MODERN INTERNAL AUDITS

- compliance -
- improvement -

ISO 9001:2000

1
THE PURPOSE OF INTERNAL AUDITS

AUDIT (ISO 9000:2000 VOCABULARY)

Systematic, independent and documented

process for obtaining audit evidence and
evaluating it objectively to determine the
extent to which audit criteria are fulfilled

Audit criteria; Set of policies, procedures or

requirements used as a reference

2
ISO 19011 COMBINES THE QMS AND EMS AUDIT PROCEDURES
 THE PURPOSE OF INTERNAL AUDITS

ISO 9000:2000 2.8.2 Auditing the Quality Management System

”Audits are used to determine the extent to which the quality

management system requirements are fulfilled. Audit findings
are used to assess the effectiveness of the quality management
system and to identify oppurtunities for improvement”

2.8.1 Evaluating processes within the QMS

a) Is the process identified and appropriately defined?

b) Are responsibilities assigned?
c) Are the procedures implemented and maintained?
d) Is the process effective in achieving the required results?
3
ISO 9001:2000 8.2.2 Internal audit ISO 9004:2000 8.2.1.3 Internal audit
• transformed into positive claims:
Internal audit
Examples of subjects for consideration
We conduct audits at planned intervals to determine by internal auditing:
whether our QMS conforms to the planned
arrangements and to the requirements of the ISO
9001 standard and to check that it is effectively • effective and efficient implementation of processes
implemented and maintained.
• oppurtunities for continuous improvement
Planning of audit program • capability of processes
We plan an audit program taking into consideration
the status and importance of the processes and areas
• effective and efficient use of statistical techniques
to be audited, as well as the results of previous • use of information technology
audits. • analysis of quality cost data
• effective and efficient use of resources
Documented audit procedure • processes and product performance results
We have established a documented procedure for • adequacy and accuracy of performance measurements
the planning, conducting, criteria, scope, frequency
and methods of audits including reporting of results • improvement activities
and maintenance of audit records. • relationships with interested parties
Auditors
We select our auditors and conduct audits in such a
way that the objectivity and impartiality of our
audits is ensured.

Responsibility of corrective actions

Our management responsible for the area audited
ensures that actions are taken without undue delay
to eliminate any detected nonconformities and their
causes.

Follow up
We perform follow-up activities to verify that
actions are taken to eliminate nonconformities and
their causes, and we report the results of our
verification activities. 4
 SELF ASSESSMENT MODEL OF ISO 9004

Performance level Guidance

1 No formal approach No systematic approach evident, no results, poor

results or unpredictable results

2 Reactive approach Problem- or corrective based systematic approach,

minimum data on improvement results available

Stable formal system approach Systematic process-based approach, early stage of

3 systematic improvements, data available on conformance
to objectives and existence of improvement trends
4 Continuous improvement emphasized Improvement process in use, good results and
sustained improvement trends

5 Best-in-class performance Strongly integrated improvement process, best-in-class

benchmarked results demonstrated

PERFORMANCE MATURITY LEVELS (A.2 ISO 9004:2000) 5

 CIRCUMSTANCES FOR EFFECTIVE AUDITING?

Change willingness – organization is willing to implement reasonable audit findings

Attitudes support improvement – without that auditing work in mainly lost!

Top management briefs auditors – what special themes they want the auditors to verify

Members of top management work as auditors in some extent – shows the importance
of audits to organization and gives them an oppurtunity to interact with people

Feedback to auditors – what really happened with nonconformities and recommendations

6
 AUDIT ”LIFE - CYCLE” PROCEDURE
Annual audit Individual
schedule of Monday

Tues day

Wednesday
00

00

00
Month and year
00

00

00
00

00

00
00

00

00
00

00

00
audit
the whole
Thursda y

Friday

Saturday

Sunday
00

00

00

00
00

00

00

00
00

00

00

00
00

00

00

00
00

00

00

00
plans Product audit Purpose – why and what?
QMS System audit
Process audit Documents and records - reading
Competence
Qualifications Planning
Preparing of Questionnaires
Planning
skills Procedures single audit visit
and records
Interactive
Interviews, follow up of
skills
processes and inspections
Independency Auditors
Verification of essential
Conduct of ”must - be” points, records
audits
Compliance with Purpose Identification of improve-
standards, norms, ment needs
legistlation, QMS, Corrective Reporting
contracts etc. actions
(ISO 9001) Audit records
Strengths
Identification of (ISO 9004)
areas of improvement Recommendations
(ISO 9000, 9004) (ISO 9004) Nonconformities
Management Scheduled (ISO 9001)
reviews Follow up and closing corrective
of the corrective actions
actions

7
WHAT IS A MODERN AUDIT?

How rules and requirements are followed in practice?

