty.

Some examples of typical nonconformities will allow at least some of the above points to be made, assuming these are from audits to ISO 9001.


Nonconformity Example 1

Requirement: Procedure OPT869 requires that all system specifications be under configuration control and included in the CON master list.

Finding: System Specification ISS420 is not included in the CON master list for Contract 946x90 and there is no procedure to ensure its current issue status is known.

This example is factual, the evidence can be found again, and it is clear that it is a nonconformity. It is obvious that, to put this right, at least two aspects need to be considered.

There are two reasons why it is a nonconformity. First, the specification should be in the master list, so that is a lack of implementation of a procedure. Second, there is no method to know its issue status, so this is a lack of a system for document and data control. It violated two specified requirements: the procedure (OPT869) and, therefore, ISO 9001.

A further purely practical consideration is that of brevity. The nonconformities have to be prepared during the audit (written down) and presented in the review sessions and at the closing meeting. It can aid effective understanding if they are kept as short as practical.

Nonconformity Example 2

In Clean Room B4, a technician was preparing a standard formulation SF35 on the Lab workbench. Various files and documents and uncovered food were seen on the workbench in violation of

department procedure CP-001. It is not always possible to make statements brief. It is more important to get all the facts. The

example above is a breach of an internal procedure and is an implementation nonconformity (there is

a procedure, but it is not being implemented).

Nonconformity Example 3 Requirement: Contract 89530 requires the prior approval by the client for all changes to welding

procedures. Finding: Welding procedures WP-994/C, WP-179/E and WP-758/U, used to complete contract 89530,

have been changed without this approval. This statement could be made even briefer, but all the facts are there and it is retrievable. It is a violation of the prime specified requirement, “the contract”, and is a nonconformity of implementation.

Nonconformity Example 4

Requirement: The Chief Draftsman stated that all draftsmen and engineers based their choice of limits and fits on Newall only.

Finding: A draftsman calculating tolerances on a collar box bush, part number CBB 88, for contract APH/49/D0, stated that he used BS 1916 because Newall did not work for this application.

The objective evidence here is all based on what people have said. However, it is admissible in both

cases because the persons are talking about their responsibility. It is partly a nonconformity of implementation. There is a procedure, but at least one person is not working to it. It is also a

nonconformity of effectiveness because the procedure as stated by the manager is not effective for all

applications.

Nonconformity Example 5

The relevant version of the document is not available where the work is done.

For completeness, an unacceptably written nonconformity is included. We do not know what documents, what issues, or where the documents are supposed to be. There is a conclusion reached without any evidence to back it up. It is a partial quote from the Standard, which in general, should be avoided unless it adds information. In other words, it was a total waste of time for the auditor to write it.

The number of nonconformities that can arise during an audit can be numerous. However, it is unlikely

that they are all equally serious. The auditor needs to be able to differentiate between those that are serious and those that are less so.

In order to help with this analysis, there are three questions the auditor can ask:

1. What could go wrong if the deficiency remains uncorrected?

2. What is the likelihood of such a thing going wrong?

3. Is it likely the system would detect it before the customer is affected?

Most Registrars classify nonconformities as either major or minor and have their own defined criteria for each severity level.

It is also common practice for auditors to raise opportunities for improvement that are points of concern, but for which there is insufficient objective evidence to raise a nonconformity. Opportunities for improvement are an additional way by which auditors can be seen as being helpful.

Minor Nonconformity

The definition of a MINOR nonconformity:

• Failure to conform to a requirement which (based on judgment and experience) is not likely to result in QMS failure

• A single observed lapse or isolated incident

• Minimal risk of nonconforming product or service

Examples:

• A drawing marked up with unauthorized changes

• A purchase order released without review and approval

• An inspection instrument past its calibration date

• A training record not available

Minor nonconformities have little likelihood of allowing nonconforming product or service to be delivered or causing a breakdown of system control. They do indicate that there are occasional lapses that must be formally addressed through corrective action.

Major Nonconformity

The definition of a MAJOR nonconformity:

• Total breakdown of system, control, or procedure

• Absence of an ISO 9001 requirement

• A number of minors related to the same clause

• A nonconformity that would result in probable shipment of nonconforming or un-inspected product

• A condition that may result in the failure or materially reduce the usability of product for intended purpose

• A nonconformity that experience and judgment indicate will likely result in QMS failure or materially reduce its ability to assure controlled processes and products

Examples:

• No documented procedure for any required element of the standard

• Document changes routinely carried out in an unauthorized manner

• Critical purchases made from unevaluated suppliers

• Product shipped without required inspection and tests

Majors represent serious problems in the system that must be addressed with attention and resources on a priority basis. They put the business at risk with customers and the Registrar.

Registrars will not certify a company if Majors exist. These must be addressed in a timely manner and

to the Registrar’s satisfaction.

On surveillance audits, the registrar may threaten to suspend an organization’s certificate and later revoke it, if the organization fails to address the major, does not address it in a timely manner, or just superficially corrects it.

Between these two extremes a number of less serious nonconformities, when considered together, may identify a system failure and hence a Major nonconformity.

The auditors need to consider all the evidence available to see whether a process or sub-system of the QMS is failing. It is the combination of all the evidence that will contribute to the informed judgement that the auditors will be required to present to the organization.

6.1.5.5 Review with Auditee

ISO 9001 clause 5.5.2 states the Management Representative must have the responsibility and authority to ensure that the processes of the quality management system are established and maintained.

The Quality Manager handles this role in some companies. In other companies, a different position is given the above specific duty along with many other functional responsibilities. Whoever it is will probably be that person with whom the auditors made original contact to set up the audit and the one who organized the various arrangements in the company.

It is good practice, and is becoming customary, to allocate some time at the end of each day or at the beginning of the next day, in which to bring that person up to date with “nonconformities raised”, doubts, progress of the audit, and proposed changes to plan.

Such meetings generate rapport between the auditors and the management representative and can develop into a useful relationship where information can be exchanged that is of benefit to both parties. Remember that audits are not designed to find just nonconformities. Where conformity has been witnessed, this should also be reported.

6.1.5.6 Reaction of Auditees

If an experienced auditor cares to look back over several different types of audits they have done, the likelihood is they will be able to recall a whole range of auditee reactions they have experienced, from outright hostility to willing cooperation. The auditor has to be prepared to meet and deal with this range of reaction. In general, top management will set the “tone” by their general interest and involvement in quality assurance (or lack of it). It must be said, though, that as organizations realize more and more the full benefits of ISO 9001, auditee reactions are very much on the decline and normally occur when faced by a negative auditor. Let's look at some possible reactions.

Authority - This can work both ways. Some auditees become protective of their departments or company and try to “browbeat” the auditor. The auditor must insist firmly, but politely, on being given respect (provided, of course, the auditor gives it first).

Some auditees feel “inferior” to the auditors, and because the auditors are a representation of authority, become nervous. The auditor must use patience and politeness, and where appropriate, be empathetic.

Antagonism - For whatever reason, auditees may occasionally become hostile and aggressive towards the auditor. Naturally, the auditor must ignore any rudeness from the auditee. However, they may have to spend slightly longer in the area using patience, firmness, and politeness as their main defenses.

Diversionary tactics - These tactics can be many and varied. Anything that uses up time that was otherwise planned for auditing can be included here. People may sometimes be very well meaning, but if they spend a lot of time explaining things that the auditors have not asked them for, they must be politely stopped.

Videos about the company can be very interesting and sometimes useful, but if not relevant to the audit, should be avoided (as should the interesting machine or process). Auditees will sometimes appeal to your curiosity and want to show the “latest thing”.

Long lunches should also be avoided. They take up time to no great benefit to the audit, and most certainly, alcoholic beverages must be declined.

It is not always a deliberate ploy, but the guide or the departmental representative can waste a lot of time “just going off to get what you want”. The auditor should accompany the person, or perhaps

arrangements can be made to get it later. A lot of time can also be wasted while the guide answers the telephone, or involves the departmental

representative in a lot of discussion about matters external to the audit. Sometimes, auditors are kept

waiting for information, or for auditee representatives to appear, because they are on the telephone or in a meeting.

If this does happen, then above all do not get angry, be firm yet polite, refrain from critical comments and confrontation, continue with the audit plan and point out that there are many areas still to be

covered in the remaining time. If the problem arises again, speak to the management representative.

Volunteered information

Auditors receive a lot of data during an audit. They hope to get the information they want in an

effective manner. Sometimes, people give them information they have not asked for, maybe about a

failure in part of the quality system. The auditor is now in a quandary. Do they follow up that lead now, later, or do they ignore it? It may be a “red herring”, taking up a lot of time and leading

nowhere. It may be important and relate to the audit objective. Only experienced auditors will tend to

make the right decision here. There is no right answer and it is just one of the many things an auditor has to consider while performing an audit.

Internal conflicts

Audits can be stressful on all involved and sometimes findings during an audit provoke an argument

between members of the organization. The audit is not the place for this and the auditor needs to use

a little tact in smoothing the situation, without getting involved, and continue with the audit. Seek objective evidence without being seen to take sides.

Continual challenge

The auditee has the right, and indeed the duty, to challenge auditors that reach conclusions on the basis of unsound information. This can happen where auditors are not fully briefed about contract

conditions, product requirements, or where they stray from objective evidence. However, it is for the

auditor to continually put up a strong and factual case for all conclusions reached so that the auditee accepts them.

Enlisting help

In some companies, the Quality Assurance staff often guides external auditors around during an audit

and frequently a good rapport is developed. If the Quality Assurance people are having difficulty in

getting the corrective action taken, they may “lead” the auditors to deficient areas. While not exactly volunteering information, the auditee is enlisting the (powerful) support of customer representatives.

The auditors may use this information by gaining facts (considering how to protect their sources) so that any nonconformities found are indisputable.

6.1.5.7 Audit Team Meeting

An audit team meeting should be held after the auditing process completes so the team leader can

plan the closing meeting in detail, and ensure the team knows what is going to be presented to the

organization in the way of nonconformities and a summary. The team leader chairs the audit team meeting and has some points that must be covered:

a) To complete the recording of all nonconformities with supporting audit evidence

b) To review the audit findings, and any other appropriate information collected during the audit, against the audit objectives

c) To agree on the audit conclusions, taking into account the uncertainty inherent in the audit process

d) To prepare the Audit Summary Report

e) To prepare recommendations, if specified by the audit objectives and

f) To discuss audit follow-up, if included in the audit plan

The team meeting needs to be at least an hour before the closing meeting, or less if some of the work has already been previously completed (for example, the night before).

Some auditors try to “squeeze in” a bit more auditing at this point. The law of diminishing returns applies and very little will be gained by trying to rush through some more auditing.

There is no set rule about who presents the information. The team leader may present everything (all nonconformities and the summary), or the team members may be asked to present the nonconformities they found. The review of nonconformities is important and members should be rigorous in their review of one another's statements. Are all the facts there? Is it clear it is a nonconformity? Can it be read easily? Is it grammatically correct?

As a result of the “review team” findings, the team leader prepares an audit summary. This summary reflects the degree to which a company is conforming to its own documented quality management system and the ISO 9001 standard.

As a suggestion, a team leader should answer three questions asked about the quality management

system in any audit:

1. Is there a documented (and defined) system addressing the clauses of ISO 9001? - to what extent? (audit of documentation)

2. Has this documented system been put into practice? - to what extent? (audit of implementation)

3. Is the quality management system achieving objectives? - to what extent? (audit of effectiveness).

- Are nonconformities being prevented by the existing controls?

To answer these questions, the nonconformities raised will give some guidance.

