The auditor should accompany the person, or perhaps arrangements can be made to get it later. The standard should be thought of as a business management tool an organization can use to drive value, improve its operations and reduce its risks.
People may sometimes be very well meaning, but if they spend a lot of time explaining things that the auditors have not asked them for, they must be politely stopped. Each data base record has five columns, one each of following: 1. How serious is it?
What is ISO 9001:2015 – Quality management systems? - Anything that uses up time that was otherwise planned for auditing can be included here.
ISO 9001:2015 Clause 9. In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited. External audits include those generally termed second- and third-party audits. Second-party audits are conducted by parties having an interest in the organization, such as customers, or by other persons on their behalf. When two or more management systems are audited together, this is termed a combined audit. When two or more auditing organizations cooperate to audit a single auditee, this is termed a joint audit. Introduction: An audit is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. Audits are structured and formal evaluations. The term systematic means the company must plan and document its system for auditing. It must have management support and resources behind it. Audits must be performed in an impartial manner, which requires auditors to have freedom from bias or other influences that could affect their objectivity. For example, having responsibility for the work, or a vested interest or shares in a supplier or third party company they are assigned to audit, would be conflicts of interest. Internal audits must be carried out to a procedure according to requirements given in clause 9. The procedure must address the responsibilities for conducting the audits, ensuring independence, recording results, and reporting to management. Audits obtain objective evidence of conformity with requirements. The evidence must be based on fact and may be obtained through observation, measurement, test, or by other means. Evaluating the extent to which audit criteria are fulfilled involves an assessment of both implementation and effectiveness. Is the organization practicing what it described in its documentation? Are the practices being carried out well? 
The presence of nonconformities in a department or process may indicate the system is ineffective for those areas. While making an audit program, consideration must be given to the importance of concerned processes, changes impacting the organization and the results of previous audits. It must define audit criteria and scope for each audit. It must select auditors and conduct audits so as to ensure an impartial and objective audit process. It must ensure results of audits are reported to relevant management. It must retain evidence of audit program implementation and audit results. Internal audit is one of the important tools required by this standard, used to gauge the health of your QMS. How effective is it in meeting ISO 9001, your own QMS, customer and regulatory requirements? You must have a documented procedure for your internal audit process. In determining the time frame for your audit program, you should consider organization size, complexity of product and processes, health of the QMS, customer, registrar and regulatory requirements, etc. The most common time frame is six months. Audit criteria may relate to the whole audit program as well as each individual audit. Audit methods refer to the specific techniques that auditors use to gather objective audit evidence that can be evaluated to determine conformity to audit criteria. Examples of audit methods include interview of personnel, observation of activities, review of documents and records, etc. You must define the minimum qualification requirements for internal auditors. These requirements include knowledge of QMS processes and their interaction, related QMS controls, customer requirements, applicable regulatory requirements, the ISO 9001 standard, the audit process and audit techniques. Internal auditors need to be trained in the ISO 9001 standard as they generally audit for conformity to organizational requirements and also for conformity to ISO 9001 requirements.
Additionally, the ISO 19011:2002 Guidelines for quality and environmental auditing says that auditors should have knowledge of quality management system standards and their application to the organization. You must have appropriate resources for your annual audit program. These include having sufficient trained auditors available to conduct scheduled audits, sufficient time to perform audits, availability of department or process personnel to be audited, time and tools to prepare audit records and reports, etc. Auditors should be independent. During the audit, auditors should ensure that the objectivity and impartiality of the audit is not compromised. Auditors cannot audit their own work. Auditor independence must be ensured when assigning personnel to specific audits. Process owners must take timely corrective action on nonconformities found in their area. They should use the corrective action procedure to determine root cause, take appropriate action and follow up to determine if results indicate that the root cause has been eliminated. Audit results must be summarized and reported for management review. The Process manager must also report any opportunities for QMS improvement. The Process manager must analyze the results of each audit as well as the annual audit program to determine strengths and weaknesses in QMS processes, interactions, functions, products, etc. Audit records include annual audit schedule, audit planning such as criteria, scope, frequency, methods, auditor selection and assignment, etc. Performance indicators should be used to measure the effectiveness of your internal audit process and monitor trends in these indicators, to continually improve your audit program. Performance indicators may include reducing the number of late or delayed audits, incomplete audits, incomplete audit records and late reports, auditor errors, auditee complaints, and use of untrained auditors, etc.

Audit Objectives

Always establish the objectives of the audit.
Audit objectives are not limited to the ISO 9001 standard. Clear audit objectives help determine the scope and depth of the audit, as well as the resources needed. Being clear on the objectives provides focus and helps keep the auditor from being distracted and going off on unnecessary detours beyond the scope of the audit. This type of audit requires the auditor to use a fair degree of judgement to establish whether controls are adequate. Many second and third party audits are carried out as Quality System Audits, as are many audits for the purpose of consultancy. Audits that are carried out against specifically defined practices, procedures, and instructions, and that are perhaps but not necessarily more limited in their scope, are termed conformity audits. Many internal audits and many contract related audits between two parties are carried out as conformity audits. Process and product audits are subsets of QMS conformity audits and therefore limited in scope. Process audits may include the following processes, as well as related sub-processes: Context of organization; Leadership; Planning; Support; Operations; Performance evaluation; Improvement. For the purposes of this discussion, however, there are two basic types, further sub-divided according to different emphases and objectives. The two types are external audits and internal audits.

Second Party Audits

These audits, carried out by one company on another, originally came from the idea of an organization auditing its suppliers. There are a number of reasons why an organization may wish to audit its suppliers. It can also highlight likely additional costs.

Third Party Audits

As a result of the growth in interest in Quality Assurance during the 1960s and 1970s, more and more second party audits were being carried out. Some companies in certain fields had to employ people whose sole task was to accompany visiting auditors around the company!
Clearly this state of affairs was helping nobody, particularly the supplier. After considerable discussions at national levels, the ISO 9000 scheme was introduced to rationalize all the assessment schemes as a third party audit operated by an independent body that would certify companies as conforming with the Standard or not, as the case may be. Various bodies became registration bodies (Registrars), and BSI, UL, SGS, DNV are prominent examples. On payment of an initial fee to the Registrar, they will assess your Quality Management System to ISO 9001 and, depending on the results of the assessment, the organization would become registered.

Internal audit or First Party Audits

First party audits are carried out by an organization on itself to confirm to management that their documented quality management system is working effectively. By establishing an internal audit program, management is making available an extremely useful and powerful tool for improving business, and for assessing the effectiveness of the quality management system. Of course, in considering 3 above, it means that if an organization is to find for itself the kinds of nonconformities that external bodies are likely to find, it should, if possible, carry out its audits in a similar way to the Registrars. It must be remembered that all audits are based on sampling; therefore, there is no guarantee that all nonconformities will be found during the internal audit process. Management must take appropriate actions based on the review of quality system strengths, weaknesses, and opportunities for improvement. The allocated time and for conducting internal audits demonstrates top management commitment. If the purpose of the audit is properly communicated, and employees realize that the audit is not an evaluation of personal performance, they are more likely to discuss weak areas and opportunities for improvement. This should lead to improvement in operational performance and improved customer satisfaction.
The Auditor within the Audit System

All systems in an organization have to be designed and made to work by people. The audit system is no different. It must have procedures and training to advise the auditor what the role requires, and also what and who qualifies or authorizes the auditor to do the work. An auditor is defined by ISO 19011 as a person with the competence to perform an audit. To perform an audit, the auditor must be authorized for that particular audit.