☯ relevant instructions, procedures, norms, standards. . .
☯ objectives, action plans, values, policies, environmental programs...
☯ customer- and delivery contracts and conditions, purchase contracts
☯ laws, acts, regulatory requirements, permissions, eco-labelling criterias….
 what deviations do we find out in fulfilling the requirements

Should something be done more effectively and more efficiently to

improve customer satisfaction and profitability?
☯ what could be done better to achieve the expectations?
☯ the people working in the process know best the weak points
 recommendations and identification of potential risks of not to
fulfill the requirements, things that could be done better!
8
 WHAT - HOW - RESULTS - IMPROVEMENT
The basic formula of any work and modern
audit

WHAT?
- content
+ HOW?
- process
RESULTS
- indicators -
Right things Right things right,
- criterias efficiently without
- laws, acts,,, wasting of resources
- expectations What has been achieved?
- objectives What do the results indicate?
- requirements Improvement - level of results?
- etc. - trends of results
More accurate Learning - fulfilling of specification limits
definition of - learning from the results
”must be”
things

Do we find any sign

of utilization of results?
Any sign of learning?
Any sign of improvement?
9
ASSIGNMENT OF MODERN AUDITORS
 • Personal

• Understands systems

• Plans in advance

• Problem centric – what’s behind the problems

• Investigator – remember the superindent Columbo!

• Gets along with bosses as well as with workers

• Constructive – sees problems as oppurtunities to some better

• Good listener – makes people discuss and tell their story

• Creates confidence, is frank and honest

”Not the huge number • Competent and professional

of questions but good
listening and active
scanning!”
10
PROFILE OF AN EFFECTIVE AUDITOR
 AUDIT TEAM (ISO 19011)
Lead auditor:
• total responsibility
• leader of the audit team

Auditors:
• experts
• appropriate competence
• independent
• knowledge of applicaple requirements

Team:
• planning of the audit (audit program)
• choice of the audit approach (product or system or process audit)
• planning of audit questions
• carrying out of audit (interviews, verifications, information collections, clarifying of backgrounds)
• reporting (judgement, conclusions, compiling of audit report)
• close up of audit (presenting of audit report)
• follow up of completing of corrective actions, if agreed

Auditee:
• works in cooperation with the audit team
• gives open information to the audit team
• reserves the key persons to be present during the audit
• commits to perform the corrective actions needed
11
 WHAT COULD BE CONSIDERED IN AUDIT PLANNING?

Personnel Supplier Specifications

expectations? expectations Quality Manual
Shareholder
expectations? Work instructions
Society Contracts
expectations? ISO 9001
Customer ISO 14001
expectations? GMP, GLP etc.
Needs and expec- Documented
tations of stake- requirements? What are the most critical
holders? requirements in fulfilling
Audit Rough customer expectations?
Planning

Results and their

trends, level, history
Continuous => Hints for the audit?
improvement?
Any violations,
trends, peaks
etc?
What do they
express?

12
 ISO 9001:2000 SHORTLY
7 Processes
• process planning
4 QMS • customer related processes
• documents 6 Resources • design and development
LKK

MEO • structure • provision of resources • purchasing

TO
• records • competence, training, awareness • production / service delivery
• infrastructure • calibration
• work environment - reasonable process description
- process measures
- process improvement

5 Management responsibility
• commitment, regulatory req.
• customer focus 8 Measurement, analysis, improv.
• quality policy (success factors) • measurement (customer, product, process,
• measurable quality objectives, deployment supplier)
• communication • internal audits
• organization, responsibilities, • nonconforming products
authorities • analysis, conclusions, corrective and
• reviews preventive actions, continuous improve-
ment 13
 ISO 9001:2000 TAKES A NEW APPROACH TO AUDITING
(There are a lot of requirements which are not explicitely required
to be documented, but which have to be implemented and applied)

Does there exist any approach required by the ”shall be”? Find out evidence!

