
ISO 9001:2015

QMS Auditor/Lead Auditor Course

Student Pack
Contents
About this course .................................................................................................................................... 5
Course objectives ................................................................................................................................ 5
Our methods ....................................................................................................................................... 5
Quality Management Systems Auditor/Lead Auditor (ISO 9001:2015).................................................. 6
Common Clause Structure .............................................................................................................. 6
Common Terms and Definitions ..................................................................................................... 7
The Quality Management System (QMS) ........................................................................................... 7
Typical QMS structure..................................................................................................................... 8
ISO 9000 Series ....................................................................................................................................... 9
ISO 9000: Fundamentals & vocabulary ............................................................................................... 9
ISO 9001:2015 Clause Structure and Principles .................................................................................... 10
Determining the Scope of the Management System ....................................................................... 10
Documented Information ............................................................................................................. 10
Records and Documents ............................................................................................................... 11
Benefits of documentation ........................................................................................................... 11
Documented Information – Definition and Context ..................................................................... 11
Documented Information – Requirements................................................................................... 11
The principles of quality management ............................................................................................. 13
Customer focus ............................................................................................................................. 13
Leadership ..................................................................................................................................... 14
Engagement of people .................................................................................................................. 14
Process approach .......................................................................................................................... 14
Improvement ................................................................................................................................ 14
Evidence based decision making .................................................................................................. 14
Relationship management ............................................................................................................ 14
Risk based thinking ........................................................................................................................... 14
ISO 9004: 2009 Managing for the sustained success of an organisation – A quality management
approach ....................................................................................................................................... 16
What is an audit? .................................................................................................................................. 17
ISO 19011 (Guidelines for Auditing Management Systems)............................................................. 17
Terms and definitions ................................................................................................................... 17
First party audits ............................................................................................................................... 19
Second party audits .......................................................................................................................... 19
Third party audits .............................................................................................................................. 19

Different audit objectives ................................................................................................................. 20
Conformance audits versus effectiveness audits ......................................................................... 20
Compliance audits......................................................................................................................... 20
Improvement audits...................................................................................................................... 20
Procedural audits .......................................................................................................................... 20
Process audits ............................................................................................................................... 21
Planning a process audit ............................................................................................................... 21
Turtle diagram approach for planning a process audit ................................................................. 22
Key issues introduced when ISO 9001 adopted the Annex SL Format (Format used for aligning
Management System Standards) ...................................................................................................... 22
Context and Scope ........................................................................................................................ 22
Context considerations for employers of auditors ........................................................................... 23
Context considerations for certified organisations .......................................................................... 23
Determining the Scope of the Management System.................................................................... 23
Internal & External Issues ............................................................................................................. 24
Leadership ..................................................................................................................................... 24
Risks and Opportunities ................................................................................................................ 25
The Effect of Uncertainty (Risk) on Planning ................................................................................ 26
ISO 19011 Requirements for managing an audit program ................................................................... 27
Authority for the audit program ....................................................................................................... 28
Establishing the audit program objectives........................................................................................ 28
Determining and evaluating audit program risks and opportunities ............................................... 28
Establishing the audit programme .................................................................................................... 29
Roles and responsibilities.............................................................................................................. 29
Competence of people managing audit programme........................................................................ 29
Establishing extent of audit programme .......................................................................................... 30
Determining audit programme resources ........................................................................................ 30
Implementing the audit program ..................................................................................................... 31
Monitoring & reviewing the audit program ..................................................................................... 31
Improving the audit program............................................................................................................ 31
Initiating the audit ................................................................................................................................ 32
Conducting the (Stage 1) documentation review ............................................................................. 32
Preparing (Stage 2) audit activities ................................................................................................... 32
The Audit Plan ............................................................................................................................... 33
Audit checklists ............................................................................................................................. 35

Conducting (Stage 2) Audit Activities................................................................................................ 36
Opening meeting........................................................................................................................... 36
Guides ........................................................................................................................................... 36
Collecting and verifying information ............................................................................................ 37
Preparing and Distributing the Audit Report .................................................................................... 37
Classification of non-conformities .................................................................................................... 39
Preparing audit conclusions .............................................................................................................. 40
Completing the Audit (Closing Meeting) .......................................................................................... 40
Typical closing meeting agenda items .......................................................................................... 41
Preparing approving and distributing the audit report ................................................................ 41
Summary report (simple example) ............................................................................................... 42
Completing the audit .................................................................................................................... 43
Audit Follow Up Activities ................................................................................................................. 43
ISO 19011 Auditor and lead auditor competences ............................................................................... 44
General.............................................................................................................................................. 44
Personal attributes............................................................................................................................ 44
Knowledge and skills ......................................................................................................................... 44
Generic auditor knowledge and skills requirements .................................................................... 44
Specific auditor knowledge and skills requirements (QMS) ......................................................... 45
Lead auditor competence ................................................................................................................. 45

About this course
Course objectives
This course has been developed to meet the criteria for a Quality Auditor/Lead Auditor Course. The
Learning Objectives of the course can be summarised as follows (to understand):

• The purpose, benefits and typical structure of a Quality Management System (QMS)
• The Plan-Do-Check-Act (PDCA) methodology, and the process approach to Quality Management
• The principles of Quality Management and how they relate to the QMS and ISO 9001
• The purpose, scope and uses of the ISO 9000 series standards
• The roles, responsibilities and competence requirements of auditors and lead auditors, with reference to ISO 19011

Our methods
The most important thing to us is that at the end of the week you feel that you have learned
something worthwhile and that no-one could have worked harder than us to put you in the best
possible position and frame of mind to pass your exam and go on to make a good auditor. We can’t
do that by delivering a course that challenges you more to stay awake than to get your brain
working. For that reason you’ll find that we apply an approach of learning by doing, review,
discussion, team work and allowing you to have the occasional laugh along the way. The most
important thing you need to know is that it is your tutor’s job to make sure you learn, not yours, but
you must play your part by speaking up if there’s anything you are having difficulty with. Your tutor
will then need to work a bit harder to think of a way to help you. Don’t be afraid to ask questions.

Quality Management Systems Auditor/Lead Auditor (ISO 9001:2015)
This course has been developed around the 2015 issue of the ISO 9001:2015 standard. ISO
9001:2015 is the first version of ISO 9001 that has adopted the “Annex SL” Common Management
System structure.

Common Clause Structure


The clause structure of all standards adopting the Annex SL format is as follows:
1. Scope
2. Normative References
3. Terms and definitions
4. Context of the Organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

The content and implications of the significant clause requirements will be addressed in turn and in
detail later in this document.

Common Terms and Definitions
The importance of clearly defined and understood terms and definitions can’t be overstated. Their
purpose is to calibrate the use of the standard and reduce the potential for variation. It is important
to remember that many of the words used in ISO management system standards are also used in
everyday speech, and the meaning of the same word or term in everyday use may differ from the
standard’s definition.

Term: Definition
Organisation: Person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives
Interested Party (or stakeholder): Person or organization … that can affect, be affected by, or perceive itself to be affected by a decision or activity
Requirement: Need or expectation that is stated, generally implied or obligatory
Management System: Set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives
Top Management: Person or group of people who directs and controls an organization at the highest level
Effectiveness: Extent to which planned activities are realized and planned results achieved
Policy: Intentions and direction of an organization, as formally expressed by its top management
Objective: Result to be achieved
Risk: Effect of uncertainty
Competence: Ability to apply knowledge and skills to achieve intended results
Documented Information: Information required to be controlled and maintained by an organization and the medium on which it is contained
Process: Set of interrelated or interacting activities which transforms inputs into outputs
Performance: Measurable result
Outsource: Make an arrangement where an external organization performs part of an organization’s function or process
Monitoring: Determining the status of a system, a process or an activity
Measurement: Process to determine a value
Audit: Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Conformity: Fulfilment of a requirement
Non-conformity: Non-fulfilment of a requirement
Corrective Action: Action to eliminate the cause of a nonconformity and to prevent recurrence
Continual Improvement: Recurring activity to enhance performance

The Quality Management System (QMS)


Throughout this course we’ll be using a number of terms and definitions and we need to apply them
correctly in the context of this course. What that means is that we use the terms as defined within
(for this course at least) ISO 9000 and ISO 19011. The definition for “Quality Management System”
(QMS) can be found in ISO 9000. It is:

“Part of a Management System with regard to quality”

Typical QMS structure
There are no rules as to how a QMS should be structured; more traditional systems are often based
on a 3 tier document hierarchy, although this is by no means a requirement. ISO 9001 does not
require that every conceivable aspect of the work is documented, and the extent of documentation
an organisation develops should be based on the size and complexity of its operations. The organisation
must strike a balance between comprehensive documentation and ease of use. It is fair to say that
the more document-heavy the system becomes, the less user-friendly it will be. So documentation
should be developed and kept under review from the perspective of risk. That is, if we don’t
document this, are we inviting any problems on ourselves? In addition, certain customers may
require certain documentation, and this must also be a consideration.

[Figure: a typical 3 tier document hierarchy. Tier 1: Quality Manual (high level system documents), which links to Tier 2: process maps and core procedures, which link to Tier 3: detailed procedures, work instructions and standard forms. Records are generated from the use of the Tier 3 documents.]

