PREPARING FOR

CERTIFICATION
AUDIT
Development of a Province-Wide BATCHES 1 - 4
QMS Certifiable to ISO 9001:2015
for the Province of Sorsogon
1
ISO REFERENCES ON
CERTIFICATION
ISO Guidance with Terminologies
2
ISO GUIDANCE ABOUT CERTIFICATION

▰ ISO does not perform certification and do not issue certificates

▰ Other than developing management system standards, ISO produces
standards that regulate certification bodies
▰ Don’t say: “ISO certified”
▰ Do say: “ISO 9001:2015 certified”
▰ Don’t use or modify ISO logo

3
 VALUE OF CERTIFICATION

“Certification can be a useful tool to add credibility, by International Organization for

demonstrating that your product or service meets the Standardization
expectations of your customers. For some industries,
certification is a legal or contractual requirement”.
“Certification of a management system provides independent ISO/IEC 17021-1:2015
demonstration that the management system of the Conformity Assessment –
organization: Requirements for bodies
providing audit and certification
• Conforms to specified requirements of management systems
• Is capable of consistently achieving its stated policies and
objectives
• Is effectively implemented”

“Don’t mistake buyers of certification services with certificate users” 4

- Sidney Vianna
 CERTIFICATION TERMINOLOGIES

Certification Audit carried out by an auditing organization independent of the

Audit client and the parties that rely on certification, for the purpose of
certifying the client’s management system.
Certificate The form of attestation of conformity of an organization’s management
system to a specific management system standard.
Client Organization whose management system is being audited for
certification purposes
Accreditation The formal recognition by an independent body, generally known as an
accreditation body, that a certification body operates according to
international standards.

5
2
CERTIFICATION AUDIT
PREPARATORY ACTIVITIES
Readiness Assessment, Procurement of
Certification Services 6
 PROVINCE-WIDE QMS ROADMAP FOR SORSOGON
Workshop on Training Course on Root
Cause Analysis and
Process Mapping
and Risk-Based Corrective Action
Quality Planning Formulation

Technical Workshop on
Training Course on
Guidance on QMS Auditing QMS
ISO 9001:2015 QMS
Implementation
Requirements and
Documentation

MONTH 1 MONTH 3-4 MONTH 8

MONTH 2 MONTH 5-6 MONTH 7

QMS Technical Guidance

Launching Workshop on QMS on Management
Documentation Seminar- Review
Workshop on 5S
Orientation on Good
Housekeeping Technical
ISO 9001:2015
Tech. Guidance Guidance on
QMS
on Enhancement Preparation for
of Operational Training Course 3rd Party Audit
Controls and on Auditing QMS
Procedures
 These will be
MUST BE COMPLETED PRIOR TO CERTIFICATION checked during the
AUDIT Readiness
Assessment

▰ Quality Policy dissemination and awareness;

▰ Programs, Projects and Activities (PPAs) to support strategic objectives are already being implemented or
completed;
▰ Documented information (e.g. scope of QMS, Quality Manual, Procedures) are all registered and issued;
▰ Risk-based thinking concept and tools are evidently employed during the strategic and operational
planning (e.g. SWOT, Reality Gap Analysis, ROAAP);
▰ Performance objectives and targets are supported with actions or PPAs and with measurable data to
support the achievement;
▰ Controls identified in the ROAAP and Procedures have evidences of actual implementation;
▰ Planned Results, MFOs, Expected Outputs with evidences of fulfillment;
▰ Tasks specified in documented information (e.g. Procedures, Citizen Charter, IPCR) were performed;
8
 These will be
MUST BE COMPLETED PRIOR TO CERTIFICATION checked during the
AUDIT Readiness
Assessment

▰ One full-cycle of internal audit (i.e. all QMS processes were audited) was carried out;
▰ The relevant audit criteria (e.g. procedures, regulatory requirements, ISO 9001 clauses) were checked;
▰ Results of the internal audits, including the actions taken to address the identified nonconformities, were
included in the management meetings;
▰ Evaluation of the actions to address risks and opportunities, as identified in the ROAAPs, was carried out
during internal audit and/or management meetings;
▰ Re-assessment of the risk level (e.g. RPN) was done after the implementation of the Recommended
Actions;
▰ ROAAPs were updated resulting from the corrective actions taken to address causes of nonconformities;
▰ Management meeting records can demonstrate that the specified inputs in ISO 9001 clause 9.3.2 were
covered;
▰ Decision and actions resulting from the management meetings are documented 9
 READINESS ASSESSMENT FINDINGS TALLY
(SAMPLE)

