ISO 9001 - QMS LA Delegate Course Notes
ISO 9001 - QMS LA Delegate Course Notes
ISO 9001 - QMS LA Delegate Course Notes
Rationale
Sustained success is achieved when an organization attracts and retains the confidence of
customers and other relevant interested parties. Every aspect of customer interaction
provides an opportunity to create more value for the customer. Understanding current and
future needs of customers and other interested parties contributes to the sustained success
of the organization.
Key benefits
Some potential key benefits are:
• increased customer value; increased customer satisfaction;
• improved customer loyalty;
• enhanced repeat business;
• enhanced reputation of the organization;
• expanded customer base;
• increased revenue and market share.
Possible actions
2. LEADERSHIP
Statement
Leaders at all levels establish unity of purpose and direction and create conditions in
which people are engaged in achieving the organization’s quality objectives.
Rationale
Creation of unity of purpose and the direction and engagement of people enable an
organization to align its strategies, policies, processes and resources to achieve its
objectives.
Key benefits
Some potential key benefits are:
• increased effectiveness and efficiency in meeting the organization’s quality
objectives;
• better coordination of the organization’s processes;
• improved communication between levels and functions of the organization;
• development and improvement of the capability of the organization and its people
to deliver desired results.
Possible actions
Possible actions include:
• communicate the organization’s mission, vision, strategy, policies and processes
throughout the organization;
• create and sustain shared values, fairness and ethical models for behaviour at all
levels of the organization;
• establish a culture of trust and integrity;
• encourage an organization-wide commitment to quality;
• ensure that leaders at all levels are positive examples to people in the
organization;
• provide people with the required resources, training and authority to act with
accountability;
• inspire, encourage and recognize the contribution of people.
Rationale
In order to manage an organization effectively and efficiently, it is important to respect
and involve all people at all levels. Recognition, empowerment and enhancement of
competence facilitate the engagement of people in achieving the organization’s
quality objectives.
Key benefits
Some potential key benefits are:
• improved understanding of the organization’s quality objectives by people in the
organization and increased motivation to achieve them;
• enhanced involvement of people in improvement activities;
• enhanced personal development, initiatives and creativity;
• enhanced people satisfaction;
• enhanced trust and collaboration throughout the organization;
• increased attention to shared values and culture throughout the organization.
Possible actions
Possible actions include:
• communicate with people to promote understanding of the importance of their
individual contribution;
• promote collaboration throughout the organization;
• facilitate open discussion and sharing of knowledge and experience;
• empower people to determine constraints to performance and to take initiatives
without fear;
• recognize and acknowledge people’s contribution, learning and improvement;
• enable self-evaluation of performance against personal objectives;
• conduct surveys to assess people’s satisfaction, communicate the results and take
appropriate actions.
4. PROCESS APPROACH
Statement
Consistent and predictable results are achieved more effectively and efficiently when
activities are understood and managed as interrelated processes that function as a
coherent system.
Rationale
The QMS consists of interrelated processes. Understanding how results are produced
by this system enables an organization to optimize the system and its performance.
Possible actions
Possible actions include:
• define objectives of the system and processes necessary to achieve them;
• establish authority, responsibility and accountability for managing processes;
• understand the organization’s capabilities and determine resource constraints prior
to action;
• determine process interdependencies and analyse the effect of modifications to
individual processes on the system as a whole;
• manage processes and their interrelations as a system to achieve the
organization’s quality objectives effectively and efficiently;
• ensure the necessary information is available to operate and improve the
processes and to monitor, analyse and evaluate the performance of the overall
system;
• manage risks which can affect outputs of the processes and overall outcomes of
the QMS.
5. IMPROVEMENT
Statement
Successful organizations have an ongoing focus on improvement.
Rationale
Improvement is essential for an organization to maintain current levels of
performance, to react to changes in its internal and external conditions and to create
new opportunities.
Key benefits
Some potential key benefits are:
• improved process performance, organizational capability and customer
satisfaction;
• enhanced focus on root cause investigation and determination, followed by
prevention and corrective actions;
• enhanced ability to anticipate and react to internal and external risks and
opportunities;
• enhanced consideration of both incremental and breakthrough improvement;
• improved use of learning for improvement;
• enhanced drive for innovation.