Have people understood it? Find out evidence!

Is the approach implemented and deployed? Find out evidence!

Is it effective? Are there any positive feedback? Find out evidence!

Is there any evidence of improvement of the approach? Find out evidence!

14
 Improvement
Commitment Between
functions,
Internal organzations
3. Role of management
2. Focus on customers increases
4. Communication

1. Emphasis from documented 5. People development

procedures to measurable (competence, effectiveness)
objectives, feedback analysis ISO 9001:2000
and continous improvement
challenges
for 6. Work environment
auditors - suitability

11. ISO 9004

7. Suitability and maintenance
of machines, rooms, systems,
10. Continuos support services
improvement
Data, feedbac
information,
8. Fulfillment of legal and regulatory
analysis, conclusions, 9. Process
requirements
actions, follow up Improvement approach
processes
15
 Plan whom to meet during the audit and the
order of interviews

Process owner
or functional
manager

Either or Supervisor or
team leader

People performing
the work

PLAN WHOM TO MEET AND IN WHICH

ORDER 16
 PREPARING FOR THE AUDIT
Identification of stakeholder needs and expectations
to find out what is crucial for the business to be audited
Quality, environmental and Relevant manuals, procedures
safety policy and instructions - prioritize!
Company vision, goals, Organizational and process changes,
objectives and programs investment programs concerning products

Get acquainted with the Reports of earlier audits

information systems Organization structure and
of the company essential responsibilities and
authorities
Critical human, material, DECIDE WHAT IS THE
equipment etc. resources ”RED THREAD” OF Most critical standards, norms
YOUR FORTHCOMING and legistlation e.g. GMP, GLP
needed to meet customer AUDIT AND THEN
and other requirements PRIORITIZE YOUR Process flow sheets
SOURCE READINGS!
Particular substance and / Customer complaints, feedback,
or material requirements quality control summaries, process
Product changes measure trends, supplier delivery
and change control data and trends etc.
17
 5.6 Management review

Quality Policy 5.3 8.2.2

Quality Objectives 5.4.1

QMS Planning (5.4.2)

Resources 6.0 C
U
N
S
E
T
E Inputs PROCESS 7.0 Outcomes O
D
M
S
Monitoring E
R
8.2.3/4
8.5 Special Requirements 4.2.3

Plan reasonable audit programs

8.4 4.2.4
8.2.1 5.5.1 18
 Management responsibility 5.1 – 5.6
Documentation Human Resources Product &
audit audit Process audits
7.2
6.1 7.3
5.4.2 7.4
4.2.3 6.2 7.5.3
5.5.1 7.5.5
7.1 8.2.4
7.5.1 5.5.3
8.3
4.2.4
PROCESS
5.2
5.3
6.1 5.4.1 6.4
6.3 7.5.2
7.6 8.2.3
8.4
8.5.1

Infrastructure Performance & Work Environment

audit Records audit audit

ISO 9001:2000 GIVES YOU POSSIBILITIES

TO PLAN AUDIT PROGRAMS ACCORDING TO
19
DIFFERENT NEEDS AND ASPECTS
 Auditors have to understand the value generating systems

Enterprise architecture and infrastructure

C Management of structures, functions and processes
K O Human resource management
N M C
O P
Technology development and innovation
u
W E Financial management s
VALUE t
L T GENERATION
o
AND VALUE
E E Logistics ADDITION m
Procurement Marketing e
D N
Strategic
manage- and supply and sales
Operations and distri-
manage- bution r
G C ment chain mana-
gement
manage-
ment
ment manage- s
ment
E E
Quality
Service

REVISED VALUE CHAIN BY T Morden, 1999

20
CHALLENGE FOR THE AUDITORS- SYSTEM AUDITING
 BROAD PERSPECTIVE OF AUDIT

Supplier Organization’s Distribution Customer

value chains value chain channel value chains
value chains

Enterprise architecture and infrastructure

C Management of structures, functions and processes
K O Human resource management
N M
O P
Technology development and innovation
W E Financial management
VALUE
L T GENERATION
AND VALUE
E E Logistics ADDITION
Procurement Marketing
D N
Strategic
manage- and supply and sales
Operations and distri-
manage- bution
G C ment chain mana-
gement
manage-
ment
ment manage-
ment
E E
Quality
Service