Minor Major
Office / Area Conformity OFI
NC NC
Top Management 6 4 0 0
IQA, Corrective Action 3 4 1 0
Records Control and Management 3 3 0 0
Human Resource Management 3 1 0 0
General Services 2 1 0 0
Financial Management 3 0 0 0
Planning and Development 4 2 0 0
Project Planning 5 1 0 0
Project Implementation 4 3 0 0
Project Monitoring 4 5 1 0
TOTAL 37 24 2 0 10
 READINESS ASSESSMENT CONCLUSION

Conclusion Description
With innovative approaches that go beyond the minimum requirements. Set
Certainly objectives show wide improvement trends of reliable data.
Certifiable
Without NC.
Systematic process-based approach, with early stage of systematic
improvements. 100% of the requirements can be fulfilled if given sufficient time to
Certifiable prepare.

With manageable number of Minor NCs

Relatively Reactive-based approach, with minimum data on conformance results available.
Passable With substantial number of Minor NCs
Uncertain to Deficient system is evident, with poor results or unpredictable results.
Pass With Major NC.
11
 Refer to the
PROCUREMENT OF CERTIFICATION SERVICES Sample TOR

Technical Requirements:
▰ CB has accreditation from the Philippine Accreditation Office relevant to the
nature of operation of the organization;
▰ CB has not provided consultancy services to the organization within the prior
two years;
▰ CB auditors must have experience in auditing government agencies;
▰ At least one member of the initial team will participate in the subsequent audits
as per the contract;
▰ CB has procedure for client appeals;
▰ CB must sign the non-disclosure agreement… 12
 Audit Time per Effective Number of Personnel
No. of Personnel Audit Time S1+S2 No. of Personnel Audit Time S1+S2
(days) (days)
1–5 1.5 626 – 875 12
6 – 10 2 876 – 1175 13
11 – 15 2.5 1176 – 1550 14
16 – 25 3 1551 – 2025 15
26 – 45 4 2028 – 2675 16
46 – 65 5 2676 – 3450 17
66 – 85 6 3451 – 4350 18
86 – 125 7 4351 – 5450 19
126 – 175 8 5451 – 6800 20
176 – 275 9 6801 – 8500 21
276 – 425 10 8501 – 10700 22
426 – 625 11 >10700 Follow progression above

13
3
TWO STAGE INITIAL
CERTIFICATION AUDIT
Stage 1 and Stage 2
14
 ACTIVITIES IN STAGE 1

▰ CB obtains information about the scope of the QMS, which includes:

▻ Products/services, processes and site/s,
▻ Acceptability of the justification for any exclusion,
▰ These information will establish the certification scope

Certification scope is a term used to refer to the scope in the certification document. This is
usually a statement that describes the “type of activities, products and services as
applicable at each physical site without being misleading or ambiguous” (ISO 17021:2015).
In the certification document the certified organization’s name and physical location (or of
the headquarters, and other physical sites, if applicable) are also stated.
- IAF APG Guidance on Scope 15
Sample of Individual-Scope Statement per office of the LGU 16
Sample of One-Scope Statement for the entire LGU 17
 ACTIVITIES IN STAGE 1

▰ CB reviews the existing QMS documented information, which includes:

▻ Quality manual, procedures, citizen charter,
▻ Internal/external issues considered during planning,
▻ Risk-based thinking tools (e.g. SWOT, ROAAPs),
▻ Alignment of strategic objectives and OPCRs with Vision and Mission,
▻ Internal audit and management review records,
▰ CB reviews the allocation of certification resources needed for Stage 2, including
agreeing on schedules.
18
 Typical Stage 1 Audit Plan
Day / Audit Criteria Responsible Auditor
GUIDANCE
Time
Day 1 / Opening Meeting Top Mgt, QMR, All Prepare presentation of the organization’s
8:30 Office Heads, profile (include the Mandate, Mission,
QMS Core Team Vision, Functional Chart)
Day 1 / Review of the Top Mgt., QMR, All Present how the internal/external issues
9:00 context of the Planning were considered during strategic planning
organization (Clause (e.g. SWOT or Vision Reality Gap
4) Analysis). Auditors will definitely ask
whether the pandemic, as an issue, was
considered during planning.

Present also how the needs and

expectations of the stakeholders were
considered during planning and became
the basis for setting objectives.