Auditee

The auditee is a department or process of the organization to be audited. The auditee could be one of its manufacturing or service facilities. It includes auditor behavior that reflects trust, integrity, confidentiality and discretion. Auditors must exercise care related to the importance of the task and the confidence placed in them by the auditee and other interested parties. Having the necessary competence is an important factor. Auditors must be open-minded and base decisions on objective evidence. They cannot assume, feel, or impose their views. Remember that ISO 9001 is interpretative, not prescriptive. There are many ways to implement a requirement to achieve effective control. Keep an open mind. Be mature, have sound judgement, be tenacious, be perceptive and realistic. Sound judgment and analytical skills are gained through research and experience in interpreting and applying the requirements of the standard. Learn from experienced auditors. Take notes of their audit evaluation techniques. It refers to your ability to stay focused on the audit objective and scope, in spite of distractions. Perceptive means being alert to changing circumstances or concerns. Realistic is being pragmatic. How serious is it? What is the probability of occurrence? Very few organizations are alike. They have different products, processes, management structures, culture, and environment.
Auditors must learn to quickly gauge these factors to determine to what extent they will facilitate or hinder conducting the audit. They must be selected to perform impartial and objective audits. From a second or third party perspective, independence may be jeopardized if the auditors have a business or other association with the second or third party company that may influence their objectivity, or they own shares in the company to be audited, or their spouse or relative works there.

Role of an Internal Auditor

Internal auditors may have many roles depending upon whether they perform as Lead auditor or team member. The scope and objective of the assignment must also be taken into consideration. Internal auditors report audit findings to top management so the system can be improved. Internal auditors may facilitate in the communication, documentation, and implementation of the system and communicate with the registrar or customers. They may also act as guides during audits by external auditors or customers. They know the facility and audit process, plus it provides a good learning opportunity. They may consult as a resource for interpretation, as well as facilitate in implementation of the requirements through provision of training and review of implementation steps. If they are directly involved in implementation, or take corrective actions, they should not audit the areas they implemented. The Registrar would likely view such activity as a conflict of interest. Internal auditors cannot audit their own work and must remain impartial and objective. They must behave professionally and maintain confidentiality of information.

Managing An ISO 9001 Audit Program

Authority for Audit Program

An ISO 9001 audit program may include one or more audits, depending on the size, nature and complexity of the organization to be audited. These audits may have a variety of objectives and may also include joint (multiple auditing organizations) or combined (QMS and EMS) audits.
An audit program also includes all activities necessary for planning and organizing the types and number of audits, and for providing resources to conduct them effectively and efficiently within the specified time frames. An organization may establish more than one audit program. If the organization to be audited operates both quality management and environmental management systems, combined audits may be included in the audit program. In such a case, special attention should be paid to the competence of the audit team. Two or more organizations may cooperate, as part of their audit programs, to conduct a joint audit. In such a case, special attention should be paid to the division of responsibilities, the provision of any additional resources, the competence of the audit team and the appropriate procedures. Agreement on these considerations should be reached before the audit commences. An audit program also includes appropriate planning, the provision of resources and the establishment of procedures to conduct the audits within the program.

Establishing the ISO 9001 Audit Program

Audit program objectives

Objectives should be established for an audit program to direct the planning and conduct of audits. Importance — Refers to the criticality of the process or activity to the quality of the product or service critical internal or external suppliers. Audits — refers to the results of previous internal and external audit results. You must consider past audit findings and coverage in setting audit frequency. The complete quality management system must be audited at least once a year. Weak areas or activities must be audited more often. Top management determines the frequency of internal audits with the help of the Management Representative. Audit frequency is also determined by contractual or regulatory requirements, as well as significant changes in ownership, policies, products, processes, technology, control systems, documentation, or the organization.
Audit Program Responsibilities, Resources And Procedures

ISO 9001 Audit Program Responsibilities

The responsibilities for managing an audit program should be assigned to one or more individuals with a general understanding of audit principles, of the competence of auditors and the application of audit techniques. They should have management skills, as well as technical and business understanding relevant to the activities to be audited.

Audit Program monitoring and reviewing

The implementation of the audit program should be monitored and, at appropriate intervals, reviewed to assess whether its objectives have been met and to identify opportunities for improvement. The results should be reported to top management.

