effective internal auditing to iso 9001:2008

Effective Internal Auditing To ISO 9001:2008

Presented ByMunir Ahmad FCMA - MBA

Course Outline

Principles of Management System Auditing

Managing the Internal Audit ProgramPlanning the Internal AuditConducting the Internal AuditReporting the Audit FindingsPost-Audit Activities


Why Audit is essential?• A management tool for monitoring and verifying the

effective implementation of an organization’s Quality Management System

• To identify areas of conformity and nonconformity against customer requirements, applicable statutory and regulatory requirements, and established planned arrangements in the QMS

• To provide a systematic discipline for corrective or preventive actions if actual or potential nonconformities are found


Why Audit is essential?

• To provide information on which an organization can act to improve its performance (identify opportunities for continual improvements)

• It is an essential part of conformity assessment activities such as 3rd party certification


Internal Quality Audits are essential…

… to determine, by an unbiased means and through factual information on quality performance, whether the quality system is effective in maintaining control by checking that prescribed quality objectives are being achieved and the resultant products and services meet specified customer and regulatory requirements.


Likely effects on QMS of a weak IQA System

Inadequate review of the Quality Management System vs. the requirements

Conclusions not reliable basis for Top Management to evaluate the effectiveness of QMS implementation

Diminished people’s full support to the Quality Management System.


Important terms and definitions:

Audit

A systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.


Audit Criteria – Set of policies, procedures or requirements used as a reference against which audit evidence is compared.

Audit Evidence – Records, statements of fact or other information, which are relevant to the audit criteria and verifiable.


Audit findings – results of the evaluation of the collected audit evidence against audit criteria

Audit Conclusion – outcome of an audit provided by an audit team after consideration of the audit objectives and all audit findings

Auditor – person with competence to conduct an audit


Audit Scope – extent and boundaries of an audit; generally includes a description of the physical locations, organizational units, activities and processes, as well as the time period covered.

Audit Program – set of one or more audits, planned for a specific timeframe and directed towards a specific purpose.


Audit Plan – description of the activities and arrangements for an audit

Auditee – organization being audited

Audit client – organization or person requesting an audit

Competence – demonstrated personal attributes and demonstrated ability to apply knowledge and skills


Types of Audit

Internal Audit

-Conducted by, or on behalf of the organization itself for internal purposes and can form the basis for an organization’s self-declaration of conformity.

-Also called first party audit


External Audit

- Conducted by any interested party (e.g. by customers or other persons in their behalf), by a regulatory body or by a 3rd party certification body

- Can be conducted as combined audit, joint audit, or integrated audit


5 Principles of Auditing

1. Ethical Conduct : the foundation of professionalism

- Trust

- Integrity

- Confidentiality

- Discretion

These are essential to auditing.


2. Fair presentation : the obligation to report truthfully and accurately

- Audit reports, audit conclusions must reflect accurately the audit activities.

- Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee should be reported.


3. Due professional care : the application of diligence and judgment in auditing

- Auditors exercise care in accordance with the importance of the task they perform and the confidence placed in them by the audit client and other interested parties.

- Having the necessary competence is an important factor.


4. Independence : the basis for impartiality of the audit and objectivity of the audit conclusions

- Auditors are independent of the activity being audited and are free from bias and conflict of interest.

- Auditors maintain an objective state of mind throughout the audit process to ensure that the audit findings and conclusions will be based only on objective evidence.


5. Evidence-based approach : the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process.

- The audit evidence is verifiable.

- The audit evidence is based on available information during the audit.

- Appropriate use of sample related to the confidence that can be placed to the audit conclusions.

Managing the Internal Audit Program

1. Authority for the Audit Program- granted by Top Management

Management Representative

- Establish, implement, monitor, review and improve the audit program

- Identify the necessary resources and ensure they are provided.

- Appointed by Top Management and is a member of the organization’s management.


