
Introduction

COURSE INTRODUCTION
This course has been carefully designed to allow delegates to understand the process of
auditing in the field of quality management. The course uses the guidance of ISO 19011:2011
to understand how to conduct internal audits of quality management systems (QMS) based on
ISO 9001:2015.
COURSE OUTCOMES
This course will enable you to:
 Revise the ISO 9001:2015 Implementation course
 Understand the ISO 19011:2011 requirements for conducting audits
 Understand the fundamentals of auditing
 Understand the auditing process
 Understand what characteristics the auditor needs, career development and continual
improvement
 Understand the requirements for an auditor
 Understand the auditing of a QMS based on ISO 9001:2015
SUCCEEDING IN THIS COURSE

The information collated in this manual is intended for delegates who have attended the ISO
9001:2015 Implementation course.

To gain maximum benefit from this course, the facilitator will appreciate delegates:
 participating professionally where interaction is required
 being punctual when breaks are allowed
 avoiding all outside distractions – working on laptops or phones during training is not
allowed
 leaving the classroom quietly if they need to attend to an external matter, which they
are welcome to do
 asking questions when in doubt
We hope you find this course useful and enjoyable. Your feedback at the end is
important as it assists us with constantly improving our training services.

Module 1
Lesson 2 of 2

Revision of ISO 9001:2015 Implementation Course


The Process Approach
“A process is defined as a “set of interrelated or interacting activities, which transforms
inputs into outputs”. These activities require allocation of resources such as people and
materials. Inputs and intended outputs may be tangible (such as equipment, materials or
components) or intangible (such as energy or information).”
Clause 0.3.1 Process Approach – General

“This international standard promotes the adoption of a process approach when developing,
implementing and improving the effectiveness of a QMS, to enhance customer satisfaction by
meeting customer requirements. Specific requirements considered essential to the adoption of
a process approach are included in Clause 4.4.

Understanding and managing interrelated processes as a system contributes to the
organisation’s effectiveness and efficiency in achieving its intended results. This approach
enables the organisation to control the interrelationships and interdependencies among the
processes of the system, so that the overall performance of the organisation can be enhanced.

The process approach involves the systematic definition and management of processes and
their interactions, to achieve the intended results in accordance with the quality policy and
strategic direction of the organisation. Management of the processes and the system as a
whole can be achieved using the PDCA cycle (see Clause 0.3.2) with an overall focus on
risk-based thinking (see Clause 0.3.3) aimed at taking advantage of opportunities and
preventing undesirable results.

The application of the process approach in a QMS enables:


 1
understanding and consistency in meeting requirements
 2
the consideration of processes in terms of added value
 3
the achievement of effective process performance
 4
the improvement of processes based on evaluation of data and information
Figure 1 is a schematic representation of any process and shows the interaction of its
elements. The monitoring and measuring checkpoints, which are necessary for control,
are specific to each process and will vary depending on the related risks.”

Figure 1: Elements of a single process


Risk-Based Thinking

Annex A.4: Risk-Based Thinking

“The concept of risk-based thinking has been implicit in previous editions of this
international standard, for example, through requirements for planning, review and
improvement. This standard specifies requirements for the organisation to understand its
context (see Clause 4.1) and determine risks as a basis for planning (see Clause 6.1). This
represents the application of risk-based thinking to planning and implementing QMS
processes (see Clause 4.4) and will assist in determining the extent of documented
information.
One of the key purposes of a QMS is to act as a preventive tool. Consequently, this
standard does not have a separate clause or sub-clause on preventive action. The
concept of preventive action is expressed using risk-based thinking to formulate QMS
requirements.

The risk-based thinking applied in this standard has enabled some reduction in prescriptive
requirements and their replacement by performance-based requirements. There is greater
flexibility than in ISO 9001:2008 in the requirements for processes, documented information
and organisational responsibilities.

Although Clause 6.1 specifies that the organisation should plan actions to address risks, there
is no requirement for formal methods for risk management or a documented risk management
process. Organisations can decide whether to develop a more extensive risk management
methodology than is required by this standard, for example, through the application of other
guidance or standards.

Not all the processes of a QMS represent the same level of risk in terms of the organisation’s
ability to meet its objectives, and the effects of uncertainty are not the same for all
organisations. Under the requirements of Clause 6.1, the organisation is responsible for its
application of risk-based thinking and the actions it takes to address risk, including whether
or not to retain documented information as evidence of its determination of risks.”
Why Implement Risk-Based Thinking?

“Risk-based thinking is something we all do automatically and often subconsciously.
Risk-based thinking is already part of the process approach”, ensuring that everybody
consistently thinks about how risks can be prevented. This often results in identifying
opportunities for improvement of product and service delivery.
What Is Risk in The Context of Quality Management?

“Risk is the possibility of events or activities impeding the achievement of an
organisation’s strategic and operational objectives.”

Examples of Quality Risks

RISK | POSSIBLE LOSS | MITIGATION METHOD
Low customer turnover | Loss of sales and profits | Multifaceted marketing plan
High employee turnover | Customer dissatisfaction | Employee satisfaction committee
Accident – customer injury | Profits, goodwill | Safe practices, insurance
Natural hazards – floods | Facilities | Insurance, planning, secondary facility

Quality Management Principles (QMP)


 Customer focus
 Leadership
 Engagement of people
 Process approach
 Improvement
 Evidence-based decision-making
 Relationship management

QMP 1 – Customer Focus


Statement

The primary focus of quality management is to meet customer requirements and to strive to
exceed customer expectations.

Rationale

 Sustained success is achieved when an organisation attracts and retains the
confidence of customers and other interested parties.
 Every aspect of customer interaction provides an opportunity to create more
value for the customer.

QMP 2 – Leadership
 Statement
 Leaders at all levels establish unity of purpose and direction and create conditions in
which people are engaged in achieving the organisation’s quality objectives.
 Rationale
 Creation of unity of purpose and the direction and engagement of people enable an
organisation to align its strategies, policies, processes and resources to achieve its
objectives.
QMP 3 – Engagement of People
Statement
Competent, empowered and engaged people at all levels throughout the organisation are
essential to enhance the organisation’s capability to create and deliver value.

Rationale

 In order to manage an organisation effectively and efficiently, it is important to respect and
involve all people at all levels.
 Recognition, empowerment and enhancement of competence facilitate the engagement of
people in achieving the organisation’s quality objectives.

QMP 4 – Process Approach


Statement

Consistent and predictable results are achieved more effectively and efficiently when
activities are understood and managed as interrelated processes that function as a coherent
system.

Rationale

 The QMS consists of interrelated processes.
 Understanding how results are produced by this system enables an organisation to
optimise the system and its performance.

QMP 5 – Improvement
Statement

Successful organisations have an ongoing focus on improvement.

Rationale

Improvement is essential for an organisation
 to maintain current levels of performance
 to react to changes in its internal and external conditions
 to create new opportunities

QMP 6 – Evidence-Based Decision-Making


Statement
Decisions based on the analysis and evaluation of data and information are more likely to
produce desired results.

Rationale

 Decision-making can be a complex process and always involves some uncertainty.
 It often involves multiple types and sources of inputs, as well as their interpretation,
which can be subjective.
 It is important to understand cause and effect relationships and potential unintended
consequences.
 Facts, evidence and data analysis lead to greater objectivity and confidence in
decisions made.

QMP 7 – Relationship Management


Statement

For sustained success, organisations manage their relationships with interested parties, such
as providers.

Rationale

 Relevant interested parties influence the performance of an organisation.
 Sustained success is more likely to be achieved when the organisation manages
relationships with all of its interested parties to optimise their impact on its
performance. Relationship management with its provider and partner networks is
often of particular importance.

Summary of Key Changes to ISO 9001:2015


The main changes in the new version of ISO 9001:2015 are:
 The adoption of the high-level structure and terminology as set out in Annex SL.
 Explicit requirements for risk-based thinking in combination with the process
approach.
 Fewer prescribed requirements.
 Less emphasis on documents.
 Improved applicability for services
 Increased emphasis on organisational context.
 Increased leadership requirements.
 Greater emphasis on achieving desired outcomes to improve customer
satisfaction.
Elements of ISO 9001:2015
CLAUSE NO CLAUSE TITLE
4 Context of the organisation (Title only)
4.1 Understanding the organisation and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of QMS
4.4 QMS and its processes
5 Leadership (Title only)
5.1 Leadership and commitment (Title only)
5.1.1 General
5.1.2 Customer focus
5.2 Policy (Title only)
5.2.1 Establishing the quality policy
5.2.2 Communicating the quality policy
5.3 Organisational roles, responsibilities, authorities
6 Planning (Title only)
6.1 Actions to address risks and opportunities
6.2 Quality objectives and planning to achieve them
6.3 Planning of changes
7 Support (Title only)
7.1 Resources (Title only)
7.1.1 General
7.1.2 People
7.1.3 Infrastructure
7.1.4 Environment for the operation of processes
7.1.5 Monitoring and measuring resources (Title only)
7.1.5.1 General
7.1.5.2 Measurement traceability
7.1.6 Organisational knowledge
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented Information (Title only)
7.5.1 General
7.5.2 Creating and updating documents
7.5.3 Control of documented information
8 Operation (Title only)
8.1 Operational planning and control
8.2 Requirements for products and services (Title only)
8.2.1 Customer communication
8.2.2 Determining the requirements for products and services
8.2.3 Review of the requirements for products and services
8.2.4 Changes to requirements for products and services
8.3 Design and development of products and services (Title only)
8.3.1 General
8.3.2 Design and development planning
8.3.3 Design and development inputs
8.3.4 Design and development controls
8.3.5 Design and development outputs
8.3.6 Design and development changes
8.4 Control of externally provided processes, products and services (Title only)
8.4.1 General
8.4.2 Type and extent of control
8.4.3 Information for external providers
8.5 Production and service provision (Title only)
8.5.1 Control of production and service provision
8.5.2 Identification and traceability
8.5.3 Property belonging to customers or external providers
8.5.4 Preservation
8.5.5 Post-delivery activities
8.5.6 Control of changes
8.6 Release of products and services
8.7 Control of nonconforming outputs
9 Performance evaluation (Title only)
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
9.1.2 Customer satisfaction
9.1.3 Analysis and evaluation
9.2 Internal audit
9.3 Management review (Title only)
9.3.1 General
9.3.2 Management review inputs
9.3.3 Management review outputs
10 Improvement (Title only)
10.1 General
10.2 Nonconformity and corrective action
10.3 Continual Improvement
Annex A Clarification of new structure, terminology and concepts
Annex B Other international standards on quality management and quality management systems developed by ISO/TC 176

ISO 9001:2015 Deming Cycle


The Plan-Do-Check-Act (PDCA) or Deming cycle can be applied to all processes and to the
QMS as a whole. Figure 4 illustrates how Clauses 4 to 10 can be grouped in relation to the
PDCA cycle.