Further questions may be answered by the summary:

4. Do the nonconformities indicate weakness in any particular department, process, or ISO 9001 clause within the audit scope?

5. Do the nonconformities indicate weakness in any particular part of the QMS?

The team leader also prepares an agenda for the closing meeting and arranges, either through a team member or a guide, for copies of all nonconformities to be passed over to the company's management at the appropriate time. It is ideal, but by no means possible on every audit, for the team leader to organize the seating arrangements for the closing meeting. This is not for any underhand reason, but

they should try to ensure that the arrangements suit the purpose and no one is in an awkward position. Often, the closing meeting is in the very room the auditors used for their team meeting.

6.1.5.8 Audit Conclusions – QMS Effectiveness

As the audit comes towards the end, the auditors should be gradually building up a picture of the organization’s QMS strengths and weaknesses. This is the composite picture the auditors are required

to present at the closing meeting and in their written report. The team leader has the responsibility for generating this composite picture as their audit conclusion of

the degree to which working systems conform to stated requirements and objectives (and the Standard), after consideration of all audit findings. This information comes from the findings during the

audit, but it is necessary to “sort” this so that a reasonable conclusion can be reached (assuming nonconformities have been found):

• number of major nonconformities raised

• number of nonconformities raised during the audit of defined processes and documentation (intent)

• number of nonconformities raised during the audit of implementation (practices)

• number of nonconformities related to the effectiveness of the system

• number of nonconformities raised against each clause of the Standard

• number of nonconformities in each department or area of responsibility

• The capability of the management review process to ensure the continuing suitability, adequacy, effectiveness and improvement of the management system

Based on this, a picture emerges of the kinds of failure found, relative frequency, where found in the company, and the quality management system requirement (clause of the standard) that is weakest. However, this is not the only information the auditor should be considering. A further picture can emerge from examining the following:

Internal failures

How many modifications to drawings, specifications, or purchase orders were made that should have been avoided? How much avoidable product scrap, rework, and concessions or waivers occur?

External failures

How often do customers complain and/or return product? Is there a large Returns department?

Past Audits

Have recent internal and external audits established many nonconformities?

Trends

Do they consider any or all the above in reviews to establish how their quality management system

should be changed to prevent such events in the future? Is the number of nonconformities rising,

static, or falling?

Corrective action

Has there been any evidence to show that a strong and consistently effective system operates to

correct things that are wrong and monitor it to ensure it stays that way? What techniques are used to establish the causes? Are they shown to work?

Management attitude

Does top management know the results of audits, the level of product defects, and the cost of poor

quality? Are they involved rather than only stated to be committed? What evidence is there, if any,

that top management takes an interest in the quality management system? Are they proud of their

system?

Staff attitude to management

Are the employees positive about their management? Is there an open or closed-door style? Did the

management representative have easy access to various managers during the audit? Does the staff have to “dress up” nonconformities for presentation to management? If auditors find information that

indicates a distinct lack of management support for the system, then they should say so in their

report. Their task is to collate the evidence as fairly and objectively as they can and highlight areas of the greatest risk and least assurance.

As usual, there is no substitute for experience, and even experienced team leaders are very careful about their conclusions, and about the way they present them.

6.1.5.9 Options for recommendation

Once the audit team has completed their agenda, it remains for the audit team leader to prepare the recommendation of the team.

1. Recommend registration unconditionally, since no nonconformities were found.

2. Recommend registration conditionally, subject to the receipt of an acceptable corrective action plan and follow-up.

Where a number of minor nonconformities have been identified, the audit team leader would probably present this option to the auditee. When doing so, the team leader will stipulate the time by which the corrective action plan must be submitted to the registration body.

More emphasis will be placed on the time required by the auditee to implement the corrective action than on the planned corrective action itself. After all, in some instances it is possible that the auditor would not know the best corrective action to be taken, but by focusing on the time required a commitment to quality is being sought.

Follow-up options may include:

• Verification at the next surveillance audit

• Evaluation of the mailed evidence

• Special visit to verify the corrective action

3. Unable to recommend registration, due to a major nonconformity or a significant number of minor nonconformities

In situations where a major nonconformity or a significant number of minor nonconformities are reported, the audit team leader would not recommend registration. Follow-up options in such a situation would include:

• Partial Re-audit - where a large number of minor nonconformities, or perhaps a single major nonconformity, has been identified, a partial re-assessment might be appropriate. A partial re-audit of the QMS would focus only on the reported nonconformities

• Full Re-audit - where a large number of connected minor nonconformities, or perhaps more than one major nonconformity, has been identified, then a full re-audit of the QMS might be the only option available.

There is no ‘magic’ number of nonconformities or formula used to decide on the options available; each case will be decided on its own merits.

No team leader likes to be the bearer of bad news. An auditee might have allocated significant

resource over a long period of time to install the Quality System. But if major nonconformities have

been identified, it is likely that the audit team leader has no alternative but to recommend a full re-assessment. In this situation, the auditee may take the news badly, and perhaps personally.

The team leader could take the option of not waiting until the closing meeting was under way to present such a recommendation, but advise the management representative prior to the closing meeting.

In the case of internal or second party audits, audit conclusions can lead to recommendations regarding improvements, business relationships or future auditing activities.

6.1.5.10 Closing Meeting

The closing meeting is the concluding meeting of the audit and is the formal presentation by the team

of the findings and conclusions of the audit. Participants should include the auditee and may also

include the audit client and other parties. In many instances, for example internal audits in a small organization, the closing meeting may consist of just communicating the audit findings and

conclusions. For other audit situations, the meeting should be formal and minutes, including records of

attendance, should be kept. Any diverging opinions regarding the audit findings and/or conclusions between the audit team and the

auditee should be discussed and resolved. If not resolved, all opinions should be recorded. If specified by audit objectives, recommendations for improvements should be presented. It should be

emphasized that recommendations are not binding.

The way the meeting is carried out is by conventions developed over the years in which audits have been carried out. As long as the auditee management understands the findings and agrees to the facts surrounding them before the team leaves, the team leader and team have done their job.

Promptly, at the agreed time, the team should make themselves available for the meeting. The team leader chairs the meeting. The team leader should take the initiative and work through the agenda as prepared during the audit team meeting. The following points need to be covered in some form:

1. List of Attendees

The team leader or the second auditor passes around an attendance list with name and position to be entered by each attendee.

2. Thanks

The team leader should thank the company on behalf of the team for their help, time, etc. If the organization participated in the audit in an open fashion, the team leader should say so and thank them for it. If this was not the case, then silence on the subject is preferred. The team leader should also thank the guides for their assistance.

3. Objectives, Scope, and Criteria

As a formality, and to ensure that the basis for the audit is not in doubt, the objectives, scope, and criteria should be restated. This is for a number of practical reasons. There is usually no real doubt

about this in the organization because it has been discussed and agreed before the audit took place.

However, some of the people attending the closing meeting may not have been present at the opening meeting and are not necessarily aware of everything that has happened in between. Audits cover a lot

of ground, some of it irrelevant (not too much in a well-planned audit). The objectives can become

hazy. Therefore, the statement by the team leader of the objective and scope resets the context of the audit.

4. Report

The audit conclusions on system effectiveness will be formally reported and the results to be given to

the auditee should be described.

5. Limitations

It bears repetition that the audit was a sample of activities and is, therefore, subject to the risks

associated with sampling. Not every conforming or nonconforming area was seen, only a

representative selection. Therefore, the possibility exists that there are additional nonconformities in areas not covered by this audit.

It is recommended that the auditors develop a standard statement covering the essence of the above in their own words, although many Registrars include the appropriate wording in their report documents.

6. Confidentiality

The lead auditor should reassure the auditee that everything seen or heard during the audit is kept in

strict confidence. Any documents provided to the audit team will be returned before the auditors leave the premises.

7. Audit Summary

The audit results should be summarized for presentation to management. Do not forget to start your

presentation with ‘accentuating the positive’. Based on your audit, provide sincere and factual feedback on the QMS strengths – departments, processes, resources, controls, documentation, etc.

Nonconformity findings may be grouped by functional area (department), clause of the standard, and severity level (major, minor, or concern). Findings could also be categorized by type of failure, for example, intent (defined processes and documentation), implementation (practices), or effectiveness (results).

8. Presentation of Nonconformities

It is recommended that the nonconformities be read out one after the other until they have all been

presented, although it might be necessary to give a summary. In some cases, the auditee representatives will have copies of the nonconformities, if some were

agreed earlier. There are different schools of thought about giving copies of the nonconformities to the auditees at the time of the closing meeting. Generally, there are few disadvantages, and it is

recommended here as good practice. There is then no need for auditees to try to make notes. It is also

recommended that the nonconformities be read from the report rather than trying to describe them. This limits the tendency to add unnecessary words and comments that should not be necessary if the

nonconformity statement is complete in all respects. Reading the statements also encourages less experienced auditors to present the nonconformities in a clear, firm voice and not apologetically.

Nonconformities may be agreed with the Management Representative or authorized person. Signature usually designates acceptance; however, there will be times when the auditee may disagree with a particular nonconformity and not accept it. In this case, the signature may simply denote acknowledgment of receipt of the nonconformity.

9. Agreement

Each of the nonconformities presented was based on the facts agreed to earlier by a departmental representative. Although agreement was reached at that time, the wording of the nonconformity is

unlikely to have been at its most complete and concise. Either at review meetings, or at the Closing

Meeting, these nonconformities are signed by the auditee to acknowledge receipt and understanding of the content.

10. Recommendation

The team leader is responsible for presenting the conclusion reached by the team based on the audit results. This is the “informed judgement” of the auditors. It must consider the seriousness of any nonconformities and whether they indicate a departmental or company-wide breakdown of the system. The conclusion must be balanced with positive findings made during the audit.

The recommendation must also reflect what effect the results of the audit will have on the future relationship between the two organizations. Thus, if it is a second party audit, the auditors will have to make recommendations to their own company about business with the auditee. The auditors are often limited in what they are allowed to say to the auditee. Few auditors actually make the purchasing decision, for example. However, they should leave the auditee with a clear idea where they stand.

If it is a third party audit, the team leader has to state whether registration is recommended or not. A copy of the audit report including any nonconformities is left with the auditee.

The summary might need “tidying up”. The basic “sense” of the summary will not change, although the layout and words may be revised in the report.

11. Clarification

The auditee must have an opportunity to ask questions about the nonconformities or the summary and it would normally come at this point. The facts as stated should not be in dispute. Assuming the auditee accepts all the nonconformities or the summary, the auditor may be asked what response is necessary for the points raised. The auditors would expect the auditee to propose some corrective action in a given timeframe.

The closing meeting is not the place to discuss actual corrective action. That should be given very careful consideration by the auditee. The team leader should, therefore, state that a proposed plan of corrective action is necessary within a number of days or weeks after receipt of the report. However, if the recommendation is for a full re-audit, then it will not be necessary to submit a corrective action plan.

12. Departure

Having presented the findings and discussed them to the auditee's satisfaction, the audit team can

depart, once again thanking the auditee for time, etc.

However, at various times in the past, and perhaps also to be expected in the future, audit teams are faced with the meeting not going to plan for some reason or another.

6.1.5.11 Closing Meeting Scenarios:

Some possible situations encountered by an audit team relative to the closing meeting:

a) Senior person in the company is not present at the closing meeting

The auditors arranged the closing meeting as part of the audit plan agreed to by the auditee prior to

the audit. By the very nature of the closing meeting, most companies want to have someone in senior

management represent them at the closing meeting. However, the auditors cannot demand the presence of top management, but can certainly ask why they are unable to attend. If the team leader thinks that the auditee representation is not senior enough, someone senior can be

requested to be available. If it was arranged for top management to be there and they do not arrive, then it is reasonable for the team leader to delay the meeting for a short time to wait for them. A

telephone call will probably be necessary to check.