Sample Audit Plan for Stage 1 CB Audit 19

 Typical Stage 1 Audit Plan
Day / Audit Criteria Responsible Auditor
GUIDANCE
Time
Day 1 / Review of the Scope Top Mgt., QMR, All Present the statement of the scope of the
11:00 of the QMS (Clause Planning QMS in the Quality Manual.
4)
The certification scope will be based on
the scope of the QMS.
Day 1 / Review of the Top Mgt., QMR, All Present how the Quality Policy was
1:00 Quality Policy and Planning, QMS disseminated for employee awareness,
Quality Objectives Core Team including external providers and
(Clauses 5 and 6) interested parties.

Present alignment of the set MFOs and

Success Indicators with the Strategic
Objectives.

Sample Audit Plan for Stage 1 CB Audit 20

 Typical Stage 1 Audit Plan
Day / Audit Criteria Responsible Auditor
GUIDANCE
Time
Day 1 / Review of the Planning, QMS Auditor Present how the ROAAP was utilized to
3:00 Actions to address Core Team 1 establish the controls in addressing risks
risks and and opportunities. These controls are
opportunities then reflected in the documented
(Clause 6) procedures.

Present how the controls were evaluated

for their effectiveness (i.e. re-assessment
after implementation of the
Recommended Controls, IQA also check
the implementation of the controls)
Day 1 / Review of the Planning, HRMO, Auditor Present how the resources are acquired
3:00 Resources, QMS Core Team 2 thru Annual Investment Plan, Annual
Competence, Procurement Plan, PPMP, etc.)
Awareness and
Documentation Present how the necessary HR
(Clause 7) interventions are identified and provided
Sample Audit Plan for Stage 1 CB Audit
(e.g. CapDev Plan, IDP, IPCR) 21
 Typical Stage 1 Audit Plan
Day / Audit Criteria Responsible Auditor
GUIDANCE
Time
Day 2 / Review of the HRMO, Auditor Present how the employees are made
9:00 Resources, Document 2 aware with the QMS requirements.
Competence, Controller,
Cont’n. Awareness and Records Officer Present how the documents and records
Documentation QMS Core Team are controlled.
(Clause 7)
Day 2 / Review of Control on BAC, GSO, QMS Auditor Present evaluation of suppliers/bidders.
9:00 External Providers Core Team 1 Monitoring of performance of contractors
(Clause 8) will also be checked.

Ensure that results of evaluation and

monitoring of performance are reported
during management meetings.

Sample Audit Plan for Stage 1 CB Audit 22

 Typical Stage 1 Audit Plan
Day / Audit Criteria Responsible Auditor
GUIDANCE
Time
Day 2 / Review of evaluation PMT, HRMO, Auditor Present how OPCRs and IPCRs are
1:00 of performance, Feedback 2 evaluated.
results of monitoring Monitoring
Customer Committee, QMS Present how feedback of customers are
Satisfaction (Clause Core Team obtained, analyzed and reported during
9) management meetings.
Day 2 / Review of internal Top Management, Auditor Present records of planning, preparation
11:00 audit and QMR, IQA Team, 1 and reporting of audits.
management review QMS Core Team
(Clause 9) Present records of the management
meetings demonstrating that the specified
inputs in Clause 9.3.2 were covered.

Sample Audit Plan for Stage 1 CB Audit 23

 Typical Stage 1 Audit Plan
Day / Audit Criteria Responsible Auditor
GUIDANCE
Time
Day 2 / Review of corrective Top Management, All Present reported nonconformities with
2:00 actions and continual QMR, IQA Team, implemented corrective actions.
improvement QMS Core Team
(Clause 10) Present improvements resulting from
internal audit and management meetings.
Day 2 / Report consolidation Auditors All N/A
4:00
Day 2 / Closing Meeting Top Mgt, QMR, All Obtain Audit Report from the CB Auditors.
5:00 Office Heads,
QMS Core Team

Sample Audit Plan for Stage 1 CB Audit 24

 ACTIVITIES IN STAGE 2

▰ Stage 2 will include auditing of at least the following:

▻ Information and evidence of conformity with ISO 9001 applicable requirements,
▻ Monitoring, measuring, reporting and reviewing key performance objectives and
targets,
▻ Ability and performance in meeting applicable statutory, regulatory and contractual
requirements,
▻ Operational control of the QMS processes,
▻ Internal audit and management review,
▻ Management responsibility for the Quality Policy.
25
 Typical Stage 2 Audit Plan
Auditee Audit Area Clauses GUIDANCE
Top Mgt. Discussions and review of Clauses 4, It is a common approach for CB Auditors to employ
Planning the organization’s: 5, 6 the Plan, Do, Check, Act (PDCA) approach in
QMR • determination of the auditing. Hence, they usually start by auditing the
context of the Planning process of the organization.
operations and the
identification of the Auditors will need to check the Executive and
needs and Legislative Agenda, Capacity Development Agenda,
expectations of Goals, Objectives and Strategies and might check
interested parties. how the internal/external issues (4.1) and needs and
• identification of risk and expectations of interested parties (4.2) were
opportunities to be considered.
addressed by the
Management System Auditors will also check whether the risk-based
thinking (RBT) concept was employed during
Discussion and review of strategic planning (e.g. SWOT, PESTLE, Vision-Gap
Top Management’s Analysis, etc.)
approach to Leadership
including review and
discussion of the Sample Audit Plan for Stage 2 CB Audit 26
committed Policy
 Typical Stage 2 Audit Plan
Auditee Audit Area Clauses GUIDANCE
Top Mgt. Discussions and review of Clauses 4, Auditors would be interested to know whether there
Planning the organization’s: 5, 6 are changes in the strategies and objectives due to
QMR • determination of the the impact of the “pandemic”. They will expect that
context of the the “pandemic” is now part of the LGU’s organization
operations and the context.
identification of the
needs and Auditors will need to see planning activities by the
expectations of LGU’s management for the adjustments made to the
interested parties. previously set strategies and objectives.
• identification of risk and
opportunities to be The 3rd item in the Audit Area pertains to the
addressed by the approach of the LGU in communicating their Quality
Management System Policy for the awareness of the personnel working
under their control. People at different areas might be
Discussion and review of asked about their understanding of the LGU’s Quality
Top Management’s Policy.
approach to Leadership
including review and
discussion of the Sample Audit Plan for Stage 2 CB Audit 27
committed Policy
 Typical Stage 2 Audit Plan
Auditee Audit Area Clauses GUIDANCE
Different Interview and discussions Clauses 6.1 to 6.3 clauses of the standard are about planning.
LGU with area management. 6.1, 6.2, So, the following records should be prepared:
Offices 6.3, 7.1, • Action Plans supporting the Objectives and/or
Review of data and/or 7.2, 7.3, MFOs;
records related to levels of 7.4, 7.5, • Risks/opportunities that affect the achievement of
performance of the 8.1, 8.2, the Objectives/MFOs, including the actions
activities involved against 8.3, 8.4, identified to address them;
expected outcomes. 8.5, 8.6, • OPCRs and IPCRs;
8.7, 9.1, • Any changes on the plans that were reviewed
Review and audit of the 10.1, 10.2, and approved
levels of competence of 10.3
staff and implementation of Auditors might ask about evidences of effectiveness
relevant function/process. of the actions taken to address risks and
opportunities. The approach in evaluating the
effectiveness of the actions to address risks and
opportunities will also be asked.

Sample Audit Plan for Stage 2 CB Audit 28

 Typical Stage 2 Audit Plan
Auditee Audit Area Clauses GUIDANCE
Different Interview and discussions Clauses 7.1 is a big clause about resources with requirements
LGU with area management. 6.1, 6.2, on:
Offices 6.3, 7.1, • People – provision of qualified persons;
Review of data and/or 7.2, 7.3, • Infrastructure – provision and maintenance of the
records related to levels of 7.4, 7.5, building, utilities, equipment (hardware and
performance of the 8.1, 8.2, software), transport, and ICT;
activities involved against 8.3, 8.4, • Work environment – implementation of 5S,
expected outcomes. 8.5, 8.6, priority lanes, anti-discrimination policies, anti-
8.7, 9.1, sexual harassment policies, security programs,
Review and audit of the 10.1, 10.2, health and safety programs, including controls on
levels of competence of 10.3 CoVid-19;
staff and implementation of • Monitoring and measuring resources – suitability
relevant function/process. of assessment tools, including those employed to
monitor performance indicators; measuring
equipment traceability and calibration;
• Organizational knowledge – mechanisms to
maintain and making available the knowledge
gained by experience such as sharing of lessons
Sample Audit Plan for Stage 2learned,
CB Auditcoaching by senior personnel, etc.; 29
 Typical Stage 2 Audit Plan
Auditee Audit Area Clauses GUIDANCE
Different Interview and discussions Clauses 7.2 is about ensuring the competence of persons
LGU with area management. 6.1, 6.2, working under the control of the LGU. Evidences can
Offices 6.3, 7.1, include: provision of training, coaching, mentoring,
Review of data and/or 7.2, 7.3, results of performance appraisals, certifications,
records related to levels of 7.4, 7.5, licenses, etc.;
performance of the 8.1, 8.2,
activities involved against 8.3, 8.4, 7.3 is about awareness to the LGU’s Quality Policy
expected outcomes. 8.5, 8.6, and with the relevant Objectives/MFOs;
8.7, 9.1,
Review and audit of the 10.1, 10.2, 7.4 is about internal and external communication. As
levels of competence of 10.3 long as there are mechanisms for this, there should
staff and implementation of be no problems;
relevant function/process.
7.5 is about documented information. Need to ensure
that the right documents are available at point of use.
Records should be readily retrievable.