MODERN AUDITING IS VERIFYING THE REQUIRED IMPLEMENTATION

OF VALUE ADDING CHAINS. AS AN AUDITOR YOU HAVE TO UNDERSTAND
THE WHOLE BUSINESS SYSTEMS TO BE EFFECTIVE! 21
 DIFFERENT AUDITING TACTICS
Effective in revealing
Effective in revealing
systematic deficiencies
systematic deficiencies
From delivery to
From sales to sales
delivery
Downstream auditing Upstream auditing

Process auditing Verification of

product requirements

Product auditing

Horizontal auditing Departmental

Vertical auditing auditing

Identification of problems Vertical walk through Not so effective in

between departments the same department revealing systematic
deficiencies
Identification of
information flow, 22
commitment to objectives etc.
 PROCESS AUDIT TACTICS
Goals, budgets, strategy, procedures,
legistlation, instructions, standards etc.

CONTROL

Sales Engineering Production Delivery

Down stream Outputs

Inputs

Up stream

RESOURCES

PROCESS AUDITS CAN BE DONE EITHER IN DOWN STREAM

OR IN UP STREAM. UP STREAM IS MORE BENEFICIAL FOR
AUDITORS, IT GIVES PRACTICAL EXPERIENCES ALONG THE
ROUTE AND FINALLY AT SALES OFFICE YOU CAN ASK
23
VERY TIGHT QUESTIONS
 Usage
DOWN STREAM OR UPSTREAM Packing and
AUDITING AND FOLLOWING OF delivery logistics
Take an
TRACEABILITY IS ONE OF THE example,
MOST EFFECTIVE AUDIT TACTICS a certain
- traceability audit lot or batch
Information and trace
Systems Storage data and
procedures
to it through
the process

Maintenance
Human Resource Production - process capability
Administration

Production Purchase
planning - raw materials
- logistics
Specs

R&D

Marketing &Sales Take a specific product batch and follow its

path through the process and track essential data, 24
information and instructions linked to the same batch!
 Make questions concerning:
Plan the process
audit - Process planning and documentation, process intsructions, regulatory req.
- Process boundaries (functional and / or team boundaries)
- Process management, responsibilities, ownership, objectives, measures
- Customer definition and identification of their needs and expectations
- Supplier selection criterias, purchasing, feedback and re-evalution procedures
- Product specifications
- Quality control, measurement, calibration, test status requirements
- Corrective and preventive and process improvement procedures

Control

Customers
Suppliers INPUTS E.G. SALES – DELIVERY
OUTPUTS
PROCESS

Make questions conserning:

- Input information and data RESOURCES Make questions concerning:
(orders, contracts, needs, ex-
- Product quality
pectations, experiences…)
- Delivery quality
- Raw materials, components etc.
- Nonconformities
- Supplier quality Make questions concerning: - Customer feedback
- Etc. - Resource management - Customer satisfaction
Choose and - People competence
trace some - Infrastructure 25
certain lot - Work environment
  capability of machines, yield
 skills, knowledge, qualifications  effectiveness, efficiency
 work content and order  maintenance
 motivation, attitudes, satisfaction  performance
 awareness of own role  degree of utilization  properties
 uniformity, stability
 environmental aggressiveness

Machines
Man Materials

WHAT IS  work flow

Marks  who, what, when, how
IMPORTANT Methods  unambiguity, clarity
in process control?  readability
 preventive costs
 variation control
 appraisal costs
Milieu Measurements  utilization of feedback
 defect and scrap costs
 updating of content
 complaint costs
 information flow
 environmental sanctions
 penalty costs
 working conditions  sampling methods, representativeness
 sampling conditions  repeatability, reproducibility
 analysis conditions  measuring uncertainty
 sample storing conditons  records
 working environment  conditions
 traceable calibration
26
PRACTICAL ITEMS FOR PROCESS AUDITS
 Additional
questions
THE ”RED THREAD” OF THE AUDIT
during ?
audit ?
? ?
? ?
? ?
?
? ? ?
? ? ? ? ?
? ?

? ? ? ? ?

