
ISO 9001:2015

BACK TO BASICS –
INTERNAL AUDITING

Martin Graham, Principal Assessor - QMS


OUR PURPOSE IS TO HELP CUSTOMERS DELIVER PRODUCTS THE WORLD CAN TRUST

LONDON | BOSTON | SHANGHAI | BANGALORE

NQA is a world leading certification body with global operations.

NQA specialises in certification in high technology and engineering sectors.

• AMERICA’S NO.1: Certification body in Aerospace sector
• TOP 3 IN THE UK: ISO 9001, ISO 14001, ISO 45001, ISO 27001
• CHINA’S NO.1: Certification body in Automotive sector
• GLOBAL NO.1: Certification body in telecommunications and Automotive sector
• GLOBAL NO.3: Certification body in Aerospace sector
• UK’S NO.2: Certification body in Aerospace sector
CERTIFICATION AND TRAINING SERVICES

We specialize in management systems certification for:

• QUALITY
• AEROSPACE (QUALITY)
• AUTOMOTIVE (QUALITY)
• ENVIRONMENT
• ENERGY
• HEALTH AND SAFETY
• INFORMATION RESILIENCE
• RISK MANAGEMENT
• FOOD SAFETY
• MEDICAL DEVICES

NATIONWIDE TRAINING SERVICES

ACCREDITED COURSES

RANGE OF COURSES

• QUALITY
• ENVIRONMENT
• ENERGY
• HEALTH AND SAFETY
• INFORMATION SECURITY
• MEDICAL DEVICES
• BUSINESS CONTINUITY
• AEROSPACE
• INTEGRATED MANAGEMENT

Delivery:

• Virtual Learning
• e-Learning / Live Webinars
• In-house Training
• Public Training
• Nationwide Locations

Courses:

• e-Learning Introduction
• 1 day Introduction Courses
• 2 day Implementation Courses
• 2 day Internal Auditor – NQA or IRCA
• 5 day Lead Auditor – NQA or IRCA

YOUR PRESENTER

KEY INFO

• 45 minute webinar

• Questions in the chat box

• Q&A at the end

• Recording of webinar circulated shortly

WHAT WILL BE DISCUSSED?

• What is an internal audit?


• Audit objectives
• Programme
• Planning
• Outputs
WHAT IS AN AUDIT?
DEFINITION

‘systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled’

ISO 19011:2018
DEFINITION

Systematic – programmed, planned, under control

Independent – impartial, objective

Documented – does not mean you need a procedure


WHAT IS AUDIT CRITERIA?

Set of policies, procedures or requirements used as a reference against which objective evidence is compared.
Ref: ISO 9000:2015
e.g.:
• Policies
• Objectives
• Procedures
• Standards
• Contractual requirements
• Statutory and regulatory requirements
AUDIT OBJECTIVES –
WHY DO AN INTERNAL AUDIT?
WHY…

• Identify risks
• Identify opportunities
• Identify improvements
• Identify inefficiencies
• Spread the word
• Add value
• Support engagement
• Meet the standard!
• Why not…
AUDIT OBJECTIVES

• Conformance with planned arrangements

• Conformance with the standard

• Effectiveness of the system

• Not just to show a third party auditor…ensure you schedule, plan, execute,
act and report to get value for your organisation
OBJECTIVE EVIDENCE

Objective evidence is data (generally consists of records, statements of fact, or other information) supporting the existence or verity of something

Ref:
• ISO 9000:2015
• ISO 19011:2018

Can be obtained through review of documentation/records, observation, interview and following the audit trail
OBJECTIVE EVIDENCE

Objective evidence is data (generally consists of records, statements of fact, or other information) supporting the existence or verity of something

You can collect evidence using the following methods:

• Interviewing

• Review of documents and records

• Observation

• Following the audit trail……

[Diagram: audit trail across Sales, Training, Production planning, Calibration, Manufacturing and Quality Control]
CLAUSE 9.2

The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:

a) Conforms to:
1) the organization’s own requirements for its quality management
system;
2) the requirements of this International Standard;

b) Is effectively implemented and maintained


CLAUSE 9.2

The organization shall:

a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities,
planning requirements and reporting, which shall take into consideration the importance of the processes concerned,
changes affecting the organization, and the results of previous audits;

b) define the audit criteria and scope for each audit;

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d) ensure that the results of the audits are reported to relevant management;

e) take appropriate correction and corrective actions without undue delay;

f) retain documented information as evidence of the implementation of the audit programme and the audit results.
PROGRAMME
PROGRAMME – SIMPLE BUT…

frequency,

methods, (remote?)

responsibilities,

planning requirements and reporting,

shall take into consideration the importance of the processes concerned, (risk?)

changes affecting the organization, (people / process / material)

and the results of previous audits;


PROGRAMME

Audit Programme to Consider:


Auditees :
• Organisational Objectives
• Relevant external and internal issues
• The needs and expectations of relevant interested parties
• Information security and confidentiality requirements
• Locations and logistics
• Outsourced functions

Note: Changes to the programme should be monitored and maintained, revisions made when changes happen with findings disseminated to all relevant interested parties
PLAN
PLAN – NOT A PROGRAMME

• Detail what you wish to audit (areas, documents, records and activities)

• Who to select for interview

• Where and when (locations, sequence, audit trails etc.)

• What methods to use to obtain objective evidence (e.g. observation, interview, review of documents and records etc.)