Sample Audit Plan for Stage 2 CB Audit 30

 Typical Stage 2 Audit Plan
Auditee Audit Area Clauses GUIDANCE
Different Interview and discussions Clauses 8.1 is about planning for the operation and evidences
LGU with area management. 6.1, 6.2, relevant to 6.1 to 6.3 can satisfy this;
Offices 6.3, 7.1,
Review of data and/or 7.2, 7.3, 8.2 is about making sure that the requirements
records related to levels of 7.4, 7.5, relevant to the LGU’s products and services are
performance of the 8.1, 8.2, clearly established, communicated to customers, and
activities involved against 8.3, 8.4, reviewed before incorporating into the products and
expected outcomes. 8.5, 8.6, services;
8.7, 9.1,
Review and audit of the 10.1, 10.2, 8.3 is about product/service design and development
levels of competence of 10.3 and very relevant to offices that create their own
staff and implementation of products/services. Ensure that:
relevant function/process. • Inputs necessary for designing and development
are obtained,
• DnD Outputs (e.g. draft ordinance, construction
plans, etc.) were subjected to review and
approval,
• Any changes during the DnD stages were
addressed.
Sample Audit Plan for Stage 2 CB Audit 31
 Typical Stage 2 Audit Plan
Auditee Audit Area Clauses GUIDANCE
Different Interview and discussions Clauses 8.4 is about controlling external providers (e.g.
LGU with area management. 6.1, 6.2, suppliers, contractors). So, offices that require the
Offices 6.3, 7.1, services or products of the external providers must
Review of data and/or 7.2, 7.3, have adequate controls. Controls can include
records related to levels of 7.4, 7.5, evaluation of bids, monitoring of their deliverables or
performance of the 8.1, 8.2, performance, inspection prior to acceptance of the
activities involved against 8.3, 8.4, supplied products, reporting to management about
expected outcomes. 8.5, 8.6, the performance of the external provider, etc.
8.7, 9.1,
Review and audit of the 10.1, 10.2, 8.5 is all about the controls in the actual delivery of
levels of competence of 10.3 products and services. Controls can include
staff and implementation of availability of documents (e.g. procedures, charter),
relevant function/process. availability of the items mentioned in 7.1, error-
prevention methods, identification and traceability
controls (e.g. patient number), protection of customer
property, preservation techniques, control on
changes that might occur while the product/service is
being delivered.
Sample Audit Plan for Stage 2 CB Audit 32
 Typical Stage 2 Audit Plan
Auditee Audit Area Clauses GUIDANCE
Different Interview and discussions Clauses 8.6 is about verifications done before releasing
LGU with area management. 6.1, 6.2, products and services to the customer. There are
Offices 6.3, 7.1, many applications of this clause such as:
Review of data and/or 7.2, 7.3, • Profiling of applicants prior to approval for
records related to levels of 7.4, 7.5, assistance,
performance of the 8.1, 8.2, • Inspections, examinations, assessments,
activities involved against 8.3, 8.4, evaluations performed at various offices,
expected outcomes. 8.5, 8.6, • Verification prior to releasing/discharge of
8.7, 9.1, patients,
Review and audit of the 10.1, 10.2, • Person authorizing the release is identified
levels of competence of 10.3
staff and implementation of 8.7 is about what the process owner or the LGU will
relevant function/process. do when the expected outputs turn out to be
nonconforming. Examples:
• Printed materials provided to customers have
errors,
• Supplies issued to requestor have damages or
incomplete,
• Late reports submitted, etc. 33
Sample Audit Plan for Stage 2 CB Audit
 Typical Stage 2 Audit Plan
Auditee Audit Area Clauses GUIDANCE
Different Interview and discussions Clauses 9.1 is about monitoring and measurement usually
LGU with area management. 6.1, 6.2, related to performance indicators.
Offices 6.3, 7.1,
Review of data and/or 7.2, 7.3, 10.1 is about identifying opportunities for
records related to levels of 7.4, 7.5, improvement in any area at any time (e.g. manual to
performance of the 8.1, 8.2, automation, lesser processing time, etc.)
activities involved against 8.3, 8.4,
expected outcomes. 8.5, 8.6, 10.2 is about addressing nonconformities. For those
8.7, 9.1, offices with pending nonconformities or complaints to
Review and audit of the 10.1, 10.2, be solved, be prepared to present the plan of actions
levels of competence of 10.3 to be taken. Those with problems that were already
staff and implementation of solved, be prepared to demonstrate the actions taken
relevant function/process. and evidence that the actions are effective.

