Effective Internal Auditing To

ISO 9001:2008

Welza D. Gazo
DTI-XI
Course Outline

 Principles of Management System

Auditing
 Managing the Internal Audit Program
 Planning the Internal Audit
 Conducting the Internal Audit
 Reporting the Audit Findings
 Post-Audit Activities
Principles of Management System
Auditing
Why Audit is essential?
• A management tool for monitoring and verifying the
effective implementation of an organization’s Quality
Management System
• To identify areas of conformity and nonconformity
against customer requirements, applicable statutory
and regulatory requirements, and established planned
arrangements in the QMS
• To provide a systematic discipline for corrective or
preventive actions if actual or potential
nonconformities are found
Principles of Management System
Auditing
Why Audit is essential?

• To provide information on which an organization can

act to improve its performance (identify opportunities
for continual improvements)

• It is an essential part of conformity assessment

activities such as 3rd party certification
Principles of Management System
Auditing
Internal Quality Audits are essential…
… to determine, by an unbiased means and
through factual information on quality
performance, whether the quality system is
effective in maintaining control by checking
that prescribed quality objectives are being
achieved and the resultant products and
services meet specified customer and
regulatory requirements.
Principles of Management System
Auditing
Likely effects on QMS of a weak IQA System
 Inadequate review of the Quality Management System
vs. the requirements
 Conclusions not reliable basis for Top Management to
evaluate the effectiveness of QMS implementation
 Diminished people’s full support to the Quality
Management System.
Principles of Management System
Auditing
Important terms and definitions:

Audit

A systematic, independent and documented

process for obtaining audit evidence and
evaluating it objectively to determine the
extent to which audit criteria are fulfilled.
Principles of Management System
Auditing

Audit Criteria – Set of policies, procedures or

requirements used as a reference against which
audit evidence is compared.

Audit Evidence – Records, statements of fact or

other information, which are relevant to the audit
criteria and verifiable.
Principles of Management System
Auditing

Audit findings – results of the evaluation of the

collected audit evidence against audit criteria

Audit Conclusion – outcome of an audit provided

by an audit team after consideration of the audit
objectives and all audit findings

Auditor – person with competence to conduct an

audit
Principles of Management System
Auditing
Audit Scope – extent and boundaries of an audit;
generally includes a description of the physical
locations, organizational units, activities and
processes, as well as the time period covered.

Audit Program – set of one or more audits,

planned for a specific timeframe and directed
towards a specific purpose.
Principles of Management System
Auditing
Audit Plan – description of the activities and
arrangements for an audit
Auditee – organization being audited

Audit client – organization or person requesting

an audit
Competence – demonstrated personal attributes
and demonstrated ability to apply knowledge and
skills
Principles of Management System
Auditing
Types of Audit
Internal Audit

-Conducted by, or on behalf of the organization itself for

internal purposes and can form the basis for an
organization’s self-declaration of conformity.

-Also called first party audit

Principles of Management System
Auditing
External Audit

- Conducted by any interested party (e.g. by customers

or other persons in their behalf), by a regulatory body
or by a 3rd party certification body

- Can be conducted as combined audit, joint audit, or

integrated audit
Principles of Management System
Auditing
 5 Principles of Auditing

1. Ethical Conduct : the foundation of

professionalism

- Trust
- Integrity
- Confidentiality
- Discretion
These are essential to auditing.
Principles of Management System
Auditing
2. Fair presentation : the obligation to report
truthfully and accurately

- Audit reports, audit conclusions must reflect

accurately the audit activities.

- Significant obstacles encountered during the audit

and unresolved diverging opinions between the audit
team and the auditee should be reported.
Principles of Management System
Auditing
3. Due professional care : the application of
diligence and judgment in auditing

- Auditors exercise care in accordance with the

importance of the task they perform and the
confidence placed in them by the audit client and
other interested parties.

- Having the necessary competence is an important

factor.
Principles of Management System
Auditing
4. Independence : the basis for impartiality of
the audit and objectivity of the audit
conclusions

- Auditors are independent of the activity being audited

and are free from bias and conflict of interest.
- Auditors maintain an objective state of mind
throughout the audit process to ensure that the audit
findings and conclusions will be based only on
objective evidence.
Principles of Management System
Auditing
5. Evidence-based approach : the rational
method for reaching reliable and reproducible
audit conclusions in a systematic audit
process.
- The audit evidence is verifiable.

