COURSE INTRODUCTION
This course has been carefully designed to allow delegates to understand the process of
auditing in the field of quality management. The course uses the guidance of ISO 19011:2011
to understand how to conduct internal audits of quality management systems (QMS) based on
ISO 9001:2015.
COURSE OUTCOMES
This course will enable you to:
Revise the ISO 9001:2015 Implementation course
Understand the ISO 19011:2011 requirements for conducting audits
Understand the fundamentals of auditing
Understand the auditing process
Understand what characteristics the auditor needs, career development and continual
improvement
Understand the requirements for an auditor
Understand the auditing of a QMS based on ISO 9001:2015
SUCCEEDING IN THIS COURSE
The information collated in this manual is intended for delegates who have attended the ISO
9001:2015 Implementation course.
To gain maximum benefit from this course, the facilitator will appreciate delegates:
participating professionally where interaction is required
being punctual when breaks are allowed
avoiding all outside distractions – working on laptops or phones during training is not
allowed
leaving the classroom silently if there is a need to attend to an external situation, which they
are welcome to do
asking questions when in doubt
We hope you find this course useful and enjoyable. Your feedback at the end is
important as it assists us with constantly improving our training services.
Module 1
Lesson 2 of 2
“This international standard promotes the adoption of a process approach when developing,
implementing and improving the effectiveness of a QMS, to enhance customer satisfaction by
meeting customer requirements. Specific requirements considered essential to the adoption of
a process approach are included in Clause 4.4.
The process approach involves the systematic definition and management of processes and
their interactions, to achieve the intended results in accordance with the quality policy and
strategic direction of the organisation. Management of the processes and the system as a
whole can be achieved using the PDCA cycle (see Clause 0.3.2) with an overall focus on
risk-based thinking (see Clause 0.3.3) aimed at taking advantage of opportunities and
preventing undesirable results.
“The concept of risk-based thinking has been implicit in previous editions of this
international standard, for example, through requirements for planning, review and
improvement. This standard specifies requirements for the organisation to understand its
context (see Clause 4.1) and determine risks as a basis for planning (see Clause 6.1). This
represents the application of risk-based thinking to planning and implementing QMS
processes (see Clause 4.4) and will assist in determining the extent of documented
information.
One of the key purposes of a QMS is to act as a preventive tool. Consequently, this
standard does not have a separate clause or sub-clause on preventive action. The
concept of preventive action is expressed using risk-based thinking to formulate QMS
requirements.
The risk-based thinking applied in this standard has enabled some reduction in prescriptive
requirements and their replacement by performance-based requirements. There is greater
flexibility than in ISO 9001:2008 in the requirements for processes, documented information
and organisational responsibilities.
Although Clause 6.1 specifies that the organisation should plan actions to address risks, there
is no requirement for formal methods for risk management or a documented risk management
process. Organisations can decide whether to develop a more extensive risk management
methodology than is required by this standard, for example, through the application of other
guidance or standards.
Not all the processes of a QMS represent the same level of risk in terms of the organisation’s
ability to meet its objectives, and the effects of uncertainty are not the same for all
organisations. Under the requirements of Clause 6.1, the organisation is responsible for its
application of risk-based thinking and the actions it takes to address risk, including whether
or not to retain documented information as evidence of its determination of risks.”
Why Implement Risk-Based Thinking?
The primary focus of quality management is to meet customer requirements and to strive to
exceed customer expectations.
Rationale
QMP 2 – Leadership
Statement
Leaders at all levels establish unity of purpose and direction and create conditions in
which people are engaged in achieving the organisation’s quality objectives.
Rationale
Creation of unity of purpose and the direction and engagement of people enable an
organisation to align its strategies, policies, processes and resources to achieve its
objectives.
QMP 3 – Engagement of People
Statement
Competent, empowered and engaged people at all levels throughout the organisation are
essential to enhance the organisation’s capability to create and deliver value.
Rationale
Consistent and predictable results are achieved more effectively and efficiently when
activities are understood and managed as interrelated processes that function as a coherent
system.
Rationale
QMP 5 – Improvement
Statement
Rationale
Rationale
For sustained success, organisations manage their relationships with interested parties, such
as providers.
Rationale
Terms and definitions were already covered in the ISO 9001:2015 Introduction course.
The ISO 9000:2015 document containing the full standard was handed out in the
Implementation course.
Module 2
Lesson 1 of 2
WHY DO WE DESPISE AUDITS? WHAT IS THE PURPOSE OF AUDITI...
An audit is a systematic, independent and documented process for obtaining audit evidence
and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. A
management system audit means obtaining evidence and objectively evaluating it to
determine the extent to which the requirements of a management system standard are
fulfilled.
WHAT IS AN AUDIT?
WHY DO WE DESPISE AUDITS? WHAT IS THE PURPOSE OF AUDITI...
Most people dislike audits, possibly, because of unpleasant experiences with
auditors who were incompetent, poorly trained, lacked experience within the specific
field and resulted in
The purpose of auditing is not to find non-conformances and assign blame. This is
why it is important to apply the principles of auditing (ISO 19011:2011, Clause 4) to
every single audit.
Audit Types
Audits can be classified by the type of audit, which can be based on the relationship between
the auditor and the person/organisation being audited. Firstly, we can differentiate between
internal and external audits. Internal audits are called first-party audits. External audits can be
either second or third-party audits.
First-Party Audits
First-party audits are internal audits conducted by an organisation of its own management
system. It is a self-assessment. Internal audits can be conducted in two ways. A horizontal
audit is when you audit one process across many departments in the organisation; for example,
you can audit the implementation of the document control process/procedure across several
or all departments. A vertical audit means all the processes in one department are audited, for
example, auditing the processes of the training department.
Second-Party Audits
Second party audits are external audits by one organisation auditing another. They are
conducted by parties having an interest in the organisation, for example, customers, and are
usually based on a current or future agreement or contract for the supply of goods and/or
services.