The PDCA cycle can be briefly described as follows:


 PLAN: (Clause 6)
 DO: (Clauses 7 and 8)
 CHECK: (Clause 9)
 ACT: (Clause 10) – Take action to improve performance, as necessary.

Figure 2: The PDCA / Deming Cycle


Terms and Definitions of ISO 9001:2015

Terms and definitions were already covered in the ISO 9001:2015 Introduction course.
The ISO 9000:2015 document containing the full standard was handed out in the
Implementation course.

Module 2
Lesson 1 of 2

The Fundamentals of Auditing (SO8)


What Is an Audit?
An audit is a systematic, independent and documented process for obtaining audit evidence
and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. A
management system audit means obtaining evidence and objectively evaluating it to
determine the extent to which the requirements of a management system standard are
fulfilled.
Why Do We Despise Audits?
Most people dislike audits, possibly because of unpleasant experiences with
auditors who were incompetent, poorly trained or lacked experience within the specific
field, which resulted in

 a fault-finding activity to blame employees


 a policing activity
 no assistance with improvements
 no accountability accepted or regulated by the lead auditor
 crisis management to implement improvements that may not be effective or
efficient for the organisation
 paper exercise
 only negative comments
 an audit directed at individuals, not processes
 auditing not being a problem-solving tool
 not identifying the root causes for the challenges found
What Is the Purpose of Auditing?

The purpose of internal auditing of a management system is to:

 determine the degree of implementation of the management system
 compare the documented management system to the implemented
management system
 determine the status of a management system or elements of a management
system
 identify deficiencies in the management system
 encourage a proactive approach to compliance
 identify potentially serious issues that can lead to non-compliance
 identify potential opportunities for improvement and promote continual
improvement
 assist management in achieving objectives
 initiate corrective and preventive actions and remediation of non-
conformances
 verify that corrective and preventive actions have been completed effectively
and on time
 recommend ways to further optimise a management system

The purpose of auditing is not to find non-conformances and assign blame. This is
why it is important to apply the principles of auditing (ISO 19011:2011, Clause 4) to
every single audit.
Audit Types
Audits can be classified by the type of audit, which can be based on the relationship between
the auditor and the person/organisation being audited. Firstly, we can differentiate between
internal and external audits. Internal audits are called first-party audits. External audits can be
either second or third-party audits.

First-Party Audits
First-party audits are internal audits conducted by an organisation of its own management
system; they are a self-assessment. Internal audits can be conducted in two ways. In a horizontal
audit, one process is audited across many departments in the organisation; for example,
the implementation of the document control process/procedure can be audited across several
or all departments. In a vertical audit, all the processes in one department are audited, for
example, the processes of the training department.
Second-Party Audits
Second party audits are external audits by one organisation auditing another. They are
conducted by parties having an interest in the organisation, for example, customers, and are
usually based on a current or future agreement or contract for the supply of goods and/or
services.

Third-Party Audits
Third party audits are external audits conducted by an independent auditing organisation for
legal, regulatory or certification purposes (for example, legal compliance audit, certification
to ISO 9001:2015).

Summary of ISO 19011:2011


Introduction

ISO 17021

Since the first edition of this international standard was published in 2002, a number of new
management system standards have been published. As a result, there is now a need to
consider a broader scope of management system auditing, and to provide guidance that is
more generic.

In 2006, the ISO committee for conformity assessment (CASCO) developed ISO/IEC 17021,
which sets out requirements for third-party certification of management systems, and which
was based, in part, on the guidelines contained in the first edition of this standard.

The second edition of ISO/IEC 17021, published in 2011, was extended to transform the
guidance offered in the standard into requirements for management system certification
audits. It is in this context that this second edition of the standard provides guidance for all
users, including small and medium-sized organisations, and concentrates on what are
commonly termed “internal audits” (first-party) and “audits conducted by customers on their
suppliers” (second-party). While those involved in management system certification audits
follow the requirements of ISO/IEC 17021:2011, they might also find the guidance in this
standard useful.

In July 2015, ISO released a third iteration titled, ISO 17021:2015 Conformity assessment –
Requirements for bodies providing audit and certification of management systems. This
version made the following fundamental changes:
The new standard allows certified organisations to add a statement (but no mark) to
product packaging (not product) and accompanying literature that it has a certified
management system.

Audit work shift:


A new requirement stipulates that the Certification Body audit programmes should consider the
working patterns of certified organisations. The activities that take place on all shifts should
be considered in programmes and audit plans. This can affect the duration of the
assessment.
Extension of the validity of certification:
If a corrective action for a major non-conformity is not implemented and verified by the
expiration date, or the organisation cannot be recommended for re-certification, the validity of
certification cannot be extended.

Transfer of accredited certification between Certification Bodies:
A new requirement puts more emphasis on the collection of information by the receiving
Certification Body. It stresses that sufficient information must be obtained to make a
certification decision.

Re-certification after the certification expiration date:


Six months is now allowed for re-certification after expiry of certification; otherwise, the
certification is repealed. When there is a gap in the certification (up to six months),
certification certificates shall clearly identify the difference.

Verification of corrective action:


If the certification body is unable to verify effective correction and corrective measures six
months after a first check, another stage 2 audit must be performed.
ISO 19011

This international standard does not state requirements, but provides guidance on the
management of an audit programme, on the planning and conducting of an audit of the
management system, as well as on the competence and evaluation of an auditor and an audit
team.

Organisations can operate more than one formal management system. To simplify the
readability of this standard, the singular form of “management system” is preferred, but the
reader can adapt the implementation of the guidance to their own particular situation. This
also applies to the use of “person” and “persons”, “auditor” and “auditors”.
This standard is intended to apply to a broad range of potential users, including auditors,
organisations implementing management systems, and organisations needing to conduct
audits of management systems for contractual or regulatory reasons. Users of this standard
can, however, apply this guidance in developing their own audit-related requirements.
The guidance in this standard can also be used for the purpose of self-declaration, and can be
useful to organisations involved in auditor training or personnel certification.
The guidance in this standard is intended to be flexible. As indicated at various points in
the text, the use of this guidance can differ depending on the size and level of maturity
of an organisation’s management system and on the nature and complexity of the
organisation to be audited, as well as on the objectives and scope of the audits to be
conducted.

This standard introduces the concept of risk to management systems auditing. The approach
adopted relates both to the risk of the auditing process not achieving its objectives, and to the
potential of the audit to interfere with the auditee’s activities and processes. It does not
provide specific guidance on the organisation’s risk management process, but recognises that
organisations can focus audit efforts on matters of significance to the management system.

This international standard adopts the approach that when two or more management systems
of different disciplines are audited together, this is termed a “combined audit”. Where these
systems are integrated into a single management system, the principles and processes of
auditing are the same as for a combined audit.
Figure 4: Summary of the ISO 19011:2011 standard.
ISO 19011:2011, Clause 1: Scope

The first clause of ISO 19011:2011 deals with the scope of the standard. The
scope can be defined as the extent to which the subject matter deals with a topic.
The ISO 19011:2011 standard provides guidance and insights on auditing management
systems and elaborates on
 the principles of auditing
 managing an audit programme
 conducting management system audits
 guidance on the evaluation of competence of individuals involved in the auditing process:
 persons managing the audit programme
 auditors and audit teams

The standard is generic and can be applied to the auditing of any type of organisation. The
standard also covers both internal and external audits of management systems, as well as the
management of an audit programme.
ISO 19011:2011, Clause 2: Normative References

ISO 19011:2011, Clause 3: Terms and Definitions

Refer to Clause 3 in the ISO 19011:2011 for discussion about the definitions.

Exercise
The class will be divided into two groups and allowed 30 minutes to read through and review
the terms and definitions attributed to ISO 19011:2011. Once the time is up, the standards
must be closed and each group will be given the opportunity to ask the other group 5 terms
each in this section. The groups are allowed an opportunity to discuss the appropriate
response amongst themselves. Once the response has been provided, the facilitator will
determine the adequacy of the answer.
The person managing the audit programme is responsible for the following:
 establish the objectives and extent of the audit programme
 identify and evaluate audit programme risks
 establish the responsibilities and audit procedures
 identify and ensure resources are provided to maintain the audit programme
 inform top management of the contents of the audit programme and request
approval
 ensure the implementation of the audit programme
 ensure that appropriate records are maintained
 ensure that the audit programme is monitored, reviewed and improved
The Audit Programme and Plan
The difference between an audit programme and an audit plan is

AUDIT PROGRAMME
 It is normally an annual plan
 It is documented for internal usage
 It is based on the risks identified for that specific period
 It is a working document and provides a schedule of audits to be conducted
 It must be used to ensure that sufficient resources are available for all planned audits
 It is prepared and managed by the person assigned by top management

AUDIT PLAN
 This is a once-off plan, documented for a specific audit on the audit programme
 Its purpose is to guide the audit team and auditee through the audit activities
 It provides structure to the audit team and auditee so they understand the audit objective,
scope and criteria, date, time and who will be involved
 It is the formal initiation of the audit planned on the audit programme
 It provides the structure to ensure the relevant auditee(s) are available for the planned audit
 It is prepared by the audit team leader

Typical Audit Programme Management Process


Below is a typical example of the process that will be followed to manage an audit
programme. It also indicates the responsibility for each task as well as the application of the
plan (P), do (D), check (C), act (A) cycle.

Ensure that audit programme objectives are established – top management (P)

 The scope or extent of the audit programme can include more than one
management system (separately or combined) or only one audit (for
example, for a project).

Assign one or more competent persons to manage the audit programme – top management (P)

 The person managing the audit programme must have the necessary
competence (see Clause 5.3.2).

 Establish the extent of the audit programme – person(s) managing audit programme (P).
 Identify and evaluate the audit programme risks – person(s) managing audit
programme (P).
 Establish audit responsibilities – person(s) managing audit programme (P).
 Establish procedures – person(s) managing audit programme (P).
 Identify audit programme resources – person(s) managing audit programme (P).
 Inform top management of contents of programme and request approval –
person(s) managing audit programme (P).

