
Chapter : 6 – Audit Process

1.0 Introduction
This section defines and explains the difference between audit, certification and accreditation. It
deals with the steps that have to be taken in planning an audit according to the ISO 9001:2015
requirements, including the preparation of plans and checklists.
2.0 Audit, Certification and Accreditation
The terms “Assessment” and “Audit” are similar. “Assessment” refers to external 2nd or 3rd party
evaluation of the conformity of a management system against an agreed standard. The term
“Audit” is used to refer to the in-depth evaluation of an internal (1st party) management system.
However, the term “Audit” is now used by ISO for both internal and external audits.

Definition of Audit – Audit is a systematic, independent and documented process for obtaining
audit evidence and evaluating it objectively to determine the extent to which audit criteria are
fulfilled.

3rd Party audits are conducted by certification bodies for evaluation of applicants for
CERTIFICATION or REGISTRATION.

CERTIFICATION or REGISTRATION is the act of formally recognizing that an organization’s
management system conforms to specified published management system standards and any
supplementary documentation required under the system.

Certification and Registration is performed by Certification Bodies who are defined as –

A third party that assesses and certifies / registers the Quality Management System of
an organization with respect to published standards and any supplementary
documentation required under the system, like ISO 14001.

Certification bodies assess organizations against published criteria such as ISO 9001, ISO
45001 or ISO 14001. The certification bodies gain their credibility by being evaluated by
accreditation bodies against internationally agreed criteria, which cover both the effectiveness of
their quality management system and associated documentation and the competence of the
certification staff.

Accreditation is the act of formally recognizing the system and competence of a certification
body as meeting the requirements of the published accreditation standard.

Accreditation is stronger than certification in the sense that an approval of the competence of
the certification body is involved.

The international standard under which certification bodies operate and are assessed by an
accreditation body is ISO/IEC 17021–1:2015, Conformity Assessment – Requirements for bodies
providing audit and certification of management systems – Part 1: Requirements.

Criteria for accreditation of certification bodies include –


1. Services shall be accessible to all applicants.
2. Shall confine the assessment to those matters related to the scope.
3. Shall be impartial.
4. Shall have a documented system meeting the requirements of the guide.
5. Shall specify the requirements for certification.
6. Shall require applicants to have a documented Quality Management System.

Copyright 2018 @ Punyam Academy | devang@punyamacademy.com | +91-9825031523 Page 1 of 26


7. Shall require applicants to take timely corrective actions and operate surveillance.
8. Shall maintain a record system.
9. Shall maintain a register of registrations.
10. Shall maintain confidentiality of information.
11. Shall ensure competence of personnel.
12. Auditors shall meet the requirements of ISO/IEC 17021–1:2015.
13. Shall conduct audits in accordance with ISO 19011 and documented procedures.
14. Shall have a procedure for complaints.

Accreditation bodies have joined together to ensure that accreditation is comparable in different
countries, and certifications can be recognized where they have been endorsed by
Accreditation Bodies who have joined the International Accreditation Forum (IAF). In Europe
the members of IAC, the international commission on cooperation for accreditation, operate a
system of mutual recognition backed by peer audits of each other.

As they recognize each other’s accreditations, they recognize certifications given by certification
bodies accredited under the schemes.
3.0 What is Audit?
Audit is a systematic and independent examination of the management system. It aims to find out
what you are doing and whether it complies with the standard you have chosen to follow. The
person conducting the audit may be in-house or from outside the organization. However, he/she
must be a trained auditor.
4.0 Audit Principles

• The General Principles for auditing are as follows –

Independence – The audit should be carried out without bias or influence in order to produce a
fair and unbiased informative report on which management can act to bring about
improvements to its operations.

Planning – Audits should be planned according to the needs and objectives of the
organization. The planning should be systematic and ensure that all the audit objectives are
met.

Competence – Audit team members should be trained, competent and free from any conflicts
of interest. Technical business management knowledge is often needed and teams may
require experts and translators to ensure the team can meet the audit objectives.

Evidence – All conclusions and reports must be based on recorded evidence to ensure that
they are reliable. Audit evidence relies on a sample of documents, records and information that
is available at the time of audit, and it is never possible to check every single item.

Integrity – Auditors should always work in an ethical manner, free from bias, and report
truthfully, fairly and accurately any deficiencies in the system. The relationship between the
client, the audit team and the auditees should be discreet and confidential without any conflicts
of interest. Auditors shall at all times operate to the auditor’s code of conduct.

• The Six Principles of auditing are as follows –


1. Integrity: The foundation of professionalism
2. Fair presentation: The obligation to report truthfully and accurately
3. Due professional care: The application of diligence and judgment in auditing
4. Confidentiality: Security of information
5. Independence: The basis for the impartiality of the audit and objectivity of the
audit conclusions
6. Evidence-based approach: Audit evidence is verifiable
5.0 Reasons for Audit (Why Audit?)
An audit is performed to answer the following questions:
1. Is the management system implemented exactly as intended?
a. Is there any problem? If yes,
b. Why did it occur?
c. How can it be resolved?
d. How can it be prevented in future?
2. Where are the opportunities to improve?
3. Does the management system meet the requirements of the standard?

Although there are many reasons for continually evaluating by sampling the effectiveness of
the Quality Management System and identifying areas for improvement (conducting audits), the
main underlying reasons are assurance, prevention of problems, and improvement. Audit can
be conducted by our own organization (1st party audit), by a customer on a supplier (2nd party
audit), or by an independent body (3rd party audit).

The reasons for audit may be:


1. To improve our own system.
2. To assure ourselves of the effectiveness and conformance of our system.
3. To select a new supplier – We assure ourselves of their EMS capability to meet our
needs.
4. To assure ourselves that existing suppliers are still capable of meeting our needs.
5. To improve our current suppliers.
6. To assure ourselves of a supplier fulfilling a contract placed.
7. To gain certification in order to assure customers the basis of the Quality Management
System and of our ability to meet their requirements.
8. For legal compliance, to assure the regulatory authorities that we are operating a
Quality Management System and work will be more consistent.
6.0 Types of Audit

There are different types of audit, depending on the reasons for conducting the audit, and the
relationship the auditors or their organization have with the auditees. This can have an effect on
the scope and coverage of the systems and whether advice is given to the auditees.

