LAC 9001 Course Material
Student Pack
Contents
About this course
Course objectives
Our methods
Quality Management Systems Auditor/Lead Auditor (ISO 9001:2015)
Common Clause Structure
Common Terms and Definitions
The Quality Management System (QMS)
Typical QMS structure
ISO 9000 Series
ISO 9000: Fundamentals & vocabulary
ISO 9001:2015 Clause Structure and Principles
Determining the Scope of the Management System
Documented Information
Records and Documents
Benefits of documentation
Documented Information – Definition and Context
Documented Information – Requirements
The principles of quality management
Customer focus
Leadership
Engagement of people
Process approach
Improvement
Evidence based decision making
Relationship management
Risk based thinking
ISO 9004: 2009 Managing for the sustained success of an organisation – A quality management approach
What is an audit?
ISO 19011 (Guidelines for Auditing Management Systems)
Terms and definitions
First party audits
Second party audits
Third party audits
Different audit objectives
Conformance audits versus effectiveness audits
Compliance audits
Improvement audits
Procedural audits
Process audits
Planning a process audit
Turtle diagram approach for planning a process audit
Key issues introduced when ISO 9001 adopted the Annex SL Format (Format used for aligning Management System Standards)
Context and Scope
Context considerations for employers of auditors
Context considerations for certified organisations
Determining the Scope of the Management System
Internal & External Issues
Leadership
Risks and Opportunities
The Effect of Uncertainty (Risk) on Planning
ISO 19011 Requirements for managing an audit program
Authority for the audit program
Establishing the audit program objectives
Determining and evaluating audit program risks and opportunities
Establishing the audit programme
Roles and responsibilities
Competence of people managing audit programme
Establishing extent of audit programme
Determining audit programme resources
Implementing the audit program
Monitoring & reviewing the audit program
Improving the audit program
Initiating the audit
Conducting the (Stage 1) documentation review
Preparing (Stage 2) audit activities
The Audit Plan
Audit checklists
Conducting (Stage 2) Audit Activities
Opening meeting
Guides
Collecting and verifying information
Preparing and Distributing the Audit Report
Classification of non-conformities
Preparing audit conclusions
Completing the Audit (Closing Meeting)
Typical closing meeting agenda items
Preparing approving and distributing the audit report
Summary report (simple example)
Completing the audit
Audit Follow Up Activities
ISO 19011 Auditor and lead auditor competences
General
Personal attributes
Knowledge and skills
Generic auditor knowledge and skills requirements
Specific auditor knowledge and skills requirements (QMS)
Lead auditor competence
About this course
Course objectives
This course has been developed to meet the criteria for a Quality Auditor/Lead Auditor Course. The
Learning Objectives of the course can be summarised as follows. The aim is to understand:
The purpose, benefits and typical structure of a Quality Management System (QMS)
Plan-Do-Check-Act (PDCA) methodology, and the process approach to Quality Management
The principles of Quality Management and how they relate to the QMS and ISO 9001
The purpose, scope and uses of the ISO 9000 series standards
The roles, responsibilities and competence requirements of auditors and lead auditors with reference to ISO 19011
Our methods
The most important thing to us is that at the end of the week you feel that you have learned
something worthwhile and that no-one could have worked harder than us to put you in the best
possible position and frame of mind to pass your exam and go on to make a good auditor. We can’t
do that by delivering a course that challenges you more to stay awake than to get your brain
working. For that reason you’ll find that we apply an approach of learning by doing, review,
discussion, team work and allowing you to have the occasional laugh along the way. The most
important thing you need to know is that it is your tutor’s job to make sure you learn, not yours, but
you must play your part by speaking up if there’s anything you are having difficulty with. Your tutor
will then need to work a bit harder to think of a way to help you. Don’t be afraid to ask questions.
Quality Management Systems Auditor/Lead Auditor (ISO 9001:2015)
This course has been developed around the 2015 issue of the ISO 9001 standard. ISO
9001:2015 is the first version of ISO 9001 that has adopted the “Annex SL” Common Management
System structure.
The content and implications of the significant clause requirements will be addressed in turn and in
detail later in this document.
Common Terms and Definitions
The importance of clearly defined and understood terms and definitions can’t be overstated. Their
purpose is to calibrate the use of the standard and reduce the potential for variation. It is important
to remember that many of the words used in ISO management system standards are also used in
everyday speech, and the everyday meaning of a word or term may differ from its definition in the
standard.
Term: Definition
Organisation: Person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives
Interested Party (or stakeholder): Person or organization … that can affect, be affected by, or perceive itself to be affected by a decision or activity
Requirement: Need or expectation that is stated, generally implied or obligatory
Management System: Set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives
Top Management: Person or group of people who directs and controls an organization at the highest level
Effectiveness: Extent to which planned activities are realized and planned results achieved
Policy: Intentions and direction of an organization, as formally expressed by its top management
Objective: Result to be achieved
Risk: Effect of uncertainty
Competence: Ability to apply knowledge and skills to achieve intended results
Documented Information: Information required to be controlled and maintained by an organization and the medium on which it is contained
Process: Set of interrelated or interacting activities which transforms inputs into outputs
Performance: Measurable result
Outsource: Make an arrangement where an external organization performs part of an organization’s function or process
Monitoring: Determining the status of a system, a process or an activity
Measurement: Process to determine a value
Audit: Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Conformity: Fulfilment of a requirement
Non-conformity: Non-fulfilment of a requirement
Corrective Action: Action to eliminate the cause of a nonconformity and to prevent recurrence
Continual Improvement: Recurring activity to enhance performance
Typical QMS structure
There are no rules as to how a QMS should be structured. More traditional systems are often based
on a 3 tier document hierarchy, although this is by no means a requirement. ISO 9001 does not
require that every conceivable aspect of the work is documented, and the extent of documentation
an organisation develops should be based on the size and complexity of operations. The organisation
must strike a balance between comprehensive documentation and ease of use. It is fair to say that
the more document-heavy the system becomes, the less user-friendly it will be. So documentation
should be developed and kept under review from the perspective of risk. That is, if we don’t
document this, are we inviting any problems on ourselves? In addition, certain customers may
require certain documentation, and this must also be a consideration.