Audit Activities

The extent to which audit activities are applicable depends on the scope and complexity of the specific audit and intended use of the audit conclusions. Where a joint audit is conducted, agreement should be reached between the audit organizations, before the audit commences, on the specific responsibilities of each organization, particularly with regard to the authority of the team leader appointed for the audit. The leader has responsibility for planning, conducting, and reporting the audit, following these rules and guidelines. The leader is briefed on the objectives and scope of the audit and is then required to specify the resources necessary to carry out the audit, in terms of staff days, and the number of auditors required, including any with special technical expertise. This latter point about technical expertise merits some discussion. There are some schools of thought that say that an auditor does not need technical knowledge of the area they have to audit. The auditor needs knowledge of quality management systems and the Standard. This is, of course, partly true. However, auditors will be required to use all applicable senses during an audit.
Familiarity with the kinds of processes going on around the audit will allow auditors to determine conformity, or otherwise, quicker and with probably less doubt, than if they have little experience of that particular process. With lack of knowledge or experience, it will take auditors longer to reach the same decision based on the same evidence than it would take an experienced auditor. The team leader may be chosen on the basis of particular experience or it may be decided to include a member in the team who has particular expertise. The objectives can be many and diverse, but it is essential to be clear on the objectives at the beginning of the audit process. Any team of auditors is likely to split up to audit individually. Each auditor will need an escort and each auditor will take up auditee management time. Although the auditors are working separately, they share a common objective and will meet regularly to review progress. If the teams were in there for a short time only, there would be little chance to do this. It can be seen, therefore, that either two people for four days, or four people for two days, is likely to be the optimum. The choice will depend on auditor availability, auditee preference, and cost. In second party audits, the Auditor Company is paying for the audit. They employ the auditors. However, as costs have risen, it has become more typical for audits to be carried out by individual auditors. In internal audits it has been typical, and remains so, to have one person auditing alone. Much information can be gathered and benefit derived from a preliminary visit. In summary, the purpose of preliminary visits is to clarify the scope and objective of the audit, agree on the procedures to be adopted during the audit, and to resolve any misunderstandings. These visits may not always be practical and factors such as time, costs, distance and availability of personnel to send may need to be considered.
The documentation may include relevant management system documents and records and previous audit reports. The review should take into account the size, nature and complexity of the organization, and the objectives and scope of the audit. In some situations, this review may be deferred until the on-site activities commence, if this is not detrimental to the effectiveness of the conduct of the audit. If the documentation is found to be inadequate, the audit team leader should inform the program manager and auditee. A decision should be made as to whether the audit should be continued or suspended until documentation concerns are resolved. Some auditors favor starting at the point in a company where inquiries from clients are received. The auditors then follow the process through confirming an order, going through technical, procurement, inventory, production, test, shipping, and service, plus taking in specialized areas along the way. The auditors follow a specific order or set of processes through the system and examine controls of each process along the way. Yet another strategy is to consider all the activities in a particular department without reference to overall workload. Internal audits in each department often take this approach. There are some ISO 9001 clauses that are applied across the board in all departments such as clause 7 support and clause 10 improvement. These can be audited by themselves or in combination with process, product, department, or contract strategies. Audits must always be planned. Audits that are not planned are likely to reflect worst practices. The auditors need to be sure that the plan gives them enough time in each area for sharing of information within the team and to advise the auditee of where they are likely to be at any given time. The plan should facilitate scheduling and coordination of audit activities. The amount of detail in the audit plan should reflect the scope and complexity of the audit. 
The details may differ, for example, between initial and subsequent audits. The plan should be sufficiently flexible to permit changes in the audit scope, which can become necessary as the on-site audit activities progress. It is up to the team leader to determine how much flexibility to allow so the achievement of the audit objective and scope within the agreed time is not compromised. It should be reviewed and accepted by the process manager, and presented to the auditee and communicated to the audit team members, before the on-site activities begin. Any objections by the auditee should be resolved between the audit team leader and the auditee. Any revised audit plan should be agreed to among the parties before continuing the audit. A typical plan might look like the one below based on a two-day audit with two groups. Some of the information above may be included in a cover letter with the audit plan. Such assignment should take into account the need for the independence and competence of auditors and the effective use of resources, as well as the different roles and responsibilities of auditors, auditors-in-training and technical experts. Changes to the work assignments may be made as the audit progresses, to ensure the achievement of audit objectives. The audit team members should review the information relevant to their assignments and prepare work documents as necessary for reference and for recording audit proceedings. Such work documents may include a copy of the ISO 9001:2015 Standard, checklists, sampling plans, forms for recording information such as supporting evidence, audit findings and records of meetings. Work documents, including records resulting from their use, should be retained at least until audit completion. Confidential and proprietary documents should be suitably safeguarded at all times by the audit team members.
Documents pertaining to the audit should be retained or destroyed by agreement between the participating parties and in accordance with the audit program procedures and applicable statutory, regulatory and contractual requirements. The use of checklists and forms should not restrict the extent of audit activities, which can change as a result of information collected during the audit. Always go prepared with them. They are designed to facilitate your audit by keeping observations and objective evidence organized and easy to retrieve. The auditor tools make you look and perform as a professional. The company conducting the audit usually defines the format of the checklist. The checklist defines the sample. The checklist must, therefore, be as representative as the auditors can make it, bearing in mind the objectives of the audit. There will be a considerable number of checklists prepared for a large audit; probably one for each department, and where different responsibilities exist within a large department, perhaps further checklists for each group. The checklists are not meant to be that at all. In developing suitable checklists, another factor must be considered. Not all audits (1st and 2nd party only) are carried out on organizations with quality manuals and comprehensive formal procedures. Many small companies may operate very well, profitably, and consistently satisfy their customers without extensive quality documentation. Any company, in fact, that stays in business has a quality system. At this stage, you might give thought as to how you would plan the steps to audit an organization that does not have a formal documented system. Auditors may find it necessary to ask both very broad questions and some of a much more specific nature. The two types of questions indicate two types of checklists: Process criteria checklists and audit checklists.
Process Criteria checklists convert clauses of the standard into questions related to the process characteristics — inputs, outputs, interactions, value added activity, controls etc. Many of the more detailed questions are those for use on an audit checklist. It might be reasonable for an auditor to start off with a criteria question in mind, but then select a sample and ask many other questions. Less experienced auditors are advised to frame in full the points to probe on a checklist, while a more experienced auditor may use keywords instead. It may be decided to look at documents, records, product, or equipment, and look for approval, completeness, status, and condition. It may be decided to look at the Internal Audit System and look for a statement of its authority, comprehensive coverage of the system, training of auditors, timely action on findings, and follow up. Clarity of mind concerning audit objectives and scope is therefore a must. The other point made in preparing checklists concerns making the sample representative. How can the auditor do this? There is no simple answer. Always using the same checklist is not to be recommended, although this is widely practiced. What are the inputs and outputs, the sequence and interaction with other processes? If a representative sample is to be selected, then it is reasonable to look at what the process spends most of its time doing. Therefore, an engineering office process may be mainly preparing drawings and parts lists, a merchandiser in a retail organization may be mainly assessing products and negotiating prices, and a laboratory may be mainly making up standard formulations. If the purpose of the audit is to establish the degree of conformity with specified requirements, then the representative sample on the checklist should reflect these major activities. However, consider some of the other duties.
Engineering personnel may carry out onsite troubleshooting, provide technical advice, prepare sales and service literature, and take technical customer calls. Purchasing agents may also influence outlet stock levels, pricing, display, and safety policy. Laboratories may carry out special studies, development tests, and fault analysis, as well as provide specialist advice. Perhaps some of these aspects should be considered in the audit and, therefore, be added to the checklist. There is a further aspect to be considered by the auditor. The systems in any organization are fine when key personnel are there and no one is absent, ill, or on vacation. The systems are fine until some pressure is put onto them, such as: the end of the month rush for invoicing, the major failure of equipment for an important customer, or a flood of warranty claims. What happens when the systems fail? How does the department react to put things right and keep them that way? There is, therefore, considerable choice open to the would-be auditors. The selection of subjects is up to them. Neither is right or wrong. It would be impossible to predefine the sample. There is no shortage of material for the auditor to examine. But there are disadvantages with checklists: they can be standardized and stifle any initiative and analysis of the process; they may become nothing more than a tick list. Very careful planning before the audit is essential. It pays considerable dividends during the audit. Bearing in mind the limited time on any audit, the auditor wants to spend it auditing, not wondering what to look at next. There is now considerable evidence that audits done this way are ineffective and all such auditors have done the profession a disservice. The audit conclusion is based on scant information and usually unrelated to the audit objectives. There is a school of thought that says the checklists should be sent to the auditee prior to the audit.
This may have the advantage of saving time during the audit, as certain information can be made available. Other schools of thought are opposed to such an idea and, of course, it does depend on what the checklist contains. In principle, it should not matter that the checklists are sent if the auditee understands them and if this contributes to the achievement of audit objectives. The main purpose of the checklist remains as a memory aid for the auditor. This point is related to another. Some auditors prefer not to advise the auditee that an audit is going to be carried out. There is little merit in this, as having auditors suddenly leap out and take people by surprise is not generally sound policy, nor is it considered to be professional. Successful and effective audits are somewhat dependent on a good and trusting relationship between auditor and auditee. Surprise audits project the image of the auditor as a secret agent and, therefore, add nothing to the trust. This can be a good thing; there is nothing wrong in that. The auditor, if capable, needs to be considering more important potential improvements.

