05/10/2022

Effective Internal
Quality Auditing
based on ISO 19011:2018 –
Guidelines for Auditing Management Systems

Objectives
For the participants to gain basic knowledge and
skills in conducting Internal Audits, specifically in:
• Planning and preparing for internal audit;
• Conducting internal audit;
• Reporting audit results; and
• Conducting follow-up audits

Modules
1. Basics and Phases of QMS Audit
2. Creating Effective QMS Audit Checklist
3. Documenting Audit Findings

4. Analysis, Reporting and Verification of Audit Results

5. Competence and Attributes of Auditors

1
 05/10/2022

Workshops
1. Creating an Audit Checklist
2. Live Audit Exercise
3. Documenting Audit Findings

Module 1

Basics & Phases

of Internal Audit

Internal Audit – 9.2

9.2.1
“The organization SHALL CONDUCT INTERNAL AUDITS at
planned intervals to provide information on whether the
quality management system:
a. Conforms to:
1. The organization’s own requirements for its quality
management system:
2. The requirements of the International Standard (ISO
9001:2015)
b. Is effectively implemented and maintained

2
 05/10/2022

Internal Audit – 9.2

9.2.2
“The organization SHALL:
a. Plan, establish, implement and maintain an audit programme(s)
including the FREQUENCY, METHODS, RESPONSIBILITIES, PLANNING
REQUIREMENTS and REPORTING, which shall take into consideration
the importance of the processes concerned, changes affecting the
organization, and the results of previous audits;
b. Define the audit criteria and scope for each audit;
c. Select auditors and conduct audits to ensure objectivity and
impartiality of the audit process;
d. Ensure that the results of the audits are reported to relevant
management;
e. Take appropriate correction and corrective actions without undue
delay;
f. Retain documented information as evidence of the implementation of
the audit programme and the audit results.

Concepts relating to Audit

Audit programme – set of one or more
Audit client – audits planned for a specific time frame
organization or person and directed towards a specific purpose
requesting for audit
Audit findings – results of the
evaluation of the collected
audit evidence against audit
Auditee – criteria
organization or person AUDIT
being audited systematic, independent, and
documented process for obtaining audit Audit evidence – verifiable
evidence and evaluating it objectively to records, statements of fact or
Audit criteria – set of other information which are
determine the extent to which audit
policies, procedures or relevant to the audit criteria
requirements used as a criteria are fulfilled
reference

Audit conclusion – outcome of an audit

team after consideration of the audit
Audit team – one or more
Technical expert – objectives and all audit findings
auditors conducting an audit
person who provides
specific knowledge of or
expertise on the subject to
be audited Auditor – person with the competence
to conduct an audit

Types of Audit
• Only one party involved in the audit process
(Internal Audit)

• A self-check of one’s own system, product, etc.

• Better known by the generic term “Internal Audit”
1st Party

• May be performed by an external body

• Purpose: provide factual basis for identifying opportunities and needs for
continual improvement

• Two parties involved in the audit process

• Normally, customer auditing supplier
2nd Party
(Supplier

• Regulatory body auditing provider

Audit)

• Purpose: ensure that only suppliers of known accepted capability are used.

• Three parties involved in the audit process

(Certification

• Normally conducted by a Certification Body

3rd Party

CB – You – AB
Audit)

3
 05/10/2022

Overview of ISO 19011:2018

• Provides guidance on auditing management systems
• Includes:
― Principles of auditing
― Managing Audit Program
― Conducting management systems audit (1st, 2nd, 3rd Party)
― Guidance on evaluating the competence of auditors and
persons managing the audit program, auditors and audit teams
• Applicable to all organizations that need to conduct
internal or external audit of management systems

10

Principles of Auditing
in ISO 19011:2018

Auditor/ Managing Audit Process

the Audit Independence
Integrity Evidenced-based
Approach
Fair Presentation
Risk-based Approach
Due Professional Care
Confidentiality

11

Principles of Auditing
in ISO 19011:2018

INTEGRITY
• The foundation of professionalism.
• Replaces and expands the previous principle of Ethical
conduct.
• Auditors should perform work with honesty, diligence
and responsibility.
• Perform work in an impartial manner i.e. remain fair and
unbiased in all their dealings.
• Sensitive to any influences that may be exerted on their
judgment while carrying out an audit.