The auditees’ reactions to the audit can also vary with the reason for the audit. The reaction of
auditees who have a $1,000,000 contract at stake will be different from that of those who have
been audited before by a long-term customer who is auditing for improvement.

Following are different types of audits:


1. Adequacy Audit: It is a document verification audit to determine the extent to which the
documented information, such as the management system manual, procedures, work
instructions and forms, adequately meets the requirements of the standard.
2. Compliance Audit: It is verification of the implementation of documents to determine the
extent to which the documented system is implemented by the workforce.
3. Horizontal Audit: In this type of audit, all departments are audited against one element
of the standard or procedure.
4. Vertical Audit: In this type of audit, one department is audited against all elements of
the standard or procedure.
5. Internal and External Audit

• Internal Audit: It is basically a First Party Audit, in which the audit is done either by the
organization's own employee or by an auditor from outside.
• External Audit: It can be of two types:
1. Second party audit - By customer or customer-nominated representative
2. Third party audit - By the body providing the certificate.

Audits may be performed by our own staff, by consultants, by customers or their representatives,
or by independent organizations such as certification bodies. Compliance audits are usually
conducted by regulatory authorities for compliance to legal requirements, although they are
sometimes conducted by customers for compliance to contract requirements that often include
legal requirements that they must meet.

Conformance Audits or Compliance Audits are conducted by customers and certification bodies
for conformance to management systems standards to either assure themselves of the ability
of the organization to supply products which meet requirements or for the company to assure
its customers of this ability.

Product Audits are usually conducted on the product itself and the traceability of records and
processes for that particular product. This may be part of a conformance audit and it may be
conducted internally for assurance purposes.

1st Party, 2nd Party and 3rd Party Audits


1st Party Audits: Such audits are conducted within a business by own staff, according to an
internal audit program as required by ISO 9001:2015 and conducted in accordance with ISO
19011 guidance. The auditees are the beneficiaries, as the objective is to improve the current
system and to assure ourselves of the suitability and compliance. The conduct of the audit is in
a relaxed and friendly style, as auditees and auditors have the same objectives of improving
the system. The audits are usually conducted according to a set program covering all the areas
of the organization in turn over a set period of anything ranging from 1 – 3+ audits per year
depending on the organization’s needs. Each of the areas is audited in detail, checking each
aspect of the process. The opening and closing meetings are fairly informal; however records
of findings are reported to the responsible managers for corrective actions which must be taken
within agreed time scales. Recommendations or advice may be given by the auditors. Reports
go to the EMS Coordinator representative and are usually summarized for top management.
Reports also need to be analyzed for possible trends and the identification of risks enabling
controls to be put in action. Follow-up is performed on every NCR on the scheduled date.


2nd Party Audits: In such audits, Auditors are customers or representatives of customers of the
organization. The auditees will want to look good in the auditor’s eyes and whilst they are likely
to cooperate they are unlikely to point the auditor in the direction of problems even though both
the auditees and the customer may benefit. This is particularly the case when a contract is the
reward for a good audit report.

The style of the audit can be formal in the event of a contract being awarded; or can be less
formal for an ongoing improvement audit program where the contract is not at risk. No one
wants to be the one whose failure is seen as a reason for losing a contract. Audits need to be
planned carefully, as the auditors must cause as little disturbance as possible to the operations
but be thorough enough to evaluate compliance or identify areas for improvement. There may
be restrictions on the auditor’s time. Contracts may need to be examined as part of the
planning. As this is an external audit, less information is known and needs to be found by the
Lead Auditor in order to plan the audit.

The depth of the audit depends on the customer and the contract but is normally to ensure that
the systems are working as planned; however this may be restricted to only the contracts
pertaining to that customer. It may require the same thorough depth as an internal audit for one
particular contract.

Opening and Closing Meetings are usually quite formal and conducted against set procedures
and protocols. Recommendations regarding the corrective action to be taken may be given
if this is part of the policy of the auditor’s organization. Reports may be given in writing as well
as verbally at the closing meeting, or the report may be sent at a later date, depending on the
agreed procedure.

Follow-up is dependent on the reason for audit; if a contract is not placed then the customer will
not want to follow up the audit. If follow up is done then a re–visit is normally made and the
status of the organization is reviewed by the customer.

3rd Party Audits: Third party audits are conducted by independent organizations for the
purpose of certification of company’s management systems to recognized (ISO) standards or
surveillance audits for continuing maintenance of certification. Auditors must conduct these
audits in accordance with set procedures and published guidelines against published criteria.
Certification bodies operate according to ISO/IEC 17021–1:2015 and this requires that
certification is done in two stages – the documentation review (stage 1) and the implementation
audit (stage 2).

The planning is done in detail as demanded by procedures and the technical requirements of
the audit and with agreement of the auditee’s staff. The Lead Auditor must ensure that all of the
requirements of the standard are assessed and that the audit causes as little disruption to the
organization’s operations as possible. This is normally done using full-time auditing staff.

A formal documentation review is conducted and reported to the organization along with review
of corrective actions completed by the organization prior to the audit.

Opening and closing meetings are formally conducted according to a set agenda and
procedures.

The style of the audit is formal, professional and impartial at all times, the objective being to
check for compliance with the auditing standard for the agreed scope. The auditees often view
the auditors as the enemy and will not voluntarily provide information to auditors, as they do not
want to be the one who lets the side down. The reporting of the audit is according to set
procedures and standard forms. Recommendations as to the corrective actions to be taken are
not allowed, as this may result in a conflict of interests and liability.

