ISO 9001 - QMS LA Delegate Course Notes


Edu/QMS_LA/DCN/v1.0 September, 2019 Page 1 of 176


1. CUSTOMER FOCUS
Statement
The primary focus of quality management is to meet customer requirements and to strive to
exceed customer expectations.

Rationale
Sustained success is achieved when an organization attracts and retains the confidence of
customers and other relevant interested parties. Every aspect of customer interaction
provides an opportunity to create more value for the customer. Understanding current and
future needs of customers and other interested parties contributes to the sustained success
of the organization.

Key benefits
Some potential key benefits are:
• increased customer value;
• increased customer satisfaction;
• improved customer loyalty;
• enhanced repeat business;
• enhanced reputation of the organization;
• expanded customer base;
• increased revenue and market share.

Possible actions

Possible actions include:
• recognize direct and indirect customers as those who receive value from the
organization;
• understand customers’ current and future needs and expectations;
• link the organization’s objectives to customer needs and expectations;
• communicate customer needs and expectations throughout the organization;
• plan, design, develop, produce, deliver and support products and services to meet
customer needs and expectations;
• measure and monitor customer satisfaction and take appropriate actions;
• determine and take action on relevant interested parties’ needs and appropriate
expectations that can affect customer satisfaction;
• actively manage relationships with customers to achieve sustained success.

2. LEADERSHIP
Statement
Leaders at all levels establish unity of purpose and direction and create conditions in
which people are engaged in achieving the organization’s quality objectives.

Rationale
Creation of unity of purpose and the direction and engagement of people enable an
organization to align its strategies, policies, processes and resources to achieve its
objectives.

Key benefits
Some potential key benefits are:
• increased effectiveness and efficiency in meeting the organization’s quality
objectives;
• better coordination of the organization’s processes;
• improved communication between levels and functions of the organization;
• development and improvement of the capability of the organization and its people
to deliver desired results.

Possible actions
Possible actions include:
• communicate the organization’s mission, vision, strategy, policies and processes
throughout the organization;
• create and sustain shared values, fairness and ethical models for behaviour at all
levels of the organization;
• establish a culture of trust and integrity;
• encourage an organization-wide commitment to quality;
• ensure that leaders at all levels are positive examples to people in the
organization;
• provide people with the required resources, training and authority to act with
accountability;
• inspire, encourage and recognize the contribution of people.

3. ENGAGEMENT OF PEOPLE
Statement
Competent, empowered and engaged people at all levels throughout the organization
are essential to enhance the organization’s capability to create and deliver value.

Rationale
In order to manage an organization effectively and efficiently, it is important to respect
and involve all people at all levels. Recognition, empowerment and enhancement of
competence facilitate the engagement of people in achieving the organization’s
quality objectives.

Key benefits
Some potential key benefits are:
• improved understanding of the organization’s quality objectives by people in the
organization and increased motivation to achieve them;
• enhanced involvement of people in improvement activities;
• enhanced personal development, initiatives and creativity;
• enhanced people satisfaction;
• enhanced trust and collaboration throughout the organization;
• increased attention to shared values and culture throughout the organization.

Possible actions
Possible actions include:
• communicate with people to promote understanding of the importance of their
individual contribution;
• promote collaboration throughout the organization;
• facilitate open discussion and sharing of knowledge and experience;
• empower people to determine constraints to performance and to take initiatives
without fear;
• recognize and acknowledge people’s contribution, learning and improvement;
• enable self-evaluation of performance against personal objectives;
• conduct surveys to assess people’s satisfaction, communicate the results and take
appropriate actions.

4. PROCESS APPROACH
Statement
Consistent and predictable results are achieved more effectively and efficiently when
activities are understood and managed as interrelated processes that function as a
coherent system.

Rationale
The QMS consists of interrelated processes. Understanding how results are produced
by this system enables an organization to optimize the system and its performance.

Key benefits
Some potential key benefits are:
• enhanced ability to focus effort on key processes and opportunities for
improvement;
• consistent and predictable outcomes through a system of aligned processes;
• optimized performance through effective process management, efficient use of
resources and reduced cross-functional barriers;
• enabling the organization to provide confidence to interested parties related to its
consistency, effectiveness and efficiency.

Possible actions
Possible actions include:
• define objectives of the system and processes necessary to achieve them;
• establish authority, responsibility and accountability for managing processes;
• understand the organization’s capabilities and determine resource constraints prior
to action;
• determine process interdependencies and analyse the effect of modifications to
individual processes on the system as a whole;
• manage processes and their interrelations as a system to achieve the
organization’s quality objectives effectively and efficiently;
• ensure the necessary information is available to operate and improve the
processes and to monitor, analyse and evaluate the performance of the overall
system;
• manage risks which can affect outputs of the processes and overall outcomes of
the QMS.

5. IMPROVEMENT
Statement
Successful organizations have an ongoing focus on improvement.
Rationale
Improvement is essential for an organization to maintain current levels of
performance, to react to changes in its internal and external conditions and to create
new opportunities.

Key benefits
Some potential key benefits are:
• improved process performance, organizational capability and customer
satisfaction;
• enhanced focus on root cause investigation and determination, followed by
prevention and corrective actions;
• enhanced ability to anticipate and react to internal and external risks and
opportunities;
• enhanced consideration of both incremental and breakthrough improvement;
• improved use of learning for improvement;
• enhanced drive for innovation.

Possible actions
Possible actions include:
• promote establishment of improvement objectives at all levels of the organization;
• educate and train people at all levels on how to apply basic tools and
methodologies to achieve improvement objectives;
• ensure people are competent to successfully promote and complete improvement
projects;
• develop and deploy processes to implement improvement projects throughout the
organization;
• track, review and audit the planning, implementation, completion and results of
improvement projects;
• integrate improvement consideration into development of new or modified products
and services and processes;
• recognize and acknowledge improvement.

6. EVIDENCE-BASED DECISION MAKING


Statement
Decisions based on the analysis and evaluation of data and information are more
likely to produce desired results.

Rationale
Decision-making can be a complex process and it always involves some uncertainty.
It often involves multiple types and sources of inputs, as well as their interpretation,
which can be subjective. It is important to understand cause and effect relationships
and potential unintended consequences. Facts, evidence and data analysis lead to
greater objectivity and confidence in decision making.

Key benefits
Some potential key benefits are:
• improved decision making processes;
• improved assessment of process performance and ability to achieve objectives;
• improved operational effectiveness and efficiency;
• increased ability to review, challenge and change opinions and decisions;
• increased ability to demonstrate the effectiveness of past decisions.

Possible actions
Possible actions include:
• determine, measure and monitor key indicators to demonstrate the organization’s
performance;
• make all data needed available to the relevant people;
• ensure that data and information are sufficiently accurate, reliable and secure;
• analyse and evaluate data and information using suitable methods;
• ensure people are competent to analyse and evaluate data as needed;
• make decisions and take actions based on evidence, balanced with experience
and intuition.

7. RELATIONSHIP MANAGEMENT
Statement
For sustained success, organizations manage their relationships with relevant
interested parties, such as providers.

Rationale
Relevant interested parties influence the performance of an organization. Sustained
success is more likely to be achieved when the organization manages relationships
with all of its interested parties to optimize their impact on its performance.
Relationship management with its provider and partner networks is of particular
importance.

Key benefits
Some potential key benefits are:
• enhanced performance of the organization and its relevant interested parties
through responding to the opportunities and constraints related to each interested
party;
• common understanding of objectives and values among interested parties;
• increased capability to create value for interested parties by sharing resources and
competence and managing quality related risks;
• a well-managed supply chain that provides a stable flow of products and services.

Possible actions
Possible actions include:
• determine relevant interested parties (such as providers, partners, customers,
investors, employees or society as a whole) and their relationship with the
organization;
• determine and prioritize interested party relationships that need to be managed;
• establish relationships that balance short-term gains with long-term considerations;
• gather and share information, expertise and resources with relevant interested
parties;
• measure performance and provide performance feedback to interested parties, as
appropriate, to enhance improvement initiatives;
• establish collaborative development and improvement activities with providers,
partners and other interested parties;
• encourage and recognize improvements and achievements by providers and
partners.

A copy of relevant pages of annex SL attached for further reading.
The PDCA cycle can be applied to all processes and to the quality management system as a
whole.

The PDCA cycle can be briefly described as follows:


— Plan: establish the objectives of the system and its processes, and the resources needed
to deliver results in accordance with customers’ requirements and the organization’s
policies, and identify and address risks and opportunities;
— Do: implement what was planned;
— Check: monitor and (where applicable) measure processes and the resulting products and
services against policies, objectives, requirements and planned activities, and report the
results;
— Act: take actions to improve performance, as necessary.

This International Standard promotes the adoption of a process approach when developing,
implementing and improving the effectiveness of a quality management system, to enhance
customer satisfaction by meeting customer requirements. Specific requirements considered
essential to the adoption of a process approach are included in 4.4.

Understanding and managing interrelated processes as a system contributes to the
organization’s effectiveness and efficiency in achieving its intended results. This approach
enables the organization to control the interrelationships and interdependencies among the
processes of the system, so that the overall performance of the organization can be enhanced.

The process approach involves the systematic definition and management of processes, and
their interactions, so as to achieve the intended results in accordance with the quality
policy and strategic direction of the organization. Management of the processes and the
system as a whole can be achieved using the PDCA cycle (see 0.3.2) with an overall focus on
risk-based thinking (see 0.3.3) aimed at taking advantage of opportunities and preventing
undesirable results.

The application of the process approach in a quality management system enables:
a) understanding and consistency in meeting requirements;
b) the consideration of processes in terms of added value;
c) the achievement of effective process performance;
d) improvement of processes based on evaluation of data and information.

Figure gives a schematic representation of any process and shows the interaction of its
elements. The monitoring and measuring check points, which are necessary for control, are
specific to each process and will vary depending on the related risks.

4. Context
4.1 Understand your organization and its unique context
• Identify and understand your organization's context.
• Identify and understand your organization's context before you establish its quality
management system (QMS).
• Consider the external issues that are relevant to your organization's purpose and
strategic direction and think about the influence these issues could have on its QMS
and the results it intends to achieve.
• Consider the internal issues that are relevant to your organization's purpose and
strategic direction and think about the influence these issues could have on its QMS
and the results it intends to achieve.
• Monitor information about your organization's context.
• Consider the impact changes in context could have on your organization's quality
management system (QMS).

4.2 Clarify the needs and expectations of interested parties


• Identify the parties who affect or could affect your QMS.
• Consider how interested parties affect or could affect your ability to provide
products and services that meet customer requirements.
• Consider how interested parties could affect your ability to provide products and
services that meet statutory and regulatory requirements.
• Clarify and understand their unique needs and expectations.
• Monitor and review information about your interested parties.

4.3 Define the scope of your quality management system


• Clarify boundaries and think about what your QMS should apply to.
• Use boundary and applicability information to define your scope.
• Consider your organization's context when you define your scope.
• Document the scope of your quality management system (QMS).
• Use your scope document to describe the boundaries of your organization's QMS
and to explain what it applies to.
• Use your scope document to identify the types of products and services that will be
included in your organization's QMS.
• Use your scope document to explain that every ISO 9001 requirement must be
applied unless you can explain why it does not apply.
• Maintain the document that defines the scope of your QMS.
• Control your organization's QMS scope document.

4.4 Develop a QMS and establish documented information


4.4.1 Establish a QMS that complies with this standard
• Develop a process-based quality management system (QMS).
• Determine the processes that your QMS needs.
• Determine methods needed to manage processes.
• Determine resources needed to support processes.
• Determine process responsibilities and authorities.
• Determine risks and opportunities for each process.
• Determine methods needed to evaluate processes.
• Implement your process-based quality management system.
• Apply criteria needed to operate and control your processes.
• Apply methods needed to operate and control your processes.
• Maintain your process-based quality management system.
• Improve your process-based quality management system.
4.4.2 Maintain QMS documents and retain QMS records
• Maintain documents needed to support process operations.
• Control documents which support process operations.
• Retain records which show that plans are being followed.
• Control records which show that plans are being followed.

5. Leadership – A Refresh
5.1 Provide leadership by focusing on quality and customers
5.1.1 Provide leadership by encouraging a focus on quality
• Accept responsibility for your QMS.
• Demonstrate a commitment to your QMS.
• Ensure that a quality policy is developed.
• Ensure that quality objectives are established.
• Ensure that requirements are built into processes.
• Ensure that your QMS achieves all intended results.
• Communicate your commitment to the QMS.
• Explain why quality management is important.
• Expect managers to be accountable for their QMS.
• Encourage your personnel to support their QMS.
• Promote the use of risk-based thinking.
5.1.2 Provide leadership by encouraging a focus on customers
• Expect personnel to focus on customers.
• Expect personnel to manage all relevant requirements.
• Expect personnel to manage relevant risks and opportunities.
• Expect personnel to focus on enhancing customer satisfaction.

5.2 Provide leadership by establishing a suitable quality policy
5.2.1 Provide leadership by formulating your quality policy
• Develop an appropriate quality policy.
• Make sure that it supports your organization's purpose.
• Make sure that it deals with your organization's context.
• Formulate your organization's quality policy.
• Make a commitment to satisfy applicable requirements.
• Make a commitment to continual QMS improvement.
• Implement your organization's quality policy.
• Maintain your organization's quality policy.
5.2.2 Provide leadership by implementing your quality policy
• Document your organization's quality policy.
• Communicate your organization's quality policy.
• Apply your organization's quality policy.

5.3 Provide leadership by defining roles and responsibilities
• Assign QMS roles, responsibilities, and authorities.
• Communicate QMS roles, responsibilities, and authorities.

6. Planning – A Refresh
6.1 Define actions to manage risks and address opportunities
6.1.1 Consider risks and opportunities when you plan your QMS
• Plan the development of your organization's QMS.
• Identify the risks and opportunities that could influence the performance of your
organization's QMS or disrupt its operation.
• Consider how your organization's context could affect how well its QMS is able to
achieve intended results.
• Consider how your organization's interested parties could affect how well its QMS is
able to achieve intended results.
• Figure out what you need to do to address the risks and opportunities that could
influence the performance of your organization's QMS or disrupt its operation.
6.1.2 Plan how you’re going to manage risks and opportunities
• Consider your organization's risk treatment options.
• Define actions to address risks and opportunities.
• Define actions that you can take to address the risks and opportunities that could
influence the performance of your QMS or disrupt or damage its operation.

6.2 Set quality objectives and develop plans to achieve them


6.2.1 Establish quality objectives for all relevant areas
• Clarify criteria for setting quality objectives.
• Set quality objectives in all relevant areas.
• Communicate your quality objectives.
• Document your quality objectives.
• Monitor your quality objectives.
• Update your quality objectives.
6.2.2 Develop plans to achieve objectives and evaluate results
• Establish plans to achieve quality objectives.
• Plan how you're going to evaluate your results.

6.3 Plan changes to your quality management system


• Plan changes to your quality management system.
• Consider the purpose of the changes you intend to make.
• Consider responsibilities and authorities whenever you make changes.
• Consider the consequences that changes could potentially produce.
• Consider the availability of resources whenever you make changes.
• Consider the integrity of your QMS whenever you make changes.

7. Support – A Refresh
7.1 Support your QMS by providing the necessary resources
7.1.1 Provide internal and external resources for your QMS
• Determine the resources that your QMS needs.
• Provide the resources that your QMS needs.
7.1.2 Provide suitable people for your QMS and your processes
• Provide the people that your QMS needs to be effective.
• Provide the people that you need in order to operate processes.
• Provide the people that you need in order to control processes.
7.1.3 Provide the infrastructure that your processes must have
• Determine the infrastructure that your processes need.
• Identify the infrastructure that your organization needs in order to support process
operations and achieve conformity of products and services.
• Provide the infrastructure that your processes need.
7.1.4 Provide the appropriate environment for your processes
• Determine the environment that your processes need.
• Identify the environment that your organization needs in order to support process
operations and achieve conformity of products and services.
• Provide the environment that your processes need.
7.1.5 Provide monitoring, measuring, and traceability resources
7.1.5.1 Provide suitable monitoring and measuring resources
• Determine monitoring and measuring resource requirements.
• Identify the monitoring and measuring resources that you need in order to be sure
that you can provide products and services that meet all relevant requirements.
• Provide suitable monitoring and measuring resources.
7.1.5.2 Provide suitable measurement traceability resources
• Determine your measurement traceability requirements.
• Provide suitable measurement traceability resources.
7.1.6 Provide knowledge to facilitate process operations
• Determine the knowledge that your organization needs to have.
• Acquire the knowledge that your organization needs to have.
• Make organizational knowledge available to the extent necessary.
• Monitor relevant trends and changes in knowledge and information.
• Maintain the organizational knowledge that has been acquired.

7.2 Support your QMS by ensuring that people are competent


• Identify those under your control who do work that affects quality.
• Clarify your organization's quality competence requirements.
• Acquire competence whenever shortcomings are discovered.
• Document the competence of those whose work affects quality.
• Evaluate the effectiveness of actions taken to acquire competence.

7.3 Support your QMS by explaining how people can help
• Make personnel aware of your organization's QMS.
• Share information about your QMS with the people who carry out work that is
under your organization's control.

7.4 Support your QMS by managing your communications


• Support your QMS by managing QMS communications.
• Figure out how internal communications will be handled.
• Figure out how external communications will be handled.

7.5 Support your QMS by controlling documented information
7.5.1 Include the documented information that your QMS needs
• Figure out how extensive documented QMS information should be.
• Consider activities when you establish documents and records.
• Consider personnel when you establish documents and records.
• Consider processes when you establish documents and records.
• Consider products when you establish documents and records.
• Consider services when you establish documents and records.
• Consider size when you establish documents and records.
• Select all the documents and records that your QMS needs.
• Select all internal documents and records that your QMS needs.
• Select all external documents and records that your QMS needs.

7.5.2 Manage the creation and revision of documented information


• Manage the creation and updating of documented information.
• Make sure that your organization’s QMS documents and records are properly identified
and described.
• Make sure that your organization’s QMS documents and records are properly formatted
and presented.
• Make sure that your organization’s QMS documents and records are properly reviewed
and approved.

7.5.3 Control the management and use of documented information
7.5.3.1 Control your organization's QMS documents and records
• Select the QMS documents and records that you need.
• Select all the documentation that you need in order to protect the confidentiality,
integrity, and use of information.
• Select all of the documentation that is required by ISO 9001.
• Control the QMS documents and records that you need.
• Control all the internal documentation that your QMS needs.
• Control all the external documentation that your QMS needs.
7.5.3.2 Control how QMS documents and records are controlled
• Control how QMS documents and records are controlled.
• Control how QMS documents and records are created.
• Control how QMS documents and records are identified.
• Control how QMS documents and records are distributed.
• Control how QMS documents and records are accessed.
• Control how QMS documents and records are retrieved.
• Control how QMS documents and records are stored.
• Control how QMS documents and records are used.
• Control how QMS documents and records are changed.
• Control how QMS documents and records are protected.
• Control how QMS documents and records are preserved.

8. Operations – A Refresh
8.1 Develop, implement, and control your operational processes
• Plan the implementation and control of operational processes.
• Prepare operational process implementation and control plans.
• Use your plans to implement and control operational processes.
• Control planned operational process changes and modifications.
• Retain suitable operational process documents and records.

8.2 Determine and document product and service requirements


8.2.1 Communicate with customers and manage customer property
• Communicate with customers.
• Provide information to customers.
• Obtain information from customers.
• Manage customer property.
• Control property supplied by customers.
8.2.2 Clarify all product and service requirements and capabilities
• Identify requirements for products & services offered to customers.
• Verify that you can actually meet product & service requirements.
8.2.3 Review product and service requirements and record results
8.2.3.1 Verify requirements before you accept orders from customers
• Study product & service requirements before accepting order.
• Clarify differences between original proposal and final order.
• Confirm that you can meet product and service requirements.
8.2.3.2 Document your review of product and service requirements
• Document results of product and service requirement reviews.
• Document new or changed product and service requirements.
8.2.4 Amend documents when product and service requirements change
• Amend all relevant documented information to reflect changes in customers'
product and service requirements.
• Retain and control documents and records that describe new or modified product
and service requirements.

8.3 Establish a process to design and develop products and services


8.3.1 Create an appropriate design and development process
• Establish an appropriate design and development process.
• Implement an appropriate design and development process.
8.3.2 Plan product and service design and development activities
• Plan your design and development stages and controls.
• Consider design and development process complexities.
• Consider design and development process requirements.
• Consider design and development process expectations.
• Consider design and development process participation.
• Consider design and development process interfaces.
• Consider design and development process responsibilities.
• Consider design and development process documentation.
• Consider design and development process resources.
8.3.3 Determine product and service design and development inputs
• Clarify your product and service design and development inputs.
• Define product and service design and development resource needs.
• Control your design and development input documents and records.
8.3.4 Specify how design and development process will be controlled
• Control product and service design and development activities.
• Control how design and development results are defined.
• Control how design and development reviews are carried out.
• Control how design and development validations are performed.
• Control how design and development verifications are done.
• Document product and service design and development activities.
8.3.5 Clarify how design and development outputs will be produced
• Control product and service design and development outputs.
• Ensure that outputs can be compared against input requirements.
• Ensure that outputs are capable of supporting product provision.
• Ensure that outputs include or refer to acceptance criteria.
• Ensure that outputs can be used to validate proposals.
• Control design and development output documents and records.
8.3.6 Review and control all design and development changes
• Identify changes during or subsequent to design and development.
• Review changes during or subsequent to design and development.
• Control changes during or subsequent to design and development.

8.4 Monitor and control external processes, products, and services


8.4.1 Confirm that external products and services meet requirements
• Establish controls for external processes, products, and services.
• Control your externally provided processes, products, and services.
• Determine criteria to select, evaluate, & monitor external providers.
• Use criteria to select external process, product, and service providers.
• Use criteria to monitor the performance of your external providers.
• Use criteria to evaluate your organization's external providers.
8.4.2 Develop controls for externally provided products and services
• Consider controls for external providers, processes, products, and services.
• Consider the potential impact that externally provided processes, products, and
services could have on your organization's ability to consistently meet external
requirements.
• Consider the controls that external process, product, and service providers have
implemented and think about how effective their controls actually are.
• Develop controls for external providers, processes, products, and services.
• Implement controls for external providers, processes, products, and services.
8.4.3 Discuss your organization’s requirements with external providers
• Clarify what you expect from external providers.
• Clarify your organization's process requirements.
• Clarify your organization's product requirements.
• Clarify your organization's service requirements.
• Clarify your organization's equipment requirements.
• Clarify your organization's interaction requirements.
• Clarify your organization's competence requirements.
• Clarify your organization's methodological requirements.
• Clarify your organization's monitoring and control requirements.
• Clarify your organization's verification or validation requirements.
• Discuss your organization's requirements with external providers.

8.5 Manage and control production and service provision activities


8.5.1 Establish controls for production and service provision
• Implement controlled conditions.
• Implement controlled conditions for production.
• Implement controlled conditions for service provision.
• Implement controlled conditions for delivery process.
• Implement controlled conditions for post-delivery process.
8.5.2 Identify your outputs and control their unique identity
• Use suitable means to identify outputs.
• Identify outputs throughout production.
• Identify outputs throughout service provision.
• Control the unique identity of your outputs.
• Control output identity if traceability is required.
8.5.3 Protect property owned by customers and external providers
• Identify property belonging to customers and external providers.
• Verify property belonging to customers and external providers.
• Protect property belonging to customers and external providers.
• Monitor property belonging to customers and external providers.
• Document property belonging to customers and external providers.
8.5.4 Preserve outputs during production and service provision
• Preserve outputs during production and service provision.
• Consider using identification methods to preserve outputs.
• Consider using packaging methods to preserve outputs.
• Consider using handling methods to preserve outputs.
• Consider using storage methods to preserve outputs.
• Consider using transmission methods to preserve outputs.
• Consider using transportation methods to preserve outputs.
8.5.5 Clarify and comply with all post-delivery requirements
• Clarify your organization's post-delivery requirements.
• Identify activities that must be carried out after product delivery.
• Identify activities that must be carried out after service delivery.
• Comply with your organization's post-delivery requirements.
8.5.6 Control changes for production and service provision
• Review changes in production and service provision.
• Document review results, actions taken, and authorizations.
• Control changes in production and service provision.

8.6 Implement arrangements to control product and service release


• Establish planned arrangements to verify products at each stage.
• Verify that product requirements were met at appropriate stages.
• Establish planned arrangements to verify services at each stage.
• Verify that service requirements were met at appropriate stages.

8.7 Control nonconforming outputs and document actions taken


8.7.1 Identify and control nonconforming output to prevent unintended use
• Identify outputs that do not conform to their requirements.
• Evaluate nonconforming outputs and examine their impact.
• Take appropriate action to control nonconforming outputs.
• Verify conformity when nonconforming outputs are corrected.
8.7.2 Document nonconforming outputs and the actions that are taken
• Document your organization's nonconforming outputs.
• Document the actions and decisions taken to prevent the unintended use or
delivery of nonconforming outputs.

9. Evaluation – A Refresh
9.1 Monitor, measure, analyze, and evaluate QMS performance
9.1.1 Plan how to monitor, measure, analyze, and evaluate
• Plan how you're going to monitor, measure, analyze, and evaluate your
organization's QMS.
• Monitor, measure, analyze, and evaluate QMS performance and effectiveness.
9.1.2 Find out how well customer needs and expectations are being met
• Establish methods that can be used to monitor perceptions.
• Monitor how well customer needs and expectations are fulfilled.
9.1.3 Evaluate performance, effectiveness, conformity, and satisfaction
• Analyze your monitoring and measurement results.
• Analyze and evaluate appropriate data and information.
• Use your analytical results to evaluate performance.
• Use your analytical results to evaluate effectiveness.
• Use your analytical results to evaluate conformity.
• Use your analytical results to evaluate satisfaction.

9.2 Use internal audits to examine conformance and performance


9.2.1 Audit your quality management system at planned intervals
• Conduct internal conformance audits at planned intervals.
• Determine if your organization's QMS meets requirements.
• Examine the effectiveness of your organization's QMS.
9.2.2 Develop an internal audit program for your organization
• Plan the development of your internal audit program (programme).
• Develop a program that can find out if QMS meets requirements.
• Develop a program that can determine if your QMS is effective.
• Establish your organization's internal audit program.
• Establish internal audit planning requirements.
• Establish internal audit reporting requirements.
• Establish internal audit responsibilities.
• Establish internal audit schedules.
• Establish internal audit methods.

9.3 Carry out management reviews and document your results
9.3.1 Review suitability, adequacy, effectiveness, and direction
• Review your organization's QMS at regular intervals.
• Review the suitability of your organization's QMS.
• Review the adequacy of your organization's QMS.
• Review the effectiveness of your organization's QMS.
• Review the direction of your organization's QMS.
9.3.2 Plan and perform management reviews at planned intervals
• Plan your organization's management review activities.
• Schedule your organization's reviews at planned intervals.
• Review your organization's quality management system.
9.3.3 Generate management review outputs and document results
• Generate suitable management review outputs.
• Document the results of your management reviews.

10. Improvement
10.1 Determine improvement opportunities and make improvements
• Consider ways of enhancing customer satisfaction.
• Consider opportunities to support innovation.
• Consider opportunities to take corrective action.
• Consider opportunities to transform your operations.
• Consider opportunities to make incremental changes.
• Determine and select opportunities for improvement.
• Identify opportunities to meet customer requirements.
• Consider opportunities to enhance customer satisfaction.
• Meet customer requirements and enhance satisfaction.

10.2 Control nonconformities and take appropriate corrective action


10.2.1 Correct nonconformities and address causes and consequences
• React to your organization's nonconformities.
• Control and correct your nonconformities.
• Evaluate the need to eliminate causes.
• Develop corrective actions to address causes.
• Implement corrective actions to address causes.
• Review the effectiveness of your corrective actions.
10.2.2 Document your nonconformities and the actions that are taken
• Document your organization's nonconformities.
• Document the actions taken to address nonconformities.
• Document your organization's corrective action results.

10.3 Enhance the suitability, adequacy, and effectiveness of your QMS


• Consider evaluation, analytical, and management review outputs.
• Use results to confirm that unmet QMS needs must be addressed.
• Improve the suitability, adequacy, and effectiveness of your QMS.

THE AUDIT OBJECTIVES DEFINE WHAT IS TO BE ACCOMPLISHED BY THE
INDIVIDUAL AUDIT AND MAY INCLUDE THE FOLLOWING:
• determination of the extent of conformity of the management system to be audited, or parts
of it, with audit criteria;
• determination of the extent of conformity of activities, processes and products with the
requirements and procedures of the management system;
• evaluation of the capability of the management system to ensure compliance with legal and
contractual requirements and other requirements to which the organization is committed;
• evaluation of the effectiveness of the management system in meeting its specified
objectives;
• identification of areas for potential improvement of the management system.

The audit scope should not be confused with the scope of the management system.
The audit scope should be consistent with the audit programme and audit objectives. It
includes such factors as the locations, the organizational units, the activities to
be audited, asset management related assumptions, process(es) and/or procedure(s),
methods, tools and techniques, as well as the time period covered by the audit.

The audit scope does not necessarily include all the organization’s processes, products,
locations, departments, or divisions, etc. covered by the management system. Taking into
account the limited duration of the audit, the auditor determines which divisions, processes,
systems, etc. he will audit. It is very important that the audit scope chosen by the auditor be
representative of the management system scope.

For example, to prepare an audit on the overall activities of a bank with a head office,
4 processing centres, 20 regional offices and 1,500 branches, an auditor could
include only the head office, one data processing centre, five regional offices and 25
branches in the ongoing audit scope. From one year to the next, he will select a new
audit scope within the limits of the management system.

INTERNAL AUDITS
The internal audit, sometimes called first party audit, is an independent and objective
activity that gives an organization assurance on the level of control over operations,
gives recommendations to improve operations, and contributes to creating added value.
Internal audits are conducted by or for the organization itself for the management review
and other internal needs. Independence must be demonstrated by the absence of
responsibility in the activity to be audited.

EXTERNAL AUDITS
External audits include audits known as second and third party audits:
a. Second party audit: Second party audits are conducted by parties having an
interest in the audited organization, such as customers, or other persons acting on their
behalf.
b. Third party audit: Third party audits are conducted by external and independent audit
organizations such as the organizations that grant the registration or conformity
certification of management systems.
Important note: Third party audits are performed by auditors who are external to and
independent of the auditee.

An audit can be performed using a range of audit methods. An explanation of commonly used audit
methods can be found in this annex. The audit methods chosen for an audit depend on the defined
audit objectives, scope and criteria, as well as duration and location. Available auditor competence
and any uncertainty arising from the application of audit methods should also be considered.
Applying a variety and combination of different audit methods can optimize the efficiency and
effectiveness of the audit process and its outcome.
Performance of an audit involves an interaction among individuals with the management system
being audited and the technology used to conduct the audit.

On-site audit activities are performed at the location of the auditee.

Remote audit activities are performed at any place other than the location of the auditee,
regardless of the distance.
Some reasons for choosing a remote audit approach would be:
- Cost considerations
- Travel constraints
- Time constraints
Normally, temporary sites and locations associated with the primary entity can be considered for
remote auditing.
When choosing a remote audit, the prevailing regulations / laws of the land relating to information
security need due consideration, broadly based on IAF MD4.

INTEGRITY
Integrity is professional conduct that respects ethics. A code of conduct is a set of rights and
obligations that govern a profession, the conduct of those who exercise it, and the relationship
between them and their customers or the public.
Ethics is a set of principles that constitutes a system of moral standards and ideals. These
are values shared by society. Beyond legal compliance, an auditor must be irreproachable.

The respect of audit principles is a major success factor for an auditor. The respect of these
principles allows him to gain and preserve the trust of the audit client and the auditee. It is
difficult to gain trust and almost impossible to regain it in case of failure.

A good way to ensure compliance with the code of conduct is to correctly assess the
qualifications and performance of each auditor. It is common practice for the certification
body to send a customer satisfaction questionnaire to the auditee at the end of the audit.

In a country, if customers and the general public lose confidence in the certification
system (for example, thinking that organizations obtain certificates of conformity by
paying bribes), certificates lose much of their usefulness. For example, a customer
who doesn’t want to rely on the certificate of conformity will instead send an audit team to
validate conformity to the requirements.

FAIR PRESENTATION
Obligation to report honestly and precisely. The auditor represents the certifying
organization and pledges his responsibility and image, as well as that of the certifying
organization, and that of ISO. The fair presentation principle requires all professionals
to be frank and honest in all professional relationships. The audit findings, the audit
conclusions and the audit reports must reflect the audit activities in an honest and
precise way. The important obstacles encountered during the audit and the
unanswered questions or differences of opinion between the audit team and the
auditee shall be recorded.
Clause 5.1 of the ISO/PAS 17001 standard (Conformity evaluation – Impartiality –
Principles and requirements) indicates that impartiality is characterized by one or
more of the following elements: objectivity, independence, neutrality, justice,
open mindedness, fairness, detachment, balance in the judgement, absence of
conflicts of interest, absence of bias and absence of prejudice. A professional
auditor should not be associated with reports, or any other communication, where he
believes that the information:
• Contains a report that is materially false or falsified;
• Contains reports or information provided with negligence;
• Omits or casts a shadow on the required information to falsify the conclusions of a
report.

Fair presentation also requires a commitment in terms of objectivity. The principle of
objectivity requires that all professional auditors not compromise their professional or
business judgments on the grounds of prejudices, conflicts of interests or other unfair
influences. A professional auditor can be exposed to situations that can alter his
objectivity. It is impossible to define every situation. Situations that can lead to
judgment bias or unfair influence should be avoided.

DUE PROFESSIONAL CARE
Diligent and attentive attitude during the audit. The conduct of an audit is never
perfect, but the auditor shall act with caution and in accordance with the professional
standards and applicable techniques during the performance of professional services.
In addition, he should have the appropriate qualifications based on the duties
assigned to him. For example, an auditor who has no experience in the financial
sector has the obligation to request to include in the audit team a person who is
familiar with this field of activity, or to turn down the audit mission if he has to conduct
it solo. To conduct a professional audit, the auditor will have to consider beforehand:
• The objectives;
• The complexity of the organization;
• The critical processes;
• The expectations of the customers;
• The complexity of the audit activities to be conducted to reach the audit objectives;
• The qualification needs and resources required for the audit activities;
• The communication needs.

A professional auditor should always preserve confidentiality, even in his social
environment. The professional auditor should be conscious of the possibilities of
disclosure for reasons of negligence, in particular in circumstances involving long standing
business relationships or a family member. A professional auditor should also maintain
confidentiality of information revealed by an audit client, an auditee or possible employer. A
professional auditor should take all reasonable measures to ensure that the personnel
under his control, as well as the persons who advise and help him, respect the
confidentiality obligation of the professional auditor.

The necessity to comply with the principle of confidentiality remains even after the
end of the relationship between a professional auditor and an audit client and an
auditee. When a professional auditor changes jobs or acquires a new client, he can use his
previous experience. However, the professional auditor should not use or reveal
confidential information acquired or received during a professional or business relationship.

Evidence is any information used by the auditor to determine whether the organization or
data audited follows the criteria or audit objectives put in place: a policy, a list of assets
and their owners, an internal audit report, the observation of a process in operation, a
photo of a room with servers, etc. Audit evidence must be verifiable. Audit
evidence is either qualitative or quantitative.

• Qualitative evidence: Evidence stemming from the analysis of a non-quantified
characteristic of information related to the determination of an audit criterion. It
usually aims at determining if the process design complies with the audit
criteria. For example, an interview with the people responsible for quality
assurance and the quality assurance procedures manual serve as evidence to
validate if the quality assurance process complies with the requirements.

• Quantitative evidence: Evidence stemming from the analysis of an information
sample related to the determination of an audit criterion whose quantified results
are then projected to the whole of the studied population. It generally aims to
determine if a process in operation is functional and effective. For example,
by analysing 5 reports out of the 25 follow-up reports on non-conformities drafted
by the audited organization during the past year, the auditor will be able to
determine if the organization conforms to the follow-up process that it has
implemented.

THE INITIAL CONTACT WITH THE AUDITEE CAN BE FORMAL OR INFORMAL, BUT
SHOULD BE CARRIED OUT BY THE PERSON RESPONSIBLE FOR THE AUDIT TEAM.
The purposes of the initial contact are the following:
a. establish communications with the auditee’s representatives;
b. confirm the authority to conduct the audit;
c. provide information on the audit objectives, scope, methods and audit team
composition, including technical experts;
d. request access to relevant documents and records for planning purposes;
e. determine applicable legal and contractual requirements and other requirements
relevant to the activities and products of the auditee;
f. confirm the agreement with the auditee regarding the extent of the disclosure and the
treatment of confidential information;
g. make arrangements for the audit including scheduling the dates;
h. determine any location-specific requirements for access, security, health and safety or
other;
i. agree on the attendance of observers and the need for guides for the audit team;
j. determine any areas of interest or concern to the auditee in relation to the specific audit.

AUDIT OBJECTIVE
The audit objective states why the audit is being conducted, and could be:
a. determining the readiness of the organization (Stage 1);
b. determining the implementation and effectiveness of the system (Stage 2);
c. determining continued compliance and ability to achieve improvements
(Surveillance / Recertification).

AUDIT SCOPE
The audit scope generally includes a description of the physical locations,
organizational units, activities and processes, as well as the time period covered.

AUDIT CRITERIA
The basis on which the audit is performed, such as:
a. Requirements of the standard
b. Requirements of law
c. Requirements of interested parties
d. Requirements of the system developed by the client organization

DETERMINING AUDIT TIME
• Initial certification audit is carried out in two stages (stage 1 and stage 2, as explained
later).
• Guidance for audit durations (in days) for initial certification audit (stage 1 + stage 2) is
available in IAF Mandatory Document for duration of FSMS, EMS, OHS Audits, in
respect of:
i. complexity categories (High, Medium, Low and Limited) and
ii. effective number of personnel.

(Ref: International Accreditation Forum Doc. No. IAF MD 5:2009, Issue 1)

MULTI-SITE SAMPLING
• Where multi-site sampling is used for the audit of a client’s management system
covering the same activity in various locations, a sampling programme needs to be
developed to ensure an effective audit. The rationale for the sampling plan needs to be
documented for each client, where multi-site sampling is adopted.

AUDIT TEAM SELECTION AND ASSIGNMENTS
The process for selecting and appointing the audit team (including the audit team leader)
takes into account the competence needed to achieve the objectives of the audit. Types of
audit may vary (e.g. single system, combined or integrated audit). Certification requirements
may include regulatory or contractual requirements. The necessary skills of the audit team
can be supplemented by technical experts, translators and interpreters. The audit team
leader assigns (to each team member) responsibility for auditing specific processes,
functions, sites, areas and activities.

During the feasibility analysis of an audit, the audit team should also take into consideration
the normative and legislative frameworks applicable to the organization. When the audit is
not feasible, an alternative should be proposed to the auditee and the audit client.
The feasibility of the audit should be determined before accepting an audit mission.
The feasibility of the audit should be determined to provide reasonable confidence that the
audit objectives can be achieved.

The determination of feasibility should take into consideration such factors as the
availability of the following:
- sufficient and appropriate information for planning and conducting the audit;
- adequate cooperation from the auditee;
- adequate time and resources for conducting the audit.

Where the audit is not feasible, an alternative should be proposed to the audit client, in
agreement with the auditee.

PURPOSE OF AUDIT PROGRAMS
• A set of instructions to the audit team
• Assist with planning and performance of the audit.
• A means to control and record the proper execution of the audit work & also to review
the audit work.
• A record of the audit procedures to be adopted, the audit objectives, timing, sample size
and basis of selection of each criterion.
• Audit evidence to support the auditor's opinion.

AUDIT APPROACH BASED ON EVIDENCE AND RISK
Inherent Risk: Corresponds to the possibility that, without taking into account the internal
processes that could exist in the organization, a significant defect occurs in the
management system. This is the risk related to the industrial sector in which the audited
organization evolves.
Control Risk: Corresponds to the risk that a significant defect will not be prevented, nor
detected by the internal environment (all the organization’s processes), and therefore not be
corrected in the time required. Generally speaking, an auditor considers that risks are
higher in an organization that has ill-defined processes and where processes are mainly
manual. Automated processes are considered as having a lesser risk of failure on the
condition that they are well configured.
Detection Risk: Corresponds to the risk that the auditor is not able to detect a significant
defect. To reduce the detection risk, the auditor applies the audit principles based on risks
(see the following slides) or on materiality.
Acceptable Detection Risk: Corresponds to how far the auditor is willing to go to accept that
his conclusions can be substantially erroneous. If the auditor decides to reduce the risk of
audit, this implies that the auditor wants to have a higher level of certainty in his
conclusions. This is why some auditors request more audit days than the minimum days
required for a certification audit.
Audit Risk = Inherent Risk + Control Risk + Detection Risk

AUDIT TEAM MEMBER (AUDITOR)
• An auditor should ensure that he/she arrives on time and is decently dressed (as per
applicable dress code, if any). The auditor attends the opening meeting (conducted by
the team leader) and participates (as and when desired by the team leader); carries out
the site tour (as a team), reviews significant observations (if any) and commences
auditing activities, as per audit plan, along with the guide (and TE, auditor-in-training,
observer, if relevant).
• It is extremely important to manage the time to ensure general adherence to the audit
plan.
• The auditor should perform document review, while auditing and referring to relevant
documents; collect necessary information and evidences, verify them and communicate
audit findings with auditee; relevant information may be shared with other auditors.
• Audit findings should be periodically discussed with the team leader and approval/
endorsement obtained.
• During the audit, the auditor is likely to come across some confidential information of the
auditee organization. By agreement, the auditor must maintain confidentiality of such
information.
• The auditor attends the closing meeting; assists TL, as may be required and hands over
audit documents to TL.

TECHNICAL EXPERT (TE)
• If all the necessary competence is not covered by the auditors in the audit team,
technical experts with additional competence should be included in the team. Technical
experts supplement the collective competence of the audit team, in specialized areas of
technology, processes, activities, language or culture.
• TE is a resource person, available to the audit team to provide specific knowledge and
expertise, relating to the organization, as and when needed.
• TE should operate under the direction of an auditor and should not act as an auditor.

GUIDES
Guides and observers (e.g. regulator or other interested parties) may accompany the audit
team. They should not influence or interfere with the conduct of the audit. If this cannot be
assured, the audit team leader should have the right to deny observers from taking part in
certain audit activities.

Guides, appointed by the auditee, should assist the audit team and act on the request of the
audit team leader. Their responsibilities should include the following:
• assisting the auditors in identifying individuals to participate in interviews and confirming
timings;
• arranging access to specific locations of the auditee;
• ensuring that rules concerning location safety and security procedures are known and
respected by the audit team members and observers.

The role of the guide may also include the following:
• witnessing the audit on behalf of the auditee;
• providing clarification or assisting in collecting information.

AUDITOR-IN-TRAINING
• After obtaining the theoretical knowledge in auditing, one has to acquire adequate
practical experience in auditing before being permitted to carry out audits independently.

• An auditor-in-training acquires the necessary audit experience, under the supervision of
an auditor.

OBSERVERS
• The presence and justification of observers during an audit shall be agreed to by the
certification body and client prior to the conduct of the audit. The audit team shall ensure
that the observers do not influence or interfere in the audit process or outcome of the
audit.

AUDITEE ORGANIZATION
• The organization should assign the responsibilities (for hospitality, guides, transport,
safety and security arrangements etc.), relating to the audit, including managing the
venue of opening and closing meetings and attendees thereof.

• Facility personnel should be adequately briefed to face the audit; attendees should
make it convenient to attend the meetings and the audits.

“Confidence in the results of an audit depends on the competence of the individuals
conducting the audit.”

Three components of auditor competence:
• Personal behaviour
• Auditing Knowledge and Skills
• Technical Knowledge and Skills
Auditors need to possess the appropriate qualities, knowledge and skills in all three of
these areas.

Auditors should possess the necessary qualities to enable them to act in accordance with
the principles of auditing as described earlier (pages 24-25 refer).

Auditors should exhibit professional behaviour during the performance of audit activities,
including being:
• ethical, i.e. fair, truthful, sincere, honest and discreet;
• open-minded, i.e. willing to consider alternative ideas or points of view;
• diplomatic, i.e. tactful in dealing with people;
• observant, i.e. actively observing physical surroundings and activities;
• perceptive, i.e. aware of and able to understand situations;
• versatile, i.e. able to readily adapt to different situations;
• tenacious, i.e. persistent, focused on achieving objectives;

• decisive, i.e. able to reach timely conclusions based on logical reasoning and
analysis;
• self-reliant, i.e. able to act and function independently whilst interacting effectively
with others;
• acting with fortitude, i.e. able to act responsibly and ethically even though these
actions may not always be popular and may sometimes result in disagreement or
confrontation;
• open to improvement, i.e. willing to learn from situations, striving for better audit
results;
• culturally sensitive, i.e. observant and respectful to the culture of the auditee;
• collaborative, i.e. effectively interacting with others, including audit team members
and the auditee's personnel.

INITIAL CERTIFICATION AUDIT
Stage 1
The purpose of the Stage 1 audit is to confirm that your organization is ready for the Stage
2 certification audit. The auditor will:
1. verify that the management system conforms to the requirements of the
standard
2. verify its implementation status
3. verify the scope of certification
4. check legislative/regulatory compliance
5. produce a report that identifies any non-compliance or opportunities for improvement
and agree to a corrective action plan if required
6. produce an assessment plan and confirm a date for the Stage 2 audit visit

Stage 2
The purpose of this audit is to confirm that the management system has been fully
implemented and conforms to the requirements of the chosen Standard in practice. The
auditor will:
1. undertake random samples of the processes and activities defined in the scope of
certification
2. document how the system complies with the standard by using objective evidence
3. report any non-compliances or opportunities for improvement
4. produce a surveillance plan and agree to a date for the first annual surveillance audit

STAGE I AUDIT
• Keeping in view the objectives of the stage 1 audit, as indicated above, it is clear that
the objectives cannot be fully achieved by gathering and reviewing information
at a distance (remote review). For instance, evaluation of the client’s location and
site-specific conditions can be carried out only at the client’s premises.

• The audit findings should include identification of any areas of concern that could be
classified as nonconformity during the stage 2 audit.

• The results of stage 1 audit help the organization to carry out the necessary corrective
actions to eliminate the gaps identified, and hence to achieve conformity to audit criteria
during stage 2 audit.

• The time needed (and agreed to) for resolving the areas of concern, and also the time
needed by the CB, would be factors determining the interval between the stage 1 and stage
2 audits.

To minimize interference between audit activities and the auditee’s work processes and to
ensure the health and safety of the audit team during a visit, the following should be
considered:

a) planning the visit:
- ensure permission and access to those parts of the auditee’s location, to be visited in
accordance with the audit scope;
- provide adequate information (e.g. briefing) to auditors on security, health (e.g.
quarantine), occupational health and safety matters and cultural norms for the visit including
requested and recommended vaccination and clearances, if applicable;
- confirm with the auditee that any required personal protective equipment (PPE) will be
available for the audit team, if applicable;
- except for unscheduled ad hoc audits, ensure that personnel being visited will be informed
about the audit objectives and scope;

b) on-site activities:
- avoid any unnecessary disturbance of the operational processes;
- ensure that the audit team is using PPE properly;
- ensure emergency procedures are communicated (e.g. emergency exits, assembly
points);
- schedule communication to minimize disruption;
- adapt size of the audit team and the number of guides and observers in accordance with
the audit scope, in order to avoid interference with the operational processes as far as
practicable;
- do not touch or manipulate any equipment, unless explicitly permitted, even when
competent or licensed;
- if an incident occurs during the on-site visit, the audit team leader should review the
situation with the auditee and, if necessary, with the audit client and reach agreement
on whether the audit should be interrupted, rescheduled or continued;
- if taking photographs or video material, ask for authorization from management in
advance and consider security and confidentiality matters and avoid taking
photographs of individual persons without their permission;
- if taking copies of documents of any kind, ask for permission in advance and
consider confidentiality and security matters;
- when taking notes, avoid collecting personal information unless required by the audit
objectives or audit criteria.

The audit team leader, in consultation with the audit team, should assign to each team
member responsibility for auditing specific processes, activities, functions or locations. Such
assignments should take into account the independence and competence of auditors and
the effective use of resources, as well as different roles and responsibilities of auditors,
auditors-in-training and technical experts.

Audit team briefings should be held, as appropriate, by the audit team leader in order to
allocate work assignments and decide possible changes. Changes to the work assignments
can be made as the audit progresses in order to ensure the achievement of the audit
objectives.

AUDITING MANAGEMENT SYSTEM DOCUMENTATION (CONDUCTING
DOCUMENT REVIEW)
• It is intended to determine whether the documentation, as evolved by the
organization, is adequate (containing all expected information) and correct (i.e.
conforms to other reliable sources, such as the applicable standard and
regulations).
• Each document needs to be consistent in itself and with other related documents.
• The documents reviewed must be of the current version.
• Management system documents need to cover the entire audit scope and
provide sufficient information to support the audit objectives.
• ISO 19011 only refers to document review (clause 6.3.1). During a certification audit, the
document review is one of the activities that are performed during a phase 1 audit. A
phase 1 audit includes other audit activities such as interviews with key actors and an
on-site visit (ISO 17021-1, clause 9.3.1.2).

It is to be noted that, even though a confidentiality agreement is signed, an auditee has the
right to require that the document review takes place on-site and that no document may
be carried off-site.

DOCUMENT REVIEW
The auditors should consider if:
- the information in the documents provided is:
  - complete (all expected content is contained in the document);
  - correct (the content conforms to other reliable sources such as standards and regulations);
  - consistent (the document is consistent in itself and with related documents);
  - current (the content is up to date);
- the documents being reviewed cover the audit scope and provide sufficient information to
support the audit objectives;
- the use of information, depending on the audit methods, promotes efficient conduct of the
audit:

The use of checklists is not required when conducting an audit. Checklists are only a tool
in the “auditor’s toolbox”. Many organizations use them to ensure a minimum coverage
during the audit. A checklist helps to ensure coverage of the minimum requirements
as defined by the audit scope. Thus, checklists help to ensure that an audit is conducted in
a systematic and global manner and that appropriate evidence is obtained. An audit
checklist can include a list of definitions to ensure the uniformity of responses. A checklist
should provide suitable space for answers, comments, and observations. The items
included in the checklist should include the reference to the related standard. A well-
prepared checklist will include a procedure on the way the checklist must be used, and the
auditors should be trained in its use.
The auditee can receive the checklist before the start of the audit. The checklist allows the
auditee to be adequately prepared for the audit.

To limit subjectivity, the auditor should use checklists or observation checklists to
guide him.

Important note: Checklists do not replace all the other information collection methods and
procedures. At best, checklists should help an auditor during the execution of an audit
process and not replace his professional judgment.

• The stage 2 audit is mainly focused on verifying implementation of the system as per
the documented management system and ascertaining effectiveness of the system.

• For achieving stage 2 audit objectives, the audit has to include the salient features of the
QMS in the audit programme, carry out the audit as per the programme, in order to
obtain the relevant audit evidences, in support of the audit conclusions.
• QMS performance monitoring as per the defined performance indices, including
achievement data relating to objectives and targets, provides a measure of effectiveness
of the management system.
• Status of legal compliance, as appropriate, evidences of ongoing adherence to stipulated
operational controls of the processes (involving significant risks), results of internal
audits and follow-up actions resulting from management reviews are significant
indicators of system-effectiveness.
• The series of commitments contained/reflected in the QMS and other policies, need to
be implemented in practice. Audit should look for defined responsibilities, in this regard.
• In fact, the audit should establish the links between the specified requirements of the
management system, as a whole, and the mechanism of implementation and
maintenance of the same in the respective areas of activities.

Audit activities are normally conducted in a defined sequence as indicated in the above slide.
This sequence may be varied to suit the circumstances of specific audits.

At the beginning of the on-site audit, it is fitting to hold an opening meeting with the
representatives of the auditee and the persons responsible for the operations or
processes to be audited. In certification audits, it is fitting that the meeting be formal
and that attendance records be kept. The audit team leader customarily chairs the
meeting. The opening meeting objectives are:
1. To introduce the audit team.
2. To confirm the audit plan.
3. To briefly explain the way the audit activities will be conducted.
4. To confirm the communication channels.
5. To allow the auditee to ask questions.
6. To identify the potential audit problems.

The opening meeting should be interactive, so that all of the auditee's questions can be
answered. It is a unique way to establish a good relationship between the audit team
and the auditee.

ISO 17021-1, clause 9.4.2: Conducting the opening meeting
A formal opening meeting shall be held with the client’s management and, where
appropriate, those responsible for the functions or processes to be audited. The
purpose of the opening meeting, usually conducted by the audit team leader, is to
provide a short explanation of how the audit activities will be undertaken.

ISO 19011, clause 6.4.2: Conducting opening meeting
The meeting should be chaired by the audit team leader, and the following items should be
considered, as appropriate:
a. introduction of the participants including observers and guides, and an outline of their
roles;
b. confirmation of the audit objectives, scope and criteria;
c. confirmation of the audit plan and other relevant arrangements with the auditee, such as
the date and time for the closing meeting, any interim meetings between the audit team
and the auditee's management, and any late changes;
d. presentation of the methods to be used to conduct the audit, including advising the
auditee that the audit evidence will be based on a sample of the information available;
e. introduction of methods to manage risks to the organization, products, services,
personnel and/or infrastructure associated with the audit;
f. confirmation of formal communication channels between the audit team and the
auditee;
g. confirmation of the language(s) to be used during the audit;
h. confirmation that, during the audit, the auditee will be kept informed of audit progress;
i. confirmation that the resources and facilities needed by the audit team are available;
j. confirmation of matters relating to confidentiality and information security;
k. confirmation of relevant health and safety, emergency and security procedures for the
audit team;
l. information on method of reporting audit findings including any grading;
m. information about conditions under which the audit may be terminated;

n. information about the closing meeting;
o. information about how to deal with possible findings during the audit;
p. information about any system for feedback from the auditee on the findings or
conclusions of the audit, including complaints or appeals.

• Auditing is a verification process, based on audit evidence gathered during the
audit.

• A successful audit largely depends on effective communication between the
auditor and the auditee.

• We need to know the possible barriers of communication and attempt to eliminate
or reduce them, to the extent feasible.

SPOKEN WORDS ARE ONLY A PART OF THE OVERALL COMMUNICATION
PROCESS; OTHERS ARE
• Our spoken words are supplemented by our body language, like body posture and
movement, facial expression, gestures. Communication is also influenced by associated
factors like vocal characteristics and interpersonal distance. For instance, we feel
uncomfortable if a stranger comes too close and invades our comfort zone during
conversation.

TECHNIQUES OF EFFECTIVE COMMUNICATION


• An auditor should try to put the auditee at ease, free from undue tension, so that the
auditee is comfortable in receiving a communication and responding to the same.

• The question should be carefully worded so that it is easily understood.

• The responses of the auditee should be listened to attentively, free from any personal judgment.

OPEN QUESTIONS
• Of all the types of questions, given an opportunity, an auditor should preferably ask open
questions, as far as feasible. This is because, by asking one open question, the auditor
is likely to be rewarded with a rather large volume of responses, voluntarily offered by
the auditee, some of which may be very useful. However, in some situations, we are
constrained to ask other types of questions, despite their known limitations.

OPEN QUESTIONS EXAMPLES


• Answers to these open questions are most likely to be elaborative ones, containing
detailed information. Thus, it is said that obtaining information by asking open questions,
renders the process more efficient, as it yields higher quantum of information.

CLOSED QUESTIONS
• Closed questions are relatively less productive in nature as they provide smaller
quantum of information.
• Closed questions are asked when it is intended to obtain specific (often significant)
information.

CLOSED QUESTIONS EXAMPLES


• Such closed questions will have a short and very specific answer, e.g. ‘yes’ or ‘no’.
• But, at times, we need to ask such closed questions, when we need specific information.

CLARIFYING QUESTIONS
• An auditor should ensure clear understanding (without any ambiguity) of the responses of
the auditee so as to arrive at the right conclusions. Clarifying questions are aimed at
achieving this objective.

CLARIFYING QUESTIONS EXAMPLES


• The questions seek to firm up understanding to facilitate the audit process.

LEADING QUESTIONS
• At times, an auditee is found to be persistently dodging a question. Putting a leading
question, in such a situation, is an attempt to guide the responses in the expected
channel to facilitate audit conclusion.
• Leading questions are to be sparingly used, to eliminate the possible bias.

LEADING QUESTIONS EXAMPLES


• Leading questions are framed in such a way that the auditee is prompted to agree or
confirm and is often ‘trapped’ by the following question.

ANTAGONISTIC QUESTIONS
• The auditor’s job is to obtain necessary information/evidence through interactions with
the concerned personnel. This objective can truly be achieved by carrying out the
interactions in a congenial and relaxed environment. Asking antagonistic questions will
spoil the environment, and the auditee is likely to go into a shell and become
uncooperative.

ANTAGONISTIC QUESTIONS EXAMPLE


• An auditor should interact with the auditee politely.
• Treat the auditee as an equal; the auditor must not take the auditee to task for any
eventual failure.
REMEMBER, YOU ARE ONLY AN AUDITOR AND NOT THE BOSS OF THE AUDITEE.

SILENCE
• Human beings are uncomfortable with silence.
• For instance, when you are in the midst of a prolonged interaction (possibly obtaining
some fabricated information) and you suddenly become silent for a longish duration, the
auditee may find it unbearable and would ultimately feel the urge to dish out the
correct information to regain normalcy.

VOCAL CHARACTERISTICS
• What you are saying is important.

The auditors use audit procedures to collect evidence in sufficient quantity and quality to
validate the conformity of the management system of an organization. The use of audit
procedures in a systematic way reduces the audit risk and reinforces the objectivity of the
auditor. The auditor usually uses a combination of evidence collection procedures to create
his audit test plan. Several audit procedures exist, which the auditor can use to collect
evidence in a systematic way. Names of procedures may vary depending on the authors.
We have grouped the most frequently used audit procedures in seven major categories.

Please note that the categories are not mutually exclusive. In fact, it is generally
expected to use a combination of procedure categories to obtain the most precise
conclusion. For example, the auditor can interview the auditee to collect information on how
the backups are performed, but can also obtain the written procedure that describes the
steps followed or, even still, observe the backup with the operator.

It is to be noted that ISO 19011 and ISO 17021-1 do not indicate specific procedures to be
followed to comply with the requirements of the standard. Each team must establish its own
test strategy and test plans based on the processes to be audited and the audit objectives.
Professional judgement is important in the establishment of test strategies and the
evaluation of the collected audit evidence.

METHODS OF GATHERING AUDIT EVIDENCE


• The auditor can observe the activities being carried out in his/her presence and verify
conformity of the same with the requirements.
• Information/data relating to the previous activities can be checked for conformity by
examining the relevant records.
• If necessary, further information can be gathered through interactions with the
concerned personnel.
• Only information that is verifiable should be accepted as audit evidence. Audit
evidence leading to audit findings should be recorded. If, during the collection of
evidence, the audit team becomes aware of any new or changed circumstances or
risks, these should be addressed by the team, as appropriate.

DURING SITE TOUR, AUDITORS ARE EXPECTED TO
• While on site tour, an auditor should not indulge in prolonged discussion and probing on
a specific point. Such a discussion may yield some information but thereby, one stands
to miss many other important inputs/benefits of the tour and also be out of tune with the
audit team, as a whole.
• The auditors are expected to be keen observers. Site tour provides an opportunity to
look around objectively and identify evidences relating to the conformity (or
nonconformity) of the QMS operations and performances.
• Evidence of inadequate allocation of resources, resulting in operational lapses and lack
of monitoring/measurement (for instance, because of non-provisioning of measuring
devices/instruments) may come to light during site tour.

STAGE 2 AUDIT : POST-TOUR


• The site tour may identify some critical operational areas, which were probably not
included in the audit plan.
• Likewise, it may be realized that the time period allotted for an audit-area is inadequate,
requiring review and change.

Statistically speaking, a sample is a set of units extracted from an initial population to
represent this population. Sampling allows the auditor to obtain and evaluate audit evidence
objectively and in a reliable way based on the characteristics of the data selected.
Sampling can use a probabilistic approach (based on chance) or a non-probabilistic approach
(based on judgement). The difference between the two lies in the belief that in the case of
probabilistic sampling each element has a “chance” of being selected and that this chance
can be quantified, which is not true for non-probabilistic sampling.

The selection of a sampling method should be made based on characteristics of the
population to be analyzed. The auditor can use several sampling approaches. Following are
the main methods:

1. Random sampling
Description: Selecting a sample in which the probability of selection is known (and non-zero)
and each element of the population has the same probability of being selected.
Advantages: This method is statistically the most reliable. It is possible to calculate the
inclusion probability of each element in a sample as well as estimate the error margins.
Disadvantages: More complex method and is usually more time consuming than the other
methods.

2. Systematic sampling (or interval sampling)
Description: Sample selection from a population of which the probability of selection is
known (and non-zero) using a defined interval between each element.
Advantages: This method is statistically reliable, simple to use and fast.
Disadvantages: Depending on the characteristics of the population to analyze, this
method can require more time than the other non-probabilistic methods.

3. Stratified (layered) sampling
Description: Stratified sampling is a method which first consists of subdividing the
population into homogeneous groups (layers) and then extracting a sample from each
layer.
Advantages: Stratified sampling provides the assurance of obtaining a sample size
sufficient to represent each subset of the population for which the auditor wants to
analyze the characteristics.
Disadvantages: This method assumes the knowledge of the population structure and
can lead to methodological biases.

4. Block selection sampling
Description: Sample selection from a subset of the population.
Advantages: This method avoids having to identify the set of elements of the
population.
Disadvantages: This method assumes that the selected block is representative of
the total population.

5. Judgement based sampling
Description: Sample selection based on the auditor’s judgement (drawing
on his experience and knowledge) to directly identify the units that adequately
represent the population.
Advantages: This method constitutes a net advantage when competent individuals
have relevant experience because it is simple and fast. It also allows the auditor to directly
select elements from the population that could represent non-conformity risks.
Disadvantages: It is impossible to objectively evaluate up to what point the sample is
representative of the audited population.
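
The random, systematic, stratified and block selection methods described above, run over a constructed population of 120 records, as an added example that is not part of the course notes. The record fields, department names and function names are assumptions made for illustration.

```python
import random
from collections import Counter, defaultdict


def build_population():
    """Constructed population: 120 calibration records from three departments."""
    records = []
    for dept, count in (("production", 80), ("laboratory", 30), ("warehouse", 10)):
        for _ in range(count):
            records.append({"id": f"REC-{len(records) + 1:03d}", "dept": dept})
    return records


def random_sample(population, size, rng):
    """Random sampling: every record has the same selection probability, size / N."""
    return rng.sample(population, size)


def systematic_sample(population, size, rng):
    """Systematic (interval) sampling: random start, then every k-th record."""
    k = len(population) // size          # the defined interval
    start = rng.randrange(k)             # random start keeps the probability known
    return [population[start + i * k] for i in range(size)]


def stratified_sample(population, size, rng, key="dept"):
    """Stratified sampling with proportional allocation (largest remainder)."""
    strata = defaultdict(list)
    for rec in population:
        strata[rec[key]].append(rec)
    quotas = {name: size * len(recs) / len(population) for name, recs in strata.items()}
    alloc = {name: int(q) for name, q in quotas.items()}
    leftover = size - sum(alloc.values())
    by_remainder = sorted(quotas, key=lambda n: quotas[n] - alloc[n], reverse=True)
    for name in by_remainder[:leftover]:
        alloc[name] += 1
    sample = []
    for name, recs in strata.items():
        sample.extend(rng.sample(recs, alloc[name]))
    return sample


def block_sample(population, size, start):
    """Block selection: one contiguous run of records picked by the auditor."""
    return population[start:start + size]


def per_stratum(sample, key="dept"):
    """Count how many sampled records fall in each stratum."""
    return dict(Counter(rec[key] for rec in sample))


def miss_rate(population, size, stratum, trials, rng, key="dept"):
    """Share of simple random samples that contain no record from one stratum."""
    misses = 0
    for _ in range(trials):
        if all(rec[key] != stratum for rec in rng.sample(population, size)):
            misses += 1
    return misses / trials


if __name__ == "__main__":
    rng = random.Random(2019)            # fixed seed so the run is repeatable
    pop = build_population()
    print("random    :", per_stratum(random_sample(pop, 12, rng)))
    print("systematic:", [r["id"] for r in systematic_sample(pop, 12, rng)])
    print("stratified:", per_stratum(stratified_sample(pop, 12, rng)))
    print("block     :", per_stratum(block_sample(pop, 12, 0)))
    print("random samples with no warehouse record:",
          miss_rate(pop, 12, "warehouse", 5000, rng))
```

The last figure shows why stratification matters for small subsets: roughly a third of simple random samples of 12 contain no warehouse record at all, while the stratified sample always includes one.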

TYPES OF EVIDENCES
• Gathering objective evidences is the key to successful auditing.

• Physical and documentary evidences are preferred evidences which can be easily
verifiable. However, in the absence of physical and documentary evidences, one may
have to depend on circumstantial evidence or testimonials, which are rather indirect
evidences, needing careful verification and are sometimes open to debate.

Audit evidence should be evaluated against the audit criteria in order to determine audit
findings. Audit findings can indicate conformity or nonconformity with audit criteria. When
specified by the audit plan, individual audit findings should include conformity and good
practices along with their supporting evidence, opportunities for improvement, and any
recommendations to the auditee.

Nonconformities and their supporting audit evidence should be recorded. Nonconformities
may be graded. They should be reviewed with the auditee in order to obtain
acknowledgement that the audit evidence is accurate, and that the nonconformities are
understood. Every attempt should be made to resolve any diverging opinions concerning
the audit evidence or findings, and unresolved points should be recorded.

The audit team should meet as needed to review the audit findings at appropriate stages
during the audit.

Determining audit findings


When determining audit findings, the following should be considered:

• follow-up of previous audit records and conclusions;
• requirements of audit client;
• findings exceeding normal practice, or opportunities for improvement;
• sample size;
• categorization (if any) of the audit findings;

Recording conformities
For records of conformity, the following should be considered:

• identification of the audit criteria against which conformity is shown;
• audit evidence to support conformity;
• declaration of conformity, if applicable.

Recording nonconformities
For records of nonconformity, the following should be considered:

• description of or reference to audit criteria;
• nonconformity declaration;
• audit evidence;
• related audit findings, if applicable.

Dealing with findings related to multiple criteria


During an audit, it is possible to identify findings related to multiple criteria. Where an
auditor identifies a finding linked to one criterion on a combined audit, the auditor
should consider the possible impact on the corresponding or similar criteria of the
other management systems.

Depending on the arrangements with the audit client, the auditor may raise either:
• separate findings for each criterion; or
• a single finding, combining the references to multiple criteria.

Depending on the arrangements with the audit client, the auditor may guide the
auditee on how to respond to those findings.



MAJOR NONCONFORMANCE
• Nonfulfilment of legal requirements is graded as major nonconformance.
• Total breakdown of the system due to failure to address the requirements relating to any
of the clauses (may be one or more clauses) of the standard or any of the audit criteria is
also graded as major NC.
• Lastly, accumulation of a number/cluster of minor nonconformances in one area/topic is
graded as major nonconformance.

MINOR NONCONFORMANCE
• Nonconformances are graded in two groups, major and minor. If a nonconformance
does not fall in the group of major NC, it will, obviously, fall in the group of minor NC.
• A minor NC does not cause a total breakdown of the system in respect of a specific
requirement, and it amounts to an occasional failure. This means, in the case of minor
NC, we have the evidence to conclude that the system is generally in place and it has
encountered an occasional failure due to some stray reason/s.

OBSERVATION / OPPORTUNITY FOR IMPROVEMENT (OFI)
• If the auditor identifies an area of potential improvement and feels it should be
raised (but it does not warrant raising an NC), he may (if the system permits) raise
an observation/OFI.
• The auditee may consider implementation of the OFI (suggestion for improvement) but is
not obliged to do so.
• The organization is under obligation to achieve continual improvement of the system and
as such, generally, would welcome an OFI/Observation.

Expressing non-compliances: Statements of non-compliances must be:
• Non-blaming statements of facts
• Based upon recorded objective evidence
• Directly related to specific documented requirements

Objective Evidence: The qualitative or quantitative information, records or
statements of facts, pertaining to the quality of an item or service or to the existence
and implementation of a Quality System element or documented requirement, that is
based on observation, measurement or test and which can be verified.
(Data supporting the existence or verification of something)



The NCRs are to be carefully written to ensure that they are:
a) factually correct
b) complete, containing full information
c) easily and clearly understandable to the auditee, to enable arriving at the appropriate
corrective action.

The three elements of an NCR are:
a) The statement of nonconformity expresses the nature and necessary details of the
nonconformity. The statement of nonconformity should be expressed in the language of the
requirement (stipulated in the standard or relevant system documentation). This
provides a test for the validity of the nonconformity.
b) Evidence of nonconformity refers to the objective evidence on which the nonconformity is
based.
c) System requirement refers to the specific requirement which has not been fulfilled.

AUDIT CONCLUSIONS CAN ADDRESS OTHER ISSUES SUCH AS THE FOLLOWING:
1. the extent of conformity with the audit criteria and robustness of the management
system, including the effectiveness of the management system in meeting the stated
objectives;
2. the effective implementation, maintenance and improvement of the management
system;
3. the capability of the management review process to ensure the continuing suitability,
adequacy, effectiveness and improvement of the management system;
4. achievement of audit objectives, coverage of audit scope, and fulfilment of audit criteria;
5. root causes of findings, if included in the audit plan;
6. similar findings made in different areas that were audited for the purpose of identifying
trends.

The following is a summary of events that take place between the audit team and the auditee in the
course of closing an audit:

1. The auditor establishes his audit findings after having evaluated the evidence gathered and
presents the observations that can represent non-conformities in the audit conclusions to the
auditee.
2. The auditee confirms the findings and provides additional information if he is convinced that the
findings do not represent reality.
3. The auditor issues the audit conclusions and his recommendation for or against certification.
Afterwards, he presents the conclusions to the organization’s management for comments.
4. The auditee accepts the audit conclusions and recommendation or issues comments and/or
provides additional information.
5. The auditor presents the conclusions and recommendation formally during the closing meeting
and files the stage 2 audit report.
6. The auditee accepts or appeals the final audit report.
7. When the certification recommendation requires it, the auditee must submit action plans to
indicate how the organization will address the non-conformities.
8. The auditor evaluates the action plans submitted and shall follow up during the next surveillance
audit. In the case of major non-conformities, the auditor performs a follow-up audit after the
action plan is submitted, to validate the implementation of corrective or preventive actions.
9. The auditee implements the corrective or preventive actions proposed in the action plans. The
auditor shall validate on-site if it was agreed to in the audit conclusions (this is usually the case
when a major non-conformity is documented).
10. Following the initial audit, the auditor shall perform surveillance audits during the second
and third year of certification.
AUDIT TEAM LEADER (TL)
• For an on-site audit, the first assignment of the TL is conducting the opening meeting. This
is followed by a site tour (as a team), briefing (if required) the audit team on any
significant observations during the tour, and commencement of auditing as per the audit
schedule.
• During the audit, the TL is the official spokesperson and provides the official channel of
communication.
• The TL ensures periodic feedback is given to the auditee and is responsible for conducting
the closing meeting, submission of the audit report and follow-up actions.
• In addition, the team leader carries out the allocated audits, as per the audit plan.
• In case of any controversy in audit conclusions, the final verdict is the responsibility of
the Team Leader.
• The TL examines the audit findings of audit team members for acceptance.

Here is a non-exhaustive list of accreditation authorities for several countries (see the complete
list on the IAF website - www.iaf.nu):
• Argentina: Organismo Argentino de Acreditacion (OAA), www.oaa.org.ar
• Australia & New Zealand: Joint Accreditation System of Australia and New Zealand (JAS-ANZ), www.jas-anz.org
• Austria: Federal Ministry of Economy, Family and Youth (BMWFJ), www.bmwfj.gv.at
• Belgium: Belgian Accreditation Structure (BELAC), www.belac.fgov.bg
• Brazil: General Coordination for Accreditation (CGCRE), www.inmetro.gov.br
• Canada: Standards Council of Canada (Conseil Canadien des Normes) (SCC), www.scc.ca
• Chile: Instituto Nacional de Normalizacion (INN), www.inn.cl
• China: China National Accreditation Service for Conformity Assessment (CNAS), eng.cnas.org.cn
• Egypt: Egyptian Accreditation Council (EGAC), www.egac.gov.eg
• Finland: Finnish Accreditation Service (FINAS), www.finas.fi
• France: Comité Français d’Accréditation (COFRAC), www.cofrac.fr
• Germany: Deutsche Akkreditierungsstelle GmbH (DAkkS), www.dakks.de
• Hong Kong, China: Hong Kong Accreditation Service (HKAS), www.itc.gov.hk/hkas
• India: National Accreditation Board for Certification Bodies (NABCB), www.qcin.org
• Ireland: Irish National Accreditation Board (INAB), www.inab.ie
• Japan: The Japan Accreditation Board for Conformity Assessment (JAB), www.jab.or.jp
• Korea: Korea Accreditation Board (KAB), www.kab.or.kr
• Malaysia: Department of Standards Malaysia, www.standardsmalaysia.gov.my
• Mexico: Mexican Accreditation Entity (Entidad Mexicana de Acreditacion) (EMA), www.ema.org.mx
• Netherlands: Dutch Accreditation Council (Raad Voor Accreditatie) (RvA), www.rva.nl
• Norway: Norwegian Accreditation (NA), www.akkreditert.no
• Pakistan: Pakistan National Accreditation Council (PNAC), www.pnac.org.pk
• Philippines: Philippine Accreditation Office (PAO), www.dti.gov.ph/dti/index.php?p=176
• Portugal: Portuguese Institute for Accreditation (IPAC), www.ipac.pt
• Spain: Entidad Nacional de Acreditacion (ENAC), www.enac.es
• Romania: Romanian Accreditation Association (Asociatia de Acreditare din Romania) (RENAR), www.renar.ro
• Russian Federation: Scientific Technical Centre on Industrial Safety (STC-IS), www.oaontc.ru
• Singapore: Singapore Accreditation Council (SAC), www.sac-accreditation.gov.sg
• Slovenia: Slovenska Akreditacija (SA), www.gov.si/sa
• South Africa: South African National Accreditation System (SANAS), www.sanas.co.za
• Sweden: Swedish Board for Accreditation and Conformity Assessment (SWEDAC), www.swedac.se/sdd/SwInternet.nsf
• Switzerland: State Secretariat for Economic Affairs, Swiss Accreditation Service (SAS), www.sas.ch
• Taiwan: Taiwan Accreditation Foundation (TAF), www.taftw.org.tw
• Thailand: National Standardization Council of Thailand (NSC), www.tisi.go.th
• Tunisia: Tunisian Accreditation Council (Conseil National d'Accréditation, CNA) (TUNAC), www.tunac.tn
• Turkey: Turkish Accreditation Agency (TURKAK), www.turkak.org.tr
• United Arab Emirates: Dubai Accreditation Center (DAC), www.dac.gov.ae
• United Kingdom: United Kingdom Accreditation Service (UKAS), www.ukas.com
• United States: ANSI-ASQ National Accreditation Board (ANAB), www.anab.org
• United States: American National Standards Institute (ANSI), www.ansi.org
• Uruguay: Organismo Uruguayo de Acreditacion (OUA), www.organismouruguayodeacreditacion.org
• Vietnam: Bureau of Accreditation (BoA), www.boa.gov.vn



ISO 17021: Introduction
Certification of a management system provides independent demonstration that the
management system of the organization:
a) conforms to specified requirements;
b) is capable of consistently achieving its stated policy and objectives;
c) is effectively implemented.
Conformity assessment, such as the certification of a management system, thereby provides
value to the organization, its customers and interested parties.

• The audit team leader shall ensure that the audit report is prepared and is responsible
for its contents, as per CB’s requirements.

• The audit report shall provide an accurate, concise and clear record of the audit to
enable an informed certification decision to be made by the certification body.

• Ownership of the audit report shall be maintained by the certification body.



PREPARING THE AUDIT REPORT
The audit team leader should report the audit results in accordance with the audit
programme procedures. The audit report should provide a complete, accurate, concise and
clear record of the audit, and should include or refer to the following:

1. the audit objectives;
2. the audit scope, particularly identification of the organizational and functional units or
processes audited;
3. identification of the audit client;
4. identification of audit team and auditee’s participants in the audit;
5. the dates and locations where the audit activities were conducted;
6. the audit criteria;
7. the audit findings and related evidence;
8. the audit conclusions;
9. a statement on the degree to which the audit criteria have been fulfilled.

The audit report can also include or refer to the following, as appropriate:
• the audit plan including time schedule;
• a summary of the audit process, including any obstacles encountered that may
decrease the reliability of the audit conclusions;
• confirmation that the audit objectives have been achieved within the audit scope
in accordance with the audit plan;
• any areas within the audit scope not covered;
• a summary covering the audit conclusions and the main audit findings that
support them;
• any unresolved diverging opinions between the audit team and the
auditee;
• opportunities for improvement, if specified in the audit plan;
• good practices identified;
• agreed follow-up action plans, if any;
• a statement of the confidential nature of the contents;
• any implications for the audit programme or subsequent audits;
• the distribution list for the audit report.



DISTRIBUTING THE AUDIT REPORT
• The audit report should be issued within an agreed period of time. If it is delayed, the
reasons should be communicated to the auditee and the person managing the audit
programme.

• The audit report should be dated, reviewed and approved, as appropriate, in accordance
with audit programme procedures.

• The audit report should then be distributed to the recipients as defined in the audit
procedures or audit plan.



COMPLETING THE AUDIT
• The audit is completed when all planned audit activities have been carried out, or as
otherwise agreed with the audit client (e.g. there might be an unexpected situation that
prevents the audit being completed according to the plan).

• Documents pertaining to the audit should be retained or destroyed by agreement
between the participating parties and in accordance with audit programme procedures
and applicable requirements.

• Unless required by law, the audit team and the person managing the audit programme
should not disclose the contents of documents, any other information obtained during the
audit, or the audit report, to any other party without the explicit approval of the audit client
and, where appropriate, the approval of the auditee. If disclosure of the contents of an
audit document is required, the audit client and auditee should be informed as soon as
possible.

• Lessons learned from the audit should be entered into the continual improvement
process of the management system of the audited organizations.

CONDUCTING AUDIT FOLLOW-UP
• The conclusions of the audit can, depending on the audit objectives, indicate the need
for corrections, or for corrective, preventive or improvement actions. Such actions are
usually decided and undertaken by the auditee within an agreed timeframe. As
appropriate, the auditee should keep the person managing the audit programme and the
audit team informed of the status of these actions.

• The completion and effectiveness of these actions should be verified. This verification
may be part of a subsequent audit.

WHAT IS A SURVEILLANCE AUDIT?
• The initial audit to get an organisation’s system certified is called the Registration
Audit. Subsequent audits by the registrar are referred to as Surveillance Audits.
• Surveillance Audits are the ongoing periodic review of an organisation’s quality
management system by a third-party registrar. They generally occur every year.
This period may be changed to every 6 months, if the organisation expects a high
standard of compliance.
• For a system of the organization's size, the duration of these audits is generally as
per IAF guidelines.

WHAT IS THE PURPOSE OF THE SURVEILLANCE AUDIT ?


• The focus of Surveillance Audits is to ensure continued compliance with the ISO
standard and the policies and processes of the organization. Auditors look for
evidence that the quality system is being maintained in its entirety and improved
and corrected as needed.
• The Surveillance Audit also examines use of the ISO logos, in the stationery and
advertising materials.
• The outcome of the Surveillance Audit determines if we continue to hold
certification and acts as a vehicle for improvement ideas from an independent
body.
• The successful completion of a Surveillance Audit demonstrates to customers, that
we are capable of maintaining and improving our level of quality.
• Surveillance Audits supplement the two activities that we conduct internally, to
ensure continued conformance to ISO requirements - Internal Quality Auditing and
Management Review.
RE-CERTIFICATION AUDIT
The process of recertification would include a reassessment of the
organization’s documented quality management system, including a review of
the Management System, where necessary, to be conducted before the expiry
of the three-year term of validity. The recertification audit is planned and conducted
to evaluate the continued fulfilment of all of the requirements of the relevant
management system standard or other normative document. The Renewal
audit plan is verified to ensure that the majority of the audit time is given to
verifying the effective implementation of the management system in the locations
where the organization’s activities take place, including on-site audits of
temporary sites for QMS (In Management System Audit 80% of the audit time
shall be given onsite).

The reassessment provides for a review of the past performance of the quality
management system over the period of previous certification, including
examination of the documents/records relating to the internal audits,
management review and effectiveness of corrective and preventive actions,
etc.



It is the responsibility of the person assigned (of Lead Auditor status) to
conduct the Reassessment and submit the report. The team leader also
ensures that any Technical Expert / Specialist is not allowed to function
independently and is always accompanied by an auditor / lead auditor.

The Re-certification audit shall be planned and conducted three months prior to
the expiry of the validity of the certificate, to ensure continuity of certification in the likely
event of any nonconformance being found during the audit. In the case of 9/6
monthly surveillance frequency, the Re-certification audit can be clubbed with
the Surveillance Audit.

The process of Re-certification is planned by the CAB. Advance notice is sent
to the client. If the client agrees to the recertification, the sending of the
Questionnaire, the quotation and the application review are done as per procedure. If
there are changes such as the addition of new processes/services, a regulatory
requirement, the addition of new products/services, a change of location or a change
of Top Management, a Stage 1 audit is required to be conducted. Before
proceeding to the client site, the team leader shall review all the previous reports
since the certification audit / last Reassessment by Performance Review and make
a note of relevant points.

The reassessment programme shall at least ensure the following:

1. The effective interaction between all elements of the system; audit activities
have a stage 1 audit in situations where there have been significant
changes to the management system, the client, or the context in which the
management system is operating (e.g. changes to legislation) as identified
in the Application Questionnaire.
2. Overall effectiveness of the system in its entirety in the light of changes in
operations
3. Demonstrated commitment to maintain the effectiveness of the system
4. Summary of Previous Audit Reports
5. Whether all areas/ processes/ clauses have been audited at least once in
the last three-year cycle
6. Any concentration of non-conformities against particular clauses/areas and
effectiveness of corrective actions taken on nonconformities identified by
TNV shall be closed within 15 days of recertification audit
7. Objectives and Continual Improvement
8. Whether the operation of the certified management system contributes to
the achievement of the organization's policy and objectives.
9. In the case of multiple sites or certification to multiple management system
standards being provided by the TNV, the planning for the audit ensures
adequate on-site audit coverage to provide confidence in the certification.
10. Verify the OHS for the respective objectives and targets
11. Hazard Identification & Assessment Controls
12. Compliance towards Legal & Other requirements, including customer
requirements
13. Verify the Environmental management systems at the temporary site
14. Verify the Environmental management at the Multisite based on the Audit
Program

The Re-Certification Audit shall be conducted if the client applies for re-certification
prior to expiry of the certificate and there is no major change in the client organization
(legal, scope etc.). However, if the client applies for recertification after the expiry
date, then stage I will also be conducted. If an NC is identified in the Re-Certification
audit, the team leader shall ensure, and communicate to the client, that the
Corrective Actions and the evidence are provided before the expiry of the
certificate.