12

4
 05/10/2022

Principles of Auditing
in ISO 19011:2018

FAIR PRESENTATION
• The obligation to report truthfully and accurately.
• The communication should be truthful, accurate,
objective, timely, clear and complete.
• Audit findings, audit conclusions and audit reports
should reflect truthfully and accurately the audit
activities.
• Significant obstacles encountered during the audit and
unresolved diverging opinions between the audit team
and the auditee should be reported.

13

Principles of Auditing
in ISO 19011:2018

DUE PROFESSIONAL CARE

• The application of diligence and judgment in
auditing.
• Auditor having the ability to make reasoned judgment in
all audit situations.
• Auditors should value the importance of the task they
perform and the confidence placed in them by the audit
client.

14

Principles of Auditing
in ISO 19011:2018

CONFIDENTIALITY
• The security of information.
• The need for auditors to exercise discretion in the use
and protection of information acquired during audits
(inappropriate use of information for personal gain or in
a manner detrimental to the legitimate interests of the
auditee is prohibited)

15

5
 05/10/2022

Principles of Auditing
in ISO 19011:2018

INDEPENDENCE
• The impartiality of the audit and objectivity of the
audit conclusions.
• Auditors should be independent of the activity being
audited wherever practicable, free from bias and conflict
of interest.
• Auditors should maintain objectivity throughout the
audit process to ensure that the audit findings and
conclusions are based only on audit evidence.

16

Principles of Auditing
in ISO 19011:2018

EVIDENCE-BASED
APPROACH
• The rational method for reaching reliable and
reproducible audit conclusions in a systematic audit
process.
• Audit evidence should be verifiable.
• It should in general be based on samples of the
information available during the audit.

17

Principles of Auditing
in ISO 19011:2018

RISK-BASED APPROACH
• Conduct audit in consideration of risks and opportunities.
• Auditors should analyze the risks and opportunities
associated to every audit and plan/implement controls to
mitigate the risks but enhance the likelihood of
opportunities.

18

6
 05/10/2022

Purposes of Internal Audit

To provide information on whether the QMS:
• Conforms to company’s own QMS requirements and to the
requirements of the Standards; and
• Is effectively implemented and maintained

19

Audit of Internal Audit

• Selection of auditors
• Training and competence of Internal Auditors
• Audit program/ schedule
• Documentation of audit findings, i.e. completed checklists,
corrective action (CA) requests, reports
• Clarity and classification of audit findings
• Progress and monitoring of audit findings

20

Phases of Internal Audit

Planning
Performance
Preparation

Review by Reporting and

Management Follow-up

21

7
 05/10/2022

Phases of Internal Audit

PLANNING
Purpose – to ensure that: Main Activities
• Appropriately qualified, experienced, • Prepare annual audit program –
skilled auditors are assigned to the timetable, frequency and duration
particular scope
• Audit is carried out at an appropriate • Decide audit scope and purpose
time/ frequency with sufficient time • Select audit team members and
allocated to allow a complete audit define responsibilities
activity
• Collect relevant documents (system
documentation, reports, relevant
legislation, etc.)

22

Phases of Internal Audit

PREPARATION
Purpose: Main Activities
• Ensure the validity of the on-site/ • Prepare audit plan/itinerary
actual audit is done by thorough
approaches • Review documents and records
• Prepare audit checklist

23

Phases of Internal Audit

PERFORMANCE
Purpose:
• Review the levels of implementation
and the effectiveness of the
implementation against planned
arrangements and requirements of
the standard
• Draw conclusion from collected
objective evidence regarding the
extent of conformity
Main Activities
• Opening/ Introductory Meeting
• Actual audit
- Site/ facility tour
- Obtaining and evaluating audit
evidence
• Audit Review
- Team meetings
- Documenting results
• Closing/ Feedback Meeting

