session 1 – concepts of qms - cii-iq -...

COURSE NOTES

LEAD AUDITOR/AUDITOR COURSE FOR QUALITY MANAGEMENT

SYSTEMS ISO 9001:2008

CONFEDERATION OF INDIAN INDUSTRY

LEAD AUDITOR/AUDITOR COURSE FOR QUALITY MANAGEMENT SYSTEMS

ISO 9001:2008

IRCA Registration No. : A17392 NABET Registration No. : LQ81 102

No part of this publication may be reproduced, stored in retrieval system or transmitted in any form or by any means; electronic, mechanical, photocopying, recording or other wise without prior written permission of Head, Institute of Quality, Confederation of Indian Industry

LAC Course Notes Apr 2010

2 of 131

COURSE NOTES

CII Institute of Quality

Near Bharat Nagara, II Phase, Magadi Main RoadVishwaneedam Post, Bangalore - 560 091Tel : 080-23289390-91Fax : 080-23289388

Gurgaon Office

CII Institute of Quality Plot 249 – F, Udyog Vihar Phase IV, Sector 18, Gurgaon - 122 101 Tel: 0124-4014060–67/4014051 /4309447, Fax: 0124 4014051

CONTENTS

Session Title Page No

1 Concepts of QMS4

2A Purpose, content & interrelationship of ISO 9000 family of standards

17

2B Terminology of QMS23

2C Requirements of ISO 9001:200826

2D Documentation for ISO 9001 : 200830

3A Certification and Accreditation36

3B Role of IRCA & Auditor Certification and Competence & Evaluation Of Auditors

45

3C Introduction to Auditing51

3D Audit Responsibilities59

3E & F Audit Programmes & Planning of Audit63

3G Checklists81

3H Opening Meeting84

3I On-site auditing and Audit Skills87

3J Audit Reporting98

3K Closing meeting106

3L Audit Follow up112


3 of 131

QMS AUDITOR/LEAD AUDITOR TRAINING COURSE

Session 1 – Concepts of QMS

0 Overview

This session introduces the participants to the fundamental and underlying principles of a Quality Management System. The Year 2000 revisions to the ISO 9000 family of standards had brought in key conceptual inputs into the QMS, eg. the Process Model, the P-D-C-A approach and the eight Principles of Quality Management. These approaches have continued in the latest revision published as ISO 9001:2008

1 Purpose

Quality management systems can assist organizations in enhancing customer satisfaction.Customers require products with characteristics that satisfy their needs and expectations. These needs and expectations are expressed in product specifications and collectively referred to as customer requirements Customer requirements may be specified contractually by the customer or may be determined by the organization itself. In either case, the customer ultimately determines the acceptability of the product. Because customer needs and expectations are changing, and because of competitive pressures and technical advances, organizations are driven to improve continually their products and processes.The quality management system approach encourages organizations to analyse customer requirements, define the processes that contribute to the achievement of a product which is acceptable to the customer, and keep these processes under control. A quality management system can provide the framework for continual improvement to increase the probability of enhancing customer satisfaction and the satisfaction of other interested parties. It provides confidence to the organization and its customers that it is able to provide products that consistently fulfill requirements

2 Requirements for QMS and requirements for products

The ISO 9000 family distinguishes between requirements for quality management systems and requirements for products.


4 of 131

Requirements for quality management systems are specified in ISO 9001. Requirements for quality management systems are generic and applicable to organizations in any industry or economic sector regardless of the offered product category. ISO 9000 itself does not establish requirements for products.Requirements for products can be specified by customers or by the organisation in anticipation of customer requirements, or by regulation. The requirements for products and, in some cases, associated processes can be contained in, for example, technical specifications, product standards, process standards, contractual agreements and regulatory requirements.

3 Quality management systems approach

An approach to developing and implementing a quality management system consists of several steps including the following:

a) determining the needs and expectations of customers and other interested parties;

b) establishing the quality policy and quality objectives of the organization;

c) determining the processes and responsibilities necessary to attain the quality objective;

d) determining and providing the resources necessary to attain the quality objectives;

e) establishing methods for monitoring, measurement and analysis of these processes ;

f) applying these measures to determine the effectiveness and efficiency of these processes;

g) determining means of preventing nonconformities and eliminating their causes;

h) establishing and applying a process for continual improvement of the quality management system.

Such an approach is also applicable to maintaining and improving an existing quality management system.An organization that adopts the above approach creates confidence in the capability of its processes and the quality of its products, and provides a basis for continual improvement. This can lead to increased satisfaction of customers and other interested parties and to the success of the organization.


5 of 131

4 Process Model and P-D-C-A Approach

ISO 9001 : 2008 promotes the adoption of a process approach when developing, implementing and improving the effectiveness of a quality management system, to enhance customer satisfaction by meeting customer requirements.For an organization to function effectively, it has to identify and manage numerous linked activities. An activity using resources, and managed in order to enable the transformation of inputs into outputs, can be considered as a process. Often the output from one process directly forms the input to the next.The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management to produce the desired outcome, can be referred to as the “process approach”.A major advantage of the process approach, when compared to other approaches, is in the management and control of the interactions between these processes and the interfaces between the functional hierarchies of the organization When used within a quality management system, such an approach emphasizes the importance of

a) understanding and meeting requirements,b) the need to consider processes in terms of added value,c) obtaining results of process performance and effectiveness,

andd) continual improvement of processes based on objective

measurement.The model of a process-based quality management system which is an integral part of ISO 9001, illustrates the process linkages presented in clauses 4 to 8. This illustration shows that customer play a significant role in defining requirements as inputs. Monitoring of customer satisfaction requires the evaluation of information relating to customer perception as to whether the organization has met the customer requirements. The model covers all the requirements of ISO 9001 but does not show processes at a detailed level.

In addition, the methodology known as “Plan-Do-Check-Act” (PDCA) can be applied to all processes. PDCA can be briefly described as follows:


6 of 131

Plan: establish the objectives and processes necessary to deliver results in accordance with customer requirements and the organization’s policies.

Do: implement the processes.Check: monitor and measure processes and product against

policies, objective and requirements for the product and report the results.

Act: take actions to continually improve process performance.

5 Eight Quality Management Principles

To lead and operate an organization successfully, it is necessary to manage it in a systematic and visible manner. The use of Quality Management Principles is considered to provide direction. The eight quality management principles have been adopted and incorporated by the ISO 9000 standards, for use by Top Management to lead the organization towards current and future performance.

A Quality Management Principle is a comprehensive and fundamental rule or belief, for leading and operating an organization, aimed at continually improving performance over the long term, by focussing on customers while addressing the needs of all the stakeholders.

The eight Quality Management Principles are discussed below

Principle 1 – Customer-Focused Organisation

“Organisations depend on their customers and therefore should understand current and future customer needs, meet

customer requirements and strive to exceed customer expectations”.

Applying the principle of customer-focused organisation leads to the following actions:

• understanding the whole range of customer needs and expectations for products, delivery, price, dependability, etc.

• ensuring a balanced approach among customers’ and other stakeholders’ (owners, people, suppliers, local communities and society at larger) needs and expectations.


7 of 131

• communicating these needs and expectations throughout the organisation,

• measuring customer satisfaction and acting on results, and

• managing customer relationships

Principle 2 – Leadership

“Leaders establish unity of purpose and direction of the organisation.

They should create and maintain the internal environment in which people can become fully involved in achieving the

organisation’s objectives.”

Applying the principle of leadership leads to the following actions:

• being proactive and leading by example,

• understanding and responding to changes in the external environment,

• considering the needs of all stakeholders including customers, owner, people, suppliers, local communities and society at large,

• establishing a clear vision of the organisation’s future,

• establishing shared values and ethical role models at all levels of the organisation,

• building trust and eliminating fear,

• providing people with the required resources and freedom to act with responsibility and accountability,

• inspiring encouraging and recognizing people’s contributions,

• promoting open and honest communication,

• educating, training and coaching people,


8 of 131

• setting challenging goals and targets, and

• implementing strategy to achieve these goals and targets,

Principle 3 – Involvement of People

“People at all levels are the essence of an organisation and their full involvement enables their abilities to be used for the

organisation’s benefit”

Applying the principle of involvement of people leads to the following actions by the people:

• accepting ownership and responsibility to solve problems,

• actively seeking opportunities to make improvement,

• actively seeking opportunities to enhance their competencies, knowledge and experience,

• freely sharing knowledge and experience in teams and groups,

• focusing on the creation of value for customers,

• being innovative and creative in furthering the organisations objectives,

• better representing the organisation to customers, local communities and society at large,

• deriving satisfaction from their work, and

• be enthusiastic and proud to be part of the organisation.

Principle 4 – Process Approach

“A desired result is achieved more efficiently when relatedresources and activities are managed as a process.”

Applying the principle of process approach leads to the following actions:


9 of 131

• defining the process to achieve the desired results,

• identifying and measuring the inputs and outputs of the process,

• identifying the interfaces of the process with the functions of the organisation,

• evaluating possible risks, consequences and impacts of processes on customers, suppliers and other stakeholders of the process,

• establishing clear responsibility, authority, and accountability for managing the process,

• identifying the internal and external customers, suppliers and other stakeholders of the process, and

• when designing processes, consideration is given to process steps, activities, flows, control measures, training needs, equipment, methods, information, materials and other resources to achieve the desired result.

Principle 5 – Systems Approach to Management

“Identifying, understanding and managing a systemof interrelated processes for a given objective improves the

organisation’s effectiveness and efficiency”

Applying the principle of system approach to management leads to the following actions:

• defining the system by identifying or developing the processes that affect a given objective,

• structuring the system to achieve the objective in the most efficient way,

• understanding the interdependencies among the processes of the system,

• continually improving the systems through measurement and evaluation, and

• establishing resource constraints prior to action.


10 of 131

Principle 6 – Continual Improvement

“ Continual improvement should be a permanentobjective of the organisation.”

Applying the principle of continual improvement leads to the following actions:

• making continual improvement of products, processes and systems an objective for every individual in the organisation,

• applying the basic improvement concepts of incremental improvement and breakthrough improvement,

• using periodic assessments against established criteria of excellence to identify areas for potential improvement,

• continually improving the efficiency and effectiveness of all processes,

• promoting prevention based activities,

• providing every member of the organisation with appropriate education and training, on the methods and tools of continual improvement such as:

– the Plan-Do-Check-Act cycle,

– problem solving,

– process re-engineering, and

– process innovation,

• establishing measures and goals to guide and track improvements, and

• recognizing improvements.

Principle 7 – Factual approach to decision making


11 of 131

“Effective decisions are based on theanalysis of data and information.”

Applying the principle of factual approach to decision making leads to the following actions:

• taking measurements and collecting data and information relevant to objective,

• ensuring the data and information are sufficiently accurate, reliable and accessible,

• analysing the data and information using valid methods,

• understanding the value of appropriate statistical techniques, and

• making decisions and taking action based on the results of logical analysis balanced with experience and intuition.

Principle 8 – Mutually beneficial supplier relationships

“ An organisation and its suppliers are interdependent,and a mutually beneficial relationship enhances

the ability of both to create value.”

Applying the principle of mutually beneficial supplier relationship leads to the following actions:

• identifying and selecting key suppliers,

• establishing supplier relationships that balance short-term gains with long-term considerations for the organisation and society at large,

• creating clear and open communications,

• initiating joint development and improvement of production and processes

• jointly establishing a clear understanding of customer’s needs,

• sharing information and future plans, and


12 of 131

• recognizing supplier improvement and achievements.

6 Product

The result of a process is a product.

There are 4 generic product categories as follows:-

1. Hardware (example - engine, mechanical part)

2. Processed materials (example - lubricant)

3. Software (example - computer programme)

4. Services (example - transport)

The classification of the product depends on the dominant element. For example, automobile consists of hardware (tyres, engine, drive, etc), processed materials (fuel, cooling liquid), software (engine control software), service (operating instructions given by salesman). The dominant component is however, hardware.

7 Benefits

The application of quality management principles and systems not only provide direct benefits but also make an important contribution to managing costs and risks. Benefit, cost and risk management considerations are important for the organization, its customers and other interested parties. These considerations on overall performance of the organization may impact:

– customer loyalty,

– repeat business and referral,

– operational results such as revenue and market share,

– flexible and fast responses to market opportunities,

– costs and cycle times through effective and efficient use of resources,


13 of 131

– alignment of processes which will best achieve desired results,

– competitive advantage through improved organizational capabilities,

– understanding and motivation of people towards the organization’s goals and objectives, as well as participation in continual improvement,

– confidence of interested parties in the effectiveness and efficiency of the organization, as demonstrated by the financial and social benefits from the organization’s performance, products life cycle, and reputation,

– ability to create value for both the organization and its suppliers by optimization of costs and resources as well as flexibility and speed of joint responses to changing markets.


14 of 131

DOCUMENTATION FOR A QMS PROCESS

8 Process Approach

For organizations to function effectively, they have to identify and manage numerous interrelated and interactive processes. Often, the output from one process will directly form the input with the next process. The systematic identification and management of processes employed within an organization and the interactions can be referred to as “Process approach”.

9 Types of QMS processes

The Types of Processes in an organization can be classified as under:


15 of 131

a) Processes for management of an organization - These include processes relating to strategic planning, establishing policies, setting objectives, providing communication, ensuring availability of resources needed and management reviews.

b) Processes for managing resources - These include all those processes for the provision of the resources that are needed for the processes for managing an organization, for realization, and for measurement.

c) Realization processes - These include all processes that provide the intended output of the organization.

d) Measurement, analysis and improvement processes - These include those processes needed to measure and gather data for performance analysis and improvement of effectiveness and efficiency. They include measuring, monitoring and auditing processes, corrective and preventive actions and are an integral part of the management, resource management and realization processes.

10 Process Documentation

A typical process documentation includes the following:a) Identification of inputsb) Identification of resourcesc) Identification of desired outputsd) Activities and their sequencee) Monitoring and controlsf) Measurementsg) Records required to give evidence

11 Types of process documents

The ISO 9001 Standard brings in a flexibility in the organisation’s documentation in clause 4.2.1(d). The requirement specifies documents needed by the organisation to ensure effective planning, operation and control of its processes. This would mean that


16 of 131

documents, in any manner, which comply with this requirement will be acceptable. In practical terms, this would cover procedures, work instructions, process sheet, flow charts, quality plan, checklists, and many similar documents.The format of document would be as appropriate to suit the purpose. The format could be in text form with proper headings or it could be in a tabular form. The format could also be as process diagrams graphical representations, visual media, or electronic methods or any other suitable form.In all the types mentioned or in a combination of these, the essential features of a process, identified in 10 above, need to be made evident.

12 Benefits of process approach to documentation

The process approach of managing emphasises effectiveness of activities as against merely operation of the activities. Conventionally, a “Procedure” or a “Work Instruction” describes the operational details of an activity. In other words, these describe the “Do” part of P-D-C-A. A process documentation, on the other hand, describes the complete cycle of P-D-C-A of the activity.

13 Evaluating processes within the quality management system

When evaluating quality management systems, there are five basic questions that should be asked in relation to every process being evaluated.a) Is the process identified and appropriately defined?b) Are responsibilities assigned?c) Are the procedures implemented and maintained?d) Is the processes being analysed, and/or monitored, and/or measured ?e) Is the process effective in achieving the required results?The collective answers to the above questions can determine the result of the evaluation. Evaluation of a quality management system can vary in scope and


17 of 131

encompass a range of activities, such as auditing and reviewing the quality management system, and self-assessments.


18 of 131


SESSION 2A – PURPOSE, CONTENT & INTERRELATIONSHIP OF ISO 9000 FAMILY OF STANDARDS

0 Overview

This session introduces the ISO 9000 family of standards, background and development specifically of the ISO 9000 and ISO 19011 and Quality system specifications versus guidance standards.

1 Background

ISO (the International Organisation for Standardisation) is a world-wide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees, which are supported by Sub Committees and Working Groups. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

Draft International Standards adopted by the technical committees are circulated to the member bodies for approval before their acceptance as International Standards by the ISO Council. They are approved in accordance with ISO procedures requiring at least 75% approval by the member bodies voting.

Preparation and periodic revision of the ISO 9000 series International Standards is the responsibility of ISO Technical Committee 176, Quality management and quality assurance. ISO/TC 176 adopted, in 1990, a strategy for revision of the ISO 9000 series, originally published in 1987. The first revision was in 1994. The second revision was in 2000. The latest release has been published in November 2008.