[Figure: QMS document hierarchy. Recoverable labels: Quality Manual; High level system documents; LINKS TO]
ISO 9000 Series
The ISO 9000 series is a set of three related standards. They are:
ISO 9000:2015 Fundamentals and vocabulary (a guidance document)
ISO 9001:2015 QMS Requirements (the auditable standard)
ISO 9004:2009 Managing for the sustained success of an organisation (a guidance
document)
ISO 9001 is effectively the “engine” of the series. This is the auditable standard, and contains the set
of specific requirements that a conforming QMS must meet. ISO 9000 and ISO 9004 are
complementary guidance documents whose purpose is to aid the effective and consistent
application of the auditable standard (ISO 9001). ISO 9002 and ISO 9003 were withdrawn in 2003.
Term: Definition
Quality: Degree to which a set of inherent characteristics of an object fulfils requirements
Quality Management System: Management system with regard to quality
System: Set of interrelated or interacting elements
Process: Set of interrelated or interacting activities that use inputs to deliver an intended result
Procedure: Specified way to carry out an activity or a process
Product: Output of an organization that can be produced without any transaction taking place between the organization and the customer
Quality management: Management with regard to quality
Customer: Person or organization that could or does receive a product or a service that is intended for or required by this person or organization
Customer Satisfaction: Customer’s perception of the degree to which the customer’s expectations have been fulfilled
Continual improvement: Recurring activity to enhance performance
Improvement: Activity to enhance performance
Effectiveness: Extent to which planned activities are realized and planned results are achieved
Efficiency: Relationship between the result achieved and the resources used
Conformity: Fulfilment of a requirement
Nonconformity: Non-fulfilment of a requirement
Corrective action: Action to eliminate the cause of a nonconformity and to prevent recurrence
ISO 9001:2015 Clause Structure and Principles
The ISO 9001:2015 standard follows the Annex SL format, which means its main clauses are:
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
“The scope shall state the types of products and services covered, and provide justification for any
requirement of this International Standard that the organisation determines is not applicable to
the scope of its quality management system”
Exclusions, therefore (in the ISO 9001:2008 use of the word), may still be claimed, and must still be
justified, so in that sense there is no major change. In other words, and for example, if the
organisation has no design and/or development function then it may state that the requirements of
clause 8.3 do not apply. Clearly this claim of non-applicability must be consistent with the nature of
processes that operate within the scope of the QMS in order for that claim to be justified.
ISO 9001:2015 does not put any limits on claims of non-applicability in the way that ISO 9001:2008
limits claims of exclusion to its clause 7. This places a higher emphasis for detailed justification on
the organisation if it is to make any claim of non-applicability.
Documented Information
ISO 9001:2015 requires that an organisation maintains documentation appropriate to the needs of
its management system but, unlike previous versions of ISO 9001, it does not define any specific
mandatory procedures. Moreover whilst it remains a requirement for the organisation to “maintain”
a Policy and Objectives, there is no specific reference to any requirement that anything (apart from
the Scope of the Management System, Clause 4.3) be documented. There is no reference to
“Procedures required by this international standard” (i.e. there is no requirement to document any
specific procedures), and there is no requirement for a Quality Manual. It is left entirely up to the
organisation as to how it demonstrates conformity to ISO 9001:2015.
Records and Documents
There are numerous areas within ISO 9001 where there is a mandatory requirement to produce and
retain records. This emphasises a key point, that it is primarily RECORDS not procedures that are the
basis of an auditable system. Whilst procedures tell you what could/should/might happen, records
tell you what DID happen. Also, once produced, a record should not be changed. Documents, on
the other hand, contain information that is prone to change, and therefore version control is very
important.
Benefits of documentation
There are clear benefits of documenting critical aspects of the system. For example:
Reduced risk that knowledge leaves with the job holder
Documents can be used as training aids
Clarity of communications
Consistency of work methods
Records demonstrate facts and history and can be used to demonstrate conformity
Records and data can be reliably fed into the management review process
The definition is appended by some guidance notes that add context to the overall definition. They
are;
Note 1: Documented information can be in any format and media, and from any source
Note 2: Documented information can refer to:
o The management system and related processes
o Information created in order for the organisation to operate (documentation)
o Evidence of the results achieved
These notes therefore clarify that “documentation” includes both documents (that contain
information which may change and therefore require change control) and records (statements of
fact that should not change, but should be protected). Note 1 also indicates that “document” could
include hard copy printed documents, soft copy electronic documents, photographic instructions,
video clip procedures etc. The general auditing principle of “open mindedness” is important when
assessing documentation. Not all systems may be developed using “traditional” formats and
structures.
General
Creating and Updating
Control
Documented Information - General
The general requirement states that the organisation should develop documentation in two areas;
It is the second category of documentation that provides the greatest challenge for an auditor, as it
requires a judgement call. It is also important to understand that “procedure” and “documented
information” are not always the same thing. A control may be documented in a format other than a
traditional “procedure”.
The general requirement contains a guidance note that helps us with interpretation and
application. It states:
“The extent of documented information for a management system can differ from one
organisation to another due to:
The size of organisation and its activities, processes, products and services
The complexity of processes and their interactions
The competence of persons”
So what does that mean in practice? Well, for example, a small single site company with relatively
few simple processes and non-complex shift patterns may not have a large volume of complex
management system documentation. Procedures may be simple and communication systems may be
less formal, but the system may well still be fit for purpose and effective.
It also suggests that the competence of persons may affect the volume and complexity of
documentation. An example of where this may apply is in the case of time served tradespeople, such
as plumbers, carpenters and electricians. These activities rely heavily on the individual being
developed and approved as competent. This training and development process may be long and
structured, and be subject to assessment and approval, however once the tradesperson is approved
as competent, that person may well go from job to job without the need for complex procedures.