Rationale
Decision-making can be a complex process and it always involves some uncertainty.
It often involves multiple types and sources of inputs, as well as their interpretation,
which can be subjective. It is important to understand cause and effect relationships
and potential unintended consequences. Facts, evidence and data analysis lead to
greater objectivity and confidence in decision making.
Key benefits
Some potential key benefits are:
• improved decision making processes;
• improved assessment of process performance and ability to achieve objectives;
• improved operational effectiveness and efficiency;
• increased ability to review, challenge and change opinions and decisions;
• increased ability to demonstrate the effectiveness of past decisions.
Possible actions
Possible actions include:
• determine, measure and monitor key indicators to demonstrate the organization’s
performance;
• make all data needed available to the relevant people;
• ensure that data and information are sufficiently accurate, reliable and secure;
• analyse and evaluate data and information using suitable methods;
• ensure people are competent to analyse and evaluate data as needed;
• make decisions and take actions based on evidence, balanced with experience
7. RELATIONSHIP MANAGEMENT
Statement
For sustained success, organizations manage their relationships with relevant
interested parties, such as providers.
Rationale
Relevant interested parties influence the performance of an organization. Sustained
success is more likely to be achieved when the organization manages relationships
with all of its interested parties to optimize their impact on its performance.
Relationship management with its provider and partner networks is of particular
importance.
Key benefits
Some potential key benefits are:
• enhanced performance of the organization and its relevant interested parties
through responding to the opportunities and constraints related to each interested
party;
• common understanding of objectives and values among interested parties;
• increased capability to create value for interested parties by sharing resources and
competence and managing quality related risks;
• a well-managed supply chain that provides a stable flow of products and services.
Possible actions
Possible actions include:
• determine relevant interested parties (such as providers, partners, customers,
investors, employees or society as a whole) and their relationship with the
organization;
• determine and prioritize interested party relationships that need to be managed;
• establish relationships that balance short-term gains with long-term considerations;
• gather and share information, expertise and resources with relevant interested
parties;
• measure performance and provide performance feedback to interested parties, as
appropriate, to enhance improvement initiatives;
• establish collaborative development and improvement activities with providers,
partners and other interested parties;
• encourage and recognize improvements and achievements by providers and
partners.
The audit scope should not be confused with the scope of the management system.
The audit scope should be consistent with the audit programme and audit objectives. It
includes such factors as for example, the locations, the organizational units, the activities to
be audited, asset management related assumptions, process(es) and/or procedure(s),
methods, tools and techniques, as well as the time period covered by the audit.
The audit scope does not necessarily include all the organization’s processes, products,
locations, departments, or divisions, etc. covered by the management system. Taking into
account the limited duration of the audit, the auditor determines which divisions, processes,
systems, etc. he will audit. It is very important that the audit scope chosen by the auditor be
For example, to prepare an audit on the overall activities of a bank with a head office,
4 processing centres, 20 regional offices and 1,500 branches, an auditor could
include only the head office, one data processing centre, five regional offices and 25
branches in the ongoing audit scope. From one year to the next, he will select an new
audit scope within the limits of the management system.
EXTERNAL AUDITS
include audits known as second and third party:
a. Second party audit: The second party audits are conducted by parties having an
interest in the audited organization, such as customers, or other persons acting on their
behalf.
b. Third party audit: Third party audits are conducted by external and independent audit
organizations such as the organizations that grant the registration or conformity
certification of management systems.
Important note: Third party audits are performed by auditors who are external to and
independent of the auditee.
Remote audit activities are performed at any place other than the location of the auditee,
regardless of the distance.
Some instances for choosing remote audit approach would be
- Cost considerations
- Travel constraints
- Time constraints
Normally temporary sites and associated locations to primary entity can be considered for
remote auditing
When choosing remote audit prevailing regulations / laws of land relating to information
security needs due consideration broadly based on IAF MD4
The respect of audit principles is a major success factor for an auditor. The respect of these
principles allows him to gain and preserve the trust of the audit client and the auditee. It is
difficult to gain trust and almost impossible to regain it in case of failure.