The standards in the ISO 9000 family describe what elements quality systems should encompass but not how a specific organization implements these elements. It is not the purpose of these standards to enforce uniformity of quality systems. Needs of organizations vary. The design and implementation of a quality system must necessarily be influenced by the particular


19 of 131

organization objectives, products and processes, and specific practices.

2 Background and need for the Year 2008 changes

The ISO protocol requires a systematic review of standards every 5 years Prior to the commencement of a revision (or amendment) to a management system standard, a “Justification Study” is prepared to present a case for the proposed project. In relation to the development of ISO 9001:2008 user needs were identified from the following:

the results of a formal “Systematic Review” on ISO 9001:2000 that was performed by the members of the Standard Drafting Sub committee ISO/TC 176/SC2 during 2003-2004

feedback from the ISO/TC 176/Working Group on “Interpretations”

the results of an extensive worldwide “User Feedback Survey on ISO 9001 and ISO 9004” by ISO/TC 176/SC 2/WG 18 and similar national surveys.

The Justification Study identified the need for an amendment, provided that the impact on users would be limited and that changes would only be introduced when there were clear benefits to users.

The key focuses of the ISO 9001:2008 amendment were to enhance the clarity of ISO 9001:2000 and to enhance its compatibility with ISO 14001:2004.

The following decision making principles were applied:

1) No changes with high impact would be incorporated into the standard;

2) Changes with medium impact would only be incorporated when they provided a correspondingly medium or high benefit to users of the standard;

3) Even where a change was low impact, it had to be justified by the benefits it delivered to users, before being incorporated.

The following were considered as impacts

No changes or minimum changes on user documents, including records

No changes or minimum changes to existing processes of the organization


20 of 131

No additional training required or minimal training required

No effects on current certifications

The benefits identified for the ISO 9001:2008 edition fall into the following categories:

Provides clarity Increases compatibility with ISO 14001. Maintains consistency with ISO 9000 family of standards. Improves translatability.

3 The Revision Process

The revision process is the responsibility of ISO’s Technical Committee TC-176, and is conducted on the basis of consensus among quality experts from member countries around the world. For the “Year 2008” revision, TC-176 adopted a project management approach in order to cope with the complexity of the task. Initial project specifications and goals were established after extensive User Feedback Survey on ISO 9001 and ISO 9004 by ISO/TC 176/SC 2/WG 18 and similar national surveys were carried out, to determine needs and expectations for the new revisions. Furthermore an essential part of the revision was the user verification and validation process, which ensured that the standards produced actually responds to user needs. The work of the committee has resulted in publication of Year 2008 revisions to the ISO 9001 Standard while revision of ISO 9004 and ISO 9000 are underway. The project schedule was as follows, enabling further comments to be made:2nd quarter 2007 – Draft International Standard (DIS) for vote by Member Countries2nd quarter 2008 – Final Draft International Standard (FDIS) for vote by Member Countries13 Nov 2008 – Publication of International Standard (ISO)Changes to the detailed content of the standards are possible during the revision process (prior to the “FDIS” phase), and it is for this reason that organisations are recommended not to act prematurely based on speculation as to what the new standards may or may not require.


21 of 131

4 Changes to the ISO 9001 Standard

ISO has clarified that ISO 9001:2008 does not introduce additional requirements, nor does it change the intent of the ISO 9001:2000 standard. However the changes have been made to improve both the understanding of the intent as well as level of compliance by re-emphasizing certain key aspects.

Some of the important aspects affected in the revision are :a) The term ‘conformity to product requirements’ has been added

at several places to clarify that management of the systems and processes are not the end in themselves but the means to achieve product standards and customer satisfaction

b) The term ‘statutory’ has been added to ‘regulatory’ signifying that both types of legal obligations apply as part of product requirements.

c) Whenever an organization outsources any activity or part of its business, it is obligatory to exercise control on these so that product conformity can be maintained in all circumstances

d) Controls on the processes, including system processes should be decided based on their impact on the product conformance.

e) Whenever an organization takes corrective or preventive actions, it now has to ensure that these actions have a long term impact. Internal audits shall require verification of the long term impact.

f) Management Representative, the key person who manages the quality system, should be from the organization’s own management and cannot be an outside person.


22 of 131

g) IT based processes and information need to be managed and controlled both as part of infrastructure & equipment as well as in terms of resource.

h) Customer measuring and monitoring can be done in several ways such as customer satisfaction through data analysis, surveys claims, warranties, dealer reports as long as the information can be analysed.

i) The purpose of training is to achieve the level of competence required to do a job

5 ISO 9000 Family of Standards

The current ISO 9000 family currently consists of 17 international quality management standards and guidelines. As a whole, the ISO 9000 family forms a strong base for establishing effective and efficient quality management systems. Three important standards in the series are :• ISO 9000: 2005 Quality management systems -Fundamentals

and vocabulary• ISO 9001: 2008 Quality management systems - Requirements• ISO 9004: 2009 Managing for sustained development – a

quality management approachThe Standard ‘ISO 9001:2008 Quality management systems – Requirements’ is applicable to all organizations, regardless of type, size and product produced. It may be used for the certification of QMS and may also be the basis for contractual agreements.The revised version of ISO 9004:2009 has been developed to maintain consistency with ISO 9001 and be compatible with other management system standards. Such standards complement each other, but can also be used independently.

ISO 9004 provides guidance to management for achieving sustained success for any organization in a complex, demanding, and ever changing, environment. ISO 9004 provides a wider focus on quality management than ISO 9001; it addresses the needs


23 of 131

and expectations of all interested parties and their satisfaction, by the systematic and continual improvement of the organization’s performance. However, it is not intended for certification, regulatory or contractual use..

ISO 9000 has been developed in parallel with ISO 9001 and ISO 9004 to achieve a coherent terminology in the ISO 9000 Family, ISO 14000 Family and other management standards.

ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing provides guidance on the principles of auditing, managing audit programmes, conducting quality management system audits and environmental management system audits, as well as guidance on the competence of quality and environmental management system auditors.It is applicable to all organizations needing to conduct internal or external audits of quality and/or environmental management systems or to manage an audit programme.ISO 19011 can also be applied for auditing of other management systems.

6 Statutory and Regulatory Requirements

ISO 9001:2008 requires an organization to identify and control the statutory and regulatory requirements applicable to its products (including services). The term ‘Regulatory’ is defined as ‘required, permitted or enacted by a rule or directive passed by an authority’. Orders issued by Regulatory Bodies fall in this category. The term ‘Statutory’ is defined as ‘required, permitted or enacted by a written law passed by a body having the power to make laws’. This distinction makes it clear that legal requirements for products could be based on directives by an authority or through legislative means but both have to be honoured. The organization should demonstrate that the statutory and regulatory requirements applicable to its products / services have been properly identified, maintained and updated. Statutory and Regulatory requirements are however different from are voluntary standards made by National/International Bodies. The distinction between a regulation and voluntary standard lies essentially in the consequence attached to failure in meeting the requirements. Whereas violation of Statutory or


24 of 131

Regulatory requirement could lead to prosecution, seizure, financial penalties etc, failure to meet voluntary standards could lead to loss of business, credibility etc.


25 of 131


SESSION 2B — TERMINOLOGY OF QMS

0 Overview

This session introduces the delegates to some selected terminology relating to Quality Management

1 Quality

The term Quality has many faceted meanings. Many great Gurus in Quality Management have tried to define this word. Many are of the opinion that term refers to experience by the user or customers. Another view is that it refers to fitness for use. Still others feel that it is compliance to requirements.

The focus has been the satisfaction of customers. The ISO 9000:2005 standard defines Quality as “degree to which a set of inherent characteristics fulfill requirements”. Inherent characteristics and requirements refer to customers requirements or requirements in use or even fitness for purpose.

Most people understand and relate to Quality as a degree of excellence. A Rolls Royce car is often regarded as a “quality” car, a Rolex as a “quality” watch, etc. The term is used synonymously with words such as luxurious, upmarket, exclusive, prestigious, etc. This dimension is, however, called “Grade”.

2 Customer satisfaction

Customers require product with characteristics that satisfy their needs & expectations. These needs & expectations are expressed as specification and collectively referred to as customer requirements. Ultimately customer determines the acceptability of the product. The perception of acceptability may cover the stated, declared or specified needs and also the implied needs. An organization has to determine the stated and implied needs to focus towards customer satisfaction. The customers’ perception of the extent to which these needs and expectations have been fulfilled should also be measured by the organization.

3 Quality Policy and Objectives


26 of 131

Quality policy & quality objectives are established by the organization to provide a focus to direct the organization towards customer satisfaction. Both determine the desired results and assist the organization to apply its resources to achieve these results. The quality policy has to provide a framework for establishing and reviewing quality objectives. The quality objectives need to flow out of quality policy and their achievement needs to be measurable. The achievement of quality objectives can have a positive impact on product quality, operational effectiveness and financial performance. Thereby it has an impact on the satisfaction and confidence of interested parties.

4 Top Management

The term “management” refers to people. A person or group of people with authority and responsibility for the conduct and control of an organization is the Management. Top Management is at the highest level in the organization.

Top Management have an important role to play if the organization has to survive and grow. By setting the policies, directions and goals of the organization and by providing the resources needed, Top Management can ensure a steady progress.

5 Quality Management, Quality Control and Quality Assurance

Quality management is to co-ordinate activities to direct & control an organization with regard to quality and achievement of customer satisfaction. Direction and control with regard to quality generally includes establishment of the quality policy & quality objectives, quality planning, quality control, quality assurance and quality improvement.

There is a subtle difference between the term Quality Control and Quality Assurance, which the delegates have to assimilate.

6 Quality Management System

Leading and operating an organization successfully requires managing it in a systematic and visible manner. Success should result from implementing and maintaining a management system that is designed to continually improve the effectiveness and efficiency of the organization’s performance, by considering the needs of interested parties. Managing an organization


27 of 131

includes quality management, among other management disciplines. The general requirement of a quality management system is to establish, document, implement and maintain a system and continually improve its effectiveness in accordance with the requirement of the Standard.

7 Conformity, Non–conformity and Defect

During the course of Quality Control and Quality Assurance, it may happen that products or services may fall short of the specified requirement. The standard requires the organization to take cognizance of the non conformities and act on the same.

The term “defect” is associated with the use of the product or service. The identification of defects and the proper rectification can lead to useful feedback towards development and improvements.

8 Quality documentation

A set of documents like specifications, quality plan, quality manual and record, frequently called documentation, give meaningful data. A quality plan is generally one of the results of quality planning. Quality plan is a document, which specifies the application of various procedures and associated resource. These procedures generally include those referring to quality management processes and to product realization processes.

Quality manual is a document specifying quality management system of an organization. Quality manuals can vary in detail and format to suit the size and complexity of an individual organization.

A document providing evidence of activities performed and results achieved is a record. Records can be used to provide traceability and to provide evidence of verification. The concept of revision control applies to the documents, but not to records.

9 Correction, Corrective action and Preventive action

Correction basically eliminates a detected non-conformity via rework or regrade. Corrective action aims at eliminating the cause of a detected non conformity. Preventive action aims at eliminating the cause of a potential non-conformity.

Corrective action prevents recurrence; whereas, preventive action prevents first time occurrence.


28 of 131


SESSION 2C – REQUIREMENTS OF ISO 9001:2008

0 Overview

This session details the requirements specified in ISO 9001 : 2008

1 General

This International Standard specifies requirements for a quality management system where an organization

a) needs to demonstrate its ability to consistently provide product that meets customer and applicable regulatory requirement, and

b) aims to enhance customer satisfaction through the effective application of the system, including processes for continual improvement of the system and the assurance of conformity to customer and applicable regulatory requirements.

2 The Scope of a Quality Management System

ISO 9001:2008 clause 1 (“Scope”) defines the scope of the standard itself. This should not be confused with the scope of the QMS, which is a term commonly used within the context of QMS certification/registration to describe the products and product realization processes to which the QMS is applied. The remainder of this text will refer to the scope of the QMS.

The scope of the QMS should be based on the nature of the organization’s products and their realization processes, the result of risk assessment, commercial considerations, and contractual, statutory and regulatory requirements. An organisation is not obliged to include all the products that it provides within the scope of its QMS, or to address the realization processes for products that are not included within the QMS.

If an organization chooses to implement a QMS with a limited scope, however, this should be clearly defined in the organisation’s Quality Manual and any other publicly available documents to avoid confusing or misleading customers and end


29 of 131

users (this includes, for example, certification/registration documents and marketing material).

3 Application of ISO 9001:2008

It is intended that organizations seeking to implement ISO 9001:2008 should comply with all the requirements of the standard that are applicable to the products and product realization processes within the scope of the QMS.

However, even when an organization includes all its products and processes in the scope of its QMS, it may be found that some of the requirements of clause 7 of ISO 9001:2008 (“Product realization”) cannot be applied. This could be due to the nature of the organization, or that of its products or realization processes. In such circumstances, the organization would need to limit the application of the requirements of ISO 9001:2008 in accordance with clause 1.2.

Clause 1.2 of ISO 9001:2008 states:-

“1.2 Application

All requirements of this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and product provided.

Where any requirement(s) of this International Standard cannot be applied due to the nature of an organization and its product, this can be considered for exclusion.

Where exclusions are made, claims of conformity to this International Standard are not acceptable unless these exclusions are limited to requirements within clause 7, and such exclusions do not affect the organization’s ability or responsibility, to provide product that fulfils customer and applicable regulatory requirements.”

It should be noted that clause 1.2 of ISO 9001:2008 is not intended to apply only to entire clauses; there may be circumstances where specific requirements within one of the sub-clauses 7 are applicable, whilst others can be excluded. An


30 of 131

example would be within sub-clause 7.5.3, where traceability requirements may be considered for exclusion but not the requirements regarding identification.

4 Justification of exclusions

Where an organization finds that it is necessary to limit the application of the requirements of ISO 9001:2008, this must be defined and justified in the organization’s Quality Manual. As with the case of a reduced scope of the QMS, the application of ISO 9001:2008 requirements must also be clear in any other publicly available documents, such as certification/registration documents or marketing materials, to avoid confusing or misleading customers and end users.

Clause 4.2.2 (a) of ISO 9001:2008 (“Quality Manual”) requires that:

“The organization shall establish and maintain a quality manual that includes the following:

a) the scope of the quality management system, including details of and justification for any exclusions (see 1.2);...”

5 Requirements that may not be excluded, and claims of conformity

If an organization excludes from its QMS ISO 9001:2008 requirements that do not meet the criteria established in clause 1.2 (“Application”), then conformity to ISO 9001:2008 may not be claimed, or implied. This includes the following situations.

Where an organization fails to comply with the requirement in clause 4.2.2 (a), (“Quality Manual”) to provide justification for the exclusion of specific clause 7 (“Product realization”) requirements.

Where requirements in clause 7 have been excluded because they are not required by regulatory bodies, but this affects the organization’s ability to meet customer requirements.

6 Subcontracted or “Outsourced” processes

Where the overall responsibility for product realization belongs to an organization, the fact that a specific product realization process (such as product design and development or


31 of 131

manufacturing) is outsourced or subcontracted to an external organization is not an adequate justification for the exclusion of this process from the QMS. Instead, the organization must be able to demonstrate that it exercises sufficient control to ensure that such processes are performed according to the relevant requirements of ISO 9001:2008. The nature of this control will depend on the nature of the outsourced or subcontracted process and the risk involved. It may include, for example, the specification and/or validation of processes as part of the contractual agreement with the supplier, requirements for the supplier’s QMS, shared controls, on-site inspections or verifications, and/or audits. Clause 7.4 of ISO 9001:2008 (“Purchasing”) must be used to monitor the output of these outsourced or subcontracted processes.

In these circumstances, the organization should include such processes in the scope of its QMS and make it clear in its Quality Manual and any other publicly available documents that the QMS covers the management of these outsourced or subcontracted activities for which the organization retains overall responsibility.

7 Regulated industries and other regulatory situations

For organizations with products or realization processes that are subject to regulation, it must be emphasized that where a regulatory body allows the organization to exclude requirements of ISO 9001:2008 beyond those exclusions permitted in clause 1.2 of the standard, and the organization chooses to make those exclusions, conformity to ISO 9001:2008 must not be claimed.