Obviously, for the work activity to be auditable, RECORDS must always be generated, but the
absence of a set of “plumbing” or “carpentry” procedures may not mean the activity is out of control.
A simple acid test that an auditor can apply to reach a decision on whether an absent procedure
causes a problem will be to assess the impact on new members of staff. People who have been in
the task for a while will generally have reached a position of competence somehow, and often they
will tell the auditor that (for them) a procedure is not required. That, however, does not mean that
the system does not require a procedure. Procedures are most useful for new members of staff and
people who are covering an absence at short notice. If new members of staff tell the auditor that a
procedure is not required, then that means that a procedure will add no value to anyone. In that
instance it is important to identify how the organisation exercises control by other means. Examples
could include;
A detailed and structured training and development programme prior to the person being
approved to work
Software and computer based controls
A written procedure is just one way that information can be documented and an appropriate level of
control applied. The level of industry regulation is also a factor that must be considered. An
organisation that is heavily regulated will normally be required to have more detailed
documentation than an organisation that is not subject to regulation. Again, the documentation
requirements place a heavy emphasis on the auditor being able to understand and apply
organisational context appropriately.
Documents therefore need to be fit for purpose, user friendly, identifiable and issued following a
structured review and sign off.
Availability
Protection
Distribution, access and retrieval
Storage and protection
Change control (appropriate to documents but NOT records)
Retention and disposal
Control of documents of external origin (e.g. drawings or a recipe from a customer,
manufacturer’s user manuals, technical specifications etc)
Customer focus
“The primary focus of quality management is to meet customer requirements and to strive to
exceed customer expectations”
Leadership
“Leaders at all levels establish unity of purpose and direction and create conditions in which people
are engaged in achieving the organization’s quality objectives”
Engagement of people
“Competent, empowered and engaged people at all levels throughout the organization are essential
to enhance the organization’s capability to create and deliver value”
Process approach
“Consistent and predictable results are achieved more effectively and efficiently when activities are
understood and managed as interrelated processes that function as a coherent system”
Improvement
“Successful organizations have an ongoing focus on improvement”
Relationship management
“For sustained success, organizations manage their relationships with relevant interested parties,
such as providers”
It is important that we appreciate that these principles are themselves interdependent.
A system, by definition, is a set of inter-related activities and processes. Nothing should be
viewed in isolation, and an effective QMS depends on effectively managing both the little picture
(the detail of the procedures) and the big picture (but are we still in business?).
“Effect of uncertainty”
However that short definition is accompanied by some explanatory notes to add context. Note 1
states that;
Thus introducing the concept of “upside risk” – a circumstance where things turn out better than
expected. Note 2 states that;
“Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood”
This emphasises the fact that not everything is known or even knowable, and a robust management
system is therefore one that accepts that and identifies what controls may be prudent in terms of
contingency. Note 3 states that;
“Risk is often characterised by reference to potential “events” and “consequences” or a
combination of these”
“Risk is often expressed in terms of a combination of the consequences of an event and the
associated “likelihood” of occurrences”
The traditional approach to the identification and assessment of risk is based upon the principles
referred to in notes 3 and 4. It is important to appreciate that this approach is not inconsistent with
ISO 9001:2015.
“The organization should assess the risks related to planned innovation activities, including giving
consideration to the potential impact on the organization of changes, and prepare preventive
actions to mitigate those risks, including contingency plans, where necessary”
ISO 9004:2009 Clause 9.3.5
In summary, the concept of “risk based thinking” in terms of a Quality Management approach,
requires an organisation to identify both the known and unknown variables and develop
proportionate approaches in terms of controls and contingency.
ISO 9004: 2009 Managing for the sustained success of an organisation – A quality management approach
ISO 9004 is a companion document to ISO 9001. Its purpose is to provide guidance to help users of
ISO 9001 to use it for maximum benefit, particularly with respect to applying ISO 9001 for continual
improvement. It provides a wider focus on quality management than ISO 9001; it addresses the
needs and expectations of all relevant interested parties and provides guidance for the systematic
and continual improvement of the organization's overall performance. ISO 9004:2009 is substantially
different to ISO 9004:2000 (Guidelines for performance improvement), although it has been
designed to be compatible with ISO 9001.
Revision hints
Could you explain the purpose and potential benefits of a documented QMS?
Could you explain the structure of a typical QMS?
Could you explain why it is only documents and not records that require version control?
Could you identify the Principles of Quality Management and explain the potential benefits
of applying each within a QMS?
Could you explain the difference and relationship between a procedure, a process and a
system?
Could you explain what the scope of the quality manual is and explain why defining the
scope is important?
Explain the underpinning QMS concept of “risk based thinking”
Could you describe the difference between ISO 9000, ISO 9001 and ISO 9004?
Could you describe the relationship between each of the three aforementioned documents?
Could you identify which of these three documents is an auditable standard, and describe
the difference between an auditable standard and a guidance document?
What is an audit?
People audit for lots of different reasons, so there are lots of different types of audit. They vary in
size (sometimes the audit takes in virtually all the company’s activities, sometimes just a single
procedure); they vary in complexity (sometimes there are lots of standards, specifications, customer
requirements and legislation to check on, sometimes not so many); and they vary in focus (why we
do the audit in the first place).
Each of these parameters has its own audit terminology (ISO 19011 definitions have been outlined
earlier). In plain English, the main parameters are:
It is critical that the auditor never loses sight of these parameters, and also that the parameters are
clearly understood by the auditee (more about communication requirements later). If nothing else,
an audit is a process designed to promote clarity and transparency. If it is shrouded in secrecy and
delivered as something of a black art, the auditor is doing the reverse.
