02 Slides - QMS04101ENIN - v6 (AD03) - Feb2020

CQI and IRCA Certified ISO 9001:2015 Lead Auditor Training Course
(Reminder to delegates)
Delegates are expected to have the following prior knowledge:
a) Management systems
• The Plan, Do, Check, Act (PDCA) cycle
• The core elements of a management system and the interrelationship between top
management responsibility, policy, objectives, planning, implementation, measurement,
review and improvement
b) Quality management
• The fundamental concepts and the seven quality management principles
• The relationship between quality management and customer satisfaction
c) ISO 9001
• Knowledge of the requirements of ISO 9001 and the commonly used quality management
terms and definitions
QMS04101ENIN v6.0(AD03) Feb 2020 Copyright © 2020 BSI. All rights reserved. 1
To maintain credibility, organizations need competent auditors. Recognized and valued

worldwide, this CQI and IRCA (Chartered Quality Institute and International Register of
Certificated Auditors) course is the accepted benchmark for management systems auditor
training.
Organizations recognize the value of using management systems to control business risk and
add value to their business. They rely on skilled professionals to assess the performance of
their management practices to enhance efficiency and credibility.
With increasing globalization and competitiveness, it is more important than ever for
organizations to use competent, certified auditors.
This course will give you the confidence to effectively audit a quality management system in
accordance with internationally recognized best practice techniques.
In addition, this course will help you:
• Identify the aims and benefits of an ISO 9001 audit

• Interpret ISO 9001 requirements for audit application
• Plan, conduct and follow-up auditing activities that add real value
• Grasp the application of risk-based thinking, leadership and process management
• Access the latest auditor techniques and identify appropriate use
• Build stakeholder confidence by managing processes in line with the latest requirements
You’ll be evaluated through the relevant CQI and IRCA examination and skills assessment. By
successfully completing your CQI and IRCA certified auditor training, you’ll demonstrate the
knowledge and necessary skills to undertake and lead an effective management systems
audit.
For your personal safety, please be aware of the emergency exits from your classroom and
the building, and assembly points and fire drill test times.
The tutor will inform you of the nearest restrooms.
Please do not leave valuable items unattended in the classroom. Keep them with you, or make
other arrangements for their safekeeping.
Please be considerate of other delegates and avoid distractions from your personal electronic
devices – mobile phones off/silent please.
Please do not use recording devices since they may restrict free discussion.
The tutor will inform you of the lunch and break schedule. Please return to class on time.
The tutor will inform delegates of any area(s) known to be available for smoking.
If there are any special needs (dietary, etc.) please confirm these now.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Your tutor(s) will introduce themselves.
Your turn!
• Delegate name?
• Organization and product, or service?
• Job position or role?
• Experience of quality management, and knowledge of ISO 9001?
• Any specific question to be answered/expectation from the course?
• Something interesting about YOU?
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
You may be unfamiliar with some of the terms above; please do not worry, these will be
explained as the course progresses.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Learning objectives describe in outline what delegates will know and be able to do by the
end of the course.
On completion, successful delegates should gain the displayed knowledge and skills.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
This course includes a detailed delegate workbook, tutorial sessions, practical activities,
continual evaluation and a two-hour written examination.
There is also a course notepad, which should be used as a ‘Learning Diary’, for recording
self-marking of model answers and during later reflection. The contents of the Delegate
Workbook include an agenda, slides and associated notes (like these), activities, references
and case study materials.
If any delegate has a question, which they feel might not be appropriate to ask at that
particular point in the course, a recording facility (flipchart page) has been provided. This
will be periodically reviewed by the tutor and questions dealt with at the appropriate time.
Model answers (in references section) are included in the folder for reference only after
completing the activity, and not for copying from during the activities (the only person you
will be cheating if you do look is yourself!); as exams are closed book it’s the learning
during the course and activities that will be important to you. However, if you manage to
finish an Activity early then please review the model answer; also compare with your own
outputs and then feedback any gaps and learning gained.
Delegates are expected and encouraged to participate, experiment, and question in a stress-
free environment.
Throughout this course, delegates will be assessed by the tutor against the criteria
contained within a personal continuous assessment record (PCAR), including:
• Participation in class and team activities, written assignments, attitude and personal
attributes, attendance and punctuality, communication skills and feedback
There is also an exam, on the last day, for 2 hours (70% to pass). Examination is ‘closed
book’, with four sections to complete. You may however re-sit the exam within a 12 month
period if you happen to be unsuccessful at the first attempt.
Delegates may use a ‘clean’ copy of the requirement standard (not annotated or marked)
during the exam – these are the only items normally permitted for reference.
Delegates, whose first language is not the language the course is presented in, may also use
an appropriate dictionary, and are also entitled to an extra 24 minutes (20%) for the
examination.
Dictionaries (for use in the exam) are also permitted for any delegate who has learning
difficulties; they are also entitled to an extra 36 minutes (30%) for the examination.
A specimen exam paper is provided, as part of the course materials, and you will have the
opportunity to work through this sample paper, before the actual exam.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
As auditing is a practical activity, and involves finding things out, this course is very
interactive in nature. Many activities have therefore been included where delegates will
collaborate in pairs/teams to create knowledge, rather than purely information
provision/discussion sessions from the tutor. This will greatly enhance your knowledge
retention, and provide an opportunity to discuss topics from other team members’
perspectives. The tutor will facilitate this learning, as appropriate. Team members will also
be swapped around, to ensure valuable existing knowledge and experience is shared
between delegates.
Do not concern yourself with the size of the case study; as your tutor will explain how
auditors would deal with this when auditing in a real life environment.
………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………
In order for delegates to achieve the overall learning objectives, you will need to acquire and
develop specific knowledge and skills. These are specified as ‘enabling objectives’ and can be
considered as steps to the achievement of learning objectives.
We will start with the ‘knowledge’ elements.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
First-party - Internal
A first-party audit is an audit conducted by an organization on itself, to determine whether
their systems and processes are consistently improving their ability to provide products and/or
services to customers and users, and as a means to evaluate conformance with their
processes and the standard. Internal audits are a requirement of ISO 9001 Clause 9.2.
Second-party – External provider audit, or other interested party audit

A second-party audit is that carried out on a current or potential external provider by a
purchasing organization; audit results may then be used as part of the purchasing equation.
This is just one method of complying with ISO 9001 Clause 8.4. Purchasers must consider
how much assurance is needed for a particular product, service or project. By consideration of
a number of factors, a decision can be reached as to the relative importance of the external
provider having a fully compliant system. This could mean that even if an external provider
had a very attractive price and delivery, they would not be given a contract where risk was
involved due to weaknesses in their Quality Management System.
Third-party – Certification and/or accreditation, or statutory, regulatory and

similar audit
The third-party ISO 9001 certification scheme was designed to reduce, and perhaps remove
the need for many second-party audits, by providing a list of organizations whose systems
had been assessed and shown to be in conformance with ISO 9001. The assurance thus
provided to potential customers would mean that they might not have to audit external
providers themselves, providing that the assurance given by the third-party satisfied their
needs. It is becoming increasingly common that a purchasing organization will not even
consider a tender from an external provider unless they are certified to ISO 9001.
An organization may also invite an independent body (e.g. a consultancy) to audit their
management systems for a purpose other than certification, e.g. an evaluation of statutory
and regulatory requirements applicable to a product (8.2.2 a), or to assess the effectiveness
of a particular process etc. This could also be considered a third-party audit, from the
perspective of the consultancy and the organizations.
[Please keep in mind, for all activities on this course: There may be more than one ‘correct’
answer. Try to identify the strongest or most direct answer in each case, and be prepared to
consider, defend, or rebuke alternate answers raised during class discussions.]
Activity 1: Differences between first, second and third-party audits
Purpose:
To explain the differences (approach, duration, formality, objective etc.) between first, second
and third-party certification audits of management systems.
Duration:
10 minutes in pairs
10 minutes classroom discussion/review model answers
5 minutes reflection/application to own workplace
Directions:
The tutor will label three flip charts with: ‘First Party Audits’, ‘Second Party Audits’ and ‘Third-
Party Audits’.
In pairs, try and think of the differences between these audit types (approach, duration,
formality, objective etc.) Record, as many as you both can think of, onto ‘Post-it/Sticky Notes’,
and affix to the appropriate flipchart.
The tutor will then review your feedback.
One of the benefits of operating to a standard is that it provides a common reference point
against which to assess performance. However, there is a difficulty in trying to make an
objective assessment of that performance. This can best be achieved through an
independent audit process.
Governments have authorized Accreditation Bodies to oversee the work and competence of
various certification bodies; such as the British Standards Institution (BSI).
Certification bodies are accredited to carry out independent audits of organizations to

determine if they conform to the requirements of a given standard.
If it does conform, the organization is able to claim that it is certificated to the standard and
this provides a degree of assurance to other bodies in the organization’s competence of the
given area.
Impact of IAF Mandatory Documents on third-party audits (Extracted from: IAF GD

5:2006 Guidance on ISO/IEC Guide 65:1996)
Accreditation reduces risk for business and its customers by assuring them that accredited
bodies are competent to carry out the work they undertake. Accreditation bodies that are
members of the International Accreditation Forum, Inc. (IAF) are required to operate at the
highest standard and to require the bodies they accredit to comply with appropriate
international standards and IAF Guidance to the application of those standards.
Accreditations granted by accreditation body members of the IAF Multilateral

Recognition Arrangement (MLA), based on regular surveillance to assure the equivalence of
their accreditation programs, allows companies with an accredited conformity assessment
certificate in one part of the world to have that certificate recognized everywhere else in the
world.
Therefore certificates in the fields of management systems, products, services, personnel and
other similar programs of conformity assessment issued by bodies accredited by members of
the IAF MLA are relied upon in international trade.
IAF publishes Guidance for the use of accreditation bodies when accrediting
certification/registration bodies to assure that they also operate their programs in a consistent
and equivalent manner. IAF Guidance documents are not intended to establish, interpret,
subtract from or add to the requirements of any ISO/IEC Guide but simply to assure
consistent application of those Guides.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Certification is an independent assessment of both an organization’s implementation and

the effectiveness of a Management System, in accordance with an internationally agreed
standard of best practice i.e. ISO 9001.
Certification may be awarded by an organization that is not accredited. In this case it is

possible that no-one is auditing the auditor/organization. This organization could audit in any
way they choose – even bad practice, or to undercut others on time/cost. This is not to say
they would do so, but there is clearly a level of doubt and risk from a prospective customer.
On the other hand, an accredited certification organization, has been assessed and
accredited by an independent body, i.e. UKAS (United Kingdom Accreditation Service) to
provide a certification service. The accredited organization is then subject to compliance with
ISO 17021 (Conformity assessment. Requirements for bodies providing audit and certification
of management systems), and are thus audited against this requirement by the awarding
accredited body i.e. UKAS.
Using an accredited certification organization provides a level of independent assurance for

the prospective customer and the organization itself.
(The audited organization’s processes meet the requirement of the particular management
system, and are continually improving in line with their policy commitments and objectives i.e.
they can probably provide needed product or services, when needed).
Other benefits
Independent assurance to insurers and other stakeholders of an effective quality management
system.
Enhances reputation by demonstrating your organization’s commitment to good quality

practices to shareholders, employees and customers, which in turn can help to attract new
investors.
Accredited certification can be a differentiator from competitors, helping you to retain your
existing customer base, and attract new business. More and more invitations to tender require
accredited certified quality management systems to be in place.
Application of the principles of ISO 9001 and certification not only provides direct benefits, but
also makes an important contribution to managing cost and risks. Benefit, cost and risk
management considerations are important for the organization, its customers and other
interested parties. These considerations on overall performance of the organization may
impact customer loyalty and:
• Repeat business and referral