32 of 131


SESSION 2D — DOCUMENTATION FOR ISO 9001 : 2008

0 Overview

This session introduces the delegates to the documentation requirements of ISO 9001 standard.

1 Introduction

Two of the most important objectives in the year 2000 revision of the ISO 9000 series of standards were

a) to develop a simplified format that will address small as well as medium and large organizations, and

b) the amount and detail of documentation required should be relevant to the desired results of the organization’s process activities.

ISO 9001:2008 (“Quality management systems - Requirements”) has achieved these objectives, and the purpose of this text is to explain the intent of the new standard with specific regard to documentation.

ISO 9001:2008 allows an organization flexibility in the way it chooses to document its quality management system (QMS). This enables each individual organization to develop the minimum amount of documentation needed in order to demonstrate the effective planning, operation and control of its processes and the implementation and continual improvement of its QMS.

It must be stressed that ISO 9001 requires (and always has required) a “Documented quality management system”, and not a “system of documents”.

2 What is a “document”? - Definitions and references

According to ISO 9001:2008 clause 4.2 (“Documentation requirements”) documents may be in any form or type of medium, and the definition of “document” in ISO 9000:2005 clause 2.7.2 gives the following examples:


33 of 131

– paper (“hard copy”)

– magnetic

– electronic or optical computer disc

– photograph

– master sample

Students are also referred to ISO/TR 10013 (“Guidelines for quality management systems documentation”) for further guidance.

3 ISO 9001:2008 Documentation Requirements

Clause 4.1 of ISO 9001:2008 (“General Requirements”) requires an organization to “establish, document, implement, maintain and continually improve the effectiveness of a quality management system in accordance with the requirements of this International Standard”

Clause 4.2 “Documentation requirements” explains that the quality management system documentation shall include:

a) documented statements of a quality policy and quality objective;

b) a quality manual

c) documented procedures and records required by the standard

d) documents including records determined by the organization to be necessary to ensure the effective planning, operation and control of its processes;

The notes after Clause 4.2 make it clear that where the standard specifically requires a “documented procedure”, the procedure has to be established, documented, implemented and maintained. A single document may address the requirements for one or more procedures. A requirement for a documented procedure may be covered by more than one document. It also emphasizes that the


34 of 131

extent of the QMS documentation may differ from one organization to another due to:

– size of organization and type of activities;

– complexity of processes and their interactions;

– competence of personnel.

All the documents that form part of the QMS must be controlled in accordance with clause 4.2.3 of ISO 9001:2008, or, for the particular case of records, according to clause 4.2.4.

4 Guidance on Clause 4.2 of ISO 9001:2008

a) Quality Policy and Objectives:

– Requirements for the quality policy are defined in clause 5.3 of ISO 9001:2008. Because the quality policy is a document, it must be controlled according to the requirements of clause 4.2.3.

– Requirements for the quality objectives are defined in clause 5.4.1 of ISO 9001:2008. They are also subject to the document control requirements of clause 4.2.3.

b) Quality Manual:

– Clause 4.2.2 of ISO 9001:2008 specifies the minimum content for a quality manual. The format of the manual is a decision for each organization, and will depend on the organization’s size, culture and complexity.

– A small organization may find it appropriate to include the description of its entire QMS within a single manual, including all the documented procedures required by the standard.

– Large, multi-national organisations may need several manuals at the global, national or regional level, and a more complex hierarchy of documentation.


35 of 131

c) Documented procedures:

– ISO 9001:2008 specifically requires the organisation to have “documented procedures” for the following six activities:

– 4.2.3 Control of documents

– 4.2.4 Control of quality records

– 8.2.2 Internal audit

– 8.3 Control of nonconformity

– 8.5.2 Corrective action

– 8.5.3 Preventive action

– Some organisations (particularly larger organisations, or those with more complex processes) may require additional documented procedures in order to implement an effective QMS.

– Other organizations may require additional procedures , but the size and/or culture of the organization could enable these to be effectively implemented without necessarily being documented.

– In order to demonstrate compliance with ISO 9001:2008, however, the organization must be able to provide objective evidence that its QMS has been effectively implemented.

d) Documents required by the organization to ensure the effective planning, operation and control of its processes;

– In order for an organization to demonstrate the effective implementation of its QMS, it may be necessary to develop documents other than documented procedures. However, the only documents specifically mentioned in ISO 9001:2008 are:


36 of 131

– Quality policy (clause 4.2.1a)

– Quality objectives (clause 4.2.1a)

– Quality manual (clause 4.2.1b)

– There are several requirements of ISO 9001:2008 where an organization could add value to its QMS and demonstrate conformity by the preparation of other documents, even though the standard does not specifically require them. Examples may include:

– Organization charts

– Internal communications

– Production schedules

– Approved supplier lists

– Quality plans

e) Records

– There are records specifically required by ISO 9001:2008. These are indicated in the respective clauses.

– Organizations are free to develop other records that may be needed to demonstrate conformity of their processes, products and quality management system.

– Requirements for the control of records are different from those for other documents, and all records must be controlled according to clause 4.2.4 of ISO 9001:2008.

5 Organizations wishing to adapt an existing QMS

– An organization with an existing QMS should not need to rewrite all of its documentation in order to meet the requirement of ISO 9001:2008. This is particularly true if an organization has structured its QMS based on the way it effectively operates,


37 of 131

using a process approach. In this case, the existing documentation may be adequate and can be simply referenced in the revised quality manual.

– An organization that has not used a process approach in the past will need to pay particular attention to the definition of its processes, their sequence and interaction, and it may be appropriate to document these as process maps. It must be emphasized, however, that documented process maps are not a requirement of ISO 9001:2008.

– Because ISO 9001:2008 is flexible in terms of documentation, an organization may be able to carry out some streamlining and/or consolidation of existing documents, in order to simplify its QMS.

6 Organizations preparing to implement a QMS

– For organizations that are in the process of implementing or have yet to implement a QMS, ISO 9001:2008 emphasizes a process approach. This includes:

– determining the processes necessary for the effective implementation of the quality management system

– understanding the interactions between these processes.

– documenting the processes to the extent necessary to assure their effective operation and control.

– These processes include the management, resource, product realization and measurement processes that are relevant to the effective operation of the QMS.

– Analysis of the processes should be the driving force for defining the amount of documentation needed for the quality management system, taking into account the requirements of ISO 9001:2008. It


38 of 131

should not be the documentation that drives the processes.

7 Demonstrating compliance with ISO 9001:2008

– In order to claim conformity with ISO 9001:2008, the organization must provide objective evidence of the effectiveness of its processes and its quality management system. This may not necessarily depend on documented procedures or records, except where specifically mentioned in ISO 9001:2008.

– Organizations (and in particular small organizations) may be able to demonstrate compliance without the need for extensive documentation.


39 of 131


SESSION 3A — CERTIFICATION AND ACCREDITATION

0 Overview

This session explains the Accreditation, Certification and Registration processes. It also explains the role of IRCA and NABET in auditor registration.

1 Accreditation

Accreditation reduces risk for business and its customers by assuring them that accredited certification bodies are competent to carry out the work they undertake. ISO 17021 has laid down acceptable norms as a standard applicable for accreditation of certification bodies. This sets the ground-rules for mutual recognition amongst accreditation bodies, and also provides confidence to the customer of the company who gets certified by an accredited certification agency. The European Norme EN45000 has also been a set of standards for the same purpose. Its reference here is only for the sake of continuity from the earlier standards.Within India, the Quality Council of India, oversees four accreditation boards:1. National Accreditation Board for Certification Bodies

(covers Management Systems and Product Certification Bodies, Inspection Bodies)

2. National Accreditation Board for Laboratories (covers testing and calibration laboratories)

3. National Accreditation Board for Education and Training (covers personnel certification, registration of training courses, accreditation of schhols)

4. National Accreditation Board for Hospitals and Health Services (covers Hospitals, Blood Banks)

This Council also oversees the National Information Enquiry Service and a National Quality Campaign.In the United Kingdom, the UKAS (United Kingdom Accreditation Service) also oversees accreditation of certification agencies for Quality Management and Environment Management Systems, Laboratories and test


40 of 131

houses, and Quality and Environment Management Personnel. This is a private organisation, and is the only national level body offering accreditation services.In Germany, the TGA is the accreditation board for certification bodies for Quality Management Systems, and this accredits certification bodies operating in Germany. DQS and TUV are two of the agencies from Germany operating in India.

In the United States, accreditation is offered by two agencies: ANSI-ASQ Accreditation Board and ANSi

The ANSI-ASQ National Accreditation Board provides accreditation services under the ACLASS and ANAB brands.

Under the ACLASS brand, the organization accredits ISO/IEC 17025 testing and calibration laboratories, ISO/IEC 17020 inspection bodies, and ISO Guide 34 reference material producers.

Under the ANAB brand, the organization is the U.S. accreditation body for management systems and accredits certification bodies

American National Standards Institute (ANSI) grants accreditation for Product Certification Bodies

The auditor certification and auditor training provider programs are operated by RABQSA International

In most cases accreditation granted to a certification agency is for a scope of products/processes/services only. During selection of a certification agency, consideration needs to be given to this aspect. There is no legal limitation to a certification agency issuing a non-accredited certificate where the scope of business is not included in their scope of accreditation. Onus to find this information rests with the company seeking certification. The certificate issued by some of these certification bodies show a distinction between an accredited and a non-accredited certificate.

The International Accreditation Forum (IAF) is a global association of Accreditation Bodies, Certification Body


41 of 131

http://www.aclasscorp.com/

http://www.rabqsa.com/

http://www.ansi.org/

Associations and other organisations involved in conformity assessment activities in a variety of fields including management systems, products, services and personnel.

Accreditation bodies which are members of IAF are required to operate at the highest standard and require the bodies they accredit to comply with appropriate international standards. Certificates issued by bodies accredited by members of the IAF Multilateral Recognition Arrangement (MLA) are relied upon all over the world because the MLA assures customers that the certificate is credible.

Accreditation body members of IAF are admitted to the MLA only after stringent evaluation of their operations by a peer evaluation team. It is the responsibility of this team to assess that the applicant member complies fully with both the international standards and IAF guidelines.

Once an accreditation body is amember of the MLA it is obligated to recognise the competence and impartiality of accreditations of Conformity Assessment Bodies by all other members of the MLA.

IAF has granted Special Recognition to the MLA programs of four Regional Accreditation Groups, the European co-operation for Accreditation (EA), the Pacific Accreditation Cooperation (PAC) the InterAmerican Accreditation Cooperation (IAAC) and Southern African Development Community in Accreditation (SADCA ) on the basis of the acceptance of the mutual recognition arrangements established within these organisations.

IAF has a membership of more than 50 Accreditation bodies.

Laboratory accreditation is the third essential leg of accreditation, and in India, the NABL (National Accreditation Board for Laboratories) presently under the Department of Science and Technology, but eventually to get linked to QCI is in place already to provide this service. A list of accredited laboratories is available from them with defined scope, which can help identify laboratories in proximity to companies seeking assistance in testing and calibration with traceability to national standards.


42 of 131

http://www.compad.com.au/cms/iaf/articles/111

2 Certification

A certification body is an organisation which sets itself up as a supplier of product or process certification against established specifications or standards. In the case of Quality Systems this is generally related to ISO 9000 series. There are also some industry sectors which have supplementary criteria agreed by the industry, e.g. ISO 9000-3 in case of computer software industry.

A certificate issued by a certification body attests that the assessed organisation is operating a Quality System compliant with given standards.

3 Re-assessment and Re-Certification

ISO 17021 requires that Quality System certification be re-assessed at periodic which includes surveillance audits in the first and second years, and a recertification audit in the third year prior to expiration of certification. The three-year certification cycle begins with the certification or recertification decision.

The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and its continued relevance and applicability for the scope of certification.

The recertification audit shall consider the performance of the management system over theperiod of certification, and include the review of previous surveillance audit reports.

Recertification audit activities may need to have a stage 1 audit in situations where there havebeen significant changes to the management system, the client, or the context in which the management system is operating (e.g. changes to legislation)

4 Registration

4.1 IRCA 602 : Criteria for Certification as a Quality Auditor

The general requirements for a Quality System Auditor set by the IRCA Criteria are:


43 of 131

Secondary education awarded by an institution, recognized by a national governmental body or accredited by a national professional body, or degree

Successful completion of an IRCA certified ISO 9001:2008 Auditor/ Lead Auditor course (or an acceptable alternative)

Four years work experience minimum Two years experience in quality related work

4.2 The Registration Requirements

The registration requirements for five grades of auditors, i.e. QMS 2008 Provisional Auditor QMS 2008 Auditor QMS 2008 Lead Auditor QMS 2008 Principal Auditor Internal Auditor

are given in IRCA/602 by the International Register of Certificated Auditors, London.

This document defines: Provisional Auditor as a person who meets all the

requirements for registration, except for assessment experience.

Auditor as one who is qualified and is authorised to perform all or any portion of a quality system assessment.

Lead Auditor as one who is qualified and is authorised to manage a quality system assessment.

Principal Auditor - same as Lead Auditor, except it is held by persons who are independent, such as consultants

Registration requirements are based upon:

Educational Qualification Training


44 of 131

Work Experience Assessment Experience

A copy of IRCA/602 has been provided in your delegate kit.

4.3 The Auditor’s Log

The auditor is required to maintain a log of audits on a form provided by the IRCA. The Lead Auditor should arrange for the management representative of the auditee organisation to sign all auditor’s logs at the end of the closing meeting. The auditee may raise any concerns regarding the performance of auditors with the IRCA. The audit log gives the information necessary for the auditee to take such action.

4.4 Code of Conduct

All auditors are expected to comply with a code of conduct which emphasises the need for professionalism, confidentiality and behaviour which will harm neither the auditor’s company nor the IRCA’s public image. Any breach of this should be reported by the auditee to the IRCA. The UKAS also monitors auditor performance and this includes compliance with the code of conduct. The Code of Conduct is given in Appendix III of IRCA 602 - reproduced in 6 below)

4.5 Audit Principles

Auditing is based on five principles. It is a prerequisite to adhere to these principles for providing audit conclusions that are relevant to the management policies & control, thus providing information upon which the organization can act to improve performance. The principles also help reaching similar conclusions under similar circumstances.

The 5 Principles are :

1) Ethical Conduct : (Trust, integrity, confidentiality & discretion)

2) Fair Presentation : (Audit findings, audit conclusions & audit reports to be accurate & truthful. Unresolved diverging opinions & significant


45 of 131

obstacles between audit team & auditee to be reported)

3) Due Professional care : Diligence & judgement in auditing

4) Independence : The basis for impartiality & objectivity of audit conclusion

5) Evidence based Approach : The rational method when audit findings & conclusions are based on audit evidence (verifiable & based on appropriate sampling)

4.6 UKAS / NABCB Witnessing

The UKAS and NABCB as part of their role in monitoring Certification Bodies, witness assessments and when doing so study the practices of the auditors. They are concerned with such points as: Coverage of the standard both on assessment and

surveillance Keeping to the programme Knowledge of the clients Quality System Relevance of auditor’s experience Questioning skills How the auditor selects samples Handling unforeseen or difficult situations Raising non-compliances Number of company staff interviewed

6 IRCA Code of Conduct

It is a condition of IRCA certification that all certified auditors comply with the following:

1. To act in a strictly trustworthy and unbiased manner in relation to both the organization to which you are employed, contracted or otherwise formally engaged (the audit organization) and any other organization involved in an audit performed by you or by personnel under your direct control.


46 of 131

2. To disclose to your employer any relationships you may have with the organization to be audited before undertaking any audit function in respect of that organization.

3. Not to accept any inducement, gift, commission, discount or any other profit from the organizations audited, from their representatives, or from any other interested person nor knowingly allow personnel for whom you are responsible to do so.

4. Not to disclose the findings, or any part of them, of the audit team for which you are responsible or of which you are part, or any other information gained in the course of the audit to any third party, unless authorized in writing by both the auditee and the audit organization to do so.

5. Not to act in any way prejudicial to the reputation or interest of the audit organization.

6. Not to act in any way prejudicial to the reputation, interests or credibility of IRCA.

7. In the event of any alleged breach of this code, to co-operate fully in any formal enquiry procedure.

7 Criteria for QMS Auditor Registration with NABET

Quality Council of India is the top level body responsible for formulating the strategy, general policy and related issues, constitution and monitoring of various components of QCI including the accreditation boards to ensure a transparent accreditation system, monitoring the progress of activities & appeal mechanisms set by the respective boards. Second level bodies are the executive bodies (board/committees) that implement the strategy, policy and operational guidelines set by the Quality Council of India with a view to achieve international acceptance and recognition of various components including the accreditation systems.