Follow-up action is nominated by the auditee organization but must be agreed by the Lead
Auditor. Implementation is by the auditees and is checked by the auditors during a re–audit,
follow-up visit or a surveillance visit, depending on the findings. If the auditees satisfy the
requirements, they are awarded a certificate.
7.0 Audit Techniques
Mainly there are three audit techniques for management system audit.
1. Trace forward - Take a copy of the customer’s order and verify the order requirements through
to its delivery to the customer.
2. Trace backward - Take a copy of the delivery details, verify it against the customer’s
order, and check all records backward.
3. Random checking - Take one order at random and verify all the requirements.

8.0 Steps Involved in Audit


Management system audits involve three major steps as below:
1. Audit initiation - For audit initiation two things need to be considered:
   • Scope: It includes department, activity, processes, and product areas - all or any
     selected - as suggested by the management.
   • Frequency: The frequency of audit depends on the implementation phase of the system.
     For example: more audits at initial stages; frequency specified in documented
     system; importance of activity; results of previous audit; and any major
     changes.
2. Audit preparation - This step involves the audit plan and documents review. A detailed audit
plan with the date and time of audit and the name of auditor is circulated; audit checklist
and system documents are also provided.
3. Audit execution and audit report - This step involves meetings, data collection,
documentation and reporting. The audit is conducted, along with the details of what has
been observed and a statement of compliance. This step includes collecting information
and reporting the findings.

9.0 Implementing the Audit Program

Implementation of an audit program includes:


1. Documenting and communicating the audit program
2. Coordinating and scheduling activities
3. Assigning responsibility to the auditors and audit team
4. Providing required resources to the audit team
5. Conducting audit according to the audit program
6. Collecting records of the audit activities
7. Reviewing audit records
8. Reviewing and distributing audit reports to the audit client and other specified parties
9. Performing audit follow-up.


10.0 Seven Steps of Audit Program Implementation

Stepwise key points are described below:

10.1 Step no. 1- Audit Planning

• List the activities you plan to audit;
• Estimate the period you need to complete the audit;
• Ensure that each activity is covered;
• Arrive at the total duration needed to complete the audit;
• Identify the persons to be involved in auditing; ensure their availability and properly
  coordinate with the section to be audited and the auditors;
• Decide to what extent sampling has to be done; discuss it with the individuals or
  organization’s staff to be involved in the audit;
• If there are negative findings, draw more samples so as to establish whether these
  are isolated cases or a problem in the system;
• Refer to documents - manual, procedures, work instructions, forms;
• Consider the history of past audit records. During audit planning, allot more time where
  problems were found in the past.

Audit plan must contain the following as a minimum:

1. Name of department or functional area;
2. Objectives and scope of audit;
3. Name of auditor(s);
4. Schedule - Start-time and end-time for each department, with audit duration, etc.

A sample Audit plan is given in Annexure-1.


10.2 Step no. 2- Developing Checklists


To develop audit checklists, the following should be done:
• Refer to system standard requirements;
• Review documents to identify important aspects of the activities which must be
  conducted to meet the requirements of the standard or the documented system;
• List the activities in logical order; and
• Prepare a set of questions.
The auditor should prepare a checklist that can be used throughout the audit in a logical
manner and act as a prompt, reminding the auditor to ask questions and check documents and
records.
10.3 Step no. 3- Conducting Opening Meeting
The purpose of the opening meeting is to:

1. Confirm the agreement of all parties, for example, auditee, audit team, to the audit plan;
2. Introduce the audit team;
3. Ensure that all planned audit activities are performed.
• Who will attend the meeting?
1. Auditor/audit team;
2. Lead auditor; and
3. Staff, mainly the manager from the area to be audited, should attend the opening
meeting.
• What is discussed?
1. Scope of audit
2. Expected duration of audit for each activity is discussed in this meeting.
The manager of the area to be audited and the staff members who will be involved in the
audit should be included in the opening meeting. At this point the auditor or lead auditor
will reiterate the scope and expected duration of the audit.
• Agenda for opening meeting: The points which need to be taken care of during the opening
meeting are:
  • Introductions
  • Record of attendees
  • Confirm scope & objectives
  • Confirm the audit plan
  • Explain the method of conducting audit
  • Confirm auditee’s cooperation
  • Establish lines of communications
  • Promote auditee's participation in audit
  • Confirm current revision of documentation
  • Confirm the arrangements for lunch
  • Confirm any resources requested
  • Reporting procedure and closing
  • Role of Guides
  • Confirmation of audit timing
  • Termination and Appeals
  • Health and safety issues and access to facilities
  • End of day briefings, if required
  • Provision for a private room for team discussions
  • Any questions from either side.


10.4 Step no. 4- Conducting the Audit


While conducting audit, the lead auditor should:
1. Assign the auditors their audit areas;
2. Select the sample;
3. Collect objective evidence of system effectiveness;
4. Compare findings from checklist with requirements;
5. Decide compliance or non–compliance;
6. Conduct audit team’s daily meeting/daily review meeting.
During the audit, the auditors should:
• Collect and verify information
• Collect evidence about compliance:
  • Interview personnel at various levels;
  • Examine documents and records including procedures, work instructions, forms,
    management system manual, etc. - Are their copies controlled? Are they
    available? What is their correction/revision status? Are they used in the manner
    intended?
  • Examine Management System Records - Are they stored correctly? Are they
    used as objective evidence? What are the types of records maintained?
  • Observe activities - What is said or written in procedures may not be reflected in
    practice.
  • Examine facilities - Travel through the organization/office, and examine equipment,
    standard of housekeeping, size and layout of working area, and the
    environment.
While conducting audit try to establish, whether:
1. Authorized documents are in use?
2. Superseded documents have been removed?
3. Good housekeeping is practiced?
4. Facilities are adequate?
5. Supervision is adequate?
6. Records are kept orderly?
7. Staff is adequately trained?
8. Awareness and communication is effective?
10.5 Step no. 5- Recording Audit Findings
Using checklists, record:
• The activities which do not adhere to the management system. A discrepancy in the system
  is called a non-conformance. They may be classified as:
  1. Major non-conformance
  2. Minor non-conformance
• The areas for improvement
Non-compliances can be:
1. Related to the management system standard requirements;
2. Related to following the documents;
3. Failure to do something required;
4. Difference between work practices and documented information and procedures.


