ASQ Certified Quality Auditor Exam Preparatory Course
Module 1 – Auditing Fundamentals
Lance B. Coleman, ASQ Senior Member, CQA, CBA
Quality Engineer and Lean Leader Full Moon Consulting
www.fullmoonconsulting.net
(C) 480-677-5009
FULL MOON CONSULTING
Catalysts for transformative change
(C) Lance Coleman
(c) 2012 Lance Coleman
This module is copyrighted material. Please
do not further copy or distribute without
written permission from Lance Coleman.
How this whole thing works…
This presentation is module one of a five-module ASQ-CQA exam preparatory course. The format follows closely, with some logical deviations, the listing of the ASQ CQA body of knowledge (BOK).
• Case-In-Point covers a situation which illustrates a concept covered on the preceding slide(s).
• Key Thoughts are the one point on a particular slide which merits either clarification or highlighting.
• Further Discussion summarizes the concepts covered within the module and expands upon key concepts.
Each module will contain subthemes relating to sections of the BOK, and will conclude with a test to ensure that students have firmly grasped the concepts discussed. A passing test grade of 85% or higher will be required to move on to the next module. A final comprehensive exam will be given upon passing of the last module test. Also presented with the final exam will be strategies for successful test taking and how to deploy them during the CQA exam. Passing the course is considered achieving a passing grade of 85% or better on the final untimed exam.
The History of Auditing
An audit is thought to be a formal, methodical
review or investigation. Auditing started as a
means of government accountancy, moved
into the financial arena then expanded to the
various types of audits that we encounter
today. Though the subject of the audit may
vary and auditor qualifications may differ
drastically depending on the type of audit,
many of the tools and techniques remain
the same, regardless of the audit being
performed.
Why do we audit?
Key Thought: The audit program should not be
static. It should be periodically reviewed for
continued effectiveness and relevance.
Philosophically the audit function is a vehicle to assess
whether or not an organization is meeting its obligations,
both stated and implied. It should serve as a focusing lens
on areas of noncompliance as well as a compass for
continuous improvement efforts.
Operationally, the purpose of the audit function should be
determined by audit program management as a reflection of
company or site needs, goals and objectives.
Audit Program Goals & Objectives
You cannot have an effective audit program without clearly
defined goals and objectives. These goals should be aligned
with organizational goals and objectives and should look to
answer the questions – who, what, where, when, why and
how?
• Who is being audited?
• What do we hope to accomplish?
• When will the audit take place?
• Where will the audit take place?
• Why are we conducting the audit?
• How and with what resources are we conducting
the audit?
Audit Program Goals & Objectives
The purpose of the specific audit function varies according
to the type of audit:
1st party audits are conducted to ensure that an
organization’s internal procedures and controls are
adequate, effective and followed.
2nd party audits are conducted to ensure that suppliers are
monitored for continued quality of product and operations.
3rd party audits are conducted by a registrar to ensure
continued compliance by an organization to the
standard to which they are registered. 3rd party audits are
also conducted by the FDA.
Audit Purpose and Scope
Key Thought: Purpose and scope should be
identified before any further audit planning
takes place.
Two terms that are critically important in classifying the
individual audit are purpose and scope. The purpose tells
us the “what & why” while the scope tells us the “where &
when”. See below for examples.
Purpose
• What type of audit
o Follow up to prior audit
o Scheduled audit
o Initial supplier assessment
• What will be audited
o What department or program
o Against what criteria
Scope
• Where will the audit take place
o Facility location
o Specific area within a facility
• When will the audit take place
o Single shift
o Across multiple shifts
Case-In-Point
Authority, purpose and scope are three things that need to be confirmed up
front, or the audit can go seriously awry. Let’s look at the example of a
supplier Z who has three manufacturing sites – 1, 2 and 3, and customer A.
Recently A has been having quality problems with widgets received from Z
site number two. Supplier Z is already on customer A’s audit schedule for
the year, so A decides to pull that audit forward on the schedule and
requests to be able to conduct an audit at Z during the upcoming month,
before the next shipment of widgets is due. Now let’s look at why we would
want to confirm audit authority, purpose and scope before going any
farther.