47 of 131

Each Board has a Chairman and a representative voluntary group of stakeholders who monitor the activities and progress of their respective Boards. Each Board has a panel of trained Assessors who evaluate applicants by review of documents and / or by site visits. Chairman of the respective Board grants accreditation based on the recommendation made by the evaluation committees, after review of the reports of assessors.

NRBPT is offering the scheme for Registration of QMS (ISO 9001:2008) Auditors. This scheme has been prepared based on International Personnel Certification Association (IPC) Guidance so as to bring it in uniformity with the global requirements. Local Requirements have also been kept into consideration while formulating the scheme.As part of the Registration Process, the applicant will be evaluated against requirements which reflects the key skills, knowledge and experience that define competence and which a QMS 2008 Auditor need to have and demonstrate during an Audit.Registration under this scheme is available, without restriction, to all applicants who satisfy the registration


48 of 131

requirements. The scope of registration is general, i.e. it does not include nor does it require any industry sector specific competencies. For further details one may log on to www.qcin.org.


49 of 131


SESSION 3B – ROLE OF IRCA & AUDITOR CERTIFICATION AND COMPETENCE & EVALUATION OF AUDITORS

0 Overview

This session explanes the Competence and Evaluation of Auditors

1 Compliance

A competent Auditor is one who demonstrates personal attributes (as tested below) and the ability to apply the appropriate generic & specific knowledge & skill gained thorough education, work experience, auditor training & audit experience.The concept of competence is illustrated below.

2 Personal Attributes:

a) An auditor needs to possess the following personal attributes:

b) ethical, i.e. fair, truthful, sincere, honest and discreet


50 of 131

c) open-minded, i.e. willing to consider alternative ideas or points of view

d) diplomatic, i.e. tactful in dealing with peoplee) observant, i.e. actively aware of physical surroundings

and activitiesf) perceptive, i.e. instinctively aware of and able to

understand situationsg) versatile, i.e. adjusts readily to different situationsh) tenacious, i.e. persistent and focused on achieving

objectivesi) decisive, i.e. reaches timely conclusions based on

logical reasoning and analysisj) self-reliant, i.e. acts and functions independently while

interacting effectively with others

3 Generic knowledge & skills of auditors:

Auditors should possess the generic knowledge & skills in the following areas:(i) Audit principle, procedures & techniques.

- To apply the same- To plan & organize- Time management- Prioritize

- Collect information through effective interviewing, listening, observing & receiving documents, records, data.

- Appropriateness & consequences of using sampling techniques.

- Verifying accuracy of collected information.- Adequacy & reliability of audit evidence to support

audit findings & conclusions.- Prepare audit report.


51 of 131

- Confidentiality- Communicate effectively.

(ii) Comprehend scope of audit & apply audit criteria.- Application of management system- Knowledge of student- Interaction between various processes- Application of reference documents- Document control procedures

(iii) Organizational situations- Organizational size, structure, functions- General business processes- Cultural aspects

(iv) Applicable laws, regulations & other requirements.- Codes, laws, regulations- Contracts, agreements- International treaties & conventions

4 Specific knowledge & skills of QMS Auditors

(i) Quality related methods & techniques:- Quality terminologies- Principles & application- Quality tools & techniques

(ii) Process & products / services- Sector specific terminology- Technical characteristics- Specific process & practices

5 Generic knowledge & skills of Lead Auditors


52 of 131

Over & above the generic & specific knowledge & skills required by Auditors, Lead Auditors should be able to:- Plan the Audit- Utilize resources effectively- Communication- Guide auditors in learning- Lead the team towards Audit conclusions.- Prevent & resolve conflicts.- Audit reports.

6 Education, Work Experience, Auditors Training & Audit Experience of Auditors.

Education to provide the generic & specific knowledge & skills Work experience in a technical, managerial & / or professional position involving judgment, problem solving, communication. This may be in the field of :- Quality Management- Completion of Auditor Training- Audit experience as an Audit Team Member.

7 Education, Work Experience, Auditor Training & Audit Experience of Lead Auditors.

Additional Audit Experience required to be gained while acting in the role of an Audit Team Leader under the direction & guidance of another Auditor who is competent as an Audit Team Leader. Depending on the Audit programme higher or lower level trainings for Auditors & Lead Auditors may be appropriate.

8 Maintenance & improvement of competence

This is done through continual professional development & maintenance of Auditing ability. Continual professional development.

– This is concerned with maintenance & improvement of knowledge, skills & personal attributes. This can be


53 of 131

achieved through additional work experience, training, private study, coaching, attending conferences and seminars and others.

Maintenance of auditing ability– Through regular participation in audits.–

9 Auditors Competence evaluation

This process is planned, implemented & recorded in accordance with the audit programme procedures. The evaluation process should identify training & others skills enhancement needs. The process occurs at the following different stages:

- Initial evaluation- Evaluation as part of the audit team selection

process- Continual evaluation & identification of training &

skill

10 The Competence Evaluation Process

The 4 main stages are:(1) Identifying the personal attributes & the knowledge & skills to meet the needs of the Audit Programme(2) Setting the evaluation criteria

- Years of work experience- Education - No. of audits- Auditors training hours

(3) Selecting the appropriate evaluation method (refer to page 30 of ISO 19011:2002).

Some methods of evaluation are listed below:(i) Review of records


54 of 131

(ii) Interview(iii) Testing(iv) Post audit review(v) Positive or negative feedback(vi) Observation

(4) Conducting the evaluationCollect information about the person & compare against

the criteria set. In case, a person does not meet the criteria, additional training, work & / or audit experience may be required following which there should be a re-evaluation.


55 of 131


SESSION 3C — INTRODUCTION TO AUDITING

0 Overview

This session introduces the management of an audit programme & the stages of Audit activities with focus on document review.

1 Quality Audit – What is it?

ISO 9000:2005 defines Audit as: Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled

Notes:1. The Quality Audit typically applies, but is not

limited, to a quality system or elements there of, to process, to product, or to services. Such audits are often called “quality system audits”, “process quality audits”, “product quality audit”, “service quality audit”.

2. Quality Audit are carried out by staff not having direct responsibility in the areas being audited but, preferably, working in cooperation with the relevant personnel.

3. One purpose of a quality audit is to evaluate the need for improvement or corrective action. An audit should not be confused with “surveillance” or “inspection” activities performed for the sole purpose of process control or product acceptance.

4. Quality Audits can be conducted for internal or external purposes.

Quality audits are to determine compliance with the requirement specified in the documented Quality System, which in turn should meet the requirements defined in: the Quality System Standard the Contract


56 of 131

relevant legislation.

1.1 Quality Audit – What it is not?

The quality audit is NOT an alternative to an inspection operation and CANNOT serve as a crutch to an ineffective inspection or Quality System.

The quality audit is a fact-finding process used to determine the suitability of and conformity to, the various Quality System elements or requirements associated with the overall organization or company, elements of that organization, its products, service, or process output, etc. When evaluating inspection or test activities, it must be concerned with both accept and reject decisions; however, an audit must not be concerned with making these actual decisions.

The quality audit should not be involved in carrying out any verification activities leading to the actual acceptance or rejection of the product or service. It should be involved with the evaluation of the process and controls covering the production and verification activities.

1.2 Need for Quality Audit

The Quality System of any organization is an integrated programme of activities introduced by management usually in accordance with the requirements of Quality System Standard. Management therefore must have some means of determining the effectiveness of the system in existence and identifying areas requiring correction or improvement.

The Quality Audit is a management tool for determining the effectiveness of a Quality System. The Quality System may be that of the management’s own organization, a potential supplier, an existing supplier, or an independent organization.

The results of the audit provide an assessment of the adequacy of the existing system. They can provide a benchmark against which system improvements can be developed and evaluated.


57 of 131

Quality audits provide objective evidence to the management of the organization being audited and of the organization requesting the audit about the suitability, conformity to requirements and effectiveness of the various elements of the Quality System.

1.3 The relevance of ISO 19011:2002

This standard addresses the staffing, performance and conduct of an audit. All auditors should be aware of its content. The main roles in an audit are defined thus:Auditor

A person who has the competence to conduct an quality audits.Note : To perform a quality audit, the auditor must be

authorised for that particular audit. An auditor designed to manage a quality audit is called a ‘Lead Auditor’.

Client

A person or organisation requesting the auditNote : The Client may be:

(a) The auditee wishing to have its own quality system audited against some quality system standard;

(b) A customer wishing to audit the quality system of a supplier using his own auditors or a third party;

(c) An independent agency authorised to determine whether the quality system provides adequate control of the products or services being provided (such as food, drug, nuclear or other regulatory bodies);

Auditee

An organisation to be auditedAudit team :

One or more auditors conducting an audit supported if needed by technical experts.


58 of 131

Technical Experts :

A person how provides specific knowledge or expertise to the audit team.

1.4 The Audit Party

Each auditing party may consist of: the auditor the nominated guide the manager or supervisor of the area or

department being visited technical experts or observers accompanying the

auditing party

The normal role of the guide is to conduct the auditors from department to department and introduce them to the managers and supervisors responsible for the various activities. Unless, as sometimes happens in the case of a small company, the guide is one of the senior managers, the guide should not be regarded by the auditors as a source of authoritative information about the functioning of the Quality System.

If anyone is joining the audit party as an observer, it should only be with the Lead Auditor’s agreement. The Leader Auditor should make it clear that the observer is not to take part in the audit in any way.

2 Stages of Audit

In accordance with ISO 17021, there are two Stages of Audit – Stage 1 and Stage 2. The main activities under the two Stages are given as under :

2.1 Stage 1 Audit:

a) to audit the client's management system documentation (Documentation Review)

b) to evaluate the client's location and site-specific conditions and to undertake discussions with the client's personnel to determine the preparedness for the stage 2 audit;


59 of 131

c) to review the client's status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;

d) to collect necessary information regarding the scope of the management system, processes and location(s) of the client, and related statutory and regulatory aspects and compliance (e.g. quality, environmental, legal aspects of the client's operation, associated risks, etc.);

e) to review the allocation of resources for stage 2 audit and agree with the client on the details of the stage 2 audit;

f) to provide a focus for planning the stage 2 audit by gaining a sufficient understanding of the client's management system and site operations in the context of possible significant aspects;

g) to evaluate if the internal audits and management review are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for the stage 2 audit.

For most management systems, it is recommended that at least part of the stage 1 audit be carried out at the client's premises in order to achieve the objectives stated above.

Relevant management system documents, including records, from the auditee, including any previous audit reports, should be reviewed to determine the conformity of the system components or processes, as documented, with audit criteria. The review, by the audit team leader or by one or more auditors assigned by the audit team leader, should take into account the size, nature and complexity of the organization, and the objectives and scope of the audit. If the auditee’s management system documentation is found to be inadequate, such that it is not commensurate with the audit scope or criteria, the audit client, those responsible for managing the audit


60 of 131

programme and the auditee should be informed. Audit programme can proceed only after resolving these concerns.

Stage 1 audit findings shall be documented and communicated to the client, including identification of any areas of concern that could be classified as nonconformity during the stage 2 audit.

2.1.1 Documentation Review (Adequacy Audit)

Documentation Review (Adequacy audit) is usually carried out) as a first step of the assessment process. The purpose of Documentation Review is to establish the extent to which documented Quality System meets the requirements of Quality System Standard e.g. ISO 9001.

Normally an adequacy audit is a desk-top exercise and can be conducted ‘off-site’. Some certification bodies prefer to conduct documentation review ‘on-site’ for the following reasons :

(i) Access to entire documentation is possible. If the review is done away from the site, the supplier organisation may be sending only Quality Manual as other documents may contain proprietary/confidential information.

(ii) Some of the issues emerging out of documentation review may require clarification from the auditee. On-site review gives immediate answer to such issues while some time would be required for resolution of these issues in case of off-site documentation review.

Besides compliance to the ISO 9001 requirements, an auditor also checks the clarity of documentation, consistency in procedures and cross-linkages between different documents (both horizontal, i.e. between one procedure and another; and vertical, i.e. between one level of document to the next level of document).

Two approaches may be adopted for Documentation review :


61 of 131

(i) Pick-up a clause/requirement of ISO 9001 and look for which documents addresses/covers this requirement.

(ii) Pick-up a document and check which clause of ISO 9001 it addresses.

Irrespective of the approach, a documentation review matrix may be used to ensure the completeness of the review.

2.2 Stage 2

The purpose of the stage 2 audit is to evaluate the implementation, including effectiveness, of the client's management system. The stage 2 audit shall take place at the site(s) of the client. It shall include at least the following:

a) information and evidence about conformity to all requirements of the applicable management system standard or other normative document;

b) performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document);

c) the client's management system and performance as regards legal compliance;

d) operational control of the client's processes;

e) internal auditing and management review;

f) management responsibility for the client's policies;

g) links between the normative requirements, policy, performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document), any applicable legal requirements, responsibilities, competence of personnel, operations, procedures, performance data and internal audit findings and conclusions


62 of 131

3. Process Approach to Auditing

The process approach concept must be so well understood by auditors that they are not limited by the terminology in the standard; however, auditees may use their own “in-house” terminology. Auditors must be aware that the application of the process approach will be different from organisation to organisation, depending on the size and complexity of the organisation and its activities. Special consideration should be given to the situation in small and medium enterprises (SME’s), so that auditors should not expect so many processes in their QMSs.

If an auditee cannot distinguish between the concepts of a process and an activity, the auditor can briefly explain the differences by using the guidance (clause 2.4) and definition ((3.4.1) in ISO 9000:2005 as background information. The auditor must be able to adapt to the auditee’s situation. It is the auditor’s responsibility to understand the auditee’s systems and approach

During the audit, the auditor should determine whether there is a problem of difference of terminology only, or whether there is a lack of real implementation of the process approach by the auditee. There may be a need to issue an NCR if the auditee is not fully implementing the requirements stated in ISO 9001:2008, Clause 4.1. If this is simply a terminology problem, there should be no need to issue an NCR, if all the requirements of in Clause 4.1 are satisfied.

If the auditee does not understand that a process must have defined (but not necessarily measurable) objective(s), input(s), output(s), activities, and resources, the auditor should try reformulating the questions to the auditee avoiding the use of QM jargon, e.g. Can you explain to me your operations here? What are the basic jobs carried out in your department? What information do you need to start your work? Where does it come from? Who receives the result of your work? How do you know if you’ve done your job correctly? etc..

This should help the auditor to establish whether the processes (as per ISO 9001: 2008) are already defined, have clear inputs, outputs, objectives and so on.


63 of 131

If after applying the audit techniques outlined above, there is an absence of any records or other proof to demonstrate that the processes are analysed, and/or monitored, and/or measured, and/or improved, there would appear to be non-conformity with part of ISO 9001:2008 Clause 4.1.


64 of 131


SESSION 3D – AUDIT RESPONSIBILITIES

0 Overview

This session examines the roles & responsibility of auditors, lead auditors, auditee, guidence & observers

1 The Role of the Lead Auditor

The Lead Auditor is responsible for all aspects of the audit. This responsibility includes: Negotiating the audit scope (3rd party/2nd party) Selecting the audit team Directing the audit team members Planning the audit & make effective use of

resources Representing the team Managing the team The preparation of the report Lead the audit team to reach audit conclusions Control of the opening and closing meetings Submission of the report Audit records Review of the audit team’s work Prevent & resolve conflictsAt the same time, the Lead Auditor also carries out the duties of an auditor.

2 The Role of the Auditor

The auditor is responsible to the Lead Auditor for an allocated segment of the audit programme. This includes:

Communicating audit requirements to the auditee Auditing in accordance with the relevant checklists


65 of 131

Where time permits, examining discovered areas of concern

Documenting observations Recording evidence Verifying the effectiveness of the Quality System Reporting results to the Lead Auditor Co-operating with and assisting the Lead AuditorAbove all, the auditor exercises judgement on the compliance, implementation and effectiveness of the Quality System.

The auditor’s job is to assess the quality system and not to advise on how it may be improved, thus the auditor is not acting as a consultant. He should not offer opinions or suggest that there may be better ways of doing things. However if specified by audit objectives, audit conclusions can lead to recommendations regarding improvements. An auditor who has acted as a consultant to an organisation cannot be a member of the certification audit team assessing that organisation.