• Operational results such as revenue and market share
• Flexible and fast responses to market opportunities
• Cost and cycle times through efficient and effective use of resources
• Alignment of processes which will best achieve desired results
• Competitive advantages through improved organizational capabilities
• Understanding and motivation of people towards the organizational goals and objectives,
as well as participation in continual improvement
• Confidence of interested parties in the effectiveness and efficiency of the organization, as
demonstrated by the financial and social benefits from the organization’s performance,
product life cycle, and reputation
• Ability to create value for both the organization and its external providers by optimization
of cost and resources; as well as flexibility and speed of joint responses to changing
markets
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Audit Process, (Generic) to any management system audit, is shown above.
Also there are three main dimensions to auditing:
• Assessment of the documented management system (INTENT)

• Assessment of the degree of implementation (IMPLEMENTATION)
• Assessment of the QMS effectiveness (EFFECTIVENESS)
Intent
Does Top Management intend to implement a QMS? If so, how is this intent demonstrated?
Conformance with the minimum documented information requirements of the standard; as
auditors we need to know that the organization has planned to meet the requirements.
Implementation
Does the implementation of the QMS reflect the intent of Top Management?
Conformance here is all about checking if activities are as they are supposed to be, following
processes, policies, protocols etc.
Effectiveness
Is the implementation effective (i.e. does it meet the parameters established by the intent?).
Conformance here is in the effectiveness of the management system – is it on target to
deliver the organization's policy, objectives and customer’s requirements?
Improvements - as auditors we want to see that the system is healthy and self-healing; if
there are problems they are addressed, and that there is a continual focus on how the system
could be improved for the purposes of customer satisfaction.
Activity 2: Typical audit activities
Purpose:
To explain the audit process.
Duration:
10 minutes in groups
Directions:
The tutor will provide each group with a pack of cards. Please try and arrange these into a
logical process to explain the sequence of activities that are involved in a generic
management system audit. Please resist viewing the forthcoming slides!
THESE CARDS WILL BE USED AGAIN FOR THE NEXT ACTIVITY – SO PLEASE KEEP THE
CARDS ON YOUR DESK IN THE FINAL ORDER CHOSEN.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Cards cover the below activities: (in no particular order!)
Header cards:
Conducting audit activities
Conducting audit follow-up
Completing audit
Initiating audit
Preparing and distributing audit report
Preparing audit activities
Cards (within headers above):

Assigning roles and responsibilities of guides and observers
Assigning work to audit team
Audit information availability and access
Audit planning
Audit planning details
Collecting and verifying information
Communicating during audit
Conducting closing meeting
Conducting opening meeting
Content of audit conclusions
Determining audit conclusions
Determining feasibility of audit
Distributing audit report
Establishing contact with auditee
General (audit Team Leader responsibility)
General (sequence may be varied)
Generating audit findings
Performing review of documented information
Preparation for closing meeting
Preparing audit report
Preparing documented information for audit
Reviewing documented information while conducting audit
Risk-based approach to planning
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
The tutor will now explain in further detail the process steps just identified.
Please ask questions on any step as they arise, with the tutor.
Main areas of similarities include:
Preparation – before the audit

Communication – during the audit
Collection and verifying findings
Conclusions – from findings
Reporting – preparation and distribution
A useful acronym is P.E.R.C:
Planning
Execute
Reporting
Close out/down findings
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
The tutor will direct the class to ISO 19011 Clause 6, and also refer the class to the Terms
and definitions for: ‘3.1 Audit’ definition‘.
For clarification:
The tutor will also refer the class to the definition of an ‘audit plan’: By reference to ISO
19011 3.6, and what an ‘audit programme’ is defined as: By reference to ISO 19011 3.4.
These will be covered in more depth later in the course, when you will be auditing a supplier’s
‘audit programme. Please note that particular attention always needs to be paid to the design,
planning and validation of an audit programme in the case of multiple locations/sites or where
important functions are outsourced.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 3: Audit process differences
Purpose:
To explain the differences in audit process between first-party, second-party and third-party
certification audits.
Duration:
10 minutes in pairs
Directions:
In pairs, review the cards on your desk from the previous activity. Identify where differences
may lie between first/second/third-party audits. Record, as many as you both can think of,
onto ‘Post-it/Sticky Notes’, and also affix to the flipcharts from Activity 1. Please mark the
‘Post-it/Sticky Notes’ as ‘Differences’.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Three aspects need deciding:
The first is the objective of the audit. Is it to assess an organization for its degree of
conformance to the Quality Management System standard? Is it to determine where the
greatest problems lie? Is it to determine the organization's ability to make a particular product
or to deliver on time? Or is it to follow-up on nonconformities reported at a previous audit?
The audit objectives define what is to be accomplished by the individual audit.
The second aspect is the scope: Which relates to the ‘extent and boundaries’ of an audit. The
audit scope generally includes a description of the physical locations, organizational units,
activities and processes, as well as the time period covered. For a third-party audit this tends
to cover the complete scope of the organization’s management system. A second-party audit
may also include this, but more probably only the area of interest. A first-party audit tends to
be just one item on the audit programme which itself will cover the complete management
system scope.
If an organization makes washing machines and refrigerators, but the interest is in

refrigerators only then that will be reflected on the scope and the effort required. Similarly, if
the audit is required to look at all departments associated with that product range from order
receipt through to delivery, that also will have a bearing on early decisions. For second-party
audits the scope is decided by the client. The audit scope should be consistent with the audit
programme and audit objectives.
The scope of a management system could be the same as the scope of a second/ third-party
audit, except for the omission of a time period.
The audit criteria are used as a reference against which conformity is determined.
Each individual audit should be based on documented audit objectives, scope and criteria.
These should be defined by the person managing the audit programme and be consistent with
the overall audit programme objectives.
In summary:
Scope – What are the boundaries of the audit?
Criteria – What are you going to be assessing against?
Objectives – What are you auditing for/to achieve?
The significance for auditors (you) is that these are your terms of reference; your details of
works, which everything emanates from. These will dictate your document review, work
documents, appear in your audit plan, opening meeting, closing meeting and audit report.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 4: Determine objectives, scopes and criteria
Purpose:
To determine possible audit objectives, scopes and criteria for QMS audits.
Duration:
10 minutes individually
Directions:
Working individually try and think of some audit objectives, scopes and criteria, and write
them on your notepads. Then explain these to your neighbour, and listen also to their
answers to this activity. Be ready to query the answers if you do not agree with their findings.
Discuss any where you are not sure with the tutor and class after.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Resources for an audit could be split between:
Audit team – Availability of competent auditors for the sector/discipline – might include
legal, culture and geographical considerations, interpreters, technical experts i.e. chemists,
security clearances – children/government.
Technical experts – Availability: If the language of the auditee, or the auditee’s social and
cultural characteristics are unknown to the auditor, or skills are lacking. If all the necessary
competence is not covered by the auditors in the audit team, technical experts with additional
competence should be included in the team. Technical experts should operate under the
direction of an auditor, but should not act as auditors. All communications should be through
the auditor, and not through the expert.
People (Auditee’s) – Availability of person(s) responsible/managing the activity being

audited and actually carrying it out, top management availability, key functions –
procurement, HR etc.
Logistics/infrastructure – Availability of meeting rooms/team meeting facilities, internet

access, PPE, guides, car parking, security and health and safety for your team, movement
within the site (transport - distances etc.)
Documented information during the audit – Documents, records, processes, programmes,

archives etc.
Resourcing the audit will include the importance of auditor and team competency, and the
selection of team members. This will be particularly important regarding personal
characteristics, generic knowledge and skills, the knowledge of the relevant management
system discipline, industry sector, regulations, and auditor training. See ISO 19011 Clause 7.
For example:
Personal characteristics (Examples demonstrating an absence of competency)
• Ethical – Tell another department what a mess the last department you audited was –
have a laugh about people getting nonconformities. Lie, or twist the facts to get someone
you don’t like into trouble!
• Diplomatic – If the auditee is worried about getting his/her department into trouble, but
you find a major problem. Be tactful in dealing with this person – it’s not you I’m auditing,
this is a chance for improvement so we should all welcome it etc.
• Tenacious – The auditor asks to see a particular sample, but the auditee provides a
different one. The auditor accepts this and moves on!
• Decisive – The auditee keeps arguing and giving different excuses and the questioning is
going round and round, even though there is sufficient objective evidence to close the
finding!
• Culturally sensitive – shaking a woman’s hand when this would not be appropriate, or
continuing to audit when certain prayer times are normally adhered to. Offering
food/drink to the auditee when they are fasting, etc.
Generic knowledge and skills of management system auditors (Examples

demonstrating an absence of competency)
• An auditor who is being handed samples to look through, but is not selecting samples
themselves
• Not spending more time on processes of greater risk to the product/service
• Auditing outside the scope because he/she knows more about that area, or is interested
in it!
Applicable Legal requirements that apply (Examples demonstrating an absence of

competency)
• Clear breach admitted by the auditee in a product legal requirement i.e. CE Marking, but
the auditor is not comfortable, or is unaware how to raise this in a nonconformity
statement and says: ‘We’ll I’m not that informed on legal, so best we leave that alone,
don’t you think?’
Discipline specific (Examples demonstrating an absence of competency)

• A quality management system auditor who has been tasked with an ISO 45001
management system audit, but has no knowledge of occupational health and safety
Generic knowledge and skills of audit team leaders (Examples demonstrating an

absence of competency)
• Not making effective use of resources – one team member (auditor) has a very long lunch
break; perhaps waiting for an activity to start, the Audit team leader not ensuring his
team’s health and safety, or not resolving conflicts within the team or with the auditee’s
management
Clause 7 of ISO 19011 details very specific auditor knowledge and skills expectations. For
example: Understanding the types of risks and opportunities associated with auditing and the
principles of the risk-based approach to auditing; auditing a process from start to finish,
including the interrelations with other processes and different functions, where appropriate;
relationships and interactions between the management system(s) processes; the needs and
expectations of relevant interested parties that impact the MS; principles, methods and
techniques relevant to the discipline and sector, so the auditor can determine and evaluate
opportunities associated with the audit objectives; and discussing strategic issues with top
management of the auditee to determine whether they have considered these issues when
evaluating their risks and opportunities. Continual professional development activities should
also take into account changes in sector or discipline.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Clearly, defined and understood roles and responsibilities, for all parties involved in the audit,
need to be established.
The main parties involved will be the:

• Audit client
• Individual(s) managing the audit programme – establish its extent, audit objectives, scope
and criteria for individual audits, determine necessary resource, responsibilities, audit
methods, selecting the audit team, evaluating auditors, audit records, improve the
programme and inform top management of its contents. The individual(s) managing the
audit programme should also identify and present to the audit client the risks and
opportunities considered when developing the audit programme, and resource
requirements, so that they can be addressed appropriately, and review the audit
programme to identify opportunities for its improvement
• Audit team leader
• Auditor(s)
• Auditee(s), including management
• Guide(s) and observer(s)
Main roles are:

• Audit client – to commission/request an audit (for an internal audit – can also be the
auditee or the person managing the audit programme)
• Audit team leader – to audit and manage the process to achieve the defined audit
objectives
• Auditor(s) – to audit under the direction of the Audit team leader
• Auditee(s), including management – to assist the auditor during the collection of the
objective evidence
• Guide(s) – to assist the audit team and act on the request of the audit team leader
Activity 5: Roles and responsibilities
Purpose:
To describe the main responsibilities of the auditee(s) management, auditors, audit team
leaders, auditees, guides and observers.
Duration:
Directions:
The tutor will allocate a sheet of sticky labels to each group detailing the main responsibilities
and the functions concerned.
In your groups:
• Review the labels and discuss

• Peel each label from the sheet and place on a flipchart, matching the main responsibilities
to the functions concerned
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
The Audit Team Leader is effectively the team captain. Their specific management
responsibilities are discussed below.
Throughout the audit the team leader needs to prepare for the next stage of the audit and
manage the audit and the audit team. This will include:
• Following up on any ‘leads' which have become apparent as the audit progresses, and
deciding changes to the audit plan (with the client)
• Deciding whether the audit is progressing to plan, and whether audit objectives can still be
achieved
• Co-ordinating review sessions with client management and audit team meetings
• Planning and management of the opening and closing meetings – specifically time
management and questions arising
• Assisting and managing the audit team if major concerns are found
• Deciding on the severity of non-conformances – Major or Minor findings
• Ensuring the ‘tone’ and ‘conduct’ of the audit is appropriate in their team: In line with
looking for conformance, not just searching for things that are wrong
The audit team leader is ultimately responsible for all phases of the audit. The audit team
leader should have management capabilities and experience and should be given
authority to make final decisions regarding the conduct of the audit and any audit
observations and conclusions.
Please note: Assigning work to the audit team should include assigning, as appropriate,
authority for decision-making.
An audit is confidential between the two parties, as is any information raised before, during or
thereafter. This confidentiality binds management system auditors. CQI and IRCA
registered auditors/audit team leaders are also bound by a Code of Conduct stipulating this.
A statement to this effect should therefore be made by the leader auditor; normally in the
opening/closing meetings and audit report.
The format of notes and the medium on which to write them are matters for each auditor to
decide. Many use clipboards with loose sheets, which are then clipped together, others find a
notebook more practical. Whichever format they use, auditors must safeguard the
confidentiality of the information they gain during the audit.
The very fact that an audit has taken place is confidential between the two parties, and the
information must not be disclosed to another party without the permission of both parties.
There are of course two exceptions; firstly, during an audit which is determining the way one
organization audits its external providers, and secondly, if the audit is for the purpose of
certification and the auditee is successful. Then they can give permission to advertise the fact.
A second-party audit is also a matter between the two parties, and any breach of
confidentiality is not only a serious breach of trust but may also result in legal proceedings.
A first-party internal audit is in effect, no different to the above, in that it is a matter between
the auditor/employee and the organization. Any unauthorized disclosure of sensitive
information may result in disciplinary proceedings.
In keeping with the ethics of auditing, if requested to do so, an auditor should have no
hesitation in signing a confidentiality agreement.
Activity 6: Audit methods
Purpose:
To outline different audit methods.
Duration:
Directions:
Individually – provide one advantage and disadvantage for each of the methods detailed in
Table A.1 - Audit methods of ISO 19011 (Page 35).
Please note: Audit methods also need to be determined based on where, when, and how to
access audit information. This is crucial to the outcome of a successful audit and is
independent of where the information is created and used etc. Audit methods may need to
change as audit circumstances change during the audit (to access audit information) See A.1.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Stage 1: As defined by ISO 17021 (Conformity assessment. Requirements for bodies

providing audit and certification of management systems), has the purposes of:
• Confirming the duration of the audit

• Confirming the competence of the team
• Clarifying the scope and objective of an audit
• Gain an understanding of the business
• Evaluate the internal audits and management review are being planned and performed
• Review the clients status and understanding regarding with respect to identification of key
performance indicators, processes and objectives of the management system
• Define process flow and interaction
• Agree processes to be used during audit
• Resolve any misunderstandings
• Identify any special needs, skills, protective clothing
• Identify layout of company/plant
• Establish the adequacy of documentation – The key word here is ‘establish’. This is just an
overview and not testing the implementation or effectiveness of processes
• Assess the organizations readiness for the next stage
• Plan the next stage of the audit
Third-party certification audits include a stage 1 site visit, and the costs are built into the initial
proposal. The visits can be of great value. They allow the team leader to meet various
members of the auditee's staff, and they are a good opportunity for the team leader to be
given a ‘quick tour’ of the site, and thus appreciate the scale, layout and geography involved.
Should transport around the site, or special protective clothing be necessary, it also gives the
team leader time before the audit to ensure these will be available, thus saving valuable audit
time. The meeting obviously provides the auditee with an opportunity to ask the team leader
about the way the audit will be conducted.
Stage 1 audit process and outputs.
See diagram overleaf.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Inputs
• Audit objectives, scope, criteria
• Audit methods, duration, location
• Audit team members (including
team leader - responsibilities)
Activities:
• Establish initial contact with the auditee
• Determine feasibility of the audit
• Request documentation relevant to the scope,
objective and criteria.
Outputs/Inputs:
Contact is established and audit is feasible
(or not as the case may be – inform audit client),
relevant documentation.
Activity:
Perform document review
Outputs/Inputs:
• Documentation meets criteria (or not)
• Areas or concern/risk identified
Activity:
Prepare audit plan
Outputs/Inputs:
Audit plan to achieve audit objective and consider
risk/importance, sent to Auditee’s management for
agreement (or change)
Activity:
Assign work to the audit team
Outputs/Inputs:
Auditor communicated and referenced in
the audit plan
Activity:
Prepare work documents according to the audit plan
Output
Ready for stage 2
Stage 2: As defined by ISO 17021:2015 (Conformity assessment. Requirements for

bodies providing audit and certification of management systems), has the purposes of:
Assessing the ‘implementation’ and ‘effectiveness’ of the management system.
Some preparation considerations for this stage of the audit include:
• Determine scale of audit and resources required

• Consider past results (if available)
• Consider current problems/risks
• Consider management's concerns
• Consider management's priorities (where appropriate)
• Contact auditee and agree date(s)
• Report from stage 1 site visit
• Determining the setting and importance/risk (including legislation)
• Identify the risk potential of activities, products and services
• Prepare and agree audit plan
• Assigning work to the audit team
• Audit team briefing
• Prepare work documents
………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………
This slide establishes the context of an initial certification audit and its outcomes. Use it as the
course progresses, and to show the broad architecture of the audit process.
There is an opening meeting, summary report, nonconformities if applicable, closing meeting

and corrective action if applicable at both Stage 1 and 2.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 7: Audit plan template
Purpose:
To prepare an audit plan structure (template).
Duration:
Directions:
Individually, read ISO 19011 Clause 6.3.2 (Audit planning). Then, in groups try and create an
audit plan structure (template) on a flipchart, that could be populated later. Ensure it includes
2 auditors (Lead and Auditor) with space to cover a duration over 2 days (use 2 sheets in
landscape view).
This will be populated later.
The tutor will then invite other groups to critique your template during feedback.
After the activity, please read the notes on ‘The Audit Plan’ in your References section.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Audit team members should collect and review the information relevant to their audit
assignments, and prepare work documents as necessary for reference and for recording audit
evidence. Such work documents may include the following:
• Checklists
• Audit sampling plans
• Forms for recording information (such as supporting evidence, audit findings and
records of meetings)
The use of checklists and forms should not restrict the extent of audit activities, which can
change as a result of information collected during the audit.
Work documents may also include: Nonconformity report forms, audit summary report
forms, corrective action schedules etc.
An Aide Memoire approach may be more beneficial for experienced auditors; who are then
able to follow audit trails and use their own experience to verify conformity. However these
could also have disadvantages; such as auditor bias and skewing the sampling from the audit
criteria.
The tutor will create an example format(s) for a checklist/Aide memoire, on a

flipchart, for you. Record it in your learning diary.
Please note: Preparing documented information for audit can include digital checklists, and
audio visual information.
Audit sampling takes place when it is not practical, or cost effective, to examine all available
information during an audit, e.g. records are too numerous or too dispersed geographically to
justify the examination of every item in the population. Audit sampling typically involves the
following steps:
• Establish the objectives of the sampling plan

• Select the extent and composition of the population to be sampled
• Select a sampling method
• Determine the sample size to be taken
• Conduct the sampling activity
• Compile, evaluating, reporting and documenting results
Departments/Records available?
How many would typically be sampled from the above?
What would you do if n/c is found in one of them, or risk is higher, or lots of n/c’s at the last
audit?
Samples should test the effectiveness of the system and should be:
• Representative with an equal probability of being picked by you
• Structured
• Independently selected
Sample size should be based on:

• Risk
• Importance
• Status
• Findings from the previous/current audit
Please refer to ISO 19011 A.6 (Page 37)
Advantages and disadvantages of using checklists.
Checklist benefits
• Sample relevant to audit objectives
• Formality: Defines the audit processes
• Requires research and thought
• Helps maintain the pace of an audit (and time management)
• Keeps audit objectives clear
• Historical reference as an audit record
• Reduces workload for the auditor during the audit
• Assures auditee of auditor professionalism
• Ensures auditors keep the processes in mind
• Can be used an audit criterion for other audits (benchmark)
Disadvantages
• Can become a tick list
• Can become full of yes/no questions
• If not on checklist might be so distracted by the next questions that important audit
trails can be lost
• Stifles initiative and analysis of the processes
• If used time and time again the sample of questions become rigid and fixed, and
therefore can lose its value to the organization
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
The purpose of the opening meeting is to:
1. Confirm the agreement of all parties to the audit plan

2. Introduce the audit team
3. Ensure that all planned audit activities can be performed
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 8: Opening meeting
Purpose:
To identify agenda items for use in an opening meeting and their purpose.
Duration:
15 minutes whole class
Directions:
Whole class, please shout out the possible agenda items for an opening meeting. The tutor
will record these on a flipchart, and ask the purpose/meaning behind them.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Problems encountered during an opening meeting might include:
• MD proposes an hour’s long video of the organization