? ?
? ? ? ? ? ?
? ? ?
?
? ?
Don’t make the questionnaire too detailed
Follow your main themes, listen and make additional questions
Return to your main questions when you feel that the main
content to your earlier question has been achieved 27
 PLANNING OF AUDIT QUESTIONNAIRE

What is important Management

to customers, owners, responsibility Critical process
personnel, suppliers - what kind of phases?
and society? support? - what to observe?

Choose 1 …3 ”Must- Audit question-

Be” matters as drivers naire
of the audit

Support of Critical re- Feedback, measures

documents, sources? - corrective actions?
records, norms, - what kind - preventive actions?
(GMP, GLP, ISO,,,) of support? - continuous improvement?
standards, pro-
cedures etc.?
FIND OUT WHETHER THEY MANAGE THE MATTERS
EFFECTIVELY AND EFFICIENTLY IN THE AUDITED AREA 28
QUESTIONNAIRE Page:________

Questions Auditees Auditors Records OK NOT OK

Arrange the questions either

according to themes or accor-
ding to people to be audited

• Remember questions inspiring

improvement ideas

• Remember questions concerning

learning from feedback, results

• Rememeber to collect facts during

discussions

29
 THEMES FOR THE INTERVIEW OF ORDINARY PEOPLE

1 Who are your internal customers? What do they expect or require from your job?

2 How do you see that your bosses empasize the customer focus in practice?

3 With whom do you work together? What is crucial in this cooperation?

4 What work phases are critical in your work? What are the requirements?

5 How do you see that procedures, manuals, instructions etc. support you and your work?

6 How is the acceptability of your work phase assessed? How do you receive feedback?

7 What kind of records you are requested to fulfill? Are they clear?

8 How do you handle deviating parts, materials, products, situations etc.?

9 What would you like to specially improve in your work?

10 What kind of training or competence improvement needs do you have?

11 How well do you see that the infrastructure (facilities etc.) is supporting your work?

12 How well do you see that the work environment is supporting your work?

13 How well do you see that suppliers actions and deliveries support your work?
30
 COLLECTION OF OBSERVATIONS DURING AUDIT

Follow up of inspections and process phases,

use of clarifying questions
Interviews of personnel
(management, white and blue collar Review of files and records
people; awareness of their roles,
duties, authorities, QMS, awareness Order, tideness, hygiene
of process thinking…)
Status of materials, products, qualified
Implementation of processes, testing and measuring systems
rules and criteria
and relevant Skills and competences of personnel
documents
Training and qualifications of personnel

Identification of
non-conformities and
Follow up of the skills of
their handling, prevention
people to use computer
of reoccurrence, use of Identification of material systems in controlling
”early warning indicators”, markings and labels, operations
continuous improvement traceability of chemicals,
additives, analysis data,
calibrations chains, 31
acceptances etc.
SCHEDULING THE AUDIT DAY

Opening 5 - 10 min
• introductions (In practice auditors start
directly with interviews etc.
• objectives
and shortly introduce the
• program purpose and scope to everyone
• reporting met during the audit)

Auditing 2-5h
• interviews, observings, verifications
and additional tasks

Report compilation 1/2 - 2 h

Close up meeting 1/2 h

32
 CONDUCT OF AUDIT

ASK OBSERVE
Open ended questions Follow what
to receive the is occurring
best information in processes

RECORD VERIFY
Objective evidence, The compliance with
both positive and the documents and
negative points requirements
The existence of relevant
files and history of results

33
BACKGROUND INFORMATION FOR THE AUDITS

Clarify to yourself what are the objectives of this audit -

what do you want to find out?