QMS auditor should additionally have knowledge on - quality technology- quality management principles & their application- quality management tools & their application

3 The Role of the Auditee

Before the audit activity begins:1. Select auditing agency, based on experience,

accreditation in countries of interest and reputation.2. Liaise with auditing/certifying agency to provide

required information (verbal and written)3. Agree on scope for audit and the nominated team.4. Agree on suitable dates for the audit activity and sites to be visited.


66 of 131

During the pre-audit visit or through other means of communication :1. agree to provide guides and prepare them for that

role2. agree to provide logistic assistance during audit3. provide any information required by the auditors,

relevant to scope and the quality management system

4. agree on those who will attend the opening and closing meetings

5. agree to inform all staff regarding the audit6. seek clarifications regarding audit procedures7. provide logistic support during pre-audit visit

During the audit1. provide office facilities for opening and closing

meetings, and also for liasion meetings of auditors amongst themselves

2. provide guides3. witness any observations4. seek clarifications, in case observations, attributions

or explanations of the auditors are not clearly understood

5. ensure relevant people from management are punctual for all meetings

6. inform management of any major non-conformances observed by the auditors

7. Cooperate with the auditors8. agree to non-conformances and commit to timely

corrective actions

Post – audit1. propose time-bound corrective actions, and seek

agreement of auditors (in case required)2. initiate and identify causes for the non-conformity3. identify the counter-measure/corrective action on

the causes of the non-conformity


67 of 131

4. implement the corrective action5. verify the effectiveness of the actions, through

Internal Audits6. inform auditors about satisfactory completion of

corrective actions

4 Guide to the Guide

The Audit team consists of Auditors, Guides and Observers. Guides are required in an audit as the auditors are not familiar with the organisation and they may not be aware of the contact persons. The company, on request of auditors, arrange for guides. The request must be sent by the Lead Auditor during preparation phase and reconfirmed in the opening meeting. The following guidelines may help select the guide by the company and to explain the role of guides in audit :

Guides must have detailed knowledge of the quality systems operating in the area

Guides must understand company’s policy and operating procedures

Guides should never volunteer opinions Acknowledge not knowing an answer Good knowledge of the standard is generally useful Witness to the observation in Non-conformance

report may be done by the guide Tactful and courteous Build a rapport with the auditor Never argue with the auditor Be brief and precise Auditors should find non-compliances, it is not the

responsibility of guides to supply them

5 Roles & Responsibilities of Guides & Observers

Guides and observers should not in any way interfere with the conduct of the audit. They assist the audit team


68 of 131

& act on request of the audit team leader. In addition to this they

Establish contacts & interview timings Organize visits to the areas to be audited Ensure that safety rules are followed by the audit team Witness the audit on behalf of the auditee Providing the clarification if required.


69 of 131


SESSION 3E & F — AUDIT PROGRAMMES & PLANNING OF AUDIT

0 Overview

This session introduces the different types of Quality System audits and the need for conducting them and explains the planning and preparation for an on-site audit.

1 Management of an Audit Programme

An audit programme comprises activities related to planning, organizing (type & number of audits) & providing necessary resources. The programme may include one or more audits, may include a variety of objectives & include joint or combined audits. When a quality management & an environment management system are audited together, this is termed as combined audit. When two or more auditing organizations cooperate to audit a single auditee, this is termed as joint audit.

The top management of an organization grants authority to a person or a group of persons for managing an audit programme.

The responsibilities for managing an audit programme are as follows :

1) Establish, implement, monitor, review & improve the audit programme

2) Identify & provide necessary resources.

2 Audit Programme Objectives

Audit programme objectives may include

1) Meeting certification requirements against a management system standard like ISO 9001

2) Verifying conformance to contractual standards

3) Assessing potential or an existing supplier


70 of 131

4) Contributing to the improvement of the management system

Audit programme objectives can be based on management priorities, commercial intentions, contractual requirements, management system requirements, statutory & regulatory requirements, supplier evaluation, risks to the organization, customer requirements & needs of other interested parties.

3 Audit objectives, scope and criteria

Within the overall objectives of an audit programme, an individual audit should be based on defined objectives, scope and criteria.

Examples of objectives for an audit are:

a) Determining the extent of conformity of the auditee’s management system, or parts of it, with audit criteria;

b) Evaluating the capability of the management system to ensure compliance with laws, regulations and contractual requirements;

c) Evaluating the effectiveness of the management system in meeting specified objectives;

d) Identifying areas of potential improvement of the management system.

The audit scope describes the extent and boundaries of the audit in terms of factors such as physical locations, organizational units, activities and processes to be audited and, where relevant, the time period covered by the audit.

The audit criteria can include applicable policies, procedures, standards, including those relating to laws and regulations, management system requirements, contract requirements, industry/business sector codes of conduct, or environmental guidelines.

The audit objectives, scope and criteria should be defined by the audit client. Any subsequent changes to these should be agreed by the audit client, and, as appropriate,


71 of 131

by those responsible for managing the audit programme and the auditee, after consultation with the audit team leader.

4 Extent of Audit Programme

The extent of an audit programme is governed by the size, nature, complexity of the organization, the scope, objectives, duration, frequency, location to be audited, audit criteria, previous audit conclusions, significant change to the organization, language, cultural & social issues, the concerns of interested parties & others.

5 Feasibility of the Audit

Those responsible for managing the audit programme should determined the feasibility of the audit, taking into consideration such factors as :

a) sufficient and appropriate information for planning the audit;

b) adequate cooperation from the auditee;

c) availability of time & adequate resources.

Where the audit is not feasible, an alternative should be proposed to the audit client by those responsible for the audit programme management in consultation with the auditee.

6 Types of Audit

First/Second/Third Party Audits: based on who is doing the audit.

External/Internal Audits: based on who is doing the audit.

Document Review/On-site Audit: based on what is being audited.

Product/Process/System Audit: based on what is being audited.


72 of 131

6.1 First/Second/Third Party Audit [Ref : IRCA 602]

First Party Audit is an audit within an organization by that organization’s own auditing resources.

This is also called Internal Audit

Second Party Audit is an audit of contractors/suppliers undertaken by, or on behalf of, a purchasing organization. This may include the audit of companies or divisions supplying goods or services to others within the same group. Also referred to as a supplier audit.

This is an example of External Audit

Third Party Audit is an audit of an organization performed by a body that is independent of the organization being audited, e.g. certification body or registrar.

This is also an example of External Audit.

6.2 Product/Process/System Audits

Product Audit is an audit of a product against specified product requirements

Process Audit is an audit of a process against specified process norms/parameters.

System Audit is an audit of a Quality System against specified standard/requirement.

7 Scheduling Audits

Third Party (Certification Body) Audits

The initial assessment is normally planned well in advance. In order for the audit to provide sufficient evidence of compliance to justify whether or not certification is to be granted, it must cover all aspects of the Quality System Standard relevant to the scheme and associated guides; moderated by the organization’s


73 of 131

declared scope. All the requirements specified in ISO 9001 need to be assessed.

In some cases a pre-certification audit may be conducted to determine the organizations ‘state of readiness’ for the full assessment. This may be performed by the certification body, or consulting organization.

As per ISO 17021, Surveillance visits are to be conducted within 12 months of Stage 2 Initial Audit and thereafter at least once per year. Certification Bodies may conduct more surveillance audits say, twice per year. A notice of one or two weeks’ is given before the audit. The certification body will schedule audits so as to cover the standards over the course of a year, taking experience on previous audits into account.

The surveillance audit programme shall include, at least

a) internal audits and management review,

b) a review of actions taken on nonconformities identified during the previous audit,

c) treatment of complaints,

d) effectiveness of the management system with regard to achieving the certified client's objectives,

e) progress of planned activities aimed at continual improvement,

f) continuing operational control,

h) review of any changes, and

i) use of marks and/or any other reference to certification.

A periodic re-assessment or a re-certification audit would cover the whole of the standard and scope. This would take place at intervals of three years, but before expiration of certification according to ISO 17021


74 of 131

External (Customer-Supplier) Audits

The whole auditing activity must be planned in a formal and systematic manner and it is necessary to formulate a forward programme or schedule of vendor/subcontractor audits. This should be documented so that it can be shown to and discussed with visiting auditors. Some type of chart showing the month within which each planned audit will be carried out is usual.

Surveillance visits are conducted on suppliers to give added reassurance that their quality system is being maintained so as to assure the quality of products being purchased from them. Since the whole point of third party certification is to give such re-assurance to customers, regular surveillance visits would probably, only be made if:

There is concern about the quality of products being received

Specific requirements of a contract demand extra vigilance

The supplier does not have a certified Quality Management System

The products/services procured are outside the scope of the ISO 9001 registration

There are a number of factors to consider when formulating a schedule of audits on suppliers:

The requirements of current and pending contracts. It may be desirable to carry out audits early during a major contract to assure effective control during the design and procurement phase.

Value of current and pending contracts. The time which has elapsed since a particular

supplier/sub-contractor was last audited and the number and nature of the findings of previous audits.

The resources available for auditing.


75 of 131

When formulating the schedule of audits there should be consultation between the department responsible for auditing and departments such as Contractors, Purchasing and Management Services. When planning a supplier surveillance visit, due notice must be given to the supplier and the audit plan must address the specific areas of concern so as to make best use of the time available.First Party (Internal) Audits

Internal audits are required to be carried out according to a planned schedule, which must be appropriately authorized and issued by the management. All the company activities comprising the Quality System must be audited. The frequency of these audits should be determined by the management in accordance with the needs of the Quality System and or the business. All activities need to be audited at least once a year.The audit schedule may be designed so that more than one function in the organization is audited simultaneously; this ensures that the interface activities get audited which may otherwise not be covered adequately, such as production and the quality control.Management should be prepared to review and revise audit schedules in the light of changes in the business or of particular quality problems.

8 Responsibilities for Managing the Audit Programme

The responsibility of managing an audit programme should be assigned to a person or a group of persons who has following attributes :

• Understands the audit principles• Competent auditor• Management skills• Technical & business understanding relevant to the

areas to be auditedThe job comprises :

• Establishing audit programme objectives & extent


76 of 131

• Establishing the responsibilities, procedures• Ensuring provision of resources• Ensuring implementation of audit programme• Maintenance of records• Monitoring, reviewing & improving the audit programme

9 Audit programme Resources & Procedures

When identifying audit programme resources consideration needs to be given to the following :

1) Financial resources

2) Audit techniques

3) Processes to achieve, maintain & improve competence & auditor performance

4) Appropriate auditors & technical experts (if required)

5) Extent of audit programme

6) Logistics

The audit programme procedures needs to address the following

1) Planning

2) Ensuring competence of audit team

3) Assigning responsibilities

4) Conducting audits

5) Conducting follow ups, if applicable

6) Maintenance of records

7) Monitoring the performance & effectiveness of audit programme


77 of 131

8) Reporting to top management

10 What the auditor is looking for?

The auditor, whether external or internal, is seeking to assess essentially three things :

Does the Quality System meet the requirements of the relevant Quality System Standard or contract ? (Existence of Quality System)

Does the supplier do what the Quality System requires, in every respect? (Operation of Quality System)

Is the Quality System as implemented effective in ensuring maintenance and improvement of the quality of the supplies products and services and effective to meet stated quality policy and objectives? (Effectiveness of Quality System)

In order to assess this, the auditor must investigate the Quality System as defined and as put into practice and the organization’s results in line with their plans.

11 Obtaining Information

In order to plan an external audit the auditors require a considerable amount of information about the company – its activities, organization, policies and procedures.

The company's quality manual supported by questionnaires is the usual source of this information. A number of certification bodies have prepared a questionnaire for soliciting this information.

When making the initial approach to a company to arrange for an audit, the auditor should consider the possibility that the company quality manual may not contain all the information necessary for proper planning of the audit. The auditor should therefore request in detail the information required. If the information required is not in the quality manual, the company will need to provide additional documents. The documents received, whatever they are called, should describe the Quality System for the relevant contract (or possible future contract).


78 of 131

If this information cannot be provided in documents, the Lead Auditor has the option to pay a preliminary visit to the company to obtain the information necessary for the planning of the audit.

Even if the information can be obtained from documents, it is often advantageous to both parties to have a preliminary meeting between the Audit Team Leader and the company’s quality management representative. An audit programme can be drafted and agreed at this meeting.

12 Initial contact with the auditee

The initial contact with the auditee can be informal or formal. Depending on the audit situation, those responsible for managing the audit programme or audit team leader should consider the following, as appropriate:

a) Contacting the auditee to establish communication channels;

b) Providing information on proposed timing and audit team composition;

c) Requesting documents, including records, if needed, and

d) Making arrangements for the audit.

Any need for accompanying persons such as observers or guides for the audit team should be mutually agreed.

13 Pre-Audit Visits/Meeting

The requirement to make a pre-visit will be determined by a number of factors :

Because the organization is large or complex Because the organization is geographically spread The need to ensure that the proposed scope reflects

the nature of the business


79 of 131

Similarly there may be a range of benefits from such a visit both for the Audit Team and for the auditee. These may include :

The opportunity to ensure that the auditee understands the audit process more clearly

The chance to assess the maturity of the Quality System – whether it is being maintained if well established, or whether it had only recently been introduced.

The opportunity to ensure that as much of the documented quality system as is needed has been reviewed before the audit. Certification bodies sometimes prefer to carry out the documentation review on site.

ISO 17021 recommends that for most management systems, at least a part of Stage 1 audit be carried out at the client’s premises

Typical Pre-Audit visit agenda may include :

Explain the process of audit to the company Introduction with key personnel Confirm scope of assessment Confirm date of audit and other details Identify the need for special knowledge or skill required for

auditing Quick, short visit of site to have a ‘feel’ of the company to

be audited Outline plan/programme of audit On-site documentation review, wherever possible Clarify doubts of auditee organization

Verify aspects of Stage 1 Audit

Care should be taken not to indicate likely success, or otherwise, of the assessment. In the case of a third party pre-registration assessment, however, an indication of


80 of 131

whether the proposed date for carrying out the audit is realistic, should be given. Similarly, it is not acceptable practice to suggest alternative methods or procedures which the Auditor finds preferable. The auditor must be aware that the purpose of the QMS is for ease of use by the organization not for the ease of the auditor.

14 Establishing the audit team

When the audit has been declared feasible, an audit team should be established and an audit team leader is appointed taking into account the competence needed to achieve the objectives of the audit. When there is only one auditor, the auditor should perform all applicable duties of an audit team leader.

Those responsible for managing the audit programme and/or the audit team leader, in consultation with the audit client and, if necessary, the auditee, should identify the resources necessary.

When deciding the size and composition of the audit team, consideration should be given to the following:

a) Audit objectives, scope, criteria, location(s) and estimated duration;

b) The overall competence of the audit team needed to achieve the objectives of the audit;

c) Requirements from accreditation/certification bodies, as applicable;

d) The language of the audit and understanding of the auditee’s social and cultural characteristics either through their own skills or through the support of a technical expert;

e) The need to assure the independence of the audit team from the activities to be audited and to avoid conflict of interest;

f) The ability of the audit team members to interact effectively with the auditee and to work together.

The process of assuring the competence of the audit team should comprise the following steps:


81 of 131

1. Identifying the knowledge and skills needed to achieve the objectives of the audit;

2. Defining the criteria by which knowledge and skills are to be evaluated;

3. Selecting the audit team such that all of the knowledge and skills needed to conduct the audit and to achieve the audit objectives are present in the audit team. If not fully covered by the auditors in the team, the overall competence may be satisfied by including technical experts in the team. Technical experts should operate under the direction of an auditor.

Both the audit client and auditee have a right to request the replacement of particular team members on reasonable grounds which should be communicated to those responsible for managing the audit programme. Any decisions to replace team members should be taken by those responsible for managing the audit programme. Examples of reasonable grounds can be conflict of interest situations (such as an audit team member having been a former employee of the auditee or having provided consultancy services) or previous unethical behavior.

15 Documentation review (Adequacy audit)

This has been dealt with in Session 3 c of these Course Notes.

16 Audit team work assignments

When an audit is conducted by an audit team comprising more than one auditor, the audit team leader, in consultation with the audit team, should assign to each team member responsibility for auditing specific management system processes, functions, sites, areas or activities. Such assignments should take into account the need for auditor independence, competence and efficient use of resources as well as different roles and responsibilities of auditors, auditors-in-training, and technical experts. Changes to the work assignments can be made to ensure the achievement of the audit objectives.


