IQA TO ISO 9000:2000

4
Audit Terms and
Definitions
Ref: ISO/CD.3 19011
1

 Audit: systematic, independent and documented

process for obtaining audit evidence and evaluating it
objectively to determine the extent to which audit criteria
are fulfilled
Audit Criteria: set of policies, procedures or
requirements used as a reference
Audit Evidence: records, statements of fact or other
information, relevant to the audit criteria and which are
verifiable (can be quantitative or qualitative)

 Audit Finding(s): result(s) of the evaluation of the

collected audit evidence against audit criteria
Audit Conclusion(s): outcome of an audit,
reached by the audit team after consideration of the
audit objectives and all audit findings
Auditee: organization being audited
Auditor: person with the competence to conduct an
audit

 Audit Team: one or more auditors conducting an

audit (one being appointed as audit team leader)
Technical Expert: person who provides specific
knowledge or expertise with respect to the subject
to be audited
Audit Program: set of one or more audits
planned for a specific time frame and directed
toward a specific purpose

 Audit Plan: description of the on-site activities

and arrangements for an audit
Audit Scope: extent and boundaries of an audit
(typically includes a description of physical
locations, organizational units, activities and
processes, as well as the time period covered
Competence: demonstrated capability to apply
knowledge and skills

IQA TO ISO 9000:2000

5
Principles of Auditing
Ref: ISO/CD.3 19011
6

Five Principles of Auditing

1
2
3
4
5

Ethical Conduct

the foundation of professionalism

Fair Presentation

the obligation to report truthfully and accurately

Due Professional Care

application of reasonable care in auditing

Independence

impartiality and objectivity of the audit conclusion

Evidence

the rational basis for reaching audit conclusions

Trust, integrity,
confidentiality, discretion

Accurate and complete

Priorities of stakeholders
necessary competence
Free from bias and
conflict of interest
Proper sampling
verifiable

IQA TO ISO 9000:2000

6
Competence of Auditors
Ref: ISO/CD.3 19011
8

Elements of Competence

Work
Experience

Personal
Attributes
Auditor
Training

Education

Audit
Experience

 There should be an evaluation process that should

first be used for initial evaluation of a person who
wishes to become an auditor
Even in case where he/she doesnt, the
development process of an auditor should be
clearly defined to ensure a sound and professional
function in the organization
Providing competent auditors is only the first step
towards ensuring the reliability of the audit process

General Guidelines

EDUCATION: minimum high school, preferably

graduation
TOTAL WORK EXPERIENCE: minimum 5 years
TOTAL QUALITY EXPERIENCE: at least 2 years
from the 5 years general
AUDITOR TRAINING: two days for internal auditor,
5 days (Lead Auditor) for the External Auditors
AUDIT EXPERIENCE: 4 complete audits or 20
days of audit

Auditors Personal Attributes

Mature
unbiased and fair
ethical
open minded
diplomatic
observant
decisive
self-reliant

IQA TO ISO 9000:2000

7
Managing An Audit
Program

What is being Audited ?

Processes

Product

Machinery

Facilities

People

Procedures

Why an organization is being

audited?

it is an ISO 9000s requirement

no trust on employees
check and balance is a human nature
people tend to forget and/or neglect
managers are not competent
a sort of an external and internal
pressures to run systems
or anything else

How the extent of an audit

vary?
Large
LargeTextile
Textile
Spinning
Spinning
1000
1000persons
persons
44processes
processes

Automobile
Automobile
Plant
Plant
400
400person
person
3355processes
processes

Scope ?
Objective?
Duration?
Expertise?
Frequency of Audit?
Complexity of Product and Processes?
Legal Requirements?
Standards?
Audit Criteria?
Social Environment?
Educational Environment?

Dental
DentalClinic
Clinic
33person
person
Many
ManyComplex
Complex
Treatment
Treatment
Processes
Processes

What resources are required to

audit?
Large
LargeTextile
Textile
Spinning
Spinning
1000
1000persons
persons
44processes
processes

Automobile
Automobile
Plant
Plant
400
400person
person
3355processes
processes

Dental
DentalClinic
Clinic
33person
person
Many
ManyComplex
Complex
Treatment
Treatment
Processes
Processes

Number of Auditor(s)?
Competence of Auditor(s)?
Technical Expertise?
Duration?
Administration?
Documentation?
Stationary?