ISO 9000 Series
The ISO 9000 series is a set of three related standards. They are:
• ISO 9000:2015 Fundamentals and vocabulary (a guidance document)
• ISO 9001:2015 QMS Requirements (the auditable standard)
• ISO 9004:2009 Managing for the sustained success of an organisation (a guidance document)
ISO 9001 is effectively the “engine” of the series. This is the auditable standard, and contains the set
of specific requirements that a conforming QMS must meet. ISO 9000 and ISO 9004 are
complementary guidance documents whose purpose is to aid the effective and consistent
application of the auditable standard (ISO 9001). ISO 9002 and ISO 9003 were withdrawn in 2003.

ISO 9000: Fundamentals & vocabulary


Earlier in these notes we looked at a range of common management system terms and definitions,
however ISO 9000 sets out a number of additional QMS specific terms and definitions. It is important
that whenever a term is used in conjunction with the ISO 9000 series, that we use the term in the
way that ISO 9000 means it. As an example there are many “Quality Gurus” and they all have their
own interpretation of the term “quality”, however when we are applying the requirements of ISO
9001, we need to put all other definitions to one side and use the term “quality” in the way it is
defined within ISO 9000. The table below sets out the main ISO 9000 terms and definitions that we
will be referring to continually throughout this course.

Term: Definition
Quality: Degree to which a set of inherent characteristics of an object fulfils requirements
Quality Management System: Management system with regard to quality
System: Set of interrelated or interacting elements
Process: Set of interrelated or interacting activities that use inputs to deliver an intended result
Procedure: Specified way to carry out an activity or a process
Product: Output of an organization that can be produced without any transaction taking place between the organization and the customer
Quality management: Management with regard to quality
Customer: Person or organization that could or does receive a product or a service that is intended for or required by this person or organization
Customer Satisfaction: Customer’s perception of the degree to which the customer’s expectations have been fulfilled
Continual improvement: Recurring activity to enhance performance
Improvement: Activity to enhance performance
Effectiveness: Extent to which planned activities are realized and planned results are achieved
Efficiency: Relationship between the result achieved and the resources used
Conformity: Fulfilment of a requirement
Nonconformity: Non-fulfilment of a requirement
Corrective action: Action to eliminate the cause of a nonconformity and to prevent recurrence

ISO 9001:2015 Clause Structure and Principles
The ISO 9001:2015 standard follows the Annex SL format, which means its main clauses are:
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

Determining the Scope of the Management System


The requirement to determine the scope of the management system remains a requirement of ISO
9001:2015. It also remains a mandatory documentary requirement, however there is no longer any
requirement as to where it must be documented (in ISO 9001:2008 it was required to have been
documented with the Quality Manual). The issue of applicability remains within ISO 9001:2015. This
means that, in certain circumstances, some of the requirements of ISO 9001:2015 may not be
applicable to some management systems. The word “exclusion” no longer features, however clause
4.3 still states that;

“The scope shall state the types of products and services covered, and provide justification for any
requirement of this International Standard that the organisation determines is not applicable to
the scope of its quality management system”

Exclusions, therefore (in the ISO 9001:2008 use of the word), may still be claimed, and must still be
justified, so in that sense there is no major change. In other words, and for example, if the
organisation has no design and/or development function then it may state that the requirements of
clause 8.3 do not apply. Clearly this claim of non-applicability must be consistent with the nature of
processes that operate within the scope of the QMS in order for that claim to be justified.

ISO 9001:2015 does not put any limits on claims of non-applicability in the way that ISO 9001:2008
limits claims of exclusion to its clause 7. This places a higher emphasis for detailed justification on
the organisation if it is to make any claim of non-applicability.

Documented Information
ISO 9001:2015 requires that an organisation maintains documentation appropriate to the needs of
its management system but, unlike previous versions of ISO 9001, it does not define any specific
mandatory procedures. Moreover whilst it remains a requirement for the organisation to “maintain”
a Policy and Objectives, there is no specific reference to any requirement that anything (apart from
the Scope of the Management System, Clause 4.3) be documented. There is no reference to
“Procedures required by this international standard” (i.e. there is no requirement to document any
specific procedures), and there is no requirement for a Quality Manual. It is left entirely up to the
organisation as to how it demonstrates conformity to ISO 9001:2015.

Records and Documents
There are numerous areas within ISO 9001 where there is a mandatory requirement to produce and
retain records. This emphasises a key point, that it is primarily RECORDS not procedures that are the
basis of an auditable system. Whilst procedures tell you what could/should/might happen, records
tell you what DID happen. Also, once produced, a record should not be changed. Documents, on
the other hand, contain information that is prone to change, and therefore version control is very
important.

Benefits of documentation
There are clear benefits of documenting critical aspects of the system. For example:
• Reduced risk that knowledge leaves with the job holder
• Documents can be used as training aids
• Clarity of communications
• Consistency of work methods
• Records demonstrate facts and history and can be used to demonstrate conformity
• Records and data can be reliably fed into the management review process

Documented Information – Definition and Context


A management system will need a proportion of documented information to enable it to
consistently control certain (but possibly not all) activities. Documented Information is defined as:

“Information required to be controlled and maintained by an organisation and the medium on
which it is contained”

The definition is appended by some guidance notes that add context to the overall definition. They
are:

• Note 1: Documented information can be in any format and media, and from any source
• Note 2: Documented information can refer to:
  ◦ The management system and related processes
  ◦ Information created in order for the organisation to operate (documentation)
  ◦ Evidence of the results achieved

These notes therefore clarify that “documentation” includes both documents (that contain
information which may change and therefore require change control) and records (statements of
fact that should not change, but should be protected). Note 1 also indicates that a “document” could
include hard copy printed documents, soft copy electronic documents, photographic instructions,
video clip procedures etc. The general auditing principle of “open mindedness” is important when
assessing documentation. Not all systems may be developed using “traditional” formats and
structures.

Documented Information – Requirements


The requirement for documented information within the Annex SL format is broken down into three
disciplines:

• General
• Creating and Updating
• Control

Documented Information - General
The general requirement states that the organisation should develop documentation in two areas:

• Documentation defined as mandatory within the applicable standard
• Documentation not specifically determined as mandatory in the applicable standard, but
needed by the organisation in order to manage and control its activities

It is the second category of documentation that provides the greatest challenge for an auditor, as it
requires a judgement call. It is also important to understand that “procedure” and “documented
information” are not always the same thing. A control may be documented in a format other than a
traditional “procedure”.

The general requirement contains a guidance note that helps us with interpretation and
application. It states:

“The extent of documented information for a management system can differ from one
organisation to another due to:

• The size of organisation and its activities, processes, products and services
• The complexity of processes and their interactions
• The competence of persons”

So what does that mean in practice? Well, for example, a small single site company with relatively
few simple processes and non-complex shift patterns may not have a large volume of complex
management system documentation. Procedures may be simple and communication systems may be
less formal, but the system may well still be fit for purpose and effective.

It also suggests that the competence of persons may affect the volume and complexity of
documentation. An example of where this may apply is in the case of time served tradespeople, such
as plumbers, carpenters and electricians. These activities rely heavily on the individual being
developed and approved as competent. This training and development process may be long and
structured, and be subject to assessment and approval; however, once the tradesperson is approved
as competent, that person may well go from job to job without the need for complex procedures.
Obviously, for the work activity to be auditable, RECORDS must always be generated, but the
absence of a set of “plumbing” or “carpentry” procedures does not necessarily mean the activity is out of control.

A simple acid test that an auditor can apply to reach a decision on whether an absent procedure
causes a problem is to assess the impact on new members of staff. People who have been in
the task for a while will generally have reached a position of competence somehow, and often they
will tell the auditor that (for them) a procedure is not required. That, however, does not mean that
the system does not require a procedure. Procedures are most useful for new members of staff and
people who are covering an absence at short notice. If new members of staff also tell the auditor that a
procedure is not required, then that means that a procedure will add no value to anyone. In that
instance it is important to identify how the organisation exercises control by other means. Examples
could include:

• A detailed and structured training and development programme prior to the person being
approved to work
• Software and computer based controls

A written procedure is just one way that information can be documented and an appropriate level of
control applied. The level of industry regulation is also a factor that must be considered. An
organisation that is heavily regulated will normally be required to have more detailed
documentation than an organisation that is not subject to regulation. Again, the documentation
requirements place a heavy emphasis on the auditor being able to understand and apply
organisational context appropriately.

Documented Information – Creating and Updating


The requirement to control the creation and updating of documents states that an organisation
should apply suitable methods in the following areas:

• Identification and description (e.g. title, date, author, reference numbers)
• Format (e.g. language, software version, graphics) and media (paper, electronic)
• Review and approval for suitability and adequacy

Documents therefore need to be fit for purpose, user friendly, identifiable and issued following a
structured review and sign off.

Control of Documented Information


The requirements for the control of documented information have not changed significantly with the
development of the Annex SL format. The general disciplines and control requirements remain as
follows:

• Availability
• Protection
• Distribution, access and retrieval
• Storage and protection
• Change control (appropriate to documents but NOT records)
• Retention and disposal
• Control of documents of external origin (e.g. drawings or a recipe from a customer,
manufacturer’s user manuals, technical specifications etc)

The principles of quality management


These principles of quality management can be considered “threads” of good business practice that
should focus the application and intent of the ISO 9000 series. ISO 9000:2015 provides guidance on
the way that these principles should be applied:

Customer focus
“The primary focus of quality management is to meet customer requirements and to strive to
exceed customer expectations”

Leadership
“Leaders at all levels establish unity of purpose and direction and create conditions in which people
are engaged in achieving the organization’s quality objectives”

Engagement of people
“Competent, empowered and engaged people at all levels throughout the organization are essential
to enhance the organization’s capability to create and deliver value”

Process approach
“Consistent and predictable results are achieved more effectively and efficiently when activities are
understood and managed as interrelated processes that function as a coherent system”

Improvement
“Successful organizations have an ongoing focus on improvement”

Evidence based decision making


“Decisions based on the analysis and evaluation of data and information are more likely to produce
desired results”

Relationship management
“For sustained success, organizations manage their relationships with relevant interested parties,
such as providers”

It is important that we appreciate that these principles themselves are inter-dependent of one
another. A system, by definition, is a set of inter-related activities and processes. Nothing should be
viewed in isolation, and an effective QMS depends on effectively managing both the little picture
(the detail of the procedures) and the big picture (but are we still in business?)