Third-Party Audits
Third party audits are external audits conducted by an independent auditing organisation for
legal, regulatory or certification purposes (for example, legal compliance audit, certification
to ISO 9001:2015).
ISO 17021
Since the first edition of this international standard was published in 2002, a number of new
management system standards have been published. As a result, there is now a need to
consider a broader scope of management system auditing, and to provide guidance that is
more generic.
In 2006, the ISO committee for conformity assessment (CASCO) developed ISO/IEC 17021,
which sets out requirements for third-party certification of management systems, and which
was based, in part, on the guidelines contained in the first edition of this standard.
The second edition of ISO/IEC 17021, published in 2011, was extended to transform the
guidance offered in the standard into requirements for management system certification
audits. It is in this context that this second edition of the standard provides guidance for all
users, including small and medium-sized organisations, and concentrates on what are
commonly termed “internal audits” (first-party) and “audits conducted by customers on their
suppliers” (second-party). While those involved in management system certification audits
follow the requirements of ISO/IEC 17021:2011, they might also find the guidance in this
standard useful.
In July 2015, ISO released a third iteration titled, ISO 17021:2015 Conformity assessment –
Requirements for bodies providing audit and certification of management systems. This
version made the following fundamental changes:
The new standard allows certified organisations to add a statement (but no mark) to
product packaging (not product) and accompanying literature that it has a certified
management system.
This international standard does not state requirements, but provides guidance on the
management of an audit programme, on the planning and conducting of an audit of the
management system, as well as on the competence and evaluation of an auditor and an audit
team.
Organisations can operate more than one formal management system. To simplify the
readability of this standard, the singular form of “management system” is preferred, but the
reader can adapt the implementation of the guidance to their own particular situation. This
also applies to the use of “person” and “persons”, “auditor” and “auditors”.
This standard is intended to apply to a broad range of potential users, including auditors,
organisations implementing management systems, and organisations needing to conduct
audits of management systems for contractual or regulatory reasons. Users of this standard
can, however, apply this guidance in developing their own audit-related requirements.
The guidance in this standard can also be used for the purpose of self-declaration, and can be
useful to organisations involved in auditor training or personnel certification.
The guidance in this standard is intended to be flexible. As indicated at various points in
the text, the use of this guidance can differ depending on the size and level of maturity
of an organisation’s management system and on the nature and complexity of the
organisation to be audited, as well as on the objectives and scope of the audits to be
conducted.
This standard introduces the concept of risk to management systems auditing. The approach
adopted relates both to the risk of the auditing process not achieving its objectives, and to the
potential of the audit to interfere with the auditee’s activities and processes. It does not
provide specific guidance on the organisation’s risk management process, but recognises that
organisations can focus audit efforts on matters of significance to the management system.
This international standard adopts the approach that when two or more management systems
of different disciplines are audited together, this is termed a “combined audit”. Where these
systems are integrated into a single management system, the principles and processes of
auditing are the same as for a combined audit.
Figure 4: Summary of the ISO 19011:2011 standard.
ISO 19011:2011, Clause 1: Scope
The first clause of ISO 19011:2011 deals with the scope of the standard. The
scope can be defined as the extent to which subject matter deals with a topic.
The ISO 19011:2011 standard provides guidance and insights on auditing management
systems and elaborates on
the principles of auditing
managing an audit programme
conducting management system audits
guidance on the evaluation of competence of individuals involved
in the auditing process
persons managing the audit programme
auditors and audit teams
The standard is generic and can be applied to the auditing of any type of organisation. It
also applies to organisations that need to conduct internal or external audits of management
systems or to manage an audit programme.
ISO 19011:2011, Clause 2: Normative References
ISO 19011:2011, Clause 3: Terms and Definitions
Refer to Clause 3 in the ISO 19011:2011 for discussion about the definitions.
Exercise
The class will be divided into two groups and allowed 30 minutes to read through and review
the terms and definitions attributed to ISO 19011:2011. Once the time is up, the standards
must be closed and each group will be given the opportunity to ask the other group 5 terms
each in this section. The groups are allowed an opportunity to discuss the appropriate
response amongst themselves. Once the response has been provided, the facilitator will
determine the adequacy of the answer.
This person’s responsibility is to:
establish the objectives and extent of the audit programme
identify and evaluate audit programme risks
establish the responsibilities and audit procedures
identify and ensure resources are provided to maintain the audit programme
inform top management of the contents of the audit programme and request
approval
ensure the implementation of the audit programme
ensure that appropriate records are maintained
ensure that the audit programme is monitored, reviewed and improved
The Audit Programme and Plan
The difference between an audit programme and an audit plan is
Ensure that audit programme objectives are established – top management. (P)
The scope or extent of the audit programme can include more than one
management system (separately or combined) or only one audit (for
example, for a project).
Assign one or more competent persons to manage the audit programme – top management
(P)
The person managing the audit programme must have the necessary
competence (See Clause 5.3.2).
Establish the extent of audit programme – person(s) managing audit programme
(P).
Identify and evaluate the audit programme risks – person(s) managing audit
programme (P).
Establish audit responsibilities – person(s) managing audit programme (P).
Establish procedures – person(s) managing audit programme (P).
Identify audit programme resources – person(s) managing audit programme (P).
Inform top management of contents of programme and request approval –
person(s) managing audit programme (P).
ANNUAL AUDIT PROGRAMME FOR YEAR: 2017
Columns: SECTION, TYPE, then Jan to Dec grouped into 1ST, 2ND, 3RD and 4TH QUARTER
Operations, 1st Party: X X
Finance Department, 1st Party: X
HR Department, 1st Party: X
Engineering, 1st Party: X X
IT Department, 1st Party: X
ISO9001 Certification, 3rd Party: X
Supplier ABC, 2nd Party: X
Customer 123, 2nd Party: X
Management Review: X
Objectives of an Audit
The person managing the audit programme defines the objectives for each audit in the audit
programme. In any audit, there are objectives that need to ensure an unbiased, factual audit is
conducted
management priorities
commercial intentions
management system requirements
statutory, regulatory and contractual requirements
needs of supplier evaluations
customer requirements
previous internal and/or external audit
needs of other interested parties
organisational risk to the auditee
logistical surroundings and/or arrangements
The criteria are an indication of the references that will be used to measure against. The audit
criteria are used as a reference against which conformity is determined and may include
applicable
This clause contains guidance on preparing and conducting audit activities as part of an audit
programme. This clause will be discussed in detail in Module 4, The Auditing process.