Implementation of programme – person(s) managing audit programme (D):

 competence and evaluation of auditors
 define objectives, scope, criteria for each audit
 select audit methods
 select audit team members
 assign audit team leader
 perform audits
 manage outcome
 manage and maintain records

 Monitor and measure the audit programme to ensure objectives are achieved –
person(s) managing audit programme (D).
 Review audit programme for improvements – person(s) managing audit
programme (A).
 Report overall results of audit programme to top management – person(s)
managing audit programme (A).
Example of an Audit Programme

ANNUAL AUDIT PROGRAMME FOR YEAR: 2017
(Columns in the original table: 1st quarter Jan–Mar, 2nd quarter Apr–Jun, 3rd quarter Jul–Sep, 4th quarter Oct–Dec; an X marks each planned audit)

SECTION | TYPE | PLANNED AUDITS
Operations | 1st party | X X
Finance Department | 1st party | X
HR Department | 1st party | X
Engineering | 1st party | X X
IT Department | 1st party | X
ISO 9001 Certification | 3rd party | X
Supplier ABC | 2nd party | X
Customer 123 | 2nd party | X
Management Review | – | X

Objectives of an Audit
The person managing the audit programme defines the objectives for each audit in the audit
programme. In any audit, the objectives need to ensure that an unbiased, factual audit is
conducted

 to ensure that the implemented management system complies with relevant
requirements of the standard
 to determine that the organisation is working in accordance with its own stated goals
and targets
 to confirm that the implemented system is effective and conforms with external
standards and regulations
 to ensure that formal controls exist and are implemented
 to ensure that contractual requirements are satisfied
 to provide an opportunity for continual improvements
 to acknowledge progress achieved in programme implementation since the previous
audit
 to enable auditors to share knowledge on best available practices
 to identify and act on business opportunities

When defining these objectives, the following need to be considered

 management priorities
 commercial intentions
 management system requirements
 statutory, regulatory and contractual requirements
 needs of supplier evaluations
 customer requirements
 previous internal and/or external audit
 needs of other interested parties
 organisational risk to the auditee
 logistical surroundings and/or arrangements

Defining the Scope and Criteria


The scope describes the extent and boundaries of the audit. The audit scope generally
includes

 a description of the physical locations
 organisational units
 activities and processes
 as well as the time period covered

It must be consistent with the audit programme and audit objectives.

The criteria are an indication of the references that will be used to measure against. The audit
criteria are used as a reference against which conformity is determined and may include
applicable

Selecting the Audit Team


The audit team members should, where needed, be selected on their level of competence and
experience in terms of discipline and auditing skills. It is also important, where possible, to
include auditors-in-training, but here direction or guidance will be required from the lead
auditor.

ISO 19011:2011, Clause 6: Performing an Audit


This clause contains guidance on preparing and conducting audit activities as part of an audit
programme. This clause will be discussed in detail in Module 4, The Auditing process.

ISO 19011:2011, Clause 7: Competence and Evaluation of Auditors


The competence of the people involved in the planning and carrying out of audits will
determine whether or not the objectives of an audit are achieved, and whether the auditing
process is carried out in a manner that gives confidence in the outcome.
Education, work experience, auditor training and audit experience, personal behaviour and
the ability to apply their knowledge and skills are just some of the measures used to
determine the competence of auditors. An auditee should not be audited by a person who is
unfamiliar with the kind of business the organisation is in.
The selection of auditors should take the needs of the audit programme and its objectives
into account. Clause 7.2.3 delves a little deeper into the knowledge and skills an auditor
should have when it comes to the auditing of management systems. This clause does not
require everyone in a team to have full knowledge of every aspect of a system in relation
to its industry, but the whole team should be composed of people who collectively can
ensure that the objectives of the audit are achieved.

Module 4
Lesson 1 of 1

The Auditing Process (SO8)


This module describes a typical auditing process. Even though the main steps will be the
same for each audit, the process may slightly differ for each step, depending on the auditee,
processes and specific circumstances of the audit. The four steps in the auditing process are:
STEP 1
Planning
STEP 2
Conducting the audit
STEP 3
Reporting
STEP 4
Follow-up
In this module, where content aligns with the SAQA Unit Standard (US) 12674
(Perform auditing activities), it will be indicated by SOx, ACx where SO refers to the
“specific outcomes” and AC refers to the “assessment criteria”.

Figure 5: The auditing process


Step 1: Planning
When the planning stage of an audit is reached, the following would have been completed as
part of the audit programme
 the audit objectives were defined
 the audit scope was defined
 the audit criteria were defined
 the audit method was selected
 the audit team members were selected
 the audit team leader was assigned
Contact with the Auditee
Read Clause 6.2.2.

The audit team leader must establish contact with the auditee, formally or informally.

Determine Feasibility
Read Clause 6.2.3.

To provide reasonable confidence that audit objectives can be achieved, the following factors
should be considered
 sufficient and appropriate information for planning the audit
 adequate co-operation from the auditee
 adequate time and resources available

Where it is not feasible, an alternative should be proposed to the audit client/auditee.

Prepare for Audit Activities


Read Clauses 6.3.1, 6.3.2, 6.3.3 and 6.3.4.

Document Review (See Clause B.2)


A document review is a review of management system documentation prior to on-site
activities to determine conformity of this documentation to audit criteria. The responsible
auditor should consider the following

 if information in the documents is complete, correct, consistent and current


 if the documents cover the audit scope and are sufficient to support the audit
objectives
 if the use of information and communication technologies promotes efficient conduct
of the audit, depending on the audit methods

Audit Plan (SO1, AC1)


The audit team leader prepares the audit plan based on the information contained in the audit
programme and the document review. The amount of detail in the plan depends on the scope
and complexity of the audit and the audit risks. The audit plan must be communicated to the
audit client and/or auditee. In order to improve the QMS, it is imperative that the audit plan is
communicated to all relevant stakeholders. These stakeholders must prepare for the audit to
ensure effective execution of the audit plan. The audit plan should cover or reference the
following
 1
the audit objectives, for example, the audit objective, can be to show compliance to a specific
process, procedure, legislation or standard
 2
the audit scope, including organisational and functional units as well as processes
 3
the audit criteria or reference documents, for example, ISO 9001:2015
 4
the scheduling and audit activities (dates and places, expected duration of audit activities)
 5
audit methods, including the extent of audit sampling and sampling plan, if required (see
Clauses B.1 and B.3)
 6
the roles and responsibilities of the audit team, guides and observers
 7
the allocation of critical resources, for example, people that must accompany the audit team
 8
the representatives of the auditee
 9
the language in which the audit will be conducted
 10
audit report topics
 11
logistic arrangements (for example, travelling, on-site facilities, PPE, induction, etc.)
 12
matters related to confidentiality
 13
audit follow-up action arrangements

Review and Acceptance of Audit Plan (SO1, AC2) (SO2, AC2)
The audit team leader must obtain the acceptance of the audit plan by the audit client and/or
auditee. Objections to the audit plan should be resolved between the audit team leader, the
auditee and the audit client.

Assign Work to the Audit Team


The audit team leader must assign specific responsibilities for processes, activities, functions
or locations to each team member in consultation with the team. Independence, competence,
roles and responsibilities of auditors, auditors in training and technical experts, as well as
effective use of resources must be taken into account.

Prepare Work Documents


Work documents may include checklists, audit sampling plans and forms. Read Clause B.4
for guidance on preparing work documents.

Site Audit Conditions


Prior to doing the audit, there are a few things that need to be confirmed, which should have
been mentioned within the audit plan/programme

 does the audit team have access to site and are they allowed on the premises?
 does the audit team need to comply with an induction process and/or do the members
understand the security and safety rules of the site?
 are they aware of the areas where they are allowed or not allowed?
Are All Audits Planned, Or Can Surprise Audits Be
Conducted?
The majority of audits are planned. However, that does not preclude the internal audit
department from conducting unplanned audits. Prior to any audit, the internal audit
department will discuss the scope, purpose, and estimated timeframe of the audit with
appropriate stakeholders. This must, however, be documented in the audit policy or
procedure.

Safety, Health and Environmental Policies and Procedures
During an audit, it is imperative that the audit team adheres to all safety, health and
environmental policies. Organisations often have an induction programme that must be
attended. This applies to external audits, but where internal audits are done at different
sites, internal staff might also be required to undergo induction for the specific site where
they conduct the audit.

AUDIT PLAN

Date and time 12 January 2016 at 08h00

Audit objective To achieve ISO 14001 Certification

Audit scope The Chemical Lab

Audit criteria ISO 14001 requirements and lab protocols, guidelines

Locations Laboratory

Audit method Process method

Roles and responsibilities Lead auditor, auditors, observers and guides, auditee

Opening meeting List the meeting agenda as per ISO 19011:2011, Clause 6.4.2

Document review Time and what documents will be reviewed

Site visit Where and who do you want to speak to?


Closing meeting When and agenda (list the meeting agenda as per ISO 19011:2011, Clause 6.4.9)

Step 2: Conducting the Audit
Opening Meeting (SO8, AC2)

Read Clause 6.4.2.

The audit team leader will chair the opening meeting. An audit starts with an opening
meeting or, in some cases, with a phase where documented information is reviewed first.
The objective of the opening meeting is to address the objectives, scope and criteria of the
audit to be conducted, as well as to introduce the audit team to the organisation’s top
management and auditee and to establish who the guides or observers available to assist the
audit team will be.

Communication methods, language to be used, and method of reporting will be agreed at this
time. The conditions under which the audit may be terminated, and the appeals system,
should it be necessary, will also be clarified at this meeting.

Figure 6: The opening meeting agenda


Document Review While Conducting the Audit
Read Clause 6.4.3.

The auditee’s documentation must be reviewed by auditors to determine conformity with the
audit criteria and to gather information to support the audit activities (see Clause B.2).

Communication during the Audit

Read Clause 6.4.4.

Communication will be facilitated mainly by the audit team leader. The audit team should
confer periodically. There should be constant communication between the auditor and
auditee. The audit team leader will communicate critical issues. Any change required to the
audit plan must be reviewed and approved by both the person(s) managing the audit
programme and the auditee.

Guides and Observers


Read Clause 6.4.5.

Guides appointed by the auditee should assist the audit team and act on requests from the
audit team leader. Health and safety obligations of observers are managed between the audit
client and/or auditee.
Collect and Verify Information (SO1, AC3) (SO3, AC3)
Read Clause 6.4.6.

During the audit, information relevant to the audit objectives, scope and criteria, including
information relating to interfaces between functions, activities and processes, should be
collected by means of appropriate sampling, and should be verified. Only information that is
verifiable should be accepted as audit evidence. Audit evidence leading to audit findings
should be recorded. If, during the collection of evidence, the audit team becomes aware of
any new or changed circumstances or risks, these should be addressed by the team
accordingly.