After a reasonable time has elapsed (perhaps half an hour), the team leader should hold the meeting with whoever is there. Under no circumstances should the meeting be canceled. But, remember to add this to your audit report.

b) Corrective action taken since a nonconformity was recorded

It may be that minor nonconformities can be corrected quite quickly and easily. If this is what has occurred, and the team leader is satisfied that effective corrective action has been taken, then the nonconformity is noted as “closed out”. The fact that it was found during the audit remains noted in the report.

If corrective action taken for a major nonconformity is presented, the team leader should politely point out that the closing meeting is not the forum to discuss such issues and the corrective action will be audited during the next audit for effectiveness.

c) Clear evidence produced that shows there is no nonconformity

If the auditors find they were mistaken about a nonconformity, and they are convinced of it based on the new information, they should withdraw the nonconformity.

d) Bulky evidence produced that apparently shows there is no nonconformity

Such evidence should have been made available during the audit at the time the nonconformity was raised. The team leader should explain that the auditors would consider the evidence produced, but not at the closing meeting. If the evidence shows there is no nonconformity, then they will withdraw it.

Care is needed if the nonconformity being removed is the only Major one and therefore, the recommendation being made by the auditors might have to change. The team leader must decide whether to consider the information and, if necessary, postpone the closing meeting until later.

e) Company wants to alter the scope of the audit

If the auditors are requested to alter the scope of the audit at the closing meeting, they are rarely able to do so. Few auditors have this authority. They must follow their own procedures. Any alteration to the scope is outside the activities of the audit. The auditee will need to discuss the proposed scope with the Registrar’s office. If the request is to assist with clarification of the scope, the team leader can give this consideration.

f) Auditee wants to extend the meeting

Once the nonconformities have been discussed, and some commitment to a plan of corrective action

has been given, there is no value in allowing the meeting to continue. Most closing meetings normally are over within half an hour. The team leader, therefore, may need to be firm in closing the meeting

after the necessary points have been covered.

Module 7 - Audit Reporting

7.1 Audit Reports and Records

The report of an external audit should provide a complete, accurate, concise and clear record of the audit. It is the major output of the audit process and may be read and used by people who were not at the audit (and have no other information about the audit). It is, therefore, important that the audit report give a balanced picture of the whole audit, not merely the nonconformities found.

Some organizations require their auditors to give a complete audit account, including all observations made, all persons addressed, and all samples taken. This approach provides a complete picture of all the conformities seen, not just the nonconformities.

However, many organizations require fairly brief reports. Although shorter and less costly to prepare, they still provide an adequate amount of information. The whole reason for preparing a report is for use by various people to initiate corrective actions and to evaluate and address any recommended opportunities for improvement.

The audit team leader should be responsible for the preparation and contents of the audit report. Essentially, the following points are to be addressed in an audit report:
• Unique audit identity (number/letter, etc.)
• Audit objectives and criteria
• The audit scope, particularly the organizational and functional units or processes audited and time period covered
• Identification of the audit client
• The dates and places where the on-site audit was conducted
• The audit findings and conclusions

The report may also include or refer to the following, as appropriate:
• The audit plan
• A list of audit attendees
• A summary of the audit process, including the uncertainty and/or any obstacles encountered that could decrease the reliability of the audit conclusions
• Confirmation that the audit objectives have been accomplished within the audit scope in accordance with the audit plan
• Any areas not covered, although in the audit plan
• Any unresolved diverging opinions between the audit team and the auditee
• Recommendations for improvement, if specified in the audit objectives
• Agreed follow-up actions if any
• A statement of the confidential nature of the contents
• The distribution list for the audit report
• Applicable quality system requirements (the Standard)
• Names and positions of team leader and team

• Summary

There should be a summary statement, the “polished up” version of the one presented at the closing meeting. This summary provides the informed judgement of the auditors.

• Nonconformities

All audit reports include the nonconformities exactly as they were written and presented to the auditee. If there is a classification system, such as Major or Minor, then this is used. There may also be a reference to a clause in the Standard. If a nonconformity was “closed out” during the audit, then a note is made to that effect.

• Suggestions for correction of nonconformities

This is becoming less typical as organizations recognize its futility. However, certain companies require auditors to include suggestions for correction of nonconformities. This is difficult, time consuming, and risky; it may also be nonconforming with registrar policy and procedures (for reasons previously discussed). The auditors have to be very careful about any suggestions because their knowledge of the auditee's systems is so very limited. Their ability to make valued criticism is so limited, in fact, that in many cases, it is useless and best omitted.

• Suggestions for improvement

As part of the value-added approach to auditing, the audit team should provide improvement suggestions relating to:
- Areas of concern where controls are in place and conforming with requirements, but in the auditor’s experience and judgement, appear weak and likely to lead to a nonconformity in the future
- Opportunities where organizations can more effectively or efficiently manage, perform or control an activity or process, based on the auditors' experience with similar situations in other organizations

It should be understood that the organization has no obligation to implement such suggestions, but it must be aware of the risks of not doing so.

• Approval

The report should be signed and dated by the audit team leader as “approved”. Some organizations require a further signature of a senior person before the report is issued.

It is important to prepare and issue an audit report within a reasonable timeframe. Typically, the report should be issued within 1-2 weeks of the audit and include a letter defining the required response. Another option, used by most registrars, is to leave the report with the auditee at the conclusion of the closing meeting.

The audit response must be considered confidential. Even the fact that an audit has taken place is confidential between the two parties. The audit information must not be disclosed to another party without the permission of both parties.

As with any record, audit reports should be retained on file for a prescribed time. All the other records from the audit should also be retained, for example, checklists that are useful for re-audits, as well as the auditor's own notes made during the audit investigation. Records will also be kept of corrective actions to satisfy the “close out” requirements of each nonconformity.

Internal audits may not require the same depth of documentation of reporting, but the records retained will include at least the following:
• Reference and date of the audit
• Department/office/section audited
• Audit scope and objective
• Names of auditor(s), audit plan, and audit checklists plus nonconformities
• Auditor notes
• Audit summary and conclusions
• Corrective actions taken.

7.2 Approving and distributing the audit report

The audit report should be issued within the agreed time period. If this is not possible, the reasons for the delay should be communicated to the audit client and a new issue date should be agreed.

The audit report should be dated, reviewed and approved in accordance with audit program procedures. The approved report should then be distributed to recipients designated by the audit client. The audit report is the property of the audit client. The audit team members and all report recipients should respect and maintain the confidentiality of the report.

7.3 Close out

7.3.1 Completing the audit

The audit is completed when all activities described in the audit plan have been carried out and the approved audit report is distributed.

Documents pertaining to the audit should be retained or destroyed by agreement between the participating parties and in accordance with the audit program procedures and applicable statutory, regulatory and contractual requirements.

Unless required by law, the audit team and those responsible for managing the audit program should not disclose the contents of documents, any other information obtained during the audit, or the audit report, to any other party without the explicit approval of the audit client and, where appropriate the approval of the auditee. If disclosure of the contents of an audit document is required, the audit client and auditee should be informed as soon as possible.

7.3.2 Conducting audit follow-up

The conclusions of the audit may indicate the need for corrective, preventive or improvement actions, as applicable. Such actions are usually decided and taken by the auditee within an agreed timeframe and are not considered part of the audit. The auditee should keep the audit client informed of the status of these actions.

The completion and effectiveness of corrective action should be verified. This verification may be part of a subsequent audit.

The audit program may specify follow-up by members of the audit team, which adds value by using their expertise. In such cases, care should be taken to maintain the independence in subsequent audit activities.

7.3.3 Auditee post-audit actions

The auditee might have a number of areas that were found to not conform to requirements. These nonconformities must be corrected, the actions verified as effective, and some kind of monitoring implemented to ensure things stay conforming.

If the company has only one set of audit results for which to verify corrective actions, its follow-up system may be quite basic. However, some companies may have several nonconformities from external audits, and more from their own internal audits, product reports, and customer complaints. A formal system is necessary to track each nonconformity as it goes towards “close out”. If the external body is returning to check on corrective action taken, the auditee needs a good system to ensure the action has been taken and was effective.

7.3.4 Auditor post-audit actions

The auditing company needs a system for follow-up to monitor the auditee's progress. More external systems lose their credibility due to lack of an effective follow-up system than for any other reason.

There are certain situations where there would be no follow up. If the audit was by a second party to establish a degree of conformity with the Standard and found many major failures (and no likelihood of business), then there would be no follow-up requirement by the auditor. Another example would be if the audit was by a third party for the purpose of registration and the auditee decided not to proceed.

More commonly, the nonconformities are followed up by the auditor to satisfactorily “close out” the audit.

When a follow-up visit is made, it is only the nonconformities that were identified that are re-audited. If this were not the case, the process would never end and would not be logical.

Often, the follow-up may be done without a visit. For a small number of minor nonconformities found during an internal audit, the follow-up may be left until the next planned audit within that area, if practical.

For second party audits (and especially third party audits), a written response to minor nonconformities is required. Based on an acceptable response, the nonconformities would be reviewed and closed out during the next surveillance visit.

For some of the nonconformities that were purely documentary in nature, it might be possible to deal with them by only a written response.

When a visit is necessary, for example, to follow up on a major nonconformity, it may not be the team leader, or even a team member, but another suitably qualified person located near the auditee company that performs the audit. If the auditor is to use the nonconformity statements to follow up on the corrective action, then the nonconformity statements must be very specific and traceable.

A summary of the follow-up process is:
1. Identification of nonconformities
2. Summary report prepared
3. Corrective action request (CAR) issued
4. Auditor evaluates response to CAR
5. Completion of corrective action by auditee
6. Evaluation of effectiveness by auditee
7. Verification of completion by auditor
8. Escalation (if necessary)
9. Records of each stage in this process

Audit reports need to be read by various people in the company, so a distribution list can be helpful, especially where confidentiality is a major concern.

Within the system for third party registration, the audit is not the end of the story. Following the granting of a certificate (which attests to the conformity of the system to the Standard at the time of the audit), the third party carries out some form of regular surveillance by visiting the company at periodic intervals and checking that the system continues to operate effectively in terms of realizing planned activities and achieving planned results. After a number of these continuous assessment visits, a complete re-audit or review of previous results is carried out, depending on the policy of the Registrar.

During the surveillance period (typically 2-3 years), the visits themselves (every 6-12 months) would normally cover the complete quality management system.

7.3.5 Corrective Action and Preventive Action

The auditor's responsibility is to make clear to the auditee that corrective action is necessary. The auditor rarely specifies corrective action (that is the auditee's duty). Since the auditee is likely to propose corrective action, the auditor must have a view about how effective, or otherwise, such an action might be in resolving the situation once and for all.

Once a nonconformity is in the system, the auditee must ensure that effective and appropriate corrective action has been taken. After clarifying with the auditor for a clear understanding of the nonconformity, and certainly with people in the area where the nonconformity was found, the best corrective action can be decided.

The process of taking, checking, and monitoring the action should be formal; it is perhaps the most important “Quality” activity that takes place in a company. It is certainly where the audit system takes a positive aspect rather than a negative one. However, the process of corrective action is not an easy one.

The auditee has to get to the root cause of the problem if it is going to be corrected forever. It is very easy to correct the effect of the nonconformance instead of the root cause, so in time the nonconformity will re-appear. The auditee also will have to consider the impact of the corrective action on the rest of the process, as well as the effect it might have on areas not considered during the audit.