Can you identify companys

Product ?
Shoe company
Pharmacy
Hospital
Airline
University
Primary School
Insurance Company

What does it mean to Audit a

Process Model ?

to audit every process

to audit departments in a certain sequence
to audit people in a certain sequence
to audit QMS in a certain sequence and logic

Discussion Exercise - Process

Model
You are auditing a purchase dept. that buys
material for the company. How would you apply the
QMS Process Model on the activities of the
department? Identify the sequence of your check
points / from the requirements of ISO 9000:2000.

Audit Process

1
2
3
.

Initiating the Audit

Definition of scope, objective and

criteria
Establish audit team and contacts

Document Review

Review the documents of the QMS and

establish their completeness and correctness (relevance to their processes)

Site Audit
Preparation

Planning
Team assignments
Preparing working documents

Audit Process (cont.)

Site Audit

Opening Meeting
Verification Process (collecting and
verifying information), audit findings,
communicating findings, closing meeting.

Audit Reporting

audit report preparation

report review, approval and distribution
retention of documents

Audit Completion

confirmation of completion as per the

audit plan

Audit Follow-up

Verification of Corrective, Preventive

and/or Improvement Action

Key Points of the Audit Process

Audit Objectives, scope, and criteria

to be defined by the auditee
Objectives: compliance to all applicable ISO 9001 QMS
requirements, legal obligations (illegality) for product
conformity, contractual obligations to clients, and
consumer protection (in general)
scope: boundaries of audit, I.e. location, organizational
units, activities and processes to be audited
criteria: applicable policies, procedures, standards, laws,
QMS requirements, contractual requirements, industry
codes,

Audit Teams Requirement

GENERAL
independence, process familiarity, mature personality,
good communicator and analyzer, motivated, physically fit,
socially disciplined, free from conflict of interest, honest,
capable to write objective audit findings/reports, not
submissive, and interactive

APPROPRIATE COMPETENCE
relevant technical expertise or take assistance of technical
experts with appropriate technical knowledge, skills and
experience.

Auditees Right on acceptability

of Auditors
Both the audit client and auditee have a right to
request the replacement of particular team
members on reasonable grounds, which should be
communicated to those responsible for managing
the audit program.
Examples of reasonable grounds can be conflict of
interest situation (formal employees, consultant),
unethical behavior, lacking appropriate professional
background of the audit team, non-professional
behavior (e.g. violating confidentiality), etc.

Document Review

A necessary step before site audit

Should be reviewed in light of audit objectives,
scope and criteria
A preliminary on-site visit may be necessary to be
able to carry out the document review
Document Review should be done very carefully,
and is most effectively done with the support of
relevant records.

Planning for On-Site Audit

Parameters of plan: auditor(s), departments /

sections, time (usually hours), applicable QMS
processes (clauses), applicable criteria (standards,
legal, contractual, etc.), locations / sites, logistics,
language limitations, technical expertise (doctors,
computer specialists, pharmacists, architecture,
etc.)

Working Documents

Audit procedure
audit checklist(s)
sampling plan
forms / papers for recording information and
supporting evidence
NCR forms

On-Site Activities

Opening Meeting
Investigation

Observation
Interviews
confirmations
Communication

Audit Findings
Closing Meeting

Opening Meeting

Establish an Audit Environment and Communication

links with the management
Inform about the audit plan and methodology
confirm the audit criteria (contractual, legal,
industrial, and companys obligations and
standards)
confirm the sampling plan (number of samples to
be used in the width and depth of audit)
confirmation of relevant work safety, emergency
and security procedures for the audit team

Investigation

Main objectives:
what are the contractual and legal requirements
Does the company products meets the contractual and
legal requirements
Is consistency ensured in the standards
Are company policies and procedures followed as a
routine activity
Is the company following the standards and procedures
genuinely
Is there any serious discrepancy between what is
produced and the test results

(cont.)