• Suggested two hour lunch at a five star restaurant
• Each departmental head will give a 15 minute presentation
• Samples have been pre-prepared by the auditee
• Best staff are available who have been audited many times
• Dept ‘x’ is off limits due to manager just coming back after sick leave for stress
• Lots in internal audit nonconformity, so there is no need for you to look at it again
• Suggested extended site tour
• No guide available – but free to wander around
• Key members of staff off-sick
• Records not on site, so have preselected ones for you to save time etc…
Can you think of any others?
These issues will be looked at again tomorrow and how to respond to them.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 9: Audit evidence
Purpose:
To explain how audit evidence is collected and how this can become objective.
Duration:
Directions:
In groups, please draw a large triangle on a flipchart and try and label the sides with three
different methods for collecting audit evidence. Then, for each side, consider how to make
this evidence objective (data supporting the existence or verity of something – i.e. not your
opinion!). Record this next to the evidence.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Perhaps the biggest challenge for the auditor is the fact that finding out information depends,
amongst other things, on communication skills. Within a very short time of meeting
someone the auditor needs to have developed a degree of rapport with that person to
obtain the facts essential to the investigation whilst remaining objective. If these facts are
indicative of a lack of management control in the area, then the auditor needs to be tactful in
the way these findings are presented.
The main method of soliciting information is by asking questions in a series of interview

situations. Though not always appreciated, the best interviewers are those who say least and
have an ability to listen or hear what is being said. By combining this with the right kind of
attitude and tone, the auditors generate an atmosphere in which good communication can
take place.
The interviewee (the auditee) must not feel threatened by the auditor. Many people are
easily intimidated by auditors. The auditor can avoid generating this by being polite,
patient, slightly informal and not afraid to smile. Showing interest in what people say is
essential. Holding a degree of eye contact, small verbal acknowledgements, ‘I see’, ‘ah’,
‘yes’, and so on will show that the ‘transmission is being received’, as will the right facial
expression and head movement. There are no standard expressions and head movements
recommended to elicit information, each auditor will develop their own style.
It often happens that the auditee, (because the majority of them are human), misunderstands
a question or is determined to tell the auditor about some other matter. They may even say
something which the auditor knows not to be true. If the auditor interrupts abruptly, or
directly contradicts the auditee, easy communication will not continue.
At the end of the ‘interview’ the auditor should thank all auditees for their help and time,
regardless of whether it was beneficial or otherwise.
Opinion questions are often neglected. There is a danger in straying too far from fact, but this
type of question can be very useful for gaining someone's attention or for gaining new
approaches to problem solving. They indicate that the auditor regards the auditee's view as
important, thus raising the auditee's self image, and encourages auditees who regard
themselves as the ‘local expert' to say more. They can also encourage junior people in an
organization to say more: ‘What do you think would be the most effective . . . ?', ‘How would
you go about . . . ?’.
Please note: When conducting interviews, the careful selection of the types of question used
is therefore important (including appreciative inquiry).
Non-verbal questions may seem to be a contradiction in terms, but questions do exist in this
form. For example, the raising of the eyebrows whilst maintaining eye contact can indicate a
wish for the auditee to continue.
Please note: An awareness of limited non-verbal communication in virtual settings should be

remembered, with perhaps then more focus applied on the type of questions to use in finding
objective evidence.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 10: Effective communications
Purpose:
To recognize examples of effective communications, during an audit.
OPTION 1: e-learning module on ‘Questioning Techniques’

Duration:
5 minutes classroom e-learning
5 minutes to create learning test questions (with your neighbour) for the rest of the class
Directions:
The tutor will now run an e-learning module for the rest of the class; please listen and take
notes. If the tutor is going too fast for you: Please slow him/her down!
When this is finished, please reflect on what you have learnt, and discuss any learning points
with your neighbour. Think of questions (in your pairs) that you could ask - to test the other
groups learning i.e. provide example of different questions and then ask other groups what
type of question it is.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
OPTION 2:
Duration:
10 minutes in pairs
Directions:
In pairs, the tutor will provide you with two types of questions from the below:
1st pair – Open and Specific
2nd pair – Leading and Closed
3rd pair – Hypothetical and Reflective
4th pair – Probing and Rhetorical
Please think of one statement to demonstrate the questions above for a real life audit
situation. Get ready to feed these back to the rest of the class.
5th pair – How could you funnel these questions to come up with an audit finding? Which
ones would you start with etc. and end with?
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Conformance and positive audit findings – Such as those areas or processes which were
found to be meeting the audit criteria requirements and were perhaps very effective, or
indeed good practice found. Also, to thank the auditees for their cooperation and courtesy.
Opportunities for improvement or potential risks (OFI’s) – While a particular process

may be effective, it might not be as efficient as it could be. It might be the case that the
auditor has specialist knowledge, or has explored best practice with the auditee. However,
third-party auditors should exercise caution; as identifying OFI’s could be construed as giving
advice/consultancy. There may also be areas of concern, but for which there is insufficient
objective evidence to raise conformity or nonconformity. For example, whilst a particular
process meets the requirements today, it is likely that it will not should either: (i) if the same
state of affairs is to continue e.g. deterioration, or (ii) if there is a change in the situation e.g.
an expected or unexpected demand is made of the process. An OFI could therefore be
described as a statement referring to a potential enhancement, weakness, or potential
deficiencies in a management system. It can also provide a rationale for improvement, and
generic information about industrial best practice, without providing a specific solution. BSI
assessors may also use a finding called an ‘Observation’, for specific schemes where
accreditation rules prohibit the certifying body from issuing an OFI.
Nonconformity (ISO 9000: Non-fulfilment of a requirement)

There will be a audit nonconformity if an audit criteria has not been fulfilled:
1. The process (documented or not) does not comply with the requirements of the criteria
2. The process (documented or not) has not been implemented
3. The process (documented or not) (what is actually being done) is not effective, i.e. the
required output is not produced
As soon as the objective evidence points to a nonconformity, the auditor should immediately
voice their thoughts to the auditee to seek clarification, and verification. This is not a cause
for rejoicing, but total openness from auditors will hopefully encourage the same from the
auditee. It is essential that both parties fully understand what the problem is and how serious
it is. Auditors will often need a little help from the auditee to do that. Once the facts of the
matter are established, they should be written down by the auditor and agreed with the
auditee.
When determining audit findings: Accuracy; sufficiency and appropriateness of objective

evidence to support audit findings; and the extent to which planned audit activities are
realized and planned results achieved, should be considered. Therefore, when recording
conformity, an auditor should consider audit evidence to support effectiveness, if applicable.
(See process audit preparation slide, introduced later in the course, on process effectiveness.)
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Auditors should be focused on the intended result of the management system throughout the
audit process. While processes and what they achieve are important, the result of the
management system and its performance are what counts.
It may be helpful to the auditee, and management, to provide a summary of the days
auditing progress – in particular progress against the audit plan, positives encountered,
areas of non-conformance encountered, and anything that is/could affect the audit objective,
or the plan the next day.
Before the closing meeting, but immediately after the actual auditing process is
completed, an audit team meeting should be held so that the team leader can plan the closing
meeting in detail, and ensure the team knows what is going to be presented to the
organization in the way of conformance, nonconformities and conclusion. The team meeting
needs to be at least an hour before the closing meeting, less if some of the work has already
been done the night before, for example.
Some auditors try to ‘squeeze in’ a bit more auditing at this point. The law of diminishing
returns operates, and very little will be gained by trying to rush through some more auditing.
The team leader chairs the audit team meeting and only the audit team is present. The team
completes any nonconformity reports and reviews all findings. The team leader prepares the
audit report and final conclusions.
There is no set rule about who presents the information. The team leader may present
everything – all nonconformities and the report – or the team members may be asked to
present the nonconformities they have found. The review of nonconformities is
important, and members should be rigorous in their review of one another's statements. Are
all the facts there? Is it clear that it is a nonconformity? Can it be read easily? Is it
grammatically correct?
As a result of the ‘review team’ findings the team leader prepares an audit report. This
report reflects the degree to which an organization is complying with its own QMS and the
relevant audit criteria.
As a suggestion, a team leader could do worse than answer three questions asked about the
system in any audit:
• Is there a system intending to address all the clauses of the relevant standard? To what
extent? (audit of intent)
• Has this system been put into practice? To what extent? (audit of implementation)
• Is the system achieving its intent/objectives? To what extent? (audit of effectiveness).
To answer these questions, the nonconformities raised will give some guide.
Further questions may be answered by the report:

• Do the nonconformities raised indicate weakness in any particular area(s) of the
organization?
• Do the nonconformities raised indicate weaknesses in any particular sections of the
management system?
Please note: The content of audit conclusions should also address issues such as the
identification of risks and the effectiveness of actions taken by the auditee to address risks
and consider the level of the integration of different management systems and their intended
results. The absence of a process or documentation can be important in a high risk, or
complex organisation, but not so significant in other organizations.
The team leader will also prepare an agenda for the closing meeting and arranges, either
through a team member or a guide, for copies of each nonconformity to be passed over to
the organization's management at the appropriate time. It is ideal, but by no means possible
on every audit, for the team leader to organize the seating arrangements for the closing
meeting. This is not for any underhand reason, but they should try to ensure that the
arrangements suit the purpose, and, that no one is in an awkward position. Often, the closing
meeting may be in the very room the auditors are using for their team meeting.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
The closing meeting is the concluding meeting of the audit, and is the formal presentation by
the team of the findings and conclusions of the audit.
The way the meeting is carried out is by conventions which have been drawn up over the
years in which audits have been carried out. As long as the auditee management understands
the findings and agrees the facts surrounding them, before the team leaves, the team leader
and team have done their job.
At the pre-agreed time the team should make themselves available for the meeting. The team
leader chairs the meeting. The team leader should take the initiative and work through the
agenda as prepared during the audit team meeting.
The following points need to be covered in some form.
List of attendees at the closing meeting

The team leader or second auditor passes around a headed list with name and position to be
entered onto it by each attendee.
Please note: The closing meeting can be attended by, as applicable, other relevant interested
parties as determined by the audit client and/or auditee.
Thanks
The team leader should thank the organization on behalf of the team for their help and time
etc. If the audit was carried out in an open fashion by the organization, the team leader
should say so and thank them for it. If it was not, then silence is the preferred method. The
team leader should also thank the guides.
Objectives, scope and criteria