The auditor documents observations in the form of notes. The notes made by an auditor during
assessment may lead to non-compliances being raised or may provide information for the audit
report. Notes provide objective evidence backup.
Nonconformity Report
1. Auditor prepares a report on nonconformities.
   • It is used to report nonconformity audit findings.
   • It must be factual.
   • It must be understandable and traceable.
2. Auditor should raise a formal notification on the nonconformities found.
3. The auditee is required to sign to indicate understanding and acceptance of the
non-compliance.
4. Statements of non-compliances must be non-blaming statements of fact, based on
recorded objective evidence and directly related to a specific requirement.
Nonconformity Report (NCR) should address three questions:
1. What is the problem? Describe it clearly, concisely and factually.
2. Why is it a non-compliance? Describe against which requirement or document the
non-compliance was found.
3. Where/when did it occur? Describe in which department or activity and when the
non-compliance occurred.
The details of reporting non-conformance are given in Annexure-2 on Audit Execution and
Report.
10.6 Step no. 6. Conducting the Closing Meeting
A closing meeting is conducted towards the end of the audit. The closing meeting, facilitated by
the audit team leader, should be held to present the audit findings, discuss corrective actions and
the dates on which they would be taken, and conclusions. The participants of the closing
meeting should include:
• Management;
• Functional Heads (those responsible for functions or processes which have been
  audited);
• Lead Auditor and audit team members.
Checklist for Conducting the Closing Meeting:
The following points must be taken into account during the closing meeting:
• Use an agenda or checklist
• Organize the team on the presentation
• Record attendees and proceedings
• Cover the points briefly
• Do not use jargon or emotive terms
• Stick to the facts and be prepared to clarify points and give detail if asked
• Invite questions
• Ensure confidentiality
• Top person to sign the report
• Inform about further actions
• Re-state scope and objectives
• Thank the auditees for their cooperation
• Discuss summary of findings (Strengths)
• Define NCR - both major and minor
• Disclaimer / Appeals
• Give Recommendations
• Report of NCRs
• Ask auditees to propose corrective actions and time schedules
• Return the documents; thank all; and close
10.7 Step no. 7- Preparing the Audit Report
An audit report should be prepared in such a way that it should include:
1. The audit objectives;
2. The audit scope, particularly identification of the organizational and functional units or
processes audited;
3. Identification of the audit client;
4. Identification of audit team and auditee’s participants in the audit;
5. The dates and locations where the audit activities were conducted;
6. The audit criteria;
7. The audit findings and related evidence;
8. The audit conclusions;
9. A statement on the degree to which the audit criteria have been fulfilled.
The audit report should also include or refer to the following, as appropriate:
• The audit plan including time schedule;
• A summary of the audit process, including any obstacles encountered that may
  decrease the reliability of the audit conclusions;
• Confirmation that the audit objectives have been achieved within the audit scope in
  accordance with the audit plan;
• Any areas within the audit scope not covered;
• A summary covering the audit conclusions and the main audit findings supporting them;
• Any unresolved diverging opinions between the audit team and the auditee;
• Opportunities for improvement, if specified in the audit plan;
• Good practices identified;
• Agreed follow-up action plans, if any;
• A statement of the confidential nature of the contents;
• Any implications for the audit program or subsequent audits;
• The distribution list for the audit report.
Audit follow-up
The conclusions of the audit can, depending on the audit objectives, indicate the need for
corrections, or for corrective, preventive or improvement actions. Such actions are usually
decided and undertaken by the auditee within an agreed time frame. As appropriate, the
auditee should keep the person managing the audit program and the audit team informed of the
status of these actions.


11.0 Details of Audit Planning and Preparation

The initiation of the audit can be by an Internal Audit Program, by a supplier assessment
program or by request to audit a new supplier, or by application to a certification body.
Whoever requests the audit appoints the Lead Auditor to set up and execute the audit.

The first task of the Lead Auditor is to establish exactly what the reason for conducting the
audit is and exactly what scope the audit is to cover. If you are asked to assess a large
multinational organization you will need to know the site and the scope, opt–outs, processes
and products.

In internal audits this is generally straightforward. As the audit procedure and policy on audit
are documented and readily available, the preparation stage may be simple, particularly if the
checklists have been prepared for previous audits. We normally have a good idea of the
functions of our own organization.

Third party audits require more preparation, and the scope of the audit including opt–outs
need to be established and agreed with the auditees. The auditees would normally have a
documented system in place prior to application and would submit details of the plant and
products with the application form. Lack of a documented system would affect the planning of
the audit as the Quality Management System activities would have to be verbally explained to
the auditor instead of the auditor being able to read the documents. Explaining verbally takes
much time and the auditor may have to check the correctness of the information from a second
source which takes longer, and therefore, more time may be required to check that the system
is effective.

Second party audits are sometimes simpler and sometimes more difficult than 3rd party audits
depending on the scope and objectives and the operations of the supplier.

If the outcome of the audit is a large order to a small or medium-sized company, then the
supplier will be eager to accommodate the audit; however, in the case of a large supplier and an
order that is small by their standards, they may consider the audit an inconvenience that they do
not need or want. They may refuse the request to audit them. In second party audits, the customer
sets the scope of the audit of the supplier.

The Lead Auditor would first establish contact with the organization and establish the best
person and means of communication. Often in second party audits a questionnaire is sent to
the supplier, similar to the certification bodies’ questionnaire. We need to know the size of the
plant, the types and sequence of production/operational processes and their interaction, the
products or services, the number of employees and production lines. We need to know if there
are specific legislation, industry codes or standards to be followed and any specialized testing
activities.