A good way to ensure compliance with the code of conduct is to correctly assess the
qualifications and performances of each auditor. At the end of the audit, sending a customer
satisfaction questionnaire to the auditee is common practice by the certification body at the
end of the audit.
In a country, if customers and the general public lose confidence in the certification
system (for example, thinking that organizations obtain certificates of conformity by
paying bribes), certificates lose much of their usefulness. For example, a customer
who doesn’t want to rely on the certificate of conformity will, instead send an audit team to
validate conformity to the requirements.
The necessity to comply with the principle of confidentiality remains even after the
end of the relationship between a professional auditor and an audit client and an
auditee. When a professional auditor changes jobs or acquires a new client, he can use his
previous experience. However, the professional auditor should not use or reveal
confidential information acquired or received during a professional or business relationship.
The necessity to comply with the principle of confidentiality remains even after
the end of the relationship between a professional auditor and an audit client
and an auditee. When a professional auditor changes jobs or acquires a new client,
he can use his previous experience. However, the professional auditor should not use
or reveal confidential information acquired or received during a professional or
business relationship.
AUDIT OBJECTIVE
Why the audit is being conducted and could be for
a. determining the readiness of organization (stage 1);
b. determining the implementation and effectiveness of system (Stage 2);
AUDIT SCOPE
The audit scope generally includes a description of the physical locations,
organizational units, activities and processes, as well as the time period covered
AUDIT CRITERIA
The basis on which audit is performed such as
a. Requirements of the standard
b. Requirements of law
c. Requirements of interested parties
d. Requirements of the system developed by the client organization
The determination of feasibility should take into consideration such factors as the
availability of the following:
- sufficient and appropriate information for planning and conducting the audit;
- adequate cooperation from the auditee;
- adequate time and resources for conducting the audit.
Where the audit is not feasible, an alternative should be proposed to the audit client, in
agreement with the auditee.
GUIDES
Guides and observers (e.g. regulator or other interested parties) may accompany the audit
team. They should not influence or interfere with the conduct of the audit. If this cannot be
assured, the audit team leader should have the right to deny observers from taking part in
certain audit activities.
Guides, appointed by the auditee, should assist the audit team and act on the request of the
audit team leader. Their responsibilities should include the following:
• assisting the auditors in identifying individuals to participate in interviews and confirming
timings;
• arranging access to specific locations of the auditee;
• ensuring that rules concerning location safety and security procedures are known and
respected by the audit team members and observers.
AUDITOR-IN-TRAINING
• After obtaining the theoretical knowledge in auditing, one has to acquire adequate
practical experience in auditing before being permitted to carry out audits independently.
OBSERVERS
• The presence and justification of observers during an audit shall be agreed to by the
certification body and client prior to the conduct of the audit. The audit team shall ensure
that the observers do not influence or interfere in the audit process or outcome of the
audit.
• Facility personnel should be adequately briefed to face the audit ; attendees should
make it convenient to attend the meetings and the audits.
Auditors should possess the necessary qualities to enable them to act in accordance with
the principles of auditing as described earlier (pages 24-25 refer)
Auditors should exhibit professional behaviour during the performance of audit activities,
including being:
• ethical, i.e. fair, truthful, sincere, honest and discreet;
• open-minded, i.e. willing to consider alternative ideas or points of view;
• diplomatic, i.e. tactful in dealing with people;
• observant, i.e. actively observing physical surroundings and activities;
• perceptive, i.e. aware of and able to understand situations;
• versatile, i.e. able to readily adapt to different situations;
• tenacious, i.e. persistent, focused on achieving objectives;
Stage 2
The purpose of this audit is to confirm that the management system has been fully
implemented and conforms to the requirements of the chosen Standard in practice. The
auditor will:
1. undertake random samples of the processes and activities defined in the scope of
certification
2. document how the system complies with the standard by using objective evidence
3. report any non-compliances or opportunities for improvement
4. produce a surveillance plan and agree to a date for the first annual surveillance audit
• The audit findings to include identification of any areas of concern that could be
classified as nonconformity during the stage 2 audit.
• The results of stage 1 audit help the organization to carry out the necessary corrective
actions to eliminate the gaps identified, and hence to achieve conformity to audit criteria
during stage 2 audit.