2. Establishing the Audit Program

Define audit program objectives – to direct planning and conduct of audits

Define the extent of audit program – influenced by the size, nature and complexity of the organization

Define audit program responsibilities – assigned to one or more auditors who has general understanding of audit principles and has management skills as well as technical and business understanding relevant to activities to be audited.

Determine and provide audit program resources. Establish audit procedure(s)


3. Implementing the Audit Program

Schedule the audits Evaluating auditors Selecting audit teams Directing audit activities Maintaining records


4. Monitoring and reviewing the Audit Program

Monitoring and reviewing the program Identifying needs for corrective / preventive

action Identifying opportunities for improvement


5. Improving the Audit Program

Planning the Internal Audit

Requirements:

8.2.2 Internal Audit (ISO 9001:2008)

The organization shall conduct internal audits at planned intervals to determine whether the QMS:

a. Conforms to planned arrangements to the requirements of the standard, and the QMS requirements established by the organization, and

b. Is effectively implemented and maintained.



An audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of the previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process.



Auditors shall not audit their own work.

A documented procedure shall be established to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results.

Records of the audits and their results shall be maintained (see 4.2.4)


8.2.2 Internal Audit (ISO 9001:2008)The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include verification of the actions taken and the reporting of verification results.


Audit procedure should address the ff: audit program preparation assuring auditors’ competence assigning roles and responsibilities for auditors and audit teams planning and conducting audits conducting audit follow-up and corrective action verification monitoring effectiveness of the audit program reporting to Top Management on the overall results and achievements of the audit program


Assigning the Auditors

-Check availability of auditor (must be independent of area to be audited)-Brief the auditor on the objectives of the audit-Define the limits of the area to be audited-Apprise auditor of any special requirements, e.g. follow-up of corrective action, priority areas for verification, etc.


Tasks of the Internal Auditor• Obtain and assess evidence in a fair manner• Preserve his independence and integrity• Be flexible to changing situations during the audit• Interact with auditees in a positive way• Add value to auditee’s process or activities• Perform the audit process fully and adhere to the audit plan• Arrive at acceptable conclusions based on audit findings and objective evidence• To stand his ground despite possible pressure of contrary views


Auditor planning for each Audit• Auditor reads and understands the QMS documentation and business process• Communication with the auditee to confirm audit schedule• Preparation of the audit agenda and checklists (should reflect Plan-Do-Check-Act approach)•Auditor checks that his audit kit is complete (with audit plan, previous audit reports, forms and note pads, references, pens)


Preparing the Checklist of Questions• Check which elements of the Standard apply to the area to be audited• Check key requirements in the document• Check for any problems which normally are known to occur in the process to be audited• If necessary, ask other people for advice• Refer to other previous audit checklists/reports• Sequence questions in a logical way and also to permit Plan-Do-Check-Act approach to auditing


Audit Using PDCA Approach

The IQA auditor may cover the following key points:

1. What are the key objectives for the function/ process?

• Are objectives, quantitative targets and programs defined?• Do they define desired outcomes of function?• Do they address customer requirements?• Do they relate to the organization’s Quality Policy?• Do they relate to the Eight QMPs?• Do they relate to legal requirements, if any?



2. Are resources available and managed, as planned, to achieve objectives?

• Is there a process for defining and allocating resources?• Are resource needs identified, adequate, accounted for?• Does this include financial, specialized skills, equipment,

technology and the like?



3. Are key activities and methods for achieving objectives identified, documented and controlled?

• Are plans, procedures, formula, etc. documented?• Are process and operating criteria defined?• Are responsibilities and authorities defined?


Audit Using PDCA Approach4. What measures are available to demonstrate

achievement of objectives, and what evidence is available to demonstrate continual improvement for the function / process?

• Review and assess, among others:• Process capability, equipment reliability• Waste rates, variance vs. budget and other metrics• Legal compliance (findings should be backed up by data and

company records)• Performance monitoring and monitoring results; analyses• Actions taken for un-met objectives, product nonconformities,

significant process deviations.