The competence of the people involved in the planning and carrying out of audits will
determine whether or not the objectives of an audit will be achieved, and whether the auditing
process will be carried out in a manner that gives confidence in the outcome.
Education, work experience, auditor training and audit experience, personal behaviour and
the ability to apply their knowledge and skills would be just some of the measures to
determine the competence of auditors. An auditee should not be audited by a person who is
unfamiliar with the kind of business the organisation is in.
The consideration of auditors should take the needs of the audit programme and its objectives
into account. Clause 7.2.3 delves a little deeper into the knowledge and skills an auditor
should have when it comes to the auditing of management systems. This clause does not
require everyone in a team to have full knowledge of every aspect of a system in relation to
its industry, but the team as a whole should be composed of people who can collectively
ensure that the objectives of the audit are achieved.
Module 4
Lesson 1 of 1
The audit team leader must establish contact with the auditee, formally or informally.
Determine Feasibility
Read Clause 6.2.3.
To provide reasonable confidence that audit objectives can be achieved, the following factors
should be considered
sufficient and appropriate information for planning the audit
adequate co-operation from the auditee
adequate time and resources available
does the audit team have access to site and are they allowed on the premises?
does the audit team need to comply with an induction process and/or do the members
understand the security and safety rules of the site?
are they aware of the areas where they are allowed or not allowed?
Review and Acceptance of Audit Plan (SO1, AC2) (SO2,
AC2)
The audit team leader must obtain the acceptance of the audit plan by the audit client and/or
auditee. Objections to the audit plan should be resolved between the audit team leader, the
auditee and the audit client.
Assign Work to the Audit Team
The audit team leader must assign specific responsibilities for processes, activities, functions
or locations to each team member in consultation with the team. Independence, competence,
roles and responsibilities of auditors, auditors in training and technical experts, as well as
effective use of resources must be taken into account.
Prepare Work Documents
Work documents may include checklists, audit sampling plans and forms. Read Clause B.4
for guidance on preparing work documents.
Site Audit Conditions
Prior to doing the audit, there are a few things that need to be confirmed, which should have
been mentioned within the audit plan/programme
does the audit team have access to site and are they allowed on the premises?
does the audit team need to comply with an induction process and/or do the members
understand the security and safety rules of the site?
are they aware of the areas where they are allowed or not allowed?
Are All Audits Planned, Or Can Surprise Audits Be
Conducted?
The majority of audits are planned. However, that does not preclude the internal audit
department from conducting unplanned audits. Prior to any audit, the internal audit
department will discuss the scope, purpose, and estimated timeframe of the audit with
appropriate stakeholders. This must, however, be documented in the audit policy or
procedure.
Safety, Health and Environmental Policies and Procedures
During an audit, it is imperative that the audit team adheres to all safety, health and
environmental policies. Often, organisations have an induction programme(s) that must be
attended. This will be applicable for external audits, but where internal audits are done at
different sites, internal staff might also be required to undergo induction for the
specific site where they conduct the audit.
AUDIT PLAN
Locations: Laboratory
Roles and responsibilities: Lead auditor, auditors, observers and guides, auditee
Opening meeting: List the meeting agenda as per ISO 19011:2011, Clause 6.4.2
The audit team leader will chair the opening meeting. An audit starts with an opening
meeting or, in some cases, with a phase where documented information is reviewed first.
The objective of the opening meeting is to address the objectives, scope and criteria of the
audit to be conducted, as well as to introduce the audit team to the organisation’s top
management and auditee and to establish who the guides or observers available to assist the
audit team will be.
Communication methods, language to be used, and method of reporting will be agreed at this
time. The conditions under which the audit may be terminated, and the appeals system,
should it be necessary, will also be clarified at this meeting.
The auditee’s documentation must be reviewed by auditors to determine conformity with the
audit criteria and to gather information to support the audit activities (see Clause B.2).
Communication will be facilitated mainly by the audit team leader. The audit team should
confer periodically. There should be constant communication between the auditor and
auditee. The audit team leader will communicate critical issues. Any change required to the
audit plan must be reviewed and approved by both the person(s) managing the audit
Guides appointed by the auditee should assist the audit team and act on requests from the
audit team leader. Health and safety obligations of observers are managed between the audit
client and/or auditee.
Collect and Verify Information (SO1, AC3) (SO3, AC3)
Read Clause 6.4.6.
During the audit, information relevant to the audit objectives, scope and criteria, including
information relating to interfaces between functions, activities and processes, should be
collected by means of appropriate sampling, and should be verified. Only information that is
verifiable should be accepted as audit evidence. Audit evidence leading to audit findings
should be recorded. If, during the collection of evidence, the audit team becomes aware of
any new or changed circumstances or risks, these should be addressed by the team
accordingly.
“Information can be data that is (1) accurate and timely, (2) specific and organised for a
purpose, (3) presented within a context that gives it meaning and relevance, and (4) can lead
example, if a manager is told the company's energy usage decreased in the past month, they
may use this information as a reason to identify how this impacted on production, or was
“Who does...?”
“Why do you...?”
The auditor needs to avoid asking any closed, leading, vague or antagonistic questions.
Open and closed questions can be asked together. Refer to the following examples.
In order to determine audit findings, audit evidence should be evaluated against audit criteria.
Read Clause B.8.
ISO 19011:2011, Clause 3.4 (Audit findings) - “Results of the evaluation of the collected
audit evidence (Clause 3.3) against audit criteria (Clause 3.2)”
NOTE: Audit findings can indicate either conformity or non-conformity with audit criteria or
opportunities for improvement.