Risk based thinking

ISO 9001:2015 raises the visibility of the concept of “risk based thinking” as an input into the
development and improvement of system controls. It identifies that some form of analysis will be
required in order for appropriate risk control measures (preventative actions) to be identified and
developed. Annex SL defines “risk” as:

“Effect of uncertainty”

However, that short definition is accompanied by some explanatory notes to add context. Note 1
states that:

“An effect is a deviation from the expected – positive or negative”

This introduces the concept of “upside risk” – a circumstance where things turn out better than
expected. Note 2 states that:

“Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood”

This emphasises the fact that not everything is known or even knowable, and a robust management
system is therefore one that accepts that and identifies what controls may be prudent in terms of
contingency. Note 3 states that:

“Risk is often characterised by reference to potential “events” and “consequences” or a
combination of these”

While note 4 states that:

“Risk is often expressed in terms of a combination of the consequences of an event and the
associated “likelihood” of occurrences”

The traditional approach to the identification and assessment of risk is based upon the principles
referred to in notes 3 and 4. It is important to appreciate that this approach is not inconsistent with
ISO 9001:2015.

ISO 9004:2009 refers to “risks” in the following way:

“The organization should assess the risks related to planned innovation activities, including giving
consideration to the potential impact on the organization of changes, and prepare preventive
actions to mitigate those risks, including contingency plans, where necessary”
ISO 9004:2009 Clause 9.3.5

In summary, the concept of “risk based thinking” in terms of a Quality Management approach
requires an organisation to identify both the known and unknown variables and develop
proportionate approaches in terms of controls and contingency.

ISO 9004:2009 Managing for the sustained success of an organisation – A quality
management approach

ISO 9004 is a companion document to ISO 9001. Its purpose is to provide guidance to help users of
ISO 9001 to use it for maximum benefit, particularly with respect to applying ISO 9001 for continual
improvement. It provides a wider focus on quality management than ISO 9001; it addresses the
needs and expectations of all relevant interested parties and provides guidance for the systematic
and continual improvement of the organization's overall performance. ISO 9004:2009 is substantially
different from ISO 9004:2000 (Guidelines for performance improvement), although it has been
designed to be compatible with ISO 9001.

Revision hints
• Could you explain the purpose and potential benefits of a documented QMS?
• Could you explain the structure of a typical QMS?
• Could you explain why it is only documents and not records that require version control?
• Could you identify the Principles of Quality Management and explain the potential benefits
of applying each within a QMS?
• Could you explain the difference and relationship between a procedure, a process and a
system?
• Could you explain what the scope of the quality manual is and explain why defining the
scope is important?
• Explain the underpinning QMS concept of “risk based thinking”
• Could you describe the difference between ISO 9000, ISO 9001 and ISO 9004?
• Could you describe the relationship between each of the three aforementioned documents?
• Could you identify which of these three documents is an auditable standard, and describe
the difference between an auditable standard and a guidance document?

What is an audit?
People audit for lots of different reasons, so there are lots of different types of audit. They vary in
size (sometimes the audit takes in virtually all the company’s activities, sometimes just a single
procedure); they vary in complexity (sometimes there are lots of standards, specifications, customer
requirements and legislation to check on, sometimes not so many); and they vary in focus (why we
do the audit in the first place).

Each of these parameters has its own audit terminology (the ISO 19011 definitions have been outlined
earlier). In plain English, the main parameters are:

• What the audit will look at (the “SCOPE”)
• What the audit will check against (the “CRITERIA”)
• Why we do the audit (our audit “OBJECTIVES”)

It is critical that the auditor never loses sight of these parameters, and also that the parameters are
clearly understood by the auditee (more about communication requirements later). If nothing else,
an audit is a process designed to promote clarity and transparency. If it is shrouded in secrecy and
delivered as something of a black art, the auditor is doing the reverse.

ISO 19011 (Guidelines for Auditing Management Systems)

ISO 19011 (Guidelines for Auditing Management Systems) is an international standard designed to
provide guidance on the management of audit programs, the conduct of internal and external audits
as well as the competence and desired behaviours of auditors. As we’ve already established, as a
guidance document, it is not intended to be used as an auditable standard. This IRCA Auditor/Lead
Auditor Course is designed to develop the competences of students in accordance with the guidance
in ISO 19011.

Terms and definitions

ISO 19011 sets out a number of audit terms and definitions. Auditable standards (such as ISO 9001),
in using the same terms (such as “audit”), adopt the definition of the term as outlined in ISO
19011, so the documents, although separate, are complementary to one another. The table below
sets out the main ISO 19011 terms and definitions.

Term: Definition

Audit: Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Audit Criteria: Set of policies, procedures and requirements used as a reference against which audit evidence is compared
Audit Findings: Results of the evaluation of collected audit evidence against the audit criteria
Audit Conclusion: Outcome of the audit provided by the audit team after consideration of the audit objectives and all audit findings
Audit Client: Organization or person requesting an audit
Auditee: Organization as a whole or part thereof being audited
Auditor: Person who conducts an audit
Audit Team: One or more auditors conducting an audit, supported if needed by technical experts
Technical Expert: Person who provides specific knowledge or expertise to the audit team
Audit Program: Arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose
Audit Plan: Description of activities and arrangements for an audit
Audit Scope: Extent and boundaries of an audit
Competence: Demonstrated personal attributes and demonstrated ability to apply knowledge and skills
Ethical Conduct: The foundation of professionalism. Trust, integrity, confidentiality and discretion
Independence: The basis for the impartiality of the audit and objectivity of audit conclusions
Due Professional Care: The application of diligence and judgement in auditing
Fair Presentation: The obligation to report truthfully and accurately. Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and auditee are reported
Evidence Based Approach: The rational method for reaching reliable and reproducible audit conclusions in a systematic audit process. It is based on samples of information available since an audit is conducted within a finite period of time. The appropriate use of sampling is closely related to the confidence that can be placed in audit conclusions
Audit Evidence: Records, statements of fact or other information which are relevant to the audit criteria and are verifiable
First Party Audit: Internal audits … conducted by, or on behalf of, the organization itself for management review and other internal purposes, and may form the basis for an organization’s self-declaration of conformity
Second Party Audit: Audits … conducted by parties having an interest in the organization such as customers or other persons on their behalf
Third Party Audit: Audits … conducted by external, independent auditing organizations, such as those providing registration or certification to conformity to the requirements of ISO 9001, OHSAS 18001 or ISO 14001

If nothing else, an audit is an exercise in promoting transparency of working methods. It is an
exercise in generating (hopefully) useful management information, to help managers make more
informed decisions. It is therefore important that these terms are understood and applied
consistently by auditors (and explained to the auditee where necessary), otherwise confusion and
suspicion will reign. It is not a good thing if the auditee considers the work of an auditor to be
something of a dark art.

As this course progresses we will be referring constantly to these definitions and exploring the
context of each, so you will have a clear understanding of how these terms are applied in relation to
first, second and third party audits.

First party audits
“Internal audits … conducted by, or on behalf of, the organization itself for management review and
other internal purposes, and may form the basis for an organization’s self-declaration of conformity”

A first party (internal) audit process may well differ quite considerably from the process followed
during a second or third party audit, due to its nature. The people involved will generally be more
familiar with one another, so a formal Opening Meeting may not be necessary, and, since it is an
audit performed by us on our own system, we usually set the scope, objectives and criteria for each
audit. The reason the word “usually” is used here is that sometimes, when a company is working
for a particular customer, the customer may well dictate some of the parameters of the internal
audit regime as part of the contract requirements. Internal audits, nonetheless, need to follow the
general principles outlined in ISO 19011, especially with regard to their effective planning, conduct,
reporting and follow-up, and to the competence and independence of the internal auditors.

Second party audits

“Audits … conducted by parties having an interest in the organization such as customers or other
persons on their behalf”

The most common type of second party audit is an audit by a customer on a supplier. Another
example would be a public sector organisation working to a set of Government requirements that is
then subject to periodic audit by a Government Inspectorate. In these cases, although the auditing
body is external, they are not independent. They will be using the results in some way. For example,
if the outcome of a customer/supplier audit is very unfavourable, the customer may terminate the
contract. Generally speaking, it is on a Second Party Audit where emotions run highest, because the
immediate consequences of a poor result are usually more severe than on a First or Third Party
Audit.

Third party audits

“Audits … conducted by external, independent auditing organizations, such as those providing
registration or certification to conformity to the requirements of ISO 9001 or ISO 14001”

Certification schemes are common. Their intent is usually to provide customers with a higher degree
of confidence. The principle is that the company that carries the certification meets certain criteria
(for example for product characteristics, performance, or the way they conduct their business). In
order for customers to trust the certification, they need to trust the process that delivers
certification. For that reason certifications are often awarded and maintained through a program of
Third Party Audits. The independence of the auditing body adds confidence to the integrity of the
process and the true value of the certification. It is for that reason that ISO 19011 requires greater
independence of Third Party Auditors than it does of First Party Auditors, and why Accredited
Certification Bodies require their auditors to declare any potential conflicts of interest (such as
holding shares in the audited company).