Term: Definition
Audit: Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Audit Criteria: Set of policies, procedures and requirements used as a reference against which audit evidence is compared
Audit Findings: Results of the evaluation of collected audit evidence against the audit criteria
Audit Conclusion: Outcome of the audit provided by the audit team after consideration of the audit objectives and all audit findings
Audit Client: Organization or person requesting an audit
Auditee: Organization as a whole or part thereof being audited
Auditor: Person who conducts an audit
Audit Team: One or more auditors conducting an audit, supported if needed by technical experts
Technical Expert: Person who provides specific knowledge or expertise to the audit team
Audit Program: Arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose
Audit Plan: Description of activities and arrangements for an audit
Audit Scope: Extent and boundaries of an audit
Competence: Demonstrated personal attributes and demonstrated ability to apply knowledge and skills
Ethical Conduct: The foundation of professionalism. Trust, integrity, confidentiality and discretion
Independence: The basis for the impartiality of the audit and objectivity of audit conclusions
Due Professional Care: The application of diligence and judgement in auditing.
Fair Presentation: The obligation to report truthfully and accurately. Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and auditee are reported
Evidence Based Approach: The rational method for reaching reliable and reproducible audit conclusions in a systematic audit process. It is based on samples of information available since an audit is conducted within a finite period of time. The appropriate use of sampling is closely related to the confidence that can be placed in audit conclusions
Audit Evidence: Records, statement of fact or other information which are relevant to the audit criteria and are verifiable
First Party Audit: Internal audits … conducted by, or on behalf of, the organization itself for management review and other internal purposes, and may form the basis for an organization’s self declaration of conformity
Second Party Audit: Audits … conducted by parties having an interest in the organization such as customers or other persons on their behalf
Third Party Audit: Audits … conducted by external, independent auditing organizations, such as those providing registration or certification to conformity to the requirements of ISO 9001, OHSAS 18001 or ISO 14001
First party audits
“Internal audits … conducted by, or on behalf of, the organization itself for management review and
other internal purposes, and may form the basis for an organization’s self-declaration of conformity”
A first party (internal) audit process may well differ quite considerably to the process followed
during a second and third party audit due to its nature. The people involved will generally be more
familiar with one another, so a formal Opening Meeting may not be necessary, and, since it is an
audit performed by us on our own system, we usually set the scope, objectives and criteria for each
audit. The reason the word “usually” is used here is because sometimes when a company is working
for a particular customer, the customer may well dictate some of the parameters of the internal
audit regime as part of the contract requirements. Internal Audits, nonetheless, need to follow the
general principles outlined in ISO 19011 especially with regard to their effective planning, conduct,
reporting, follow-up and for the competence and independence of the internal auditors.
The most common type of second party audit is an audit by a customer on a supplier. Another
example would be a public sector organisation working to a set of Government requirements that is
then subject to periodic audit by a Government Inspectorate. In these cases although the auditing
body is external, they are not independent. They will be using the results in some way. For example,
if the outcome of a customer/supplier audit is very unfavourable, the customer may terminate the
contract. Generally speaking it is on a Second Party Audit where emotions run highest, because the
immediate consequences of a poor result are usually more severe than on a First or Third Party
Audit.
Certification schemes are common. Their intent is usually to provide customers with a higher degree
of confidence. The principle is that the company that carries the certification meets certain criteria
(for example for product characteristics, performance, or the way they conduct their business). In
order for customers to trust the certification, they need to trust the process that delivers
certification. For that reason certifications are often awarded and maintained through a program of
Third Party Audits. The independence of the auditing body adds confidence to the integrity of the
process and the true value of the certification. It is for that reason that ISO 19011 requires greater
independence of Third Party Auditors than it does of First Party Auditors, and why Accredited
Certification Bodies require their auditors to declare any potential conflicts of interest (such as
holding shares in the audited company).
Different audit objectives
Conformance audits versus effectiveness audits
Results are always important, and it should be a major objective of any auditor to clarify whether the
important results are being achieved. Methods, on the other hand, may or may not be critical. An
auditor will adopt a conformance approach when methods, as well as results, are important.
Generally this means that the activity will be supported by detailed procedures and those
procedures must be followed. This is common in heavily automated processes, many medical
processes and legal processes. Irrespective of whether results are good, there must be evidence that
the results were achieved in the right way, otherwise future problems are inevitable.
Sometimes methods are not critical. There may be a team of people working together, performing
similar job roles, but they may each have their own differing ways of doing things, and it may not
matter. Many support functions such as Sales, Marketing, Customer Services and Training may
actually require flexibility. This is generally because, unlike an automated manufacturing process, we
can’t control the consistency of the input to the process, so it may well need to be flexible to allow
for that. A good auditor must be able to apply common sense to the evidence and understand that
in some instances, differences in methods do not present significant risks and problems. In fact they
are a good thing because, in the examples previously identified, if the process is not flexible there
WILL be problems.
Compliance audits
The term “compliance” is reserved for audits where the criteria contain mandatory requirements,
most commonly legal requirements. In compliance audits there is understandably less of a
requirement for flexibility, but there is an increased requirement that the auditor very clearly
understands the requirements and interprets them correctly, as the potential impact can have a
significant implication for the auditee.
Improvement audits
Sometimes the primary focus of the audit is to establish whether situations are improving. This is a
common focus of a “follow up” audit. That is, sometime in the past a conformance, effectiveness or
a compliance audit identified problems and a follow up audit is scheduled some time in the future to
establish that problems have been resolved and things are getting better. In order for the auditor to
focus accurately on the audit objectives it is important that in planning the audit, the auditor does
some background research to establish the levels of past performance in order to clearly and
accurately report the “before” and “after” situation. This generally involves examining previous audit
results and process performance indicators in advance of performing the audit.
Procedural audits
A procedural audit will generally be quite narrow in scope and will look in detail at the execution of a
particular operation. Good procedural audits don’t just examine in detail whether the procedure is
being followed, but also if the procedure is effective. That is, is it a good thing that people are
following it? If the procedure is out of date or has major omissions, it might be better if people ARE
NOT following it. Procedural audits are useful at getting detailed information about conformity, but
usually limited to a single task or activity. Many internal (first party) audits will be procedural audits
(but a good internal audit system will not be made exclusively of them).