As a formality, and to ensure that the basis for the audit is in no doubt, the objectives and the
scope should be restated. This is for a number of practical reasons. There is usually no real
doubt about this in the auditee organization, because it has been discussed and agreed before
the audit took place. However, some of the people attending the closing meeting may not
have been present at the opening meeting, or are not necessarily aware of everything that
has happened in between. Audits cover a lot of ground, some of it (not too much in a well-
planned audit) irrelevant. The objectives can become hazy. Therefore this statement by the
team leader resets the context of the audit. It is also important to state whether the audit
objective has been accomplished (or not), as the case may be. This is important when
activities/processes, or responsible key personnel were not available during the audit
(although planned to be). This may reduce the reliance on the conclusion (through sampling),
and hence in certain instances make the conclusion unreliable.
Report
The outline of how the audit will be formally reported and the results sent to the auditee
should be described. Ask who the report should be distributed to, within the auditee’s
organization.
Limitations
It bears repetition that the audit was a sample of activities, and is therefore subject to the
risks associated with sampling. Not every conforming or nonconforming area was seen, only a
representative selection. Therefore the possibility exists that there are nonconformities in
areas not covered by this audit.
It is recommended that the auditors develop a standard statement covering the essence of
the above in their own words, although many certification bodies include the appropriate
wording in their report documents.
As appropriate, an explanation of the fact that an audit is not necessarily fully representative
of the overall effectiveness of the auditee’s processes should also be covered.
Presentation of findings
It is recommended that positive findings (good practice etc.) are covered first, then
nonconformities (if any) are communicated, one after the other, until they have all been
presented, although it might be necessary to give a summary.
In some cases the auditee representatives will have copies of the nonconformities if some
were agreed earlier. There are different schools of thought about giving copies of the
nonconformities to the auditees at the time of the closing meeting. Generally there are few
disadvantages, and it is recommended here as good practice. There is then no need for
auditees to try to make notes. It is also recommended that the nonconformities are read out
from the report, rather than trying to describe them. This limits the tendency to add
unnecessary words and comments, which should not be necessary if the nonconformity
statement is complete in all respects.
Reading the statements also encourages perhaps less experienced auditors to present the
nonconformities in a clear, firm voice not in an apologetic manner.
Any diverging opinions should be discussed and, if possible, resolved. If not resolved, this
should be recorded. If specified by the audit objectives, recommendations for improvements
may be presented. It should be emphasized that recommendations are not binding.
The degree of detail should take into account consideration of its context and risks and
opportunities.
Summarize
The team leader is responsible for presenting the conclusion that the audit results have led
the team to reach. This is the ‘informed judgement' of the auditors and must consider the
seriousness of any nonconformity, and whether they indicate a departmental or organization
wide breakdown of systems. They must be balanced with positive findings made during the
audit.
Agreement
Each of the nonconformities presented was raised on the basis of the facts being agreed with
a departmental representative at the time. Having reached agreement at the time, the
wording of the nonconformity is unlikely to have been at its most complete and concise. Either
at review meetings, or at the closing meeting, these nonconformities are sometimes signed by
the auditee to acknowledge receipt and understanding of the content.
Clarification
The auditee must have an opportunity to ask questions about the nonconformities, or the
summary, and it would normally come at this point. The facts as stated should not be in
dispute. Assuming all the nonconformities or the audit report are accepted by the auditee, the
auditor may be asked what response is necessary by the auditee to the points raised. The
auditors would expect the auditees to propose some corrective action in a given time. The
closing meeting is not the place to discuss any actual corrective actions necessary. That
should be given very careful consideration by the auditee. The team leader should therefore
state that a response in writing is necessary within a number of days or weeks after receipt of
the report, with a proposed plan of corrective action. However, if the recommendation is for a
full re-audit then it will not be necessary to submit a corrective action plan.
Departure
Having presented the findings and discussed them to the auditee's satisfaction, the audit team
can depart, once again thanking the auditee for their time etc.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
The audit report should provide a complete, accurate, concise and clear record of
the audit and should include or refer to the following:
• The audit objectives, scope and criteria
• Identification of the audit client
• Audit team and auditee’s participants
• Dates and locations where conducted
• Audit findings and evidence
• Audit conclusions
• Statement to which the criteria have been fulfilled
Please note: Preparing the audit report should also include, or refer to the fact, that audits by
nature are a sampling exercise; as such there is a risk that the audit evidence examined is not
representative. Any unresolved diverging opinions between the audit team and the auditee
should also be referred to.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
The report ‘may’ also include or refer to the following, as appropriate:

• Audit plan
• Summary of the audit process including any obstacles
• Confirmation that the audit objectives have been achieved in accordance with the audit
plan
• Areas within scope not covered
• Summary of audit conclusions and main findings
• Good practices identified
• Agreed follow-up plans
• Statement of confidentiality
• Implications for the audit programme or subsequent audits
• Distribution list
Please note: Preparing the audit report can also include or refer to any issues of availability of
evidence, and resources or confidentiality, with related justifications.
(See ISO 19011 6.5.1 – page 27)
Additional notes
As the audit moves towards the concluding stages the auditors could be gradually building up
a picture of areas of systems exhibiting conformance, or the most failures. This is the
composite picture the auditors are required to present at the closing meeting and in their
written report. The team leader has the responsibility for generating this composite picture as
their informed judgement of the degree to which working systems comply with stated systems
(and the standard). The information to provide this comes from the audit findings, but it is
necessary to ‘sort' these, so that a reasonable conclusion can be thus sought (assuming
nonconformities have been found).
Based on this, a picture emerges of the types of failure found, relative frequency, where they
were found in the organization, and the management system requirement, (clause of the
standard), which is weakest.
If auditors find information which indicates a distinct lack of management support for the
QMS, then they should say so in their report. Their task is to collate the evidence as fairly and
objectively as they can, and to highlight areas where greatest risk and least assurance lie.
The audit report must also reflect what effect the results of the audit will have on the future
relationship between the two organizations. If it is a second-party audit, the auditors will have
to make recommendations to their own organization about conducting business with the
auditee. The auditors are often limited in what they are allowed to say to the auditee. For
example, few auditors actually make the purchasing decision. However, they should leave the
auditees with a clear idea of where they stand.
As with any record, audit reports should be retained on file for a prescribed time. All the other
records from the audit should also be retained, e.g. checklists, which are useful for re-audits,
and the auditor's own notes made during the audit investigation. As corrective action is taken
the documented information of this will be kept to satisfy the ‘close out’ requirements of each
nonconformity.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
The audit report should be issued within an agreed period of time. If it is delayed, the
reasons should be communicated to the auditee and the person managing the audit
programme.
The audit report should be dated, reviewed and approved, as appropriate, in accordance
with audit programme procedures.
The audit report should then be distributed to the recipients, as defined in the audit
processes, audit plan or closing meeting.
Please note: When distributing the audit report, appropriate measures should be considered
to ensure confidentiality.
Completing audit: When completing the audit, lessons learned from the audit can identify
risks and opportunities for the audit programme and the auditee.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 11: Audit follow-up
Purpose:
To recognize the purpose of audit follow-up, and the activities involved.
Duration:
Directions:
Individually, please refer to ISO 19011 Clause 6.7 and decide what the purpose of this phase
is, and what you would do/check, as the audit team leader.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
In order for delegates to achieve the overall learning objectives, you will need to acquire and
develop specific knowledge and skills. These are specified as ‘enabling objectives’ and can be
considered as steps to the achievement of learning objectives.
We will now continue with the ‘knowledge’ elements.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 12: Start of day 2 quiz
Purpose:
To review and revise the 7 Quality Management Principles (QMP’s).
Duration:
Directions:
In groups, lay out the 7 QMP flash cards (red) in front of you. For each of the 7 QMP’s there
are ‘benefit’ cards (blue), and ‘how to apply cards’ (yellow). Please match the benefits, and
the how to apply cards, to the appropriate QMP.
When you have completed the activity please refer to the references section for activity 12,
and compare answers.
Get ready to feedback any differences found, and your conclusions to the rest of the class.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Purpose
It can help an organization to improve its overall performance and forms an integral
component of sustainable development initiatives. It can be used by internal and external
parties to assess the organization’s ability to consistently meet customer, statutory and
regulatory requirements applicable to the product and services it provides, the organizations
own requirements, and its aim to enhance customer satisfaction.
It specifies requirements aimed primarily at giving confidence in the products and services
provided by an organization and thereby improving customer satisfaction.
It can be used for demonstrating an organization’s ability to consistently provide products and
services that meet customer and applicable statutory and regulatory requirements, and aims
to enhance customer satisfaction through the effective application of the system, including
processes for improvement of the system and the assurance of conformity to customer and
applicable statutory and regulatory requirements.
Organizational benefits
(0.1) The potential benefits to an organization of implementing a quality management system
based on this International Standard are:
a) The ability to consistently provide products and services that meet customer and applicable
statutory and regulatory requirements
b) Facilitating opportunities to enhance customer satisfaction
c) Addressing risks and opportunities associated with its context and objectives
d) The ability to demonstrate conformity to specified quality management system
requirements
ISO 9000 describes the fundamentals and vocabulary of quality management systems.
Terms relating to ‘Service’ and ‘Products’:
Service is defined as: An ‘output of an organization with at least one activity necessarily
performed between the organization and the customer’.
A service is usually experienced by the customer, with its dominant elements being generally
intangible.
Product is defined as: An ‘output of an organization that can be produced without any
transaction taking place between the organization and the customer’. The dominant elements
of a product are generally tangible.
There are three generic product categories, as follows:
1. Software (e.g. computer program, dictionary content: Consists of information)

2. Hardware (e.g. engine mechanical part: Generally tangible and its amount is a countable
characteristic)
3. Processed materials (e.g. lubricant: Generally tangible and their amount is a continuous
characteristic)
Hardware and processed materials are often referred to as goods.
Many products comprise of elements belonging to different generic product categories.

Whether the product is then called software, hardware or processed material depends on the
dominant element.
Activity 13: Terminology
Purpose:
To explain the terminology used in ISO 9001.
Duration:
Directions:
Individually, please match the ISO 9001 term up with its correct definition: Place the definition
letter next to the term it describes. Once you have done this, compare and discuss any
differences with your neighbour. Please feedback to the class any differences found.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Term Ans Definition

1. Competence A Set of interrelated or interacting elements of an
organization to establish policies and objectives and
processes to achieve those objectives
2. Continual Improvement B Person or group of people that has its own functions
with responsibilities, authorities and relationships to
achieve its objectives
3. Corrective Action C Person or group of people who directs and controls
an organization at the highest level
4. Documented Information D Result to be achieved
5. Process E Ability to apply knowledge and skills to achieve

intended results
6. Interested Party F Action to eliminate the cause of a nonconformity and
to prevent recurrence
7. Management System G Effect of uncertainty
8. Measurement H Make an arrangement where an external organization

performs part of an organization’s function or process
9. Monitoring I Measurable result
10. Objective J Need or expectation that is stated, generally implied

or obligatory
11. Organization K Information required to be controlled and maintained
by an organization and the medium on which it is
contained
12. Outsource L Recurring activity to enhance performance
13. Performance M Determining the status of a system, a process, a

product, a service, or an activity
14. Requirement N Process to determine a value
15. Risk O Set of interrelated or interacting activities that use

inputs to deliver an intended result
16. Top Management P Person or organization that can affect, be affected
by, or perceive itself to be affected by a decision or
activity
The clauses of ISO 9001 broadly follow the Plan-Do-Check-Act (PDCA) cycle.
PDCA can be applied to all processes, and to the quality management system as a
whole. The cycle can be briefly described as follows.
Plan: Establish the objectives of the system and its processes, and the resources needed to
deliver results in accordance with customers’ requirements and the organization’s policies.
Extent of planning will depend on risk.
Do: Implement what was planned.
Check: Monitor and (where applicable) measure processes and the resulting products and
services against policies, objectives and requirements and report the results.
Act: Take actions to improve performance, as necessary.
Typical processes could be:

• How documents are controlled
• Risk and opportunity determination
• Quality management planning
• Internal communications
• Management review process
• Competence process
• Etc.
Taking the last process (competence):

