
5/19/2018

Welcome
From International Register of Certificated
Auditors

www.irca.org


This course is certified by the International Register of Certificated Auditors (IRCA)
IRCA is the leading professional body for management system auditors. IRCA
represents over 10,000 registered auditors in 150 countries and every year,
around 60,000 delegates attend an IRCA approved training course.

IRCA certified courses are recognised as an industry leader and you can be
confident that the course you are attending:

• covers the key knowledge and skills about management systems auditing
• will be taught by IRCA approved tutors
• uses a variety of proven practical student-focused learning techniques
• has been regularly assessed by an IRCA approved assessor
• has a limited class size to maximise participation and optimise your learning

Find out more at www.irca.org


IRCA CERTIFIED ISO 9001:2015 AUDITOR/LEAD AUDITOR TRAINING COURSE
(QUALITY MANAGEMENT SYSTEMS)
Section 1
Learning objective: Define and outline course accreditation,
contents, proceedings and assessment methods

THE AIM

The aim of this course is to provide students with the knowledge and skills required to perform first,
second and third-party audits of quality management systems against ISO 9001, in accordance with ISO
19011 and ISO/IEC 17021, as applicable. All references to ISO standards are to the current versions,
unless stated otherwise.


SECURITY NOTICE

You are advised to ensure that your personal possessions and property are kept in a safe place at all
times.

Fire Exits !?! – If the course really hots up.

PLEASE TURN SILENT MODE ON DURING TRAINING SESSIONS!
Treat others with care


COURSE STRUCTURE

Presentations and Practice

Case Studies – to acquire learning and enabling objectives

• Examine ISO 9001:2015 requirements


• Audit Planning based on audit scope and criteria
• Audit team competence
• Audit methods – on-site vs. remote/ human interaction vs. no human interaction
• Audit result reporting and presentation
• Type of audit

Please supplement the course manual by taking notes – you are provided with space alongside the
presentations
Note-taking is an important auditor skill

COURSE STRUCTURE

Case Studies – Simulated Audit

Plan, conduct, report and follow-up an audit of a quality management system to establish conformity
(or otherwise) with ISO 9001 and in accordance with ISO 19011, and ISO/IEC 17021


COURSE STRUCTURE

Continuous Assessment
Delegates will be assessed throughout the course for:

• Participation
• Application
• Comprehension
• Communication Skills
• Team Work
• Contribution
• Exercise & Team Work Presentation
• Timekeeping/ Attendance

A pass mark is 70%

COURSE STRUCTURE

Examination

The course curriculum requires that an examination is taken on the last day of the course. A four-
section exam is set by the IRCA. The pass mark is 70% with a minimum of 50% to be passed within each
section.


COURSE OBJECTIVES

Explain the purpose of a quality management system, of quality management systems standards, of
management system audit, of third-party certification and the business benefits of improved
performance of the quality management system.
Explain the role and responsibilities of an auditor to plan, conduct, report and follow-up a quality
management system audit in accordance with ISO 9001, ISO 19011, and ISO/IEC 17021

COURSE OBJECTIVES

The IRCA course learning objectives are listed in the introduction at the beginning of each section in
your course manual.

The Course objectives and content are controlled by IRCA. The course duration is declared as 40 hours
minimum and delegates must show 100% attendance.

The learning objectives for each session are found on the first slide of each presentation.


COURSE CRITIQUE

The achievement of the course learning objectives is essential and your assessment of this level of
achievement is important to us.

The Tutor will now present you with a short questionnaire which we would ask you to consider as the
course progresses.

Please complete and return to the tutor at the end of the course.

DELEGATE INTRODUCTIONS

Key auditor skills: time management, note-taking, obtaining objective evidence through interviewing,
presentation of findings
Please interview the delegate to your left so you may introduce them to the group.
Include the following information in the introduction:

• Their Name
• A Brief Description of their organisation
• A Brief Job Description
• Their involvement in quality assurance – unless already stated.

Time allowed – 2 minutes for Interview


1 minute for Introduction


END OF SECTION 1

Section 2 - Standards, Principles & Definitions
To ensure that delegates from differing backgrounds are all familiar
with baseline quality terminology. To list the 7 quality principles and
the interrelationships of the applicable standards

QUALITY MANAGEMENT PRINCIPLES

• Customer Focus
• Leadership
• Engagement of People
• Process Approach
• Improvement
• Evidence-Based Decision Making
• Relationship Management


PRACTICE - QUALITY MANAGEMENT PRINCIPLES

Split in teams and study cl. 2.3 of ISO 9000:2015


Tutor assigns QM principles to your team
Pick a team leader(s) to present the gist of your assigned QM principle(s) to the rest of the group
Use any visuals that will help you – flipchart, PowerPoint, Prezi

ISO 9000 SERIES

ISO 9001:2015 QMS Requirements
ISO 9000:2015 Fundamentals and Vocabulary


ABOUT ISO 9001:2015

• Presents the requirements for a Quality Management System

• See cl. 1 Scope of ISO 9001:2015

ABOUT ISO 9000:2005

QMS Fundamentals and Vocabulary


Defines the QM Principles, the process approach
Provides definitions of the main terms used
Provides graphic representation of the interrelationship among various terms


PDCA

[Figure: PDCA cycle (Plan, Do, Check, Act) driving Continuous Improvement, with each gain held by a Standard (Consolidation through Standardization)]

ISO 9001:2015


EVOLUTION OF QUALITY REQUIREMENTS

ISO 9000 series: 1987, 1994, 2000, 2008 and 2015

From:
• Management of functions and manufacture

To:
• Process management and universal application

ISO 9001:2015

Scope of Application of the Standard

-Applicable to companies of any type or size
-All requirements must be complied with
-Exclusions can be taken from any clause with proper justification

Ref. Cl. 1.2


TERMS & DEFINITIONS

COMMON TERMS AND DEFINITIONS - PRACTICE

Terms and definitions are in ISO 9000:2015

• Open up your copy of ISO 9000:2015


• Take turns to read out a definition
• Guess the term matching the definition
• Time limit is 15 minutes
• Try to cover as much as possible
• The person with the greatest number of correctly matched terms and definitions wins
• Wrong “match” will cost you points


AUDITING PRACTICES AND CERTIFICATION SERVICES – PRACTICE

ISO 19011
ISO 17021
Split in teams
Appoint a team leader
The tutor will appoint one of the standards above to your team
Draft a short presentation of your appointed standard’s:
• Scope and objectives
• Clause structure
• Main requirements

END OF SECTION 2

Section 3 - Accreditation, Certification and Types of Audits
Learning objective: To define accreditation and certification and
the bodies involved; to distinguish between the various types of
audits

THE STANDARDS

International Organization for Standardization (ISO)

Develops and provides standards globally

National Standardization Bodies

Q: What is your national standardization body?


ACCREDITED CERTIFICATION SERVICES

Managed by International Accreditation Forum - http://www.iaf.nu/

Provided by national accreditation bodies

Q1: What is your national accreditation body?


Q2: What is the relevance of ISO 17021?

ACCREDITATION

International Accreditation Forum (IAF)

COFRAC (France), ANAB (USA), JAB (Japan), UKAS (UK)


ACCREDITATION

IAF

National Accreditation Body

Accredits

Certification bodies
Laboratories

Certifies
Various Organizations

BENEFITS OF ACCREDITED CERTIFICATION

Competence of CB recognized and confirmed


Compliance management
Provides confidence in clients and partners that the management system is compliant with the
respective standard
Opportunities for improvement identified


TYPES OF AUDITS

According to the parties involved

1st Party
• Internal audits

2nd Party
• Customer audit of a supplier or a potential supplier

3rd Party
• Audit by an independent third party

SCOPE OF 19011:2011 AND ITS RELATIONSHIP WITH ISO/IEC 17021:2011

Internal Auditing
• Sometimes called First Party Audit

External Auditing
• Supplier Auditing: sometimes called Second Party Audit
• Third Party Auditing: for legal, regulatory and similar purposes; for certification (see also the requirements in ISO/IEC 17021:2011)


FIRST PARTY AUDIT

• An organization auditing its own systems, a self-assessment


• Used to measure the strengths and weaknesses against requirements, and an organization's own
standards

Document Report Follow-up


Reasons to perform:
• Instrument for “Evidence-based decision making”
• Ensure continued conformity to standard
• Conformity to internal procedures
• Compliance to regulations/standards
• Evaluate the effectiveness of corrective actions
• Good management practice

FIRST PARTY AUDIT

Who Can perform an Internal audit?


• Competent staff
• Trained staff not directly responsible for what is being audited
• Competent Consultant if no one else is available

What types of records will an Internal auditor review?


• Documented information
• Observation of the processes within the scope of the audit
• Interviews with authorized personnel

Role of the Internal auditor:


• A catalyst
• An interface between groups
• An advisor
• A reporter of facts


SECOND PARTY AUDIT

• Comprehensive evaluation performed by a customer to help ensure that the supplier is operating
under a state of control

• One organization auditing another with which it either has, or is going to have, a contract or
agreement for the supply of goods or services

SECOND PARTY AUDIT

Reasons to perform
• Help ensure the proper capability and quality systems are in place
• Promotes understanding of expectations of the customer
• Provides for an avenue of quality transfer between the supplier and customer
• Builds customer confidence regarding compliance to Regulations/Standards
• Good business practice

Who can perform a 2nd Party Audit?

• Competent staff trained in conducting external audits
• Internal Audits and External Audits are quite different in approach, techniques and scope
• Competent external consultant


SECOND PARTY AUDIT

What an External auditor will review (not all inclusive)

• Quality Manual or Performance Improvement Plan


• Organizational Charts
• Registrations/licenses/accreditations
• Documented information
• Observation of the processes within the scope of the audit

Second party audits tend to be more formal than first party audits, because the audit results could influence
the customer's purchasing decision

THIRD PARTY AUDITS ACCORDING TO 17021

Audit carried out by a certification body independent of the client and the user, for the purpose of
certifying the client's management system

NOTE 1 In the definitions which follow, the term “audit” has been used for simplicity to refer to
third-party certification audit.

NOTE 2 Third-party certification audits include initial, surveillance, re-certification audits, and can
also include special audits.


THIRD PARTY AUDITOR

NOTE 3 Third-party certification audits are typically conducted by audit teams of those bodies
providing certification of conformity to the requirements of management system standards.

NOTE 4 A joint audit is when two or more auditing organizations cooperate to audit a single client.

NOTE 5 A combined audit is when a client is being audited against the requirements of two or more
management systems standards together.

NOTE 6 An integrated audit is when a client has integrated the application of requirements of two or
more management systems standards into a single management system and is being audited against
more than one standard.

PRACTICE

1. Explain the differences between First, Second and Third Party Audits in terms of scope, objective,
audit criteria, required audit team competence
2. Give the example of each
3. What do you think a regular 3rd party audit cycle would look like?
4. Define audit objectives for each audit within the 3rd party cycle
* Consult ISO 17021, cl. 9.1.3.2 and any other applicable to help your team provide a full answer


END OF SECTION 3

Section 4 - Overview of ISO 9001:2008
Principles covered: To develop an understanding of the structure
and requirements of the ISO 9001:2015 standard

IMPORTANT!

Legal Requirements
• Failure to comply with legal requirements may result in a fine or imprisonment

Conformance to ISO Standards


• Failure to comply with ISO Standard 3rd Party Certification requirement may lead to loss of
registration
• Failure to comply with ISO Standard where the requirements are contractually binding may result in
being fined by the Civil Court


AUDITABLE CLAUSES OF ISO 9001:2015 AND THEIR INTERRELATION TO PDCA

EXCLUSIONS

Unlike ISO 9001:2008, any clause of ISO 9001:2015 may be considered for exclusion if there is sufficient
and clear justification for the exclusion.


ISO 9001:2015 - PRACTICE

Work in your team


Make a list of the mandatory documented information to be maintained and retained as required by
ISO 9001:2015
* Make sure you know the relevance of “maintained” and “retained”
Present your list to the tutor for evaluation
The team with the most complete list wins

END OF SECTION 4

Section 5 – Context of the Organization

4. CONTEXT OF THE ORGANIZATION

The requirement of this clause is to consider the ‘external and internal issues’, ‘interested parties’ and
their requirements to ensure that the QMS is relevant to the organization's activity and its stakeholders'
needs and expectations.

The objectives and concerns of external stakeholders shall be considered when developing the QMS.

The term ‘issue’ covers problems and important matters related to the QMS which need to be
addressed.


4. CONTEXT OF THE ORGANIZATION (CONT.)

The needs and expectations of interested parties have to be understood and the QMS of the
organization has to be aligned with its interested parties’ expectations in a balanced way.

4. CONTEXT OF THE ORGANIZATION (CONT.)

Examples for interested parties:


• Organizations: the decision-makers within;
• Customers, end-users, etc.
• Suppliers, providers of a product/service/information;
• MSS service provider - certification/accreditation bodies or consultants;
• Regulatory bodies;
• Non-governmental organizations.


4. CONTEXT OF THE ORGANIZATION (CONT.)

External context
external environment in which the organisation seeks to achieve its objectives [ISO Guide 73:2009]

Internal context
internal environment in which the organisation seeks to achieve its objectives. [ISO Guide 73:2009]

EXTERNAL & INTERNAL INTERESTED PARTIES

Reference: ISO 22313:2012


4. CONTEXT OF THE ORGANIZATION (CONT.)

Example of processes that may be used for this purpose:


• Identification of the interested parties and their requirements;
• Identification of internal and external issues/context;
• Assessment of internal and external environment/issues and of interested parties;
• Monitor and manage interested parties' relationships;
• Internal and external communication, etc.

ISSUES WITH INTERESTED PARTIES


Auditors to verify if the organization has followed the following approach towards Context

Sample Internal Interested Parties:
• Owners of the Company
• Top Management
• Line Functions, such as Marketing, Production, Maintenance, etc.
• Quality Assurance Organisation
• Safety Organisation
• Internal Personnel Groups
• Workers
• Representatives of Trade Unions
• Reference Groups
• Other Projects

Sample External Interested Parties:
• Authorities of various sections, like construction, social, import/export, taxation, work safety, labour, environment, etc.
• Financing sources like banks, stock holders, public finance, etc.
• The Press
• Politicians
• Trade unions
• Church
• Competitors
• Suppliers
• Cooperative Parties
• Families of the Personnel

Issues or Points of Conflict:
• What are the situations in which the rights or obligations of the interested parties are in conflict?

Interested Parties:
• Who other than those directly presented in the conflict have an interest?

Consequences of Action:
• Identify those that have the highest probability of occurring or the greatest impact first

Consequences of Action:
• What are the responsibilities of each individual to other interested parties?
• Are these grounded in moral considerations or are they a rationalization?


4. CONTEXT OF THE ORGANIZATION (CONT.)

Practice Session:

Work with your team and give example of audit evidence that auditors could gather and evaluate to
determine conformity/nonconformity with this requirement

ISO 9001:2015 gives no practical approach to organizational context analysis

It’s not mandatory but any of the following methods could be deployed: SWOT analysis, PEST or PESTLE
analysis, SOAR, Porter’s Five Forces Analysis, Value Chain Analysis, etc.

END OF SECTION 5

SECTION 5 (Module 1) Leadership, Planning and Support
(Clause 5, 6 and 7)
Purpose of this session: To understand the changes made to the
standard ISO 27001

LEADERSHIP

What are the differences between a Boss and a Leader?


5. LEADERSHIP

The term Leadership has been introduced (previously ‘Management responsibility’).

LEADERSHIP AND MANAGEMENT

CHECK that the organization understands the concept of leadership and is clear that Leadership is
different from Management


5. LEADERSHIP (CONT.)

CHECK if the organization:

• has established a management system policy and objectives compatible with the strategic direction
of the organization;
• has integrated the requirements of the management system (MS) into the organization’s processes;
• has assigned and communicated responsibilities and authorities relevant to MS conformance and
reporting on MS performance;
• has communicated the importance of effective management and conforming to the MS;
• supports persons to contribute to the effectiveness of the MS.

6. PLANNING

CHECK the Main requirements are available:

• consider the external and internal issues, requirements, needs and expectations of interested
parties;
• determine the risks and opportunities that need to be addressed and plan, integrate and implement
actions to address them and evaluate the effectiveness of these actions;
• establish objectives at relevant functions and levels and plan how to achieve them.


AUDITING RISKS & OPPORTUNITIES

CHECK following in Audit of Risk Assessment

• All risks in relations of all Interested Parties in business considered in Risk Assessment – impacting products or services;
• Risk Evaluation Criteria is suitable to nature of business;
• Probability and Severity is part of Risk Evaluation Criteria;
• The scenarios of probability and severity are considered (Probability Changing or Impact Changes due to implementing of Controls to bring down the risk);
• Residual Risks are approved by process owners / authority;
• Risk Assessments are validated w.r.t Incidents (NC’s, Complaints etc.)

• Design Failure Risk
• Product Failure Risk
• Process Failure Risk
• IT Failure Risk
• Environmental Risk
• Health & Safety Risk
• IT Security Risk
• Business Continuity Risk
• Resource Shortage Risk
• Natural Calamity Risk
• Other Risks

RISKS & OPPORTUNITIES

Any risk arising from any positive step taken is an opportunity
(a positive step can have a cascading negative impact)


AUDITING RISKS & OPPORTUNITIES

CHECK Overall Risk Management is Justified to the Business

AUDITING RISK TREATMENTS IN QMS RISK ASSESSMENTS

Risk Mitigation – Sequence in Selection:

Practically in Normal Life, you use the same sequence in treating any risk.

1. Avoid
• If this is not possible, then:

2. Treat
• If this is not possible, then:

3. Accept
• If this is not possible, then:

4. Transfer

First step should be “Avoid”, which is rare in official treatments; organizations rather go straight for Treating


AUDITING INTENT OF RISK MANAGEMENT

MORE INVESTMENT in Controls (Treatments) – Better Risk Mitigation – Brings DOWN the RESIDUAL RISKS

BUT DON’T FORGET:
• No control can bring risk to ZERO
• Risk is under control as long as CONTROLS ARE EFFECTIVE

[Figure: RISK LEVEL bands HIGH (71 - 100), Medium (41 - 70) and Low (1 - 40); implementing risk control brings the risk down from one band to the next, leaving a RESIDUAL risk at each level]

RISK MITIGATION ( Risk Reduction )

VERIFY RISK VISION IS PERSISTING


THE COMPANY
ISO 9001:2015
Risk Based Thinking (Risk Management) &
Corrective Actions require BIGGER VISION.

“Vision without execution is hallucination.” ~ Thomas A. Edison


7. SUPPORT

CHECK Main requirements:

• organizations to determine and provide the necessary resources to establish, implement, maintain and continually improve the MS;
• the need for internal and external communications relevant to the MS shall be determined;

Sample Requirements:

• IT
• Human Resources
• Infrastructure & Administration
• Etc.

7. SUPPORT

Cl. 7.2.1- People


CHECK that the organization determines and
provides the persons necessary for the effective
implementation of its QMS and for the operation
and control of its processes – is effective


7. SUPPORT (CONTD..)

Cl. 7.2.3 – Infrastructure


CHECK that the organization determines, provides
and maintains
the infrastructure necessary for the operation of
its processes and to achieve conformity of
products and services – is justified to the business

NOTE Infrastructure can include:


• buildings and associated utilities;
• equipment, including hardware and software;
• transportation resources;
• information and communication technology

7. SUPPORT (CONTD.… )

Cl.7.2.4 Environment for operation of processes

CHECK that the organization determines, provides and maintains the environment necessary for the
operation of its processes and to achieve conformity of products and services.

NOTE A suitable environment can be a combination of human and physical factors, such as:
• social (e.g. non-discriminatory, calm, non-confrontational);
• psychological (e.g. stress-reducing, burnout prevention, emotionally protective);
• physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise).
These factors can differ substantially depending on the products and services provided.

Negative Work Environment:
• Dog Eat Dog – Everyone fighting to get ahead
• No one appreciates your contributions
• Too much work, Not enough help
• Deadlines are unrealistic
• Longer Hours/Additional work
• Budget Constraints
• Competition is eating us alive
• Poor Management/Direction
• Job Insecurity


7. SUPPORT (CONT.)

Cl. 7.5 Documented information


CHECK that the organization’s QMS includes:
• documented information is justified for the
effectiveness of the QMS

NOTE The extent of documented information for a quality management system can differ from one
organization to another due to:
• the size of organization and its type of
activities, processes, products and services
• the complexity of processes and their
interactions;
• the competence of persons.

7. SUPPORT (CONT.)

7.5.2 Creating and updating


CHECK while creating and updating documented information following
is implemented and justified:

• identification and description (e.g. a title, date, author, or reference number);


• format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
• review and approval for suitability and adequacy.


AUDITOR’S FOCUS FOR DOCUMENTS MAPPING WITH PROCESSES

7.5.3 CONTROL OF DOCUMENTED INFORMATION

7.5.3.1 CHECK
Documented information required by the QMS and Standard is controlled to ensure:
• it is available and suitable for use, where and when it is needed;
• it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

[Figure labels: Information (confidentiality, availability, integrity); Identity Management; Compliance Management; Endpoint Control & Security; Data & Application Security; Email & Web Security]


7.5.3 CONTROL OF DOCUMENTED INFORMATION (CONTD..)

CHECK that, for the control of documented information, the organization addresses the following activities, as
applicable:

• distribution, access, retrieval and use;


• storage and preservation, including preservation of legibility;
• control of changes (e.g. version control);
• retention and disposition.

7.5.3 CONTROL OF DOCUMENTED INFORMATION (CONTD..)

CHECK that the documented information of external origin determined by the organization to be necessary
for the planning and operation of the quality management system is identified as appropriate,
and controlled.

Documented information retained as evidence of conformity shall be protected from unintended alterations.

NOTE
Access can imply a decision regarding the permission to view the documented information only, or the
permission and authority to view and change the documented information


7. SUPPORT (CONT.)

7.1.6 Organizational knowledge

CHECK that the knowledge necessary for the operation of its processes and to achieve conformity of
products and services is retained and maintained.

Also CHECK that, when addressing changing needs and trends, the organization considers its current
knowledge and determines how to acquire or access any necessary additional knowledge and required
updates to improve the degree of compliance and enhance the business

Knowledge is of no value unless it is put into practice

7. SUPPORT (CONT.)

7.1.6 Organizational knowledge (Cont..)


CHECK
NOTE 1 Organizational knowledge is knowledge
specific to the organization; it is generally gained
by experience. It is information that is used and
shared to achieve the organization’s objectives.
NOTE 2 Organizational knowledge can be based
on:
• internal sources (e.g. intellectual property;
knowledge gained from experience; lessons learned
from failures and successful projects; capturing and
sharing undocumented knowledge and experience;
the results of improvements in processes, products
and services);
• external sources ( e.g. standards; academia;
conferences; gathering knowledge from customers
or external providers).


6. PLANNING (CONT.)

PRACTICE SESSION

Representatives of the team are invited to the flip chart to comment on and provide examples of the
ways in which organizations may determine, evaluate and address risks and opportunities.

END OF SECTION 5

Section 7 - Identifying and Documenting Processes
To develop a skill to map out simple processes by recognizing
‘core process’ and what can be regarded as lower level detail

PROCESSES

The definition:
The transformation of a set of inputs into outputs.


PROCESSES

Working in your teams define the typical processes in Czerka Inc.

See sampled documented information


Provide examples of inputs and outputs

PROCESS MAPPING

When faced with a large or difficult task the simplest way to proceed is to break it down into
manageable stages

Process mapping is a way of identifying sequentially each stage of the process

Once charted, the process is discussed with the people doing the job and their confirmation


WHAT DO WE NEED TO KNOW ABOUT A PROCESS?

[Figure labels: Objective; Owner; Inputs; Outputs; Human Resources; Materials and Equipment; Operational Controls; KPIs; Maintenance; Procedures]

MAIN SYMBOLS

[Figure: flowchart symbols for Decision, To Link, Activity, Document, Other process, END, Manual Handling, Preparation, Data]


EXAMPLE PROCESS MAP

[Figure: flowchart] Start; decision “Watch TV” (YES/NO, with connector A); Refer to TV Guide; Select Program; Turn on TV; Select Channel; decision “Like Prog” (YES/NO); Enjoy Performance

‘MAPPING’

Using a mapping technique enables management information and processes, no matter how complex, to
be documented by breaking them down into easily understood elements which together make up
the entire picture


Drill Down

Show ownership

Show supporting functions

END OF SECTION 7

Section 7 - Quality Management System
Documentation
Principles covered: Process Approach. To formulate a clear view of
minimal documentation structural requirements for a compliant QMS
under ISO 9001:2015

REMEMBER!

The Quality Management System is not a part of the management system.

It IS the management system.


QMS BENEFITS

Motivates staff towards pride in carrying out job


Promotes improved industrial relations through interfaces and interdepartmental co-operation and
input
Provides activity/ service/ product performance data through feedback analysis
Controls all activity/ service/ product changes
Identifies and controls training need
Provides historical records to confirm levels of quality/system effectiveness and activity/ service/
product achievement and assist with product liability claims

PROCESS DOCUMENTATION

Includes flow charts/process maps that define the operating sequence and interaction at each stage for
all management and operational processes.
All flow charts are subject to the same number and issue status controls as for other quality system
procedures.


DOCUMENTED INFORMATION TO BE MAINTAINED

DOCUMENTED INFORMATION TO BE RETAINED

Documented information to the extent necessary to have confidence that the processes are being
carried out as planned (clause 4.4).
Evidence of fitness for purpose of monitoring and measuring resources (clause 7.1.5.1).
Evidence of the basis used for calibration of the monitoring and measurement resources (when no
international or national standards exist) (clause 7.1.5.2).
Evidence of competence of person(s) doing work under the control of the organization that affects the
performance and effectiveness of the QMS (clause 7.2).
Results of the review and new requirements for the products and services (clause 8.2.3).


DOCUMENTED INFORMATION TO BE RETAINED

Records needed to demonstrate that design and development requirements have been met (clause
8.3.2)
Records on design and development inputs (clause 8.3.3).
Records of the activities of design and development controls (clause 8.3.4).
Records of design and development outputs (clause 8.3.5).
Design and development changes, including the results of the review and the authorization of the
changes and necessary actions (clause 8.3.6).
Records of the evaluation, selection, monitoring of performance and re-evaluation of external providers
and any actions arising from these activities (clause 8.4.1)

DOCUMENTED INFORMATION TO BE RETAINED

Evidence of the unique identification of the outputs when traceability is a requirement (clause 8.5.2).
Records of property of the customer or external provider that is lost, damaged or otherwise found to be
unsuitable for use and of its communication to the owner (clause 8.5.3).
Results of the review of changes for production or service provision, the persons authorizing the
change, and necessary actions taken (clause 8.5.6).
Records of the authorized release of products and services for delivery to the customer including
acceptance criteria and traceability to the authorizing person(s) (clause 8.6).


DOCUMENTED INFORMATION TO BE RETAINED

Records of nonconformities, the actions taken, concessions obtained and the identification of the
authority deciding the action in respect of the nonconformity (clause 8.7).
Results of the evaluation of the performance and the effectiveness of the QMS (clause 9.1.1).
Evidence of the implementation of the audit programme and the audit results (clause 9.2.2).
Evidence of the results of management reviews (clause 9.3.3).
Evidence of the nature of the nonconformities and any subsequent actions taken (clause 10.2.2).
Results of any corrective action (clause 10.2.2).

PRACTICE

Work individually
Pick 3 pieces of documented information
Verify whether it is available or not in the Czerka Inc documentation
Report the result


END OF SECTION 8


IRCA CERTIFIED ISO 9001:2015


AUDITOR/LEAD AUDITOR TRAINING
COURSE
(QUALITY MANAGEMENT SYSTEMS)
Section 9 - ISO 9001:2015 – review of
requirements and interpretation
Clause 8 Operation

CL. 8. OPERATION

Work in your team


Appoint a team leader
!!! Make sure team leaders rotate
Identify all documented information to be retained or maintained in cl. 8 in a list (see previous
presentation for help)
Draw a process map/ algorithm for applying the requirements (the choice for organization type is up to
you)
Explain your process map to the rest of the group – be prepared to answer questions


END OF SECTION 9


IRCA CERTIFIED ISO 9001:2015


AUDITOR/LEAD AUDITOR TRAINING
COURSE
(QUALITY MANAGEMENT SYSTEMS)
Section 10 – ISO 9001:2015 – review of
requirements and interpretation
Clause 9 Performance Evaluation
Clause 10 Improvement

CL. 9 & 10

Work in your team


Appoint a team leader
!!! Make sure team leaders rotate
The tutor will assign cl. 9 or cl. 10 to your team
Draw a process map/ algorithm for applying the requirements (the choice for organization type is up to
you)
Explain your process map to the rest of the group – be prepared to answer questions


END OF SECTION 10


IRCA CERTIFIED ISO 9001:2015


AUDITOR/LEAD AUDITOR TRAINING
COURSE
(QUALITY MANAGEMENT SYSTEMS)
Section 11 – Audit Planning
To be able to define audit stages, roles and responsibilities. To
develop lead auditor skills through accurate and detailed planning

REASONS FOR CONDUCTING AUDITS

To examine the system for improvements


To determine compliance or non-compliance with the requirements of the standard or applicable legal
requirements
To make a certification decision
To establish continued conformity of the system to the management standard


AUDIT PROGRAMME

All audits in a given audit cycle


When planning the audit program, the following must be considered:
• Status and importance of processes
• Major changes
• Previously established non-conformities and weaknesses

• !!!Consult ISO 19011 for further details

MANAGING THE AUDIT PROGRAM

The audit process would address:


• Roles and responsibilities in the process
• Competence requirements (LA, A, TE)
• Methods of performing auditing process at each stage
• Format of all retained documented information, storage, retention


MAIN DOCUMENTS TO BE CONSIDERED

ISO 17021: 2011 - Third Party Audit Requirements


ISO 19011: 2011 - Auditing Guidelines
Requirements of the management system standard

ISO 19011: 2011 GUIDELINES FOR MANAGEMENT SYSTEMS AUDITING

ISO 19011 (does not state requirements) provides guidance:
on the management of an audit programme,
on the planning and conducting of an audit of the management system,
on the competence and evaluation of an auditor and an audit team.

NB: The new version covers all disciplines whereas the previous version covered only quality and
environmental


THE PURPOSE OF ISO/IEC 17021

This International Standard specifies requirements for certification bodies.


Aims to ensure that certification bodies operate management system certification in a competent,
consistent and impartial manner.
This International Standard serves as a foundation for facilitating the recognition of management
system certification in the interests of international trade.

RELATIONSHIP BETWEEN ISO/IEC 19011:2011 AND ISO/IEC 17021:2011

ISO 19011 is intended to provide useful guidance in:

• Internal Auditing: sometimes called First Party Audit
• External Auditing:
  • Supplier Auditing: sometimes called Second Party Audit
  • Third Party Auditing: for legal, regulatory and similar purposes

ISO/IEC 17021:2011: Conformity assessment requirements for bodies providing audit and certification of management system


AUDIT OBJECTIVES, SCOPE AND CRITERIA FOR INDIVIDUAL AUDIT ACCORDING TO ISO/IEC 19011

• The audit objectives define what is to be accomplished by the individual audit

• The audit scope should be consistent with the audit programme and audit objectives. It includes
such factors as physical locations, organizational units, activities and processes to be audited, as well
as the time period covered by the audit.

• The audit criteria are used as a reference against which conformity is determined and may include
applicable policies, procedures, standards, legal requirements, management system requirements,
contractual requirements, sector codes of conduct or other planned arrangements.

AUDIT OBJECTIVES, SCOPE AND CRITERIA FOR THIRD PARTY CERTIFICATION AUDIT ACCORDING TO ISO/IEC 17021:2011

Determination of the conformity of the client’s management system, or parts of it with audit criteria
Evaluation of the ability of the management system to ensure the
organization meets applicable statutory, regulatory and contractual
requirements
Evaluation of the effectiveness of the management system to
ensure the client organization is continually meeting its specified
objectives
As applicable, identification of areas for potential improvement of the management system.


ISO 19011:2011

PLAN
5.2 Establishing the Audit Programme objectives
5.3 Establishing the Audit Programme
5.3.1 Roles and responsibilities of the person managing the audit programme
5.3.2 Competence of the person managing the audit programme
5.3.3 Establishing the extent of the audit programme
5.3.4 Identifying and evaluating audit programme risks
5.3.5 Establishing procedures for the audit programme
5.3.6 Identifying audit programme resources

DO
5.4 Implementing the audit programme
5.4.1 General
5.4.2 Defining the objectives, scope and criteria for an individual audit
5.4.3 Selecting the audit methods
5.4.4 Selecting the audit team members
5.4.5 Assigning responsibility for an individual audit to the audit team leader
5.4.6 Managing the audit programme outcome
5.4.7 Managing and maintaining audit programme records

CHECK
5.5 Monitoring the audit programme

ACT
5.6 Reviewing and improving the audit programme

Competence & evaluation of Auditors (clause 7)
Performing an audit (clause 6)

ROLES, RESPONSIBILITIES, COMPETENCE REQUIREMENTS

• LEAD AUDITORS
• AUDITORS
• TECHNICAL EXPERTS
• AUDITEES


LEAD AUDITOR RESPONSIBILITIES

• A person qualified and authorised to manage a system Audit.


• Plan the Audit and organise a team to conduct the Audit.
• Manage all aspects of the Audit ‘on site’.

AUDITOR RESPONSIBILITIES

A person qualified and authorised to perform all, or a portion of, an audit.

To audit allocated areas/ activities and report findings to the Lead Auditor.

Be aware of the needs and expectation of the Auditee.

Consider local culture and customs.


AUDITEE’S RESPONSIBILITIES

Co-operate with the Auditor in the planning and conducting of the Audit.

Provide access for the Audit team.

Provide guides.

Attend the opening and closing meetings.

Address and implement corrective action.

AUDIT STAGES

Planning
• Pre-audit management
• Document review
• Detailed planning for the on-site audit

Implementation
• On-site audit

Reporting and Follow Up
• Reporting
• Follow up


TYPICAL AUDIT ACTIVITIES ACCORDING TO 19011

TWO STAGE APPROACH IN INITIAL AUDITS
• STAGE I: define the processes, judge on system readiness, stage II duration, team constitution, special requirements
• STAGE II: evaluate compliance and effectiveness (see ISO 17021)

Team size and audit durations:
• Size and complexity of the company’s operation
• Number of sites
• Applicable standard

STAGES:

Initiating the audit
• Establishing initial contact with the auditee
• Determining the feasibility of the audit

Preparing audit activities
• Performing document review in preparation for the audit
• Preparing the audit plan
• Assigning work to the audit team
• Preparing work documents

TYPICAL AUDIT ACTIVITIES ACCORDING TO 19011

Conducting the audit activities
• Conducting the opening meeting
• Performing document review while conducting the audit
• Communicating during the audit
• Assigning roles and responsibilities of guides and observers
• Collecting and verifying information
• Generating audit findings
• Preparing audit conclusions
• Conducting the closing meeting

Preparing and distributing the audit report
• Preparing the audit report
• Distributing the audit report

Completing the audit

Conducting audit follow-up (if specified in the audit plan)


THIRD-PARTY AUDIT AND CERTIFICATION PROCESS ACCORDING TO 17021:2011

Client submits application for initial certification

Initial certification

Stage 1
• Select and appoint competent audit team
• Plan, Perform and Report Stage 1 Audit
• Resolve stage 1 audit areas of concern (if applicable)

Stage 2
• Select and appoint competent audit team
• Plan, Perform and Report Stage 2 Audit
• Resolve stage 2 audit areas of concern (if applicable)
• Initial certification audit conclusions

Initial certification decision

Surveillance audits / Recertification
• Exchange of information between client and certification body (e.g. change of scope); determine if changes to audit programme required
• Recertification audit planning
• Confirm audit programme and communicate to client
• Confirm/appoint competent audit team
• Plan, Perform and Report Audit
• Resolve audit areas of concern (if applicable)

Recertification decision

Confirm or adjust audit programme and appropriate audit follow-up and surveillance activities including frequency and duration. Special audits must also be taken into consideration.

END OF SECTION 11


IRCA CERTIFIED ISO 9001:2015


AUDITOR/LEAD AUDITOR TRAINING
COURSE
(QUALITY MANAGEMENT SYSTEMS)
Section 12 – Checklists
To acquire pre-auditing skills of producing and using checklists

CHECKLISTS

Used by the auditor as an aide-mémoire and an audit trace record

Are compiled from the results of a detailed study of the processes, documented information and the
standard

Used to ensure that all elements and relevant requirements contained in the standard are covered and
nothing is omitted


CHECKLISTS

Used to reference each question to the relevant clauses of the standard

Are a valuable aid when writing the audit report.

Space should be left on the checklist so that answers to the questions can be noted for later use.

SAMPLING

Considerations
• Important Aspects
• Scope
• Duration of Audit
• Requirements of the standard
• Level of potential risk
• Previous Problems
• Sample size and its significance
• Corporate Issues

Sampling Benefits - more efficient use of time

Sampling Limitations – not all items are checked


SAMPLE CHECKLIST

Standard:            Type of Audit:
Client:            Auditor:            Date:

Requirements | OK | CAR | Obs | N/A | Objective Evidence

END OF SECTION 12


IRCA CERTIFIED ISO 9001:2015


AUDITOR/LEAD AUDITOR TRAINING
COURSE
(QUALITY MANAGEMENT SYSTEMS)
SECTION 13 Auditing Techniques
Purpose of this session: To develop auditing skills for planning,
conducting, audit conclusion & follow up towards ISO 9001:2015

SECTION 1 <<<<< INTRODUCTION TO AUDIT >>>>>>


AUDIT PROCESS – BIRD’S EYE VIEW


Audit: systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

Audit Samples: PROCESSES, DOCUMENTS, PEOPLE

Audit Criteria
1. ISO 9001:2015 &
2. Customer Requirements &
3. Legal Requirements &
4. QMS Complete Documents

Audit Finding: Non-Compliances (Corrective Actions) or Compliances

After the audit the details of the samples become evidences


• If evidences are complying to audit criteria, they become evidences of compliance
• If evidences are not complying to audit criteria, they become evidences of non-compliances
Evidence Sample >
PROCESS > Prod. Line # 2 & 5
DOCUMENTS > Production WI WI-LINE-040 Ver. 2.1
PEOPLE > Line Supervisor

AUDIT PROCESS – FUNDAMENTALS

Audit Objective >


To verify the degree of compliance of QMS
towards the Audit Criteria

Compliance >
When QMS Documentation
& Implementation both are met, towards the
Audit Criteria


AUDIT TYPES IN INDUSTRY – BIRD’S EYE VIEW


I = FIRST PARTY AUDITS (Self Audits) II = SECOND PARTY AUDITS (Customer Audits)

III = THIRD PARTY AUDITS (Audits by external parties who are not in this business relationship)

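[Diagram: the ORGANIZATION (QMS – ISO 9001 : 2015) shown together with its CUSTOMERS / CLIENTS, its SUPPLIERS / SUB-CONTRACTORS, and Certification Bodies or Legal Audits etc.; the links between them are labelled I, II and III according to the audit types above.]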

PRINCIPLES OF AUDIT (CLAUSE 4 OF ISO 19011:2011)

Integrity – The foundation of Professionalism
Fair Presentation – The obligation to report truthfully and accurately
Due Professional Care – The application of diligence and judgement in auditing
Confidentiality – Security of Information
Independence – The basis for the impartiality of the audit and objectivity of the audit conclusions
Evidence Based Approach – The rational method for reaching reliable and reproducible audit conclusions in a systemic audit.


AUDIT PROGRAM (CLAUSE 5.1 OF ISO 19011:2011)

SECTION 2 <<<<< AUDIT MACRO DETAILS >>>>>>

Elements of the Quality Management System for Annual Audits

Audit Management
• Authority
• Independence, objectivity and integrity
• Conduct of the audit
• Consultation
• Security, access and file retention
People Management
• Resourcing
• Leadership and Supervision
• Performance management
• Professional development
• Respectful Workplace
Continual Improvement
• Practice Review


AUDIT PROGRAM VS AUDIT PLAN

Audit program
An audit program (or programme) is a set of
arrangements that are intended to achieve a
specific audit purpose within a specific time frame.
It includes all of the activities and resources
needed to plan, organize, and conduct one or
more audits.

Audit plan
An audit plan specifies how you intend to conduct
a particular audit. It describes the activities you
intend to carry out in order to achieve your audit
objectives.

TEAMS INVOLVED IN AUDIT PROCESS - RESPONSIBILITIES & AUTHORITIES (MAJOR ROLES) – REFER TO CLAUSE OF ISO 19011:2011

AUDIT TEAM – Performs audit, recommends Audit Organization for Certification (Initial) and Certificate Continuation

AUDIT PLANNER
Role in Audit: Plans & arranges logistics for the Audit
Responsibility:
• Auditor Identification as per Industry Sector competence
• Plans and Logistic arrangements
Authority: None

LEAD AUDITOR (LA) / TEAM LEADER (TL)
Role in Audit: Leads & Controls the audit to successful Audit Conclusions
Responsibility:
• Being Team Leader, does Initial contact with Audit Organization & clarifies the feasibility of audit & prepares Audit Plan
• At site, conducts Opening & Closing Meetings & controls the audit
Authority:
• Auditor selection
• Auditor allocation to audit area
• Audit Findings & Audit Conclusions on recommendations
• Prepares Audit Program for future audits

AUDITOR
Role in Audit: Supports the leader and conducts the Audit
Responsibility:
• Assisting TL/LA on administrative issues
• Perform audits & record evidences as per Audit Plan & Audit procedures, prepare respective reports & recommend audit findings to TL/LA
Authority:
• Decide & Recommend audit findings

OBSERVER
Role in Audit: Observe & learn the Audit – practically
Responsibility:
• Observe, Record, Clarify & Learn all aspects of audit activities in actual live audits
Authority: None

TECHNICAL EXPERT
Role in Audit: Assist the Audit Team on Industry Specific Technical matters
Responsibility:
• Observe the processes, documents & competency of personnel w.r.t Scope as per Audit Plan
• Assist Audit Team in consulting technical in audits and audit conclusion
Authority: None


TEAMS INVOLVED IN AUDIT PROCESS - RESPONSIBILITIES & AUTHORITIES (MAJOR ROLES) > CONTD. - REFER TO CLAUSE OF ISO 19011:2011

AUDITEE TEAM – Getting audited by Audit Team

AUDITEE
Role in Audit: Getting audited – reveal the evidences to prove the degree of compliance in transparent manner
Responsibility:
• Cooperate in audits
• Maintain transparency in audits – reveal all evidences to auditors, without delay and Integrity
• Avoid unpleasant situations and ensure audit is completed in good spirit
• Accept the Audit findings positively and focus on corrections & corrective Actions to close the Audit Findings as per procedure of Certification Bodies
Authority: None

GUIDE
Role in Audit: Representative to guide the Audit Team during entire Audit process
Responsibility:
• Give administrative support to audit team
• Not to Participate in the audit process except of being a witness to the audit
Authority: None

AUDIT PROCESS – FUNDAMENTALS

Auditors > Verify these compliances

STAGE 1 STAGE 2


AUDIT STAGES > LOGICAL SEQUENCE OF FIRST TIME CERTIFICATION

Stage 1 → Complying?
• Not complying: Corrective Actions
• Complying: Recommended for Stage 2

Stage 2 → Complying? (No Major NC)
• Not complying: Corrective Actions, then Follow Up Audit (only Major NC)
• Complying: Recommended for CERTIFICATION

AUDIT - STAGE 1 (DOCUMENTARY / ADEQUACY AUDIT)

Points to be verified in Adequacy Audit = [ Stage 1 ]


• Prior to the on-site audit activities the auditee’s documentation should be reviewed
to determine the conformity of system documents, with audit criteria:
• The review should take into account the scope agreed in contract size, nature and
complexity of the organization.
• Scope for stage 2 Audit (agreed in Contract with CB) may also change, as an outcome
of Stage 2 completion

Complying?
• Not complying: Corrective Actions
• Complying: Recommended for Stage 2


AUDIT - STAGE 2 (COMPLIANCE / CERTIFICATION AUDIT)

Points to be verified in Adequacy Audit = [ Stage 2 ]


• On-site audit activities the System Implemented shall be reviewed to determine the conformity of
system, with audit criteria, to determine the % of performance – audit conclusion for
Recommending for Certification
• The review should take into account the scope agreed in contract size, nature and complexity of
the organization –
• Scope recommended for certification in stage 2 Audit (agreed in Stage 1, may also change,
as an outcome of Stage 2 completion) – To be agreed between TL & Auditee Management
• Even with ONE MAJOR NC, CERTIFICATION RECOMMENDATION is given only on CLOSURE OF the MAJOR NC.

SECTION 3 <<<<< EVIDENCING IN AUDIT >>>>>>

Define the Target Population

Define the Sampling Frame

Select a Sampling Technique(s)

Determine the Sample Size

Examine the Sampling Process


AUDITS – SOURCES OF COLLECTING EFFECTIVE EVIDENCES

Observations:
• How/What work gets done (Process)
• Where work gets done (Places)
• Who does the work (People)
• The Tools used to get the job done (Tools/Technology)

Documents Verification:
• Customer Requirement
• Plans
• Standards & Acceptance Criteria
• Production & Test Processes
• Records
• Customer Satisfaction

Auditee Interview:
• The Interview is the most challenging.

Based on situations, all these sources should be used during audits to arrive at evidence

COMMUNICATIONS IN AUDITS

Types of Communication in Auditing
• Verbal: Written, Oral
• Non Verbal: Body Language

Important communication types in auditing: Oral & Body Language

Most important aspect in audit communication and behaviour is to AVOID AUDITEE GOING INTO DEFENSIVE MODE


COMMUNICATIONS IN AUDITS

Important communication types in auditing: Orally > Let us clarify

Evidence leads
to effective
Audit
Conclusions

QUESTIONING TECHNIQUES IN AUDIT INTERVIEW (BEST PRACTICES)

Through questioning, auditors have to narrow the conversation down in a FRIENDLY MANNER, to witness / verify evidences and reach an audit conclusion on the degree of compliance.

Open Qs.
• Sample: What is the system you maintain here?
• Expected Answer: This is a lab where we do quality testing & calibrate measuring instruments

Probing Qs.
• Sample: Which acceptance criteria do you use for quality inspections?
• Expected Answer: Every product has different standards, which are the acceptance criteria for quality

Closed Qs.
• Sample: Could you please show me some records to evidence the same?
• Expected Answer: NOW AUDITEE HAS TO SHOW THE EVIDENCE

Cautions during asking: Auditee may go into defensive mode – mainly with closed questions


COMMUNICATIONS IN AUDITS - ORAL

Important communication types in auditing: Orally > Quality of Questions


Avoid questions / statements like below ones:

Samples of Statements / Qs. types, with the anticipated impacts of such Qs.

AUTHORITATIVE
• Why are you taking time to show the records?
• I have another half an hour as per the audit plan, so please hurry up?

ONLY CLOSED Qs.
• Show Inspection results
• Show me calibration results
• Show me NC’s & Corrective actions

Anticipated impact (AUTHORITATIVE and ONLY CLOSED Qs.): This surely would make Auditee go into defensive mood and would need double the efforts to find out the evidences for audit conclusions

NOT FROM SCOPE
• What do you do after office hours?
• Do you think movies teach good practices?
Anticipated impact: Auditee would lose interest in audit process

ARROGANCE
• Why are you not transparent?
• Are you aware what you are doing by not cooperating?
Anticipated impact: Might lead to arguments or auditee might not cooperate for evidences

INTERROGATIVE
• Five minutes back you said something else and now you are saying just the opposite?
Anticipated impact: Would lead to defensive mood and might also irritate the auditee

INSTIGATIVE
• Keep the inspection records ready but could you show only genuine records?

ARGUMENTATIVE
• This record does not reveal facts
• Transparency is always good for improving the process

Anticipated impact (INSTIGATIVE and ARGUMENTATIVE): Might lead to arguments

COMMUNICATIONS IN AUDITS - ORAL

Important communication types in auditing: Body Language > Let us clarify


Some key tips on Auditee’s behaviour contributing to understanding Auditee mindset

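Cluster Element: Body Angle
• Acceptance Signals: Leaning forward and upright
• Caution Signals: Leaning away from auditor
• Disagreement Signals: Retracted shoulders, leaning away and back from auditor

Cluster Element: Facial Expression
• Acceptance Signals: Smiling, relaxed, direct contact, position, voice, tone
• Caution Signals: Puzzled, little or no expression, averted eyes
• Disagreement Signals: Tense expression showing anger, little eye contact, negative voice tone or sudden silence

Cluster Element: Hands
• Acceptance Signals: Relaxed, open handshake
• Caution Signals: Clasped, weak handshake
• Disagreement Signals: Tense, clenched motions or rejection, weak handshake

Cluster Element: Arms
• Acceptance Signals: Relaxed, open
• Caution Signals: Crossed, tense
• Disagreement Signals: Tense, crossed over chest

Cluster Element: Legs
• Acceptance Signals: Crossed and pointed towards auditor; uncrossed
• Caution Signals: Moving, crossed away from auditor
• Disagreement Signals: Crossed and away from the auditor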


COMMUNICATIONS IN AUDITS – BODY LANGUAGE (BEST PRACTICES)


Body Language: Facial
• Friendly: Smiling; Relaxed Mouth; Alert; Ready to Listen
• Non Friendly: Tight Lipped; Grim Smile; Raised Eyebrows; Jaw Muscles Clenched

Body Language: Eyes
• Friendly: Pupils Dilated; Good Contact; Wide Open
• Non Friendly: Looking Down Nose; Lack of Contact; Narrowed

Body Language: Head
• Friendly: Straight; Mildly Nodding
• Non Friendly: Bowed; Shaking

Body Language: Body Position
• Friendly: Open; Erect; Leaning Forward
• Non Friendly: Crossed Arms; Legs Crossed Away; Cold Shoulder

Body Language: Hand Gestures
• Friendly: Open Hands; Touching; Hand to Chest
• Non Friendly: Tapping Fingers; Closed Hands; Finger Wagging

SECTION 4 <<HANDLING EVIDENCES & AUDIT REPORTING >>

Audit Samples: PROCESSES, DOCUMENTS, PEOPLE

Audit Criteria
1. ISO 9001:2015 &
2. Customer Requirements &
3. Legal Requirements &
4. QMS Complete Documents

Audit Finding: Non-Compliances (Corrective Actions) or Compliances


EVIDENCES IN AUDITS – SAMPLES (CLAUSE B.2.2 OF ISO 19011:2015)

Correct Sampling = Effective Audit Conclusions

Timeline Samples Process as Samples Document as Samples People as Samples

EVIDENCES IN AUDITS – SAMPLES IN AUDIT TRAIL

Process > Set of interacting activities which transforms inputs into outputs


CONTENTS OF NONCONFORMITY (BEST PRACTICES)

Nonconformity

For one out of fifteen measuring instruments (Instrument #: TF 303) in the Quality Laboratory, no evidence was provided by the Lab In-charge of its adequate calibration as per the defined procedure; it was not calibrated since last one year (Calibration procedure TF-CP-004 Ver.3.2 Dt. Jan.2014 & previous Calibration Cert. No: QPQ 122 Dt. June 2013, from external agency).

Without Evidences, NC is Incomplete!

AUDIT FINDINGS – NONCONFORMITY CLASSIFICATION

AUDIT FINDINGS – types , definitions and examples


NC Type, Definition and Example (Underlined = Evidences)

MINOR NC
• Definition: Isolated facts/evidences in the designated areas, which do not conform to any one /combination the audit criteria
• Example: One out of Fifteen Measuring Instrument (Instrument #: TF 303), no evidence available for its adequate calibration as per defined procedure was not calibrated since last one year (Calibration procedure TF-CP-004 Ver.3.2 Dt. Jan.2014 & previous Calibration Cert. No; QPQ 122 Dt. June 2013, from external agency)

MAJOR NC
• Definition: Major Gaps between facts/evidences in designated area, which do not conform to the audit criteria – System Breakdown
• Example: No Internal audits done on the two outsourced activities i.e. complete IT Activities & Maintenance (Sigma Systems) and packing process (Goodwill Pack-king) – there were many IT incidents leading to process breakdown and lot of packing complaints since last six months, as defined as Annual audits on critical suppliers in Internal Audit procedure (TP-IA-18 Ver. 2.1 Dt. June 2015).

Observation
• Definition: Areas of Improvements or Potential Non-conformities
• Example: The Organization’s Process Risks Assessments (with residual risks) done in Excel is available with all the head of departments, in soft copy form and pending NC’s of Internal Audits shows lot of Information Security Incidents


AUDIT NC HANDLING – BIRD’S EYE VIEW


[Flowchart between AUDITOR and AUDITEE: Details of NC → Proposed action to address the NC → Accepted? (Yes / No) → Actual action to address the NC → Accepted? (Yes / No) → Closure of NC]

ACTION TAKEN MAY BE DIFFERENT THAN WHAT PROPOSED EARLIER

Actions to address the NC:
• Corrections (Quick Fix): Actions focussing on samples of NC evidences of this audit
• Corrective Actions (Prevent from Recurrence): Actions focussing on causes of evidences of other samples of system, apart from samples of this audit

AUDIT FINDINGS – NONCONFORMITY FORMAT


• Auditor to give details of the NC
• Auditee to give Proposed action & actual action to address the causes of the NC – Correction & Corrective Action
• Auditor to verify the effectiveness of the corrective Action taken to improve the Management System Compliance

AUDIT FINDINGS – NONCONFORMITY FORMAT


AUDIT FINDINGS – NONCONFORMITY FORMAT


END OF SECTION 13


IRCA CERTIFIED ISO 9001:2015


AUDITOR/LEAD AUDITOR TRAINING
COURSE
(QUALITY MANAGEMENT SYSTEMS)
SECTION 14 Process Auditing and Added Value
Principles covered: How to audit a process

‘PROCESS MANAGEMENT’

Identification of Process:
3 Types of Processes (There is no unique typology of the organization processes)
A. Product Realisation Processes
B. Support Processes
C. Management Processes


‘PROCESS MANAGEMENT’

Identification of Processes
A. Product Realisation Process

Contribute directly to product realization, from the identification of the clients’ needs to their satisfaction.

Relevant to all of the activities related to the life cycle of the product: Launch of new products, Sales and management of contracts, Design, Purchasing, Logistics, Production and Control of communication with the client.

‘PROCESS MANAGEMENT’

Identification of Processes
B. Support Processes

Contribute to supporting the realisation processes by implementing the adequate resources. They are mandatory for the functioning of the organisation. They are mainly:
• Human Resources
• Financial Resources
• Installations and their maintenance (buildings, equipment, software, etc.)
• Information and Know-how


‘PROCESS MANAGEMENT’

Identification of Processes
C. Management Processes

Contribute to determining the Policy of the organisation and to the deployment of the objectives all over the organisation. They are mainly:
• Elaboration of the organisation strategy
• Quality Management
• Internal Communication
• Personnel Involvement
Management
1 Establishing the strategy
2 Quality Management
3 Managing Human Resources
4 Conducting Cultural Changes
5 Communication

Operational
6 Manufacturing a product for Lebanon
7 Manufacturing a product for Export
8 Sell of in stock product
9 New product development
10 New product development

Support
11 Identify Client needs and Expectations
12 Feedback Control
13 Accounts
14 Equipment Maintenance
15 Marketing


OPERATIONAL
Manufacturing of the product
Supply the customer
Production
SUPPORT
Accounts
Financial Resources
Maintenance of Equipment, Building, Software, etc.
MANAGEMENT
Elaborating the strategy of the organisation
Establishing the Quality Policy
Internal Communication

THE TURTLE DIAGRAM PROCESS PLAN

[Turtle diagram with the following fields: Process Objective; Process Owner; Process; Inputs; Outputs; Personnel Resources; Materials & Equipment; Support Procedures; Performance Measures; COP?]


END OF SECTION 14


IRCA CERTIFIED ISO 9001:2015


AUDITOR/LEAD AUDITOR TRAINING
COURSE
(QUALITY MANAGEMENT SYSTEMS)
Section 15 - Opening Meeting
To be able to list and structure an opening meeting agenda

THE OPENING MEETING

Punctuality is important! Arrive on time

The meeting should be brief and to the point


OPENING MEETING

Work as a team
Open up your copy of ISO 19011
Find the clause with the opening meeting requirement
Draft a checklist the lead auditor will use to conduct an opening meeting during the next case study
Provide your work for short inspection by the tutor

END OF SECTION 15


IRCA CERTIFIED ISO 9001:2015


AUDITOR/LEAD AUDITOR TRAINING
COURSE
(QUALITY MANAGEMENT SYSTEMS)
Section 16 - Raising Non-Conformities
To establish the ground rules for writing and agreeing NCR’s
To understand the possible differences between NCR’s raised during 1st, 2nd & 3rd Party audits
To clarify categorisation/ grading of non-conformity reports

NONCONFORMITY REPORTING

What is the Problem ?


• describe clearly, concisely and factually
Why is it a noncompliance ?
• i.e. against what requirement
Where did it occur ?
• i.e. which department or activity
Who ? - avoid apportioning blame
• (i.e. naming individuals)


NONCONFORMITY REPORT

Used to report nonconformity audit findings


Must be factual
Must be understandable and traceable
Raise formal notification of any issues at the time of finding
Allow the auditee to implement corrective action prior to the closing meeting
The auditee is requested to sign signifying an understanding and acceptance of the non-compliance

WORDING OF NCR’S

It is important when preparing NCR’s to take care and ensure each one is justified.

Failure to achieve clear factual information will invite challenge of the findings at the closing meeting.

This will be particularly important in areas where the emphasis is placed on the following
• Management Commitment
• Competence
• Communication
• Continual improvement


OBSERVATIONS

Notes made by an auditor during assessment may lead to non-compliances being raised or may provide
information for the audit report

Notes provide Objective Evidence back up

CATEGORISING NON-CONFORMITIES

Major
A single major system, product, or service nonconformity

• A lack of procedures needed to satisfy an agreed requirement
• Non-implementation of documented procedures and arrangements
• A series of minor non-conformities in a particular area or activity which collectively have an
adverse effect on the system


CATEGORISING NON-CONFORMITIES

Minor
There is a defined system, with documented procedures and arrangements which satisfy agreed
requirements, against which the organisation being assessed can demonstrate an acceptable level
of implementation overall, but there are minor discrepancies or lapses in discipline.

END OF SECTION 16

Section 17 – How to Audit Competence
To establish a means of defining competence
To understand the term and devise ways by which an auditor could record
evidence of compliance with the standard.

WHAT IS COMPETENCE?

• Give your understanding of the elements that build competence:

• Training?
• ……….
• ……….


COMPETENCE

How can we measure it and when?

• Establish a level

• Test against the level

• Retest against the level at suitable intervals

• Review the level when processes change

EVIDENCE

Now, against each of the elements that you gave, describe what evidence an auditor would look for to
find compliance:


COMPETENCE

Note:
It is not your task to set the competence level but to ensure the company has.
You are not to challenge the competence of an individual but test the system to confirm competence is
achieved.
Lack of a procedure will mean greater emphasis is placed upon competence.

COMPETENCE

Remember!

Competence can perish:

• A lack of opportunity to practice the skill
• The frequency by which a person carries out a task
• The time between learning the skill and applying it
• A change in the process


END OF SECTION 17

Section 18 – Audit Reporting
To be able to list and present closing meeting agenda points
To be able to list the contents of an audit report

AUDIT FINDINGS

Throughout the entire audit, the evidence collected in the form of OBSERVATIONS is to be recorded on
the auditors’ checklists.

This evidence is then to be examined to determine if there are any non-conformities which need to be
reported.


WRITTEN AUDIT REPORT

Description of audit objectives, scope, criteria and exclusions (as appropriate)


Number and details of non-conformities
Summary of audit findings (both positive and opportunities for improvement)
Recommendations made as a result of audit findings
Signature by the Lead Auditor and client representative

AUDIT FILE

Audit plan
Audit report
Opening/closing meeting attendance list
Copies of non-conformity reports and objective evidence provided
Assignment of the audit teams
Confidentiality statements of the audit team


PURPOSE OF CLOSING MEETING

Advise auditee of findings and conclusions reached based on the audit findings
Advise on the recommendation to be made
• ACCEPTABLE
• UNACCEPTABLE

CLOSING MEETING

Thank management for help and cooperation


Explain that the sample taken has determined the conclusion reached
Ask management to defer questions until end of summary presentation to appreciate full picture
(unless for clarification)
Present summary report
• Non-conformities
• Conclusion
• Recommendations


CLOSING MEETING

Invite questions - for clarification only


Agree follow up actions required and ask for date by which action will have been completed
Agree distribution of final report
Make statement of confidentiality

END OF SECTION 18

Section 19 – Management Communications
To develop an appreciation of leadership styles
To be able to list the management stages that a Lead Auditor must
handle

MANAGEMENT STYLE

“Tell”
• This approach is where the team leader plans and makes the decisions up front and then gives
clear instructions - directing the team the way he or she wants the task to proceed
• This style may well be welcomed by the less experienced team members, but may not always
receive approval from those more experienced who feel they have something to contribute.


MANAGEMENT STYLE

“Sale”

• As with “Tell”, the team leader will probably have planned and decided on the programme, but will
feel that some justification is necessary as to how the programme was established and how they
wish to proceed. The team leader will then attempt to complete the sale to convince the team
members that the proposed course of action is correct.

MANAGEMENT STYLE

“Consult”

• The consult approach is where the team leader takes time to talk to the team members first,
listen to their ideas and evaluate their capabilities before making a decision.
• This is probably the preferred approach, but if time is a constraint and the team is not available
then this approach may not be possible.


MANAGEMENT STYLE

“Team”
• The team approach is when the team leader acts more as a chairperson seeking concise
opinions and allowing other team members to take an active role in the decision making
process.
• This approach is perhaps more useful when preparing for the final report, giving the opportunity
for the final report to be truly representative of the whole team’s findings.

MANAGEMENT STAGES

Establish audit requirements


Client Interface (pre-visit)
Audit Planning and Team Meeting
Audit Opening Meeting
Manage the audit programmes and team/client interface
Daily Team Meetings & Report Preparation
Closing Meeting
Formal Issue of Report
Follow up visits


MEETINGS

The Lead Auditor shall:


• assume control
• have authority (but not be dictatorial)
• manage proceedings
• confirm the purpose and scope
• review and confirm the agenda
• set the atmosphere
• establish good working relationships

MEETINGS

Remain impartial with a sense of fairness

Promote involvement

Remain cool, calm, courteous and patient


AUDITEE ATTENDANCE AT MEETINGS

In addition to attending the Opening and Closing meetings an auditee management representative shall
be required to be present at audit team and corrective action feedback meetings to agree and
process nonconformities raised during the audit.

END OF SECTION 19

Section 20 – Audit Follow Up Actions
To establish the responsibilities for audit follow up actions

REVIEWING CORRECTIVE ACTIONS

To ensure the corrective actions requested are being implemented by the auditee
The agreed timescales are achieved
Corrective actions are effective


REVIEWING CORRECTIVE ACTIONS

Corrective action implementation can be verified off-site based on documentary evidence provided
Follow-up visits may be made as necessary to verify actions have been taken and were effective
Non-conformities should be closed out at each visit or further corrective actions agreed

CORRECTIVE ACTION RESPONSIBILITIES

[Flowchart: corrective action responsibilities. Steps shown: raise NCR, categorise, sign agreement, nonconformity report at closing meeting; propose C/A (Auditee), accept/reject proposed C/A (Auditor), implement C/A (Auditee); complete, monitor and review the action taken, then reject the action taken or close the NCR. Each step is assigned to the Auditor, Lead Auditor or Auditee.]


SURVEILLANCE

Purpose

• To ensure the management system remains in compliance with the standard
• It is effective and achieves its objectives
• Identify opportunities for improvement
Carried out by:

• Certification Organisation

• Client or Customer

SURVEILLANCE

Frequency

• Minimum once per year

• As specified in each contract

• Normally pre-planned but may be unannounced


END OF SECTION 20


Congratulations
You have completed your IRCA certified
training course. We hope that you enjoyed the
experience and achieved your objectives.

www.irca.org

What can you do now?


The International Register of Certificated Auditors (IRCA) is the professional body
for management system auditors and membership is available to all delegates who
have completed an IRCA approved course. You now have 2 options:

1) Record your certificate


2) Become a registered IRCA auditor


www.irca.org/certificate

1) Record your certificate


Now you have completed the IRCA course, you can record your training course
completion certificate with IRCA. This is free and allows you to:

• access the latest news in IRCA’s newsletter – Inform


• network with fellow auditors in IRCA’s private LinkedIn group
• keep your skills up-to-date with exclusive access to IRCA’s reports and
research
• get advance notice of ISO standard changes and how they impact auditors
• get notified about discounts on IRCA fees
• Record your achievement with IRCA.

All you need to do is visit www.irca.org/certificate and enter the details.

www.irca.org/join

2) Become a registered IRCA auditor


The next step beyond recording your certificate is to become a registered
auditor with IRCA. Over 10,000 auditors gain IRCA registration because it:

• is an easy way to let employers differentiate you from less qualified auditors
• shows you have business expertise in addition to auditing expertise
• allows you to list yourself on the IRCA register
• connects you to a network of 10,000 contacts
• helps you to work internationally with a globally recognised qualification
• supports your career by showing a commitment to ethics and CPD

Visit www.irca.org/join to find out more.


Get in touch with IRCA


• Find out more about IRCA registration www.irca.org/join
• Record your certificate - www.irca.org/certificate
• Follow IRCA on LinkedIn – www.linkedin
• Follow us on Twitter – www.twitter.com/IRCA_INform

We can also be contacted at our head office.


IRCA, 2nd Floor North, Chancery Exchange,
10 Furnival Street, London EC4A 1AB

Tel: +44 (0)20 7245 6833


Fax: +44 (0)20 7245 6755
Email: registration@irca.org