How to Deal With Findings
The ISO 19011:2011 refers to either a non-conformity or conformity in the definition of audit
findings, Clause 3.4. Other literature refers to “major and minor findings, recommendations
for improvements according to best practices or improvement opportunities, etc.”
During an audit, the audit team should meet at appropriate stages to discuss findings and to
ensure that there is agreement regarding the conclusion, as other audit team members may
have additional information not known to all team members.
Non-Conformance/Finding
A non-conformance/finding means that the evidence supplied indicates that there is sub-
available. Remember the auditee will need to agree and confirm that the finding presented is
accurate. Findings must be clearly defined and unambiguous (not open to more than one
interpretation).
when interviews are done, record the name of the person and his/her
position and location/ area that was audited
when documented information is reviewed, the document number, title or
identification method, origin of the information, etc. must be recorded
record whether the reviewed information conformed /did not conform to
the requirements
refers to the objective evidence that needs to be acquired by the auditor to prove compliance
ISO 19011:2011, Clause 3.5 (Audit conclusions) - “Outcome of an audit (Clause 3.1),
provided by the audit team (Clause 3.9) after consideration of the audit objectives and all
audit findings”
Prior to the closing meeting, the audit team should confer to review the findings, agree on the
conclusions, prepare recommendations and discuss audit follow-up.
Closing Meeting (SO1, AC6) (SO6, AC5)
Read Clause 6.4.9.
The objective of the closing meeting, facilitated by the audit team leader, is not to report on
all findings, but to summarise them. Should further discrepancies arise from the closing meeting,
they must be dealt with after the meeting. Audit conclusions, including recommendations for
improvement, are presented as part of the summary at the closing meeting.
The lead auditor will relay the audit team’s findings to top management and other
organisational representatives and, where necessary, highlight the high-risk areas found
during the audit. It is imperative that audit findings reported on at the closing meeting be
evident in the audit report. Should the auditee provide objective evidence at a later stage,
after the closing meeting, the findings will still be documented in the audit report.
Confirmation of the period the auditee has to submit corrective actions must be clarified. The
duration will depend on the critical aspects for certain findings; the discretion of the lead
auditor should also be used.
It should not be the internal auditor’s responsibility to distribute and discuss findings with
anybody else in the organisation. Confidentiality must be maintained. In the case where an
external auditor submitted the audit report to the organisation, a company representative will
be responsible for the distribution of the report.
Accurate and provable information is the key to an audit report. The audit report should also
be checked for grammar and typing errors prior to distribution. This portrays a professional
and valuable report.
The distribution of the report should be done within the agreed timeframes and where delays
do occur, this must be communicated to the relevant client (whether internal or external).
The report should provide a complete, accurate, concise and clear record of the on-site audit
conducted. It needs to be concluded, dated, reviewed and approved, as soon as possible after
the audit, and distributed to recipients designated by the organisation.
Company Logo
Index
Executive summary of supplier
Disclaimer
Audit objectives
Audit scope
Audit limitations
Summary of organisation processes
Abbreviations
Audit plan
Audit methods
Conclusion
Closure
Compliance Levels
C: Compliance to Standard requirements
NC: Non-Compliance to Standard requirements
QNC: The organisation must provide more evidence
to verify the level of compliance
OBS: Observation is designed to highlight a potential
compliance issue
FYI: For the organisation’s information
NO.: 1
REQUIREMENT: ISO 9001:2015 Clause 5.2.1
DESCRIPTION OF FINDING: The policy is in draft format and is therefore not approved by management.
RECOMMENDATION: Finalise the policy and obtain management approval
APPLICABLE ACTIVITIES: Reviewing of documented information
Step 4: Follow-Up
Conducting Audit Follow-Up (SO1, AC7) (SO7, AC7)
Read Clause 6.7
From the final audit report distributed, and depending on the audit objectives, there may be a
need for corrective or improvement actions to be implemented. The audit team leader and
auditee will agree on the timeframe for implementation of actions.
Once implemented, the effects should be verified. This verification may form part of a
subsequent audit, which should be specified as a follow-up audit. Members of the initial audit
team may be required for this task.
The Auditor
Read Clause 7
The evaluation of the competence of the auditor should be undertaken by a person or a panel
using one or more of the methods selected below.
These methods can also be used during the evaluation of compliance of the QMS. The
objective of evaluation will then be aligned with the requirements of ISO 9001:2015.
This information should be matched against that listed in Clauses 7.2.3.2, 7.2.3.3 and 7.2.3.4.
Knowledge and skills related to the discipline and the application of discipline-specific
methods, techniques, processes and practices, should be sufficient to enable the auditor to
examine the management system and generate appropriate audit findings and conclusions.
Lesson 1 of 2
Applicable Clauses
CLAUSE NO. CLAUSE TITLE
4.1 Understanding the organisation and its context
4.2 Understanding the needs and expectations of Interested parties
4.3 Determining the scope of QMS
4.4 QMS and its processes
Clause 4.2: Understanding the Needs and Expectations of
Interested Parties
The auditor must
ensure that interested parties, such as suppliers, stakeholders, etc. are considered to be
included in the QMS
evaluate contractor agreements to confirm that they are included and will comply with
the QMS requirements
ensure that any contractual obligations are included as compliance obligations for the
organisation
employees
board members / shareholders
neighbours
customers
suppliers/contractors
regulators
community and/or pressure groups
confirm that the physical and organisational boundaries are documented in the QMS
if only a section of the organisation is identified to be certified, this must be clarified in the
QMS
ensure that excluded activities do not pose a high risk of influencing the QMS negatively; if
they do, the organisation cannot exclude those activities
confirm that the defined scope is not misleading
CLAUSE NO. CLAUSE TITLE
5.1 Leadership and commitment
5.1.1 General
5.1.2 Customer focus
5.2 Quality policy (Title only)
5.2.1 Establishing the quality policy
5.2.2 Communicating the quality policy
5.3 Organisational roles, responsibilities and authorities
What Must the Auditor Look for?