Methods of collecting information include


 interviews
 observations
 review of documents, including records
NOTE 1
Guidance on sampling is given in Clause B.3.
NOTE 2
Guidance on sources of information is given in Clause B.5.
NOTE 3
Guidance on visiting the auditee’s location is given in Clause B.6.
NOTE 4
Guidance on how to conduct interviews is given in Clause B.7.

“Information can be data that is (1) accurate and timely, (2) specific and organised for a
purpose, (3) presented within a context that gives it meaning and relevance, and (4) can lead
to an increase in understanding and decrease in uncertainty.

Information is valuable because it can affect behaviour, a decision, or an outcome. For
example, if a manager is told the company's energy usage decreased in the past month, they
may use this information as a reason to identify how this impacted on production, or was
influenced by production (it might be due to a two-week shutdown in a production area).”

Reference: http://www.businessdictionary.com/definition/information.html (09.11.2015)


The attitude of the auditor is the key factor during the interview. The auditor must create a
relaxed, open and transparent environment so that the auditee can be comfortable to supply
information.
 1
The purpose of the interview must be clearly explained
 2
The types of questions, (open-ended, closed, leading, antagonistic, vague) must be
understood
OPEN-ENDED QUESTIONS
“Tell me a bit more...”
“How do you...?”
“What do you do if...?”
“When do you...?”
“Where is...?”
“Who does...?”
“Why do you...?”

CLOSED QUESTIONS
“Do you...?”
“Can you...?”
“Is this/that...?”
“Will this/that...?”

LEADING QUESTIONS
“Must a person...?”
“There are/is...”
“I see that...”
“I heard that...”

VAGUE QUESTIONS
“What do you think?”
“What is your opinion?”

ANTAGONISTIC QUESTIONS
“So you did not/have not...”
“This/That are not...?”
(Negative tone of voice indicating non-compliance before evidence is collected. Never
assume; be to the point and refer to facts.)

Figure 7: Examples of types of questions

The auditor should avoid leading, vague and antagonistic questions, and use closed questions
only where a yes/no confirmation is needed. Open and closed questions can be asked together.
Refer to the following examples.

TYPE OF QUESTION: OPEN-ENDED
When is this type of question useful? The open-ended question is the most useful during the
audit. These questions prompt the auditee to provide the specific information the auditor
requires. The auditor must keep the evidence required in mind before asking the question.
Example: “How does the organisation ensure that all employees and contractors are competent
and know what legal and other obligations (client requirements) they must comply with in
their specific area?”

TYPE OF QUESTION: CLOSED
When is this type of question useful? The closed question can be useful when the auditor
wants to verify with a yes or no that the organisation has a specific record.
Example: “Do you have a storage area for identified defective products?”

TYPE OF QUESTION: LEADING
When is this type of question useful? The leading question can be helpful with an auditee
who is not that literate and so needs more prompting.
Example: “Must an employee run to the assembly point during an emergency situation?”

TYPE OF QUESTION: ANTAGONISTIC
When is this type of question useful? This type of question is never useful! This type of
questioning will result in negative behaviour and provoke conflict.
Example: “You are hiding information from me, aren’t you?”

Evaluate Evidence against Criteria and Generate Audit Findings (SO1, AC4) (SO1, AC6) (SO4, AC4)
Read Clause 6.4.7.

In order to determine audit findings, audit evidence should be evaluated against audit criteria.
Read Clause B.8.

Definition of Audit Findings

ISO 19011:2011, Clause 3.4 (Audit findings) - “Results of the evaluation of the collected
audit evidence (Clause 3.3) against audit criteria (Clause 3.2)”
NOTE: Audit findings can indicate either conformity or non-conformity with audit criteria, or
opportunities for improvement.
How to Deal With Findings
ISO 19011:2011 refers to either a non-conformity or a conformity in the definition of audit
findings (Clause 3.4). Other literature refers to “major and minor findings, recommendations
for improvements according to best practices or improvement opportunities, etc.”

Reference, dated 08.11.2015: http://www.praxiom.com/iso-19011-definitions.htm (Audit
Findings)

During an audit, the audit team should meet at appropriate stages to discuss findings and to
ensure that there is agreement regarding the conclusion, as other audit team members may
have additional information not known to all team members.

For each finding, the location/document number, whether it is a conformance or a
non-conformance in terms of the criteria, and a description of the finding will need to be
presented.

Conformance

A conformance is a statement that the organisation is complying with legislation, standards
and/or organisational procedures. Conformances are mostly reported when the level of
compliance is of an exceptional standard.

Non-Conformance/Finding

A non-conformance/finding means that the evidence supplied indicates sub-standard
compliance with legislation, standards and/or organisational procedures, or that no evidence
is available. Remember that the auditee will need to agree and confirm that the finding
presented is accurate. Findings must be clearly defined and unambiguous (not open to more
than one interpretation).

Example Audit Finding


“No evidence was presented to show compliance to the evaluation of competence for internal
auditors, as indicated by the requirements of ISO 9001:2015 Clause 7.2 (4).”

The Audit Team Must Ensure

 when evaluation of compliance is done, confirmation is received from the auditee
that a conformance/non-conformance was identified; this way, there will not be any
discrepancies during the closing meeting, so agree with the auditee at the time the
finding is raised
 the audit team meets at appropriate stages to discuss findings and ensure that there
is agreement regarding the conclusion(s), as other audit team members may have
additional information not known to all team members
 the evidence received is traceable
 when interviews are done, record the name of the person and his/her position and the
location/area that was audited
 when documented information is reviewed, the document number, title or
identification method, origin of the information, etc. must be recorded
 record whether the reviewed information conformed/did not conform to the
requirements

Each finding is built up in three steps:

STEP 1 refers to the requirements that are applicable during the audit

STEP 2 refers to the objective evidence that needs to be acquired by the auditor to prove
compliance

STEP 3 refers to the decision that the auditor made regarding compliance/non-compliance


Audit Conclusions (SO1, AC5) (SO5, AC5)
Read Clause 6.4.8.

Definition of Audit Conclusions

ISO 19011:2011, Clause 3.5 (Audit conclusions) - “Outcome of an audit (Clause 3.1),
provided by the audit team (Clause 3.9) after consideration of the audit objectives and all
audit findings”

Prior to the closing meeting, the audit team should confer to review the findings, agree on the
conclusions, prepare recommendations and discuss audit follow-up.
Closing Meeting (SO1, AC6) (SO6, AC5)
Read Clause 6.4.9.

The objective of the closing meeting, facilitated by the audit team leader, is not to report on
all findings in detail, but to summarise them. Should further discrepancies arise at the closing
meeting, they must be dealt with after the meeting. Audit conclusions, including
recommendations for improvement, are presented as part of the summary at the closing meeting.

The lead auditor will relay the audit team’s findings to top management and other
organisational representatives and, where necessary, highlight the high-risk areas found
during the audit. It is imperative that audit findings reported on at the closing meeting be
evident in the audit report. Should the auditee provide objective evidence at a later stage,
after the closing meeting, the findings will still be documented in the audit report.

Confirmation of the period the auditee has to submit corrective actions must be clarified. The
duration will depend on the critical aspects for certain findings; the discretion of the lead
auditor should also be used.

Figure 9: Closing meeting structure


Step 3: Reporting
Prepare and Distribute the Audit Report (SO1, AC5) (SO1, AC6)
(SO5, AC5) (SO6, AC6)
Read Clause 6.5
The audit report is prepared by the audit team leader. The audit is completed once all the
activities have been met and finished, in line with the audit plan, and the audit report has been
distributed.
Any documentation from the organisation that does not form part of the audit records, or the
audit team does not have permission to have, should be returned to the auditee as soon as
practicable.
The audit team leader should be responsible for the preparation and contents of the audit
report. The audit report should provide a complete, accurate, concise and clear record of the
audit, and should include or refer to the following
 1
the audit objectives
 2
the audit scope, particularly identification of the organisational and functional units or
processes audited, and the time period covered
 3
identification of the audit client
 4
identification of audit team leader and members
 5
the dates and places where the on-site audit activities were conducted
 6
the audit criteria
 7
the audit findings
 8
the audit conclusions
The audit report may also include or refer to the following, as appropriate
 1
the audit plan
 2
a list of auditee representatives
 3
a summary of the auditing process, including the uncertainty and/or any obstacles
encountered that could decrease the reliability of the audit conclusions
 4
confirmation that the audit objectives have been accomplished within the audit scope in
accordance with the audit plan
 5
any areas not covered, although within the audit scope
 6
any unresolved diverging opinions between the audit team and the auditee
 7
recommendations for improvement, if specified in the audit objectives
 8
agreed follow-up action plans, if any
 9
a statement of the confidential nature of the contents
 10
the distribution list for the audit report
The auditor must ensure that the report is authorised or approved by the auditee. It is
advisable to discuss and confirm all findings during the audit with the relevant auditee and
not at the closing meeting. The closing meeting should be used only as confirmation of the
findings observed.
An audit report is a document that is distributed to the person responsible for the specific area
audited. In the case where the internal auditor reviewed only a specific process or area in the
organisation, the relevant section/department manager will receive the audit report.

It should not be the internal auditor’s responsibility to distribute and discuss findings with
anybody else in the organisation. Confidentiality must be maintained. In the case where an
external auditor submitted the audit report to the organisation, a company representative will
be responsible for the distribution of the report.

Accurate and provable information is the key to an audit report. The audit report should also
be checked for grammar and typing errors prior to distribution. This portrays a professional
and valuable report.

The distribution of the report should be done within the agreed timeframes and where delays
do occur, this must be communicated to the relevant client (whether internal or external).

The report should provide a complete, accurate, concise and clear record of the on-site audit
conducted. It needs to be concluded, dated, reviewed and approved, as soon as possible after
the audit, and distributed to recipients designated by the organisation.

Example: Audit Report

Company Logo

ISO 9001:2015 Audit Report Example

Index
 Executive summary of supplier

 Disclaimer

 Audit objectives

 Audit scope

 Audit limitations
 Summary of organisation
processes

 Abbreviations

 Health and Safety arrangements

 Audit plan

 Audit methods

 Summary of audit findings

 Conclusion

 Closure

Compliance Levels
C: Compliance to Standard requirements
NC: Non-Compliance to Standard requirements
QNC: The organisation must provide more evidence to verify the level of compliance
OBS: Observation, designed to highlight a potential compliance issue
FYI: For the organisation's information

NO.: 1
REQUIREMENT: ISO 9001:2015 Clause 5.2.1
DESCRIPTION OF FINDING: The policy is in draft format and is therefore not approved by
management.
RECOMMENDATION: Finalise the policy and obtain management approval
APPLICABLE ACTIVITIES: Reviewing of documented information
Step 4: Follow-Up
Conducting Audit Follow-Up (SO1, AC7) (SO7, AC7)
Read Clause 6.7

From the final audit report distributed, and depending on the audit objectives, there may be a
need for corrective or improvement actions to be implemented. The audit team leader and
auditee will agree on the timeframe for implementation of actions.