82 of 131

The audit team members should review the relevant information related to their audit assignments and prepare any work documents necessary for those assignments.

17 Work documents

Work documents used by the audit team for the purpose of reference and/or recording the proceedings of the audit can include:

a) Audit procedures, checklists and audit sampling plans;

b) Forms for recording information, supporting evidence, records of audit findings and meetings.

The use of work documents, such as checklists and forms, should not restrict the extent of audit activities.

Work documents, and any records resulting from their use, should be retained, at least until audit completion. Retention of documents, including records, after audit completion is also essential. Those involving confidential or proprietary information should be suitably safeguarded at all times by the audit team members.

18 Preparing for the on-site audit activities

18.1 Planning the on-site audit activities

The audit team leader should prepare a plan for the on-site audit activities. This plan should provide necessary information to the audit team, auditee and audit client. It also facilitates scheduling and co-ordination of the audit activities.

The level of detail provided in the audit plan, should be adapted to suit the scope and complexity of the audit. The details can for example differ between initial and subsequent audits and also between internal and external audits.

The audit plan should include:

a) The audit objectives and scope;


83 of 131

b) The audit criteria and any reference documents;c) The dates and places where the on-site audit

activities are to be conducted;d) The identification of the organizational and

functional units and processes to be audited;e) The expected time and duration for audit on-site

activities, including meetings with the auditee’s management and audit team meetings.

The audit plan can also include, as appropriate:

f) The identification of the sites, activities, and management system processes that are essential to meeting audit objectives in order to allocate appropriate resources to critical areas of the audit;

g) The identification of the auditee’s key representative participating in the audit;

h) The working and reporting language(s) of the audit where this is different from the native language of the auditor(s) and/or the auditee;

i) The identification of roles and responsibilities of the audit team members and any accompanying persons;

j) The audit report topics (including any methods of nonconformity gradings), format and structure, expected date of issue and distribution;

k) Logistic arrangements (travel, on-site facilities etc.);

l) Matters related to confidentiality;m) Any arrangements for audit follow-up actions.

The plan should be reviewed and accepted by the audit client and presented to the auditee before the audit.

Any objections by the auditee should be resolved among the audit team leader, the auditee and the audit client before continuing the audit.


84 of 131

The audit plan should be sufficiently flexible to permit changes, such as any changes in emphasis which can become necessary as the on-site audit activities progress. Any revised audit plan should be agreed among the parties concerned before continuing the audit.

Audit team assignments take into account the needs for competence, independence & effective use of resources. Changes to work assignments may be made as the audit progresses to ensure the achivement of audit objectives.

18.2 Time Estimating

In preparing the audit programme, the Lead Auditor has to consider the time which will be required to carry out the audits in the areas selected for the audit sample. This will depend on the complexity of the function being investigated.The Lead Auditor needs therefore to allocate a sensible amount of time for the areas concerned. The auditors preparing the check lists can then determine what questions can reasonably be expected to be answered within that time. To ask and get an answer to a closed question may take only ten or fifteen seconds, to ask and get an answer to an open question may take several minutes. Time must be allowed for looking at documentation, computer files and records (in answer to ‘show me’ type questions), but also for moving from one place to another, waiting time and interruptions.The calculation of the size of audit team required and the time it will need, must take into account the scope, the number of locations and the organization’s complexity. The documented quality system is an essential input to this calculation.Document titled IAF Guidance on the Application of ISO/IEC Guide 62:1996 provides in Annex 2,an indicative time chart for audit time estimation based on strength of employees. Certification bodies use this table to determine actual audit time required after providing for other factors such as locations and sites, process complexity etc. Even though the Guidance document has been withdrawn following publication of ISO 17021, the Annex is still valid. The indicative time chart is as under:

Number of Auditor Time for


85 of 131

Employees Initial Audit (auditor days)

1-10 211-25 326–45 446-65 566-85 686-125 7126-175 8176-275 9276-425 10426-625 11626-875 12876–1175 131176–1550 141551-2025 152026-2675 162676-3450 173451-4350 184351-5450 195451-6800 206801–8500 218501-10700 22> 10700 Follow progression

above

18.3 Audit Strategy

All activities covered under the scope need to be audited. A programme will be prepared and time and effort spent in a department or function will depend upon the importance of this department. This puts sufficient stress on the need for good time management.

18.4 The Audit Sample

There is enough time during an audit to investigate all the quality activities of a company.

At the same time, there could never be time to examine more than a small part or the sample of factual information which could be gathered on the effectiveness of management control on each on these activities.


86 of 131

Quality System auditing involves examining only a limited SAMPLE of activities or evidence. The selection of the Audit Sample is obviously a matter of great importance.

The purpose of the audit is to come to a data-based judgement about the degree of compliance of a company’s Quality System with specified requirements and the audit sample must be planned to obtain information which provides a balanced picture of the quality management of the company.

Knowing the total time available for the audit the Lead Auditor must decide how much time to allocate to assessing the Quality System in each department/work area. The Lead Auditor’s decision on this will determine the programme for the audit.

18.5 The Audit Team Briefing

If it is a major audit involving two or more auditors, the Lead Auditor will require to get the team members together in good time for a briefing. The purpose of this meeting will be to communicate information to the team members and assign tasks to each. The meeting will cover :

The objectives and scope of the audit The applicable Quality System Standard, contract

requirements, regulatory requirements, reports of previous audits, information about quality problems etc.

Consideration of the audit programme and the assignment of responsibilities to each auditor

Provision of copies of the company’s Quality System Documentation and any other relevant documents

Arrangements for preparation of audit check lists and their review by the Lead Auditor


87 of 131

18.6 Audit Programme Records

Audit plan

Audit reports

Non conformity reports

Corrective & preventive action reports

Audit follow up reports

Reports of audit programme review

Audit personnel record

- auditor competence- performance evaluation- maintenance & improvement & competence

19 Audit Programme Monitoring & Review

Audit programmes need to be monitored at appropriate intervals, reviewed to assess whether audit objectives have been met & to identify opportunities for improvement.

The performance indicators for monitoring could be :

- ability of audit teams to implement the audit plan

- conformity to programmes & schedules

- feedback from clients, auditees, auditors

The audit programme review may include monitoring trends, conformity with procedures, evaluating needs & expectations of interested parties, audit programme records, new auditing practices & consistency of performance of auditors under similar circumstances.


88 of 131

The results of audit programme reviews can lead to corrective & preventive action & the improvement of the audit programme.

20 Preparation of Check list

This is dealt with in Session 3 g of the Course Notes.


89 of 131


SESSION 3G – CHECKLISTS

0 Overview

This session covers the purpose, preparation and benefits of using a checklist for an on-site audit.

1 Purpose

The purpose of auditor checklists is to provide a reference document for use during the audit process which helps the auditor keep to the prepared plan for the audit both in terms of time and content.

In preparing a checklist the auditor should:

be conversant with the Quality System relate the checklist to the department or Quality

System area to be audited relate the work to be done to the time available

The style of the checklist is at the auditor’s discretion.

2 Preparation of Checklists

With the agreed audit programme, the audit team can complete the planning of the audit by deciding what aspects of the Quality System shall be examined in each work area to be visited. This is done by preparing checklists.

In preparing checklists, an auditor is defining the sample of activities which is to be examined in the part of the audit for which he/she is responsible. While auditing a department, the checklist will be used by the auditor as an aide memoire to provide a reminder of what the auditor had planned to examine in that area.To reach an informed judgement about the degree to which the organisation complies with the Quality System


90 of 131

requirements, the auditor must obtain factual evidence. The audit sample must be selected so that appropriate factual evidence can be obtained. Carrying out this difficult task effectively requires skill which will only be developed with experience of auditing.Guidance points for the preparation of audit checklists are : Before preparing the checklists, the auditor should

become fully conversant with the objectives and scope of the audit and the documents specifying the Quality System requirements.

There should be a separate checklist for each department or work area to be visited. Sometimes it may be advantageous to have more than one checklist for a single area where there is more than one function applicable to that area, e.g. production and inspection.

Time allocated for an audit will depend on number of items on the checklist and their importance.

The amount of detail included in the checklist about the activities for examination should suit needs of the auditor. The auditor may write out a series of questions, or simply list headings.

The checklists should be a good servant but never be the ‘master’ of the auditor. The auditor may come across information which, if followed up, may provide a valuable insight into the way the company manages quality. However, deviation from a pre-prepared checklist should only be permitted if time allows and the overall objective of the audit is not jeopardised. In general, if an audit has been well planned and the checklist carefully prepared, deviation from the checklist will not be necessary.

The following documents can be used / referred while preparing a check-list: Legal/Statutory sector specific requirements/mandatory in

law Quality System standard e.g. ISO 9001 Customer requirements


91 of 131

Company’s Quality system documentation Personal experience (not personal bias)

In a situation, wherein there is no documentation for an activity, a checklist can still be prepared, based on the above points.

3 The Benefits of checklists

Pre-planning the audit by preparing checklists is one of the techniques of effective auditing. The use of checklists:

helps to ensure that ‘scope’ gets covered in the allotted time frame.

helps to ensure the audit sample is well balanced. helps to ensure that the auditors are well briefed

about the objectives and the contractual background.

permits the Lead Auditor to evaluate the preparatory work carried out by other members of the team.

helps the auditors control the ‘pace’ of the audit. is useful if there is need to reassign part of the

audit from one auditor to another. provides a record of the specific areas and activities

examined during the audit. becomes a base for improvement.

4 Essential features of a Process Based Checklist

The PDCA Approach

Process Performance Measures (Plan) Expected results (Plan) Process map (Plan) Process owner (Plan)


92 of 131

Sequence of activities (Plan) SOPs \ WIs (Plan) Implementation (Do) Monitoring (Do/Check) Reviewing process measures (Check) Analysis of data (Check \ Act) Improvements activities (Act)


SESSION 3H – OPENING MEETING

0 Overview

This session covers the purpose, significance and conduct of an opening meeting.

1 The Opening Meeting

The performance phase of an audit begins with an ‘opening meeting’ at which the objectives of the audit are explained to the auditee’s managers and arrangements for the audit confirmed. The auditors then carry out their assessments.

The opening meeting is held at the location at which the audit is to be performed and is chaired by the Leader Auditor. The meeting enables the Auditors to confirm the scope and method of the audit, to put the company at ease, to create the right atmosphere and to give the auditors an insight into the Management’s commitment to quality.

2 Agenda

The opening meeting provides the opportunity to establish the general rules for the conduct of the audit


93 of 131

and should follow the agenda set by the Lead Auditor. Matters to be covered include :

Introduction of the participants, including an outline of their roles; (an attendance sheet may be circulated).

Confirmation of the audit objectives, scope and criteria; and, if necessary, a statement about the authority for conducting it.

Confirmation of the audit timetable and other relevant arrangements with the auditee, such as the date and time for the closing meeting, any interim meetings between the audit team and the auditee’s management, and any late changes;

Methods and procedures to be used to conduct the audit, advising the auditee that the audit evidence will only be a sample of the information available and that therefore there is an element of uncertainty inherent in all audits;

Confirmation of formal communication links between the audit team and the auditee;

Confirmation of the language to be used during the audit;

Confirmation that during the audit, the auditee will be kept informed of audit progress

Confirmation that any resources and facilities needed by the audit team are available;

Confirmation of matters relating to confidentiality; Confirmation of relevant work safety, emergency

and security procedures for the audit team; Confirmation of availability, roles and identities of

any guides; Method of reporting including any grading of non-

conformities; Information about conditions on which the audit can

be terminated;


94 of 131

Information about any appeal system on the conduct or outcome of the audit.

Response to any questions put by the auditee management.

3 Conduct

Many companies adopt the policy of having their management strongly represented at opening meetings to demonstrate to the auditors the company’s commitment to their Quality System.

Other companies send managers also to opening meetings as a means of communicating the quality message and gaining commitment to the Quality System. However, it is a matter for the auditee company to decide who will be present.

The Lead Auditor should go into the opening meeting well prepared with a written agenda and should conduct the meeting in a business like and professional manner.

The auditors may have questions of a general nature to ask about the Quality System of the company. It is sometimes appropriate to ask these during the opening meeting. However, if there are a large number of people attending the meeting, it is better to keep the questions for a subsequent discussion with the Management representatives to avoid keeping managers away from their work longer than is necessary. Also, if the auditor asks for information about the Quality System during the opening meeting there is a risk that lengthy explanations by the auditee’s management will extend the meeting and upset the audit programme. The auditors should ask questions in less formal settings when they can, without discourtesy, interrupt if an explanation becomes unnecessarily long or irrelevant.

The Lead Auditor should ensure that a record is kept of those attending and particular concerns raised.

The meeting should be short and to the point. Presentations by the company – such as slide shows – should be politely declined as they would take time out of the audit programme.


95 of 131


SESSION 3I – ON-SITE AUDITING AND AUDIT SKILLS

0 Overview

This session covers on-site auditing and the skills required to gather objective evidence during an on-site audit.

1 On-site Audit

After opening meeting, auditor(s) proceed(s) to the agreed upon departments for compliance audit. The auditor basically looks for

(i) Existence of Quality System, including(a) clearly defined responsibilities and authorities

and(b) an adequate level of documentation in the

system(ii) Correct operation of a system covering

(a) knowledge and understanding of all personnel of their roles, interfaces and procedures and

(b) provision of adequate resources(iii) Effectiveness of the documented system for

(a) achievement of declared aims and objectives and

(b) suitable corrective action based on observed deviations and omissions.

Information relevant to the audit objectives, scope, and criteria, including information relating to interfaces between functions, activities, and processes should be collected during the audit. It should be verified by the auditor(s) and can then be considered to be audit evidence. Audit evidence should be identified as such and recorded.

The audit evidence will inevitably be only samples of the information available, since an audit is conducted during


96 of 131

a finite period of time and with limited resources. There is thus an element of uncertainty inherent in all audits, and those acting upon the audit conclusions should be aware of this uncertainty.

It is to be ensured that the scope of the quality management system is covered and objectivity is achieved during the Audit. The Auditors essentially look for compliance to the requirements and in doing so they also identify the non-compliance of the requirements. These non-compliances or partial fulfilment of a compliance are termed as non-conformity and may result in non-conformity reports. The Lead Auditor reviews all the non-conformances for objectivity and clarity.If a serious non-conformity, in other words major non-conformity is evident, the leader of the team would inform the same to the Auditee management.The Audit team conducts regular review meetings within themselves and regular liaison meetings with the Auditee representative. Hence, communication during Audit is important.The auditor may use several techniques and skills to gather maximum information about the Quality System. Details on these skills is available in the following pages.

Any distractions from the task advertently or inadvertently befalling the auditors’ progress should be handled carefully and diplomatically. At all times the objective and criteria for doing audits and role of a good auditor should be kept in mind.

2.1 Collecting & verifying Information

The audit evidence is based on samples & hence there is a degree of uncertainty in auditing. Those acting on audit conclusions should be aware of this uncertainty. The methods of collecting information are:

- interviews- observation of activities- review of documents.


97 of 131

2.2 Collecting Information for reaching Audit Conclusions

When audit evidence is evaluated against audit criteria it generates audit findings which can either indicate a conformity or a nonconformity. When specified by audit objectives, audit findings can identify an opportunity for improvement, nonconformities & their supporting evidence should be recorded.

Prior to the closing meeting, the following actions need to be taken :

- review audit findings

- agree to audit conclusions

- prepare recommendations

- discuss audit follow up

The audit conclusions could include the following :

- Extent of conformity

- Effective implementation, maintenance & improvement of the system

- Capability of the management review process

- if specified by audit objectives, audit conclusions can lead to recommendations regarding improvement, business relationship, certification or future auditing actions.

3 Communication during the audit

Dependent upon the scope and complexity of the audit, it can be necessary to make formal arrangements for communication during the audit.

An audit team should confer at least daily in order to exchange information, assess audit progress, and reassign work between auditors as needed.


98 of 131

During the audit, the audit team leader should periodically communicate the status of the audit and any concerns to the auditee and audit client, as appropriate. Any evidence collected in the audit that suggests a significant risk exposure should be reported immediately to the auditee and, as appropriate, to the audit client.