Conducting The Opening Meeting

The opening meeting, sometimes called the entry meeting, pre-audit conference, or start up meeting, is typically held at the location of the audit. Good practice demands the auditors arrive together, neither early nor late, otherwise it can be embarrassing for both parties and, what is more, it is unprofessional. This meeting, as any other, requires preparation by the team leader. The audit team has prepared an agenda to ensure that all necessary points are covered quickly and efficiently. The way the opening meeting is carried out can set the style or tone for the remainder of the audit. The opening meeting is the place to establish the rules of conduct for the audit. It is normally a requirement to record the attendees at this meeting.
Passing around an attendance sheet and asking everyone present to record their name and position is a practical solution. However, plans may have to be altered slightly and these possibilities should be covered at this stage. The plan should have enabled the company to ensure that someone represents them in each department and has been made aware of the audit and will therefore be available as defined by the plan. The team leader should confirm the intention to keep to the plan to the extent possible. Both conforming and nonconforming aspects will be seen and missed. The team leader should assure management, however, that they will make samples as representative as possible and draw only reasonable conclusions. Such restrictions include clean areas or hazardous areas where particular arrangements for protective clothing have to be made. The team leader also needs to confirm the current issue status of the key documents in the quality management system. When all the above and any other matters have been dealt with, the team leader should bring the opening meeting to a close by thanking management and confirming the date, time, and location of the closing and any interim (end of day management briefings) meetings.

Communicating During the Audit

Depending upon the scope and complexity of the audit, it can be necessary to make formal arrangements for communication within the audit team and with the auditee during the audit. The audit team should confer periodically to exchange information, assess audit progress and to reassign work between the audit team members as needed. During the audit, the audit team leader should periodically communicate audit progress and any concerns to the auditee and top leadership, as appropriate. Evidence collected during the audit that suggests that an immediate and significant e. Any concern about an issue outside the audit scope should be noted and reported to the audit team leader, for possible communication to the auditee.
Where the available audit evidence indicates that audit objectives are unattainable, the audit team leader should report the reasons to the auditee to determine appropriate action. Such action may include reconfirmation or modification of the audit plan, changes to the audit objectives or audit scope or termination of the audit. Any need for changes to the audit scope that can become apparent as on-site audit activities progress should be reviewed with and approved by the process manager and, as appropriate, the auditee. Auditing deals with people. People are unpredictable in their behavior, emotions, and dispositions. A good auditor must know how to interact and get the information from people in an effective manner. Within a very short time of meeting someone, the auditor needs to have developed a degree of rapport with that person to obtain the facts essential to the investigation, while remaining objective. If these facts are indicative of a lack of management control in the area, then the auditor needs to be tactful in the way these findings are presented. The main method of soliciting information is by asking questions in a series of interview situations. Though it is not always appreciated, the best interviewers are those who say the least and have an ability to listen or hear what is being said. By combining this with the right kind of attitude and tone, the auditors generate the kind of atmosphere in which good communication can take place. It has been noted that the auditor needs to interview the right people, that is, the people who have control over the aspect of the system being audited. Thus it would be wrong to ask the Purchasing Manager how Design is managed unless, of course, the manager was responsible also for that. The interviewee (the auditee) must not feel threatened by the auditor. Many people are easily intimidated by auditors.
The auditor can avoid generating this kind of feeling by being polite, patient, slightly informal, and not afraid to smile. Showing interest in what people say is essential. There are no recommended facial expressions or head movements to obtain information; each auditor will develop their own style. It often happens that the auditee, because most of them are human, misunderstands a question or is determined to tell the auditor about some other matter. They may even say something that the auditor knows not to be true. If the auditor interrupts abruptly, or directly contradicts the auditee, easy communication will not continue. At the end of the interview, the auditor should thank all the auditees for their help and time, regardless of whether it was beneficial or otherwise. Auditors who lose sight of this will not be effective. They are better off asking two questions than losing their way because they asked only one. The quality of the audit can be considered in terms of achieving the audit objectives. The ability to discover information of relevance (facts related to the audit objective) is dependent on the ability to ask the right questions. Although a clumsy description, the idea is the same. Questions beginning with these words will elicit more than just Yes or No answers and are, therefore, called open questions. It takes longer to answer such a question than it does to ask, so the auditor also gets some thinking time. Auditors can control the tone of discussions to their advantage with the use of these questions since the questions demand meaningful answers. It is impossible to correctly answer an open question with a Yes or No response. They can also encourage junior people in an organization to say more. The auditee can feel at ease and the auditor is able to clarify a point without embarrassing the auditee. For example, the raising of the eyebrows while maintaining eye contact can indicate a wish for the auditee to continue.
Also, remaining silent after you have been given an answer and continuing to look at the auditee in an expectant manner often encourages people to carry on talking without verbal interruption. Such a technique must be used with care to avoid the appearance of an interrogation. No question should be considered too stupid for the auditor to ask if the audit objectives are going to be met. However, repetitive or dumb questions should be used sparingly. If overused, the repetitive questions can be seen as an inability to communicate, and too many dumb questions may cause the auditee to wonder whether it is deliberate or not. It is reasonable to ask people what they would do if an instruction is not received or if key individuals were unavailable. It is not reasonable to add together a complicated set of possibilities in the remote chance that this would possibly cause a problem. There is usually enough material in actual current practices without overdoing hypotheses. They are assumptive and can be very powerful. They should only be used in audits where the Yes and No answer can quite definitely be given because of what has gone before. They should be used to verify that the auditor has clearly understood what has been explained. Such questions can also save time, although they should not be used for this reason alone on an audit. Another type of closed question is the leading question that is used when a quick reply is required and the auditor wishes to suggest the right answer. Leading questions are common in bad audits and rare in good ones. The auditor should not lead the auditee to an answer except perhaps after exhaustive attempts have been made to reach a conclusion by other means. It is taken for granted as a management skill, but auditors must learn to identify and use the appropriate techniques. In this way, they will improve communications and conduct more effective audits. The team leader manages the audit team and also shares in the auditing workload. 
They can only watch the audit, take notes as necessary, and clarify issues at the audit team meetings. Their role is not to audit, but to provide technical guidance on products, processes, and activities. They should ensure that the audit team is aware of and conforms to the safety and security rules of the organization. They should not participate in the audit interview unless invited to do so by the auditor, perhaps to clarify a question or assist in collecting information. They should take notes and witness the audit observations. Observers and trainees must not participate in the audit interview, but should take notes to witness or learn.

Collecting and verifying information

During the audit, information relevant to the objectives, scope and criteria, including information relating to the interfaces between functions, activities and processes, should be collected by appropriate sampling and should be verified. Only information that is verifiable may be audit evidence. Audit evidence should be recorded. The audit evidence should be based on samples of the available information. Therefore, there is an element of uncertainty in auditing, and those acting upon the audit conclusion should be aware of this uncertainty. Auditors must not allow their opinions or prejudices to influence decisions. Audit evidence supports the existence or conformity of an element of the quality management system. Audit findings can indicate either conformity or nonconformity with audit criteria. When specified by audit objectives, audit findings can identify an opportunity for improvement. The audit team should meet as needed to review the audit findings at appropriate stages during the audit. Conformity with audit criteria should be summarized to indicate locations, functions or processes that were audited. If included in the audit plan, individual audit findings of conformity and their supporting evidence should also be recorded.
Nonconformities and their supporting audit evidence should be recorded. Nonconformities may be graded or classified. They should be reviewed with the auditee to obtain acknowledgement that the audit evidence is accurate and that they are understood.