Clause 5.1: Leadership and Commitment
Clause 5.1.1 – General
The auditor must:
relevant roles and authorities are assigned and communicated in order to effectively
control and ensure conformance to the requirements of the QMS. This can be in the
form of appointments.
processes key to the QMS are reviewed. Ask for evidence of the outputs that are
defined in the process.
performance of the QMS is reported on as stipulated in Clause 10.1 (Improvement).
This can be in the form of minutes of management reviews.
customer satisfaction always remains the focus of everybody in the organisation. Ask
for evidence to the fact.
the integrity of the QMS is maintained when changes are made. For example, review
performance reports for before and after changes were implemented.
NOTE: Access can imply a decision regarding the permission to view the documented
information only, or the permission and authority to view and change the documented
information.
Clause 8 – Operation
Applicable Clauses
CLAUSE NO. CLAUSE DESCRIPTION
8.1 Operational planning and control
8.2 Requirements for products and services (Title only)
8.2.1 Customer communication
8.2.2 Determining the requirements for products and services
8.2.3 Review of the requirements for products and services
8.2.4 Changes to requirements for products and services
8.3 Design and development of products and services (Title only)
8.3.1 General
8.3.2 Design and development planning
8.3.3 Design and development inputs
8.3.4 Design and development controls
8.3.5 Design and development outputs
8.3.6 Design and development changes
8.4 Control of externally provided processes, products and services (Title only)
8.4.1 General
8.4.2 Type and extent of control
8.4.3 Information for external providers
8.5 Production and service provision (Title only)
8.5.1 Control of production and service provision
8.5.2 Identification and traceability
8.5.3 Property belonging to customers or external providers
8.5.4 Preservation
8.5.5 Post-delivery activities
8.5.6 Control of changes
8.6 Release of products and services
8.7 Control of nonconforming outputs
processes are established, implemented and controlled as defined in Clause 4.4 (QMS
and its processes)
these processes address the requirements of products and services
actions identified in Clause 6 (Actions to address risks and opportunities) are planned,
implemented and controlled
criteria for all processes are established to achieve the desired results for products and
services; these criteria must include when products and services can be accepted or
not
sufficient resources (as defined in Clause 7.1) are available to conform to product and
service requirements
control of the process is implemented in accordance with the criteria identified
documented information is determined, maintained and retained to the extent that it
assures processes were carried out as planned and demonstrates the conformity of
products and services to their requirements
when there is change in operational processes, these changes are controlled so as to
reduce any adverse effects on the business, and where changes are unplanned, the
consequences are reviewed and actioned to mitigate any adverse effects
any process that is outsourced is controlled
Clause 8.2: Requirements for Products and Services
Clause 8.2.1 – Customer communication
The auditor must ensure that
the organisation informs its customers about information related to products and
services, for example, the purpose of the product, how it should be used, who can use
it, what its content is, and what the customer can expect from the product.
queries from customers are handled. Corroborate a sample of customer
correspondence to ascertain if action was taken to satisfy customer requirements;
look for evidence.
feedback from customers (including complaints) is obtained to ensure customer
satisfaction.
customer property is controlled and protected.
specific requirements for contingency actions of risks identified have been identified.
Clause 8.2.2 – Determining the requirements for products
and services
The auditor must ensure that
the organisation has the necessary measures in place to support the product or service
it offers to customers. Examine possibly a returns department to ascertain if it is
properly resourced or if the organisation has sufficient resources to respond
effectively to a customer complaint.
the organisation meets all statutory and regulatory requirements for their offerings.
Ask for and review the legal or compliance register for the organisation or ascertain if
a legal audit/review has been conducted and the results documented.
Clause 8.2.3 – Review of the requirements for products
and services
Clause 8.2.3.1 – (No Title)
the organisation has the ability to meet the specific requirements as defined in Clause
8.2.2
the organisation reviews the requirements before committing to supplying the
products and services, taking into consideration
o the delivery and post-delivery activities required, for example, transportation
of products, when a product can be activated or used
o requirements not stated by the customer, but required by a manufacturer
before intended use, for example, a cell phone that needs to be charged before
it is used
o requirements specified by the organisation to ensure a high standard of
product or service delivery, for example, if you manufacture ear pieces and the
product must be imported, the organisation does not have control over these
processes, therefore it cannot commit to delivery within a certain timeframe
o statutory and regulatory requirements as stated in Clause 8.2.2
o contract or order requirements that differ from those previously stated; this
must be resolved during the activities explained in Clause 8.2.1 (Determining
the customer’s requirements)
o all customer requirements are confirmed and documented before acceptance of
the order
NOTE: Where confirmation of requirements is impractical, advertising or product
information catalogues can be used.
Clause 8.2.3.2 – (No Title)
The auditor must ensure that
documented information is kept to prove that the organisation reviewed the results on
any new requirements for products and services.
this information is resourced and managed as required by Clause 7.5 (Documented
information).
Clause 8.2.4 – Changes to requirements for products and
services
The auditor must ensure that
Clause 8.3: Design and Development of Products and
Services
Clause 8.3.1 – General
NOTE: Some organisations may deem this clause not to be applicable due to the nature
of their organisation. For example, Civil Engineering Consultants versus a Used Car
Dealer. However, this decision must be documented based on factual and relevant
information.
Clause 8.3.2 – Design and development planning
The auditor must ensure that
the organisation has planned and documented the design and development process
taking into consideration:
o the nature, duration and complexity of the design and development activities.
o the required design and development verification and validation activities
o the responsibilities and authorities involved in the design and development
process
o the internal and external resources needed for the design and development of
products and services
o the need to control interfaces between persons involved in the design and
development process
o the requirements for subsequent provision of products and services
o the level of control expected for the design and development process by
customers and other relevant interested parties
o the documented information needed to demonstrate that design and
development requirements have been met
Sample evidence could include decisions recorded in minutes of meetings with the agenda for
planning and documenting the design.