10.3 is connected to the results of 9.1, 9.2 and 9.3

where needs/opportunities for improvement are
expected to be addressed. This clause is
supplemental to 10.1 which is the General
requirement
Sample Audit Plan for Stage 2 CB Auditfor Improvement. 34
 Typical Stage 2 Audit Plan
Auditee Audit Area Clauses GUIDANCE
Document Interview and discussions Clauses Usual evidences that will be asked to present
Controller with area management for 7.5 include:
and control of documented • Records of review and approval of documents
Records information, both prior to use,
Officer maintained and retained. • Registration and dissemination of documents,
• Control of obsolete documents,
• Use of official documents, including forms,
• Consistency of statements among documents,
• Retrieval of retained documents,
• Protection of records,
• Controls on archiving of records.

Sample Audit Plan for Stage 2 CB Audit 35

 Typical Stage 2 Audit Plan
Auditee Audit Area Clauses GUIDANCE
Internal Interview and discussions Clauses Usual evidences that will be asked to present
Audit with area management for 9.2, 10.1, include:
the conduct of internal 10.2, 10.3 • Audit plan or program,
audit activities. • Audit itineraries or schedules,
• Audit reports,
• Corrective action requests,
• Verification of corrective actions,
• Results of audits were included in the
management review.

Auditors expect all the clauses applicable to a

particular process are covered by the internal
auditors.

Auditors expect that all the QMS processes, including

the internal audit process and the management
review were audited.

Sample Audit Plan for Stage 2 CB Audit 36

 Typical Stage 2 Audit Plan
Auditee Audit Area Clauses GUIDANCE
Top Mgt. Review and assessment of Clauses Usual evidences that will be asked to present
• implementation and 9.3, 10.1, include:
effective performance 10.2, 10.3 • Minutes of the meeting of the Management
of management review Review meeting,
activities as both • Topics in series of meetings can demonstrate that
required by the the specified inputs in clause 9.3.2 were covered.
standard and the • Opportunities for improvement identified on any
organization’s own topic or issue,
defined process • Action plans determined resulting from the
• Decisions and actions management review meeting should identify the
resulting from needed resources,
management reviews • Monitoring of the actions determined during the
necessary for continual management review meeting.
improvement of the
QMS.

Sample Audit Plan for Stage 2 CB Audit 37

 Typical Stage 2 Audit Plan
Auditee Audit Area Clauses GUIDANCE
All Reporting and explanation N/A Those offices with anticipated NCs or Observations
of any formal non- that might be raised during the Closing Meeting
conformances identified should be present. Bring additional evidences, there
during the audit requiring might be chances that NCs and Observations can be
formal action and response overruled during the Closing Meeting.
by the company and  
summary of the position Be assertive – ask, clarify, expound, supplement with
regarding positive evidences.
recommendations of the
team leader regarding
certification status

Sample Audit Plan for Stage 2 CB Audit 38

4
REMOTE CERTIFICATION
AUDIT GUIDANCE
References, Planning, Preparation and
Conduct of the Remote Audit 39
 MANAGEMENT OF EXTRAORDINARY EVENTS OR
CIRCUMSTANCES

▰ IAF ID 3:2011 – IAF Informative Document for Management of Extraordinary Events

or Circumstances Affecting ABs, CABs and Certified Organizations – Issue 1,
application date November 8, 2012:
▻ Extraordinary event or circumstance: A circumstance beyond the
control of the organization, commonly referred to as “Force Majeure” or
“act of God”. Examples are war, strike, riot, political instability,
geopolitical tension, terrorism, crime, pandemic, flooding, earthquake,
malicious computer hacking, other natural or man-made disasters.