Process audits
Let’s start with some useful ISO 9000 definitions:
The key word that distinguishes the two terms is “inter-related”. A process is a collection of
activities, end to end, that transform the process input into its output (or outcome). The scope of a
procedural audit is usually quite narrow (i.e. a procedure for performing a specific test, servicing a
machine component, or logging an enquiry), but a process audit may, for example, follow this type
of broad path:
[Figure: Process Audit]
As a general rule, a procedural audit will have a very narrow scope and will focus on conformity
matters, whereas a process audit (as it takes in various interfaces and inter-relationships) will focus
more on efficiencies.
A process audit looks at the big picture, and is therefore a much bigger job. It is complex. Process
audits examine the efficiency of the operation. Why is efficiency important? Because given infinite
resources and time, anyone can deliver inefficient conformity. Conformity is important, BUT it must
be delivered at an acceptable price otherwise the customer will go somewhere else. That is why
efficiency is also important.
Turtle diagram approach for planning a process audit
Key issues introduced when ISO 9001 adopted the Annex SL Format
(Format used for aligning Management System Standards)
ISO 9001:2015 is the first issue of ISO 9001 that adopts the Annex SL common management system
format. The adoption of that format has introduced some significant considerations for auditors, as
it adjusted the focus on several issues (such as “documentation” and “risk”) and it raised the status
and importance of issues such as Top Management Commitment, the overall Effectiveness of the
system and the identification of Internal and External Issues.
Context considerations for employers of auditors
Organisations employing auditors (third party certification bodies, for instance) must consider
“context” when allocating an auditor to an audit client. Does the auditor have the appropriate sector
knowledge to be able to appreciate context? Would the auditor be able to take a reliable value
judgement on the appropriateness of controls specific to the context? Are we putting a square peg
into a round hole?
The fact that any given auditor is not able to audit effectively in any given context is not a weakness
on anybody’s part; it is purely a reflection on that auditor’s experience and background in a given
sector. It follows that, if an auditor has little or no exposure to a particular type of organisational
context, the auditor is probably going to struggle to reliably audit the appropriateness and
effectiveness of the controls. An auditor who has specialised throughout his/her professional life in
the construction industry, for example, is unlikely to be able to fully appreciate the context of a
Residential Care provider, at least not without the assistance of a sector specialist. The
consequences of a failure of an auditor to appreciate context could include:
A superficial audit
Unreliable and/or inappropriate findings
Friction and frustration
A loss of credibility for both auditor and the certification body
It is important to understand that whatever scope is defined by the organisation within its own
management system, will also be specified on the certificate. This helps prospective customers
understand the limits of the certification and prevents the organisation making false representation
by claiming certification for parts of the organisation that are not certified. Excluding parts of the
organisation from scope is in no way a dodge, as the scope that is stated on the certificate will not
include the excluded parts. The customer will then be able to make an informed decision as to
whether the certification the organisation holds is broad enough for its purposes.
Specifically, an organisation should carefully analyse its internal and external interfaces and identify
the internal and external interested parties, which will in turn help it to identify their needs and
expectations and develop controls appropriately. Annex SL identifies a number of examples that
could be considered;
Organizations (of various types and sizes): the decision-makers within an organization who
approve work to implement and achieve conformance to the MSS;
Customers/end-users, i.e. individuals or parties that pay for or use a product (including
service) from an organization;
Supplier organizations, e.g. producer, distributor, retailer or vendor of a product, or a
provider of a service or information;
Management system service (MSS) provider, e.g. MSS certification bodies, accreditation
bodies or consultants;
Regulatory bodies;
Non-governmental organizations
Obviously this list is neither exhaustive nor generic, but it offers guidance on the general principle
that key internal and external interfaces need to be identified, understood and managed. It is not
suggested that each interface or interested party is of equal importance, and an organisation, in
understanding the interface, must consider the most appropriate and efficient way of managing that
interface, appropriate to (among other things) its significance.
Leadership
The actions of top management are important. They are the decision makers, role models, enforcers
and also the financial supporters of the management system. Without an effective leadership
function, the management system will be adversely affected in a number of crucial ways.
In fact, whilst there will be some variation in the detailed requirements of the top management
function between different management system standards (such as the content of the Policy and its
specific communication requirements) the general requirements of top management don’t vary
significantly from one standard to the next. They will always contain the common elements of;
o Direction and support to personnel
o Promotion of a continual improvement culture
o Support to other levels of management
Policy
o Establishing, authorising and communicating the top level policy statement
Establishing the organisation’s management structure
o Defining roles and responsibilities, reporting structures
o Oversight of change management
The specific focus of Leadership will vary from one MSS to another, so each standard will contain
some specific variation within the Leadership clause. A QMS MSS, for example, will be primarily
customer and product focussed, an OHSMS MSS will be primarily focussed on matters of health and
wellbeing of those exposed to the organisation’s activities, and an EMS will be more focussed on
matters relating to the prevention of pollution.
There is also an additional specific requirement for Top Management intervention outside of Clause
5 – Management Review
“Effect of uncertainty”
However that short definition is accompanied by some explanatory notes to add context. Note 1
states that;
Thus introducing the concept of “upside risk” – a circumstance where things turn out better than
expected. Note 2 states that;
“Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood”
This emphasises the fact that not everything is known or even knowable, and a robust management
system is therefore one that accepts that and identifies what controls may be prudent in terms of
contingency. Note 3 states that;
“Risk is often expressed in terms of a combination of the consequences of an event and the
associated “likelihood” of occurrences”
Contingency should be proportionate to the level of uncertainty and its effect. That is, if something
is unlikely to occur and/or the effect of uncertainty is minor, a lot of contingency (which can be
expensive) would be disproportionate. Obviously when an auditor is assessing the appropriateness
of the level of contingency, it must be remembered that it is not a precise science. One of the factors
an auditor may consider when looking at whether contingency is appropriate (and to what level) is
whether the uncertain outcome has ever actually happened previously and, if it has, what were the
consequences.
Revision hints
In context of an audit …
Could you describe the purpose of ISO 19011 and how it is used?
Could you describe the difference between a 1st, 2nd and a 3rd party audit?