Inform the organization to be audited

Be positive even in the case that things are not so well looked after

Prepare, prepare and once more prepare thoroughly before your audit visit

Collect and record the facts from the company, not your opinions

Be systematic

Never loose the product and customer requirements from your sight

Never accuse the interviewee

Record what the interviewee himself is saying, not your interpretations

If you have made wrong conclusions, be correct and change your decisions
34
 2 …You have to
focus on the
essential features
1 …You have to 3 …You have to have
understand the scope the ”red thread” and logics
and the objectives of in your audit assignment
every audit

To be a good
auditor . . .
4 …You have to be
frank, confident and
6 …You have to keep make people to discuss
your timetables with you

5 …You have to make

reasonable conclusions
from your observations

35
 AUDIT RECORDS
1. Identifications:
• auditor names
• auditee names and positions
• date
• company, functios and / or products & processes

2. Main items of interviews:

• records from the main items discussed

3. Checked examples - recording of facts:

• reports, protocols and other documents reviewed - take copies with you!
• identifications of rules, procedures, criterias applied during audit
• information concerning processes, equipment, tests etc. followed

4. If necessary:
• recording of conditions like temperature, moisture, dust etc.
• order and tideness, hygiene, ventilation, illumination ...
• attitudes among personnel to control and react production conditions,
process and product deviations, disturbances
• awareness of their own roles, motivation, working atmosphere…

36
 A GOOD OBSERVATION?

Is based on facts

Gives such a clear description that it can be

understood even after years

A complete sentence

Does not use streching words as ”sufficiently, well enough etc.”

Unambiguous and precise

Not an opinion

Does not refer to a person

Valuable for the corrective actions and improvement

Expresesses the situation as clearly as possible

Encourages and supports the receiver

37
 • Verified documents (date, title, identification, version)
Background of the
observation • Verified equipment, systems, rooms etc.
- random or systematic?
- linking to what ISO 9001, • Verified records and files (reports, files, memos,,,)
GMP, GLP etc. element?
- linking to quality objectives?
- where in the QMS? • Interviewed persons (position, name, department,,,)
- situation where observed?
- area in charge? • Verified products (product id, drawing, specification, place, lot,,,)
- evidence received??
• Verified production lines, infrastructure ,,,

OBJECTIVE EVIDENCE 38
Nonconformity
Report

• Specify the problem accurately and unambiguosly

• Link the verified facts to your report

• Give information what kind of risks the problem

may cause to the auditee

• Give a clear ”address” of the problem (where, when, with whom,

machines etc.)

• Refer to the documented requirement which has been violated

(procedure, instruction, ISO 9001 element etc.)

WRITING A NONCONFORMITY REPORT 39

 REPORTING OF AUDIT RESULTS

Strengths; things that show strong

positive influence on product or service
Audit quality, work atmosphere, profitability,
Summary customer satisfaction etc.

Recommendations; things where

you are not completely sure whether they
are nonconformities, things which
were raised during the audit to be
improved etc.
Non-fulfilment of Nonconformity
a requirement Report (ISO 9001) Strengths and
Recommendations
- based on objective
(ISO 9004)
evidence

40
Consider thoroughly your findings before reporting!
CLOSE UP MEETING

Introduction:
– where and when
– main items of audit
– auditors
– people met during audit
Audit approach:
– execution
– report structure
Report:
– strengths and recommendations
– nonconformities

Internal discussion within the audit team:

– What did we learn from this audit?
– What should we learn for the future audits?

41
CORRECTIVE ACTIONS AND CONTINUOUS IMPROVEMENT

Nonconformities:
• immediate actions
• plans and schedules
• follow up of the effectiveness
• closing
Cause
Impact

Recommendations:
Small
• prioritization
Not
• evaluation, decision and known
communication
Known
Large
Resource needs
Strengths:
• how to exploit strengths Minor Extensive
to improve customer sa-
tisfaction and competitiveness?

42
 • Self assessment models (ISO 9004:2000)

• Special questions asked literally during audit

• Problem mapping during audits (e.g. with help of process flow sheets)

• Cross-functional boundary problem identifications

• Quality Award questions

• Questionnaires to be fulfilled by the personnel during audits

• Bottleneck analysis, lead time analysis etc. as a group work

during audits

DEVELOPING OF INTERNAL AUDITS 43

Improvement of internal audits
Viewpoint What to improve next time?

Preparing for the audit?

• available material – sufficiency?
• information from the auditee organization?
• compiling of questions?

Audit plan in practice - functionality?

• possible deficiencies
• accuracy?
• time schedule – tight or loose?

Audit interviews, verification?

• interactiveness?
• questioning technics?
• ability to make additional questions?
• looking for facts, evidences?
• follow up of your ”red thread”?

Competence of the audit team in substance matters?

Recording of audit findings?

Compilation of audit report?

Close up meeting – clarity, additional value?

44