40
MANAGEMENT OF EXTRAORDINARY EVENTS OR
CIRCUMSTANCES

▻ An extraordinary event affecting a certified organization or CAB may

temporarily prevent the CAB from carrying out planned audits on-site.
When such a situation occurs, ABs and CABs, operating under
recognised standards or regulatory documents need to establish (in
consultation with certified organizations) a reasonable planned course of
action.

https://www.iaf.nu/upFiles/IAFID32011_Management_of_Extraordinary_Events_or_Circumstances.pdf

41
 USE OF ICT FOR AUDITING PURPOSES
Initially released in
September 15, 2008

▰ IAF MD 4:2018 – IAF Mandatory Document for the Use of Information and
Communication Technology (ICT) for Auditing/Assessment Purposes – Issue 2,
application date on July 4, 2019:
▻ This mandatory document provides for the consistent application in
auditing/assessment, for the use of ICT as part of the methodology.
The scope of this document is for the auditing /assessment of
management systems, persons, and product and is applicable to
conformity assessment bodies and accreditation bodies.

42
USE OF ICT FOR AUDITING PURPOSES

▻ The use of ICT is not mandatory and may be used for other types
of conformity assessment activities, but if used as part of the
audit/assessment methodology, it is mandatory to conform to this
document.

https://www.iaf.nu/upFiles/IAF%20MD4%20Issue%202%2003072018.pdf

43
 GUIDANCE ON REMOTE AUDITS

▰ ISO/TC 176 and International Accreditation Forum: ISO 9001 Auditing Practices
Group Guidance on Remote Audits, released on April 16, 2020
▻ There are a variety of reasons that an auditor may not be present due to
safety constraints, pandemics or travel restrictions. The voluntary or
mandatory confinement due to the current COVID19 pandemic…is
one example where auditing remotely is beneficial.

https://committee.iso.org/files/live/sites/tc176/files/documents/ISO%209001%20Auditing
%20Practices%20Group%20docs/Auditing%20General/APG-Remote_Audits.pdf

44
PLANNING REQUIREMENTS

▰ Confirmation of the audit date/s

▰ Confirmation of the Audit Plan
▰ Agree on the ICT resources and application to be used
▻ Common access key for joining the online session
▻ Separate meeting session per auditee after the Opening
Meeting
▻ Cloud storage on where to obtain e-copies of evidences
45
PREPARATION REQUIREMENTS

▰ Advance request for documented information to

facilitate expedient presentation of documents,
records, including video (the cloud storage will be
used for this purpose)
▰ Availability of ICT resources (e.g. scanning, file
sharing) to facilitate easy presentation of documents
and records to avoid delay in the audit

46
• Quality Manual (Scope, QMS Processes, Quality Policy, Functional Descriptions)
• Strategic and operational objectives with result of accomplishment, including
OPCRs
• Planning documents demonstrating that issues (internal and external) were
considered).
• Identified risks/opportunities and controls to them
• Evidence of evaluation of actions to address risks and opportunities
• Internal audit records (i.e. audit program, audit plan, audit report, including
presentation to management review)
• Identified nonconfomities with verified corrective actions
• Management review records demonstrating all inputs specified by Clause 9.3.2
were covered
• Decision and actions intended for continual improvement that resulted from
management reviews
Documented information to be requested in advance 47
• Records of analysis and responses on customer satisfaction and feedback
• Records of control for external providers (i.e. during bidding, monitoring of
performance, reports to management review)
• Acquisition of new resources (e.g. infrastructure, equipment, etc.) or renovations
made
• Maintenance records of infrastructure, including calibration of measuring
equipment
• Records of interventions planned, provided and evaluated to ensure employee
competence
• Records of monitoring of performance of employees, i.e. IPCRs
• Evidences of actual implementation of controls specified in the procedures,
charter, operations manual, ROAAP

Documented information to be requested in advance 48

 CONDUCT OF THE REMOTE AUDIT

▰ CB will follow the same procedure in carrying out certification audit but will use
the ICT resources and applications to communicate and obtain information from the
auditees.
▻ People will be interviewed (thru online conference).
▻ Paper will be reviewed (thru screen sharing or uploading to the cloud storage).
▻ Practice will be observed (thru live or recorded video).
▰ Opening and Closing meetings will be conducted (could be on the same venue thru
online conference)
▰ Audit findings and conclusion will be presented for acknowledgment.