- The audit evidence is based on available information

during the audit.
- Appropriate use of sample related to the confidence
that can be placed to the audit conclusions.
Managing the Internal Audit
Program

1. Authority for the Audit Program

- granted by Top Management
 Management Representative
- Establish,implement, monitor, review and improve
the audit program
- Identify the necessary resources and ensure they are
provided.
- Appointed by Top Management and is a member of
the organization’s management.
Managing the Internal Audit
Program
2. Establishing the Audit Program
 Define audit program objectives – to direct planning
and conduct of audits
 Define the extent of audit program – influenced by
the size, nature and complexity of the organization
 Define audit program responsibilities – assigned to
one or more auditors who has general
understanding of audit principles and has
management skills as well as technical and business
understanding relevant to activities to be audited.
 Determine and provide audit program resources.
 Establish audit procedure(s)
Managing the Internal Audit
Program
3. Implementing the Audit Program

 Schedule the audits

 Evaluating auditors
 Selecting audit teams
 Directing audit activities
 Maintaining records
Managing the Internal Audit
Program
4. Monitoring and reviewing the Audit
Program

 Monitoring and reviewing the program

 Identifying needs for corrective / preventive
action
 Identifying opportunities for improvement
Managing the Internal Audit
Program
5. Improving the Audit Program
Planning the Internal Audit

 Requirements:

8.2.2 Internal Audit (ISO 9001:2008)

The organization shall conduct internal audits at
planned intervals to determine whether the QMS:
a. Conforms to planned arrangements to the
requirements of the standard, and the QMS
requirements established by the organization, and
b. Is effectively implemented and maintained.
Planning the Internal Audit

8.2.2 Internal Audit (ISO 9001:2008)

An audit program shall be planned, taking into
consideration the status and importance of the
processes and areas to be audited, as well as
the results of the previous audits. The audit
criteria, scope, frequency and methods shall
be defined. Selection of auditors and conduct
of audits shall ensure objectivity and
impartiality of the audit process.
Planning the Internal Audit

8.2.2 Internal Audit (ISO 9001:2008)

Auditors shall not audit their own work.
A documented procedure shall be established
to define the responsibilities and requirements
for planning and conducting audits,
establishing records and reporting results.
Records of the audits and their results shall be
maintained (see 4.2.4)
Planning the Internal Audit

8.2.2 Internal Audit (ISO 9001:2008)

The management responsible for the area
being audited shall ensure that any necessary
corrections and corrective actions are taken
without undue delay to eliminate detected
nonconformities and their causes. Follow-up
activities shall include verification of the
actions taken and the reporting of verification
results.
Planning the Internal Audit
Audit procedure should address the ff:
 audit program preparation
 assuring auditors’ competence
 assigning roles and responsibilities for auditors
and audit teams
 planning and conducting audits
 conducting audit follow-up and corrective action
verification
 monitoring effectiveness of the audit program
 reporting to Top Management on the overall
results and achievements of the audit program
Planning the Internal Audit

Assigning the Auditors

-Check availability of auditor (must be
independent of area to be audited)
-Brief the auditor on the objectives of the audit
-Define the limits of the area to be audited
-Apprise auditor of any special requirements, e.g.
follow-up of corrective action, priority areas
for verification, etc.
Planning the Internal Audit

Tasks of the Internal Auditor

• Obtain and assess evidence in a fair manner
• Preserve his independence and integrity
• Be flexible to changing situations during the audit
• Interact with auditees in a positive way
• Add value to auditee’s process or activities
• Perform the audit process fully and adhere to the
audit plan
• Arrive at acceptable conclusions based on audit
findings and objective evidence
• To stand his ground despite possible pressure of
contrary views
Planning the Internal Audit

Auditor planning for each Audit

• Auditor reads and understands the QMS documentation
and business process
• Communication with the auditee to confirm audit
schedule
• Preparation of the audit agenda and checklists (should
reflect Plan-Do-Check-Act approach)
•Auditor checks that his audit kit is complete (with audit
plan, previous audit reports, forms and note pads,
references, pens)
Planning the Internal Audit

Preparing the Checklist of Questions

• Check which elements of the Standard apply to the area
to be audited
• Check key requirements in the document
• Check for any problems which normally are known to
occur in the process to be audited
• If necessary, ask other people for advice
• Refer to other previous audit checklists/reports
• Sequence questions in a logical way and also to permit
Plan-Do-Check-Act approach to auditing
Planning the Internal Audit

Audit Using PDCA Approach

The IQA auditor may cover the following key points:
1. What are the key objectives for the function/
process?
• Are objectives, quantitative targets and programs defined?
• Do they define desired outcomes of function?
• Do they address customer requirements?
• Do they relate to the organization’s Quality Policy?
• Do they relate to the Eight QMPs?
• Do they relate to legal requirements, if any?
Planning the Internal Audit

Audit Using PDCA Approach

2. Are resources available and managed, as planned,
to achieve objectives?
• Is there a process for defining and allocating resources?
• Are resource needs identified, adequate, accounted for?
• Does this include financial, specialized skills, equipment,
technology and the like?
Planning the Internal Audit

Audit Using PDCA Approach

3. Are key activities and methods for achieving
objectives identified, documented and controlled?
• Are plans, procedures, formula, etc. documented?
• Are process and operating criteria defined?
• Are responsibilities and authorities defined?
Planning the Internal Audit