The essential features of corrective action are as follows:
1. Identification of nonconformity
2. Establish responsibility for controlling the pertinent process
3. Collect data to establish root cause for the nonconformity
4. Analyze the data and establish corrective action
5. Monitor effectiveness of this action, including internal auditing
6. Revise the action if ineffective
7. Record all the actions taken
8. Amend system documentation, as necessary

Not all corrective action is necessarily so involved. Some of the stages listed above are completed rather easily. However, all corrective action follows this general path.

The forward-looking company will determine some criteria for success. If the company is going to be involved in these activities, the business should improve after the audits and the corrective actions have been taken. Has the error rate reduced? Do we now respond to our customer needs quicker? Have we reduced the number of bad debts? Are we throwing out less waste every night, etc?

Sources of preventive actions may arise from analysis of data and from lessons learned from corrective actions that may be applied to potential similar situations. Once identified, the process for addressing preventive actions may be similar to corrective action.

MODULE 8 - Perspective On First, Second and Third Party Audits

8.1 General

No matter whether an audit is to be carried out by an organization on itself or on its suppliers, or by a third party on behalf of someone else, the principles involved in setting it up, in planning it, carrying it out, and reporting it are much the same. However, we should consider these situations and highlight the similarities to be clear about the differences. There is also an overall picture that should be appreciated in order to establish the significance of each type of audit.

8.2 First Party

The first party audit is an audit carried out by a company on itself to determine whether its systems and procedures are consistently improving products and services, and as a means to evaluate conformity with the procedures and the standard.

Each second and third party audit should consider the first party audits carried out by the company in question. Ultimately, the only systems that should need to be examined are those of internal audits and reviews. In fact, the second or third parties themselves have to carry out internal or first party audits to ensure their own systems and procedures are meeting business objectives.

Within any company, therefore, the real benefit to be gained from auditing will come from these “self” audits. The value of an internal auditor is as a representative of the quality assurance resource of the company. What is the point in someone “independent” doing the auditing, if all the auditing effort is put into ensuring that the business has the right people, materials, resources, systems, etc.? If the effort is put into providing the support necessary to do a good job, why do a bad one?

However, it is accepted that some companies still have a long way to go before the above state is reached.

The need for an audit system, whether for external or internal audit, is paramount. Audits will be scheduled according to a plan, usually looking at various processes, their sequence and interaction with other processes within the QMS, with some flexibility built in to allow for realigning a particular effort. There is a need to prepare for each audit with an audit plan and checklist.

Formal opening meetings are not typical, except in fairly large organizations. The auditor meets briefly with the department manager and gets on with the audit.

The auditor is examining the work and outputs of colleagues. This puts an added strain on the auditor and the auditee. The auditor will sometimes be in a difficult position because of this tension. How can both the auditors and the system be protected?

There are two aspects considered here: the system that is installed in partnership with everyone in the company, and the credibility of the auditor.

8.3 System

The system set up to carry out audits often has senior management's signature appended to it. That, of course, means that the manager knows precisely what has been signed and believes absolutely in its value. That was not true of some managers in the past. They willingly signed such procedures and expected the system to work properly without them. They called it “delegation”.

Many other managers realized that the audit could be a very powerful and useful tool and applied it to problem areas using people trained in investigative techniques.

Because they wanted it to happen, they involved themselves in its operation; some of them even underwent the training with their colleagues. Such managers are running successful departments and organizations. People could see by their management’s actions, as well as their statements, that they meant what they said.

A second aspect of the system for internal audits is that of escalation. The previous point made reference to management’s full interest in the system. There should be no doubt of this in the company. It is so important that the operation of the internal audit system should be close to the policy statement in the Quality Manual. The audit procedure should include a clause for escalation. Managers get the system they deserve.

Records of internal audits tend to be limited in comparison with those of external audits. There may not be reports, as such, issued, only the requests for corrective action (CAR) and a way of monitoring them. The auditors should keep all their checklists so that over a period of time they can ensure that as comprehensive an audit program as possible is being carried out. They should also keep their notes in a secure place.

8.4 ISO 9001 Auditor Credibility

A number of points are made here. It is not meant to be an exhaustive treatise on the subject, merely recognition that the auditor is a human being dealing with human beings and that sets the highest qualifications for the would-be auditor.

All auditors must be able to develop a rapport with auditees fairly quickly. Their real job is to facilitate improvement. Rarely do they have much real power, so they have to instigate change by other means.

The situation will frequently arise where there is a nonconformity against procedures and the auditor has the answer. As an external auditor, regardless of whether the auditee would find the suggestion useful or not, they are unable to offer it (to avoid consulting). However, as an internal auditor working for the same company and having the same objectives as their colleagues, they are in a position where they can be of help to the company. They should be prepared to throw away their checklist, roll up their sleeves and help. Wouldn’t such an action meet with the approval of the auditee?

The auditee might even tell the auditor some of the other problems they have so that those can be addressed too. That is the kind of openness that the internal auditor must try to encourage as a natural result of their approach to auditing. Of course, the same degree of openness may not always be in the company’s interests where external auditors are concerned.

It should also be recognized that helping out in the above manner will impact on the auditor’s independence and they will be unable to audit the area for the corrected action and perhaps for an extended period of time. A compromise approach may be to facilitate the discussion of corrective action options and leave the decision-making and implementation of the best option to the organization’s management. This will enable auditors to provide value-added service and still maintain their independence as auditors.

The point has been made that the internal auditor and the auditees are working for the same organization. This can be a double-edged sword. As an external second party auditor with apparent power in a (small) supplier, auditors can hide some of their less glorious attributes. When they are auditing their own colleagues, they have to be scrupulously fair, hard working, reasonable, objective, polite, and respectful if they are to contribute anything to the company in the long term. It can be summarized as being “professional”, possibly the best accolade for any auditor to be given.

Perhaps a part of the latter point, but one that is important enough to merit specific mention, is that of preoccupation with trivia. In external audits, auditees will put up with someone “prying” around their company knowing that they will be gone tomorrow and they won't see them again for a good while. Not so with the internal auditor. Nothing is more designed to ravage the credibility of auditors and all they represent than the sight of them narrowly and trivially working their way through each department. It’s the best way known to “destroy” the system.

So, the points are made. Internal auditing can provide companies with a valuable tool provided they have at least three characteristics:

Internal Audits

STRONG MANAGEMENT DRIVEN SYSTEM
+
FULL UNDERSTANDING OF BENEFITS
+
PROFESSIONAL, TRAINED, AND CREDIBLE AUDITORS
=
EFFECTIVE AUDITS with VALUE ADDED

8.5 Second Party

A second party audit is carried out on a potential or current supplier by a purchasing organization, usually to use the audit result as part of the purchasing equation. This is just one method of conforming to clause 7.4.1 of ISO 9001.

Few companies, even in this age of quality enlightenment, decide to buy from another company on the basis of a quality audit alone. Many purchasers place orders despite, rather than because of, the results of quality audits on suppliers.

Purchasers must consider how much assurance is necessary to get for a particular product or on a particular project. A number of aspects will need consideration:
• Degree of standardization
• Quality history
• Ability to inspect the purchased product
• Complexity
• Uniqueness
• Consequences of product failures
• Special controls of the process, etc.

Upon consideration of these and other similar factors, a decision can be reached on the relative importance of the supplier having a fully conforming system. This should mean that even if a supplier had a very attractive price and delivery, they would not be given a contract where risk was involved because of the weaknesses in their Quality System.

The converse is also true. It should be the case that suppliers with a good (proven) system should gain commercial advantages over their competitors. Most typically, the situations revealed from audits are of some intermediate state. Purchasers then write into their contracts the requirements designed to focus on the highlighted “weaknesses” – possibly through inspection or surveillance at the point where work is being carried out.

The described second party scenario is very typical of the way that quality assurance systems evolved and began to be introduced into the supply chain. Auditors representing the major purchasers were seen as very powerful by many of the (smaller) companies being audited.

If a supplier did not conform to specified requirements, then they could lose the business of that customer. From this situation developed the need for a very strict code of ethics practiced by the auditors.

The growth of second party audits demands a more standardized approach and the ISO 9001 scheme is designed to support audits of all types.

8.5.1 Process of a Second Party Audit

1. Purchaser considers purchasing
2. Sets up audit system
3. Considers risk
4. Decides to audit
5. Audit carried out
6. Audit reported
7. If outcome successful then,
8. Order placed
9. Level of control established
10. Rating
11. Follow-up.

8.6 Third Party

The third party ISO 9001 registration scheme is designed to reduce, and perhaps remove the need for, many second party audits, by providing a list of companies whose systems have been assessed as conforming. This assurance to potential customers means they might not have to audit the suppliers themselves if they can rely on the third party registration.

The auditee pays for the audit by employing a Registrar to audit them on a regular basis. The auditee (if successful) is entered into the Registrar’s “Register of Licensees” and is able to use that recognition in their marketing efforts. The purchaser may also use the “Register of Licensees” and possibly reduce their second party audits. The supplier may not have to undergo as many audits by their customers as they had previously.

The Registrar, in order to have its professionalism and integrity independently assessed, establishes a quality system comprising policy, organization, and procedures. The Registrar is assessed in the USA against these and other criteria by the RAB (Registrar Accreditation Board). If successful, it is given accredited status and recognition of this achievement is shown not only on the certificate given to the Registrar, but also on the certificates issued by the Registrar to its clients. The symbol of the accreditation body appears on the certificate issued by the Registrar to indicate it is accredited for the scope of the audit and its subsequent registration of the client.

The Registrar has to maintain its accreditation by conforming to, and developing as necessary, its own quality management system. One of the activities it must undertake to maintain the accreditation is first party auditing. The Registrar must look at its own policy, organization, and procedures to see whether they continue to be conforming; whether they are defined, put into practice, and are effective.

MODULE 9 - Auditor Competence Requirements

9.1 General for ISO 9001 Lead Auditors

Confidence and reliance in the audit process depend on the competence of those conducting the audit. This competence is based on the demonstration of:
• Personal attributes
• The ability to apply knowledge and skills
• The gaining of knowledge and skills through:
- Education
- Work experience
- Auditor training
- Audit experience

ISO 9001 Lead Auditors develop, maintain and improve their competence through continual professional development and regular participation in audits.