Evidence gathering process

In order to gain the facts, and enough of them from which to come to a conclusion, auditors have to examine samples of documents, items, products, etc. Only the auditors can decide how many samples should be taken. It would obviously be dangerous to see one example of a system in correct operation when there are hundreds of examples that could also be looked at and assume that because one had been seen the system was correct all the time. Similarly, it would also be wrong, particularly if a minor aspect is being considered, to look at every single example. Typically, sample size can vary between 6 and 30 items. In most cases, this small number will be sufficient as long as some attempt has been made to make it representative. To make a sample representative, it needs to be chosen at random. One way to do this is for the auditor to make the choice of sample with management permission. The smaller the set of evidence, the smaller the sample. However, in some cases, a 100% sample might be appropriate. For example, if quarterly management reviews and semi-annual surveillance audits, both meeting minutes would be examined. The audit will continue in this vein. The auditor asks the departmental representative how something is done and confirms what has been said by examining samples or talking to someone else. Certain systems, for example, those for documentation control, are company wide and every department has examples of documents. The auditor needs to be clear about who is responsible for what when verifying the correctness of the documents seen in any given department. Auditors should always seek the help of local personnel affected by the system in question in understanding the evidence.
Naturally, the kind of evidence often being produced is that which will show a failure of the system or a lack of management control. Provided that the auditor has remained objective, has been open with the people contacted, and has invariably been polite in requests for information, there should be no difficulty in reaching agreement on such points with the responsible persons.

Taking Notes

Only the most experienced auditors make sufficient notes of all the relevant things seen and heard during an audit. It is obviously an extremely important technique to develop. The auditors must record enough information to make an informed judgement based on an adequate set of notes containing considerable facts. Notes need to be taken of references to documents, item identification, batch numbers, job numbers, statements, who said them, job titles, relevant questions asked, etc. This information needs to be legible and needs to be retrievable. Much of it might be referenced in subsequent audits, either in the next department to be visited, or in a department to be visited by another member of the audit team. It will also be used in the verbal and written reports to the auditee for the purpose of defining areas of nonconformity or raising points for discussion. Clearly, they need to be usable and understandable if there is a subsequent need to reference them perhaps months or years afterwards. The format of notes, and the medium on which to write them, are matters for each auditor to decide. Many use clipboards with loose sheets that are then clipped together; others find a notebook more practical. Whichever format they use, auditors must safeguard the confidentiality of the information they gain during the audit.

Control of the Audit

At all times, the team leader is responsible for maintaining control of the audit. Experience helps auditors to develop their own way of working in an area and then adapting various techniques as each situation demands.
On entering an area and being introduced to the departmental representative, the team leader should go over the audit plan for that area with the departmental representative and the guide. Their advice as to the best sequence to follow can usually be taken. The items on the checklist are then worked through in a systematic manner. The amount of time the auditor has to spend talking to management in each area about their system will vary according to how much information was originally made available to the auditors. Where there was very little detail, then more time may have to be spent determining some of the basic controls. In order to understand some of these controls, the auditor will not only speak to management, but also to the people doing the work. If the auditors find no evidence of nonconformities, they can and should proceed quickly. Having covered their sample, they should move on. Auditors should never continue the investigation in one area until something wrong is found. Doing that is adding bias to the sample; it is making a sample less representative than the one that was chosen during the planning stage. The checklist outlines what the auditors want to look at and what they are looking for. The auditors have an audit objective in mind. As the audit proceeds, situations arise where the auditor has to decide whether to continue the investigation or whether to leave it there. If the team leader thinks continuing the investigation will be useful as far as achieving objectives is concerned, then the checklist can be ignored and the desired audit trail followed. In doing that, a longer period may be spent than was originally planned to examine a particular aspect. This means the rest of the audit must be compressed or parts removed, otherwise the auditors will not finish within the allocated time. If there are problems, the auditors must examine the evidence to the depth necessary to gain objective evidence. 
In the context of audits, the concept of objective evidence is very similar to the concept of the expert witness in a court of law. When a witness is called as an expert in a given technology or skill, their evidence in that specific area is taken as being objective. However, when people are talking about their area of responsibility for action or decision, then their evidence is admissible. Statements made outside their areas of responsibility are viewed as hearsay. It is good auditing practice to seek out documented support where possible, for all stated evidence. Objective evidence is also that which is seen. It is possible to observe the lack of status, signature, protection, or a label. It is possible to see records, or lack of them, and to examine items or material. The senses of sight and sound are probably the ones most used in audits. Many situations arise during an audit with the potential to become nonconformities. As soon as the facts are indicative of nonconformity, the auditors should immediately voice their thoughts to the departmental representative. This is certainly not a cause for rejoicing, but total openness from auditors will encourage the same from the auditee. It is essential that both parties fully understand the problem and how serious it is. Auditors will often need a little help from the auditee to do that. Once the facts of the matter are established, they should be written down by the auditor and agreed to by the auditee. It is generally not good practice to complete the form during the interview, as it might break the flow of the interview, as well as, to avoid rushing the writing of the nonconformity statement. The auditee should agree with the facts at this point and certainly before the auditors leave the area for another part of the audit. The statement of nonconformity needs to be in a format understandable both to people in the audit and to those who were not. 
People who were not present at the audit will often be assigned to take the necessary corrective action. Only the facts are needed and the reporting of them needs to be exact. The statement needs to identify exactly where it was found, otherwise it may not be found again. It needs to be clear so that people understand what aspect of the system is nonconforming. The statement needs to make it clear what specified requirement has not been met. What audit evidence do we have — records, documents, statements or observations — for our nonconformity findings? The statement often has no need to involve specific people, but where the objective evidence was based on a statement, then the statement and the originator(s) need to be clear. Job titles rather than names should be used. Industry has its own names for certain activities, documents, etc. These unique terms should be used for clarity. Someone has to go back after the audit and put it right, possibly after a considerable period of time. To be helpful, nonconformity statements should be complete, correct, concise and clear. Some examples of typical nonconformities will allow at least some of the above points to be made, assuming these are from audits to ISO 9001. The number of nonconformities that can arise during an audit can be numerous. However, it is unlikely that they are all equally serious. The auditor needs to be able to differentiate between those that are serious and those that are less so. It is also common practice for auditors to raise opportunities for improvement that are points of concern, but for which there is insufficient objective evidence to raise a nonconformity. Opportunities for improvement are an additional way by which auditors can be seen as being helpful. It does indicate that there are occasional lapses that must be formally addressed through corrective action. It puts the business at risk with customers and the Registrar.
In internal audit many organizations do not differentiate between major and minor nonconformance. The auditors need to consider all the evidence available to see whether a process or sub-system of the QMS is failing. It is the combination of all the evidence that will contribute to the informed judgement that the auditors will be required to present to the organization.