A pre-audit visit may be arranged with the auditee organization to ensure that the Lead
Auditor gets all the information needed to plan the audit. The benefit of the pre-audit is that
the Lead Auditor can see the size of the site, identify the number of processes to be covered,
the sequence and interaction of the processes, the extent and implementation of the Quality
Management System and their readiness for audit.

The auditor can be reassured that there are no surprise processes lying in wait. There may be
no documented procedures or areas that will require specialist technical knowledge. Cultural,
language and religious requirements will also need to be identified as the auditor may appear
rude or even insulting in his auditing technique and he should also be aware of the need for
prayer periods in certain locations. In some cultures it is impolite to say no and auditors should
be aware of this and phrase their questions accordingly. In other cultures polite conversation is
etiquette and should not be construed as time wasting. The organization also needs to be
informed as to how the audit will be conducted and what is required of them. The scope and
objectives should be finalized, the procedure for audit and any follow-up actions or approvals
explained and the system of communications between the team and the auditees, particularly
for problems and reporting, should be confirmed. Communications are essential but can
be a sensitive area, where miscommunication can cause the auditee company problems,
particularly in different cultures and in unionized companies. The Lead Auditor should establish
the system of communications and agree this with the auditee’s management.

The auditors would normally visit to review the state of readiness of the organization for the
implementation or stage-2 audit. This review covers the documented system and key
procedures if available; they may be sent to us if we are unable to visit in advance of a 2nd
party audit. In a second party audit, the company to be audited may not have a QMS manual
and procedures, but that would not stop us going ahead with the audit as we may have to
approve them as a supplier; we can use this as an area of supplier’s improvement.

The Lead Auditor for certification would conduct a stage 1 documentation review to check that
documentation is complete and covers all the Elements of the ISO 9001:2015 related
processes and satisfies all the requirements of the standard (this is part of the 3rd Party Audit
requirement). This can be done in two ways, by going through the documented information and
checking compliance with the standard or by going through the standard and checking
compliance in the documented information. The results and deficiencies, if found, are reported
to the auditees in writing for information and for corrective actions. This may be difficult for
organizations with little documentation.
This visit is useful for the Lead Auditor to establish a rapport with the auditees and to check that
all the areas have been identified for auditing and sufficient time has been allocated for each
activity. If the site is very large, much time may be needed to travel between areas.

In planning and conducting second party audits, customers request suppliers to provide
information to help in planning and understanding the system. This information is useful if the
auditee organization is overseas and a pre-audit visit is not economical.
The Lead Auditor then needs to develop an Audit Plan and decide the number of days required
and the number and skills and competences of the auditors needed to complete the audit. The
Lead Auditor also needs to agree the audit scope and date of audit and ensure the availability
of the auditors selected. The start and finish times and lunch time should coincide with the
auditees and any requirements for safety, such as receipt of safety instructions before entering
the site should be incorporated into the plan. Times should be arranged for the Opening and
Closing Meetings.

The audit plan is a detailed schedule of which processes/activities/areas the auditors will be
covering and when. The auditors and the auditees should be ready for the audit at the
appointed times and the auditees can carry on with their normal job when they are not required
for audit but ensure that they are present when scheduled. The Lead Auditor develops the plan
with inputs from the audit team and the auditee organization. If feasible the Lead Auditor will
hold a meeting of the team to brief them on the task and to finalize the audit plan which would
have been sent as a draft discussion document prior to the briefing meeting. Discussions will
cover the scope of the audit, the types of process they would expect to encounter, and timings.
The Lead Auditor sends the plan to the auditee organization for agreement or comment, as the
organization may wish to give input to the plan.

The Audit Plan is produced from the Business Process Flow Chart. We produce or
reproduce the business process map and identify all the areas/departments/processes and
activities within the audit scope that we need to audit (noting supporting activities such as
laboratories, Operational control, maintenance, continual improvement, objectives, and
Information control and top management). Planning establishes how much time will be needed
to effectively audit each area and helps to allocate auditor time to each area. This defines the
program timing needed to complete the audit. The team leader allocates auditors to each area
following the activity flows and available time. (Auditees may not be available during lunch, shift
changeover or after normal working hours.) Planning may be more difficult due to the eased
requirements for documentation and this may make a pre-audit site visit essential.
The audit team leader should prepare a plan for the on-site audit activities. This plan provides
necessary information to the audit team, auditee and audit client. It also facilitates scheduling
and coordination of the audit activities. The extent of detail provided in the audit plan should be
adapted to suit the size and complexity of the audit. The details may differ between initial and
subsequent audits and also between internal and external audits.

The audit plan should include, as appropriate:


a) The audit objectives and scope;
b) The audit criteria and reference documents;
c) The dates and places where the onsite audit activities are to be conducted;
d) The identification of the organizational and functional units or processes to be audited;
e) The identification of the sites, activities and management system processes that are
essential to meeting audit objectives in order to allocate appropriate resources to critical
areas of the audit including opt–outs;
f) The expected time and duration for audit on-site activities, including meetings with the
auditee’s management and audit team meetings;
g) The working and reporting language(s) of the audit;
h) The identification of roles and responsibilities of the audit team members and any
accompanying persons;
i) The audit report topics (including any methods of non–conformance grading),
j) Format and structure, expected date of issue and distribution;
k) Logistic arrangements (travel, on-site facilities etc.);
l) Matters related to confidentiality;
m) Any arrangements for audit follow-up actions.

The plan should be reviewed and accepted by the audit client and presented to the auditee
before the audit. Any objections by the auditee should be resolved between the audit team
leader, the auditee and the audit client before continuing the audit.

The audit team leader, in consultation with the audit team, should assign to each team member
responsibility for auditing specific management system processes, functions, sites, areas or
activities. Such assignments should take into account the need for auditor independence,
competence and efficient use of resources. Changes to the work assignments may be made to
ensure the achievement of the audit objectives. The audit team members should review all
relevant information related to their audit assignments and prepare any work documents
necessary for those assignments.