Different audit objectives
Conformance audits versus effectiveness audits
Results are always important, and it should be a major objective of any auditor to clarify whether the
important results are being achieved. Methods, on the other hand, may or may not be critical. An
auditor will adopt a conformance approach when methods, as well as results, are important.
Generally this means that the activity will be supported by detailed procedures and those
procedures must be followed. This is common in heavily automated processes, many medical
processes and legal processes. Irrespective of whether results are good, there must be evidence that
the results were achieved in the right way, otherwise future problems are inevitable.

Sometimes methods are not critical. There may be a team of people working together, performing
similar job roles, but they may each have their own differing ways of doing things, and it may not
matter. Many support functions such as Sales, Marketing, Customer Services and Training may
actually require flexibility. This is generally because, unlike an automated manufacturing process, we
can’t control the consistency of the input to the process, so it may well need to be flexible to allow
for that. A good auditor must be able to apply common sense to the evidence and understand that
in some instances, differences in methods do not present significant risks and problems. In fact they
are a good thing: in the examples previously identified, if the process is not flexible there WILL be
problems.

Compliance audits
The term “compliance” is reserved for audits where the criteria contain mandatory requirements,
most commonly legal requirements. In compliance audits there is understandably less of a
requirement for flexibility, but there is an increased requirement that the auditor very clearly
understands the requirements and interprets them correctly, as the potential impact can have a
significant implication for the auditee.

Improvement audits
Sometimes the primary focus of the audit is to establish whether situations are improving. This is a
common focus of a “follow up” audit. That is, sometime in the past a conformance, effectiveness or
a compliance audit identified problems and a follow up audit is scheduled some time in the future to
establish that problems have been resolved and things are getting better. In order for the auditor to
focus accurately on the audit objectives it is important that in planning the audit, the auditor does
some background research to establish the levels of past performance in order to clearly and
accurately report the “before” and “after” situation. This generally involves examining previous audit
results and process performance indicators in advance of performing the audit.

Procedural audits
A procedural audit will generally be quite narrow in scope and will look in detail at the execution of a
particular operation. Good procedural audits don’t just examine in detail whether the procedure is
being followed, but also whether the procedure is effective. That is, is it a good thing that people are
following it? If the procedure is out of date or has major omissions, it might be better if people ARE
NOT following it. Procedural audits are useful for getting detailed information about conformity, but
are usually limited to a single task or activity. Many internal (first party) audits will be procedural audits
(but a good internal audit system will not consist exclusively of them).

Process audits
Let’s start with some useful ISO 9000 definitions:

Procedure (ISO 9000 definition): “Specified way to carry out an activity or a process”

Process (ISO 9000 definition): “A set of inter-related activities that transforms inputs into outputs”

The key word that distinguishes the two terms is “inter-related”. A process is a collection of
activities, end to end, that transform the process input into its output (or outcome). The scope of a
procedural audit is usually quite narrow (i.e. a procedure for performing a specific test, servicing a
machine component, or logging an enquiry), but a process audit may, for example, follow this type
of broad path:

Process Audit: Sales → Purchasing → Warehouse → Manufacturing → Quality Assurance → Packaging → Distribution

As a general rule, a procedural audit will have a very narrow scope and will focus on conformity
matters, whereas a process audit (as it takes in various interfaces and inter-relationships) will focus
more on efficiencies.

A process audit looks at the big picture, and is therefore a much bigger job. It is complex. Process
audits examine the efficiency of the operation. Why is efficiency important? Because given infinite
resources and time, anyone can deliver inefficient conformity. Conformity is important, BUT it must
be delivered at an acceptable price, otherwise the customer will go somewhere else. That is why
efficiency is also important.

Planning a process audit

Because process audits are a substantial task and can be quite complex, planning is important. There
will not normally be a convenient internal document that defines how the auditor should conduct a
process audit in any organisation, so the auditor has little option but to draw up the plan of action
for himself. This will involve requesting relevant manuals, organisation charts and process maps that
may exist so that the auditor can draw up his checklist from an informed perspective.

Turtle diagram approach for planning a process audit

WHAT? (INFRASTRUCTURE & ENVIRONMENT)
• What equipment is used within this process?
• How is equipment maintained in good working order? Calibration?
• How is the general work space managed?
• What environmental controls are required?

WHO? (RESPONSIBILITIES & AUTHORITIES)
• How are roles defined within the process?
• How well are these roles understood?
• Is there confusion or overlap in responsibilities?
• Are there any stages where responsibilities are not defined?
• How are competence levels for various responsible people determined and established?

PROCESS NAME & SCOPE
Define the key steps of the process:
Step 1: ….
Step 2: ….
Step 3: ….
Step 4: ….

INPUT(S)
• Customer needs and requirements
• Specifications
• Input materials
• Legislative/regulatory requirements

OUTCOME(S)
• What does the customer get?
• How is it delivered?
• Acceptance criteria?
• Satisfaction verified?

SUPPORT PROCESSES
Key interfaces with this process:
• Design?
• Purchasing?
• HR?
• Sales?
• QA?
• IT Support?

HOW? (METHODS)
• How is the process defined and controlled?
• What procedures have been established?
• How are procedural requirements communicated, understood and changed when necessary?
• Do we have appropriate document control?

MEASURES
• How is the success, performance or otherwise of the process measured and verified?
• Measures of product/service conformance to requirements?
• Measures of process efficiency?

Key issues introduced when ISO 9001 adopted the Annex SL Format
(Format used for aligning Management System Standards)
ISO 9001:2015 is the first issue of ISO 9001 that adopts the Annex SL common management system
format. The adoption of that format has introduced some significant considerations for auditors, as
it adjusted the focus on several issues (such as “documentation” and “risk”) and it raised the status
and importance of issues such as Top Management Commitment, the overall Effectiveness of the
system and the identification of Internal and External Issues.

Context and Scope

One of the key themes that has emerged as a result of the adoption of the Annex SL format has been
the issue of “Organisational Context”. Not all organisations are the same, and it follows that not all
management systems will be the same. Context is an issue as much for auditors of a management
system as it is for those that develop and manage management systems. Controls must be
appropriate, proportionate and effective. What works for one organisation may be wholly
inappropriate for another. If an organisation has adopted generic procedures in developing its
system, it is unlikely that the specific context has been fully considered.

Context considerations for employers of auditors
Organisations employing auditors (third party certification bodies, for instance) must consider
“context” when allocating an auditor to an audit client. Does the auditor have the appropriate sector
knowledge to be able to appreciate context? Would the auditor be able to take a reliable value
judgement on the appropriateness of controls specific to the context? Are we putting a square peg
into a round hole?

The fact that a given auditor is not able to audit effectively in every context is not a weakness
on anybody’s part; it is purely a reflection of that auditor’s experience and background in a given
sector. It follows that, if an auditor has little or no exposure to a particular type of organisational
context, the auditor is probably going to struggle to reliably audit the appropriateness and
effectiveness of the controls. An auditor that has specialised throughout his/her professional life in
the construction industry, for example, is unlikely to be able to fully appreciate the context of a
Residential Care provider, at least not without the assistance of a sector specialist. The
consequences of a failure of an auditor to appreciate context could include:
• A superficial audit
• Unreliable and/or inappropriate findings
• Friction and frustration
• A loss of credibility for both auditor and the certification body

Context considerations for certified organisations

Annex SL (Appendix 2) suggests that, as a minimum, in order to fully appreciate the context of the
organisation and the appropriateness of the system controls, the organisation should understand:
• The interested parties, internal and external (examples listed earlier); and
• The requirements of those interested parties.
Some customers have a very low tolerance to defects, others don’t. Some sectors have a high level
of regulation, others don’t. Some suppliers need close and careful management, others don’t. Some
tasks are highly complex and are difficult to control in the absence of a written procedure, others are
not. It is important for an organisation to understand the circumstances that apply so that it may act
accordingly. The consequences of a failure to understand context can include:
• Heavy handed and overly cumbersome procedures (taking a hammer to crack a nut)
• The absence of appropriate controls
• Procedures that do not effectively control the risks of the process
In other words, doing too much, doing too little or doing things in a totally inappropriate way.

Determining the Scope of the Management System

Defining the scope of the management system is significant for a number of reasons, particularly
when it comes to third party certification. The scope describes the boundaries and limits of the
management system and, consequently, of the certified entity. This is important because it is common
for an organisation to seek certification only for a particular function of its operation, or for a single
site. Certification is often used to help the organisation secure contracts, and an organisation may
only need a part to be certified for that purpose.

It is important to understand that whatever scope is defined by the organisation within its own
management system will also be specified on the certificate. This helps prospective customers
understand the limits of the certification and prevents the organisation making false representation
by claiming certification for parts of the organisation that are not certified. Excluding parts of the
organisation from scope is in no way a dodge, as the scope that is stated on the certificate will not
include the excluded parts. The customer will then be able to make an informed decision as to
whether the certification the organisation holds is broad enough for its purposes.

Internal & External Issues

Annex SL identifies that management systems adopting the Annex SL format need to pay greater
attention to identifying and understanding internal and external issues. This is an important part of
defining the context of the management system.