Could you explain the role of each of these in context of an audit;
o Client?
o Auditor?
o Auditee?
o Technical Expert?
Could you explain the term “audit scope” and describe why it is important that the scope is
clearly defined?
Could you explain the term “audit criteria” and give examples of typical criteria that
would be used during a 1st, 2nd and 3rd party audit?
Could you explain the meaning of audit scope, objective and criteria?
Could you explain why it is vital that each of the above is crystal clear from the outset of an
audit?
Could you explain the difference between conformance and compliance?
Could you explain the difference between conformance and effectiveness?
Could you explain the difference between a procedural approach and a process approach
and the strengths and limitations of each approach?
Could you explain how an auditor may assess whether the organisation has identified its
risks and opportunities and its significant Internal and External Issues?
ISO 19011 Requirements for managing an audit program
ISO 19011 defines this general process for the management of an audit program. It follows a clear
PDCA structure. The specific requirements of ISO 19011 relating to this overall process are detailed
later in these notes.
Authority for the audit program
It is important that the audit program is supported by top management and that authority for the
program is clearly seen to be supported from the top. There are several reasons for this, for
example:
People are more likely to see the audit as important, take it seriously and co-operate
In the event that the audit team requires resources to implement the program successfully,
these may often be required to be sanctioned by top management
Any audit barriers can be quickly removed
The consequences of a lack of support from top management can include;
Failure to provide sufficient resource to the audit function or a competent resource
Audits just don’t get done
Non-conformances don’t get closed, or if they are closed, they are only closed when no
additional resource is required
f) control of documented information, e.g. ineffective determination of the necessary
documented information required by auditors and relevant interested parties, failure to
adequately protect audit records to demonstrate audit programme effectiveness;
g) monitoring, reviewing and improving the audit programme, e.g. ineffective monitoring of
audit programme outcomes;
h) availability and cooperation of auditee and availability of evidence to be sampled.
Opportunities for improving the audit programme can include:
allowing multiple audits to be conducted in a single visit;
minimizing time and distances travelling to site;
matching the level of competence of the audit team to the level of competence needed to
achieve the audit objectives;
aligning audit dates with the availability of auditee’s key staff.
a) audit principles, methods and processes;
b) management system standards, other relevant standards and reference/guidance
documents;
c) information regarding the auditee and its context (e.g. external/internal issues, relevant
interested parties and their needs and expectations, business activities, products, services
and processes of the auditee);
d) applicable statutory and regulatory requirements and other requirements relevant to the
business activities of the auditee. As appropriate, knowledge of risk management, project
and process management, and information and communications technology (ICT) may be
considered.
The people managing the audit programme should engage in appropriate continual development
activities to maintain the necessary competence to manage the audit programme.
a) the financial and time resources necessary to develop, implement, manage and improve
audit activities;
b) audit methods;
c) the individual and overall availability of auditors and technical experts having competence
appropriate to the audit programme objectives;
d) the extent of the audit programme and audit programme risks and opportunities;
e) travel time and cost, accommodation and other auditing needs;
f) the impact of different time zones;
g) the availability of information and communication technologies (e.g. technical resources
required to set up a remote audit using technologies that support remote collaboration);
h) the availability of any tools, technology and equipment required;
i) the availability of necessary documented information, as determined during the
establishment of the audit programme;
j) requirements related to the facility, including any security clearances and equipment (e.g.
background checks, personal protective equipment, ability to wear clean room attire).
Scheduling audits
Evaluating auditors
Selecting audit teams
Directing audit activities
Maintaining records
So during a second or third party audit, establishing that this requirement for “implementing” the
audit is met involves more than checking that there is no backlog of audits on the current program.
It is a more systematic and holistic assessment of whether it is also fit for purpose and controlled.
Initiating the audit
Initiating the audit is effectively establishing the ground rules and requirements for the audit. It
includes establishing communication channels, methods, resource requirements, roles and
responsibilities and so on. It is important at this stage that these parameters and processes are
communicated to and understood by all parties involved in the audit (client, team members,
auditee), in order that the audit objectives can be achieved with maximum efficiency and the
minimum of disruption to the auditee’s operations. Sometimes this stage may include organising a
Preliminary Visit to the auditee. This is more common when the auditee organisation is large and/or
complex, and the audit team leader needs to pay a visit to the main sites principally to accurately
assess time and specialist resource requirements for the audit. Often these requirements can be
established through good pre-audit communication with the auditee, without the need for a visit.
One of the main considerations at this stage is estimating an appropriate time to allocate to the
audit. Audit duration will depend on the scope of the audit, the size and complexity of operations
and the number of auditors in the team. Third party certification bodies refer to the following table
as a guide in order to allocate time consistently to third party audits and ensure that all auditees
receive a similar degree of scrutiny.
At the end of the document review the audit team will need to make the decision as to whether the
onsite audits should proceed. They will also usually feed back any emerging findings to the auditee
immediately after the review has taken place in order that some or all of the issues may be
addressed in advance of the onsite audit.
which auditor is most qualified to audit which area, whether the team will need to come equipped
with any protective equipment, or alternatively to furnish the auditee with information on things like
coat and shoe sizes if the auditee will provide such items, what the working language of the audit
will be, including the potential requirement for a translator, and which documents will need to be
ready at each stage of the audit
Minimising time lost due to travel between sites and methods of travel
Where the auditors will stay overnight and who pays
The most efficient sequence of audit activities
How the audit team will stay in touch throughout the audit
How the auditee will be kept up to date of progress and by whom
At this stage it is important that the audit team leader remembers that the Audit Plan is a working
document not just for the audit team, but also for the auditee, so it must be agreed with them well
in advance, so that people can be ready, and presented in a readily understandable format. Once the plan has
been developed, the checklists will then follow. These can be considered “daughter documents” to
the plan. Checklists, however, are working documents only for the audit team and provide more
specific prompts to auditors regarding which trails to follow and what to clarify.