Case-In-Point cont’d
Authority – Usually the authority to audit a supplier facility is included in the
purchase contract. If it is not, then A would have to state the reasons that they
wanted to conduct the audit and request permission from Z in writing to conduct it. If
permission is not given either contractually or subsequently in writing, then A cannot
conduct an audit of Z. They can stop ordering, but cannot force an audit to take
place. Preparing for an audit that there is no authority to conduct will waste
both valuable time and resources.
Purpose – An audit should look at the overall supplier QMS for areas of concern; it
should be a focusing lens on areas of concern. The auditor should be clear on what
the problem is that A is having with Z. The focus of the audit would shift, for example,
if the problems seen were related to on-time delivery as opposed to quality.
Scope – Problems have only been seen on parts received from Z location 2. The scope
of the audit should be focused on that site. If they were auditing one of the other
sites, they might not see a duplication of the issues at site 2 that are causing the
quality problems with their parts. So site 2 should be the scope of the
audit, even if scheduling or location is more problematic.
Now you see how a misstep with any one of these three important steps
could cause an audit to go awry and be ineffective.
What is an audit?
Key Thought: Independent means that an
auditor should not audit someone they report to,
nor should they audit work that they have done
or have the ultimate responsibility for.
Audit
Systematic, independent and documented process for obtaining audit
evidence and evaluating it objectively to determine the extent to which
audit criteria are fulfilled
ISO 19011:2002
Audit
A planned, independent, and documented assessment to determine
agreed-upon requirements are being met.
ASQ CQA Handbook, Third Edition
Findings vs. Observations
Key Thought: Although many companies think of
and refer to findings as negative, a finding can be
EITHER negative or positive. Observations are
also neither negative nor positive.
Finding
A conclusion of importance based on an observation
Observation
Information or evidence (including witnessed actions) used
to support conclusions
Objective Evidence
Data supporting the existence or verity of something.
Some examples of objective evidence are:
• Documents
• Records
• Finished Goods and Services
• Witnessed actions
• Observed results of stated actions
• Corroborating Statements
o Same statement made by one operator to
two different auditors
o Same statement made by two different
operators to one auditor
Objective Evidence
One good way to remember the types of acceptable
objective evidence is to remember the acronym D.O.R.S.
Documents
Observations
Records
Statements
Case-In-Point
To examine how objective evidence is used, let’s look at an example where a
documented company procedure requires that the southeast wall of each room of
building “A” be painted blue as part of an improvement project. The painting is to be
completed by the end of June. An auditor comes to the company site in mid-July of
the year in which the painting was to be completed. What objective evidence would an
auditor seek to confirm compliance with this procedure?
Observation: They could go to one of the rooms in building “A” and confirm that the
SE Wall was painted blue.
Records: They could review records, properly completed in full per company
procedures, of the work being done.
Statements: Two different staff members state that the painting of all of the rooms’
SE walls was completed by “Bob” before the end of June. One staff member
consistently gives different auditors the same response in answer to the same question
posed in different ways.
Documents: The procedure itself could be used as partial evidence of the
implementation of a corporate improvement program. It CANNOT be used
as proof of completion of the act. That would have to come from records,
observations or statements.
Audit Criteria
Key Thought: Criteria can be either internal,
external or both.
Audit Criteria
Set of policies, procedures or requirements. Audit
criteria are used as a reference against which audit
evidence is compared.
Reference vs Performance Standards
Reference standards are external documents such
as regulations, contracts and ISO standards that
establish minimum requirements.
Performance standards are internal documents
such as SOPs, work instructions, drawings and
other similar documents that describe HOW
requirements will be met and that personnel
performance must be audited against.
The Audit Process
Key Thought: See a visual depiction and
reminder of this on the following “W” Factor
slide.
When conducting an audit, the auditor should first
assess the company documentation against the
related reference documents. Any findings would
then be against company documentation.
Then the auditor should match employee actions and
records (performance) against what is stated in their
own internal documentation. Any findings noted
would be against performance of actions as required.
The “W” Factor*
[Figure: the “W” Factor diagram; surviving labels: Validation, Verification, Reference, Performance, Actions, Standard, Document.]
* Thanks to Erik Myhrberg of Moorhill International
Assessment Terms
Adequacy
The state of being sufficient for a specified requirement
Compliance
The affirmative indication or judgment that the supplier of
goods or services has met the requirements of the relevant
specifications, contract or regulation.