Specifically, an organisation should carefully analyse its internal and external interfaces and identify
the internal and external interested parties, which will in turn help it to identify their needs and
expectations and develop controls appropriately. Annex SL identifies a number of examples that
could be considered:

• Organizations (of various types and sizes): the decision-makers within an organization who
approve work to implement and achieve conformance to the MSS;
• Customers/end-users, i.e. individuals or parties that pay for or use a product (including
service) from an organization;
• Supplier organizations, e.g. producer, distributor, retailer or vendor of a product, or a
provider of a service or information;
• Management system service (MSS) provider, e.g. MSS certification bodies, accreditation
bodies or consultants;
• Regulatory bodies;
• Non-governmental organizations

Obviously this list is neither exhaustive nor generic, but it offers guidance on the general principle
that key internal and external interfaces need to be identified, understood and managed. It is not
suggested that each interface or interested party is of equal importance, and an organisation, in
understanding the interface, must consider the most appropriate and efficient way of managing that
interface, appropriate to (among other things) its significance.

Leadership
The actions of top management are important. They are the decision makers, role models, enforcers
and also the financial supporters of the management system. Without an effective leadership
function, the management system will be adversely affected in a number of crucial ways.
In fact, whilst there will be some variation in the detailed requirements of the top management
function between different management system standards (such as the content of the Policy and its
specific communication requirements), the general requirements of top management don’t vary
significantly from one standard to the next. They will always contain the common elements of:

• Leadership and Commitment
  o Establishing Policy and Objectives
  o Ensuring integration and implementation of the system and its processes
  o Provision of necessary resources
  o Communicating priorities and requirements
  o Ensuring organisation outputs/objectives are met
  o Direction and support to personnel
  o Promotion of a continual improvement culture
  o Support to other levels of management
• Policy
  o Establishing, authorising and communicating the top level policy statement
• Establishing the organisation’s management structure
  o Defining roles and responsibilities, reporting structures
  o Oversight of change management

The specific focus of Leadership will vary from one MSS to another, so each standard will contain
some specific variation within the Leadership clause. A QMS MSS, for example, will be primarily
customer and product focussed, an OHSMS MSS will be primarily focussed on matters of health and
wellbeing of those exposed to the organisation’s activities, and an EMS will be more focussed on
matters relating to the prevention of pollution.

There is also an additional specific requirement for Top Management intervention outside of Clause
5 – Management Review.

Risks and Opportunities

Annex SL requires the management system to appropriately identify “risks and opportunities” and
take into consideration the potential for variation in planning processes. This raises the visibility of
the concept of “risk based thinking” as an input into the development and improvement of system
controls. It identifies that some form of analysis will be required in order for appropriate risk control
measures and contingencies to be identified and developed. Annex SL defines “risk” as:

“Effect of uncertainty”

However, that short definition is accompanied by some explanatory notes to add context. Note 1
states that:

“An effect is a deviation from the expected – positive or negative”

This introduces the concept of “upside risk” – a circumstance where things turn out better than
expected. Note 2 states that:

“Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood”

This emphasises the fact that not everything is known or even knowable, and a robust management
system is therefore one that accepts that and identifies what controls may be prudent in terms of
contingency. Note 3 states that:

“Risk is often characterised by reference to potential “events” and “consequences” or a
combination of these”

While note 4 states that:

“Risk is often expressed in terms of a combination of the consequences of an event and the
associated “likelihood” of occurrences”

Consequently, as an overall requirement, the management system should develop contingency
appropriate to the level of uncertainty. Not all management information is knowable, but best and
worst case scenarios can often be considered.

The Effect of Uncertainty (Risk) on Planning

Where there is certainty, planning can be precise. Where there is uncertainty, precise planning is not
possible. A plan that takes account of uncertainty is said to provide for CONTINGENCY.

Contingency should be proportionate to the level of uncertainty and its effect. That is, if something
is unlikely to occur and/or the effect of uncertainty is minor, a lot of contingency (which can be
expensive) would be disproportionate. Obviously, when an auditor is assessing the appropriateness
of the level of contingency, it must be remembered that it is not a precise science. One of the factors
an auditor may consider when looking at whether contingency is appropriate (and to what level) is
whether the uncertain outcome has ever actually happened previously and, if it has, what were the
consequences.

Revision hints
In the context of an audit …

• Could you describe the purpose of ISO 19011 and how it is used?
• Could you describe the difference between a 1st, 2nd and a 3rd party audit?
• Could you explain the role of each of these in the context of an audit:
  o Client?
  o Auditor?
  o Auditee?
  o Technical Expert?
• Could you explain the term “audit scope” and describe why it is important that the scope is
clearly defined?
• Could you explain the term “audit criteria” and give examples of typical criteria that
would be used during a 1st, 2nd and 3rd party audit?
• Could you explain the meaning of audit scope, objective and criteria?
• Could you explain why it is vital that each of the above is crystal clear from the outset of an
audit?
• Could you explain the difference between conformance and compliance?
• Could you explain the difference between conformance and effectiveness?
• Could you explain the difference between a procedural approach and a process approach
and the strengths and limitations of each approach?
• Could you explain how an auditor may assess whether the organisation has identified its
risks and opportunities and its significant Internal and External Issues?

ISO 19011 Requirements for managing an audit program
ISO 19011 defines this general process for the management of an audit program. It follows a clear PDCA structure. The specific requirements of ISO 19011 relating to this overall process are detailed later in these notes.

Authority for the audit program
It is important that the audit program is supported by top management and that authority for the program is clearly seen to be supported from the top. There are several reasons for this, for example:
• People are more likely to see the audit as important, take it seriously and co-operate
• In the event that the audit team requires resources to implement the program successfully, these may often need to be sanctioned by top management
• Any audit barriers can be quickly removed
The consequences of a lack of support from top management can include:
• Failure to provide sufficient resources, or a competent resource, to the audit function
• Audits just don’t get done
• Non-conformances don’t get closed, or if they are closed, they are only closed when no additional resource is required

Establishing the audit program objectives


ISO 19011 identifies a number of important considerations in establishing the audit program. They are:
• Needs/expectations of interested parties
• Characteristics and requirements of the organisation’s processes
• Management system requirements
• Need for evaluation of external providers
• Auditee’s performance level, level of maturity, level of non-conformances
• Identified risks and opportunities
• Results of previous audits
These are important planning considerations for any process in general, and the audit process is no different. If these aspects are not established at the outset, the process is likely to be inefficient at best.

Determining and evaluating audit program risks and opportunities


There are risks and opportunities related to the context of the auditee that can be associated with
an audit programme and can affect the achievement of its objectives. The people managing the
audit programme need to be able to identify and present to the audit client the risks and
opportunities considered when developing the audit programme and the associated resource
requirements, so that they can be addressed appropriately. This can include:
a) planning, e.g. failure to set relevant audit objectives and determine the extent, number,
duration, locations and schedule of the audits;
b) resources, e.g. allowing insufficient time, equipment and/or training for developing the audit
programme or conducting an audit;
c) selection of the audit team, e.g. insufficient overall competence to conduct audits
effectively;
d) communication, e.g. ineffective external/internal communication processes/channels;
e) implementation, e.g. ineffective coordination of the audits within the audit programme, or
not considering information security and confidentiality;
f) control of documented information, e.g. ineffective determination of the necessary
documented information required by auditors and relevant interested parties, failure to
adequately protect audit records to demonstrate audit programme effectiveness;
g) monitoring, reviewing and improving the audit programme, e.g. ineffective monitoring of
audit programme outcomes;
h) availability and cooperation of auditee and availability of evidence to be sampled.
Opportunities for improving the audit programme can include:
• allowing multiple audits to be conducted in a single visit;
• minimizing time and distances travelling to site;
• matching the level of competence of the audit team to the level of competence needed to achieve the audit objectives;
• aligning audit dates with the availability of auditee’s key staff.

Establishing the audit programme


Roles and responsibilities
The people that manage the audit programme need to:
a) establish the extent of the audit programme according to the relevant objectives (see 5.2)
and any known constraints;
b) determine the external and internal issues, and risks and opportunities that can affect the
audit programme, and implement actions to address them, integrating these actions in all
relevant auditing activities, as appropriate;
c) ensure the selection of audit teams and the overall competence for the auditing activities by assigning roles, responsibilities and authorities, and supporting leadership, as appropriate;
d) establish all relevant processes including processes for:
— the coordination and scheduling of all audits within the audit programme;
— the establishment of audit objectives, scope and criteria of the audits, determining
audit methods and selecting the audit team;
— evaluating auditors;
— the establishment of external and internal communication processes, as
appropriate;
— the resolution of disputes and handling of complaints;
— audit follow-up if applicable;
— reporting to the audit client and relevant interested parties, as appropriate.
e) determine and ensure provision of all necessary resources;
f) ensure that appropriate documented information is prepared and maintained, including
audit programme records;
g) monitor, review and improve the audit programme;
h) communicate the audit programme to the audit client and, as appropriate, relevant
interested parties.

Competence of people managing audit programme


The people that manage the audit programme should have the necessary competence to manage
the programme and its associated risks and opportunities and external and internal issues effectively
and efficiently. That will include an appropriate level of knowledge of:
a) audit principles, methods and processes;
b) management system standards, other relevant standards and reference/guidance
documents;
c) information regarding the auditee and its context (e.g. external/internal issues, relevant
interested parties and their needs and expectations, business activities, products, services
and processes of the auditee);
d) applicable statutory and regulatory requirements and other requirements relevant to the
business activities of the auditee. As appropriate, knowledge of risk management, project
and process management, and information and communications technology (ICT) may be
considered.
The people managing the audit programme should engage in appropriate continual development
activities to maintain the necessary competence to manage the audit programme.