Some Examples of Major Non Conformance, Minor Non Conformance and Opportunities for Improvement

The auditor was told that these are important Standard Operating He promptly glanced through work procedure No. There was no control to prevent unintended use of this obsolete document and apply suitable identification to this document.

While sampling, the auditor selected 10 purchase orders and found that P. The materials manager explained that there is no need to incorporate these details since these are our regular suppliers and are well aware of material specifications.

Company under Audit: XYZ
Non Conformity Number: 6 Major NC
Area under review: material procurement department
ISO 9001 clause number: 8.

The auditor examines the records, which are held in a computer database. Each database record has five columns, one each of following: 1. Test Results, 4 Decision on next action, 5. In a representative sample of 20 records, 18 records are fully identified but on 2 records, the last two columns relating to decision are blank. There is no sufficient evidence of non conformity to indicate that the person authorizing release of the product has not been recorded.

The Quality Manager explained that the corrective and preventive actions have already been initiated and the six monthly interval of internal audit has been adhered to ever since the system was put in place 3 years ago. Sales department deals with review of product requirements.

Company under Audit: XYZ
Non Conformity Number: 6 Major NC
Area under review: Internal audit
ISO 9001 clause number: 9.
The audit program was planned without taking into consideration the status as well as the results of the previous audits.

Company under Audit: Food processing unit
Non Conformity Number: 7 Minor NC
Area under review: packing section
ISO 9001 clause number: 7.

Zzz Company had defined that if a person appointed by a client through Zzz resigns within three months, then such an incident is treated as a non-conformity. When auditing the concerned officer, she asked what mechanism is used to obtain information about such resignations. She was told that this information is given by the client in the feedback form. The auditor noted that the feedback form FCS-01R03 did not have any column or question related to this information. She also noted that most of the feedback is received within two weeks of appointment of the person.

Company under Audit: Zzz
Non Conformity Number: 8 Major NC
Area under review: Placement agency office
ISO 9001 clause number: 8.

There are no suitable methods for monitoring and measurement of the QMS processes.

Company under Audit: — scheduled bank
Non Conformity Number: 9 Minor NC
Area under review: cheque clearance dept.
ISO 9001 clause number: 7.

Personnel performing work affecting conformity to product requirements are not competent on the basis of appropriate training, skills and experience.

While auditing the records of discharges in the ward, a typical pattern was noted week after week:

Saturday   Sunday   Monday   Tuesday   Wednesday   Thursday   Friday
3          0        12       4         6           5          5

When asked for details, the Matron-in-charge of the ward said that senior doctors are not available on Sunday. Internees authorize discharge for some patients, which are then regularized by senior doctors on Monday. There is no sufficient evidence of non conformity to indicate that patients were discharged without the approval of the senior doctors.

Auditor asked for the qualification records of Mrs. He was told that Mrs. A is a renowned scholar and had offered her services free.
Therefore the supervisor dared not ask for her qualification record.

Company under Audit: — unaided school
Non Conformity Number: 10 Minor NC
Area under review: secondary school supervisor
ISO 9001 clause number: 7.

A was not recorded.

When asked for the Quality policy, the clerk pointed to a board which showed information about the RTI Act. The auditor then asked who is top management in the context of QMS and was told that the Chief Minister is top management. The auditor then asked what the product of their department is; the clerk replied that they are a government department and not a manufacturing company.

Company under Audit: — government of xxxx
Non Conformity Number: 11 Major NC
Area under review: revenue dept
ISO 9001 clause number: 7.

TM did not ensure that the Quality policy was communicated and understood within the organization. TM did not ensure that appropriate communication processes were established and that communication regarding the effectiveness of the QMS took place.

Reaction of Auditees

If an experienced auditor cares to look back over several different types of audits they have done, the likelihood is they will be able to recall a whole range of auditee reactions they have experienced, from outright hostility to willing cooperation. The auditor has to be prepared to meet and deal with this range of reaction. Although it must be said that as organizations realize more and more the full benefits of ISO 9001, auditee reactions are very much on the decline and normally occur when faced by a negative auditor. Let's look at some possible reactions. The auditor must insist firmly, but politely, on being given respect provided, of course, the auditor gives it first. The auditor must use patience and politeness, and where appropriate, be empathetic. Naturally, the auditor must ignore any rudeness from the auditee. However, they may have to spend slightly longer in the area using patience, firmness, and politeness as their main defenses.
Anything that uses up time that was otherwise planned for auditing can be included here. People may sometimes be very well meaning, but if they spend a lot of time explaining things that the auditors have not asked them for, they must be politely stopped. Videos about the company can be very interesting and sometimes useful, but if not relevant to the audit, should be avoided as should the interesting machine or process. The auditor should accompany the person, or perhaps arrangements can be made to get it later. A lot of time can also be wasted while the auditee answers the telephone, or involves the employees in a lot of discussion about matters external to the audit. Sometimes, auditors are kept waiting for information, or for auditee representatives to appear, because they are on the telephone or in a meeting. If this does happen, then above all do not get angry, be firm yet polite, refrain from critical comments and confrontation, continue with the audit plan and point out that there are many areas still to be covered in the remaining time. If the problem arises again, speak to the management representative. They hope to get the information they want in an effective manner. Sometimes, people give them information they have not asked for, maybe about a failure in part of the quality system. The auditor is now in a quandary. Do they follow up that lead now, later, or do they ignore it? It may be important and relate to the audit objective. Only experienced auditors will tend to make the right decision here. There is no right answer and it is just one of the many things an auditor has to consider while performing an audit. The audit is not the place for this and the auditor needs to use a little tact in smoothing the situation, without getting involved, and continue with the audit. Seek objective evidence without being seen to take sides. 
This can happen where auditors are not fully briefed about contract conditions, product requirements, or where they stray from objective evidence. However, it is for the auditor to continually put up a strong and factual case for all conclusions reached so that the auditee accepts them. While not exactly volunteering information, the auditee is enlisting the powerful support of customer representatives. The auditors may use this information by gaining facts, considering how to protect their sources, so that any nonconformities found are indisputable. Audit Team Meeting: An audit team meeting should be held after the auditing process completes so the team leader can plan the closing meeting in detail, and ensure the team knows what is going to be presented to the organization in the way of nonconformities and a summary. The law of diminishing returns applies and very little will be gained by trying to rush through some more auditing. There is no set rule about who presents the information. The team leader may present everything (all nonconformities and the summary) or the team members may be asked to present the nonconformities they found. Are all the facts there? Is it clear it is a nonconformity? Can it be read easily? Is it grammatically correct? This summary reflects the degree to which a company is conforming to its own documented quality management system and the ISO 9001 standard. To answer these questions, the nonconformities raised will give some guidance. It is ideal, but by no means possible on every audit, for the team leader to organize the seating arrangements for the closing meeting. This is not for any underhand reason, but they should try to ensure that the arrangements suit the purpose and no one is in an awkward position. Often, the closing meeting is in the very room the auditors used for their team meeting. This is the composite picture the auditors are required to present at the closing meeting and in their written report.
The team leader has the responsibility for generating this composite picture as their audit conclusion of the degree to which working systems conform to stated requirements and objectives (and the Standard), after consideration of all audit findings. However, this is not the only information the auditor should be considering. How much avoidable product scrap, rework, and concessions or waivers occur? Is there a large Returns department? Is the number of nonconformities rising, static, or falling? What techniques are used to establish the causes? Are they shown to work? Are they involved rather than only stated to be committed? What evidence is there, if any, that top management takes an interest in the quality management system? Are they proud of their system? Is there an open or closed-door style? Did the management representative have easy access to various managers during the audit? If auditors find information that indicates a distinct lack of management support for the system, then they should say so in their report. Their task is to collate the evidence as fairly and objectively as they can and highlight areas of the greatest risk and least assurance. As usual, there is no substitute for experience, and even experienced team leaders are very careful about their conclusions, and about the way they present them.