Clause 8.3.3 – Design and development inputs
The auditor must ensure that
requirements essential for specific types of products and services have been identified
functional and performance requirements have been considered.
information derived from previous similar design and development activities has
been considered.
statutory and regulatory requirements have been considered.
required standards or codes of practice are committed to
potential consequences of failure due to the nature of the products and planned
activities have been considered
inputs are adequate for the design and development purposes
conflicting design and development inputs have been resolved
documented information is maintained.
Most often, the comparison between tender request submissions is a good source of
information to ascertain if design inputs have been considered and met.
the organisation has defined the desired results that are/are to be achieved.
reviews are/have been conducted to ensure that requirements are met.
verification activities are/have been conducted to measure that outputs meet input
requirements
validation activities are done to confirm the intended use of the product or service
actions are taken where deviations occur.
documented information is maintained for all activities
Assess whether the organisation has defined controls to ensure that no error is engineered into
the design and development process. A poor design can lead to a poor quality manufactured
product/delivered service. This may lead to rework which wastes resources.
These documents define the design, and can be whatever the organisation chooses to define
them as. This could be written assembly instructions, drawings, electronic machining files,
etc. The outputs, however, need to:
include anything required in the inputs (for example, if a drawing is required by the
customer, or a machine shop requires electronic CAD files)
be usable by necessary departments such as purchasing and production
have the acceptance criteria for the product, and identify the essential characteristics
for proper use.
An example could include assessing if the organisation has identified and mapped in any
external processes, products and services into their own organisational processes.
processes, products and services provided externally do not adversely affect the
organisation’s ability to consistently deliver conforming products and services to its
customers
externally provided processes remain within the control of the organisation’s QMS
controls are applied to the external provider(s), and that the controls applied to the
resulting outputs of the externally provided process are defined
it takes into consideration the potential impact that externally provided processes have
on the requirements of the organisation’s clients; this will include statutory and
regulatory requirements as defined in Clause 8.2.2
the organisation’s requirements are defined properly before they are communicated to the
external provider. This could be in the form of an MOU or SLA, etc.
the organisation has communicated the following to external providers
o the process, products and services that are to be/need to be provided
o when products and services will be approved
o what methods, processes and equipment are used to carry out approval tasks
o the conditions of release for the processes, products or services
o what competency level is required for persons employed by an external provider
involved in the provision of processes, products or services
o the conditions and extent to which external providers will interact with the
organisation
o the scope and schedule of performance or verification reviews on external providers
Assess if the organisation has evidence to support any of the requirements above.
Clause 8.5: Production and Service Provision
Clause 8.5.1 – Control of production and service provision
the organisation has ensured that production and service provision is done under
controlled conditions. Controlled conditions refer to
documented information.
the implementation of monitoring and measurement activities
the use of suitable infrastructure and environment
the validation/re-validation activities
the implementation of actions to prevent human error
the implementation of release, delivery and post-delivery activities
Assess if the organisation has any documented information that shows compliance to the
requirements of this clause. For example, inspection reports, non-conformance reports, etc.
Applicable Clauses
CLAUSE NO. CLAUSE DESCRIPTION
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
9.1.2 Customer satisfaction
9.1.3 Analysis and evaluation
9.2 Internal audit
9.3 Management review (Title only)
9.3.1 General
9.3.2 Management review inputs
9.3.3 Management review outputs
9.1 Monitoring, measurement, analysis and evaluation
What Must the Auditor Look for?
Clause 9.1: Monitoring, Measurement,
Analysis and Evaluation
Clause 9.1.1 – General
The auditor must ensure that
Documented processes, testing and inspection records are usually good sources to ascertain if
the requirements of this clause have been met.
Clause 9.1.2 – Customer satisfaction
The auditor must ensure that
Ask for customer surveys, customer feedback on delivered products and services, meetings
with customers, market-share analysis, compliments, warranty claims and dealer reports.
Also, ascertain if effective actions were taken to deal with any deviations or
non-conformances.
Clause 9.1.3 – Analysis and evaluation
The auditor must ensure that
appropriate data is analysed and evaluated and that the results are used to evaluate:
o product conformity
o the degree of customer satisfaction
o the effectiveness of the QMS
o the effectiveness of planning for the delivery of the product and services
o whether organisational risks have been mitigated
o the performance of external providers
o the need for improvement of the QMS
A good source of information to ascertain if these types of reviews are conducted is minutes
of meetings where the analysis of data is on the agenda. Also, ask for possible reports that are
generated in this regard.
Ask for an audit programme and ascertain if the programme is adhered to.
Clause 9.2.2 – (No Title)
The auditor must ensure that
audit programme
audit scopes
audit reports
non-conformance reports
minutes of audit opening and closing meetings
the QMS is reviewed at planned intervals for suitability, adequacy, effectiveness and
alignment with strategic direction of the organisation.
Evidence for this could be in the form of management review meeting schedules, agendas
and minutes. Ascertain if the meetings have been meaningfully conducted and are not just a
paper or box-ticking exercise.
Clause 9.3.2 – Management review inputs
The auditor must ensure that
the review inputs comply with requirements of this clause. These requirements form a
good basis for an agenda for the management review meeting.
data sources for the review inputs are an accurate and honest account of the
performance of the QMS.
Ask for meeting agendas and reports that were to be discussed in management review
meetings. Request and review the data sources of where the report information comes from.
Clause 9.3.3 – Management review outputs
The auditor must ensure that
the outputs of management review meetings are realistic and comply with the needs
of the QMS.
Ask for Management Review Meetings. Ascertain if actions required due to the management
review have been or are in process of being dealt with.
Clause 10 – Improvement
Applicable Clauses
CLAUSE NO. CLAUSE DESCRIPTION
10.1 General
10.2 Nonconformity and corrective action
10.3 Continual Improvement
Annex A Clarification of new structure, terminology and concepts
Annex B Other international standards on quality management and quality management systems
developed by ISO/TC 176
These opportunities are usually identified due to outputs from management review meetings.