9.2 Personal Attributes

An auditor should be:
• Ethical – fair, truthful, sincere, honest, discreet
• Open-minded – willing to consider alternative ideas
• Diplomatic – tactful in dealing with people
• Observant – aware of surroundings and activities
• Perceptive – instinctively aware of and understands situations
• Versatile – be able to adjust to different situations
• Tenacious – persistent, focused on achieving objectives
• Decisive – reaches timely conclusions
• Self-reliant – functions independently

9.3 Knowledge and Skills

An auditor should have knowledge and skills in:

9.3.1 Audit principles, procedures and techniques:
• Apply audit principles, procedures and techniques
• Plan and organize work effectively
• Conduct audit within agreed time schedule
• Prioritize and focus on matters of significance
• Collect objective audit evidence
• Understand sampling and its limitations
• Verify accuracy of collected information
• Evaluate adequacy of audit evidence and other factors affecting audit findings and conclusions
• Use work documents to record audit activities
• Maintain confidentiality and security of information
• Communicate effectively

9.3.2 Management systems and reference documents:
• Apply management systems to different organizations
• Interact between components of the management system
• Know QMS or EMS standards, applicable procedures and other documents
• Recognize difference and priority of reference documents
• Apply reference documents to different audit situations
• Information systems and technology for control of documents, data and information

9.3.3 Organizational situations:

• Organizational size, structure, functions and relationships

• General business processes and related terminology

• Cultural and social customs of the auditee

• Applicable laws, regulations and other requirements relevant to QMS or EMS disciplines

• Local, regional and national codes, laws and regulations

• Contracts and agreements

• International treaties and conventions

• Other requirements applicable to organization

9.3.4 Applicable laws, regulations and other requirements relevant to QMS or EMS disciplines:

• Local, regional and national codes, laws and regulations

• Contracts and agreements

• International treaties and conventions

• Other requirements to which the organization subscribes

9.3.4 Generic Knowledge and Skills Of Team Leaders

The audit team leader should be able to:

• Plan the audit and make effective use of resources

• Represent audit team in communication

9.3.5 Specific Knowledge and Skills Of ISO 9001 QMS Lead Auditors

• Quality related methods and techniques

• Quality terminology

• Quality management principles and tools and their application

• Processes, products, including services:

• Sector specific terminology, processes and practices

• Technical characteristics of products, processes and services

9.3.6 Specific Knowledge and Skills Of EMS Auditors

- In environmental management methods and techniques:

• Environmental terminology

• Environmental management principles and their application

• Environmental management tools and their application (aspect/impact evaluation; life cycle assessment; performance evaluation)

- In environmental science and terminology:

• Impact of human activities on the environment

• Interaction of ecosystems

• Environment media (air, water, land)

• Management of natural resources

• General methods of environmental protection

- Technical and Environmental aspects of operations:

• Sector-specific terminology

• Environmental aspects and impacts

• Methods for evaluating the significance of environmental aspects

• Critical characteristics of operational processes, products and services

• Monitoring and measuring techniques

• Techniques for the prevention of pollution

ISO 9001 Lead Auditor - Competence

9.4 Education, Work, Training and Audit Experience

Education - Auditors should have:

• Sufficient education to acquire generic and QMS/EMS specific knowledge and skills

• Completed generic and specific auditor training (QMS or EMS), internally or externally

Work experience – Auditors should have work experience that:

• Contributes to developing knowledge and skills as described above

• Relates to technical, managerial or professional positions involving judgment, problem-solving and communication with various parties

• Allows part of the work experience to be in a position that contributes to knowledge and skills in:

o The quality management field for QMS auditors

o The environmental field for EMS auditors

Audit experience

• Auditors should have audit experience in audit life-cycle activities (see Module 5 of these Course Notes) gained under an audit team leader

• Audit Team leaders should have additional knowledge, skills and experience gained under a competent team leader

Note: The extent of direction and guidance needed during an audit is at the discretion of the audit team leader or person responsible for managing the audit program.

ISO 9001 Lead Auditors Who Audit Both QMS and EMS

QMS or EMS auditors who wish to become qualified in the second discipline should:

• Acquire knowledge, skills, training and experience in that discipline

• Conduct audits in that discipline under direction of a competent team leader in that discipline

• The team leader in one discipline must acquire the credentials for being the team leader in the second discipline

9.5 Maintenance and Improvement Of Competence

• Undergo continual professional development (CPD)

• Maintain and improve knowledge, skills and personal attributes

• Achieve through work experience, training, private study, coaching, attending meetings, seminars, conferences or other relevant activities

• Participate regularly in QMS and/or EMS audits

CPD should take into account changes in individual and organizational needs, auditing practices and standards and other requirements.

Glossary of ISO 9001 Auditing Terms Appendix A

Procedure - The specified way to carry out an activity or a process.

Process - A set of interrelated or interacting activities which transform inputs into outputs.

Product - The result of a process.

Project - A unique process, consisting of a set of coordinated and controlled activities with start and finish dates, undertaken to achieve an objective conforming to specific requirements, including the constraints of time, cost, and resources.

Quality - The degree to which a set of inherent characteristics fulfills requirements.

Quality Assurance - The part of quality management focused on providing confidence that quality requirements will be fulfilled.

Quality Control - The part of quality management focused on fulfilling quality requirements.

Quality Improvement - The part of quality management focused on increasing the ability to fulfill requirements.

Quality Management - The coordinated activities to direct and control an organization with regard to quality.

Quality Management System - A management system to direct and control an organization with regard to quality.

Quality Manual - A document specifying the quality management system of an organization. Quality manuals vary in detail and format to suit the size and complexity of an organization.

Quality Objective - Something sought, or aimed for, related to quality. The objectives should be based on the quality policy of an organization. Another term for quality objective is quality target.

Quality Plan - A document specifying which procedures and associated resources shall be applied by whom and when to a specific project, product, process, or contract.

Quality Planning - The part of quality management focused on setting quality objectives and specifying necessary operational processes and related resources to fulfill the quality objectives.

Quality Policy - The overall intentions and direction of an organization related to quality as formally expressed by top management.

Record - A document stating results achieved or providing evidence of activities performed.

Release - The permission to proceed to the next stage of a process.

Repair - The action on a nonconforming product to make it acceptable for the intended usage.

Requirement - A need or expectation that is stated, generally implied, or obligatory.

Review - An activity undertaken to ensure the suitability, adequacy, and effectiveness of the subject matter to achieve established objectives.

Rework - The action on a nonconforming product to make it conform to the requirements.

Scrap - The action on a nonconforming product to preclude its originally intended usage.

Specification - A document stating requirements.

Supplier - The person or organization that provides a product.

System - A set of interrelated or interacting elements.

Test - The determination of one or more characteristics according to a specified procedure.

Top Management - The person or group of people who direct and control an organization at the highest level.

Traceability - The ability to trace the history, application, or location of that which is under consideration.

Validation - The confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled.

Verification - The confirmation, through the provision of objective evidence, that specified requirements have been fulfilled.

Work Environment - The set of conditions under which work is performed.

The following additional definitions are offered for guidance during this course:

Accreditation - The act whereby, for example, the Registrar Accreditation Board (RAB) approves a Registrar (within a defined scope) to operate an assessment and registration scheme and licenses that body to use a special RAB logo on certificates issued within the scope of accreditation.

Audit Scope - The extent and boundaries of a given audit.

Calibration - All the operations for the purpose of determining the values of errors of inspection, measuring or test equipment, and if necessary, to determine other metrological properties.

Registration - The authoritative act of documenting conformity with agreed requirements.

ISO Acronym - from the Greek “isos” (equal to) adopted by the International Organization for Standardization.

Registrar - An independent, accredited, third party organization that conducts assessments of a company’s quality management system to ensure it conforms to requirements. Now also known as a Certification Body.

Registration - When a quality management system conforms to ISO 9001, the registrar issues a certificate of registration and places the company’s name in a directory of registered firms.

Registration Scope - The scope of registration defines the company sites, product lines, and operations covered by an ISO 9001 certificate.

Qualified Auditor - A combination of interacting personal attributes and education, training, work and audit experience, and areas of competence that need to be demonstrated to enable a person to be appointed as an auditor.

Quality Requirement - A requirement for inherent characteristics of a product, process, or system.

ISO 9001 Consulting, Training and Auditing

Why Should Your Organization Get ISO 9001 Certified?

The ISO 9001 Standard is a tool that can help you better manage your organization. Like any other business tool, how much it helps will depend on how well you put it to use. This requires your organization to be clear on the benefits to be gained and how it plans to use ISO 9001 to achieve them. ISO 9000 quality management standards have been around for over 30 years and the worldwide industry feedback on how they have helped companies is summarized below:

External Benefits

• Increases your competitive edge and market share

• Improves customer confidence and satisfaction

• Improves conformity to customer and regulatory quality requirements

Internal Benefits

• Improves operational efficiency and productivity

• Improves process consistency and stability

• Facilitates continual improvement

• Improves focus and effectiveness of training programs

• Improves employee motivation and participation

• Leads to improved supplier performance

• Increases business profitability

The extent of these benefits obviously varies from one organization to another, but those organizations that planned and implemented ISO 9001 using external professional help gained far superior results, both in terms of speed of implementation and effectiveness of results. The payback on investment was recouped anywhere between 1-2 years, often sooner.

How Can We Help You?

Ask Art Solutions provides expert consulting, training and auditing services for ISO 9001, TS 16949, ISO 14001 and AS 9100 management system standards. Our focus is on providing timely and cost-effective solutions for your system development, implementation, training and auditing needs. Business management systems - whether for quality, automotive, environmental, or other - are generally not too difficult to implement and get certified. The difficulty arises in truly using them as a tool to improve your business and obtain the benefits listed above to the fullest extent. Our goal is to help you develop business management systems that, besides getting certified, improve operational performance and customer satisfaction, reduce business risks and increase profitability.

Here Are Three Consulting Options To Consider:

Want To Do It Yourself? - For those that want to do it on their own, we provide a ton of resources on our free resources page. You will find all the information you need to educate yourself on the standards; tools to implement what you learn; and useful articles to help solve problems and improve what you have implemented.

Need Onsite Consulting? - If you need onsite help we offer any combination of consulting, training and auditing services at your site to suit your specific requirements. We are committed to providing you with effective solutions at cost-effective rates. We can help you get certified faster and cheaper than any other avenue.

Prefer ISO 9001 Online Consulting?

In response to increasing requests, we are offering our services online to organizations worldwide. We will help you install internationally recognized online Quality Management System software, and develop and implement your ISO 9001 or other business management system with all the documentation and controls necessary to get your organization ready for your certification audit by an accredited Registrar. All of this will be done online using MS Live Shared View and Skype over a period of five to twelve months depending upon the size of your organization. This is the most comprehensive online ISO 9001 quality management system software and consulting service available worldwide.

Exam Exercise 1 - Multiple Choice Questions

ISO 9001 Lead Auditor Training - Typical multiple choice questions worth one mark each.

Only circle one answer for each question.

1 Planning for a QMS audit requires:
a. establishing an audit schedule.
b. determining the scope of the audit.
c. considering prior audit results.
d. reviewing quality system documentation.
e. all of the above.

2 The information sought by a QMS auditor during an audit is:
a. Senior management commitment to the quality system
b. A list of nonconformities against the ISO 9001 standard
c. Conformity to specified audit criteria
d. Product shipped met customer requirements
e. All of the above

3 An audit plan is:
a. a facilities layout
b. a description of the activities and arrangements for an audit
c. a checklist of questions to be asked during an audit
d. a) and b)
e. b) and c)

4 The main purpose of the program of scheduled QMS audits is to:
a. resolve the problems in production.
b. reduce in process verification.
c. verify the effective implementation of the quality management system.
d. all of the above.
e. b) and c).

5 The “degree to which a set of inherent characteristics fulfills requirements” is the definition of:
a. quality assurance.
b. quality control.
c. quality.
d. all of the above.
e. none of the above.

6 The management representative must:
a. perform all tasks relating to the quality management system
b. chair the management review meetings
c. be a member of the organization’s own management
d. b) and c)
e. none of the above.

7 The audit team members should meet frequently to exchange information during the audit in order to:
a. ensure that all of the audit objectives are met.
b. ensure that as many nonconformities as possible are found.
c. evaluate the performance of each member of the team.
d. all of the above.
e. none of the above.

8 Internal audits are used to verify that:
a. products conform to technical specifications.
b. the quality management system is effectively implemented.
c. no nonconformities exist in the quality management system.
d. all of the above.
e. none of the above.

9 The frequency of third party QMS audits is determined by:
a. the Registrar and auditee
b. the Registrar and customer
c. the client
d. only a) and b)
e. only b) and c)

10 The primary purpose of an opening meeting is to
a. develop the plan for the audit.
b. introduce the audit team and confirm arrangements for conducting the audit.
c. determine what auditor and auditee resources are required to undertake the audit.
d. all of the above.
e. none of the above.