Options for recommendation

In the case of internal or second party audits, audit conclusions can lead to recommendations regarding improvements, business relationships or future auditing activities.

Closing Meeting

The closing meeting is the concluding meeting of the audit and is the formal presentation by the team of the findings and conclusions of the audit. Participants should include the auditee top management and may also include other parties such as outsourced processes in case they have been audited.
In many instances, for example internal audits in a small organization, the closing meeting may consist of just communicating the audit findings and conclusions. For other audit situations, the meeting should be formal and minutes, including records of attendance, should be kept. If not resolved, all opinions should be recorded. If specified by audit objectives, recommendations for improvements should be presented. It should be emphasized that recommendations are not binding. The way the meeting is carried out is by conventions developed over the years in which audits have been carried out. As long as the auditee management understands the findings and agrees to the facts surrounding them before the team leaves, the team leader and team have done their job. Promptly, at the agreed time, the team should make themselves available for the meeting. The team leader chairs the meeting. The team leader should take the initiative and work through the agenda as prepared during the audit team meeting. The team leader should also thank the guides for their assistance. This is for a number of practical reasons. There is usually no real doubt about this in the organization because it has been discussed and agreed before the audit took place. However, some of the people attending the closing meeting may not have been present at the opening meeting and are not necessarily aware of everything that has happened in between. Audits cover a lot of ground, some of it irrelevant (not too much in a well-planned audit). The objectives can become hazy. Therefore, the statement by the team leader of the objective and scope resets the context of the audit. Not every conforming or nonconforming area was seen, only a representative selection. Therefore, the possibility exists that there are additional nonconformities in areas not covered by this audit. It is recommended that the auditors develop a standard statement covering the essence of the above in their own words.
Any documents provided to the audit team will be returned before the auditors leave the premises. Based on your audit, provide sincere and factual feedback on the QMS strengths — departments, processes, resources, controls, documentation, etc. Nonconformity findings may be grouped by functional area (department), clause of the standard, and severity level (major, minor, or concern). Findings could also be categorized by type of failure, for example, intent (defined processes and documentation), implementation (practices), or effectiveness (results). In some cases, the auditee representatives will have copies of the nonconformities, if some were agreed earlier. There are different schools of thought about giving copies of the nonconformities to the auditees at the time of the closing meeting. Generally, there are few disadvantages, and it is recommended here as good practice. There is then no need for auditees to try to make notes. It is also recommended that the nonconformities be read from the report rather than trying to describe them. This limits the tendency to add unnecessary words and comments that should not be necessary if the nonconformity statement is complete in all respects. Reading the statements also encourages less experienced auditors to present the nonconformities in a clear, firm voice and not apologetically. Nonconformities may be agreed with the authorized person. Signature usually designates acceptance; however, there will be times when the auditee may disagree with a particular nonconformity and not accept it. In this case, the signature may simply denote acknowledgment of receipt of the nonconformity. Although agreement was reached at that time, the wording of the nonconformity is unlikely to have been at its most complete and concise. Either at review meetings, or at the Closing Meeting, these nonconformities are signed by the auditee to acknowledge receipt and understanding of the content.
It must consider the seriousness of any nonconformities and whether they indicate a departmental or company-wide breakdown of the system. The conclusion must be balanced with positive findings made during the audit. The facts as stated should not be in dispute. Assuming the auditee accepts all the nonconformities or the summary, the auditor may be asked what response is necessary for the points raised. The auditors would expect the auditee to propose some corrective action in a given timeframe. The closing meeting is not the place to discuss actual corrective action. That should be given very careful consideration by the auditee. The team leader should, therefore, state that a proposed plan of corrective action is necessary within a number of days or weeks after receipt of the report. However, if the recommendation is for a full re-audit, then it will not be necessary to submit a corrective action plan. However, at various times in the past, and perhaps also to be expected in the future, audit teams are faced with the meeting not going to plan for some reason or another. By the very nature of the closing meeting, most companies want to have someone in senior management represent them at the closing meeting. The auditors cannot demand the presence of top management, but can certainly ask why they are unable to attend. If the team leader thinks that the auditee representation is not senior enough, someone senior can be requested to be available. If it was arranged for top management to be there and they do not arrive, then it is reasonable for the team leader to delay the meeting for a short time to wait for them. A telephone call will probably be necessary to check. After a reasonable time has elapsed (perhaps half an hour), the team leader should hold the meeting with whoever is there. Under no circumstances should the meeting be canceled. But remember to add this to your audit report.
The fact that it was found during the audit remains noted in the report. If corrective action taken for a major nonconformity is presented, the team leader should politely point out that the closing meeting is not the forum to discuss such issues and the corrective action will be audited during the next audit for effectiveness. The team leader should explain that the auditors would consider the evidence produced, but not at the closing meeting. If the evidence shows there is no nonconformity, then they will withdraw it. Most closing meetings normally are over within half an hour. The team leader, therefore, may need to be firm in closing the meeting after the necessary points have been covered.
Audit Reporting: The report of an external audit should provide a complete, accurate, concise and clear record of the audit. It is the major output of the audit process and may be read and used by people who were not at the audit and have no other information about the audit. It is, therefore, important that the audit report give a balanced picture of the whole audit, not merely the nonconformities found. The whole reason for preparing a report is for use by various people to initiate corrective actions and evaluate and address any recommended opportunities for improvement. The audit team leader should be responsible for the preparation and contents of the audit report. This summary provides the informed judgement of the auditors. If there is a classification system, such as Major or Minor, then this is used. There may also be a reference to a clause in the Standard. However, certain companies require auditors to include suggestions for correction of nonconformities. This is difficult, time consuming, and risky; it may also be nonconforming with registrar policy and procedures for reasons previously discussed. Their ability to make valued criticism is so limited, in fact, that in many cases, it is useless and best omitted.
It should be understood that the organization has no obligation to implement such suggestions, but it must be aware of the risks of not doing so. Some organizations require a further signature of a senior person before the report is issued. It is important to prepare and issue an audit report within a reasonable timeframe. As with any record, audit reports should be retained on file for a prescribed time. All the other records from the audit should also be retained.
Approving and distributing the audit report: The audit report should be issued within the agreed time period. The audit report should be dated, reviewed and approved in accordance with audit program procedures. The approved report should then be distributed to the auditee and other recipients as designated by the organization. The audit report is the property of the organization. The audit team members and all report recipients should respect and maintain the confidentiality of the report.
Completing the audit: The audit is completed when all activities described in the audit plan have been carried out and the approved audit report is distributed. Documents pertaining to the audit should be retained or destroyed by agreement between the participating parties and in accordance with the audit program procedures and applicable statutory, regulatory and contractual requirements. Unless required by law, the audit team and those responsible for managing the audit program should not disclose the contents of documents, any other information obtained during the audit, or the audit report, to any other party without the explicit approval of the top leadership of the organization and, where appropriate, the approval of the auditee.