Where the available audit evidence indicates that the audit objectives are unattainable, the audit team leader should report the reasons to the audit client and the auditee to determine the appropriate action. Such action can include reconfirmation of the audit plan, termination of the audit or a change in the audit objectives.

Any concern about an issue outside the audit scope should be noted and reported to the audit team leader, for possible communication to the audit client and auditee. Any need for changes in the audit scope which may become apparent as on-site auditing activities progress should be reviewed with and approved by the audit client and, as appropriate, the auditee.

4 Audit Trails

For an effective and purposeful Audit, the Auditor should follow a well-defined Audit trail. Generally, it is advantageous to follow a set pattern.The Audit trail needs to be tailored depending on the process or activity being audited, for example Management process, realization process etc.The Audit trail generally starts with the policy and company level objectives, from which the functional level objectives are deployed. The process documentation provides data on process inputs, resources, desired output, monitoring and measurement. If performance indicators are established, then data analysis and use of data for improvements become evident. These points establish a general trail for Auditing of processes.

5 The Process Approach

Using the Audit trail described in 10.3 above, the Auditor has to Audit an activity or a process which may or may not be documented on the process approach. Processes, which are not defined by documentation, may require


99 of 131

additional audit time. Every process has inputs and outputs and may depend on another process. Hence, the process to be audited is to be understood properly and it is verified whether the inputs, outputs and interactions have been properly established. This leads us to define the responsibilities and the scope and extent of process. Once these are established, the Auditor proceeds to audit the monitoring methods and measurables.In this way, the process approach to auditing can be achieved.

6 Auditing of Management Commitment

Top management has a major role to play in the quality management systems based on ISO 9001 standards. Through leadership and appropriate actions, top management can create an environment where people are fully involved. In these situations, a quality management system can operate effectively.The role of top management as required by ISO 9001 Standard and their active involvement is to be understood by the Auditor. These include, establishment of quality policy and objectives, efficient communication within the organisation, availability of resources, conduct of management review, etc.To audit the top management commitment, the Auditor has to first identify who all constitute top management. The top management involvement is evident at all places during the audit. In deciding on the top management commitment, the Auditor has to look for results and effects rather than records only.During the Audit process, Auditors at different locations will obtain different views on the top management commitment. These views are to be exchanged during Auditor meetings.To conclude on Top Management Commitment, the Lead Auditor has to take a comprehensive and considered judgement based on all the findings at different locations through the different Auditors.


100 of 131

7 Auditing skills

During the process of auditing, the auditor maintains control over conduct and reporting of the audit through the use of various skills which can be categorised into three different groups:

i) Time Management

ii) Fact Finding

iii) Reporting

8 Time Management

Auditor has to complete the audit in agreed time frame. Time Management will involve:

i) Better planning and preparation for audit purposes. Auditor should prepare by reviewing the documents and also preparing checklist/aides memoire.

ii) Being punctual in starting the audit

iii) Avoid time wasters, which could be intentional or unintentional. These time wasters can be

Repeated / long introductions in each department

Long presentation by the company on its activity and profile

A walk round the plant which is very large. Auditor should plan audit in such a way to minimise to and fro movements or request for transport arrangements

Offer for lunch/tea/coffee

False trails/red herrings put by the auditee. e.g. An auditee may keep some obsolete drawings/ uncalibrated instruments in the front to divert auditor’s attention away from more important issues.


101 of 131

Auditor concentrates on trivial issues like looking at signature on each record and forgets about more important matters.

Top Management of the company may start telling auditors some detailed stories about the organisation’s growth and the auditor loses focus of audit.

9.1 Fact Finding

Purpose of any audit is to find fact supported by objective evidence, which can be in the form of

Documents like plans, specifications, computer files, etc.

Observations, i.e. what the auditor sees with his own eyes

Records such as records of reviews, tests and meetings

Sometimes, even statements of informed personsAuditor uses various skills to find the facts like:

Reading : Auditor needs to read the procedures, other system related documentation and the relevant Quality System standard before and during the audit. Lots of records will be read by the auditor to get the objective information.

Observation : Auditor needs to observe what is happening around the place of audit. An auditor should not observe things superficially but should go little deeper into the subject. For example, if the production supervisor shows you tools or document from the first drawer of filing cabinet, you may request the supervisor to open the third drawer. Auditor should keep in the background the fact that auditee might have done some quick fixing or window dressing before the audit. As a possibility, the auditee might have removed all unidentified


102 of 131

and suspecting objects lying in front of the machine and kept them behind the machine.

Communication: Effective Communication is key to the success of an audit. Communication is required in every phase of the audit starting from ‘Information Gathering’ to the phase of ‘Reporting’.Communication should be in line with the Purpose Audience and SituationCommunication should be in simple language so that the receiver of the communication can easily understand. The message should be properly structured and organised. Use of local language should be preferred particularly when interacting with lower level staff.It is now a proven fact that impact of any communication/message is given. 7% verbally (the words we write) 38% vocally (the volume, pitch and intonation) 55% by body language (facial expression and gestures)Auditor, thus has to not only listen to what is being said but also understand what is being hidden/concealed/suppressed by observing body language.

Body Language : Body Language is the message being conveyed through our gestures and facial expressions. It is said that “Truth can not be hidden”. If words don’t tell the truth, it oozes from other parts of the body and is reflected in our unconscious gestures like : Eye Contact


103 of 131

Clenched fists Crossed Arms and Legs Handshake Eye movements

Direction of feet and legs

Care about personal space

Silence at the end of a question

Questioning : Information in an audit situation is generally sought by asking questions to the auditees. Questions can be of three types :

Leading Questions like

‘You do ... Don’t you?

Closed Questions like

Do you ... ?

Can you ... ?

Will you ... ?

Open Questions like those starting with:

What

When

How

Where

Who

Why (with caution)

Most of the auditor’s questions should be open questions because only these questions can bring detailed information about the


104 of 131

organizations’ or departments’ activities. These six questions, plus ‘Show me’ are the Auditor’s good friends.

Other things to be taken care of, while asking questions are: Questions should be relevant to the

department/activity being audited. Ask only one question at a time. If you

ask multiple questions, you may end up getting answer to most comfortable question.

Listening : The word Audit has been derived from the word ‘Audio’ which means listening. An auditor has to be an active and careful listener.Some of the barriers observed in listening are: Deciding in advance that the subject is

not interesting Evaluating the speaker Becoming emotionally involved with what has

been said Listening only for facts and not for ideas Taking copious notes Faking attention and pretending to be

listening Getting distracted easily Avoids difficult listening Failing to capitalise on ‘Thought Speed’

Use of Thought Speed : Average person speaks about 120 words per minute while our brain can process about 450-500 words per minute. A good listener can use this excess capacity to:


105 of 131

anticipate what the person is going to say next analyse what he is saying summarise what has been said mentally frame the next question appreciate and understand any emphasis

being made understand body language of the speaker

First Question : First question in any audit should be very simple so as to ‘break the ice’ or break all communication barriers. Auditee should be in a position to answer this first question very easily. So questions like ‘What are the activities of your department or work area’, and ‘What are your key responsibilities?’ are recommended.

Unasked Question : The auditor can use his/her body language to convey the message without really putting it into the words. For example, you can pick up an object (for which you need some information or you’ve some doubt on this object), raise your eyebrow and may be just scratch your head, the other person may be under pressure and start giving you all the necessary details.

Use of Checklist : As discussed in Session 9, check list should be used to ensure that you do not miss out any aspect of the department’s working.

To-and-Fro Checking : If you find two drawings for which you are not certain about the revision status, you should not rush to the drawing offices to find out this status. All you have to do is to just note down the number and give this feedback to other team member in liaison meeting who is going to the drawing office or alternately you can go to the drawing office after you have completed all the points on your check list.


106 of 131

Take Notes : During audit, it is strongly recommended to keep taking relevant notes of what has been observed. Auditor should not rely only on his memory to prepare the report.

Select Samples Yourself : Auditing is a sampling exercise and auditor should select random sample himself and not rely on the sample provided by the auditee. Sample selection should be on the spot.

9.2 Interviews

Interviews are one of the important means of collecting information and should be carried out in a manner adapted to the situation and person interviewed. However, the auditor should consider the following:a) Interviews should be held with persons from

different levels and functions, and especially with persons performing activities or tasks within the scope of the audit;

b) Whenever possible, the interview should be conducted during normal working hours and at the normal workplace of the interviewed person;

c) Every attempt should be made to put the interviewed person at ease prior to the interview;

d) The reason for the interview and any note taking should be explained;

e) Interviews can be initiated by asking the persons to describe their work;

f) The results from the interview should be summarized and reviewed with the interviewed person;

g) Questions that bias the answers (leading questions) should be avoided;

h) The interviewed persons should be thanked for their participation and co-operation.


107 of 131

10 Audit Reporting

Audit report should be clear, concise and crisp and should always be based on objective evidence. This is covered in Session 3 k of these Course Notes.


108 of 131


SESSION 3J – AUDIT REPORTING

0 Overview

This session covers evaluation of audit findings and audit reporting including valid, factual and value adding non-conformities. The basis of grading non-conformities is also included.

1 Related Terminology (ISO 9000:2005)

a) Audit Evidence: “Records, statements of fact or other information, which are relevant to the audit criteria and verifiable.”

b) Objective Evidence: “Data supporting the existence or verity of something.”

Note: Objective evidence may be obtained through observation, measurement, test or other means.

2 Audit findings

Collected audit evidence should be evaluated against the audit criteria to generate the audit findings. An audit finding can indicate either conformity or nonconformity with audit criteria and/or identify an opportunity for improvement. If so decided, audit findings can be graded in accordance with the audit plan.An audit team should meet as needed to review the audit findings at appropriate stages during the audit.Conformities should be summarized to at least indicate locations, functions, processes, or requirements that were audited, where no nonconformities were observed. If within the agreed scope, individual audit findings of conformity should also be recorded and supported with audit evidence. Nonconformities should be recorded and supported by audit evidence. Nonconformities should be reviewed with an appropriate auditee representative to obtain acknowledgement of the audit evidence. The


109 of 131

acknowledgement indicates that the audit evidence is accurate, and that the nonconformity is understood. Every attempt should be made to resolve any divergence of opinion concerning the audit evidence and/or findings, and unresolved points should be recorded.

3 Nonconformity report

The non conformity report consists of individual incidences of non-conformance. Non-conformance report consists of :

Observation: A statement of fact made during an audit and substantiated by objectives evidence. Difference between objective and subjective observation is illustrated by the following examples: Subjective Observation

The testing of welders is the responsibility of the production manager whereas it would be more sensible if it were the responsibility of the welding engineer.

Objective Observation

An unqualified welder Mr A is working on a contract for work order 0201 which calls for a welder to be qualified to BS 4781.

Attribution : Reference to Quality System document and/or relevant clause of ISO 9001 against which the observation is a non-conformance

Explanation : A brief explanation of why the stated observation is a non-conformances. It could, at times, be a repetition of the procedure or standard’s requirement.

Non-conformance Reports are also called CORRECTIVE ACTION REQUESTS (CAR).

3a What a Non-Conformance Report contains1. A unique identification, i.e. NCR no. out of a total

no. of NCRs2. Name of the company audited3. Name of the department audited


110 of 131

4. Name of the auditor5. Date of the Audit6. A precise and clear description of the observation

supported by objective evidence7. A clear attribution to one clause of company’s

manual/procedure and/or one clause of ISO 90018. Explanation to clarify non-conformance9. Non-conformance clearly categorised as Major/Minor10. Non-conformance report is signed by auditor and

dated4 Major/Minor Non-Conformances

The gradation of non-conformance as Minor and Major Non-conformance is generally done in third-party situations. This may not be necessary in first-party audits and sometimes in second party audits.

A Major Non-conformance is :

Complete absence of a statement or procedure to meet a requirement of the standard

Breakdown or non-observance of a specified procedure or requirement

A Minor non-conformance is a single observed lapse in the use of a defined procedure or requirement.

A number (which is not specified) of minor NCs against one procedure or requirement, around the organisation or in a single department, proving a breakdown, can become a major N.C.

5 Implications of NCR grading

The grading of NCR as major and minor has a bearing on the outcome of the audit.A single NCR of Major grading can prevent the audit team from making a positive recommendation. In addition, to verify the effectiveness of corrective actions, a follow-up visit by the Auditor(s) is required.


111 of 131

In the event of a Minor grading, the audit team makes its decision depending on the seriousness and extent of the nonconformities. The closure of the NCR in this case may be carried out through documentary evidence or even in subsequent surveillance audits.If specified by audit objectives, audit conclusions can lead to recommendations regarding improvements, business relationships, certification or future auditing activities

6 Opportunities for Improvement & Audit Conclusions

Audit conclusion are prepared, prior to the closing meeting. It is based on reviewing the audit findings against audit objectives. The uncertainty inherent in the audit process should be taken into account before agreeing an audit conclusions. Audit conclusions may also include recommendations opportunities for improvement, if specified by audit objectives & to discusses audit follow-up, if include in the plan.Examples of issue addressed in audit conclusions are :The extent of conformity of the management system with the audit criteria. The effective implementation, maintenance & improvement of the management system.The capability of the management review process to ensure its functions.

7 Reporting on the Audit:

A good report has to be :

Complete : It should contain all the information necessary for subsequent verification of the audit findings by the auditee. In general, non-conformance report should cover : WHERE the non-conformance was observed WHO was involved WHAT was observed


112 of 131

The report must include all applicable document references, location codes, equipment number, etc. to allow verification.

Accurate : This is important because inaccuracy may invalidate the non-conformance, as it will not be accepted by the auditee, and may also damage the credibility of the auditor and cast doubt on the accuracy of other findings.

Concise : Audit report should be as concise as possible but cover all relevant information.

Effective : Audit report should be written in such a way that the auditee can initiate suitable corrective action based on the report.

Appropriate in Tone : Audit report should highlight clearly the facts but care should be taken to avoid finger pointing in the report. Report should not in any way hurt the auditee.

Audit report is prepared under the direction of Lead Auditor and ultimate responsibility for accuracy and completeness of report rests with Lead Auditor.

8 Audit report preparation and content

The audit team leader should be responsible for the preparation and contents of the audit report.

The audit report should provide a complete, accurate, concise and clear record of the audit and should contain audit conclusions on issues such as the following, if within the audit objectives and scope:• extent of conformance of the management system

to the audit criteria;• The effective implementation and maintenance of

the management system• the ability of management review process to ensure

the continuing suitability, adequacy, and effectiveness of the management system.

The audit report should also include, or make reference to the following:


113 of 131

a) the identification of the organization and functional units or processes audited;

b) the identification of the audit client;c) the identification of audit team members;d) the date(s) and places(s) the on-site audit activities

were conducted;e) the audit criteria, and, if applicable, a list of

reference documents, against which the audit was conducted;

f) the audit findings.The audit report can also include or reference, as appropriate:

g) the agreed audit objectives, scope and plan;h) the time period covered by the audit;i) the identification of the auditee’s key

representatives participating in the audit;j) a summary of the audit process including any

obstacles encountered;k) a statement of the confidential nature of the

contents;l) a distribution list for the audit report;m) confirmation that the audit objectives have been

accomplished within the audit scope in accordance with the audit plan;

n) any agreed follow-up action plans;o) any unresolved diverging opinions between the

audit team and the auditee;p) recommendations for improvement, if specified in

the audit objectives;q) areas not covered, although within the audit scope.

9 Audit follow up

The need for corrective, preventive or improvement actions as indicated in the audit conclusions are usually decided & undertaken by the auditee within an agreed time frame & are not considered as part of the audit.


114 of 131

The completion & effectiveness of corrective action may be verified through subsequent audits. This is covered in section 3 L of these Course notes.

10 Report approval and distribution

The audit report should be issued within the agreed time period. If this is not possible, the reasons for the delay should be communicated to the audit client and a revised issue date should be agreed.

The audit report should be dated, and reviewed and approved as defined in audit programme procedures.

The audit report should then be distributed to recipients designated by the audit client.

The audit report is the property of the audit client and confidentiality should be respected and appropriately safeguarded by the audit team members and all report recipients.

11 Retention of documents

Work documents, including records, and reports pertaining to the audit should be retained or destroyed by agreement between the participating parties and in accordance with audit procedures and any applicable legal and contractual requirements.

Unless required to do so by law, the audit team and those responsible for managing the audit programme should not disclose the contents of documents, any other information obtained during the audit, or the audit report, to any other party without the explicit approval of the audit client and, where appropriate, the approval of the auditee. If disclosure of the contents of the audit document is required, the audit client and auditee should be informed as soon as possible.