49
 REMOTE AUDIT: HOW AND WHAT TO PREPARE?

▰ Audit rooms:
▰ ICT resources:
▻ Monitor or projector;
▻ Reliable internet connection;
▻ Speaker;
▻ Computers/laptops with webcam and mic;
▻ Microphone;
▻ Smart phones;
▻ Good lighting;
▻ Online conference platform with:
▻ No high-background
▻ Video conferencing noise
▻ Chat (better with private messaging)
▻ Screen sharing One set for each
CB Auditor.
▻ Recording 50
 Remote Audit Task Matrix
Date/Time Area Auditee Auditors Online Venue Meeting ICT Evidence
Meeting Host Support Presenter
Key
09/XX/20 Opening All All Meeting ID Conference Diana Clark Kent Bruce
9:00-9:30 Meeting and Room Prince Wayne
Password
09/XX/20 Top Mgt. Governor, All
9:30-10:30 Vice
Governor,
QMR,
Office
Heads
09/XX/20 Respective Office Assigned Meeting ID Site of the Tony Stark Bruce Natasha
10:30 Offices as Head, Auditor as and Office Banner Romanov
onwards per the Process per the Password
Audit Plan Owners Audit Plan
Lunch Break

Using the Audit Plan as reference, assign tasks to ensure smooth flow of audit 51
 DESCRIPTION OF TASKS

RESPONSIBLE TASKS
Auditee • Answers questions of the Auditor/s
• Coordinates with the Evidence Presenter about the evidences to be prepared for
online presentation
Meeting Host • Sends invitation to meeting participants
• Monitors the chat box and relays information to relevant participants
• Observes proper online conference etiquette
ICT Support • Setups the online conference platform
• Provides the Online Meeting Keys
• Admits participants to join the meeting
• Assists the Evidence Presenter in screen sharing and uploading files into the
cloud storage
Evidence • Ensures relevant documents/records are ready for screen sharing and uploading
Presenter • Arranges evidences for online presentation
52
 ADDITIONAL TECHNIQUES IN VIRTUAL AUDIT

▰ Use of two monitors, one for screen sharing and one for video of the meeting (use the projector
or big monitor for this purpose);
▰ Muting the microphone is recommended in case there are high background noise;
▰ Limit the participants to prevent high background noise or feedback when using a microphone;
▰ Have a cloud-based storage (e.g. Google Drive) to store documents for evaluation by the auditor;
▰ Pre-arrange the records and evidences to be presented remotely. Save in the respective folders
the updated files or scanned images relevant to the areas to be covered;

53
 ADDITIONAL TECHNIQUES IN VIRTUAL AUDIT

▰ Take photos or videos of controls to provide the auditors a virtual “walk in the premises”;
▰ Place the files and documents relevant to the areas to be audited within the audit rooms;
▰ Dedicate one easy to carry camera (e.g. from a smart phone) for viewing actual evidences to be
presented;
▰ Use the chat function when questions from the other participants arise;
▰ Beware of behaviors on camera;
▰ Use of common virtual background to establish an “official” look;
▰ Set up and practice before the remote audit.

54
 To be used also for
DOCUMENTED EVIDENCES TO PREPARE IN LIGHT the Readiness
OF THE PANDEMIC Assessment

▰ Records that the organization revisited the internal and external issues (i.e. pandemic issue) to
adjust context, strategic directions and programs;
▰ Records that the organization revisited the new or changed needs of the stakeholders;
▰ Records of reassessment of risks and opportunities to determine new or enhanced controls in
the operation and delivery of services of the organization;
▰ Records of planning for preparing the organization to operate and deliver its services
employing the “new normal” approach;
▰ Records of training or any intervention provided to the employees in preparing for the “new
normal” way of work;
▰ Records of communication to stakeholders (e.g. customers) for preparing for the “new
normal” way of providing services;
55
 To be used also for
DOCUMENTED EVIDENCES TO PREPARE IN LIGHT the Readiness
OF THE PANDEMIC Assessment

▰ Records of acquisition and installation of controls necessary for the effective implementation
of the “new normal” operation;
▰ Records of the adjustments made on the previously set MFOs, objectives, targets, goals,
performance indicators due to the impact of the pandemic;
▰ Records of the implementation of internal audit program, including its results;
▰ Records of the management meetings to demonstrate conformity with the “management
review” requirements of ISO 9001;
▰ Records of the implementation of the corrective actions to address the nonconformity findings
from the previous internal audit.

56
WHEN THE REMOTE CERTIFICATION AUDIT
CONCLUDES

▰ Make sure that the Auditors’ findings are

clearly understood;
▰ Be assertive – ask, clarify, expound,
supplement with positive evidences;
▰ Secure the audit report;
▰ Thank the auditors and the auditees.

57
THANKS!
Any questions?

58