Audit plan (simple example, 1 auditor, 2 calendar days)
Audited organisation:
Date of audit:
Audit objective: To determine and report the extent of conformance of the management system of DND Couriers
to ISO 9001 requirements
Audit Timetable
Day 1
0900-0930 Opening meeting with DND Couriers HQ management team
1315-1400 Operational Planning (Jake Pegg)
Day 2
0945-1100 Facilities & Infrastructure (Walter Wall)
1430-1500 HR, Admin, Training (Chrissie White)
There is an example of an audit plan on the previous page. The example shows an audit plan for a
small single site organisation, over a period of 2 days, carried out by a sole auditor. It is therefore a
very simple example. An audit plan for a large, multi-site, complex organisation, involving a team of
2 or more auditors will be much more complex. The plan will need to be sufficiently detailed and
understandable to enable effective co-ordination of resources throughout the duration of the audit.
In simple terms the main purpose of the audit is to ensure that the right people are in the right
locations at the right time to be audited on a subject they have been informed of in advance.
Audit checklists
Auditors are only human and therefore fallible. The audit is only a sampling process, so by definition
the audit will always miss something. However it is unforgivable to fail to test an important area of
risk or a key requirement. A well thought out checklist reduces the chances that something
important will be missed, forgotten about, or overlooked in the “excitement”. The checklist is an
aide-memoire and a working document for the auditors. It is important that the checklist is
understandable to the user, so it is a good idea if each auditor constructs their own checklists; that
way they can use and understand, for example, their own abbreviations.
Checklist (example)
Audit Checklist
Date: 23 March
Audit of: DND Couriers
Area under review: Procurement/Suppliers
Auditee: Marcus Howe
Auditor: Terry Bell-Day
Columns: Assessment questions, Conforms?, Comments
How are suppliers evaluated? Methods? (8.4.1)
Auditor’s signature:
Conducting (Stage 2) Audit Activities
Effective planning reduces the chances of problems on site; however, if the auditors lack discipline
and focus, things can and do go pear-shaped at this stage very quickly. A successful on site audit will
involve an effectively managed and executed process, and demonstration of the necessary people
skills by the auditors (more about these competences in the next section).
Opening meeting
A good opening meeting will help to get things off to a good start. It will be chaired by the audit
team leader and delivered in the presence of senior management of the auditee organisation. Its
objective is to establish ground rules, to create transparency in the process, ensure everyone knows
what to expect and what co-operation the team will need, and finally to give the auditee a chance to
ask any questions. There is a sample agenda for an Opening Meeting below (adapted from ISO
19011).
Guides
Guides are important, especially if the site being audited is large, complex, dangerous, has parts where
access is restricted, or where special clothing or PPE is required. In many ways they are required to
help the auditors stay out of trouble and to find their way about the organisation in the safest and
most appropriate way. The main thing an auditor needs to be careful of with regard to the guide is
to avoid the guide becoming inappropriately involved in the audit activities. For example, during a
3rd Party QMS Audit, 9 times out of 10, the guide will be the System Manager. This is useful in many
ways as the guide can explain many documents, records etc. and may also have authority and the
knowledge to confirm and accept emerging findings.
The risk is that the System Manager may not be able to resist the temptation to intrude on parts of
the audit that involve other people (an audit involving an interview with an Operative, for example).
They may interrupt the Operative, correct them or even answer questions on their behalf. The
auditor should diplomatically and politely put a stop to this. It is vital during an audit that the
true situation is established, not what the procedure says should happen. On a sensitive or
potentially dangerous site, the auditor should not go anywhere without the guide.
It gives the auditee a chance to explain the situation if the auditor has misinterpreted the
evidence
It reduces the chances of argument in the Closing Meeting if a series of nasty surprises are
delivered
It is good manners and helps maintain good relations during the audit if there is
transparency
There are few things more infuriating than to spend an hour with an auditor and for the auditor to
walk away without giving any indication regarding the sufficiency of information that has been
supplied. It is not consistent with ISO 19011 and it is bad practice. Decisions on conformance must
be reached as the audit progresses.
The supporting evidence
Also notice how it is written in simple, clear language for the benefit of the auditee
Notice how the area reserved for “corrective action” is empty. This is because, when the report is
issued by the auditor, the corrective action, as an auditee responsibility, has yet to be determined.
This may be filled in during the Closing Meeting.
1 8.4.1
Description of non-conformity
ISO 9001 Clause 8.4.1 requires that records of the results of supplier evaluations shall be maintained.
During the audit it was established that, although Belgravia maintains close working relationships
with key suppliers, meetings between the Purchasing Manager and key supplier contacts including
any agreed action points, are usually not recorded. This was found to be the case with the following
suppliers (identified on the Approved Supplier List as “Key Suppliers”)
Issued by Accepted by
Classification of non-conformities
It is common for the client to request that non-conformities are graded to reflect their severity and
relative urgency for corrective action to be taken. Different clients have different classification
systems. Most systems, however, are variations on the theme detailed in the example below:
Major: A big problem. There may be a significant part of the audit criteria that has not been met (e.g. a major non-conformance to clause 4.5.5 could be that no internal audits have been completed for a year or more). These non-conformities carry a significant risk due to the potential for immediate adverse impact on the business. Major non-conformities require corrective action to be taken as a matter of urgency, as they are likely to be harming the company with each day that they remain open.
Minor: A smaller problem. There may be a part of the audit criteria that has not been FULLY met (e.g. a minor to clause 4.5.5 could be a 2 month backlog of internal audits, or a small number of corrective actions that have gone beyond their agreed deadlines for corrective action). Minor non-conformities generally affect internal operations and efficiency, with little or no immediate impact on product, service or customer. Corrective action is required (as the problem can escalate); however, minor non-conformities are not generally treated as matters of urgency, and may be given a more generous timescale for completion.
Observation/Opportunity for Improvement: A “nearly” problem or inefficiency. An observation or OFI is NOT a non-conformity and therefore does NOT require mandatory corrective action. It can be described as an instance where a system is “working but wobbling”. Requirements are being met, but only just. Observations are raised when an auditor sees a value in bringing the matter to the auditee’s attention, but corrective action is taken at the auditee’s discretion. The auditor will generally keep observations in view, as they have the potential to become non-conformities if the situation deteriorates. Auditors may also raise observations on apparent problems observed during the audit that were outside the scope of the audit being performed (e.g. possible environmental breaches).