11 The evidence of a nonconformity identified during an audit should be
a. recorded in the auditor’s notes or checklist.
b. acknowledged by the management of the audited company.
c. capable of being checked later.
d. all of the above.
e. none of the above.

12 The output from management reviews of a QMS based on ISO 9001 should lead to decisions or actions related to:
a. Improvement in the effectiveness of the quality management system
b. Improvement of product related to customer requirements
c. Increased efficiency in use of resources
d. Only a) and c)
e. Only a) and b)

13 The number of auditors assigned to an audit and their related experience and qualifications should be dependent on:
a. the scope of the audit.
b. the time available to perform the audit.
c. the purpose of the audit.
d. all of the above.
e. none of the above.

14 Opportunities to take preventive action may be found by analyzing:
a) Records of internal and external audits
b) Market and service feedback
c) Product nonconformities and returns
d) All of the above
e) Only a) and b)

15 As per ISO 9001 requirements, the purpose of QMS records is to provide objective evidence of:
a) Product conformance
b) Process capability and quality system conformance and effectiveness
c) Conformance with environmental, health and safety requirements
d) All of the above
e) Only a) and b)

Exam Exercise 2 - Multiple Choice Questions

ISO 9001 Lead Auditor Training - Typical multiple choice questions worth one mark each.

Only circle one answer for each question.

1 QMS audits are used to verify:
a. that employees are following procedures and work instructions.
b. that products passed all inspections and tests per the quality plans.
c. that the quality system has been effectively implemented and maintained.
d. that all work is carried out by competent personnel.
e. all of the above.

2 The coordinated activities to direct and control an organization with regard to quality is called:
a. management review.
b. quality management.
c. total quality management.
d. all of the above.
e. none of the above.

3 The non-fulfillment of a requirement is called:
a. an observation.
b. a nonconformity.
c. an audit finding.
d. all of the above.
e. none of the above.

4 If a major nonconformity is found during the audit, the QMS auditor should:
a. Stop further production till the nonconformance is corrected.
b. Notify the Quality Manager as soon as possible.
c. Notify customers that defective product is being shipped.
d. Call a meeting with senior management to address the problem.
e. All of the above.

5 The scope of a QMS audit is determined by:
a. The program manager and auditee.
b. The customer and the auditee.
c. The audit client and the audit team leader.
d. All of the above.
e. None of the above.

6 The Registrar auditor may verify completion of agreed corrective action by:
a. acceptance of a written response.
b. evaluation of submitted evidence.
c. partial re-audit of the corrective action at the auditee’s site.
d. all of the above.
e. none of the above.

7 The person responsible for developing the audit plan, communicating with the auditee, and directing team efforts in preparing for and conducting the audit is:
a. the client.
b. the audit program manager.
c. the audit team leader.
d. all of the above.
e. none of the above.

8 A requirement in selecting an audit team is:
a. to select auditors who are impartial and objective.
b. to select only auditors who are certified by the RAB or equivalent body.
c. to ensure that one of the team is in a management position.
d. to ensure that at least one team member has expertise in the activity audited.
e. all of the above.

9 QMS audits may be used to:
a. assist in selecting suppliers and subcontractors.
b. verify conformity with contractual requirements.
c. assess the effectiveness of quality management systems.
d. find opportunities to improve the quality system.
e. all of the above.

10 The purpose of the ISO 9001 QMS standard is to:
a. Enhance customer satisfaction.
b. Continually improve the effectiveness of the quality management system.
c. Provide certification of product capability and conformance.
d. Only a) and c).
e. Only a) and b).

11 If an audit finds no nonconformities, the external auditor should:
a. Conclude that there are no nonconformities existing in the quality system.
b. Explain to the department manager that only a sample of activities was audited and there may be nonconformities that the sample did not uncover.
c. Recommend to auditee management that future audits be restricted to follow-up of corrective actions on customer complaints and specific quality problems.
d. Only a) and c).
e. Only b) and c).

12 A good approach when interviewing an auditee is to:
a. say notes will be taken of their responses as evidence that they are doing their job.
b. put the auditee at ease and encourage them to mark out existing nonconformities.
c. establish a good rapport with the auditee; ask short questions and listen.
d. only a) and c).
e. only b) and c).

13 Which of the following is a requirement of ISO 9001?
a. to have a quality assurance manager.
b. to have a documented procedure for determining quality system related costs.
c. to have a documented quality policy.
d. all of the above.
e. none of the above.

14 It is important that the outcome of management reviews should lead to:
a) Improvement in conformity with QMS requirements
b) Increased effectiveness of the QMS
c) Increased effectiveness and efficiency of the QMS
d) Only a) and c)
e) Only a) and b)

15 The nature and degree to which a supplier may demonstrate conformance to an ISO 9001 based QMS may vary in accordance with:
a) The complexity and difficulty in designing and producing the product
b) The past performance of the supplier
c) The ability to judge product quality on the basis of final inspection and test alone
d) All of the above
e) Only a) and b)

Exam Exercise 3 - Multiple Choice Questions

ISO 9001 Lead Auditor Training - Typical multiple choice questions worth one mark each.

Only circle one answer for each question.

1 "Focused on providing confidence that quality requirements will be fulfilled" is:
a quality assurance.
b quality management.
c quality control.
d all of the above.
e none of the above.

2 Lead auditors are responsible for:
a conducting the opening and closing meetings.
b reporting audit findings and conclusion.
c developing the audit program.
d only a) and b).
e all of the above.

3 The auditor has observed at least 8 purchase orders that were not reviewed and approved prior to issue. The auditor should now:
a draw a conclusion and prepare a nonconformity report.
b take another sample to confirm the audit observation.
c tell the audited company that something should be done about purchase orders.
d all of the above.
e none of the above.

4 The document stating requirements related to activities or products is called:
a the inspection procedure.
b the specification.
c the quality plan.
d all of the above.
e none of the above.

5 According to ISO 9001, data must be analyzed for information on:
a customer satisfaction.
b employee satisfaction.
c supplier performance.
d only a) and b).
e only a) and c).

6 The primary information sought by an internal auditor during an audit is:
a senior management commitment to the quality system.
b a list of nonconformities against the ISO 9001 standard.
c conformity to the ISO 9001 standard.
d product shipped meets customer requirements.
e all of the above.

7 If a major nonconformance is found in an audit, the third party auditor should:
a request further production be stopped until the nonconformity is corrected.
b notify customers that defective product is being shipped.
c notify the Management Representative as soon as possible.
d call a meeting with senior management to address the problem.
e all of the above.

8 The management representative:
a is a director.
b is the quality assurance manager.
c ensures the quality management system is maintained
d all of the above.
e none of the above.

9 What records must be kept to comply with ISO 9001?
a records of employee competence.
b records of the measurement and monitoring of processes.
c records of design reviews.
d a) and c) above.
e b) and c) above.

10 The frequency of third party audits is determined by:
a) the Registrar and auditee.
b) the Registrar and customer.
c) the client.
d) only a) and b).
e) only b) and c).

11 If your company is ISO 9001 certified, this requires that your key suppliers:
a also be certified to the ISO 9001 standard.
b must be audited by your company.
c must have a quality management system.
d provide assurance that your company quality requirements are met.
e all of the above.

12 When evaluating quality management systems, essential questions that must be asked in relation to processes being evaluated are:
a) Are the processes defined and their sequence and interaction determined?
b) Are the processes fully deployed and effectively implemented?
c) Are the processes effective and efficient in achieving planned results?
d) All of the above
e) Only a) and b)

13 At the closing meeting of a third party audit, the company’s General Manager asks about the outcome of the audit. The lead auditor should tell the company:
a they have passed or failed.
b it is not a decision for the audit team.
c what recommendation will be made.
d all of the above.
e none of the above.

14 Any information pertaining to the quality of product or process, which can be verified through observation, interview or review of records is called:
a) An observation
b) A finding
c) Objective evidence
d) A nonconformance
e) All of the above

15 The ISO 9000 family of standards and guidelines are intended to be used in the following situations:
a) Guidance for quality management
b) Contractual, between first and second parties
c) Second party approval or third party certification
d) All of the above
e) Only b) and c)

Exam Exercise 4 - Short Essay Questions

Typical short essay type questions are worth 5 marks each. Your response should cover a breadth of several points as opposed to going into depth on one or two points. (Tip: Provide bullet point answers covering 5-10 separate points)

1 Explain the characteristics of (and differences between) a first party, second party, and third party QMS audit.

2 A complete audit of an organization's QMS consists of two distinct stages. Briefly describe each of these stages.

3 An auditor is conducting a third party QMS audit and the guide that has been appointed to accompany him is called away by his supervisor. After five minutes, the guide has not returned. What should the auditor do? What should the auditor not do?

4 Identify five clauses where planning of QMS activities is required by ISO 9001 and briefly explain each planning activity.

5 State the typical objective evidence that could be gathered in order to verify conformity with the requirements of clause 7.6 of the ISO 9001 Standard. Your answer should contain at least five specific examples in order to illustrate your understanding.

6 An experienced auditor has been instructed to carry out a QMS audit of a potential supplier. From initial contacts with the supplier, it is learned that a formal documented QMS does not exist. List five steps the auditor could take in planning for such an audit.

7 An auditor may experience delaying tactics while conducting an audit. Give two examples of such tactics and describe three ways in which the auditor could deal with these situations.

8 State four advantages and one disadvantage of using checklists to perform a QMS audit.

9 At the closing meeting, the quality management representative (QMR) of the organization audited informs the auditor that they have now written a procedure to correct a serious non-conformity that the Registrar auditor found on the first day of a two-day external audit. The QMR proposes that the auditor examine the procedure during the meeting and then withdraw the nonconformity report. How should the auditor respond?

10 List and briefly explain five different ways in which an auditor obtains objective evidence while performing a QMS audit.

11 Explain the purpose and benefits of a preliminary visit to a company by the audit team leader prior to a QMS audit.

12 Arriving for the closing meeting, at the conclusion of an audit in which numerous nonconformities have been recorded, the auditor is told by the quality management representative that none of the senior managers who were contacted are available to attend. What should the auditor do?

13 While in the warehouse during a third party QMS audit, the guide gets into a heated argument with the warehouse clerk over the absence of inspection status labels on skids of paint pails being stored on the racks. The warehouse clerk claims labeling is not necessary because the racks are a designated area for the paint pails to be kept until inspected and approved by the inspection department. The guide turns to the auditor and asks for support. How should a third party auditor respond?

14 At the opening meeting of a third party QMS audit, the management representative (QMR) of the audited company informs the auditor that a recent internal audit has disclosed numerous deficiencies in control of calibration. Corrective action is being planned. The QMR proposes the audit of the calibration department be deleted from the audit plan. How should the auditor respond?

15 What objective evidence could be available in order to verify nonconformity with the requirements of clause 7.4 of the ISO 9001 Standard?

Exam Exercise 5 - Long Essay Questions

Typical long essay type questions are worth 10 marks each. Your response should cover some depth on the subject matter. (Tip: Provide a combination of narrative and bullet points covering around 200-250 words in your response)

1 Describe the responsibilities of a QMS auditor who is a member of a third party QMS audit team.

2 An audit is being planned on an organization that carries out purchasing activities and verification of purchased products. Write an audit checklist of eight key controls that an auditor should cover during an audit of those activities. State the relevant clauses of ISO 9001. (Hint: For full credit, students should use a process based approach and address at least three different clauses of ISO 9001)

3 Describe the typical levels of QMS documentation. What objective evidence should be looked at to verify that QMS documents are being controlled in conformity with clause 4.2.3 of ISO 9001?