Auditor’s Final Check

• Notebook, writing instruments• Copy of relevant QMS documents• Copy of audit plan confirmed by the auditee• Copy of he standard (ISO 9001:2008)• Copy of Internal Audit procedure, work instructions• Copy of audit checklist, if any• Forms for audit findings/report preparation• Previous nonconformity reports for verification of

effectiveness of corrective actions

Conducting the Internal Audit

The Audit Agenda

• Opening Meeting• Audit Proper• Closing Meeting


The Opening Meeting

•What to say during the opening meeting?

Review / discuss the following Opening Meeting agenda for the audit program, to include:

• Objective and scope of audit and audit criteria• The schedule of events; other arrangements• Definition of nonconformities, major and minor• How you will report the audit results• Confidentiality of audit data• Resolve any questions and items for clarification from the auditees


The Opening Meeting

• Who should attend the opening meeting?

- Audit Team and Management Team to be audited

• Who should preside the opening meeting?

- Chaired and managed by the Lead Auditor or Team Leader


Audit Proper

• Interview the staff responsible for each task• Obtain audit evidence by:

• Asking questions: inquire about task details• Observing actual task: watch the task being done• Checking records: confirm if task done is

consistent with the documented procedure; cross check with what records reveal

• Follow the audit trail: sequence of process steps


Audit Proper

• Compare and evaluate practice against the documented QMS (conforming? At variance?)• Use checklists to guide you in completing audit• Define nonconformity where lapses of the practice against QMS documentation might be found• Record objective evidence/s of the NC• Confirm with the auditee the presence of NC• Point out observations; area for improvement


What key things to look for and where?

• Task - work methods defined, efficiency

• People - training, skills, competence and motivation

• Equipment; Work Environment- identification, capability, condition, safety, sanitation

• Documents / Records- identification, issue, content, correctness and

distribution- retention, preservation, legibility, accessibility

Reporting the Audit Findings

The Audit Reporting Cycle

• Discuss and agree on findings• Record Findings• Hold Closing Meeting• Issue Audit Report• Update Records• Agree to undertake follow-up audit, if needed• Carry out and record results of Follow-up Audit


Types of Audit Findings

1. Positive findings – good practice; conformities2. Negative findings – nonconformities3. Observations – opportunities for improvements


2 Types of Nonconformities

• Minor • A failure to meet one requirement of a clause of ISO

9001 or other reference document, or a single lapse in following the organization’s QMS.

• Major • The absence or the total breakdown of a System to meet

the requirements of a clause of ISO 9001 or other related documents. A number of minor NCs against one clause can represent a total breakdown and thus be considered as a major NC


The Closing Meeting

• Who should attend the opening meeting?

- Audit Team and Management Team to be audited

• Who should preside the opening meeting?

- Chaired and managed by the Lead Auditor or Team Leader


The Closing Meeting Agenda• Thank the auditees for their time and cooperation• Commend auditees for accomplishments• Present a balance summary; point out good points and areas for improvement• Report any nonconformity – invite the individual auditor to report their respective findings• Report the overall conclusions and recommendations• Invite comments from auditees• Resolve any inquiries, concerns• Obtain consensus from auditees on nonconformity reports (accepted)• Establish date of submission to auditor of corrective action• Reiterate confidentiality

Post-Audit Activities

What happens next?• For the concluded audit:

• Agree on the corrective actions• Agree on-site follow-up audit, if necessary• Compile the audit report and submit to Top

Management• Review the Audit Program• Improve the Audit Program• Prepare for the next audit


Follow-up Actions• Auditor verifies and evaluates corrective actions upon submission; approves, if OK

• Auditor records results of verification and evaluation

• Auditor escalates problems to the management, if corrective action not completed.


Post-Audit Actions• Audit reports submitted for management review

• Reports include corrective/preventive actions, Management Representative’s assessment of QMS effectiveness and efficiency, based on internal audit results

• Continual improvement plans, based on internal audit results

Thank you for your attention!

effective internal auditing to iso 9001:2008

Documents

audit objectives

quality system

audit team

management tool

internal audit programplanning

collected audit evidence

audit evidence records

audit findingsauditor