115 of 131

Appendix A

Summary Statement – Example(Audit Report)

This Company has a Quality System which is well documented and generally in compliance with the requirements of ISO 9001. However, the systems and procedures have not been fully implemented in the contract, planning and product shipment areas. The audit found 33 deficiencies

Particular concern is felt for :

(a) Interaction of processes between Laboratory & Engineering Section regarding control of monitoring & measuring devices.

(b) Lack of quality awareness on the part of project and senior management personnel.

(c) Although there are systems of collecting data in Production & Customer related processes, the analysis and utilizations of these data towards continual improvement is not evident.

(d) Quality objectives for some important sections/functions i.e. Heat Treatment Section and Machine Shop have not been established.

No significant problems were found in systems for Design & Purchasing Processes.

There is a need for more frequent review of the Quality Management Systems and related Process Documents.

It will therefore be necessary for the company to undertake corrective action on the deficiencies raised and for a further audit to be carried out to verify that it had been taken before the company can be awarded a certificate. Corrective action should be effected within three months from today.


116 of 131


SESSION 3K — CLOSING MEETING

0 Overview

This session covers the purpose, preparation, the agenda and conduct of the closing meeting.

1 Purpose

A closing meeting should be held to present audit findings and conclusions in such a manner as to ensure that they are understood and acknowledged by the auditee, and to agree, if appropriate, on the time period for the auditee to present any corrective action plan.

In many instances, for example, internal audits in a small organization, the closing meeting can consist of simply communicating the results of the audit.

For other audit situations, the meeting should be formal and minutes, including records of attendance, should be kept. The meeting chaired by the audit team leader should be held with the auditee’s management and those responsible for the functions audited.

Any unresolved diverging opinions relating to audit findings and/or conclusions between the audit team and the auditee should be discussed and if possible resolved. If not resolved, both opinions should be recorded.

If specified by the audit objectives, the audit team leader should present the audit team’s recommendations for improvements. It should be emphasized that recommendations are not binding. It is normally the responsibility of the auditee to determine the extent and nature of improvement actions.

2 The Closing Meeting

The audit team will meet before the closing meeting, typically for an hour or so, to prepare and review the non-compliance statements (if not already done). Each non-compliance statement is written by the auditor


117 of 131

finding the deficiency and checked by the Lead Auditor or another team member.

On receiving the non-compliance statements, the Lead Auditor may combine some and omit others if it is felt either that they are too minor or not supported by the necessary evidence. The Lead Auditor must also prepare a summary statement representing the overall result of the audit.

While preparations for the closing meeting are being made, the Lead Auditor may ask the company’s Quality Management representative to remind management of the meeting and arrange for sufficient copies of the agenda to be available. The company’s Board representative for quality is expected to attend the closing meeting for assessment and re-assessment.

With some Certification Bodies it is normal practice to write the full report before leaving the Auditee’s premises and provide it in handwriting, commonly on previously designed forms. Where this is the practice, due time needs to be allowed during the pre-closing meeting for the Audit Team to carry out this work.

3 Preparation

The audit team should confer prior to the closing meeting in order to:a) review the audit findings and any other appropriate

information collected during the audit;b) prepare a list of audit findings, if appropriate;c) reach consensus on the audit conclusions;d) agree on roles and tasks for the closing meeting;e) prepare recommendations, if specified by the audit

objectives;f) discuss subsequent audit follow-up, if appropriate.In many instances a simplified approach can be taken for the audit team review, depending on the audit objectives and scope and the audit team size.


118 of 131

4 Agenda and conduct of the meeting

Audit findings will have been informally declared to representatives of the auditee organisation when they were found. They are formally reported to the company management at the closing meeting.The closing meeting will be chaired (controlled) by the Audit Team Leader.Representation of the auditee company is, of course, at the discretion of their management. However, if the audit has disclosed many significant deficiencies in the Quality System, the Audit Team Leader should urge that senior management attend the meeting so that they can hear the verbal report of the findings. As far as the auditee company is concerned the presence of their senior managers at the closing meeting demonstrates their commitment to the Quality System. The auditors should note who attends the closing meeting and include this information in the audit report.In the case of a major audit with a large audit team it is a good idea to intersperse auditors with auditee personnel round the conference table to minimise any ‘them against us’ feelings. The agenda for the closing meeting should include the following items :Introductions

Even though introductions were made during the opening meeting, it is likely that the closing meeting will be attended by representatives of the auditee company who were not at the opening meeting and therefore this should be included as an agenda item.

ThanksThe Audit Team Leader should thank the auditee company for assistance and hospitality received.Purpose and ScopeThe Audit Team Leader should briefly restate the purpose and scope of the audit and the Quality System Standard, etc. against which the Quality System has been assessed. e.g. ISO 9001.

Sample


119 of 131

An explanation should be given of the implications of the fact that the audit involved the examination of only a limited sample of the company’s activities. The auditee management should be reminded that in so far as non-compliances have been disclosed by the audit there may be other deficiencies both in areas which have and have not been visited during the audit. The auditee management should look for and correct such deficiencies, as part of the corrective action process.

Emphasis on Negative Reporting

Due to time constraints, the positive aspects system may not get the emphasis the negative aspects get and whenever possible, the organisation should be recognized.

Findings

The non-compliance statements should be read in a firm clear voice without interruption. The auditor should not deviate from the written statements or sound defensive or apologetic. If there are many deficiencies it is helpful to the auditee to distribute photocopies of them (hand written) during the preliminary stages of the closing meeting. However, even though this has been done, every statement should be read out.

If there are many non-compliances and the audit has taken place over two or more days, they may have read or shown to the auditee at end of day ‘wash-up/review’ meetings.

Note that the categorisation criteria for non-compliances must be reiterated before giving the detail.

Scope

Prior to reading the summary statement and assuming the audit has been successful, the Lead Auditor will read out the final agreed scope and explain any changes from the draft. It is possible that some of the company functions were not demonstrable during the audit due to a lack of work. Here the Lead Auditor may have decided to restrict the function that has been seen in operation. An example is small scale manufacture in a systems house. Generally, scope must not be restricted if a


120 of 131

function has failed just to enable the company to be registered.

Summary Statement

The salient conclusions to be drawn from the audit findings should be stated in ‘summary statement’. It should be explained that this statement may be modified when the auditors have had more time to consider the significance of the findings.Clarification

The auditee management should be given any explanations they request to clarify the findings. However there should be no debate about the facts or their significance.Withdrawals (not to be included on the written agenda)If during the closing meeting evidence is provided to show that a finding is in error, it should be there and then withdrawn – and an apology expressed. If refuting evidence is too massive or involved to be reviewed during the closing meeting consideration of it should be left until after the meeting. (Since it is anticipated that all non-compliance statements will be accepted by the auditee, “withdrawals” should not be included as an item on the “written agenda”)If the auditee refuses to sign for receipt of non-compliances, they should nonetheless be left as part of the audit report. The auditee Management should be advised that they may contest the matter with the management of the Certification Body or client company.Diverging Opinions

Any diverging opinions regarding the audit findings &/or conclusions between the audit team & the auditee should be discussed & if possible resolved. If not resolved, all opinions should be recorded.Recommendation

If specified by the audit objectives, recommendations for improvement should be presented. However, it should be emphasized that recommendations are not binding.


121 of 131

Acknowledgements

If it is the policy of the auditors’ company or client, each non-compliance report should be signed by a representative of the auditee company, to indicate acknowledgement and understanding of the finding. If the auditee declines to sign, restate the purpose of the signature but do not press the matter.Audit Report Availability

State when the formally typed report may be expected and explain briefly the response expected. Hand-written report should be handed over in the closing meeting.Auditee’s Response

The auditee management may wish to make a brief statement to the effect that they have noted the findings of the audit and will take such corrective action as is necessary as quickly as possible.

The Auditee should be informed that, if they are unsatisfied with the audit any way, or if they do not accept any non-compliances, the procedure is to contact the Headquarters staff of the Certification Body.

Departure

As soon as the essential business of the meeting is completed the auditors should thank the auditee again for their courtesy and depart.

A registered auditor is required to maintain a log of audits conducted and a representative of the organisation is required to sign the log. This should be done after the closing meeting by the Quality Management representative or a senior manager.


122 of 131


SESSION 3L — AUDIT FOLLOW UP

0 Overview

This session explains the difference between correction, corrective action and preventive action. This also covers the corrective action process, its evaluation and follow-up, in situations of first, second and third party audits.

1 Related Terminology (ISO 9000:2005)

a) Correction : “Action to eliminate a detected non conformity.” A correction can be made in conjunction with a corrective action. Examples of correction are rework and regrade.

b) Corrective action : “Action to eliminate the cause of a detected non-conformity or other undesirable situation.” There can be more than one cause of non-conformity. Corrective action is taken to prevent recurrence.

c) Preventive action : “Action to eliminate the cause of a potential non-conformity or other undesirable potential situation.” Preventive action is taken to prevent occurance.

2 Audit follow-up

Completion of the audit can result in the need for corrective, preventive and/or improvement actions, as applicable. These follow-up actions are normally not considered to be part of an audit and are usually undertaken by the auditee within agreed timescales. The auditee should keep the audit client informed of the status of follow-up actions, if appropriate.Corrective action should be verified in accordance with an appropriate procedure. This can form part of a subsequent audit.Although follow-up actions are not a part of many audits, the audit program objectives may include follow-up by the audit team. Such follow-up is often an objective of


123 of 131

internal audits and is considered value added by using the expertise of the audit team members. In such cases, care should be taken to avoid any conflict of interest in subsequent audit activities.

3 The Corrective Action Process

It is usual for corrective action to be initiated by a company’s Management representative or quality department, sending out the ‘Corrective Action Request Form’ (CAR) or by completing the copy of the noncompliance report (NCR) submitted by the auditor.

Stage 1

The information to be provided by the auditor during or immediately after the audit is: Reference number To identify the audit and

the non- compliance report.

Date The date on which the non-conformance was identified.

Department/area Identification of the work-area evidence of the non-conformance was obtained.

Non-conformance The non-conformance report (NCR).

Department Responsible The name(s) of the department(s) responsible for the activity to which the deficiency relates.

Signatures Of the auditor at time the non-conformance was identified.Of the person designated to acknowledge receipt of the non-compliance.

Stage 2


124 of 131

On receipt, the auditee staff need to identify the root cause of the problem so that they can identify and eliminate potential causes of non-compliance. They need to assess the risk of recurrence and identify the action required to prevent this. Stages two and three therefore generally follow this form:

The information provided by the auditee when requesting corrective action is: Recommendation Suggestions as to what

corrective action might be appropriate.

Authorising Signature An authorising signature and a date to show when the corrective action plan was issued.

Stage 3

The information provided by the auditee after consideration of the corrective action required is:

Proposed action A brief description of the action which the responsible management proposes to take to correct and prevent recurrence of the non-conformance.

Target date for The date by which the responsible implementation management commit

themselves to have the

corrective action implemented. Signature Responsible The authorising signature

of the responsible manager.

Stage 4

Approval Signature The approving signature of the auditor after


125 of 131

reviewing the corrective action

Stage 5

Provided by the auditee after verification of corrective action: Verification Information provided by a

representative of the auditor’s organisation (or in the case of an internal audit, representatives of the quality department) will record the result of follow up action taken to verify that the corrective action has been taken and is effective.Verification mechanism covers Regular or special

follow-up audits in first party situation

As per contractual requirement or as decided in the closing meeting in case of second party audit

Submission of documentary evidence and/or specific follow-up audit or during regular surveillance audit in case of third-party audit

Close Out A signature and date to signify that the non-compliance has been dealt with and the matter is closed.

While they may make recommendations, it is not advisable for the Management representative or the quality department to take it on themselves to decide


126 of 131

what corrective action will be taken in areas outside their direct authority. Determination of the root cause of the deficiency and the decision as to appropriate corrective action is the responsibility of the management of the relevant department or departments.Having reached decision, the responsible manager will complete the appropriate section of the Corrective Action Request form and return a copy to the Management representative.The Management representative should review the corrective actions proposed to ensure that the solution proposed does not dilute the requirements of the organisation’s Quality Policy.Complete flow-chart starting from raising of NCRs to closure of NCR is enclosed.

4 Corrective ActionThe auditee management has the responsibility for deciding on and implementing corrective action.However, corrective action may involve much more than the action designed to correct the actual deficiency found. Firstly, since every audit is a sample, each non-compliance reported may only be an example of other similar non compliances. The auditor reminds the auditee of this fact at the Closing Meeting. The auditee management must therefore first of all conduct an examination to see whether other non-compliances of a similar nature exist. If they do, then the corrective action proposed must take into account the additional information obtained.Secondly, corrective action must identify the root cause of the non-compliance so that appropriate action to prevent recurrence may be taken.Corrective actions should be consistent with the assessed risk of recurrence of the deficiency. The auditee management need to give some thought therefore as to what action is appropriate.Since it is not uncommon to be processing quite substantial numbers of corrective actions at any time, this process should be carried out in a systematic manner following a documented procedure.


127 of 131

5 Corrective Action Monitoring

It is important that the system for follow-up shall make provision for monitoring progress and expediting action if necessary.

To be effective, expediting may require referring problems of disagreement or tardy action to progressively higher levels of management – right to the top if necessary. It must be recognised that it is a serious matter to fail to implement a formal undertaking to correct an admitted non-compliance in the Quality System disclosed by the audit.

It is useful, in the management follow-up activities to keep a record of the status reached in the corrective actions being dealt with, especially when there is a considerable number of such actions arising from an audit, or where an auditor is responsible for the follow up of a number of audits each of which may have produced several requests for corrective action.

A corrective action status log may be kept as a means of controlling follow-up activities and a typical log form for this is shown at the end of this section.

6 Corrective Action Review Meeting

An organisation may decide to hold a specific meeting to review CARs raised as a result of internal and external audits.

The meeting, which should be chaired by a senior manager, should consider the progress of corrective actions to ensure that they are completed in a timely manner. In addition, the meeting should consider the nature of proposed corrective action to ensure that it will not compromise the objectives of the organisation’s Quality Policy. The meeting should discuss problem of departmental interfacing, wherever required.

The minutes of these meetings should provide a useful input into subsequent management reviews of the Quality System.


128 of 131

7 Third-Party SurveillanceCertificate issued by third-parties are valid for three years subject to continued compliance to Quality Systems. Certification bodies have a system of periodic surveillance (general frequency is once a year) to ensure that certified organisation is maintaining its Quality Systems in accordance with the terms of certification.The surveillance is generally announced but may also be done without any prior notice to the organization. Announced surveillance has advantage of ensuring availability of key persons and is unlikely to be aborted. Unannounced surveillance, on the other hand, does not leave any opportunity for window-dressing by the auditee and is perceived as more demanding.

Surveillance audit is of smaller duration than the regular audit and may include:

Auditing a limited selection of areas/systems Analysis of key records like internal quality audit

reports, customer complaints/feedback, internal rejection trends etc.

Analysis of major changes introduced in Quality system since the last audit/surveillance.

Verification of non-conformances raised in previous audit/last surveillance

General examination of areas of weak performanceSurveillance frequency may be changed depending upon the status of compliance observed in previous surveillance audits and certification bodies keep a provision for withdrawal of certification if status is not satisfactory.


129 of 131

STEPS TAKEN BY AN AUDITEE TO CARRY OUT CORRECTIVE ACTIONS (External Audit : II / III Party)

ACTIONS RESPONSIBILITYNCR IDENTIFIED AUDITOR

OBSERVATION WITNESSED GUIDE/AUDITEE

NCR FORMAT FILLED AUDITOR

NCR CATEGORISED AUDITOR/LEAD AUDITOR

NCR PRESENTED IN CLOSING MEETING AUDITOR/LEAD AUDITOR

TARGET DATE COMMITTED AUDITEE

CAUSE IDENTIFICATION AND DETAILED PLAN OF ACTION AUDITEE

IMPLEMENT ACTION AUDITEE

INFORM COMPLETION OF CORRECTIVE ACTION TO M.R. AUDITEE

INTERNAL QUALITY AUDIT M.R./INTERNAL AUDITORS

IS STATUS OK? NO M.R./INTERNAL AUDITORS

YESINFORM EXTERNAL BODY FOR

COMPLETION OF ACTION


130 of 131


131 of 131