Once implemented, the effects should be verified. This verification may form part of a
subsequent audit, which should be specified as a follow-up audit. Members of the initial audit
team may be required for this task.

The Auditor

Read Clause 7

Characteristics of the Auditor


An auditor needs to have the correct qualities to conduct audits, these include, but are not
limited to being
 1
ethical
 2
open-minded
 3
diplomatic
 4
observant
 5
perceptive
 6
versatile
 7
tenacious
 8
decisive
 9
self-reliant, and
 10
having good listening skills
Auditor Evaluation Methods

The evaluation of the competence of the auditor should be undertaken by a person or a panel
using one or more of the methods listed below.

METHOD: Review of records
Objective of evaluation: To verify the background of the auditor
What to look for: Analysis of records of education, training, employment and audit experience

METHOD: Positive and negative feedback
Objective of evaluation: To provide information about how the performance of the auditor is
perceived
What to look for: Surveys, questionnaires, personal references, testimonials, complaints,
performance evaluation, peer review

METHOD: Interview
Objective of evaluation: To evaluate personal attributes and communication skills, to verify
information and test knowledge, and to acquire additional information
What to look for: Face-to-face and telephone interviews

METHOD: Observation
Objective of evaluation: To evaluate personal attributes and the ability to apply knowledge
and skills
What to look for: Role playing, witnessed audits, on-the-job performance

METHOD: Testing
Objective of evaluation: To evaluate personal attributes, knowledge and skills, and their
application
What to look for: Oral and written exams, psychometric testing

METHOD: Post-audit review
Objective of evaluation: To provide information where direct observation may not be possible
or appropriate
What to look for: Review of the audit report and discussion with the audit client, auditee,
colleagues, and with the auditor

These methods can also be used during the evaluation of compliance of the QMS. The
objective of evaluation will then be aligned with the requirements of ISO 9001:2015.

Continual Improvement for an Auditor


Even though an auditor may have all the education, knowledge, skills and expertise needed to
conduct audits, it is important that the auditor is evaluated by his/her peers. This can be
done by an accrediting body, which will ensure that the auditor conducts audits in line with
the relevant requirements, processes and guidelines. This accrediting body will also
investigate any complaints received regarding an auditor.
Accreditation bodies also conduct workshops, training sessions and/or seminars that auditors
can attend as part of their continual professional development; as the saying goes, “practice
makes perfect”. By participating in regular audits, auditors can also maintain and
demonstrate their commitment.
Demonstrate Knowledge of Auditing a QMS
ISO 19011:2011, Clause 7.2.1, General
In deciding the appropriate knowledge and skills required of the auditor, the following should
be considered

 the size, nature and complexity of the organisation to be audited


 the management system disciplines to be audited
 the objectives and extent of the audit programme
 other requirements, such as those imposed by external bodies, where appropriate
 the role of the auditing process in the management system of the auditee
 the complexity of the management system to be audited
 the uncertainty in achieving audit objectives

This information should be matched against that listed in Clauses 7.2.3.2, 7.2.3.3 and 7.2.3.4.
Knowledge and skills related to the discipline and the application of discipline-specific
methods, techniques, processes and practices, should be sufficient to enable the auditor to
examine the management system and generate appropriate audit findings and conclusions.

Lesson 1 of 2

How to audit ISO 9001:2015


Clause 4 – Context of the Organisation

Applicable Clauses

CLAUSE NO. CLAUSE TITLE
4.1 Understanding the organisation and its context
4.2 Understanding the needs and expectations of Interested parties
4.3 Determining the scope of QMS
4.4 QMS and its processes

What Must the Auditor Look for?

Clause 4.1: Understanding the Organisation and Its Context
The auditor must

 ensure that the organisation has determined its context
 confirm if quality risks and opportunities are identified according to the context of the
organisation
 confirm that activities, products and services that have a significant influence on the
QMS are included in the context of the organisation
 collect evidence that indicates external and internal aspects are included in the QMS
 ensure that the context of the organisation is available to the public, for example, on
the company website, or available on request

Clause 4.2: Understanding the Needs and Expectations of
Interested Parties
The auditor must

 ensure that interested parties, such as suppliers, stakeholders, etc. are considered to be
included in the QMS
 evaluate contractor agreements to confirm that they are included and will comply with
the QMS requirements
 ensure that any contractual obligations are included as compliance obligations for the
organisation

Interested parties can be

 employees
 board members / shareholders
 neighbours
 customers
 suppliers/contractors
 regulators
 community and/or pressure groups

Clause 4.3: Determining the Scope of QMS


The auditor must

 confirm that the physical and organisational boundaries are documented in the QMS
 if only a section of the organisation is identified to be certified, this must be clarified in the
QMS
 ensure that excluded activities do not pose a high risk of influencing the QMS negatively; if
they do, the organisation cannot exclude those activities
 confirm that the defined scope is not misleading

Clause 4.4: QMS and Its Processes

The auditor must ensure that

 integrated processes are established, implemented, maintained and continually improved
 the inputs (resources) required to achieve the desired outcomes are defined and available
 the criteria and methods to ensure effective operations, including how the organisation will
monitor and measure the performance, are determined
 responsibilities are allocated for all defined processes
 risks and opportunities are determined as indicated in Clause 6.1
 all processes are evaluated for effective achievement of results
 where desired results are not achieved, changes are made to improve the processes
 documents identified in Clauses 4.1 and 4.2 are included in the QMS

CLAUSE NO.  CLAUSE TITLE
5.1         Leadership and commitment
5.1.1       General
5.1.2       Customer focus
5.2         Quality policy (Title only)
5.2.1       Establishing the quality policy
5.2.2       Communicating the quality policy
5.3         Organisational roles, responsibilities and authorities
What Must the Auditor Look for?
Clause 5.1: Leadership and Commitment
Clause 5.1.1 – General
The auditor must:

 confirm that top management is defined as the responsible person(s) to establish, implement and maintain the QMS (this can be confirmed through employee contracts, legal appointment letters, organograms, job descriptions, or any other documentation that stipulates the responsibility and accountability at the highest level of the organisation)
 interview top management to evaluate commitment; accountability must be measured where improvements are recommended
 ensure top management communicates the QMS to the workforce
 confirm that operational, support and external employees, contractors, suppliers and any other external party comply with the QMS
 confirm that continual improvement is promoted through awareness sessions
 confirm that QMS objectives are established and met

Clause 5.1.2 – Customer Focus

The auditor must ensure that:

 top management demonstrates commitment and leadership regarding customer focus
 statutory and regulatory requirements are determined (see Clause 8.2, Requirements for products and services), and are consistently met
 risks that might have a negative effect on the conformity of products and services are identified
 opportunities to improve on customer requirements are defined and addressed
 customer satisfaction is consistently achieved; this must be measured (see Clause 9, Improvement)

Clause 5.2: Quality Policy

Clause 5.2.1 – Establishing the quality policy
The auditor must ensure that the QMS policy

 is appropriate to the organisation’s purpose and context
 is appropriate to the nature, scale and environmental impact of activities, products and services
 provides the framework for QMS objectives, and possibly even states what the objectives are
 is documented and available to interested parties
 is communicated internally
 commits management to ensuring that continual improvement is one of their focus areas.

Clause 5.2.2 – Communicating the quality policy
The auditor must ensure that the QMS policy is

 documented and controlled as per Clause 7.5 (Documented information)
 communicated, understood and applied in all functional areas. Evidence must be presented to support the claim that it is communicated, for example, e-mails, notices, minutes of meetings, or employee assessments. An auditor can test this by asking employees if they know what the policy contains
 available to interested parties. The availability of the policy should be practical and should not take too long to obtain and communicate

Clause 5.3: Organisational Roles, Responsibilities, Authorities
The auditor must ensure that:

 relevant roles and authorities are assigned and communicated in order to effectively
control and ensure conformance to the requirements of the QMS. This can be in the
form of appointments.
 processes key to the QMS are reviewed. Ask for evidence of the outputs that are
defined in the process.
 performance of the QMS is reported on as stipulated in Clause 10.1 (Improvement).
This can be in the form of minutes of management reviews.
 customer satisfaction always remains the focus of everybody in the organisation. Ask
for evidence to the fact.
 the integrity of the QMS is maintained when changes are made. For example, review
performance reports for before and after changes were implemented.

Clause 7.5.3.1 – (No Title)

The auditor must ensure that

 documented information is controlled in a way that it is suitable and available at the time it is needed
 documented information is adequately protected from loss of confidentiality, improper use, or loss of integrity

Clause 7.5.3.2 – (No Title)

The auditor must ensure that

 documented information is managed in terms of
o distribution
o accessibility
o retrieval
o use
o storage
o legibility
o version control
o retention and disposal
o unintended alterations

NOTE: Access can imply a decision regarding the permission to view the documented
information only, or the permission and authority to view and change the documented
information.
Clause 8 – Operation
Applicable Clauses
CLAUSE NO.  CLAUSE DESCRIPTION
8.1 Operational planning and control
8.2 Requirements for products and services (Title only)
8.2.1 Customer communication
8.2.2 Determining the requirements for products and services
8.2.3 Review of the requirements for products and services
8.2.4 Changes to requirements for products and services
8.3 Design and development of products and services (Title only)
8.3.1 General
8.3.2 Design and development planning
8.3.3 Design and development inputs
8.3.4 Design and development controls
8.3.5 Design and development outputs
8.3.6 Design and development changes
8.4 Control of externally provided processes, products and services (Title only)
8.4.1 General
8.4.2 Type and extent of control
8.4.3 Information for external providers
8.5 Production and service provision (Title only)
8.5.1 Control of production and service provision
8.5.2 Identification and traceability
8.5.3 Property belonging to customers or external providers
8.5.4 Preservation
8.5.5 Post-delivery activities
8.5.6 Control of changes
8.6 Release of products and services
8.7 Control of nonconforming outputs

Clause 8.1: Operational Planning and Control


The auditor must ensure that

 processes are established, implemented and controlled as defined in Clause 4.4 (QMS
and its processes)
 these processes address the requirements of products and services
 actions identified in Clause 6 (Actions to address risks and opportunities) are planned,
implemented and controlled
 criteria for all processes are established to achieve the desired results for products and
services; these criteria must include when products and services can be accepted or
not
 sufficient resources (as defined in Clause 7.1) are available to conform to product and
service requirements
 control of the process is implemented in accordance with the criteria identified
 documented information is determined, maintained and retained to the extent that it
assures processes were carried out as planned and demonstrates the conformity of
products and services to their requirements
 when there is change in operational processes, these changes are controlled so as to
reduce any adverse effects on the business, and where changes are unplanned, the
consequences are reviewed and actioned to mitigate any adverse effects
 any process that is outsourced is controlled

Clause 8.2: Requirements for Products and Services

Clause 8.2.1 – Customer communication

The auditor must ensure that

 the organisation informs its customers about information related to products and services, for example, the purpose of the product, how it should be used, who can use it, what its content is, and what the customer can expect from the product.
 queries from customers are handled. Corroborate a sample of customer correspondence to ascertain whether action was taken to satisfy customer requirements; look for evidence.
 feedback from customers (including complaints) is obtained to ensure customer satisfaction.
 customer property is controlled and protected.
 specific requirements for contingency actions for the identified risks have been determined.