Preparing audit conclusions
There will always be a reason for the audit (the objective), and the audit findings should contain a
clear and reliable conclusion, otherwise it will be unclear whether the audit objectives have been
achieved. In other words, “what does this all mean?” ISO 19011 provides the following guidance on
developing audit conclusions:
Audit Conclusions
Audit conclusions can address issues such as:
a) The extent of conformity of the management system with the audit criteria
b) The effective implementation, maintenance and improvement of the management system, and
c) The capability of the management review process to ensure the continuing suitability, adequacy, effectiveness and improvement of the management system
If specified by the audit objectives, audit conclusions can lead to recommendations regarding improvements, business relationships, certification/registration or future auditing activities.
If the Closing Meeting is formal (more common for 2nd and 3rd party audits) formal minutes may be
kept including a list of attendees and any points of disagreement that were encountered. The
auditor can increase the chances that the Closing Meeting goes well by taking the following precautions:
Clearly reference the audit findings to the audit criteria (explain it in simple terms if necessary)
Clearly identify and explain the specific objective evidence that supports the findings
Do not raise any findings (especially non-conformities) that were not discussed fully and agreed with the auditee at the point of discovery
If there is failure to reach agreement on any parts of the audit findings, the auditor must make a clear record of the situation and reasons for the disagreement.
Typical closing meeting agenda items
It is important that the lead auditor drafts a closing meeting agenda so that a clear structure can be
followed and no important aspects are left uncovered or unexplained. Typically it will include:
Introductions and thanks
Reiteration of audit scope, objectives and criteria
Description of the process that was followed and any difficulties encountered
Qualification of findings (findings are based on a sample, etc.)
Presentation of findings and the recommendation
Establish agreement of findings and commitment to course of corrective action
Explain to the auditee what will happen next
One of the more common failings in audit reporting is a tendency to report only the problems and
non-conformities. Whilst these are important, they form only part of the totality of findings. The
auditor must remember that the purpose of the report is to accurately identify the degree of
conformity with requirements. A failure to report areas of conformance is a major omission.
Summary report (simple example)
Audit Summary Report
Summary of findings
Over the course of the 3-day audit all key operational and management processes were sampled,
specifically at the following locations:
HQ (Henterbury)
Dunbridge Site Office
Castlebrough Distribution Centre
The 2 minor non-conformances that were raised during the initial assessment had been effectively
cleared by the time of the on-site audit and these have now been closed. Operational processes
were sound with good record keeping, communications, induction and training systems in place.
Operational infrastructure and environmental controls were adequate in order to meet defined
job requirements. The processes for fault reporting were well understood by staff and well
observed (however see NCR1 attached). Management processes at HQ were similarly well
documented within the manual, again with generally good levels of record keeping (however see
NCR2) and although some processes (internal auditing, formal documented management reviews)
were quite new, the early signs are promising with good levels of conformance to planned
arrangements. Obviously these new systems need to be kept under review and refined with the
benefit of experience and learning.
A further minor non-conformance was identified in the area of supplier approval (NCR3). Supplier
selection and management appeared generally adequate and fit-for-purpose, but records of the
reasons for using/not using a supplier were not always available. Overall a good
level of conformance to ISO 9001 was demonstrated, with good levels of staff awareness and
commitment shown from the top.
Recommendation
Completing the audit
The audit is complete when all activities detailed in the audit plan have been carried out and the
client’s procedure for reporting, and for generating and distributing records has been followed. The
requirement for record keeping will again vary from client to client, but such records as the plan and
report will always be retained; audit working documents, such as checklists, may or may not be
retained. Audit findings will always be kept confidential unless there is a legal requirement to
disclose.
Details of the auditor’s judgement on the sufficiency or otherwise of actions taken should be
reported to the client using the client’s preferred documentation and methods.
Revision hints
With reference to ISO 19011, could you:
ISO 19011 Auditor and lead auditor competences
General
The quality of the audit will be directly proportional to the competence of the auditor. ISO 19011
breaks this requirement for “competence” down into two important aspects. They are:
Personal attributes (whether you are “the right type” to be a good auditor)
Possession of the necessary knowledge and skills and the ability to apply them consistently
This section clarifies the specific requirements of ISO 19011 relating to the two aspects of auditor
competence.
Personal attributes
What are the personal attributes that make a good auditor? Can anyone be a good auditor? The fact
that most people will have encountered both good ones and bad ones suggests that it is not an
occupation that comes easily to everyone. ISO 19011 identifies a number of attributes that a good
auditor should possess and demonstrate. Few of these require any explanation. They are:
Specific auditor knowledge and skills requirements (QMS)
An understanding of typical quality related methods and techniques, how they are applied and for what purpose
This will include an understanding of general terms like QA and QC, and also a general understanding of commonly used methodology such as FMEA, SPC, Six Sigma, Quality Circles
An understanding of the general nature of products and services, including technical requirements
Certain sectors have certain mandatory requirements and the auditor must be aware of these in order to determine if the delivered product or service is fit for purpose
Clearly different sectors will have different ways of doing things and the QMS of different
organisations will vary considerably in their complexity and methods. What that all means is that
some auditors are better placed to audit in certain sectors than others, and the audit client should
try to establish that the auditor possesses sufficient sector experience and knowledge to be able to
do a thorough job; in simple terms, placing a square peg in a square hole. Third party certification
bodies use a set of industry codes to help them match the right person to the right job. When an
auditor works for a 3rd party certification body he/she will be assessed as competent to audit
organisations in certain industries (depending on the auditor's background and experience).
Ultimately the lead auditor is at the centre of a triangle that includes the client, the auditee and the
audit team. The lead auditor has to appreciate the needs of each party and strike a balance between
their needs whilst maintaining a clear focus on achieving the audit objectives.