Establishing extent of audit programme


The people that manage the audit programme need to determine the extent and boundaries of the
audit programme. This can vary depending on the information provided by the auditee regarding its
context. In certain cases, depending on the auditee's structure or its activities, the audit programme
might only consist of a single audit (e.g. a small project within the organisation). Other factors
impacting the extent of an audit programme can include the following:
a) the objective, scope and duration of each audit and the number of audits to be conducted,
reporting method and, if applicable, audit follow up;
b) the management system standards or other applicable criteria;
c) the number, importance, complexity, similarity and locations of the activities to be audited;
d) those factors influencing the effectiveness of the management system;
e) applicable audit criteria, such as planned arrangements for the relevant management
system standards, statutory and regulatory requirements and other requirements to which
the organization is committed;
f) results of previous internal or external audits and management reviews, if appropriate;
g) results of a previous audit programme review;
h) language, cultural and social issues;
i) the concerns of interested parties, such as customer complaints, non-compliance with
statutory and regulatory requirements and other requirements to which the organization is
committed, or supply chain issues;
j) significant changes to the auditee’s context or its operations and related risks and
opportunities;
k) availability of information and communication technologies to support audit activities, in
particular the use of remote audit methods;
l) the occurrence of internal and external events, such as nonconformities of products or
service, information security leaks, health and safety incidents, criminal acts or
environmental incidents;
m) business risks and opportunities, including actions to address them.

Determining audit programme resources


When determining resources for the audit programme, the people managing the audit programme
may need to consider:

a) the financial and time resources necessary to develop, implement, manage and improve audit activities;
b) audit methods;
c) the individual and overall availability of auditors and technical experts having competence appropriate to the audit programme objectives;
d) the extent of the audit programme and audit programme risks and opportunities;
e) travel time and cost, accommodation and other auditing needs;
f) the impact of different time zones;
g) the availability of information and communication technologies (e.g. technical resources required to set up a remote audit using technologies that support remote collaboration);
h) the availability of any tools, technology and equipment required;
i) the availability of necessary documented information, as determined during the establishment of the audit programme;
j) requirements related to the facility, including any security clearances and equipment (e.g. background checks, personal protective equipment, ability to wear clean room attire).

Implementing the audit program


“Implementing” the audit program covers a range of activities, including:

• Scheduling audits
• Evaluating auditors
• Selecting audit teams
• Directing audit activities
• Maintaining records

So during a second or third party audit, establishing that this requirement for “implementing” the audit program is met involves more than checking that there is no backlog of audits on the current program. It is a more systematic and holistic assessment of whether the program is also fit for purpose and controlled.
Monitoring & reviewing the audit program


The audit program needs monitoring to ensure that any value adding actions agreed by the audit (corrective actions, preventive actions, opportunities for improvement) are resourced, carried through and that they achieve the anticipated result.

Improving the audit program


Some audit programs don’t change much year on year, and an auditor should be concerned when
this situation occurs. Audits should, as a rule, be scheduled based on the status, importance and
criticality of the activities. The status and importance of activities will change year by year. Some
processes with a history of problems may receive frequent audits, at least until those problems have
been resolved, and then the audit intervals may be extended (time off for good behaviour). The
organisation’s processes may change year on year, elevating or decreasing the relative risk or
criticality of different processes. We should see active monitoring of the schedule with the ultimate
aim of ensuring that we are using our finite audit resources to maximum benefit.

Initiating the audit
Initiating the audit is effectively establishing the ground rules and requirements for the audit. It
includes establishing communication channels, methods, resource requirements, roles and
responsibilities and so on. It is important at this stage that these parameters and processes are
communicated to and understood by all parties involved in the audit (client, team members,
auditee), in order that the audit objectives can be achieved with maximum efficiency and the
minimum of disruption to the auditee’s operations. Sometimes this stage may include organising a
Preliminary Visit to the auditee. This is more common when the auditee organisation is large and/or
complex, and the audit team leader needs to pay a visit to the main sites principally to accurately
assess time and specialist resource requirements for the audit. Often these requirements can be
established through good pre-audit communication with the auditee, without the need for a visit.

One of the main considerations at this stage is estimating an appropriate time to allocate to the
audit. Audit duration will depend on the scope of the audit, the size and complexity of operations
and the number of auditors in the team. Third party certification bodies refer to the following table
as a guide in order to allocate time consistently to third party audits and ensure that all auditees
receive a similar degree of scrutiny.

Conducting the (Stage 1) documentation review


Most audits include a document review stage (although some narrow scope, routine, internal audits on established and mature systems may not). They are particularly useful during 2nd and 3rd party audits, and during a 1st party audit on a brand new or unfamiliar system. The document review does not involve a detailed examination of methods, records, audit trails and systems; rather, it is a somewhat cursory examination of the general sufficiency of the system (policies, documents, records etc). The document review potentially adds value to the process in the following ways:

• It establishes whether it is even worthwhile going any further. If an examination of the sufficiency of documentation identifies several glaring omissions or problems, then it is often a waste of time going through the on site audit process, as the overall result may already be known
• It assists the onsite planning processes by familiarising the team with the system and, to an extent, the people they will encounter on site. It can assist the audit team by helping them identify key issues for the audit checklist, identify the most appropriate auditee for each process, gauge sampling requirements and allocate time to each part

At the end of the document review the audit team will need to make the decision as to whether the onsite audits should proceed. They will also usually feed back any emerging findings to the auditee immediately after the review has taken place in order that some or all of the issues may be addressed in advance of the onsite audit.

Preparing (Stage 2) audit activities


Depending on the size and complexity of the auditee organisation, this can be a real test of the lead
auditor’s organisational capabilities. For example, if the organisation is large, has complex
operations and several sites miles apart, all doing different things, and the audit will last a week and
involve a team of 4 auditors, the lead auditor has to find a way of achieving the audit objectives with
maximum efficiency. Considerations will involve technical issues, such as which sites to sample, which auditor is most qualified to audit which area, whether the team will need to come equipped with any protective equipment, or alternatively to furnish the auditee with information on things like coat and shoe sizes if the auditee will provide such items, what the working language of the audit will be, including the potential requirement for a translator, and which documents will need to be ready at each stage of the audit.

The Audit Plan


There will also be a large number of logistical issues to consider, such as:

• Minimising time lost due to travel between sites and methods of travel
• Where the auditors will stay overnight and who pays
• The most efficient sequence of audit activities
• How the audit team will stay in touch throughout the audit
• How the auditee will be kept up to date on progress and by whom

At this stage it is important that the audit team leader remembers that the Audit Plan is a working
document not just for the audit team, but also for the auditee, so it must be agreed with them well
in advance, so people can be ready, and also in a readily understandable format. Once the plan has
been developed, the checklists will then follow. These can be considered “daughter documents” to
the plan. Checklists, however, are working documents only for the audit team and provide more
specific prompts to auditors regarding which trails to follow and what to clarify.
Audit plan (simple example, 1 auditor, 2 calendar days)

Audited organisation: DND Couriers
Date of audit: 22/23 March
Audit criteria: ISO 9001:2015
Audit scope: Full QMS audit
Auditor: Terry Bell-Day

Audit objective: To determine and report the extent of conformance of the management system of DND Couriers to ISO 9001 requirements

Audit Timetable

Day 1
0845-0900 Site tour, induction
0900-0930 Opening meeting with DND Couriers HQ management team
0930-1030 Top management activities (with Steve Jones)
1030-1045 Break
1045-1230 QMS maintenance/improvement activities (Tony Power)
1230-1315 Lunch
1315-1400 Operational Planning (Jake Pegg)
1415-1500 Contracts and tenders (Susan Brewer)
1500-1515 Break
1515-1630 Customer orders, customer service, complaints (Diane Crow)
1645-1700 End of day update (Tony Power)

Day 2
0900-0945 Procurement & Supplier Management (Marcus Howe)
0945-1100 Facilities & Infrastructure (Walter Wall)
1100-1115 Break
1115-1230 Focus Group (sample of 5 drivers)
1230-1315 Lunch
1315-1430 Focus Group (sample of 5 admin staff)
1430-1500 HR, Admin, Training (Chrissie White)
1500-1630 Report writing
1630-1700 Closing meeting with Top Management

The example above shows an audit plan for a small single site organisation, over a period of 2 days, carried out by a sole auditor. It is therefore a very simple example. An audit plan for a large, multi-site, complex organisation, involving a team of 2 or more auditors, will be much more complex. The plan will need to be sufficiently detailed and understandable to enable effective co-ordination of resources throughout the duration of the audit. In simple terms the main purpose of the audit plan is to ensure that the right people are in the right locations at the right time to be audited on a subject they have been informed of in advance.