Plan – determine the necessary competence of person(s) doing work under its control that
affects the performance and effectiveness of the quality management system
Do – where applicable, take actions to acquire the necessary competence
Check – evaluate the effectiveness of the actions taken
Act – Continue to determine and provide the competence OR re-evaluate the methods of
training or other action to ensure it is now effective.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Auditors should understand that auditing a management system is auditing an organization’s

processes and their interactions in relation to one or more management system standard(s),
and NOT auditing a management system standard (i.e. clauses of the standard) in relation to
an organization’s processes.
Auditors should recognize that ISO 9001 promotes the adoption of a process approach, and
hence rather than taking a piecemeal approach to auditing processes and work instructions
etc. (in isolation), the auditor should take a more holistic approach to testing a ‘coherent
system’ and follow how the product/service is realized throughout the organization. This might
contrast to a more risk based management system, like: OH&S or Environmental etc. In these
systems the auditor focuses in the main where risk is, and not necessarily following a
coherent system of process to achieve a defined product/service etc.
However, the design and implementation of an organization’s quality management system is

influenced by its organizational context (issues and requirements), changes in that context,
and the risks/opportunities arising within that context.
An auditor, therefore, may take the approach of following the defined process, but where
risks/opportunities are encountered: The auditor may wish to spend much longer in that part
of the process – perhaps by reviewing processes, competence and documented information
etc. Once conformity has been established: To then continue in the process.
ISO 19011 - 7.2.3.2 c) Refers to the auditor comprehending the auditee’s structure, purpose
and management practices, and should cover the following: Needs and expectations of
interested parties that impact the management system; types of organization, governance,
size, structure, functions and relationships; general business and management concepts,
processes and related terminology, including planning, budgeting and management of
individuals; cultural and social aspects of the auditee.
Don’t forget also: The processes are there to achieve the intended result(s) of its quality
management system – which introduces you to the next activity…
Activity 14: QMS elements and interactions
Purpose:
To outline the processes involved in establishing, implementing, operating, monitoring,
reviewing, maintaining and improving a quality management system.
Duration:
10 minutes in pairs
Directions:
In pairs, please try and create a logical flow of activities from the items listed overleaf, by
populating the diagram. Various entries have been added to assist you.
There is no absolute right/wrong answer here…but a logical interrelationship is expected.
Then, locate the respective clauses from ISO 9001 for each activity, and write these into the
diagram.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
QMS intended
result(s) Customer focus
QMS Scope
Management review
Internal audit Objectives and planning to

achieve them
Determine and provide competent

resources
Operation
1. Awareness/Communications/Documented information
2. Control of nonconforming outputs
3. Context of the organization
4. Monitor, measure, analyse and evaluate
5. Roles, responsibilities and authorities
6. N/C and corrective action
7. Actions to address risk and opportunities
8. Demonstrate leadership and commitment
The Auditor's Role

A summary of certain points is fitting here. The major duty of auditors is to look at an
organization’s processes, and the controls on their external providers/ outputs.
This is so they can determine conformance and effectiveness with the organization’s intended
result(s), the Standard, and perhaps specific contract requirements.
With regard to the product or service it provides, ISO 9001 also requires an organization to
demonstrate the ability to meet applicable statutory and regulatory requirements (which
can be expressed as legal requirements). For example 8.2.2 a) – applicable to the
product and service, and 8.3.3 c) – design and development inputs etc. Also ISO
17021 9.1.2.2 Determining audit objectives, scope and criteria, specifically 9.1.2.2.2, states
‘The audit objectives shall describe what is to be accomplished by the audit and shall include
the following.... b) evaluation of the ability of the management system to ensure the client
organization meets applicable statutory, regulatory and contractual requirements; NOTE: A
management system certification audit is not a legal compliance audit’.
Auditing legal requirements might in some cases require a level of knowledge e.g. possibly CE
Marking, Technical files etc. perhaps even a legal expert or specialist in the area. Other
management systems require also an ‘evaluation of compliance’ with its compliance
obligations (including statutory and regulatory requirements) i.e. 14001, 45001 etc. ISO 9001
requires an audit programme to be planned, taking into consideration ‘changes affecting the
organization’ – which might imply auditing for evaluation of compliance. The organization may
choose to use the same auditor to evaluate all statutory and regulatory requirements relating
to the product, service, health and safety, environmental etc.
ISO 19011 - 7.2.3.2 d) The auditor should be aware of, and work within, the organization’s
legal and contractual requirements. Knowledge and skills should cover the following: Laws
and regulations and their governing agencies; basic legal terminology; and, contracting and
liability.
The major requirement though is to only use objective evidence: Unsubstantiated information
is not admissible, and it is the management system that is being audited and not a legal
compliance audit.
Please see additional guidance on evaluating legal compliance in your references

section.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Documented information is defined as:

‘Information required to be controlled and maintained by an organization and the medium on
which it is contained’.
Documented information can be in any format and media and from any source, and can refer
to: The quality management system, including related processes; information created in order
for the organization to operate (documentation); or evidence of results achieved (records).
[SOURCE: ISO 9000]
As part of the alignment with other management system standards a common clause on
'Documented Information' has been used within the standard.
The terms ‘documented procedure’ and ‘record’ have both been replaced throughout the
requirements text by ‘documented information’.
Where ISO 9001:2008 would have referred to documented procedures (e.g. to define, control
or support a process) this is now expressed as a requirement to maintain documented
information.
Where ISO 9001:2008 would have referred to records this is now expressed as a requirement
to retain documented information.
Clause 8.1 also refers now to ‘determining, maintaining and retaining documented
information’.
Requirements for QMS documentation:
ISO 9001
Documented Information Requirements
Clause:
4.1
4.2
4.3 Maintained scope
Maintained documented information to the extent necessary to support the

operation of processes, and retained documented information to the extent
4.4
necessary to have confidence that the processes are being carried out as
planned
5.1
5.2 Maintained quality policy (5.2.2)
5.3
6.1
6.2 Maintained quality objectives (6.2.1)
6.3
Retained evidence of fitness for its purpose, as a monitoring and
measurement resource (7.1.5.1)
7.1
Where no such standard exists (measurement standards), the basis used for
calibration or verification (7.1.5.2 a) – retained
ISO 9001
Clause:
7.2 Retained appropriate evidence of competence
7.3
7.4
Required by this International Standard (7.5.1 a)

Determined by the organization as being necessary for the effectiveness of
7.5 the QMS (7.5.1 b)
Documented information of external origin determined by the organization to
be necessary for the planning and operation of the QMS (7.5.3.2)
Determining, maintaining and retaining documented information to the extent

necessary to have confidence that the processes have been carried out as
8.1
planned, and to demonstrate conformity of products and services to
requirements (8.1 e)
Retained the results of the review, including any new requirements for the
8.2 products and services, relevant amended documented information
(8.2.3.2/8.2.4)
Demonstrate that design and development requirements have been met
(8.3.2 j)
Retained documented information on design and development inputs (8.3.3)
Design and development control activities – retained (8.3.4 f)
8.3
Retained documented information on design and development outputs
(8.3.5)
Design and development changes, results of reviews, authorizations and
actions taken (8.3.6)
Retained documented information of the evaluation, selection, monitoring, re-

8.4
evaluations of external providers, and any necessary actions (8.4.1)
Availability - defining the characteristics of the products and services, or the

activities to be performed (8.5.1 a) 1))
Availability – defining the results to be achieved, (8.5.1 a) 2))
Retained to maintain traceability (where traceability is a requirement) (8.5.2)

8.5
Customer, or external providers property (lost, damaged etc.) on what has
occurred (8.5.3)
Retained description of the results of the review of changes, the persons
authorizing the change, and any necessary actions (8.5.6)
Retained evidence of conformity with the acceptance criteria

8.6
Traceability to the person(s) authorizing release of products and services
ISO 9001
Clause:
Describing the: nonconformity, actions taken, concessions obtained, and on
8.7 the authority that decided the action in respect of the nonconformity –
retained (8.7.2)
Retained evidence of the results of monitoring, measurement, analysis and
9.1
evaluation activities (9.1.1)
Audit programme (9.2.2)
9.2
Retained evidence of the implementation of the audit programme and the
audit results (9.2.2 f)
9.3 Retained evidence of the results of management reviews (9.3.3)
10.1
Retained evidence of the nature of the nonconformities and any subsequent
10.2
actions taken and the results of any corrective action (10.2.2)
10.3
*** The underlined text forms the key decisions to be taken ***
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
In order for delegates to achieve the overall learning objectives, you will now need to acquire
and develop specific skills; by practising and testing the knowledge gained in real/simulated
audit situations. These are also specified as ‘enabling objectives’, and can be considered as
steps to the achievement of learning objectives.
We will now look at the ‘skills’ elements.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 15: Initiating the audit
Purpose:
To practise and test the skills for initiating an audit.
Duration:
15 minutes whole class
10 minutes classroom discussion/review
Directions:
You are currently working for a renowned manufacturing supplier that makes plastic panels
for the car industry. This involves plastic injection moulding equipment which utilizes high
pressures and heavy presses. Your organization is called ‘Plastico’.
Whole class, please ask the tutor questions to complete this stage. This includes speaking to
your audit client (Purchasing Director), your programme manager (Quality Manager) and then
the auditee’s management.
Please note: Initial contact with the auditee should also include requesting access to
information on the risks and opportunities the organization has identified, and how these are
addressed; also the determination of any areas of risk to the auditee, in relation to the specific
audit. Resolution of any issues regarding the composition of the audit team, with the auditee
or audit client, will also be necessary.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 16: Document review
Purpose:
To practise and test the skills for carrying out a document review, in preparation for an audit.
Duration:
60 minutes groups
Directions:
In groups, please now perform a document review of the case study organization. Please also
include in your desktop review an audit of their Quality Policy, Scope and gain a basic
understanding of their business processes. Be prepared to feedback your findings to the other
groups. Use the template that follows.
Please note: Delegates might wish to either allocate sections of the complete documented
information to each group member, or limit reading to the Managing Director’s introduction to
LLL and the organization’s ‘Quality Management System Overview – QM001’. As long as a
sufficient document review is carried out in preparation for your audit.
Please note: Performing review of documented information should take into account the
context of the auditee’s organization, and its related risks and opportunities.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
ISO 9001 - Minimum documentation COVERED IN THE: Case Study

requirements: documentation?
4.1
4.2
4.3 - Maintained scope
4.4 - Maintained documented information to the

extent necessary to support the operation
of processes, and retained documented
information to the extent necessary to
have confidence that the processes are
being carried out as planned
5.1
5.2 - Maintained quality policy (5.2.2)
5.3
6.1
6.2 - Maintained quality objectives (6.2.1)
6.3
7.1 - Retained evidence of fitness for its

purpose, as a monitoring and
measurement resource (7.1.5.1)
Where no such standard exists
(measurement standards), the basis used
for calibration or verification (7.1.5.2 a) -
retained
7.2 - Retained appropriate evidence of

competence
7.3
7.4

7.5 - Required by this International Standard

(7.5.1 a)
Determined by the organization as being

necessary for the effectiveness of the QMS
(7.5.1 b)
Documented information of external origin

determined by the organization to be
necessary for the planning and operation
of the QMS (7.5.3.2)
8.1 – Determining, maintaining and retaining

documented information to the extent
necessary to have confidence that the
processes have been carried out as
planned, and to demonstrate conformity
of products and services to requirements
(8.1 e)
8.2 - Retained the results of the review,

including any new requirements for the
products and services, relevant amended
documented information (8.2.3.2/8.2.4)
8.3 - Demonstrate that design and development

requirements have been met (8.3.2 j)
Retained documented information on
design and development inputs (8.3.3)
Design and development control activities
– retained (8.3.4 f)
Retained documented information on
design and development outputs (8.3.5)
Design and development changes, results
of reviews, authorizations and actions
taken (8.3.6)
8.4 - Retained documented information of the

evaluation, selection, monitoring, re-
evaluations of external providers, and any
necessary actions (8.4.1)