The audit plan is usually accompanied by a covering letter which would inform the auditees of
the audit team and any special arrangements being requested such as testing of items,
production of certain items or special projects or provision of safety equipment. Other items
such as meals, the reporting procedure and guides may also be covered.

The plan is also sent to the audit team members for their preparation. Some certification bodies
send out generic checklists; other organizations would require the auditors to produce their own
checklist. All organizations should supply the auditors with procedures or instructions for
conducting the audit.

The Lead Auditor should confirm the arrangements, including travel and accommodation, prior
to the audit with both the Auditees and Audit Team.
12.0 Guidance for the Selection and Composition of Audit Teams
The Lead Auditor is often responsible for the selection of the audit team. Auditors should be
able to meet the competence requirement criteria of ISO/IEC 17021–1:2015.

The criteria for selection of auditors should be:
• An understanding of the standard for Quality Management System;
• An understanding of industrial sector issues;
• Technical knowledge of the activities to be audited;
• Possession of the right personal requirements;
• Experience in management systems auditing;
• Availability.

Audit teams should be able to demonstrate an up-to-date knowledge of the following:
• Techniques to ensure compliance to customer requirements, including their practical
  application for that industrial sector;
• Performing Quality Management System audits;
• Relevant industrial sector guidance;
• Conversant with the legal requirements.
Composition of audit teams
Each audit team should include a minimum of a Lead Auditor (Team Leader); the team
members should be familiar with Quality Management System, applicable standards,
supporting guidance documents and possess auditing competence. As required, planning
experts with specific knowledge regarding processes will be included in the audit team to assist
the auditors; however, they would not be authorized to audit the system independently, as this
is the responsibility of the auditors.

The Lead Auditor should ensure the competence and availability of the auditors before formally
designating the audit tasks. The Lead Auditor should obtain the following:
• Authorization for the audit;
• Provisional scope and objectives;
• System Documentation Information;
• Business focus and business process plan;
• Specific Regulatory and Safety requirements;
• Evaluation of competence of auditors, supporting experts and translators;
• Name of contact, site, processes and product details;
• Any other relevant available information.

13.0 Business Process Maps, Audit Plans and Checklist Construction


13.1 Introduction

Checklists are often used by auditors as a useful tool to help them to remember all of the items
that they need to check on an audit and develop audit trails. They are also used as a record as
to the items that have been checked on the audit. They help the auditor to save time on the
audit by establishing in advance which items need to be checked. However, checklists do
take time to produce and may lead auditors to take too narrow a view.

The checklists for audits can be produced in different ways depending on the type of audit, the
scope and objectives.

The main objective in their production is to prevent important activities and requirements of the
audit standard from being unchecked during the audit and to save time.

Most checklists used by auditors consist of bullet points to remind the auditor to ask around
particular points to cover specific controls and operations. There are some auditors who like to
write down individual questions to assist them. Checklists should not act as a tick-mark list. To
investigate any part of a management system thoroughly involves asking questions and
checking the evidence that the system is fully controlled and operating effectively.

The checklist production method will depend on the selected method of audit. Audits can be
conducted on a site, on a building, on a department or on a function or aspect.

13.2 The Process Model


With this method we look at the Business Process of the organization and look at the individual
processes and support services which make up the overall process. We can then select an
individual process and analyze the inputs, process controls, and outputs including rejects,
corrective action and feedback by checking through the records.

The initial step is to map out the activities of the organization, including the support services
such as maintenance, warehousing, testing and audit.

We examine the controls that operate over the inputs, the process and the outputs. We work
through all the activities involved in the process systematically, considering set up,
maintenance and cleaning. We also consider all the applicable clauses of the standard that
need to be met within that area or function.

Once we have identified all of these items, we put them together as a checklist in the order that
we are likely or wish to encounter them in our audit. Remember to cover both the sequence of
activities in the process (in Horizontal Audit) and the responsibilities and activities required up
and down the organizational levels of the organization (in Vertical Audit). We must audit the
management, supervisors, operators and assistants or clerks through a series of audit trails
that include process inputs, outputs, and measurable interfaces, to
constructively evaluate the effectiveness of the Quality Management System.

13.2.1 BUSINESS PROCESS MAP

[Figure: business process map. Box labels, in the order they appear: CUSTOMER; DESIGN;
MARKETING; SPARE PART; SERVICES; PURCHASING; SUPPLIER; PRODUCTION; WAREHOUSE;
DISPATCH; CUSTOMER.]

• Laboratory
• Training
• Document control and records
• Management review and audit
• Corrective action and risks
• Aspect-impact identification
• Objectives and continual improvement
• Inspection, test, monitoring and analysis
• Calibration and maintenance
• Communications and legislation

[Figure: Auditing a Process. Labels: Manager; Supervisor; Operator; Clerks/Assistants;
Activity 1; Activity 2; Activity 3; Activity 4; Monitoring; Feedback.]

[Figure: Process Map. Labels: INPUTS; PEOPLE; MATERIALS; METHODS; INFRASTRUCTURE AND
ENVIRONMENT; PROCESS; OUTPUT; WASTE; CORRECTIVE ACTION FEEDBACK.]

13.2.2 Function Method


In this method we look at the particular functions, their objectives and responsibilities, and how
activities are controlled and monitored.
Examples of areas where we use this method are –
• Policy, Objectives and Resources
• Transport
• Training
• Calibration
• Contracts
• Purchasing and Supplier Controls
• Marketing
• Environment and Legal
• Individual Services
• Mock Exercise
• Continual Improvement Systems.

We allocate each control to members of the team and would expect each area to be thoroughly
investigated. Again the checklist starts at the inputs, which can be materials, information,
people and machines, looking at controls over the process, product and rejects. We again
follow the system through a logical path, our checklist reflecting the steps and the branches of
the complete system and the activities taking place at the different organizational levels. Look
particularly into the monitoring and measurement as well as validation of controls. Remember
the importance of using the ISO 9001:2015 Quality Management System Standard as a
consistent pair throughout the audit planning and conduct of the audit.
14.0 Conclusion
Planning of audits may be more difficult for organizations that have minimal procedural
documentation and pre-audit site visits may be necessary.