Conformity
Synonymous with compliance though in regulated
industries compliance and noncompliance are the
preferred terms.
Assessment Terms
Key Thought: In some international circles an
argument is being made that compliance refers
to legal or regulatory concerns while
conformity/ nonconformity refers to
specifications and performance
Noncompliance
A finding of something – product, service, documentation,
actions etcetera, not being in compliance.
Nonconformity
Synonymous with noncompliance
ANSI/ISO/ASQ QE19011S Five Principles
ANSI/ISO/ASQ QE19011S identifies five principles of auditing that are “prerequisites for providing audit conclusions that are relevant for enabling auditors working independently from one another to reach similar conclusions”. Though “ethical conduct” is singled out as its own line item, there are elements of ethical and moral behavior in each of the other principles as well. These principles are seen on the following slide.
ANSI/ISO/ASQ QE19011S Five Principles
Ethical Conduct – the auditor will neither participate in nor
facilitate unsafe, illegal, or unethical conduct
Fair presentation – fair and unbiased reporting of the facts
Due professional care – diligence taken in developing the
audit plan and in obtaining objective evidence prior to
drawing conclusions
Independence – auditor not responsible for the work being
audited or reporting to the head of the department being
audited
Evidence-based approach – auditor conclusions based on
the facts and evidence observed, and not opinions
Professional Code of Ethics
Key Thought: Most companies will have auditors
read, understand and sign a code of ethics as
part of their training, prior to auditing.
Just about every auditing body and auditing standard has
a code of ethics that they refer to, and rightfully so. You
can visit http://www.asq.org/about-asq/who-we-are/ethics.html
to view the ASQ code of ethics.
On the following slide are what I call my “sacred seven” of
auditing ethics. These are my day-to-day spiritual and
operational guideposts. You will notice that most of them
apply to everyday living as well.
My “Sacred Seven” Tenets
Key Thought: It is more important to develop
your own moral code that you live and work by,
than to memorize someone else’s code that you
can cite ‘chapter and verse’ but don’t follow.
1. Immediately report any unsafe, illegal or unethical
activities
2. Do not engage in any unsafe, illegal or unethical
activities
3. Avoid even the appearance of impropriety
4. Don’t audit an area outside your realm of expertise
5. Don’t audit an area for which you are responsible
6. Be honest and fair in your dealings
7. Strive to advance the profession as well as your
own knowledge and skill
Examples of Unethical Behavior
•Knowingly facilitating unsafe, illegal or unethical
conduct
•Benefiting financially from knowledge gained during an
audit
•Discussing proprietary or confidential information
outside of the audit
•Soliciting or accepting gifts
•Crafting false reports for any reason
Case-In-Point
An auditor completes a new supplier assessment of company “B”. Whereas several
opportunities for improvement were identified, overall, the assessment was positive
and it was recommended that the supplier be added to the Approved Supplier List
(ASL). As a thank you for the feedback and the approval, company B sends the
auditor a gift. Since the gift was not overly expensive and the auditor had planned to
recommend the addition of company B to the ASL anyway, they accepted the gift. This
falls into the category of “appearance of impropriety”. An outsider looking at this
transaction might think this to have been an example of “quid pro quo”.
An auditor conducts an audit at an up and coming company in their industry. The
audit goes well and while there, the auditor learns that everyone at the company is
excited about an upcoming announcement of an expansion, financed by new
contracts that would double their production capacity. Upon returning home, the
auditor thinks that it would be a wise investment to purchase some stock in the
company audited and instructs their investment broker to add fifty shares of
that company’s stock to their portfolio. This auditor made an error in
potentially profiting based on information discovered during an audit that
was not yet public knowledge.
Audit Program Participation
Key Thought: Depending on the organization,
often one individual will play multiple roles.