They could be in the form of improvements to
products
process
resource utilisation
employee skills and expertise
the reduction of waste, etc.
Clause 10.2: Non-Conformity and Corrective Action
The results of continual improvement must be measurable. They can come in the form of
year-on-year or period-on-period performance reports. Ask for evidence to support an
organisation’s claim that continual improvement is occurring.
Ensure that quality checks are conducted and, if equipment is used for any verification
purposes, that calibration certificates/records are available for inspection.
Clause 7.1.5.2 – Measurement traceability
If equipment is used for any verification purposes, ensure that calibration certificates/records are
available for inspection. Ask for any non-conformance reports that the auditee may have.
Clause 7.1.6 – Organisational knowledge
Applicable actions can include the provision of training to, the mentoring of, or the
reassignment of currently employed persons or hiring or contracting competent persons.
Clause 7.3: Awareness
INTERNAL EXTERNAL
NOTE 1: The extent of documented information for a QMS can differ from one organisation
to another due to
the size and type of activities, processes, products and services
the complexity of processes and their interactions
the competence of persons
NOTE 2: Most organisations do not manage all their information in one place; there is often
more than one system managing documented information. For example, finance may use an
electronic accounting system, whereas Human Resources has a hard copy filing system.
Ensure that there is at least documented information that defines how these systems are
managed.
Clause 7.5.2 – Creating and updating
Ascertain the adequacy of any policy or process covering how documentation is generated and
updated. This could also be in the form of software that manages the repository of
information on the organisation’s behalf. Review previous versions of documents and keep
an eye out for any outdated documentation that may lie around.
Clause 7.5.3 – Control of documented information
Clause 7.5.3.1 – (No Title)
–
processes are established, implemented and controlled as defined in Clause 4.4 (QMS
and its processes)
these processes address the requirements of products and services
actions identified in Clause 6 (Actions to address risks and opportunities) are planned,
implemented and controlled
criteria for all processes are established to achieve the desired results for products and
services; these criteria must include when products and services can be accepted or
not
sufficient resources (as defined in Clause 7.1) are available to conform to product and
service requirements
control of the process is implemented in accordance with the criteria identified
documented information is determined, maintained and retained to the extent that it
assures processes were carried out as planned and demonstrates the conformity of
products and services to their requirements
when there is change in operational processes, these changes are controlled so as to
reduce any adverse effects on the business, and where changes are unplanned, the
consequences are reviewed and actioned to mitigate any adverse effects
any process that is outsourced is controlled
the organisation informs its customers about information related to products and
services, for example, the purpose of the product, how it should be used, who can use
it, what the content it is, and what the customer can expect from the product.
queries from customers are handled. Corroborate a sample of customer
correspondence to ascertain of action was taken to satisfy customer requirements,
look for evidence.
feedback from customers (including complaints) is obtained to ensure customer
satisfaction.
customer property is controlled and protected.
specific requirements for contingency actions of risks identified have been identified.
the organisation has the necessary measures in place to support the product or service
it offers to customers. Examine possibly a returns department to ascertain if it is
properly resourced or if the organisation has sufficient resources to respond
effectively to a customer complaint.
the organisation meets all statutory and regulatory requirements for their offerings.
Ask for and review the legal or compliance register for the organisation or ascertain if
a legal audit/review has been conducted and the results documented.
the organisation has the ability to meet the specific requirements as defined in Clause
8.2.2
the organisation reviews the requirements before committing to supplying the
products and services, taking into consideration
o the delivery and post-delivery activities required, for example, transportation
of products, when a product can be activated or used
o requirements not stated by the customer, but required by a manufacturer
before intended use, for example, a cell phone that needs to be charged before
it is used
o requirements specified by the organisation to ensure a high standard of
product or service delivery, for example, if you manufacture ear pieces and the
product must be imported, the organisation does not have control over these
processes, therefore it cannot commit to delivery within a certain timeframe
o statutory and regulatory requirements as stated in Clause 8.2.2
o contract or order requirements that differ from those previously stated; this
must be resolved during the activities explained in Clause 8.2.1 (Determining
the customer’s requirements)
o all customer requirements are confirmed and documented before acceptance of
the order
documented information is kept to prove that the organisation reviewed the results on
any new requirements for products and services.
this information is resourced and managed as required by Clause 7.5 (Documented
information).
the organisation has planned and documented the design and development process
taking into consideration:
o the nature, duration and complexity of the design and development activities.
o the required design and development verification and validation activities
o the responsibilities and authorities involved in the design and development
process
o the internal and external resources needed for the design and development of
products and services
o the need to control interfaces between persons involved in the design and
development process
o the requirements for subsequent provision of products and services
o the level of control expected for the design and development process by
customers and other relevant interested parties
o the documented information needed to demonstrate that design and
development
o requirements have been met
Sample evidence could include decisions recorded in minutes of meeting with the agenda for
planning and documenting the design.
requirements essential for specific types of products and services have been identified
functional and performance requirements have been considered.
information derived from previous similar design and development activities have
been considered.
statutory and regulatory requirements have been considered.
required standards or codes of practice are committed to
potential consequences of failure due to the nature of the products and planned
activities have been considered
inputs are adequate for the design and development purposes
conflicting design and development inputs have been resolved
documented information is maintained.
Most often, the comparison between tender request submissions is a good source for
information to ascertain if in design inputs have been considered and met.
the organisation has the defined the desired results that are/are to be achieved.
reviews are/have been conducted to ensure that requirements are met.
verification activities are/have been conducted to measure that outputs meet input
requirements
validation activities are done to confirm the intended use of the product or service
actions are taken where deviations occur.
documented information is maintained for all activities
Assess whether the organisation has defined controls to ensure that no error is engineered into
the design and development process. A poor design can lead to a poor quality manufactured
product/delivered service. This may lead to rework which wastes resources.