24

8
 05/10/2022

Phases of Internal Audit

REPORTING
Purpose: Contents of Audit Report
• Provide the management adequate 1. Audit objectives and scope
information about the status/ 2. Audit criteria against which the audit
effectiveness of the management
was conducted
system implementation.
3. Audit Team and Auditees
4. Audit date and Duration
5. Summary of audit process and
problems encountered, if any
6. Summary of Audit findings

25

Phases of Internal Audit

REPORTING
Contents of Audit Report Progress Audit Report
7. Details (Classification) of audit • Aimed to update the Management
findings supported with evidences
8. Statements of confidentiality – • May include revision of Audit
optional for internal auditors Program, if any
9. Audit conclusions/ • Include status of audit findings
recommendations - Investigation of root causes
- Extent at which the defined objective is met - Proposed actions to prevent recurrence/
- Recommendation on the need for additional audit
occurrence
- Implementation of actions
- Closure of NCs, Observations and OFIs

26

Phases of Internal Audit

FOLLOW UP
Purpose: Activities by the Auditee/ Audited
• Verify if agreed actions to audit Department
findings are indeed implemented • Correct any on-going issues
and are effective. • Determine root causes (possible causal
factors)
• Determine action to prevent recurrence
Activities by the Auditor (occurrence)
• Determine the requirements for • Verify existence of similar problem in
verification other area/ process/ function
- The need to verify information on site
- Selection of auditors where need arises
• Implement actions, including changes in
procedures
• Closure of Corrective Action (CA)
- Implementation • Notify relevant function for verification
- Effectiveness

27

9
 05/10/2022

Typical Audit Activities

Planning the Audit
• Appoint Head of Internal Audit
• Establish Audit Program (Annual)
• Define audit objectives, scope and
criteria
• Organize Audit Team and Members
• Establish initial contact with relevant
department/ functions
Preparing for the On-site Audit
Activities
• Prepare audit itinerary
• Conduct documentation review
(documents, previous audits, changes,
complaints, etc.)
• Prepare audit documents, i.e. checklists,
attendance, etc.

Conducting On-site Audit Activities

• Review implementation of relevant management
system documents including records, and determine Correction and
their adequacy with respect to audit criteria. Corrective Action

Preparing, Approving and Distributing the

Audit Report
• Prepare the audit report Conducting Audit Follow-up
• Review, approve and distribute the audit report

28

Module 2

Creating Effective
Audit Checklists

29

Audit Checklists
• Ensure systematic, structured and uniform approach
• Guide in remembering key points to ensure thorough
coverage of scope
• Aids in time management
• Serves as valuable record of what was audited and the
results
• Useful in:
⁻ Taking notes (objective evidence)
⁻ Doing follow-up
⁻ Writing details of audit findings

30

10
 05/10/2022

Audit Checklists
What must be included in the audit checklists?
• Requirements of the Standards
• Processes taking place, associated risks and
opportunities and appropriate action plans
• Availability of procedures and records being generated
• Deficiencies from previous audits, if any
• Customer complaints, changes, emergencies, if any

31

Audit Checklists
How to Prepare Audit Checklists?
• Based on the identified process, identify applicable clauses
and determine specific requirements
• Establish audit trail taking into account:
⁻ Understanding of the quality policy and contexts of the organization
⁻ Relevant objectives and targets, if any
⁻ Specifications and MMAE requirements for the process (source-
inputs-process-outputs-customer)
⁻ Associated risks and opportunities and planned actions
⁻ Availability of procedures and records being generated
⁻ Deficiencies from previous audits, customer complaints, changes

32

Workshop 1
Prepare audit checklist
• For 1 hour
• Ensuring objectivity and impartiality, organize audit
teams
• Assign responsibilities
• Use the standard as criteria and documented
information as reference document

33

11
 05/10/2022

Audit Evidences

34

Audit Evidences
• People: Interview auditee to determine understanding/
familiarity
- Competence to perform what needs to happen/ what had happened –
understanding, knowledge, statements

• Paper: Review of Documented Information (Documents and

Records)
- Tells what to happen/ what had happened – procedures, records,
permits, licenses, reports, etc.

• Practice: Observe actual processes and infrastructure

- Confirmation of what to happen/ what had happened – performance
of tasks, current activities, etc.