Many individuals come together to play various roles in
implementing a successful audit program. The most
prevalent of those roles are seen below:
• Client
• Audit Program Manager
• Lead Auditor
• Auditor
• Auditee
• Subject Matter Expert
• Administrative Staff
Audit Program Management
Audit Program Management provides organizational
structure, sets policy and provides resources for the audit
program. Specific responsibilities are:
• Establishes audit policies and procedures
• Publishes audit schedule
• Provides resources for audits
• Establishes auditor requirements
• Selects Lead Auditor
• May select audit team or delegate to Lead
• Provides for auditor training
• Maintains records
• Liaison with client
• Resolves any complaints or issues
Client
The client is the driving force for initiating an audit. It is at
the client’s request that the audit process begins. This
request can come in the form of a communication
requesting a specific audit or in the form of established
requirements for periodic audits. Client responsibilities are:
•Provide authority for audit
•Select auditee
•Select auditing body
•Set audit purpose and scope
•May attend opening and closing meeting
•Receives and approves final audit report
Key Thought: Clients can be either external or
internal to an organization
Audit Team
The audit team may be made up of the Lead Auditor,
Auditor, Subject Matter Experts (SME) and
administrative staff. It is not necessary that every
audit team include all of these functions. The audit
team need only consist of one person.
Audit Team
Lead Auditor Responsibilities
Planning
• Confirm authority for audit
• Develop audit plan
• Ensure availability of resources
• Ensure logistical concerns are addressed
• May assist in selection of team
• Request any needed documents and records
• Review previous audit results
• Contact Auditee to schedule audit
Execution
• Liaison with auditee and client
• Conduct audit opening and closing meetings
• Assign auditor tasks and coordinate audit activities
• Ensure that audit remains on schedule
• Issue audit report
• Resolve any conflicts that may arise
• Conduct audit
Key Thought: When there is only one auditor,
that auditor is considered the Lead Auditor and
has all of those responsibilities
Audit Team
Auditor Responsibilities
• Prepare for audit
• Conduct audit duties as assigned by Lead
• Provide input to audit team
• Report results to Lead
Subject Matter Expert is a professional with a particular
technical expertise that is needed to ensure that a
comprehensive and effective audit is conducted. The SME
may or may not be an auditor.
Administrative Staff are occasionally needed to translate,
transcribe or perform other administrative duties.
Auditee
The auditee is the organization, department, function or
individual being audited. Responsibilities of the Auditee are:
• Make auditors aware of site safety requirements
• Supply a meeting space for the opening/closing
meeting
• Provide needed logistical support – computer
connections, phones, copiers, etc.
• A room for auditors to meet and work privately
• Provide documents and records as requested
• Provide guides, staff for interviews and SME as needed
• Attend the opening and closing meeting
• Respond to audit report as necessary
• Initiate root cause investigation and corrective
action as required by audit
Classifying Audits
Key Thought: Both the auditor’s goals and
authority vary, depending on the type of audit
that they are conducting
Audits can be classified in several ways, depending on the
purpose and the organization:
• Internal vs. external
• 1st party, 2nd party or 3rd party
• Classification by purpose
• Classification by scope
Internal vs. External Audits
Internal audits (also called 1st party audits) are conducted
by organizational staff on the organization itself to ensure
that its procedures and controls are effective and followed.
Audits conducted on behalf of the organization by
contractors, on the organization itself, are also considered
internal audits
External audits are audits conducted by an organization
on an outside entity. These can be either 2nd party (supplier)
or 3rd party (ISO registration/surveillance or FDA) audits.
1st, 2nd and 3rd Party Audits
Key Thought: A registrar is a certifying body
that certifies an organization compliant with a
particular ISO standard and monitors that
organization for continued compliance
1st party audit – internal audit as earlier defined
2nd party audit – audit by an organization of one of its
suppliers
3rd party audit – audit by a registrar or other certificating
body for the purposes of certifying (or maintaining the
certification of) the organization being audited to a specific
standard or audit by the FDA
Purpose & Scope
Compliance audit – conducted for the purpose of
confirming compliance against a set of requirements.
Performance audit – conducted to assess performance
against a predetermined standard (internal or external
benchmark) or goal.
Scope – Sometimes audits are classified according to where
they are conducted. This is usually done for the purposes of
analyzing data, for the purposes of a specific assessment.
Special Purpose Audits
Desk or Document Audit: An off-site audit done of an
organization’s documentation against specified criteria
Follow Up Audit: Audit that focuses specifically on issues
raised in a previous audit, to confirm implementation and
effectiveness of corrective action. Also, the follow up audit
can be used to review areas of concern that may not have
been cited as noncompliances previously to ensure that the
concerns had not escalated.