Clause 8.2.2 – Determining the requirements for products and services
The auditor must ensure that

 the organisation has the necessary measures in place to support the product or service it offers to customers. Examine, for example, a returns department to ascertain if it is properly resourced, or whether the organisation has sufficient resources to respond effectively to a customer complaint.
 the organisation meets all statutory and regulatory requirements for its offerings. Ask for and review the organisation’s legal or compliance register, or ascertain if a legal audit/review has been conducted and the results documented.

Clause 8.2.3 – Review of the requirements for products and services
Clause 8.2.3.1 – (No Title)

The auditor must ensure that

 the organisation has the ability to meet the specific requirements as defined in Clause 8.2.2
 the organisation reviews the requirements before committing to supplying the products and
services, taking into consideration
o the delivery and post-delivery activities required, for example, transportation of
products, when a product can be activated or used
o requirements not stated by the customer, but required by a manufacturer before
intended use, for example, a cell phone that needs to be charged before it is used
o requirements specified by the organisation to ensure a high standard of product or
service delivery, for example, if you manufacture ear pieces and the product must
be imported, the organisation does not have control over these processes, therefore
it cannot commit to delivery within a certain timeframe
o statutory and regulatory requirements as stated in Clause 8.2.2
o contract or order requirements that differ from those previously stated; this must be
resolved during the activities explained in Clause 8.2.1 (Determining the customer’s
requirements)
o all customer requirements are confirmed and documented before acceptance of the
order

NOTE: Where confirmation of requirements is impractical, advertising or product information catalogues can be used.

Clause 8.2.3.2 – (No Title)

The auditor must ensure that

 documented information is kept to prove that the organisation reviewed the results on any new requirements for products and services.
 this information is resourced and managed as required by Clause 7.5 (Documented information).

Clause 8.2.4 – Changes to requirements for products and services
The auditor must ensure that

 the organisation has documented information ensuring that, should requirements change, the relevant people in the organisation are informed about these changes. Evidence may be in the form of impact assessments or a list of interested and affected parties and processes.

Clause 8.3: Design and Development of Products and Services
Clause 8.3.1 – General

The auditor must ensure that

 a design and development process is established, implemented and maintained
 the process indicates how the products and services will be provided. A conventional way is drawing up a process flow or procedure detailing the activities with their inputs and outputs.

NOTE: Some organisations may deem this clause not to be applicable due to the nature
of their organisation. For example, Civil Engineering Consultants versus a Used Car
Dealer. However, this decision must be documented based on factual and relevant
information.

Clause 8.3.2 – Design and development planning

The auditor must ensure that

 the organisation has planned and documented the design and development process taking into consideration:
o the nature, duration and complexity of the design and development activities
o the required design and development verification and validation activities
o the responsibilities and authorities involved in the design and development process
o the internal and external resources needed for the design and development of products and services
o the need to control interfaces between persons involved in the design and development process
o the requirements for subsequent provision of products and services
o the level of control expected for the design and development process by customers and other relevant interested parties
o the documented information needed to demonstrate that design and development requirements have been met

Sample evidence could include decisions recorded in minutes of meeting with the agenda for
planning and documenting the design.

Clause 8.3.3 – Design and development inputs
The auditor must ensure that

 requirements essential for specific types of products and services have been identified
 functional and performance requirements have been considered
 information derived from previous similar design and development activities has been considered
 statutory and regulatory requirements have been considered
 required standards or codes of practice are committed to
 potential consequences of failure due to the nature of the products and planned activities have been considered
 inputs are adequate for the design and development purposes
 conflicting design and development inputs have been resolved
 documented information is maintained

Most often, the comparison between tender request submissions is a good source of information to ascertain whether design inputs have been considered and met.

Clause 8.3.4 – Design and development controls

The auditor must ensure that

 the organisation has defined the desired results that are/are to be achieved
 reviews are/have been conducted to ensure that requirements are met
 verification activities are/have been conducted to confirm that outputs meet input requirements
 validation activities are done to confirm the intended use of the product or service
 actions are taken where deviations occur
 documented information is maintained for all activities

Assess whether the organisation has defined controls to ensure that no error is engineered into
the design and development process. A poor design can lead to a poor quality manufactured
product/delivered service. This may lead to rework which wastes resources.

Clause 8.3.5 – Design and development outputs

The auditor must ensure that design and development outputs:

 meet the input requirements
 are adequate for the processes to provide the product or service
 refer to acceptance criteria
 specify the characteristics of the products and services to confirm the intended use

and that documented information is maintained.

These documents define the design, and can be whatever the organisation chooses to define
them as. This could be written assembly instructions, drawings, electronic machining files,
etc. The outputs however, need to:

 include anything required in the inputs (for example, if a drawing is required by the
customer, or a machine shop requires electronic CAD files)
 be usable by necessary departments such as purchasing and production
 have the acceptance criteria for the product, and identify the essential characteristics
for proper use.

Clause 8.3.6 – Design and development changes

The auditor must ensure that

 the organisation identifies how to review and control changes
 documented information of changes is maintained
 results of reviews are maintained
 changes are authorised
 any actions taken to prevent adverse impacts on products and services are documented and maintained
This requirement refers to how an organisation changes their drawings, instructions, etc. The
concept is to make sure that not just anyone can make changes without making sure that the
change is shown to be good and approved to be implemented. Included in this is deciding
how making this change will affect related parts, and how not making this change to parts
already complete will affect their usability. Of course, records of these changes need to be
kept.

Clause 8.4: Control of Externally Provided Processes, Products and Services
Clause 8.4.1 – General

The auditor must ensure that

 externally provided processes, for example, transportation, supply of goods and materials, comply with the requirements identified for product and service delivery
 controls are defined for externally provided processes that influence the organisation’s own products and services.

An example could include assessing if the organisation has identified any external processes, products and services and mapped them into its own organisational processes.

Clause 8.4.2 – Type and extent of control


The auditor must ensure that

 processes, products and services provided externally do not adversely affect the
organisation’s ability to consistently deliver conforming products and services to its
customers
 externally provided processes remain within the control of the organisation’s QMS
 controls are applied to the external provider(s), and that the controls applied to the
resulting outputs of the externally provided process are defined
 the organisation takes into consideration the potential impact that externally provided processes have on the requirements of the organisation’s clients; this will include statutory and regulatory requirements as defined in Clause 8.2.2

Clause 8.4.3 – Information for external providers

The auditor must ensure that

 the organisation’s requirements are defined properly before they are communicated to the external provider. This could be in the form of an MOU or SLA, etc.
 the organisation has communicated the following to external providers
o the processes, products and services that are to be/need to be provided
o when products and services will be approved
o what methods, processes and equipment are used to carry out approval tasks
o the conditions of release for the processes, products or services
o what competency level is required for persons employed by an external provider involved in the provision of processes, products or services
o the conditions and extent to which external providers will interact with the organisation
o the scope and schedule of performance or verification reviews on external providers

Assess if the organisation has evidence to support any of the requirements above.
Clause 8.5: Production and Service Provision
Clause 8.5.1 – Control of production and service provision

The auditor must ensure that

 the organisation has ensured that production and service provision is done under controlled conditions. Controlled conditions refer to
o documented information
o the implementation of monitoring and measurement activities
o the use of suitable infrastructure and environment
o the validation/re-validation activities
o the implementation of actions to prevent human error
o the implementation of release, delivery and post-delivery activities

Assess if the organisation has any documented information that shows compliance to the
requirements of this clause. For example, inspection reports, non-conformance reports, etc.

Clause 8.5.2 – Identification and traceability

The auditor must ensure that

 suitable activities are in place to identify outputs after each production phase
 the unique identification of each output is controlled
 documented information is maintained to prove traceability, for example, batch numbers, bar codes, document/record numbers, inspection reports

Clause 9 – Performance Evaluation

Applicable Clauses
CLAUSE NO.  CLAUSE DESCRIPTION
9.1         Monitoring, measurement, analysis and evaluation
9.1.1       General
9.1.2       Customer satisfaction
9.1.3       Analysis and evaluation
9.2         Internal audit
9.3         Management review (Title only)
9.3.1       General
9.3.2       Management review inputs
9.3.3       Management review outputs
What Must the Auditor Look for?
Clause 9.1: Monitoring, Measurement, Analysis and Evaluation
Clause 9.1.1 – General
The auditor must ensure that

 the organisation has identified
o what needs to be monitored and measured
o what methods are used to ensure valid results
o when monitoring and measurement takes place
o when results are analysed and evaluated

Documented processes, testing and inspection records are usually good sources to ascertain if
the requirements of this clause have been met.

Clause 9.1.2 – Customer satisfaction
The auditor must ensure that

 the organisation monitors the client’s degree of satisfaction
 methods for obtaining this information are defined

Ask for customer surveys, customer feedback on delivered products and services, meetings with customers, market-share analysis, compliments, warranty claims and dealer reports. Also, ascertain if effective actions were taken to deal with any deviations or non-conformances.
Clause 9.1.3 – Analysis and evaluation
The auditor must ensure that

 appropriate data is analysed and evaluated and that the results are used to evaluate:
o product conformity
o the degree of customer satisfaction
o the effectiveness of the QMS
o the effectiveness of planning for the delivery of the product and services
o whether organisational risks have been mitigated
o the performance of external providers
o the need for improvement of the QMS

A good source of information to ascertain whether these types of reviews are conducted is the minutes of meetings where the analysis of data is on the agenda. Also, ask for any reports that are generated in this regard.