• Communicate it
PLAN

• Agree dates / times and personnel availability

• Agree scope and objectives

• Obtain necessary procedures and associated documents

• Familiarise yourself with the process to be audited

• Prepare / obtain checklists

• Prepare the team


AUDIT PREPARATION - INPUTS

[Diagram: inputs to Audit Preparation (Contract, External audit, Previous audits, QMS, Audit standard, Regulatory requirements, Audit scope), leading to the Audit]
EXECUTION
EXECUTION - CHECKLISTS

• Professional approach

• Ensures structured, thorough preparation

• Acts as a guide/aide-memoire

• Provides evidence of what was planned and checked

• Assists note taking

• Assists preparation for reporting and the closing meeting


EXECUTION - INITIATION

• Appointing a team leader

• Establishing contact with the auditee and information gathering

• Defining the scope, objectives and criteria

• Selecting the audit team


EXECUTION - PRINCIPLES

• Integrity: Auditors exhibit a “professional” approach


• Fair Presentation: Truthful and accurate reporting
• Due Professional Care: Exercising diligence and judgement
• Confidentiality: Security of information
• Independence: A basic impartiality and objectivity of conclusions
• Evidence-based Approach: The evidence is verifiable and based on appropriate
sampling
• Risk-based Approach: an audit approach that considers risks and opportunities

Ref: ISO 19011:2018


EXECUTION - OPENING

• Confirm the agreement of all participants (e.g. auditee, audit team) to the audit plan;
• Introduce the audit team and their roles
• Confirm the audit plan
• Confirm scope and audit criteria
• Confidentiality arrangements
• Gradings of NCRs and findings
• Communication channels
• Confirm time, place and attendees for closing meeting
• Invite questions
EXECUTION - CLOSING

• Lead Auditor chairs the meeting


• To include auditee (those responsible), management, audit team, interested
parties (identified by client)
• Introductions
• Confirm the scope and objectives of the audit
• Confirm audit standard and any exclusions
• Statement of confidentiality & Disclaimer (audit was only a sample)
• Summary of findings (including good points) effectiveness of the MS
• Presentation of nonconformities and OFIs
• Invite discussion of points raised
• Explain corrective action process
THE 6 STAGE AUDIT PROCESS
SAMPLING METHODS AND TIPS

• What to sample?
• Risk factors to consider?
• How many samples to take?
• How far back in time?
• Who should take the sample?

[Diagram: Sample drawn from Population]


GATHERING EVIDENCE

• Take more than 1 sample
• Link samples to an audit trail – follow the process
• Do not let the auditee select all the samples
• The spoken word alone is not necessarily objective evidence of conformance
• Respect the auditee’s documents
QUESTIONING TECHNIQUES

• Think about the question before you ask it

• Keep your questions simple

• Do not start the audit with pre-conceived ideas or a ‘hidden agenda’

• Speak clearly – avoid code or jargon

• Clarify any points of misunderstanding as soon as possible

• Give the auditee a chance to explain

• Don’t jump to hasty conclusions


QUESTION TYPES

• Open
• Closed
• Multiple
• Leading

“I kept six honest serving men, they taught me all I knew, their names are What and Why and When and How and Where and Who”
Rudyard Kipling - The Elephant Child
FINDINGS AND FOLLOW UP
NON-CONFORMANCE

‘Non-fulfilment of a requirement’
Ref: ISO 9000:2015
NONCONFORMITY

The ‘requirement’ in an internal audit situation will be the specific audit criteria
which apply e.g.

• Procedures = Operational issues


• Quality Manual = Management issues
• Standard = Policy issues
• Contract = Customer issues
• Legislation = Regulatory issues
REASONS TO RAISE NON-CONFORMITIES

• Practice does not comply with the documented system


• The system does not reflect actual practice
• Practice/system does not comply with ISO 9001 (or applicable standard)
• Breach of a legal or other requirement
• Breach in commitment to continual improvement
• Breach in commitment to prevent pollution
• Breach in commitment to prevent ill health or injury
• Not meeting policy
• Not meeting intended outcomes
DEFINING NON-CONFORMITIES

[Diagram: the Non-Conformance ‘triangle’ linking Requirements, Findings and Evidence]


OPPORTUNITY FOR IMPROVEMENT

• Opportunity to refine the system


• May develop into a nonconformity
• Should benefit the system / organisation
• Don’t have to be acted upon
ACTIONS –
CORRECTION AND CORRECTIVE
CORRECTION & CORRECTIVE ACTION

• Correction - Action to eliminate a detected nonconformity

• Corrective Action - To eliminate the cause of nonconformities in order to prevent recurrence
CORRECTION & CORRECTIVE ACTION

• When a nonconformity occurs, including any arising from complaints, the organization shall:

• a) react to the nonconformity and, as applicable:

• 1) take action to control and correct it;


• 2) deal with the consequences;
CORRECTION & CORRECTIVE ACTION

b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:

1) reviewing and analysing the nonconformity;


2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially
occur;
CORRECTION & CORRECTIVE ACTION

c) implement any action needed;


d) review the effectiveness of any corrective action taken;
e) update risks and opportunities determined during planning, if
necessary;
f) make changes to the quality management system, if necessary.
Corrective actions shall be appropriate to the effects of the
nonconformities encountered.
FOLLOW UP AND CLOSE OUT

• Verify effectiveness of actions and implementation


• Record examples of evidence seen
• Escalate if not addressed
• Agree new actions if not effective
• Close out nonconformity when cleared
• Feed back into programme / planning
• Management review
KEEP IT SIMPLE

• Don’t over plan


• Understand what an audit is for and what you are trying to achieve
• Keep records and act on results
• Communicate
• Get people involved
• Don’t see an audit as negative
Q&A
TAKE THE NEXT STEP
THANK YOU

Warwick House | Houghton Hall Park | Houghton Regis | Dunstable | LU5 5ZX | United Kingdom
0800 052 2424 | [email protected] | www.nqa.com