35

Interview Techniques
• Be courteous at all times (never act superior)
• Appropriate language for questioning (tone or level)
• Ask auditee to explain what he/ she does with respect to
selected situations
• Listen carefully to what is said. Allow time for auditee to
think
• Match questions to levels of responsibility
⁻ Management – about policy, leadership and commitment, structure,
support, progress against objectives, challenges, etc.
⁻ Process owners – about areas of operation, specific controls, tasks

36

12
 05/10/2022

Interview Techniques
• Use open-ended questions. Avoid closed, direct or leading
questions
• Follow a “trail or questioning”
• Use the “silent question” where appropriate
• Check, cross check and validate
• Remember alternative situations (what happens if)
• Be systematic (summarize to show understanding to ensure
that both you and Auditee understand each other fully)
• Thank Auditee for his cooperation and feedback results

37

Physical inspection
• Observe the activities within a defined process
• Observe condition of facility and equipment
• Time observation/ inspection to verify compliance
- Observe sampling and monitoring procedure

38

Sampling
• Audit is done on a sampling basis
• No sampling plans nor statistical methods suitable
• Based on subjective judgment of the auditor
• Auditor must have skills to understand:
- What the evidence is demonstrating
- Consistency of records/ evidence
- Where evidence is leading to
- Areas of special interest

39

13
 05/10/2022

Sampling Guide
• Criticality of the process/ area under review
• Results of previous audits and where applicable
complaints
• Training and understanding of the personnel

40

Controlling the Audit

Auditor should:
• Remain assertive
• Not antagonize or dictate
• Be thorough and efficient
• Avoid lengthy discussion or observation
• Keep track of schedule
• Not be led or misled
• Avoid becoming side-tracked or bogged down

41

Workshop 2
Live Audit Exercise
• Use the checklist that you prepared
• Work with your assigned group mates
• Conduct actual audit (as assigned)

42

14
 05/10/2022

Module 3

Documenting Audit
Findings

43

Audit Findings Classification

POSITIVE FINDING
• Areas that were observed during the audit as excellent
examples of implementing the requirements of the
Standards, best practices, or innovations that brought
significant improvement.
• Positive findings may focus on:
- Management leadership and commitment, and engagement of
personnel
- Awards and recognitions
- Achievements/ performance
- Receptiveness to changes/ new ideas
- Level of compliance to legal requirements
- Level of implementation
- New initiatives and programs

44

Audit Findings Classification

OPPORTUNITY FOR IMPROVEMENT
• Based on the expertise of the auditor, OFIs are issued as
recommendation to better improved the QMS.

45

15
 05/10/2022

Audit Findings Classification

POTENTIAL PROBLEM
• Not a nonconformity during audit but could lead to a
nonconformance, if allowed to continue uncorrected
• Could be an isolated lapse in the documentation or
implementation which did not result to legal
noncompliance, customer complaint
• Follow-up/ Action item
• Action is mandatory

46

Audit Findings Classification

NONCONFORMITY
• Failure to fulfil a specified requirement
- Management System Standards
- Applicable legal requirement i.e. permit/ license
- Company’s management system
• Documented action is mandatory (SIR)

47

NONCONFORMITY
Major Nonconformity - (System Breakdown) total failure to
fulfil a specified requirement of the standard and/or own
management system
• Absence of documented information (document or record) to
demonstrate conformity to a process/ requirement of the standard or
own management system
• Failure to report legal noncompliance where required to do so by a
license condition, authorization, etc.
• Immediate threat of delivering defective products
• Aggregation of minor nonconformities
• Consistently repeating or widespread failure to implement requirement
of the standards (escalation)

48

16
 05/10/2022

NONCONFORMITY
Minor Nonconformity - lapse in the process/ system that has
limited effect on the integrity of the management system or to
the company’s QMS performance
• Inconsistency in the implementation of a process/ procedure/ plan
• Non-implementation of some requirements of a process/ procedure/ plan
• Some missing documents, records, signature, incomplete data, etc.