Clause 9.2: Internal Audit

Clause 9.2.1 – (No Title)
The auditor must ensure that

 the organisation has compiled an audit programme to confirm whether the organisation:
o complies with its own QMS as described in its documented information
o complies with ISO 9001:2015 requirements
o carries out effective implementation and maintenance of the QMS

Ask for an audit programme and ascertain if the programme is adhered to.
Clause 9.2.2 – (No Title)
The auditor must ensure that

 the organisation has
o an audit programme established, implemented and maintained
o an audit programme that indicates the frequency, methods, responsibilities, planning requirements and reporting on results of audit findings
o defined audit criteria and scopes
o auditors that are selected to audit the QMS, ensuring that they are objective and impartial during the auditing process, that is, auditors do not audit their own departments
o actioned appropriate corrective action
o documented information to support this requirement.

Typically there are a number of pieces of documented information that can be referred to, namely:

 audit programme
 audit scopes
 audit reports
 non-conformance reports
 minutes of audit opening and closing meetings

Clause 9.3: Management Review

Clause 9.3.1 – General
The auditor must ensure that

 the QMS is reviewed at planned intervals for suitability, adequacy, effectiveness and
alignment with the strategic direction of the organisation.

Evidence for this could be in the form of management review meeting schedules, agendas
and minutes. Ascertain if the meetings have been meaningfully conducted and are not just a
box-ticking paper exercise.

Clause 9.3.2 – Management review inputs
The auditor must ensure that

 the review inputs comply with the requirements of this clause. These requirements form a
good basis for an agenda for the management review meeting.
 data sources for the review inputs are an accurate and honest account of the
performance of the QMS.

Ask for meeting agendas and reports that were to be discussed in management review
meetings. Request and review the data sources from which the report information comes.

Clause 9.3.3 – Management review outputs
The auditor must ensure that

 the outputs of management review meetings are realistic and comply with the needs
of the QMS.

Ask for management review meeting minutes. Ascertain if actions required as a result of the
management review have been, or are in the process of being, dealt with.
Clause 10 – Improvement
Applicable Clauses

CLAUSE NO.   CLAUSE DESCRIPTION
10.1         General
10.2         Nonconformity and corrective action
10.3         Continual Improvement
Annex A      Clarification of new structure, terminology and concepts
Annex B      Other international standards on quality management and quality management
             systems developed by ISO/TC 176

What Must the Auditor Look for?

Clause 10.1: General

The auditor must ensure that

 the organisation has identified opportunities for improvement.

These opportunities are usually identified from the outputs of management review meetings.
They could be in the form of improvements to
 products
 processes
 resource utilisation
 employee skills and expertise
 the reduction of waste, etc.

Clause 10.2: Non-Conformity and Corrective Action

The auditor must ensure that

 there are systems in place to enable the organisation to report on and act
upon non-conformances.

Evidence of conformance to this requirement may be in the form of documented information,
that is, processes, non-conformance reports, registers, investigation reports and actions to close
out root causes. Ask for a non-conformance register, take a sample non-conformance and
follow the trail from reporting, through investigation and actions, to close-out. Record all findings.
Clause 10.3: Continual Improvement

The auditor must ensure that

 the organisation can demonstrate continual improvement of the suitability,
adequacy and effectiveness of the QMS.
 the results identified in Clause 9.1.3 (Analysis and evaluation) and Clause
9.3 (Management review) are used to determine needs or opportunities to
continually improve the QMS.

The results of continual improvement must be measurable. They can come in the form of
year-on-year or period-on-period performance reports. Ask for evidence to support an
organisation’s claim that continual improvement is occurring.

How to audit ISO 9001:2015

Clause 7.1.5.1 – General

The auditor must ensure that

 the organisation has sufficient resources available to
o validate reliable product and service results
o verify conformity to product and service requirements
 the resources the organisation has provided are
o suitable for the specific monitoring and measurement activities being
undertaken
o maintained to ensure their continuing fitness for their purpose; it is
imperative that the organisation retain documented information as
evidence that resources are fit for the purpose of monitoring and
measuring activities

Ensure that quality checks are conducted and, if equipment is used for any verification
purposes, that calibration certificates/records are available for inspection.
Clause 7.1.5.2 – Measurement traceability

The auditor must ensure that

 products and services are traceable during the production process to
ensure that verification and validation during the monitoring and
measurement activities are dependable
 where calibrated measurement standards are used, documented
information is retained
 where measuring equipment is used, it is identified in order to determine
whether it is effectively calibrated and when the next calibration is
required
 where measuring equipment is used, it is safeguarded from adjustments,
damage or deterioration that can influence the validity of the measurement
results
 where it was determined that the measurement results deviate from the
expected results, actions are taken to ensure that verification and
validation results are correct.

If equipment is used for any verification purposes, ensure that calibration certificates/records
are available for inspection. Ask for any non-conformance reports that the auditee may have.
Clause 7.1.6 – Organisational knowledge

The auditor must ensure that

 the knowledge necessary for the operation of its processes is identified; this
can be done in the format of a training matrix, performance discussions,
on-the-job observations, etc.
 the organisation maintains its internal knowledge and competence and
extends it where necessary; this means the organisation must focus on
retention of knowledgeable and experienced workers to reduce costs and
improve the efficiency of the QMS
 where changes to the QMS are identified, the need for training and
updating information is indicated

NOTE 1: Organisational knowledge is knowledge specific to the organisation and is
generally gained by experience. It is information that is used and shared to achieve the
organisation’s objectives.

NOTE 2: Organisational knowledge can be based on
 internal sources (for example, intellectual property, knowledge gained
from experience, lessons learned from failures and successful projects,
capturing and sharing undocumented knowledge and experience, the
results of improvements in processes, products and services)
 external sources (for example, standards, academia, conferences, gathering
knowledge from customers or external providers)

Clause 7.2: Competence

The auditor must ensure that

 the organisation determines the competency level of person(s) doing work
under its control; this can be done during performance discussions and on-the-
job observations, and presented in the form of a training matrix
 competency can be verified through appropriate education, training or
experience information; this can be done with evidence of training
certificates, attendance registers, professional registrations, witnesses, etc.
 where it is required for people to improve competence, actions are taken
and these actions are evaluated for effectiveness; this means that when
workers attend training, the organisation must ensure that the application
of knowledge is evaluated afterwards. Review a sample of assessments.

Applicable actions can include the provision of training to, the mentoring of, or the
reassignment of currently employed persons, or the hiring or contracting of competent persons.
Clause 7.3: Awareness

The auditor must ensure that

 the organisation has communicated documented information via
awareness sessions to all persons working under its control. The documented
information can include but is not limited to:
o the quality policy
o relevant quality objectives
o the contribution they make towards the effectiveness of the QMS
o the benefits of improved performance of the QMS
o the consequences/implications of not complying with the QMS
requirements

Ask for records of such sessions.

Clause 7.4: Communication

The auditor must ensure that

 a communication process is established, implemented and maintained
 communication is consistent and reliable
 communication received about the QMS is responded to
 information communicated is documented
 the procedure includes
o what will be communicated (refer to “What must be
communicated” below)
o who will communicate it (who will transfer the information)
o when information will be communicated
o with whom it will be communicated (applies to contractors and sub-
contractors)
o how the organisation will communicate (for example, e-mails,
communication boards, SMSs, two-way radios, etc.)
 communication is
o transparent, that is, the organisation is open in the way it derives
what it has reported on
o appropriate, so that information meets the needs of relevant
interested parties, enabling them to participate
o truthful and not misleading to those who rely on the information
reported
o factual, accurate and able to be trusted
o not excluding relevant information
o understandable to interested parties

What must be communicated

INTERNAL
 Importance of effective quality management and conforming to QMS requirements
 Responsibilities for QMS roles
 QMS performance to top management
 Quality policy and scope
 QMS objectives

EXTERNAL
 Quality requirements to external providers and users
 Information as required by compliance obligations to interested parties
 Significant quality aspects
 QMS policy
 Responses to relevant incoming communication regarding the QMS

Clause 7.5: Documented Information

Clause 7.5.1 – General

The auditor must ensure that

 documentation is maintained to ensure a suitable, adequate and effective
QMS
 the focus is on implementation of the QMS, not on a complex document control system
 documentation that is required by the standard has been generated
 documentation is controlled, available and protected
 documentation is transparent and can be easily audited
 documented information deemed necessary, including that of external
origin, is maintained and available

NOTE 1: The extent of documented information for a QMS can differ from one organisation
to another due to
 the size and type of activities, processes, products and services
 the complexity of processes and their interactions
 the competence of persons

NOTE 2: Most organisations do not manage all their information in one place; there is often
more than one system managing documented information. For example, finance may use an
electronic accounting system while Human Resources has a hard-copy filing system.
Ensure that there is at least documented information that defines how these systems are
managed.
Clause 7.5.2 – Creating and updating

The auditor must ensure that

 the type(s) of documentation required to control the organisation’s
processes are identified
 the level of language is appropriate to the audience
 the format and media in which information is presented are effective for the
transfer of information
 documented information is reviewed and approved for suitability and
adequacy

Ascertain whether an adequate policy or process covering the updating of documentation
exists. This could also be in the form of software that manages the repository of
information on the organisation’s behalf. Review previous versions of documents and keep
an eye out for any outdated documentation that may be lying around.
Clause 7.5.3 – Control of documented information

Clause 7.5.3.1 – (No Title)

The auditor must ensure that

 documented information is controlled in a way that it is suitable and
available at the time it is needed
 documented information is adequately protected from loss of
confidentiality, improper use, or loss of integrity

Clause 7.5.3.2 – (No Title)

The auditor must ensure that

 documented information is managed in terms of
o distribution
o accessibility
o retrieval
o use
o storage
o legibility
o version control
o retention and disposal
o unintended alterations

NOTE: Access can imply a decision regarding the permission to view the documented
information only, or the permission and authority to view and change the documented
information.
Clause 8 – Operation
Applicable Clauses

CLAUSE NO.   CLAUSE DESCRIPTION
8.1          Operational planning and control
8.2          Requirements for products and services (Title only)
8.2.1        Customer communication
8.2.2        Determining the requirements for products and services
8.2.3        Review of the requirements for products and services
8.2.4        Changes to requirements for products and services
8.3          Design and development of products and services (Title only)
8.3.1        General
8.3.2        Design and development planning
8.3.3        Design and development inputs
8.3.4        Design and development controls
8.3.5        Design and development outputs
8.3.6        Design and development changes
8.4          Control of externally provided processes, products and services (Title only)
8.4.1        General
8.4.2        Type and extent of control
8.4.3        Information for external providers
8.5          Production and service provision (Title only)
8.5.1        Control of production and service provision
8.5.2        Identification and traceability
8.5.3        Property belonging to customers or external providers
8.5.4        Preservation
8.5.5        Post-delivery activities
8.5.6        Control of changes
8.6          Release of products and services
8.7          Control of nonconforming outputs

What Must the Auditor Look for?