• The time needed (and agreed to) for resolving the areas of concern, and also the time
needed by the CB, would be factors, determining the interval between stage 1 and stage
2 audits
b) on-site activities:
- avoid any unnecessary disturbance of the operational processes;
- ensure that the audit team is using PPE properly;
- ensure emergency procedures are communicated (e.g. emergency exits, assembly
points);
- schedule communication to minimize disruption;
- adapt size of the audit team and the number of guides and observers in accordance with
Audit team briefings should be held, as appropriate, by the audit team leader in order to
allocate work assignments and decide possible changes. Changes to the work assignments
can be made as the audit progresses in order to ensure the achievement of the audit
objectives.
It is to be noted, that even though a confidentiality agreement is signed, an auditee has the
right to require that the document review takes place on-site and that no document may
be carried off-site
Important note: Checklists do not replace all the other information collection methods and
procedures. At best, checklists should help an auditor during the execution of an audit
process and not replace his professional judgment.
The opening meeting should be interactive with the auditee to answer all the
questions. It is a unique way to establish a good relationship between the audit team
and the auditee. ISO 17021-1, clause 9.4.2: Conducting the opening meeting A
formal opening meeting, shall be held with the client’s management and, where
appropriate, those responsible for the functions or processes to be audited. The
purpose of the opening meeting, usually conducted by the audit team leader, is to
provide a short explanation of how the audit activities will be undertaken.
• The responses of the auditee to be listened attentively, free from any personal judgment.
CLOSED QUESTIONS
• Closed questions are relatively less productive in nature as they provide smaller
quantum of information.
• Closed questions are asked when it is intended to obtain a specific (often significant)
information.
LEADING QUESTIONS
• At times, an auditee is found to be persistently dodging a question. Putting a leading
question, in such a situation, is an attempt to guide the responses in the expected
channel to facilitate audit conclusion.
• Leading questions are to be sparingly used, to eliminate the possible bias.
SILENCE
• Human being is uncomfortable with silence.
• For instance, when you are in the midst of a prolonged interactions (possibly obtaining
some fabricated information) and you suddenly become silent for a longish duration, the
auditee may find it unbearable and would ultimately feel the urge of dishing out the
correct information to gain normalcy.
VOCAL CHARACTERISTICS
• What you are saying is important.
1. Random sampling
Description: Selecting a sample the probability of which is known (and not void) and of
which each element of the population has the same probability of being selected.
Advantages: This method is statistically the most reliable. It is possible to calculate the
inclusion probability of each element in a sample as well as estimate the error margins.
Disadvantages: More complex method and is usually more time consuming than the other
methods.
• Physical and documentary evidences are preferred evidences which can be easily
verifiable. However, in the absence of physical and documentary evidences, one may
have to depend on circumstantial evidence or testimonials, which are rather indirect
evidences, needing careful verification and are sometimes open to debate.
The audit team should meet as needed to review the audit findings at appropriate stages
during the audit
Recording conformities
For records of conformity, the following should be considered:
Recording nonconformities
For records of nonconformity, the following should be considered:
Depending on the arrangements with the audit client, the auditor may raise either:
• separate findings for each criterion; or
• a single finding, combining the references to multiple criteria.
Depending on the arrangements with the audit client, the auditor may guide the
auditee on how to respond to those findings
MINOR NONCONFORMANCE
• The nonconformance are graded in two groups, major and minor. In a nonconformance
does not fall in the group of major NC, it will, obviously, fall in the group of minor NC.
• A minor NC does not cause a total breakdown of the system in respect of a specific
requirement, and it amounts to an occasional failure. This means, in the case of minor
NC, we have the evidence to conclude that the system is generally in place and it has
encountered an occasional failure due to some stray reason/s.
OBSERVATION/ OPPORTUNITY FOR IMPROVEMENT(OFI)
• If the auditor identifies an area of potential improvement and feels the same should be
raised (but do not warrant raising an NC), he may (if the system permits to do so) raise
an observation/OFI.
• The auditee may consider implementation of the OFI (suggestion for improvement) but is
not to do so compulsorily.