49

NONCONFORMITY
Types of Nonconformity
• Nonconforming output (against defined criteria/
requirements i.e. QCP, Procedure, WI, etc.)
• Complaints from customers
• Complaints from relevant interested parties
• Objectives that are not met
• Non-fulfillment of compliance obligations
• Nonconformities detected during audits

50

Audit Findings Statement

Finding statement must be:

Clear Concise

Supported by Evidence
Based on Facts

51

17
 05/10/2022

Finding Statement
Positive Finding
• The level of awareness of the QMS and its requirements is very
high
Example:
Quality Policy is documented, communicated and understood at
all levels. It has been translated in the vernacular for the farm
workers to understand and appreciate, printed in small sizes and
distributed to all staff, inserted in their ID jackets.

The practice was validated effective because farm workers can

speak of its essence and the way they contribute towards
achieving it is by working hard on their assigned tasks even
without supervision.

52

Finding Statement
Opportunity for Improvement (OFI)
Example:
1. Consider preparing a documented
procedure for evaluating performance of
external providers to ensure continuity and
consistency of the process.
2. There are initiatives that are unique to the
Center and can potentially generate best
practices when replicated. Documentation
of such is therefore recommended.

53

Finding Statement
Potential Problem
Example:
1. The identification and evaluation of risks and opportunities
can be further improved to avoid subjectivity in
determining what need to be addressed in the management
system.
2. There is a need to update the Section’s ROA to include
nonconforming outputs identified in their Quality Control
Plan as risks in order to assess if there are necessary
interventions/ controls to be put in place.
3. Orientation among new entrants need to be done to ensure
that they are aware of the Center’s Quality Policy and
Objectives and know how they can contribute to its
achievement.

54

18
 05/10/2022

Finding Statement
Nonconformity
• The process on (system required by the standard/ management system) is not
fully implemented, as evidenced by the following:
Example:
The procedure for control of records was not consistently implemented, as
evidenced by the following:
- Entries of releases in the stock card for lactating concentrate must have
corresponding withdrawal slip. However, withdrawal slips for the whole
months of August and September were not available during the audit despite
releases of lactating concentrates made for said months.
- There are two forms maintained to record ingredients used for each dairy
product, the Ingredients Utilization and Supplies Inventory and Logbook of
Mixture of Ingredients. Both forms are intended to keep records of
ingredients used for all dairy products but they contain different volume of
ingredients for the same product.

55

Finding Statement
Nonconformity
Example:
The process on corrective action is not fully (not
consistently) implemented as evidenced by the
following:
- Root causes of SIRs issued in the last internal audit
have not been identified and/ or analyzed
- SIR was not initiated for targets that were not
achieved last year

56

Finding Statement
Nonconformity
Example:
Quality Policy was claimed to have been communicated
to the staff of the Centers through various meetings e.g.
target setting sessions and others. However, no
documented evidence was present to prove that the
activity has indeed occurred.
The documented Quality Policy also needs to be signed
by the top management to signify her commitment to its
achievement.

57

19
 05/10/2022

Workshop 3
For 1 hour:
▪ Work with your group
▪ Using the checklist that was earlier prepared and
the previous results of your live audit exercise,
write at least 1 audit finding with appropriate
clause(s) and audit classification

58

Correction, Root Cause and

Corrective/ Preventive Action
Correction
refers to an immediate solution that will contain the
problem to prevent from spreading and causing further
damage. This is required for every non-conformance and
potential problem cited in the audit. Opportunities for
Improvement (OFIs) do not require Correction since there
are no problems yet that need to be contained.

59

Correction, Root Cause and

Corrective/ Preventive Action
Root Cause
the cause of a problem which if appropriately addressed will
prevent recurrence. This is determined by investigating
deeply why the problem occurred and is required prior to
the determination of corrective actions.

60

20
 05/10/2022

Correction, Root Cause and

Corrective/ Preventive Action
Corrective Action
is the long term solution to the non-conformance found and
shall be implemented to prevent the problem from
recurring. Corrective Actions shall address the Root Cause(s)
determined after careful evaluation and analysis.

61

Correction, Root Cause and

Corrective/ Preventive Action
Preventive Action
is a determined potential solution to the anticipated or
potential problem that shall be implemented to prevent its
occurrence. This also applies to OFIs, if considered by the
auditee.