Clause 8.1: Operational Planning and Control

The auditor must ensure that

 processes are established, implemented and controlled as defined in Clause 4.4 (QMS
and its processes)
 these processes address the requirements of products and services
 actions identified in Clause 6 (Actions to address risks and opportunities) are planned,
implemented and controlled
 criteria for all processes are established to achieve the desired results for products and
services; these criteria must include when products and services can be accepted or
not
 sufficient resources (as defined in Clause 7.1) are available to conform to product and
service requirements
 control of the process is implemented in accordance with the criteria identified
 documented information is determined, maintained and retained to the extent that it
assures processes were carried out as planned and demonstrates the conformity of
products and services to their requirements
 when there is a change in operational processes, these changes are controlled so as to
reduce any adverse effects on the business, and where changes are unplanned, the
consequences are reviewed and actioned to mitigate any adverse effects
 any process that is outsourced is controlled

Clause 8.2: Requirements for Products and Services

Clause 8.2.1 – Customer communication

The auditor must ensure that

 the organisation informs its customers about information related to products and
services, for example, the purpose of the product, how it should be used, who can use
it, what its content is, and what the customer can expect from the product.
 queries from customers are handled. Corroborate a sample of customer
correspondence to ascertain whether action was taken to satisfy customer requirements;
look for evidence.
 feedback from customers (including complaints) is obtained to ensure customer
satisfaction.
 customer property is controlled and protected.
 specific requirements for contingency actions for identified risks have been established.

Clause 8.2.2 – Determining the requirements for products and services

The auditor must ensure that

 the organisation has the necessary measures in place to support the product or service
it offers to customers. For example, examine a returns department to ascertain if it is
properly resourced, or whether the organisation has sufficient resources to respond
effectively to a customer complaint.
 the organisation meets all statutory and regulatory requirements for its offerings.
Ask for and review the legal or compliance register of the organisation, or ascertain if
a legal audit/review has been conducted and the results documented.

Clause 8.2.3 – Review of the requirements for products and services

Clause 8.2.3.1 – (No Title)

The auditor must ensure that

 the organisation has the ability to meet the specific requirements as defined in Clause
8.2.2
 the organisation reviews the requirements before committing to supplying the
products and services, taking into consideration
o the delivery and post-delivery activities required, for example, transportation
of products, or when a product can be activated or used
o requirements not stated by the customer, but required by a manufacturer
before intended use, for example, a cell phone that needs to be charged before
it is used
o requirements specified by the organisation to ensure a high standard of
product or service delivery, for example, if you manufacture ear pieces and the
product must be imported, the organisation does not have control over these
processes and therefore cannot commit to delivery within a certain timeframe
o statutory and regulatory requirements as stated in Clause 8.2.2
o contract or order requirements that differ from those previously stated; this
must be resolved during the activities explained in Clause 8.2.1 (Determining
the customer’s requirements)
 all customer requirements are confirmed and documented before acceptance of
the order

NOTE: Where confirmation of requirements is impractical, advertising or product
information catalogues can be used.

Clause 8.2.3.2 – (No Title)

The auditor must ensure that

 documented information is kept to prove that the organisation reviewed the results of
any new requirements for products and services.
 this information is resourced and managed as required by Clause 7.5 (Documented
information).

Clause 8.2.4 – Changes to requirements for products and services

The auditor must ensure that

 the organisation has documented information ensuring that, should requirements
change, the relevant people in the organisation are informed about these changes.
Evidence may be in the form of impact assessments or a list of interested and affected
parties and processes.

Clause 8.3: Design and Development of Products and Services

Clause 8.3.1 – General

The auditor must ensure that

 a design and development process is established, implemented and maintained
 the process indicates how the products and services will be provided. A
conventional way is drawing up a process flow or procedure detailing the activities
with their inputs and outputs.

NOTE: Some organisations may deem this clause not to be applicable due to the nature
of their organisation, for example, Civil Engineering Consultants versus a Used Car
Dealer. However, this decision must be documented based on factual and relevant
information.

Clause 8.3.2 – Design and development planning

The auditor must ensure that

 the organisation has planned and documented the design and development process,
taking into consideration:
o the nature, duration and complexity of the design and development activities
o the required design and development verification and validation activities
o the responsibilities and authorities involved in the design and development
process
o the internal and external resources needed for the design and development of
products and services
o the need to control interfaces between persons involved in the design and
development process
o the requirements for subsequent provision of products and services
o the level of control expected for the design and development process by
customers and other relevant interested parties
o the documented information needed to demonstrate that design and
development requirements have been met

Sample evidence could include decisions recorded in minutes of meetings where
planning and documenting the design is on the agenda.

Clause 8.3.3 – Design and development inputs

The auditor must ensure that

 requirements essential for specific types of products and services have been identified
 functional and performance requirements have been considered
 information derived from previous similar design and development activities has
been considered
 statutory and regulatory requirements have been considered
 required standards or codes of practice are committed to
 potential consequences of failure due to the nature of the products and planned
activities have been considered
 inputs are adequate for the design and development purposes
 conflicting design and development inputs have been resolved
 documented information is maintained

Most often, the comparison between tender request submissions is a good source of
information to ascertain if design inputs have been considered and met.

Clause 8.3.4 – Design and development controls

The auditor must ensure that

 the organisation has defined the desired results that are/are to be achieved
 reviews are/have been conducted to ensure that requirements are met
 verification activities are/have been conducted to measure that outputs meet input
requirements
 validation activities are done to confirm the intended use of the product or service
 actions are taken where deviations occur
 documented information is maintained for all activities

Assess whether the organisation has defined controls to ensure that no error is engineered into
the design and development process. A poor design can lead to a poor quality manufactured
product/delivered service. This may lead to rework, which wastes resources.

Clause 8.3.5 – Design and development outputs

The auditor must ensure that design and development outputs:

 meet the input requirements
 are adequate for the processes to provide the product or service
 refer to acceptance criteria
 specify the characteristics of the products and services to confirm the intended use

and that documented information is maintained.

These documents define the design, and can be whatever the organisation chooses to define
them as. This could be written assembly instructions, drawings, electronic machining files,
etc. The outputs, however, need to:

 include anything required in the inputs (for example, if a drawing is required by the
customer, or a machine shop requires electronic CAD files)
 be usable by necessary departments such as purchasing and production
 have the acceptance criteria for the product, and identify the essential characteristics
for proper use.

Clause 8.3.6 – Design and development changes

The auditor must ensure that

 the organisation identifies how to review and control changes
 documented information of changes is maintained
 results of reviews are maintained
 changes are authorised
 any actions taken to prevent adverse impacts on products and services are documented
and maintained

This requirement refers to how an organisation changes its drawings, instructions, etc. The
concept is to make sure that not just anyone can make changes, and that a change is shown to be
good and approved before it is implemented. Included in this is deciding
how making this change will affect related parts, and how not making this change to parts
already complete will affect their usability. Of course, records of these changes need to be
kept.

Clause 8.4: Control of Externally Provided Processes, Products and Services

Clause 8.4.1 – General

The auditor must ensure that

 externally provided processes, for example, transportation and supply of goods and
materials, comply with the requirements identified for product and service delivery
 controls are defined for externally provided processes that influence the organisation’s
own products and services.

An example could include assessing if the organisation has identified and mapped any
external processes, products and services into its own organisational processes.

Clause 8.4.2 – Type and extent of control

The auditor must ensure that

 processes, products and services provided externally do not adversely affect the
organisation’s ability to consistently deliver conforming products and services to its
customers
 externally provided processes remain within the control of the organisation’s QMS
 controls are applied to the external provider(s), and the controls applied to the
resulting outputs of the externally provided process are defined
 the organisation takes into consideration the potential impact that externally provided
processes have on the requirements of the organisation’s clients; this will include
statutory and regulatory requirements as defined in Clause 8.2.2
 the organisation takes into consideration the extent to which the external provider
applies the controls effectively
 the organisation determines and conducts verification of activities done by the external
provider

Assess whether or not the organisation carried out any second-party audits on external parties
or performs inspections on externally provided processes, products or services.

Clause 8.4.3 – Information for external providers

The auditor must ensure that

 the organisation’s requirements are defined properly before they are communicated to
the external provider. This could be in the form of an MOU or SLA, etc.
 the organisation has communicated the following to external providers
o the processes, products and services that are to be/need to be provided
o when products and services will be approved
o what methods, processes and equipment are used to carry out approval tasks
o the conditions of release for the processes, products or services
o what competency level is required for persons employed by an external
provider involved in the provision of processes, products or services
o the conditions and extent to which external providers will interact with the
organisation
o the scope and schedule of performance or verification reviews on external
providers

Assess if the organisation has evidence to support any of the requirements above.

Clause 8.5: Production and Service Provision

Clause 8.5.1 – Control of production and service provision

The auditor must ensure that

 the organisation has ensured that production and service provision is done under
controlled conditions. Controlled conditions refer to
o documented information
o the implementation of monitoring and measurement activities
o the use of suitable infrastructure and environment
o the validation/re-validation activities
o the implementation of actions to prevent human error
o the implementation of release, delivery and post-delivery activities

Assess if the organisation has any documented information that shows compliance to the
requirements of this clause, for example, inspection reports, non-conformance reports, etc.

Clause 8.5.2 – Identification and traceability

The auditor must ensure that

 suitable activities are in place to identify outputs after each production phase
 the unique identification of each output is controlled
 documented information is maintained to prove traceability, for example, batch
numbers, bar codes, document/record numbers and inspection reports

Clause 9 – Performance Evaluation

Applicable Clauses

CLAUSE NO.   CLAUSE DESCRIPTION
9.1          Monitoring, measurement, analysis and evaluation
9.1.1        General
9.1.2        Customer satisfaction
9.1.3        Analysis and evaluation
9.2          Internal audit
9.3          Management review (Title only)
9.3.1        General
9.3.2        Management review inputs
9.3.3        Management review outputs

What Must the Auditor Look for?

Clause 9.1: Monitoring, Measurement, Analysis and Evaluation

Clause 9.1.1 – General
The auditor must ensure that

 the organisation has identified
o what needs to be monitored and measured
o what methods are used to ensure valid results
o when monitoring and measurement takes place
o when results are analysed and evaluated

Documented processes, testing and inspection records are usually good sources to ascertain if
the requirements of this clause have been met.

Clause 9.1.2 – Customer satisfaction
The auditor must ensure that

 the organisation monitors the client’s degree of satisfaction
 methods for obtaining this information are defined