Audit checklists
Auditors are only human and therefore fallible. The audit is only a sampling process, so by definition the audit will always miss something. However, it is unforgivable to fail to test an important area of risk or a key requirement. A well thought out checklist reduces the chances that something important will be missed, forgotten about, or overlooked in the “excitement”. The checklist is an aide-mémoire and a working document for the auditors. It is important that the checklist is understandable to the user, so it is a good idea if each auditor constructs their own checklist; that way they can use and understand, for example, their own abbreviations.
Checklist (example)

Audit Checklist
Date: 23 March
Audit of: DND Couriers
Area under review: Procurement/Suppliers
Auditee: Marcus Howe
Auditor: Terry Bell-Day

Assessment questions (the “Conforms?” and “Comments” columns are left blank in the template):
• How are suppliers evaluated? Methods? (8.4.1)
• Who determines selection criteria? (8.4.1)
• Where are results of evaluations documented? Check examples (8.4.1)
• How are requirements communicated to suppliers? Check contracts, orders (8.4.3)
• How is supplier performance analysed? (9.1.3)
• Approved supplier list? (8.4.1)
• Check orders against supplier list for discrepancies (8.4.3)
• What action is taken in cases of deteriorating/variable supplier performance? (10.2)
• What records of supplier complaints, returned goods etc are kept? (8.4.3/10.2)
• Is supplier performance covered during management review? Check minutes (9.3)

Auditor’s signature:

Conducting (Stage 2) Audit Activities
Effective planning reduces the chances of problems on site; however, if the auditors lack discipline and focus, things can and do go pear-shaped at this stage very quickly. A successful on site audit will involve an effectively managed and executed process, and demonstration of the necessary people skills by the auditors (more about these competences in the next section).

Opening meeting
A good opening meeting will help to get things off to a good start. It will be chaired by the audit
team leader and delivered in the presence of senior management of the auditee organisation. Its
objective is to establish ground rules, to create transparency in the process, ensure everyone knows
what to expect and what co-operation the team will need, and finally to give the auditee a chance to
ask any questions. There is a sample agenda for an Opening Meeting below (adapted from ISO 19011).

Typical Opening Meeting Agenda (adapted from ISO 19011)

• Introduce audit team and explain their roles
• Clarify scope, objectives and criteria for the audit
• Confirm the auditee’s understanding of the plan, particularly with regard to time/place for the Closing Meeting, and establish that it is still valid. Changes may be made to the plan at this stage if there are any unforeseen circumstances (such as sickness) that affect parts of the original plan
• Clarify methods that the team will use (interviews, sampling documents, records, observation)
• Explain that the audit will be based only on a sample and explain the limitations of the results in that context
• Clarify communication channels, how the auditee will be kept updated, working language if applicable
• Confirm resources and facilities needed by the team (workspace, guides, PPE)
• Confirm confidential nature of findings and to whom the results will be distributed
• Clarify safety and emergency procedures (if this has not already been addressed by a site induction)
• Clarify reporting methods and documentation that will be produced
• Confirm instances that could result in a suspension of audit activities
• Explain the appeals procedure if there is one

Guides
Guides are important, especially if the site being audited is large, complex, dangerous, has parts where access is restricted, or where special clothing or PPE is required. In many ways they are required to help the auditors stay out of trouble and to find their way about the organisation in the safest and most appropriate way. The main thing an auditor needs to be careful of with regard to the guide is to avoid the guide becoming inappropriately involved in the audit activities. For example, during a 3rd Party QMS Audit, 9 times out of 10, the guide will be the System Manager. This is useful in many ways as the guide can explain many documents, records etc and may also have the authority and the knowledge to confirm and accept emerging findings.

The risk is that the System Manager may not be able to resist the temptation to intrude on parts of the audit that involve other people (an audit involving an interview with an Operative, for example). They may interrupt the Operative, correct them or even answer questions on their behalf. The auditor should diplomatically and politely put a stop to this. It is vital that during an audit the true situation is established, not what the procedure says should happen. On a sensitive or potentially dangerous site, the auditor should not go anywhere without the guide.

Collecting and verifying information


ISO 19011 identifies two important aspects at this stage of the on site process: collection AND verification. The auditor may generate lots and lots of information from a wide range of sources using techniques such as interviews, sampling records, checking documents and observing work activities, but it is critical that this all leads to decisive conclusions regarding the degree of conformance to the audit criteria. It is impractical merely to collect loads of information and assume that sense will be made of it at the end of the day, because what happens if, when the evidence is reviewed later on, many things are still unclear? It will usually be impractical to return and gather more evidence, and even if it is feasible to return, it will be patently obvious to the auditee that only half a job was done first time round. Therefore the auditor must continually review the evidence as it comes, compare it continually with the criteria, clarify it as necessary with the auditee, and stop when enough evidence (one way or the other) has been found. Apparent non-conformities should be discussed with the auditee at the point of discovery. There are three good reasons for this:

• It gives the auditee a chance to explain the situation if the auditor has misinterpreted the evidence
• It reduces the chances of argument in the Closing Meeting if a series of nasty surprises are delivered
• It is good manners and helps maintain good relations during the audit if there is transparency

There are few things more infuriating than to spend an hour with an auditor and for the auditor to
walk away without giving any indication regarding the sufficiency of information that has been
supplied. It is not consistent with ISO 19011 and it is bad practice. Decisions on conformance must
be reached as the audit progresses.

Preparing and Distributing the Audit Report


Once information has been collected and verified, the audit team will need to summarise the
collection of verified information into a set of audit findings. This may involve grading the non-
conformities (e.g. major or minor) and deciding what the overall conclusion should be in light of any
non-conformities found. If the audit is being carried out by a team, this stage will require an
organised communication and consensus process within the team. Findings should contain sufficient
information to enable the recipient to understand and to appreciate that the auditor has reached
the right conclusion (i.e. reference to the criteria and the evidence).
An example of a well written report is given below. Notice how the body of the report contains three key pieces of information:

• What the criteria require
• What actually happened
• The supporting evidence

Also notice how it is written in simple, clear language for the benefit of the auditee.
Notice how the area reserved for “corrective action” is empty. This is because, when the report is issued by the auditor, the corrective action, as an auditee responsibility, has yet to be determined. This may be filled in during the Closing Meeting.

Non-conformity report (example)

CPA Certification: non-conformity report

NCR no.: 1
ISO 9001 Clause: 8.4.1
Major/Minor/Observation:

Location of non-conformity or observation (i.e. dept/site): Purchasing & supplier approval

Description of non-conformity:
ISO 9001 Clause 8.4.1 requires that records of the results of supplier evaluations shall be maintained. During the audit it was established that, although Belgravia maintains close working relationships with key suppliers, meetings between the Purchasing Manager and key supplier contacts, including any agreed action points, are usually not recorded. This was found to be the case with the following suppliers (identified on the Approved Supplier List as “Key Suppliers”):
• Turnbulls (Facilities Maintenance)
• Toshack and Son (Equipment Servicing)

Corrective action details and timescale for completion:

Issued by (Auditor):
Accepted by (Company representative):

Classification of non-conformities
It is common for the client to request that non-conformities are graded to reflect their severity and relative urgency for corrective action to be taken. Different clients have different classification systems. Most systems, however, are variations on the theme detailed in the example below.

Grading: Major
What does this mean? A big problem. There may be a significant part of the audit criteria that has not been met (e.g. a major non-conformance to clause 4.5.5 could be that no internal audits have been completed for a year or more). Non-conformities that carry a significant risk due to the potential for immediate adverse impact on the business. Major non-conformities require corrective action to be taken as a matter of urgency, as they are likely to be harming the company with each day that they remain open.

Grading: Minor
What does this mean? A smaller problem. There may be a part of the audit criteria that has not been FULLY met (e.g. a minor to clause 4.5.5 could be a 2 month backlog of internal audits, or a small number of corrective actions that have gone beyond their agreed deadlines for corrective action). Minor non-conformities generally affect internal operations and efficiency, with little or no immediate impact on product, service or customer. Corrective action is required (as the problem can escalate); however, minor non-conformities are not generally treated as matters of urgency, and may be given a more generous timescale for completion.

Grading: Observation/Opportunity for Improvement
What does this mean? A “nearly” problem or inefficiency. An observation or OFI is NOT a non-conformity and therefore does NOT require mandatory corrective action. It can be described as an instance where a system is “working but wobbling”. Requirements are being met, but only just. Observations are raised when an auditor sees a value in bringing the matter to the auditee’s attention, but corrective action is taken at the auditee’s discretion. The auditor will generally keep observations in view, as they have the potential to become non-conformities if the situation deteriorates. Auditors may also raise observations on apparent problems observed during the audit that were outside the scope of the audit being performed (e.g. possible environmental breaches).

Preparing audit conclusions
There will always be a reason for the audit (the objective), and the audit findings should contain a
clear and reliable conclusion, otherwise it will be unclear whether the audit objectives have been
achieved. In other words, “what does this all mean?” ISO 19011 provides the following guidance on
developing audit conclusions:

Audit Conclusions
Audit conclusions can address issues such as:

a) The extent of conformity of the management system with the audit criteria
b) The effective implementation, maintenance and improvement of the management system
and,
c) The capability of the management review process to ensure the continuing suitability,
adequacy, effectiveness and improvement of the management system

If specified by the audit objectives, audit conclusions can lead to recommendations regarding
improvements, business relationships, certification/registration or future auditing activities

Completing the Audit (Closing Meeting)


The formality of the Closing Meeting will depend on the nature of the audit. In general terms the Closing Meeting is a presentation of the findings by the auditor to the auditee. The objective of the Closing Meeting is to establish agreement between the two parties that the findings are a statement of fact and to secure a commitment to appropriate corrective action if non-conformities have been reported. Sometimes the nature of corrective action will be discussed, agreed and documented; however, it is more common that the auditee is given a period of time to assess the problem and submit a proposal for corrective action within an agreed timeframe.