An audit plan should be developed covering all the system and supporting processes and
addressing all the applicable clauses of the standard.

Audit teams shall demonstrate competence in the processes being audited as knowledge of
industrial sector practice, codes, guides and legislative requirement may be required.

Cultural and language issues shall be identified and planned for.

Systems shall be identified, through appropriate business process plans with a clear
understanding of the focus of the business.

Process plans are important in the preparation of checklists.

Annexure – 1

Audit Plan for Stage 2 Audit


| Item | Details |
|---|---|
| Company | Global Chemical INC |
| Date | 10th May 2019 |
| Audit team | Auditor 1: Mr. Tony Lewis; Auditor 2: Mr. Roger Strauss |
| Standard | ISO 9001:2015 |
| Audit Scope | Research, development, manufacture and supply of Synthetic Organic Dyes |

Day 1

| Timing | Auditor 1 | Auditor 2 |
|---|---|---|
| 9.00 | Opening Meeting | |
| 9.30 to 10.30 | Managing Director / Top management – Context, Interested Parties, Leadership and Planning | |
| 10.30 to 12.30 | Determination of requirements; Legal Requirements | Purchasing/suppliers |
| 12.30 to 13.15 | Lunch (Working Lunch) | |
| 13.15 to 16.00 | Production | Marketing and Dispatch |
| 16.00 to 17.00 | Maintenance | Stores |
| 17.00 | Debrief for the Day | |
| 17.30 | End of Day 1 | |

Day 2

| Timing | Auditor 1 | Auditor 2 |
|---|---|---|
| 9.00 | Arrival at the Site | |
| 9.30 to 12.30 | Quality Control | QMS Coordinator’s Area |
| 12.30 to 13.15 | Lunch | |
| 13.15 to 14.15 | Calibration | HR and Training |
| 14.15 to 15.00 | Auditors’ discussion time | |
| 15.00 to 16.00 | Audit report preparation and compilation | |
| 16.00 | Closing Meeting | |

Annexure – 2
Audit Execution and Audit Report

1.0 Audit execution and preparation of audit report: –


Main steps of Audit execution are: –
(A) Initial meeting
(B) Data gathering and documentation
(C) Report of findings
(A) Initial meeting: –
This is a meeting with management and the responsible managers of the organization
before commencing the audit. During this meeting the audit schedule is agreed and
auditee is informed of the scope and nature of the proposed audit.
(B) Data gathering and documentation: –
The data gathering is done through observation, interviews and study of documents,
including the witness of the processes. Most documents are checked against actual
operations by questioning and wherever possible by observations also.
Findings are documented before the finalization. A meeting of the auditors is held first
with the team leader and then jointly with departmental heads and management to discuss
the findings. Then a report is made.
(C) Report of findings: –
An auditor prepares audit report by filling the formats for reporting.
2.0 Audit reporting and system effectiveness: –
2.1 General: –
The findings of an audit carried out for a department or an organization need to be documented
and reported so that appropriate corrective actions are identified and taken by the auditee.
Audit reporting involves recording the following aspects:
(A) Compliance with Management system requirements
(B) Non-conformance against Management system requirements
(C) System effectiveness
In the audit, system effectiveness is normally examined during the management reviews.
However, reports on both compliance and Non-conformances (if any) are still required.
In the Third Party Audit all the three reports are necessary. The system effectiveness is
summarized in the closing meeting by the Lead auditor.
2.2 Reporting on compliance: –
2.2.1 Compliance with the requirements of the Management system is established when details of
Audit Samples examined are documented. The details may include following:
(A) Names of persons with whom discussions were held
(B) Place where this happened
(C) Reference to process/equipment/facility relevant to the audit sample
(D) Documents examined

(E) Records verified
(F) Details of audit trails to be followed subsequently
(G) Reference to clause of the standard
(H) Reference to relevant documents used or referred to in the Management System
(I) Reference to the non–conformance report, as and when they are revealed.
2.2.2 There are distinct advantages in adopting the above practice. These are as follows:
(A) The audit findings, consisting of only the non–conformance reports, are not complete
without report on compliance.
(B) The aspects included in the audit, as well as those overlooked or missed (due to time
constraints), can be verified. Accordingly, appropriate corrective measures could be
determined.
(C) The depth of auditing, i.e. drawing representative samples, can also be revealed from the
records.
(D) The effectiveness of the Audit program in following audit trails can be assessed. In case
of the Third Party Audit, the effectiveness will apply to the audit performed by Audit
Team.
(E) The positive aspects recorded can help subsequent audit teams to be better equipped
with information on both strong and weak aspects of the area audited.
2.3 Reporting non–conformances: –
2.3.1 Non–conformance reports help the auditee in identifying corrective actions. Non–conformances
reported during the audit may be examined in subsequent reviews with the auditee. In the
closing meeting also there may be occasion to clear some of the non–conformances. Further,
prior to registration, the Accreditation Body may like to ascertain status against the outstanding
non–conformances. A similar situation may arise during a Surveillance Audit carried out after
registration.
It is therefore important that a Non–conformance Report should not give rise to any ambiguity
nor should it be subject to misinterpretation. A Non–conformance report as such should be
completed.
2.3.2 The following should be considered while raising Non–Conformance Reports:
(A) A Non–conformance is a condition adverse to Quality.
(B) A Non–conformance arises when specified requirements are violated, indicated in order
of precedence, as follows:
 Conditions of contract (with Purchaser / client)
 Quality Manual
 Procedures
 Work Instructions
 ISO 9001:2015 standard requirements
(C) A Non–conformance may arise in any of the following situations:
(I) Written procedure does not comply with requirements of ISO 9001:2015
standard.
(II) Written procedures are not implemented as described in the procedures.
(III) The practice is not effective i.e. required output is not achieved. This is applied
even when written procedures / instructions are not required by the standards.