Interviews:
relevant people must be interviewed directly at all levels
auditor should go to the relevant people to interview; they
should not be called to answer the auditor
tone must be respectful and genuine
objective of interview must be clarified to the interviewee
Types of questions: Open-ended, Closed-ended, Leadingquestions, Personal -questions, Interrogative-questions,
taunting-questions. Certain types must be avoided.
The results from the interview should be summarized and
reviewed with the interviewed person
End must be with thanks

(cont.)

Observations and Confirmations

actual products
actual processes (operators, skill levels, equipment,
material)
actual operators
actual environment
actual records
external documents (customers, vendors, legal, and
referenced standards)
computerized data bases
effectiveness of procedures

Audit Findings
Auditors should review all facts and the overall
situation
Conformities should be summarized to at least indicate
locations, functions, processes, or requirements that
were audited, where no nonconformities were
observed
Nonconformities should be recorded and supported by
audit evidence. It should be reviewed by the auditee
to ensure accuracy and understanding.
Difference of opinions should be resolved before
finalizing

Nonconformity Statement a critical output of an Auditor

Few auditors write accurate, clear, and complete
statements of non-conformity
Example of a good non-conformity statement

One of the voltmeters, number 389000, used for the

testing of generators at the final test bench of the
main assembly shop was not calibrated, as required
by the Quality Procedure No. QSP4.11/2000. All
test equipment which affect product quality shall be
calibrated to ensure accuracy of results

(cont.)

Poor way of writing NC statements:

Examples

quality objectives were not defined

test equipment was not calibrated
there were no training programs
identifications were missing
the procedure for SPC was wrong
Can you identify why the above statements are not good?

(cont.)

Statements blaming to wrong people !

An operator was repairing the machine with wrong
method
OR
The operator was not properly trained to repair the
machines
who is to be blamed in the same incident above?

Preparing for the Closing

Meeting

Review the overall audit findings

Prepare the list of audit findings
reach consensus on the audit conclusions
agree on the roles and tasks for the closing
meetings (for more than one auditors)
prepare recommendations
discuss subsequent audit follow-up

Closing Meeting

Present overall conclusion and findings. Address

your summary of Conformity and Non-conformity,
both.
Present non-conformities in order of priority (from
more important findings to less important)
Provide direction to management on Corrective,
Preventive and Improvement actions. It is auditee's
responsibility to identify C/A or P/A; however they
normally do not understand the difference.
Confirm follow-up audit

AUDITEE

AUDITOR

Auditor-Auditee Roles

Audit

Audit
Report

Identify
Rootcause &
Suggest
C/A

Approve
C/A

Take
C/A

Verify
C/A

Improvement

Audit Report

Should provide a complete, accurate, concise and

clear record of the audit and should contain audit
conclusions on the following issues:
extent of conformance of the management system to the
audit criteria
effective implementation and maintenance of the
management system, and
the ability of management review process to ensure the
continuing suitability, adequacy, and effectiveness of the
management system

Contents of Audit Report

The second/third party reports are formal, whereas,

first party audit can be less comprehensive and
may include just nonconformance reporting.

Audit Follow-up
Focus should be on whether the auditee has gone into the
root cause of the nonconformance, and whether solution
provided by the auditee eliminate the root cause(s)
Auditee tend to neglect timely corrective actions.
Therefore, auditor should ensure timely corrective actions.
Appropriate time should be ensured, as most often daily
or weekly solutions are projected into monthly tasks.
Just recorded answers to solutions are not sufficient.
Physical verification of effectiveness of the solution is
necessary

Audit Completion

An audit is completed when all activities in the audit

plan have been finalized and the approved audit
report has been distributed

Normal Problems in Audits

Lack of Product Orientation

Lack of Process Orientation
Non-technical audits in technical areas
Incomplete audits
depth
width

Final Words ...

Audits driven by professional programs can be highly valuable

in improving the Quality of organizations. On the other hand,
if conducted unprofessionally, the same can be damaging
Auditors and audit programs should also be subject to
checking and improvements
Progressive development of auditors is generally neglected,
resulting in poor value
Technical competence and personal attributes are both
important parts of the auditors
Announced audits can be mixed with unannounced ones