4 List and explain the agenda items that a third-party QMS audit team leader should cover during the closing meeting with the management of the organization being audited.

5 a) Clearly explain the steps that an auditee organization may take in responding with corrective actions to nonconformities raised during a third party QMS audit.

5 b) What follow-up options are available to a third-party QMS auditor, to ensure that the auditee organization has effectively carried out the corrective actions?

6 An audit is being planned on a company engaged in warehousing and distribution activities. Items are moved from the receiving area and stored on racks in the warehouse using forklift trucks, until required for shipment. Write an audit checklist of eight key controls that an auditor should cover during an audit of those activities. State the relevant clauses of ISO 9001. (Hint: For full credit, use a process based approach and address at least three different clauses of ISO 9001)

7 List and explain the agenda items that a third party QMS audit team leader should cover during the opening meeting with the management of the organization being audited.

8 An audit is being planned for a company that receives customer’s sales orders for products by telephone, fax, and e-mail. The products are shipped directly to the customer from a warehouse using the company’s own trucks. Write an audit checklist of eight key controls that an auditor should cover during an audit of those activities. State the relevant clauses of ISO 9001. (For full credit, students should use a process based approach and address at least three different clauses of ISO 9001)

9 What are the benefits of implementing a QMS that meets the requirements of ISO 9001? Identify and describe three clauses of ISO 9001 that provide opportunities to improve the quality system and overall business performance.

Exam Exercise 6 - Evaluation Of Audit Situations

ISO 9001 Lead Auditor Training - During the course of ISO 9001 QMS audits of various organizations, auditors will run into a variety of situations where they will have to determine whether they have sufficient objective evidence of a nonconformity or not, and report their findings. Each of the situation questions listed below is worth 10 marks on the exam. Practice evaluating these situations to sharpen your auditing skills.

Based on the information given, if you think the situation represents a nonconformity, then complete a nonconformity form that includes the following information: Situation #; area/process being audited; applicable ISO 9001 clause #; whether the nonconformity is major or minor; a clear description of the specific requirement that the situation is nonconforming against; a clear description (finding) of the nonconformity itself, supported by relevant objective evidence.

OR, based on the information given, if you do not think there is a nonconformity, then clearly state your reason(s), and also provide at least 3 further actions you would take to gather additional evidence of conformity or nonconformity (had you been there performing the audit).

Here is a list of some typical situations for you to practice on.

Situation number 1

During a Stage One - QMS document review, the auditor notes that a company procedure, QAP 05, revision 3, states that when testing raw material RH 2005 for acceptance, the results will be unreliable if the test samples are taken closer than 20 inches apart on the material. In the Receiving Inspection Lab, the auditor notices an inspector carrying out an acceptance test on material RH 2005. The auditor asks the inspector how the sample position on the material is selected. The inspector replies that they are taken 6 inches apart to avoid wasting material. Upon inquiring about his procedure, the auditor was shown the inspector’s copy of QAP 05, revision 2 on a shelf near the inspector’s desk.

Situation number 2

In the ABC Inc, Medical Center, which is within the scope of QMS registration, the auditor asks to see the work instructions for a nurse. There are no written instructions on how to administer first aid treatment for cuts and minor injuries, nor are there any written instructions of what to do if a patient's heart stops beating. The guide says that ABC employs three nurses all of whom have been professionally trained as Registered Nurses and have certificates of competence issued by a recognized university teaching hospital.

Situation number 3

In the Warden’s office, the auditor notices a binder entitled “Penal Institution Administration Practices” on the bookshelf and asked whether these contained departmental procedures for the penitentiary.

The warden confirms that the file does contain these procedures, but adds hesitantly that this document is now on computer available to all supervisors at their terminals for many of their activities.

After selecting A2, B5, C3 and D4 from the binder, the auditor notes that they are all at revision 1. The auditor asks the Warden to show them on the terminal. The computer versions of B5, C3 and D4 are at revision 3. The other sections are at revision 1.

Situation number 4

In the maintenance department, the auditor notes that contrary to the company’s work instruction, TDWI 05 issue 3, which is clearly displayed at all work stations, three of the ten people in the department are not wearing the company issued safety glasses when operating machining equipment.

Situation number 5

In the purchasing department, the auditor notes that the staff are placing orders over the phone with suppliers using a computerized purchasing system. On inquiry, the auditor is told that the staff has been fully trained and the database holds details of all supplier contract specifications and, therefore, there is no need for an independent review of individual orders.

Situation number 6

In the quality manager’s office, the auditor asks to see the schedule for internal audits. This schedule shows that each of the eight QMS processes is audited every six months. The auditor asks the quality manager how the frequency of audits was decided. The manager says that when the system was set up three years ago, 6-month intervals were specified for all processes. The company has kept to this original schedule. The auditor asks to see the file containing corrective action requests (CARs). It lists 85 CARs for the past two rounds of internal audits. Of these, 65 CARs are in the production department and the remainder are spread evenly over five other departments. Two departments received no CARs.

Situation number 7

In the shipping area, the auditor stops to look at six finished products, serial numbers X245 to X250, in individual cardboard cartons. The auditor asked the shipper why the items are packed in corrugated cardboard instead of plastic containers as required by packaging work instruction PWI 6, revision 2. The shipper replied that the shipping supervisor had instructed them to use corrugated cardboard when they ran out of plastic containers three weeks ago.

Situation number 8

During the audit of the tool and die department of a major automotive component manufacturer, the auditor asked to see the work instructions for the turning and milling operations. The toolroom foreman indicated that there were no work instructions for these operations other than a router indicating operation name and equipment to be used. He added that these operations were performed by operators that were highly experienced and certified in their respective trades.

Situation number 9

In the design department, the auditor sees three incomplete products on a desk. The design manager explains that these products came from the production department because of problems in manufacture. There is no identification on any of the three incomplete products or any indication of their inspection status. Further investigation by the auditor was unable to locate any inspection records relating to the incomplete products.

Situation number 10

In the engineering department, the auditor is shown procedure SOP 7.3 which requires that all engineering drawings must be signed off by the draftsman and the engineering manager prior to issue.

He randomly examines a drawing, DWG 1446 rev 3 on the manager’s desk and noticed that the “drawn by” and “approved by” boxes on it were not yet signed off.

Later, in the mail room, he comes across the same drawing with a distribution list attached.

Situation number 11

In the receiving area, the auditor noticed a colour code chart for identifying raw steel bars used to make finished product. Later in the storage area, he noticed a similar chart, but with an additional colour and a control block - C.C.Chart RM 2007 rev 2. When questioned, the material handler said that the chart is useful for quickly pulling out the right bars.

On examining the document master list, the auditor could not find this chart listed. When asked about this, the quality manager stated that they had moved to a computerized system for identifying steel bars and the colour code charts were no longer relevant.

Situation number 12

In the final assembly area, the auditor observed operators installing laser printer cartridges into desk top printers. When asked about the inspection status of cartridges, the production foreman said that the cartridges had just come in; the materials inspector had called in sick; this was a rush job and delivery commitments must be met.

On further investigation, the auditor found that a shipment of 200 printers from the same order had been picked up by the customer just before noon that day.

Situation number 13

In the production supervisor’s office, the auditor examined a copy of procedure SOP 7.5 covering production control activities. When comparing against the master copy, she noticed that on page 2, the organization chart had been changed, but not on the master copy.

When asked, the supervisor said that one of her material handlers had left the company and was not replaced. Overall workload was reorganized and the organization chart was amended to reflect this.

Situation number 14

In the Quality Management Representative’s (QMR) office, the auditor flips through the management review minutes for the past year. She noticed the last one was dated 28/11/08; the previous one dated 13/06/08 which made reference to a 22/02/08 review.

When asked about the frequency of such reviews, the QMR said that they were done when senior management is in town and definitely before an external audit. On reviewing 2007 records, the auditor noticed that management reviews were held in May and October.

Exam Exercise 7 - Writing nonconformities

The following statements were presented to management by a third party audit team at the conclusion of the QMS audit. These statements are all nonconformities that have been poorly written by the auditors that found them.

Requirement 1: Based on what you have learned in this ISO 9001 Lead Auditor Training course, on collecting audit evidence and reporting of nonconformity findings, identify why these statements are poorly written and how you would have written them.

Requirement 2: Identify the ISO 9001 clause number that you think would be the most appropriate selection for the stated nonconformity.

1. A copy of a machine set-up instruction/checklist MSU 1201 on how to set up machine #1201 was marked “not under change control”.

2. In the Storage Room, stocks of food additives were found to be contaminated by fumes from extraction ducts that were not airtight.

3. A written instruction requires the involvement of the quality department when labels need to be restored to course binders that have lost their labels. The temporary personnel who said they restored labels were unaware of the approved instruction and the method they described did not comply with it anyway.

4. No internal audit had been carried out on Human Resources, Maintenance, Sales Order Entry, Information Technology. The Quality Manual (clause 4.2) states that audits will be carried out on all departments on a six-month basis as a minimum.

5. The work instructions for field service contracts JLL-0295/C, DCG-2596/A, and FG-18423/X did not communicate special requirements due to lack of space on the work instruction form. The sales entry order clerk had been given no guidance as to how to deal with such a contingency.

6. Therma-Glo (a material critical to product quality) does not have a purchase specification and there is no procedure for quality verification of incoming material.

7. The jig fixture used for checking stamped plates on the production lines was badly maintained. Guide pins were unstable causing misalignment and the reflection surface for underside inspection was very dirty.

8. Although amendments to sales orders are recorded on receipt in Sales, there is no method to ensure the changes are implemented throughout the system.

9. It is a requirement that test containers used for the Avery weigh scale are approved and issued by the laboratory. There were test containers being used on the filling lines that had not been so approved.

10. On the drum filling line, the requirement of 50 drums per hour to be inspected was not being met. An average of 10 drums per hour was inspected between 3 pm and 12 midnight.

11. Gel Sealant was being held longer than the 5 minutes allowed at pouring temperature and was not filtered before being applied on the line.

12. The patient medical records for recent tests showed occasional hand-written alterations. These lacked an approving signature or date.

True/False Questions - Exercise 8

The following statements relate to various ISO guidelines and standards. Indicate whether these are true or false. As some of these statements are deliberately vague, you might consider your supporting logic to defend your true/false determination.

You must read "Understanding ISO 9001" along with this ISO 9001 Lead Auditor training course to do this exercise. These statements relate to an ISO 9001 certified organization or one planning to implement an ISO 9001 QMS.

1 Improvement in QMS systems and processes so that continual improvement of quality can be achieved is not a major purpose of quality management.

2 Customer requirements are often incorporated in “specifications”.

3 Use of specifications guarantees that a customer’s requirements will be met consistently.

4 QMS standards can substitute for relevant product requirements provided in technical specifications.

5 The QMS of an organization is influenced by its specific objectives, products, processes and practices.

6 It is expected that organizations with similar products or services will have similar QMSs.

7 ISO standards and guidelines are intended to be specific to economic or industry sectors, whenever possible.

8 The ISO 9000 family of standards provides guidance for quality management and general requirements for quality control.

9 An organization should strive to improve the quality of its products as well as its operations.

10 Ensuring that product quality meets customer needs also ensures that internal management, employees and other stakeholders' needs are met.

11 Because of varying stakeholder needs such as quality, health & safety, environment protection and security, it is not required that management systems (to address these needs) be compatible.

12 The ISO family of quality system standards addresses quality system requirements as well as provides technical standards for product quality.