(D) A Non–conformance report should include the following aspects:
(I) Exact observation of the facts
(II) Where was it found
(III) What was found
(IV) Why it is non–conformance
(V) Who was there–indicate designation, avoid personal identity.
(VI) Use local terminology.
(VII) Make it retrievable
(VIII) Make it helpful (only in Audit/Assessment)
(E) A non–conformance should be carefully worded and should be crisp.
(F) Seriousness of a non–conformance should be judged on the basis of the following:
(I) What could go wrong if the non–conformance remains uncorrected?
(II) What is the likelihood of such a thing going wrong?
(G) A non–conformance should be classified MAJOR in the following situations:
(I) A significant non–conformance with standard requirement.
(II) A failure of complete system.
(III) Lack of quality management system requirement.
(IV) Significant number of minor non–conformances.
(H) A non–conformance should be classified MINOR in the following situations:
(I) An isolated witnessed incident of failure to comply with a procedure or
management system requirement.
(II) Minor problems requiring attention.
2.3.3 The following should be ensured while raising non–conformance reports:
a) The Department / area where the non–conformance is noticed should be made aware
about the fact by the auditor before leaving the area.
b) While it is preferable to raise a non–conformance report, on the spot, the choice is left
to the auditor.
2.4 Reporting System Effectiveness: –
The System Effectiveness is reported to convey informed judgment of the Lead Assessor in the
Third Party Audit. As a minimum, the following need to be considered while reporting System
Effectiveness.
(A) To what extent has the documented Management system addressed the requirements
of the standard?
(B) To what extent has the documented system been put into practice?
(C) To what extent is the system in practice effective?
(D) Do the non–conformances raised indicate a particular area(s) of the supplier's
organization is (are) weak?
(E) Do the non–conformances raised indicate a particular management system(s)
requirements(s) is (are) weak?

(F) The area where greatest risk and least assurance lie in the Management system
implemented by the supplier.
(G) Kinds of failures found and their relative frequency.
2.4.1 In trying to address the above aspects, the nature of non–conformances raised along with the
report on compliance will provide sufficient inputs for forming an informed judgment on the
system effectiveness.
2.4.2 The aspects mentioned below will provide additional inputs:
(A) Frequent avoidable changes in documents
(B) Frequent customer complaints
(C) Status on corrective actions and Management Review, reflecting on management
commitment.
(D) Authority of System coordinator.

Below is the typical process flow for collecting and verifying the information:

Source of information → Collecting by means of appropriate sampling → Audit evidence →
Evaluating against audit criteria → Audit finding → Reviewing → Audit conclusion

Annexure-3:
The Auditor’s Conduct
Some of the traits an auditor is supposed to have are given below. The list is exhaustive but not
final. An auditor needs a lot of common sense in addition to the conduct listed here.
1. Look the part – Dressing smart.
2. Be calm and courteous.
3. Be punctual.
4. Be precise.
5. Be prepared.
6. Do time management.
7. Have sense of proportion – Neglect Human Errors.
8. Be honest.
9. Be human.
10. Be decisive, determined and direct.
11. Get on the job.
12. Be fair.
13. Be independent and not guided or controlled by the Audited (auditee).
14. Use your power of deduction and inferences.
15. Know who's who for effective and proper communication.
16. Be sure from all corners – sufficient evidence.
17. Discuss problems on the spot.
18. Be aware of union relationship for smooth conduct of audit.
19. Meet daily in audit team conference for cross-verification and progress control.
20. Dispense with unnecessary escorts to be effective.
21. Record Non–conformances / Non–compliances and Evidences; summarize them daily.
22. Good Guy – Bad Guy approach (two auditor team) one for the task and other for mild
approach.
23. Key trait – Be a good listener.

Tips for Trained Auditors

• Be a fact-finder and not a fault-finder.
• Look for effectiveness of system, process and approach, rather than only records.
• Keep in mind, your four key boundaries are:
   - Management system requirements
   - Company defined documents
   - Customer requirements
   - Statutory and regulatory requirements
• Follow audit methodology:
   - Interview People
   - Verify Records
   - Witness / check Process
   - Verify Process / Product Parameters
• Auditing is a sampling exercise (No auditor can check all 100% reports and
  documents.)

Tips for Interviewing People


In the process of audit, the auditor has to interview various levels of personnel in an
organization to get factual information. One gets information only when he listens.
Therefore, besides being a good interviewer, an auditor has to be a good listener first. The
following types of questions are normally used while interviewing people.
Unit Concept: WHAT / WHY / WHEN / WHERE / HOW / WHO and SHOW ME
It means a set of questions, which can be used in the given sequence as a unit followed by a
crunch question "Show me".
• Hypothetical question:
   - Let us say?
   - Suppose?
   - If this does not happen, then?
• Silent questions: Body language, silence
• Dumb question – Obvious one
• Inverse question: I am not sure, are you sure?
• Comparison question: comparing different situations or statements.
• Open-ended / close-ended / lead questions
• Begin with open-ended questions. While investigating further, use a mix of open-ended
  and lead questions and close the audit with a lead question. The key is to prefix every
  question with "are you please ...", irrespective of the level of auditee.

Annexure-4
The Auditee’s Conduct
An auditor needs to be vigilant and guard himself against the tactics that auditees
quite often use in order to hide weaknesses and prove their power before the auditors. A list of
auditee’s traits is given below:
1. Time wasters
2. The cook's tour
3. Provocations
4. Fixed ballot or loaded dice
5. The special case logic
6. The trial of strength by argument on competence
7. Insincerity – Kill him with kindness
8. Pleas for pity
9. The absentee
10. Amnesia – Let auditor forget it
11. Language barrier
12. The bribe
13. The right tactics
14. Desperation.