8.5 - Availability - defining the characteristics of
the products and services, or the activities
to be performed (8.5.1 a) 1))
Availability – defining the results to be
achieved, (8.5.1 a) 2))
Retained to maintain traceability (where

traceability is a requirement) (8.5.2)
Customer, or external providers property

(lost, damaged etc.) on what has occurred
(8.5.3)
Retained description of the results of the
review of changes, the persons authorizing
the change, and any necessary actions
(8.5.6)
8.6 - Retained evidence of conformity with the

acceptance criteria
Traceability to the person(s) authorizing
release of products and services
8.7 - Describing the: nonconformity, actions

taken, concessions obtained, and on the
authority that decided the action in respect
of the nonconformity – retained (8.7.2)
9.1 - Retained evidence of the results of

monitoring, measurement, analysis and
evaluation activities (9.1.1)
9.2 - Audit programme (9.2.2)

Retained evidence of the implementation
of the audit programme and the audit
results (9.2.2 f)

9.3 - Retained evidence of the results of

management reviews (9.3.3)
10.1
10.2 - Retained evidence of the nature of the

nonconformities and any subsequent
actions taken and the results of any
corrective action (10.2.2)
10.3
***The underlined text above forms the key decisions taken by the organization***
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 17: Audit plan
Purpose:
To practise and test the skills for preparing an on-site audit plan that is appropriate to the
defined objectives, scope, criteria, and the organization’s context and processes.
Duration:
45 minutes groups
Directions:
Working in groups, use the template from Activity 7 to create an audit plan that will achieve
the audit objectives, discovered in Activity 15, for LifeLong Learning (LLL).
The tutor will provide more help to one group, so that an typical example (from practice) can
be shown to other groups.
The tutor will then invite other groups to critique each group’s answers during feedback, and
then recap the main learning points.
Please note: The audit team leader should take a risk-based approach to planning, based on
the audit programme and the documented information provided. The audit team leader
should also consider opportunities to improve the effectiveness and efficiency of the audit
activities, and the risks to achieving the audit objectives created by ineffective audit planning.
Audit planning should also address or reference: The processes to be audited; the locations
(physical and virtual); the need to familiarise themselves with the auditee’s facilities and
processes; reviewing information and communication technology; allocation of resources
based on risks and opportunities; and follow-up actions (e.g. lessons learned, project
reviews).
Activity 18: Work documents
Purpose:
To practice and test the skills for preparing the necessary work documents: Checklists, sampling
plans and forms.
Duration:
(This will be used for the audit of top management – tested in Activity 21)
Directions:
Working in groups, please create checklists for your interview with top management. (You may
wish to split the question topics up for each team member to focus on)
Audit Criteria – ISO 9001 (Clauses of possible note: 5, 6 (Top level), 9.3, and elements of 4 -
purpose, strategic direction, intended results(s), expectations etc.)
Audit objective and scope as per Activity 15
Auditee representative – Managing Director
Specific documented information in the case study material of possible interest:

Managing Director’s introduction to LLL
Quality Management System Overview:
• Scope of the Quality Management System
• Exclusions
• Quality Policy
• Organization Chart
• Responsibilities and Authorities
• LifeLong Learning Process interrelationships
Management Review, context of the organization and objectives
Activity 19: Opening meeting
Purpose:
To practise and test the skills to conduct an opening meeting for a QMS audit.
Duration:
20 minutes whole class observe video and comment
30 minutes in groups plan and carry out an opening meeting
Directions:
1. Whole class, please observe the second-party audit - opening meeting (video) for LLL, and
then comment for its suitability and effectiveness.
2. Then, in groups, plan and carry out an opening meeting, in accordance with your audit
plan for LLL. The tutor will then select one group to carry out the actual opening meeting.
The other group to observe, take notes, and comment as appropriate.
Please note: Names are different in the video to LLL!
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 20: Observations
Purpose:
To practise and test the skills required for a site tour, and collect evidence through
observations.
Duration:
20 minutes in pairs
Directions:
Please refer to Section 3 of your References section. There you will find 22 photographs. The
tutor will allocate sections of photos to different groups, so that all photographs can be
covered within the time allocated.
Assume you are making these observations as you walk around the organization’s site. Please
record what questions you might ask: In relation to the observations made.
Your tutor will talk through some of the typical observations, for one photograph, to start you
off.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Your tutor will now show you a video covering a top management audit.
Some areas to consider/feedback are:
1. What clauses of the Standard are being audited?

2. The ability to manage meetings and audit interviews effectively with top management
3. The ability to follow audit trails with top management
4. The ability to collect and verify appropriate audit evidence, including appropriate sampling
5. The purpose and the intended result(s) of the management system, and the relevant
external and internal issues, as determined by the organization
6. The relevant interested parties and any relevant requirements that have been determined
by the organization
7. The scope of the management system in relation to its:
• External and internal issues
• Requirements of relevant interested parties
• Products and services
8. The management system policy and objectives have been established and that they:
• Are compatible with the organization’s context and strategic direction
• Have been communicated/are available to relevant interested parties
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 21: Auditing ‘top management’
Purpose:
To practice and test the skills required, as an auditor, in a review of top management at an
organization.
Time is normally very limited for this audit with top management – so focus on the important
questions and evidence expected. Assume all your samples are already contained in your case
study documented information.
Duration:
45 minutes for audit and with tutor feedback
10 minutes to review/reflect and summarize findings in preparation for Activity 30 (your Audit
Report).
Directions:
In your allocated teams (using your output from Activity 18), interview the Managing Director
of ‘LifeLong Learning Ltd (LLL)’ who will be played by the tutor. Each group will be allowed to
ask questions in turn. When you are not asking questions please follow the audit and take
notes of evidence provided. These may provide further useful audit trails for yourself.
You should note the information given to you, and be prepared to discuss in class what this is
and how you might use this during the audit.
You and your team should also be prepared to discuss auditor/auditee body language issues
and tone and language used for top management.
Please note: Auditors should also aim to interview top management to confirm that they have
an adequate understanding of the discipline-specific issues relevant to their management
system, together with the context their organization operates within, so that they can ensure
that the management system achieves its intended results. Auditors should not only focus on
leadership at the top management level but should also audit leadership and commitment at
other levels of management, as appropriate.
*An example Quality Policy has been added to Section 4 of your References section.*
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 22: Auditing ‘Context of the organization’
Purpose:
To practice and test the skills required, as an auditor, in a review of the overleaf audit criteria
at an organization.
Assume all your samples are already contained in your case study documented information.
Duration:
15 minutes work documents preparation
10 minutes to review/reflect and summarize findings
Directions: (Part A)
In your allocated teams, create work documents for the areas allocated, then start auditing.
Each group will be allowed to ask questions in turn. When you are not asking questions
please follow the audit and take notes of evidence provided. These may provide further
useful audit trails for yourself.
Audit Criteria – The organization’s ‘Context of the organization’ documented information, ISO
9001 Clause 4, and audit trails from the top management interview.
Audit objective and scope as per Activity 15.
Auditee representative(s) – You decide!
Please note: Auditors should have relevant sector-specific knowledge and understanding of
the management tools that organizations can use in order to make a judgement regarding
the effectiveness of the processes used to determine context.
Directions: (Part B)
After the audit, spend 10 minutes reflecting on your audit and summarize the main findings
(good and bad) in preparation for Activity 30 (Audit Report).
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 23: Auditing ‘Planning for the QMS’
Purpose:
To practice and test the skills required, as an auditor, in a review of the overleaf audit
criteria at an organization.
Assume all your samples are already contained in your case study documented information.
Duration:
In your allocated teams, create work documents for the areas allocated, then start
auditing. Each group will be allowed to ask questions in turn. When you are not asking
questions please follow the audit and take notes of evidence provided. These may provide
further useful audit trails for yourself.
Audit Criteria – Organization’s planning for the QMS processes, ISO 9001 Clause: 6, and
audit trails from your previous audits.
Auditee representative – You decide!
Please note: An audit of an organization’s approach to the determination of risks and

opportunities should not be performed as a stand-alone activity. It should be implicit during
the entire audit of a management system, including when interviewing top management.
The organization’s treatment of its risks and opportunities, including the level of risk it wishes
to accept and how it is controlled, will require the application of professional judgement by the
auditor.
(good and bad) in preparation for Activity 30 (Audit Report)
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 24: Auditing ‘risks and opportunities’ video
Purpose:
To discuss the auditors approach to assessing risks and opportunities.
Duration:
15 minutes – 1st video
15 minutes classroom discussion
5 minutes – 2nd video

Directions:
Your tutor will now show you two videos covering audits of ‘determining risks and
opportunities’.
Areas to consider are:

• Extent of documented information needed
• What clauses of the standards are being discussed
• What are the findings? Intent/Implementation or Effectiveness?
• Are there any audit trails?
• Identify good/bad audit practice
Auditors should apply professional judgement during the audit process and avoid
concentrating on the specific requirements of each clause of the standard at the expense of
achieving the intended outcome of the management system. Some ISO management system
standard clauses do not readily lend themselves to audit in terms of comparison between a
set of criteria and the content of a procedure or work instruction. In these situations, auditors
should use their professional judgement to determine whether the intent of the clause has
been met. Please remember though: Auditors should be focused on the intended result of the
management system throughout the audit process. While processes and what they achieve
are important, the result of the management system and its performance are what
counts.
A process is defined as a: ‘set of interrelated or interacting activities that use inputs to deliver
an intended result’.
Identifying the processes that drive an organization’s activities, products and services helps to
understand the ‘coherent System’, and thus the risks incurred and the appropriate controls.
Whether you are attempting to audit existing processes or you are auditing new ones, an
important stage is the accurate identification of inputs, outputs, controls and resources. In
order to capture the information, it is useful to construct a diagram to identify all the elements
of a process, as on the slide. Creating the diagram will also help focus attention on the need
for the process in the first place – you may find that it has evolved rather than been designed.
During this sort of analysis, it is sometimes hard to know whether you are auditing a process
or a series of processes, where the output of one process is the input into the next process.
Note, in some processes, some inputs become outputs without any transformation e.g. a
blueprint used in a manufacturing process or a catalyst in a chemical process. A process
where the conformity of the resulting output cannot be readily or economically validated is
frequently referred to as a ‘special process’.
Note that a ‘procedure’ is a ‘specified way to carry out an activity or a process’, which may be
a documented set of instructions, or simply an established way of doing a specific task that
itself forms part of a larger process. In ISO 9001 this might be considered captured, in the
main, by ‘the availability of documented information that defines the activities to be
performed and the results to be achieved’ 8.5.1 a) Control of production and service
provision.
QMS04101ENIN v6.0(AD03) Feb 2020 Copyright © 2020 BSI. All rights reserved. ‹#›
**Please now refer to your References section for a template that may assist you when
preparing for the process audits coming up next**
As mentioned previously, there are three main dimensions to auditing:
Assessment of the documented management system (INTENT)

Assessment of the degree of implementation (IMPLEMENTATION)
Assessment of the QMS effectiveness (EFFECTIVENESS)
It is therefore important not to forget about process effectiveness. The definition of

effectiveness, from (Annex SL) is: ‘extent to which planned activities are realized and planned
results achieved’.
‘Planned Activities’ are considered as the means, methods, and internal requirements by which
the organization intends to achieve planned results of a given process to meet requirements.
Planned activities include conformity to process requirements and processes.
Please note, ‘Process Effectiveness’ includes a consideration of both:

Process realization - the extent to which planned activities are realized; and
Process results - the extent to which planned results are achieved.
(An EXAMPLE therefore, from an auditor’s findings, which has taken into
consideration process effectiveness)
Process: Tendering
Reviewed documents/evidence:
Management’s description of the process (Management Interview)
Documented tendering process ‘TENPROC’ 23rd Jul 2018
………etc.
Planned activities: Have been fully realized.
Methods for determining process results are: Returned on time on-going target (98%),
……etc.
Results: Weekly review minutes (wk 34, 36 and 40) state on-going sales team’s concern with
the timely completion of tenders (currently 78%), although no investigation/action has yet
been taken…..etc.
Planned results: not achieved and appropriate action is not taken.
There are therefore basically: ‘Five steps to a finding’ here.
Remembering this should help all auditors when structuring their documented evidence, to
include process effectiveness i.e.
1. Objective evidence as bullet point/list

2. Planned activities have been fully realized / not fully realized / not realized
3. Methods for determining process results are:
4. Result:
5. Planned results achieved /not achieved but actions being taken/ not achieved and
appropriate actions not taken.
Activity 25: Auditing the organization’s processes (1)
Purpose:
To practice and test the skills required, as an auditor, in a review of the audit criteria below,
and specifically practice process auditing skills. Assume all your samples are already contained
in your case study documented information.
Duration:
Each group will be allowed to ask questions in turn. When you are not asking questions please
follow the audit and take notes of evidence provided. These may provide further useful audit
trails for yourself.
Audit Criteria – Organization’s processes: PD1-3 (and relevant parts of PD7-9), ISO 9001
(Typical clauses that may be applicable include: 7, 8.1, 8.5.1-3, 8.4.1/2, 9.1), and audit trails
from your previous audits.

Purpose:
Duration:
Audit Criteria – Organization’s processes: QPR1 – PD5 (and relevant parts of PD7-9), ISO
9001 (Typical clauses that may be applicable include: 8.2, 8.4.3, 8.5.4, 8.5.6, 8.6, 8.7, 9.1),
and audit trails from your previous audits.

Purpose:
Duration:
Audit Criteria – Organization’s processes: PD6 and Customer feedback (and relevant parts of
PD8-9), ISO 9001 (Typical clauses that may be applicable include: 8.5.5, 9.1/2, 10), and audit
trails from your previous audits.

Nonconformities can be graded depending on the context of the organization and its risks.
The grading can be quantitative (e.g. 1-5) and qualitative (e.g. minor, major).
Minor nonconformity: Nonconformity that does not affect the capability of the management
system to achieve the intended results (ISO/IEC 17021-1:2015 3.13)
Example: Nonconformity: Training is not being evaluated for effectiveness as required by ISO
9001. During the audit the personnel manager stated (admissible statement) that monitoring
of training effectiveness has not been performed on training activity ‘123’ (required for
necessary competence).
ISO 9001 Clause 7.2.c) requires that training (necessary for competence) is evaluated for
effectiveness.
Major nonconformity: Nonconformity that affects the capability of the management system
to achieve the intended results (ISO/IEC 17021-1:2015 3.12)
Nonconformities could be classified as major in the following circumstances:

• If there is a significant doubt that effective process control is in place, or that products or
services will meet specified requirements
• A number of minor nonconformities associated with the same requirement or issue could
demonstrate a systemic failure and thus constitute a major nonconformity
Example: Nonconformity: Documented information of the design and development control

activities is not retained. The design manager stated (admissible statement) that designers did
not need to keep any documentation of control activities, and none were identified during the
audit.
ISO 9001 Clause 8.3.4 requires documented information of the design and development
control activities to be retained.
Activity 28: Nonconformities
Purpose:
To practise and test the skills required, as an auditor, to recognize nonconformity and
write/grade nonconformity reports correctly.
Duration:
Directions:
1. Individually, review the scenarios contained in your references section (for this activity) and
answer the questions posed.
After a classroom discussion:
2. The tutor will select a nonconformity(ies). In groups, please each write a nonconformance
statement on a flipchart for all groups to then review (groups will assess to ensure the
statement is: Complete, concise and correct). Please use the format covered on the last
slide (examples), and in the specimen exam paper.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 29: Closing meeting
Purpose:
To practise and test the skills to present audit conclusions and recommendations clearly in a
closing meeting.
Duration:
15 minutes whole class observe video and comment
45 minutes whole class plan and carry out a closing meeting
Directions:
1. Whole class, please observe the second-party audit - closing meeting (video) for LLL, and
then comment for its suitability and effectiveness.
2. Then, whole class, plan and carry out a closing meeting: Concluding on your recent audit
activities of the case study this week. The tutor will select one delegate to act as the team
leader and all other delegates are then to write one (different) nonconformity statement
out (from your audit of LLL) and be ready to present it during the meeting – as prompted
by your team leader.
Note/ If there are more than 10 delegates your tutor may split the class into two, for the
purpose of ensuring the meeting runs effectively.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
Activity 30: Audit report
Purpose:
To practise and test the skills to present audit conclusions and recommendations.
Duration:
60 minutes individually, then a 5 minutes reflection/application to own workplace
Directions:
Working individually, prepare an audit summary report - to be given to the tutor for marking.
Please record no more than 2-3 sides of A4 paper please (or equivalent).
Please include:
A unique reference number
Auditors in team with yourself identified as the Audit Team Leader
Audit Objective, Scope and Criteria
Auditee’s interviewed
Executive summary detailing:
• Total number of minors/major nonconformities/OFI’s/observations
• The main positive encountered during the audit
• The main area of weakness in the system including ISO 9001 clause
• One nonconformity report
• Assessment of intent – paragraph detailing the main area of weakness and strength
• Assessment of implementation – paragraph as above
• Assessment of effectiveness – paragraph as above
• Recommendation/Conclusions
Activity 31: Audit follow-up
Purpose: To practise and test the skills to evaluate proposals for corrective action, and
differentiate between correction and corrective action.
**Correction – action to eliminate a detected nonconformity
**Corrective action – action to eliminate the cause of a nonconformity and to prevent

recurrence
Duration:
30 minutes in pairs
Directions:
Following a recent audit your team conducted, five nonconformities (contained in your
references section for this activity) have been raised.
First, review the nonconformities raised with your neighbour; also the proposed corrective
actions sent to you from the organization. Then, you can accept the actions proposed by the
organization, or if you do not, then note down why it would not be acceptable and what might
be acceptable proposals. This will then be discussed with the tutor.
Activity 32: Specimen exam paper
Purpose:
To practise and test the skills required (for section 4 of the exam): To analyse audit situations,
evaluate audit evidence and apply knowledge of the audit criteria correctly.
Duration:
Directions:
Individually, complete section 4 of the specimen exam paper.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
CQI and IRCA (Chartered Quality Institute and The International Register of Certificated
Auditors) are internationally recognized as a certification body providing auditor registration.
See CQI and IRCA website (www.quality.org), for details of the QMS Auditor scheme
requirements and guidance.
Code of conduct - All CQI and IRCA certified auditors are required to agree in accordance
with, and be bound by, the Code of Conduct found within the ‘CQI professional code of
conduct’ document, available in your References section.
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
COURSE REVIEW
Learning objectives describe in outline what delegates will know and be able to do by the
end of the course.
On completion, successful delegates will have the knowledge and skills to perform first,
second and third-party audits of quality management systems against ISO 9001, in
accordance with ISO 19011 and ISO/IEC 17021, as applicable.
Knowledge:
Explain the purpose of:
• A QMS
• QMS standards
• Management system audit
• Third-party certification
• Business benefits
• Explain the role and responsibilities of an auditor to plan, conduct, report and follow-up a
QMS audit in accordance with ISO 19011, and ISO/IEC 17021, as applicable
Skills:
Have the skills to:
• Plan
• Conduct
• Report, and
• Follow-up an audit of a QMS to establish conformity (or otherwise) with ISO 9001 and in
accordance with ISO 19011, and ISO/IEC 17021, as applicable
……………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………
………………………………………………………………………………………………………………
……………

02 Slides - QMS04101ENIN - v6 (AD03) - Feb2020

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

02 Slides - QMS04101ENIN - v6 (AD03) - Feb2020

Uploaded by

Copyright:

Available Formats

CQI and IRCA Certified ISO 9001:2015 Lead Auditor Training Course

Delegates are expected to have the following prior knowledge:

To maintain credibility, organizations need competent auditors. Recognized and valued

In addition, this course will help you:

• Identify the aims and benefits of an ISO 9001 audit

The tutor will inform you of the nearest restrooms.

Your tutor(s) will introduce themselves.

We will start with the ‘knowledge’ elements.

Second-party – External provider audit, or other interested party audit

Third-party – Certification and/or accreditation, or statutory, regulatory and

Activity 1: Differences between first, second and third-party audits

The tutor will then review your feedback.

Certification bodies are accredited to carry out independent audits of organizations to

Impact of IAF Mandatory Documents on third-party audits (Extracted from: IAF GD

Accreditations granted by accreditation body members of the IAF Multilateral

Certification is an independent assessment of both an organization’s implementation and

Certification may be awarded by an organization that is not accredited. In this case it is

Using an accredited certification organization provides a level of independent assurance for

Enhances reputation by demonstrating your organization’s commitment to good quality

• Repeat business and referral

Audit Process, (Generic) to any management system audit, is shown above.

Also there are three main dimensions to auditing:

• Assessment of the documented management system (INTENT)

Activity 2: Typical audit activities

Cards cover the below activities: (in no particular order!)

Cards (within headers above):

Main areas of similarities include:

Preparation – before the audit

A useful acronym is P.E.R.C:

Activity 3: Audit process differences

Three aspects need deciding:

If an organization makes washing machines and refrigerators, but the interest is in

Activity 4: Determine objectives, scopes and criteria

Resources for an audit could be split between:

People (Auditee’s) – Availability of person(s) responsible/managing the activity being

Logistics/infrastructure – Availability of meeting rooms/team meeting facilities, internet

Documented information during the audit – Documents, records, processes, programmes,

Generic knowledge and skills of management system auditors (Examples

Applicable Legal requirements that apply (Examples demonstrating an absence of

Discipline specific (Examples demonstrating an absence of competency)

Generic knowledge and skills of audit team leaders (Examples demonstrating an

The main parties involved will be the:

Main roles are:

Activity 5: Roles and responsibilities

• Review the labels and discuss

Activity 6: Audit methods

Stage 1: As defined by ISO 17021 (Conformity assessment. Requirements for bodies

• Confirming the duration of the audit

Stage 1 audit process and outputs.

See diagram overleaf.

Stage 2: As defined by ISO 17021:2015 (Conformity assessment. Requirements for

Assessing the ‘implementation’ and ‘effectiveness’ of the management system.

Some preparation considerations for this stage of the audit include:

• Determine scale of audit and resources required

There is an opening meeting, summary report, nonconformities if applicable, closing meeting

Activity 7: Audit plan template

This will be populated later.

The tutor will create an example format(s) for a checklist/Aide memoire, on a

• Establish the objectives of the sampling plan

How many would typically be sampled from the above?

Sample size should be based on:

Please refer to ISO 19011 A.6 (Page 37)

Advantages and disadvantages of using checklists.