Audit Using PDCA Approach

4. What measures are available to demonstrate
achievement of objectives, and what evidence is
available to demonstrate continual improvement
for the function / process?
• Review and assess, among others:
• Process capability, equipment reliability
• Waste rates, variance vs. budget and other metrics
• Legal compliance (findings should be backed up by data and
company records)
• Performance monitoring and monitoring results; analyses
• Actions taken for un-met objectives, product nonconformities,
significant process deviations.
Planning the Internal Audit

Auditor’s Final Check

• Notebook, writing instruments
• Copy of relevant QMS documents
• Copy of audit plan confirmed by the auditee
• Copy of he standard (ISO 9001:2008)
• Copy of Internal Audit procedure, work instructions
• Copy of audit checklist, if any
• Forms for audit findings/report preparation
• Previous nonconformity reports for verification of
effectiveness of corrective actions
Conducting the Internal Audit

The Audit Agenda

• Opening Meeting
• Audit Proper
• Closing Meeting
Conducting the Internal Audit

The Opening Meeting

•What to say during the opening meeting?
Review / discuss the following Opening Meeting agenda for the audit
program, to include:
• Objective and scope of audit and audit criteria
• The schedule of events; other arrangements
• Definition of nonconformities, major and minor
• How you will report the audit results
• Confidentiality of audit data
• Resolve any questions and items for clarification from the auditees
Conducting the Internal Audit

The Opening Meeting

• Who should attend the opening meeting?

- Audit Team and Management Team to be audited

• Who should preside the opening meeting?

- Chaired and managed by the Lead Auditor or Team
Leader
Conducting the Internal Audit

Audit Proper
• Interview the staff responsible for each task
• Obtain audit evidence by:
• Asking questions: inquire about task details
• Observing actual task: watch the task being done
• Checking records: confirm if task done is
consistent with the documented procedure; cross
check with what records reveal
• Follow the audit trail: sequence of process steps
Conducting the Internal Audit

Audit Proper
• Compare and evaluate practice against the documented
QMS (conforming? At variance?)
• Use checklists to guide you in completing audit
• Define nonconformity where lapses of the practice
against QMS documentation might be found
• Record objective evidence/s of the NC
• Confirm with the auditee the presence of NC
• Point out observations; area for improvement
Conducting the Internal Audit

What key things to look for and where?

• Task - work methods defined, efficiency
• People - training, skills, competence and motivation
• Equipment; Work Environment
- identification, capability, condition, safety, sanitation
• Documents / Records
- identification, issue, content, correctness and
distribution
- retention, preservation, legibility, accessibility
Reporting the Audit Findings

The Audit Reporting Cycle

• Discuss and agree on findings
• Record Findings
• Hold Closing Meeting
• Issue Audit Report
• Update Records
• Agree to undertake follow-up audit, if needed
• Carry out and record results of Follow-up Audit
Reporting the Audit Findings

Types of Audit Findings

1. Positive findings – good practice;
conformities
2. Negative findings – nonconformities
3. Observations – opportunities for
improvements
Reporting the Audit Findings

2 Types of Nonconformities
• Minor
• A failure to meet one requirement of a clause of ISO
9001 or other reference document, or a single lapse in
following the organization’s QMS.
• Major
• The absence or the total breakdown of a System to meet
the requirements of a clause of ISO 9001 or other related
documents. A number of minor NCs against one clause
can represent a total breakdown and thus be considered
as a major NC
Reporting the Audit Findings

The Closing Meeting

• Who should attend the opening meeting?

- Audit Team and Management Team to be audited

• Who should preside the opening meeting?

- Chaired and managed by the Lead Auditor or Team
Leader
Reporting the Audit Findings
The Closing Meeting Agenda
• Thank the auditees for their time and cooperation
• Commend auditees for accomplishments
• Present a balance summary; point out good points and areas
for improvement
• Report any nonconformity – invite the individual auditor to
report
their respective findings
• Report the overall conclusions and recommendations
• Invite comments from auditees
• Resolve any inquiries, concerns
• Obtain consensus from auditees on nonconformity reports
(accepted)
• Establish date of submission to auditor of corrective action
• Reiterate confidentiality
Post-Audit Activities
What happens next?
• For the concluded audit:
• Agree on the corrective actions
• Agree on-site follow-up audit, if necessary
• Compile the audit report and submit to Top
Management
• Review the Audit Program
• Improve the Audit Program
• Prepare for the next audit
Post-Audit Activities
Follow-up Actions
• Auditor verifies and evaluates corrective actions
upon submission; approves, if OK

• Auditor records results of verification and evaluation

• Auditor escalates problems to the management, if

corrective action not completed.
Post-Audit Activities
Post-Audit Actions
• Audit reports submitted for management review

• Reports include corrective/preventive actions,

Management Representative’s assessment of QMS
effectiveness and efficiency, based on internal audit
results

• Continual improvement plans, based on internal

audit results
Thank you for your attention!