13 The ISO 9000 family of quality standards provides quality system objectives to be met and guidance on achieving them.

14 It is generally not typical for an organization to provide two or more generic product categories in its product offering.

15 Besides meeting requirements, a product must also provide value to customers and other stakeholders.

16 Product value involves both quality and price and as such price is a facet of quality.

17 A process must have inputs and outputs which may only exist in tangible form.

18 Every process involves people and/or resources in some way.

19 Inputs, outputs and activities within the process are all capable of being measured and improved.

20 A process serves no purpose if it does not add value to the output or organization.

21 Not all work is accomplished by a process.

22 Quality management is accomplished by managing the structure and operation of processes as well as the quality of product and information flowing through them.

23 Every organization exists to accomplish value-adding work through a network of processes. The structure of the network is usually a simple sequential structure.

24 A fundamental basis of the ISO 9000 family of standards is for organizations to create, improve and provide consistent quality of product through their network of processes.

25 Every process should have an owner to clarify interfaces, responsibilities and authorities.

26 To be effective, a QMS needs coordination and compatibility of its component processes and definition of their interfaces.

27 Management reviews of QMS cannot take into account additional factors beyond the requirements of ISO 9001.

28 First party internal audits may only be conducted by members of the organization.

29 QMS audits should keep in mind the balance between the extent of documentation and the extent of training.

30 Documented standard operating procedures are essential for maintaining the gains from quality improvement activities.

31 The ISO 9004 standard is intended for use in interpreting the requirements of the quality assurance standards ISO 9001.

32 ISO 9004 provides generic guidelines for the application and implementation of the clauses in the ISO 9001 quality assurance standard.

33 When implementing an ISO 9001 based QMS, all of the requirements listed must be selected and applied.

34 Organizations implementing a QMS based on ISO 9001 are required to be certified by a Registrar.

35 ISO 9004 can be used as a reference by an organization wishing to improve its effectiveness, but only after it has implemented a formal QMS.

36 ISO 19011 provides guidance on the education, training and experience requirements for certification of QMS and EMS auditing.

37 Organizations using ISO 9001 based QMS must demonstrate adequacy and effectiveness of the QMS as well as capability to achieve product conformity to specified requirements.

38 Pre-contract and post-contract assessments of an organization's QMS may be conducted by the customer, the customer’s agent or an agreed third party.

39 Organizations and their customers may not specify supplementary QMS requirements beyond those specified by ISO 9001.

40 Quality control is defined as the part of quality management focused on fulfilling quality requirements.

41 A service can have tangible as well as intangible components to it.

42 A product is generated by activities at the interface between an organization and the customer and by the organization's internal activities to meet the customer's needs.

43 A service cannot be linked with the manufacture and supply of tangible product.

44 Product characteristics and/or quality characteristics are absolute and cannot be changed.

45 Product quality relates to its ability to satisfy stated as well as implied needs.

True/False Questions - Exercise 9

The following statements relate to various ISO guidelines and standards. Indicate whether these are true or false. As some of these statements are deliberately vague, you might consider your supporting logic to defend your true/false determination.

46 According to the ISO 9000 family of standards, the terms nonconformity and defect can be used interchangeably.

47 Verification refers to checking conformance of product design; and validation refers to checking conformance of the product design process – both to specified requirements.

48 A company’s quality policy may be stated in qualitative or quantitative terms.

49 Quality management is the responsibility of top management within the organization.

50 According to the ISO 9000 family of standards, the terms quality planning and quality plans can be used interchangeably.

51 A quality plan may be combined with a production plan to facilitate control of processes.

52 Where services are offered in combination with product, it is necessary to have separate quality plans.

53 Quality control ensures adequate control of processes, whereas quality assurance ensures that no nonconforming product gets shipped to customers.

54 It is necessary that an organization use a QMS to implement quality management.

55 Corrective and preventive actions are important tools to achieve QMS improvement.

56 An audit observation may relate to either conformity or nonconformity to a specified requirement.

57 Actions taken to eliminate the causes of an existing nonconformity must include a corrective as well as preventive element.

58 Repair and rework can be used interchangeably as defined by the ISO 9000 family of standards.

59 A deviation authorization and a concession cannot be used interchangeably as defined by the ISO 9000 family of standards.

60 It is generally understood that if customer needs and expectations are taken care of, the interests of other stakeholders will also be addressed.

61 Only the inputs and outputs of processes can be measured.

62 All processes are measurable in terms of customer satisfaction.

63 In general, the extent of QMS documentation is inversely proportional to the education, training, experience and stability of personnel within an organization.

64 An ISO 9001 certified organization must require some or all of its suppliers to also be certified to the ISO 9001 standard.

65 An organization may provide audit results from an audit done by a customer to the external Registrar auditor, as evidence of demonstrating an adequate and effective QMS.

66 Each requirement of ISO 9001 will vary in importance for different organizations depending upon their products and processes.

67 Since ISO 9001 requirements are generic, it is expected that application of QMS requirements to different products and organizations will be uniform.

68 In demonstrating an effective QMS, an organization needs to meet both the customer’s needs and expectations as well as its own.

69 Since cost is not a quality factor, only process benefits and risks should be considered by an organization in developing a well structured QMS.

70 The definition of nonconformity does not include product returned for repair or rework.

71 Activities contributing to quality, whether directly or indirectly, should be defined and documented.

72 Measures to control and coordinate the interface between different activities and processes should be defined.

73 An organization’s QMS quality objectives should relate to product fitness for use, performance, safety and dependability.

74 Resources to achieve QMS quality objectives must be planned but there is no necessity to provide them on a timely basis.

75 The scope of management reviews under ISO 9001 should include the impact of new technology and market strategies on the QMS.

76 Management must regularly monitor quality costs and other benchmarks to determine if the QMS is achieving its quality policy and objectives.

77 In structuring an ISO 9001 QMS to suit its needs, an organization can exclude selective phases in the life-cycle of its products and related processes.

78 It is necessary that an organization’s QMS documentation include narrative procedures and work instructions for its operations.

79 In ISO 9001 based quality systems, quality planning should be viewed as the same as quality plans.

80 An organization's quality policy must include policies and objectives related to products, processes, QMS system and cost.

81 Quality plans should specify on one document the quality objectives, practices, criteria, resources, operational sequence and quality activities related to a product or service.

82 All customer requirements must be documented and agreed to by the customer and supplier.

83 The capability of an organization under ISO 9001 clause 7.2 only relates to its ability to produce and deliver quality product.

84 In order to ensure consistency of control, it is necessary that all customer orders be subject to the same contract review before acceptance.

85 Verbal orders received from customers do not need to be documented by the organization.

86 ISO 9001 does not require marketing activities to be included within the scope of the QMS.

87 Product safety, environmental and other regulations should also be considered in designing new product.

88 Design verification requires that the developed product be checked against the design input requirements.

89 The design review activity should consider safety, cost, compatibility, quality acceptance criteria, prototype test results, etc.

90 It is necessary that design changes be subjected to all design controls described in ISO 9001 clause 7.3.

True/False Questions - Exercise 10

The following statements relate to various ISO guidelines and standards. Indicate whether these are true or false. As some of these statements are deliberately vague, you might consider your supporting logic to defend your true/false determination.

91 All design and development activities must be included in the project plan and cannot be changed.

92 Product validation cannot be completed until the customer approves the product.

93 The design review activity must be conducted by personnel assigned to the design project.

94 Service design verification, validation and review must address all three specifications – service design, service delivery and quality control of the design process.

95 Documents retained for legal and knowledge purposes must be controlled to the same extent as active documents.

96 ISO 9001 requires that all QMS documentation be made available to personnel at their specific work stations.

97 It is a nonconformity if an organization does not use a document master list to identify the current status of its documents.

98 It is not a nonconformance if an organization does not use an approved supplier list to ensure purchases affecting product quality are made from approved suppliers.

99 ISO 9001 requires that the impact of document changes should be considered, on product, process or quality system.

100 If a subcontractor to your organization is ISO 9001 certified, it is not necessary for your organization to monitor the subcontractor's ongoing quality performance.

101 To ensure consistency of conformity of purchased product, clause 7.4 of ISO 9001 requires that all suppliers be evaluated in the same manner.

102 Clause 4.2.3 of ISO 9001 requires that a record be kept of the reasons why a change to a document was made.

103 If an organization accepts delivery of material based on conducting verification at source, it may not be necessary for it to conduct any receiving inspection.

104 According to clause 7.4 of ISO 9001, purchasing documents must clearly describe QMS requirements for all suppliers on its approved supplier list.

105 A list of approved suppliers constitutes sufficient objective evidence of acceptable suppliers.

106 Where customers provide product certifications with customer supplied product, it is not necessary for the organization to conduct any further verification of such product.

107 It may not be necessary to use physical identification methods if computer records are used to control the identity of product.

108 Product identification relates to details of manufacture to facilitate tracking of a nonconformity back to its source and containing the batch or lot.

109 According to ISO 9001 it is not necessary to conduct in-process product verification if there is adequate control of manufacturing processes.

110 According to ISO 9001, relationships should be developed between in-process controls, their specifications and final product specifications.

111 According to ISO 9001, it is expected that all products be subject to the same inspections and tests.

112 According to ISO 9001 it is required that acceptance criteria be described on the product inspection record.

113 There is no nonconformity if an organization is unable to provide any organization charts to show its organization structure.

114 It is a nonconformity if calibration status indicators are not affixed directly on measurement devices used to verify product quality.

115 It is a nonconformity, if a customer is not notified when product is shipped to them, that was inspected and passed using defective measurement devices.

116 There is no nonconformity if an ISO 9001 certified organization allows its operators to use personally owned measurement devices.

117 It is a nonconformity if an ISO 9001 certified organization does not have a designated quarantine area for nonconforming product.

118 It is a nonconformance if an ISO 9001 certified organization does not perform any audits on any of its suppliers.

119 There is no nonconformity if material is released for urgent production without any receiving inspection being done.

120 Statistical techniques should be used to identify adverse trends for products and processes before nonconformities actually occur.

121 Correction of product nonconformities should not compromise the quality of adjacent, attached or incorporated product.

122 Verification should be made as close as possible to the point of realization of the product characteristic.

123 Manufacturing jigs, fixtures, test software, comparative references and process instrumentation that can affect product or process characteristics do not need to be controlled.

124 Besides controlling measurement devices, the measuring process itself must be controlled.

125 For fully automated processes, physical location of product is an acceptable method of assuring the inspection and test status of product.

126 The inspection and test status of product is only required to be maintained as a control, until the time the product is shipped to the customer.

127 ISO 9001 requires that nonconforming product be segregated, identified and put in a designated quarantine area.

128 The ISO 9001 requirement for preventive action may be addressed by taking steps to prevent a root cause of a nonconformity from happening again.

129 The control requirements for storage in clause 7.5.5 of ISO 9001 include both conforming and nonconforming product.

130 As per ISO 9001, the organization is not responsible for the protection of product quality after shipment, if the terms of delivery are FOB the organization’s facility.

131 The retention times for QMS records required by clause 4.2.4 of ISO 9001 are minimal time periods and therefore QMS records never need to be disposed of.

132 As per clause 8.2.2 of ISO 9001, it is required that the frequency of audits of specific areas and processes be increased based on their status and importance.

133 As per ISO 9001, training of temporary and subcontract personnel is not required.

134 The use of statistical techniques has limited application and benefit to the service sector.

135 The use of statistical techniques is not applicable for the evaluation of qualitative data.

136 Since SPC is a tool to verify the output of processing, it is viewed as a detective control rather than preventive.

137 ISO 9001 requires that the standard of acceptability of product characteristics that have a subjective element be clarified.