Conducting audit follow-up: The conclusions of the audit may indicate the need for corrective or improvement actions, as applicable. Such actions are usually decided and taken by the auditee within an agreed timeframe and are not considered part of the audit.
The completion and effectiveness of corrective action should be verified. This verification may be part of a subsequent audit. The audit program may specify follow-up by members of the audit team, which adds value by using their expertise. In such cases, care should be taken to maintain the independence in subsequent audit activities.
Auditee post-audit actions: The auditee might have a number of areas that were found to not conform to requirements. These nonconformities must be corrected, the actions verified as effective, and some kind of monitoring implemented to ensure things stay conforming. If the company has only one set of audit results for which to verify corrective actions, its follow-up system may be quite basic. However, some companies may have several nonconformities from external audits, and more from their own internal audits, product reports, and customer complaints. If the external body is returning to check on corrective action taken, the auditee needs a good system to ensure the action has been taken and was effective.
Auditor post-audit actions: For a small number of minor nonconformities found during an internal audit, the follow-up may be left until the next planned audit within that area, if practical. For second party audits, a written response to minor nonconformities is required. Based on an acceptable response, the nonconformities would be reviewed and closed out during the next visit. For some of the nonconformities that were purely documentary in nature, it might be possible to deal with them by only a written response. If the auditor is to use the nonconformity statements to follow up on the corrective action, then the nonconformity statements must be very specific and traceable. Since the auditee is likely to propose corrective action, the auditor must have a view about how effective, or otherwise, such an action might be in resolving the situation once and for all.
Once a nonconformity is in the system, the auditee must ensure that effective and appropriate corrective action has been taken. After clarifying with the auditor for a clear understanding of the nonconformity, and certainly with people in the area where the nonconformity was found, the best corrective action can be decided. It is certainly where the audit system takes a positive aspect rather than a negative one. However, the process of corrective action is not an easy one. The auditee has to get to the root cause of the problem if it is going to be corrected forever. It is very easy to correct the effect of the nonconformance instead of the root cause, so in time the nonconformity will re-appear. The auditee also will have to consider the impact of the corrective action on the rest of the process, as well as the effect it might have on areas not considered during the audit. Some of the stages listed above are completed rather easily. However, all corrective action follows this general path. If the company is going to be involved in these activities, the business should improve after the audits and the corrective actions have been taken. Has the error rate reduced? Do we now respond to our customer needs quicker? Have we reduced the number of bad debts? Are we throwing out less waste every night?
Perspective On Internal Audits: The internal audit, or first party audit, is an audit carried out by a company on itself to determine whether its systems and procedures are consistently improving products and services, and as a means to evaluate conformity with the procedures and the standard. Each second and third party audit should consider the first party audits carried out by the company in question. Ultimately, the only systems that should need to be examined are those of internal audits and reviews. In fact, the second or third parties themselves have to carry out internal or first party audits to ensure their own systems and procedures are meeting business objectives.
The value of an internal auditor is as a representative of the quality assurance resource of the company. If the effort is put into providing the support necessary to do a good job, why do a bad one? However, it is accepted that some companies still have a long way to go before the above state is reached. The need for an audit system, whether for external or internal audit, is paramount. Audits will be scheduled according to a plan, usually looking at various processes, their sequence and interaction with other processes within the QMS, with some flexibility built in to allow for realigning a particular effort. There is a need to prepare for each audit with an audit plan and checklist. Formal opening meetings are not typical, except in fairly large organizations. The auditor meets briefly with the department manager and gets on with the audit. The auditor is examining the work and outputs of colleagues. This puts an added strain on the auditor and the auditee. The auditor will sometimes be in a difficult position because of this tension. How can both the auditors and the system be protected? There are two aspects considered here: the system that is installed in partnership with everyone in the company, and the credibility of the auditor. That, of course, means that the manager knows precisely what has been signed and believes absolutely in its value. That was not true of some managers in the past. They willingly signed such procedures and expected the system to work properly without them. Many other managers realized that the audit could be a very powerful and useful tool and applied it to problem areas using people trained in investigative techniques. Because they wanted it to happen, they involved themselves in its operation; some of them even underwent the training with their colleagues. Such managers are running successful departments and organizations. A second aspect of the system for internal audits is that of escalation.
There should be no doubt of this in the company. It is so important that the operation of the internal audit system should be close to the policy statement in the Quality Manual. The audit procedure should include a clause for escalation. Managers get the system they deserve. Records of internal audits tend to be limited in comparison with those of external audits. There may not be reports, as such, issued, only the requests for corrective action (CAR) and a way of monitoring them. The auditors should keep all their checklists so that over a period of time they can ensure that as comprehensive an audit program as possible is being carried out. They should also keep their notes in a secure place.
ISO 9001 Auditor Credibility: A number of points are made here. It is not meant to be an exhaustive treatise on the subject, merely recognition that the auditor is a human being dealing with human beings and that sets the highest qualifications for the would-be auditor. All auditors must be able to develop a rapport with auditees fairly quickly. Their real job is to facilitate improvement. Rarely do they have much real power, so they have to instigate change by other means. The situation will frequently arise where there is a nonconformity against procedures and the auditor has the answer. As an external auditor, regardless of whether the auditee would find the suggestion useful or not, they are unable to offer it to avoid consulting. However, as an internal auditor working for the same company and having the same objectives as their colleagues, they are in a position where they can be of help to the company. They should be prepared to throw away their checklist, roll up their sleeves and help. The auditee might even tell the auditor some of the other problems they have so that those can be addressed too. That is the kind of openness that the internal auditor must try to encourage as a natural result of their approach to auditing.
This will enable auditors to provide value-added service and still maintain their independence as auditors. The point has been made that the internal auditor and the auditees are working for the same organization. This can be a double edged sword. As an external second party auditor with apparent power in a small supplier, auditors can hide some of their less glorious attributes. When they are auditing their own colleagues, they have to be scrupulously fair, hard working, reasonable, objective, polite, and respectful if they are to contribute anything to the company in the long term. Perhaps a part of the latter point, but one that is important enough to merit specific mention, is that of preoccupation with trivia. Not so, with the internal auditor. Nothing is more designed to ravage the credibility of auditors and all they represent than the sight of them narrowly and trivially working their way through each department. So, the points are made.
The amount of time the auditor has to spend talking to management in each area about their system will vary according to how much information was originally made available to the auditors. Although the auditors are working separately, they share a common objective and will meet regularly to review progress. Each auditor will need an escort and each auditor will take up auditee management time. The auditor examines the records, which are held in a computer database. Auditee: The auditee is a department or process of the organization to be audited. These unique terms should be used for clarity.