These documents define the design, and can be whatever the organisation chooses to define
them as. This could be written assembly instructions, drawings, electronic machining files,
etc. The outputs, however, need to:
include anything required in the inputs (for example, if a drawing is required by the
customer, or a machine shop requires electronic CAD files)
be usable by necessary departments such as purchasing and production
have the acceptance criteria for the product, and identify the essential characteristics
for proper use.
This requirement refers to how an organisation changes their drawings, instructions, etc. The
concept is to make sure that not just anyone can make changes without making sure that the
change is shown to be good and approved to be implemented. Included in this is deciding
how making this change will affect related parts, and how not making this change to parts
already complete will affect their usability. Of course, records of these changes need to be
kept.
An example could include assessing if the organisation has identified and mapped any
external processes, products and services into their own organisational processes.
processes, products and services provided externally do not adversely affect the
organisation’s ability to consistently deliver conforming products and services to its
customers
externally provided processes remain within the control of the organisation’s QMS
controls are applied to the external provider(s), and that the controls applied to the
resulting outputs of the externally provided process are defined
it takes into consideration the potential impact that externally provided processes have
on the requirements of the organisation’s clients; this will include statutory and
regulatory requirements as defined in Clause 8.2.2
it takes into consideration the extent to which the external provider applies the
controls effectively
it determines and conducts verification of activities done by the external provider
Assess whether or not the organisation carries out any second-party audits on external parties
or performs inspections on externally provided processes, products or services.
the organisation’s requirements are defined properly before they are communicated to
the external provider. This could be in the form of an MOU or SLA, etc.
the organisation has communicated the following to external providers
o the process, products and services that are to be/need to be provided
o when products and services will be approved
o what methods, processes and equipment are used to carry out approval tasks
o the conditions of release for the processes, products or services
o what competency level is required for persons employed by an external
provider involved in the provision of processes, products or services
o the conditions and extent to which external providers will interact with the
organisation
o the scope and schedule of performance or verification reviews on external
providers
Assess if the organisation has evidence to support any of the requirements above.
the organisation has ensured that production and service provision is done under
controlled conditions. Controlled conditions refer to
documented information.
the implementation of monitoring and measurement activities
the use of suitable infrastructure and environment
the validation/re-validation activities
the implementation of actions to prevent human error
the implementation of release, delivery and post-delivery activities
Assess if the organisation has any documented information that shows compliance to the
requirements of this clause. For example, inspection reports, non-conformance reports, etc.
Applicable Clauses
CLAUSE NO.  CLAUSE DESCRIPTION
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
9.1.2 Customer satisfaction
9.1.3 Analysis and evaluation
9.2 Internal audit
9.3 Management review (Title only)
9.3.1 General
9.3.2 Management review inputs
9.3.3 Management review outputs
9.1 Monitoring, measurement, analysis and evaluation
What Must the Auditor Look for?
Clause 9.1: Monitoring, Measurement, Analysis and Evaluation
Clause 9.1.1 – General
The auditor must ensure that
the organisation has identified
o what needs to be monitored and measured
o what methods are used to ensure valid results
o when monitoring and measurement takes place
o when results are analysed and evaluated
Documented processes, testing and inspection records are usually good sources to ascertain if
the requirements of this clause have been met.
Clause 9.1.2 – Customer satisfaction
The auditor must ensure that
Ask for customer surveys, customer feedback on delivered products and services, meetings
with customers, market-share analysis, compliments, warranty claims and dealer reports.
Also, ascertain if effective actions were taken to deal with any deviations or
non-conformances.
Clause 9.1.3 – Analysis and evaluation
The auditor must ensure that
appropriate data is analysed and evaluated and that the results are used to evaluate:
o product conformity
o the degree of customer satisfaction
o the effectiveness of the QMS
o the effectiveness of planning for the delivery of the product and services
o whether organisational risks have been mitigated
o the performance of external providers
o the need for improvement of the QMS
A good source of information to ascertain if these types of reviews are conducted is minutes
of meetings where the analysis of data is on the agenda. Also, ask for possible reports that are
generated in this regard.
Ask for an audit programme and ascertain if the programme is adhered to.
Clause 9.2.2 – (No Title)
The auditor must ensure that
Typically, there are a number of pieces of documented information that can be referred to,
namely:
audit programme
audit scopes
audit reports
non-conformance reports
minutes of audit opening and closing meetings
the QMS is reviewed at planned intervals for suitability, adequacy, effectiveness and
alignment with strategic direction of the organisation.
Evidence for this could be in the form of management review meeting schedules, agendas
and minutes. Ascertain if the meetings have been meaningfully conducted and are not just a
box-ticking paper exercise.
Clause 9.3.2 – Management review inputs
The auditor must ensure that
the review inputs comply with requirements of this clause. These requirements form a
good basis for an agenda for the management review meeting.
data sources for the review inputs are an accurate and honest account of the
performance of the QMS.
Ask for meeting agendas and reports that were to be discussed in management review
meetings. Request and review the data sources of where the report information comes from.
Clause 9.3.3 – Management review outputs
The auditor must ensure that
the outputs of management review meetings are realistic and comply with the needs
of the QMS.
Ask for Management Review Meetings. Ascertain if actions required due to the management
review have been or are in the process of being dealt with.
Clause 10 – Improvement
Applicable Clauses
CLAUSE NO.  CLAUSE DESCRIPTION
10.1 General
10.2 Nonconformity and corrective action
10.3 Continual Improvement
Annex A Clarification of new structure, terminology and concepts
Annex B Other international standards on quality management and quality management systems
developed by ISO/TC 176
These opportunities are usually identified due to outputs from management review meetings.
They could be in the form of improvements to
products
process
resource utilisation
employee skills and expertise
the reduction of waste, etc.
Clause 10.2: Non-Conformity and Corrective Action
The results of continual improvement must be measurable. They can come in the form of
year-on-year or period-on-period performance reports. Ask for evidence to support an
organisation’s claim that continual improvement is occurring.