• The organization is under obligation to achieve continual improvement of the system and
1.The auditor establishes his audit findings after having evaluated the evidence gathered and
presents the observations that can represent non-conformities in the audit conclusions to the
auditee.
2.The auditee confirms the findings and provides additional information if he is convinced that the
findings do not represent reality.
3.The auditor issues the audit conclusions and his recommendation or not for certification. After, he
presents the conclusions to the organization’s management for comments.
4.The auditee accepts the audit conclusions and recommendation or issues comments and/or
provides additional information.
5.The auditor presents the conclusions and recommendation formally during the closing meeting
and files the stage 2 audit report.
6.The auditee accepts or appeals the final audit report.
7.When the certification recommendation requires it, the auditee must submit action plans to
indicate how the organization will address the non-conformities.
8.The auditor evaluates the action plans submitted and shall follow up during the next surveillance
audit. In the case of major non-conformities, the auditor performs a follow-up audit, after the
action plan is submitted to validate the implementation of corrective or preventive actions.
9.The auditee implements the corrective or preventive actions proposed in the action plans. The
auditor shall validate on-site if it was agreed to in the audit conclusions (This is usually the case
when a major non-conformity is documented).
10.Following the initial audit, the auditor shall perform surveillance audits during the second
Edu/QMS_LA/DCN/v1.0 September, 2019 Page 147 of 176
and third year of certification.
Edu/QMS_LA/DCN/v1.0 September, 2019 Page 148 of 176
Edu/QMS_LA/DCN/v1.0 September, 2019 Page 149 of 176
AUDIT TEAM LEADER (TL)
• For an on-site audit, the first assignment of the TL is : conducting opening meeting. This
is followed by a site tour (as a team) and briefing (if required) the audit team on any
significant observations, during the tour and commencement of auditing as per audit
schedule.
• During the audit, the TL is the official spokesperson and provides the official channel of
communication.
• TL ensures periodic feedbacks are given to the auditee and is responsible for conducting
the closing meeting, submission of audit report and follow-up actions.
• In addition, the team leader carries out the allocated audits, as per the audit plan
• In case of any controversy in audit conclusions, the final verdict is the responsibility of
the Team Leader.
• TL examines the audit findings of audit team members for acceptance.
• The audit report shall provide an accurate, concise and clear record of the audit to
enable an informed certification decision to be made by the certification body.
The audit report can also include or refer to the following, as appropriate:
• the audit plan including time schedule;
• a summary of the audit process, including any obstacles encountered that may
decrease the reliability of the audit conclusions;
• confirmation that the audit objectives have been achieved within the audit scope
in accordance with the audit plan;
• The audit report should be dated, reviewed and approved, as appropriate, in accordance
with audit programme procedures.
• The audit report should then be distributed to the recipients as defined in the audit
procedures or audit plan.
• Unless required by law, the audit team and the person managing the audit programme
should not disclose the contents of documents, any other information obtained during the
audit, or the audit report, to any other party without the explicit approval of the audit client
and, where appropriate, the approval of the auditee. If disclosure of the contents of an
audit document is required, the audit client and auditee should be informed as soon as
possible.
• Lessons learned from the audit should be entered into the continual improvement
process of the management system of the audited organizations
• The completion and effectiveness of these actions should be verified. This verification
may be part of a subsequent audit
The reassessment provides for a review of the past performance of the quality
management system over the period of previous certification, including
examination of the documents/records relating to the internal audits,
management review and effectiveness of corrective and preventive actions,
etc.
Re- certification audit shall be planned and conducted three months prior to
the validity of the certificate to ensure continuity of certification in the likely
event of any non conformance found during the audit. In the case of 9/6
monthly surveillance frequency the Re-certification audit can be clubbed with
the Surveillance Audit.
The process of Re-certification is planned by the CAB. Advance notice is sent
to the client. If the client agrees for the recertification the sending
Questionnaire, quotation and application review is done as per procedure. If
there are changes like addition of new processes/services, regulatory
requirement or new product/services addition or change of location or change
of Top management Stage 1 audit is required to be conducted .Before
proceeding to client site, the team leader shall review all the previous reports
since certification audit/ last Reassessment by Performance Review and make
a note of relevant points.