Surveillance Audit: A special type of audit conducted by a
registrar to ensure an organization’s continued
compliance to the ISO standard to which it is
registered.
Other Types of Audits
Following the chronological sequence of events of a process is called Tracing. Tracing can start at the beginning, middle or end of a process, and can go forward (downstream) or backward (upstream) from point of origin. Tracing is helpful when a process is unclear, evidence is elusive or when evaluating performance.
Element Audits audit aspects of a company quality management system against elements of an ISO standard.
Random Audits randomly select departments and items for review, for a true randomized sampling. This method is easy to do and less time consuming but could be affected by unintentional bias, or might miss areas of concern.
Systems Audits review the interrelated processes that comprise the quality management system, for compliance, effectiveness and continuous improvement, against established criteria.
L.O.C.S.
There are four types of criteria against which to audit:
Legal – federal, state or local laws
Organizational – internal procedures, work
instructions and specifications
Contractual – those requirements imposed by the
customer in their contract
Standards – those requirements imposed by ISO
standards on those organizations that are registered to
or seeking to be compliant with them
Key Thought: The audit cannot be conducted
without criteria to audit against. The very
definition of audit includes comparison against
some criteria
Hierarchy
Key Thought: Auditors should be aware of the
hierarchical structure of documents within the
organization being audited as well.
The auditor should also be aware of the hierarchy of
requirements. The requirements higher on the hierarchical
scale supersede those below. In the case of audit criteria, the
hierarchy is as follows:
1. Legal
2. Contractual
3. Standards
4. Organizational
Case-In-Point
A contract cannot be written that is against the law, thus government
regulations sit atop the hierarchy of requirements. Contracts can impose
all of the requirements of a particular standard, parts of a standard, or the
standard requirements plus additional customer specific requirements. So
basically the contract between customer and supplier supersedes any
requirements imposed by the standard when there is a conflict.
Internal documents can add requirements to those imposed by the
standard, but cannot allow anything less than required by the standard.
When an auditor comes across a situation that violates more than one of
the audit criteria, the highest ranking criteria violated is cited as the
noncompliance.
An audit is a planned and documented assessment against a
predetermined set of criteria. The roles that participate in the
implementation of the audit program are – audit program management,
lead auditor, auditor, subject matter experts, administrative staff, the
auditee and the client. In smaller organizations, or for less complex
audits, often multiple roles are played by one individual.
Audits can be classified in multiple ways – internal vs. external; 1st, 2nd
or 3rd party; and also by purpose or scope. Audits result in findings which are
conclusions based on observations and backed by objective evidence.
Examples of objective evidence are documents, observations, records
and statements (D.O.R.S.). Examples of audit criteria, and often the
authority to conduct the audit, are legal, organizational, contractual and
standards (L.O.C.S.). The acronyms D.O.R.S. and L.O.C.S. are a good
way to remember the types of evidence and criteria. During the audit,
the concept of adequacy is explored with respect to the audited items.
Adequacy is defined as suitable to meet requirements.
Reviewed items are assessed as compliant or noncompliant.
ANSI/ISO/ASQ QE19011S identifies five principles of auditing that are
“prerequisites for providing audit conclusions that are relevant for
enabling auditors working independently from one another to reach
similar conclusions”. These are:
• Ethical Conduct – the auditor will neither participate in nor facilitate
unsafe, illegal, or unethical conduct
• Fair presentation – fair and unbiased reporting of the facts
• Due professional care – diligence taken in developing the audit plan
and in obtaining objective evidence prior to drawing conclusions
• Independence – auditor not responsible for the work being audited or
reporting to the head of the department being audited
• Evidence-based approach – auditor conclusions based on the facts and
evidence observed, and not opinions
ASQ is one of many organizations that require a code of ethics of their
members. Auditors must be respectful, honest and fair in their dealings
with those whom they encounter during audits – auditee, audit program
management, fellow auditors and the client. Auditors cannot attempt to
benefit from information gained or activities performed during an audit.
This statement refers to both monetary and non-monetary gifts as well as
trading on insider information. An auditor has a further obligation to
respect the confidentiality and proprietary information they may
encounter whether internal or external to their organization. The auditor
must also refrain from participating in and report any illegal, unsafe, or
unethical practices. Finally, the auditor has an obligation to continue to
expand on their knowledge and advance the profession whenever
possible.