62

Module 4

Analysis, Reporting
& Verification of
Audit Results

63

21
 05/10/2022

Analysis of Results
Clause 9.2.2 states that:
“The organization shall plan, establish, implement
and maintain an audit programme(s) including the
frequency, methods, responsibilities, planning
requirements and reporting, which shall take into
consideration the importance of the processes
concerned, changes affecting the organization,
and the results of previous audits.”

64

Analysis of Results
Factors to be considered in the Analysis
• Importance of the processes
- Satisfying customer requirements
- Meeting product/ service specifications
• Results of previous audits
- Problematic areas need to be audited more frequently or
interview
• Changes in the organization
- New product/ service may be audited early and/ or more
frequently
- Organizational changes

65

Analysis of Results
Sample Weight Assignment to Audit Findings
NC - 6 points
Frequency of Audit
PP - 3 points Points Frequency
OFI - 1 point >30 3 x a year
15 - 30 2 x a year
<15 1 x a year

66

22
 05/10/2022

Verification of Implementation &

Effectiveness of Corrective
Action (CA)
• Conduct follow-up audit or verification based on the
committed completion date of the Auditee
• Evaluate all the functions connected with the
nonconformity concerned
• Decide on the status of the CA after the verification

67

Verification of Implementation &

Effectiveness of Corrective
Action (CA)
Status of CA
Close
• Proposed CAs were implemented and completed
• CAs taken are adequate/ effective (reduced
likelihood of occurrence or reduced adverse
impacts if the NC is not totally eliminated)

68

Verification of Implementation &

Effectiveness of Corrective
Action (CA)
Status of CA
Open
• Proposed CAs are not implemented or not yet
completed
• Proposed CAs were completed but the same
nonconformity is occurring (or the likelihood of
occurrence or adverse impacts are not significantly
reduced)
• NC is not totally eliminated

69

23
 05/10/2022

Verification of Implementation &

Effectiveness of Corrective
Action (CA)
Actions on Open Findings
• If the remaining shortcomings are relatively minor:
- Request further action
- Extend completion date
- Where necessary, re-investigate root causes and determine and
implement additional actions
• If shortcomings are still major
⁻ Escalate the NC to the next level of management
⁻ Where necessary, re-investigate root causes and determine and
implement additional action

70

Module 5

Competence and
Characteristics of
Auditors

71

Competence and Characteristics

of Auditors
Auditors Competence Requirements
• Personal behavior (Characteristics)
• Knowledge and Skills (General and Specific)
- Standard
- Management System Requirements
- Legal Requirements
- Technical Knowledge
- Auditing Skills
• Experience (Work and Audit)

72

24
 05/10/2022

Competence and Characteristics

of Auditors
Auditors Characteristics
• Versatile (Limited, Not flexible)
⁻ Adjusts readily to different situations
• Tenacious (Complacent)
- Persistent and focused on achieving objectives
• Decisive (Slow in arriving conclusions, weak analytical
skills)
- Reaches timely conclusions based on logical reasoning and analysis
• Self-reliant (Dependent)
⁻ Acts and functions independently while interacting effectively with
others

73

Competence and Characteristics

of Auditors
Auditors Characteristics
• Ethical (vested Interest, Unprofessional)
⁻ Fair, truthful, sincere, honest and discreet
• Open-minded (Narrow-minded)
- Willing to consider alternative ideas or points of view
• Diplomatic (Abrasive/ Insensitive)
- Tactful in dealing with people
• Observant (Negligent/ Remiss)
⁻ Actively aware of and able to understand situation

74

Competence and Characteristics

of Auditors
“Ideal Auditor”
• Relaxed and friendly (has excellent interpersonal skills)
• Has positive attitude
• Interested and inquisitive
• Objective and logical
• Good listener
• Explains the process and understands the technicality
• Can communicate at all levels of the organization

75

25
 05/10/2022

Competence and Characteristics

of Auditors
Other DOs and DON’Ts
• Don’t be LATE
• ACT that part
• Don’t INTIMIDATE
• Put Auditee at EASE
• Be FRIENDLY but FIRM

76

77

26