If the Closing Meeting is formal (more common for 2nd and 3rd party audits) formal minutes may be kept, including a list of attendees and any points of disagreement that were encountered. The auditor can increase the chances of a successful Closing Meeting by taking the following precautions:

• Clearly reference the audit findings to the audit criteria (explain it in simple terms if necessary)
• Clearly identify and explain the specific objective evidence that supports the findings
• Do not raise any findings (especially non-conformities) that were not discussed fully and agreed with the auditee at the point of discovery

If there is failure to reach agreement on any parts of the audit findings, the auditor must make a clear record of the situation and reasons for the disagreement.

Typical closing meeting agenda items
It is important that the lead auditor drafts a closing meeting agenda so that a clear structure can be followed and no important aspects are left uncovered or unexplained. Typically it will include:

• Introductions and thanks
• Reiteration of audit scope, objectives and criteria
• Description of the process that was followed and any difficulties encountered
• Qualification of findings (e.g. that findings are based on a sample)
• Presentation of findings and the recommendation
• Establishing agreement on the findings and commitment to a course of corrective action
• Explaining to the auditee what will happen next

Preparing, approving and distributing the audit report

The formal report may be prepared before the Closing Meeting (typical of modern day 3rd party audits) and presented at the Closing Meeting, or it may be prepared after the Closing Meeting and distributed to the auditee and client a short time after the audit has finished. In the latter case, a verbal summary of the likely contents of the formal report should be presented at the Closing Meeting. The audit report should clearly identify scope, objectives, criteria, findings, conclusions, participants, distribution and also details of any disagreements or significant problems (in process) that were encountered. In preparing the audit report it is vital to consult with the client and establish the desired format, style, distribution and approval requirements of that client. Different clients will have different preferences.

One of the more common failings in audit reporting is a tendency to report only the problems and non-conformities. Whilst these are important, they form only part of the totality of findings. The auditor must remember that the purpose of the report is to accurately identify the degree of conformity with requirements. A failure to report areas of conformance is a major omission.

Summary report (simple example)
Audit Summary Report

Company name: Hodges Ltd
Date of Audit: 21st-23rd September
Auditor(s): Don K. Derby

Audit Scope: Full QMS Audit
Audit Criteria: ISO 9001:2015
Type of Audit: Initial Certification

Summary of findings

Over the course of the 3 day audit all key operational and management processes were sampled.
Specifically at the following locations:

HQ (Henterbury)
Dunbridge Site Office
Castlebrough Distribution Centre

The 2 minor non-conformances that were raised during the initial assessment had been effectively cleared by the time of the on-site audit and these have now been closed. Operational processes were sound, with good record keeping, communications, induction and training systems in place. Operational infrastructure and environmental controls were adequate to meet defined job requirements. The processes for fault reporting were well understood by staff and well observed (however, see NCR1 attached). Management processes at HQ were similarly well documented within the manual, again with generally good levels of record keeping (however, see NCR2), and although some processes (internal auditing, formal documented management reviews) were quite new, the early signs are promising, with good levels of conformance to planned arrangements. Obviously these new systems need to be kept under review and refined with the benefit of experience and learning.

A further minor non-conformance was identified in the area of supplier approval (NCR3). Supplier selection and management appeared generally adequate and fit-for-purpose, but records of the reasons for using/not using a supplier were not always available. Overall a good level of conformance to ISO 9001 was demonstrated, with good levels of staff awareness and commitment shown from the top.

Recommendation

It is recommended that certification to ISO 9001:2015 be awarded subject to the submission of an acceptable corrective action plan relating to the three minor non-conformances.

Issued by: Don Derby (Auditor)
Accepted by: Justin Case (Company representative)

Completing the audit
The audit is complete when all activities detailed in the audit plan have been carried out and the client's procedure for reporting, and for generating and distributing records, has been followed. The requirement for record keeping will again vary from client to client, but records such as the plan and the report will always be retained; audit working documents, such as checklists, may or may not be retained. Audit findings will always be kept confidential unless there is a legal requirement to disclose them.

Audit Follow Up Activities


In the event that corrective actions or improvement actions form part of the audit findings, the auditee will liaise with the client with regard to the status and progress of these agreed actions. These actions are not considered part of the audit; however, it is common for the client to request members of the original audit team to verify (follow up) the close-out of actions. It is the responsibility of the auditee (not the auditor) to identify and implement the necessary corrective actions, for the following reasons:

• The auditor needs to remain independent of the working processes
• The auditor is unlikely to have access to all the appropriate technical knowledge surrounding the problem area, and is not best placed to decide how any problem should be fixed
• There is a better chance of an effective and "owned" (as opposed to an imposed, cosmetic) solution

Details of the auditor's judgement on the sufficiency or otherwise of the actions taken should be reported to the client using the client's preferred documentation and methods.

Revision hints
With reference to ISO 19011, could you:

• Outline the general components of an audit programme?
• Explain acceptable differences of approach within the programme with reference to a typical 1st, 2nd or 3rd party audit?
• Relate the audit programme to the PDCA cycle?
• Outline the general audit process from preparing the audit programme and initiating the audit through to follow-up activities?
• Explain the purpose of each stage and typical stage activities (e.g. the document review)?
• Explain who is responsible for what at each stage (e.g. corrective action, follow-up)?
• Explain how the process may differ between 1st, 2nd and 3rd party audits?
• Identify the stages of the audit at which top management from the auditee organisation should be present?
• Identify the requirements of the Opening and Closing Meetings, the Plan and the Report?

ISO 19011 Auditor and lead auditor competences

General
The quality of the audit will be directly proportional to the competence of the auditor. ISO 19011
breaks this requirement for “competence” down into two important aspects. They are:

• Personal attributes (whether you are "the right type" to be a good auditor)
• Possession of the necessary knowledge and skills and the ability to apply them consistently

This section clarifies the specific requirements of ISO 19011 relating to the two aspects of auditor
competence.

Personal attributes
What are the personal attributes that make a good auditor? Can anyone be a good auditor? The fact that most people will have encountered both good ones and bad ones suggests that it is not an occupation that comes easily to everyone. ISO 19011 identifies a number of attributes that a good auditor should possess and demonstrate. Few of these require any explanation. They are:

Ethical Conduct: Truthful, sincere, honest, discreet
Open-mindedness: Open to different points of view
Diplomacy: Tactful in discussions, and over disagreements
Observation: Aware of physical surroundings and events
Perceptiveness: Able to interpret situations accurately
Versatility: Able to adjust to different situations
Tenacity: Persistent, focussed on achieving the audit objectives
Decisiveness: Able to reach a reliable conclusion
Self-reliance: Can be trusted to get the job done on time to standard

Knowledge and skills


Audits require a certain amount of knowledge and skill. Some of this is generic and required for an effective outcome in any audit situation; other knowledge and skill requirements may be specific to particular situations (organisational types, sectors, technical processes etc).

Generic auditor knowledge and skills requirements


The ability to apply audit principles and techniques
In short, a sound grasp of the ISO 19011 audit process requirements that were outlined in the previous section.

An understanding of typical management system structure and documentation
Policies, procedures, records, technical specifications, etc and how they relate to one another.

An appreciation of different organisational situations
Different sectors have different sector practices, and things are done differently in different parts of the world.

A knowledge of applicable laws and regulations and how they relate to the audit criteria
This could include laws, regulations, customer contracts or codes of practice.

Specific auditor knowledge and skills requirements (QMS)
An understanding of typical quality-related methods and techniques, how they are applied and for what purpose
This will include an understanding of general terms like QA and QC and also a general understanding of commonly used methodologies such as FMEA, SPC, Six Sigma and Quality Circles.

An understanding of the general nature of products and services, including technical requirements
Certain sectors have certain mandatory requirements and the auditor must be aware of these in order to determine if the delivered product or service is fit for purpose.

Clearly different sectors will have different ways of doing things, and the QMSs of different organisations will vary considerably in their complexity and methods. What that all means is that some auditors are better placed to audit in certain sectors than others, and the audit client should try to establish that the auditor possesses sufficient sector experience and knowledge to be able to do a thorough job; in simple terms, placing a square peg in a square hole. Third party certification bodies use a set of industry codes to help them match the right person to the right job. When an auditor works for a 3rd party certification body he/she will be assessed as competent to audit organisations in certain industries (depending on the auditor's background and experience).

Lead auditor competence


The lead auditor is not necessarily the oldest, most experienced or most technically aware auditor in
the team. The lead auditor is that person who the client has determined possesses the additional
competences that go with leading the team, and is prepared to take on the extra work that goes
with the job.

Additional competence requirements:
• Planning responsibilities and the efficient use of audit resources
• Lead responsibility for communications with auditee and client
• Organise and direct the team
• Additional guidance to auditors in training
• Lead the team, achieve consensus and reach decisive conclusions
• Prevent/resolve conflict with the client
• Preparation of the final report and its distribution

A bit of extra work:
• Liaising with the client before (in connection with the plan, team selection etc) and after the audit (submitting and explaining the findings)
• Liaising with the auditee before the audit (in connection with the plan, answering questions)
• Resolving disputes and disagreements, chairing meetings etc
• Sorting out travel and accommodation issues
• More paperwork before and after the audit

Ultimately the lead auditor is at the centre of a triangle that includes the client, the auditee and the
audit team. The lead auditor has to appreciate the needs of each party and strike a balance between
their needs whilst maintaining a clear focus on achieving the audit objectives.

END OF STUDENT PACK
