IPK College Penang

Internal Auditors Refresher

Training for ISO 9001:2015 QMS
ONG EWE LEE
23 March 2024
 • First developed from the British Standard
Development 5750 Pt 1-3 in U.K(1979)
of ISO 9000 • 1st ISO edition : Issued in 1987
series • 2nd ISO edition : Issued in 1994
• 3rd ISO edition : Issued in 2000
• 4th ISO edition: Issued in 2008
The ISO 9000
ISO 9000: 2015
family tree
• A necessary document for auditors in
providing guidance to interpret the terms
and definition during auditing
The ISO 9000 ISO 9001: 2015
• Specifies the minimum requirements for
family tree EFFECTIVE quality management system
• The only “auditing criteria” for QMS
• Only certifiable QMS by Certification
bodies
 ISO 9004: 2018
The ISO 9000 • Guidance document to improve efficiency of
family tree the QMS.
• NOT for the implementation of ISO
9001:2015 requirements.
• Not an auditable document
• To be read consistently with ISO 9001:2015
The ISO
“9000” family ISO 19011:2018
tree • International standard for auditing
standards.
• Can be use as the auditing standards for all.
Quality Management System
ISO 9001:2015
 1. Scope
2. Normative references
3. Terms and definition
ANNEX SL 4. Context of the organisation
COMMON 5. Leadership

STRUCTU 6. Planning

RE 7. Support
8. Operation
9. Performance evaluation
10. Improvement
PLAN-DO-
CHECK-
ACT
 4.1
4.2 Expectations 4.3 Scope of 4.4 Quality
4.Context of Understanding of
of interested management Management
organization the organization
parties systems System
Plan and its content

5.1 Leadership 5.2 Quality 5.3 Organizational roles,

5 Leadership Policy responsibilities and authorities
and commitment

6.1 Actions to 6.2 Quality Objectives 6.3 Planning of

6 Planning address risk and and planning to achieve changes
opportunity them

ISO 7 Support
7.1
Resources
7.2
Competence
7.3 Awareness
7.4
Communication
7.5 Documented
Information

9001:2015 Do 8 Operation
8.1 Operation
planning and
8.2 Requirements
for products and
8.3 Design and
development of products
8.4 Control of externally
provided process,

CONTENTS 8.5 Production

control services and services products and services

8.6 Release of 8.7 Control of

and service products and Nonconforming
provision services Outputs

9.1 Monitoring,
Check 9 Performance
and Evaluation
measurement, analysis
9.2 Internal
Audit
9.3 Management
Review
and evaluation

Act 10
10.1 General
10.2 Nonconformity
and corrective
10.3 Continual
Improvement Improvement Foxit PDF Reader
action
Document
VERBAL WORDS
“shall” indicates a requirement
“should” indicates a recommendation
“may” indicates a permission
“can” indicates a possibility or capability
“Note” is guidance/clarification on requirements
“Note to entry” additional information that supplements
the terminology
Key term and definition
Key term and definition
Key term and definition
Key term and definition
ISO9001 OVERVIEW
OF THE ELEMENTS
 4-
4.1 Understanding the
CONTEXT organization and its context
OF THE 4.2 Understanding the needs
and expectations of
ORGANISAT interested parties
4.3 Determining the scope of
ION the quality management
system
4.4 Quality management
system and its processes
5
LEADERSHIP
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles,
responsibilities and authorities
 6 PLANNING
6.1 Actions to address risks and
opportunities.
6.2 Quality objectives and planning to
achieve them
6.3 Planning of changes
7 SUPPORT
Clause 7.1 Resources

Clause 7.2 Competence

Clause 7.3 Awareness

Clause 7.4 Information and communication

Clause 7.5 Documented information

8 OPERATION
8.1 Operational planning and control
8.2 Requirements for products and services
8.3 Design and development of products and services
8.4 Control of externally provided processes,
products and services
8.5 Production and service provision
8.6 Release of products and services
8.7 Control of nonconforming outputs
9 9.1 Monitoring,
PERFORMAN measurement, analysis
CE and evaluation
MONITORING
9.2 Internal audit
9.3 Management review
10 IMPROVEMENT

Clause 10.1 General

Clause 10.2 Nonconformity and corrective action

Clause 10.3 Continual Improvement

 Workshop :Documented Information

In your group , identify the clauses which

contains the term “documented
information” from Clause 4- 10.
Definition, Purpose
and Focus of Audit
Definition, Purpose and
Focus of Audit
Definition :
A systematic, independent and documented
process for obtaining audit evidence and evaluating
it objectively to determine extent to which the
audit criteria are fulfilled.
Definition, Purpose and
Focus of Audit
Purpose :
To provide management with information in the
extent of conformance of QMS with specified
requirements and the need for continuing
development and improvement.
Definition, Purpose and
Focus of Audit
Focus :
Always focus on the CONFORMANCE and
opportunities for improvement
When audit is
valuable ???
• Performed at appropriate intervals
• Planned against correct criteria and methods
• Conducted by competent person
• Seen as objective and transparent
• Reported without fear or favour
 Types of Audit – Internal Audit
What is it? What’s the purpose?
Audit carried out Gather objective What benefit?
within an evidence of extent of Factual based
organization by conformance of the decision making by
members of the implementation, Management
organization. effectiveness and on the opportunities
A.k.a – suitability of the QMS and needs for
1st Party Audit continual
improvement of
QMS
 Types of Audit – Supplier Audit
What is it? What’s the purpose? What benefit?
Audit carried out by To ensure that only supplier 1. Factual based decision
members of the of known quality capability making by
organization onto are used to prevent impact to Management
supplier/vendor the quality performance on the extent of
A.k.a – caused by poor quality control required.
2nd Party Audit supplied products. 2.Establish mutually
beneficial relationship
 Types of Audit – Certification
Audit

What is it? What’s the purpose? What benefit?

Audit carried out by To provide professional 1. Truly independent
independent certification assessment of the extent of 2.Certified QMS that
bodies on an conformance with the ISO will be recognized by
organization against the 9001:2015 standard the Customers.
ISO 9001:2015
A.k.a –
3rd Party Audit
Composition of a good auditor
• Auditors with good personal attributes
• Auditors with good training
• Auditors with correct qualification
• Auditors with experience in audit
application
Personal Attributes
Analytical Open minded
and tenacity and mature

Have sound
judgement

Realistic
 •Auditors should acquire training to improve :-
•Skills to conduct an audit
Training •Knowledge of the standard requirements
 •Auditors are required to communicate and write
reports on the audit performed.
•Therefore , a basic qualification is required to
Qualification imply that the above requirement can be met i.e to
be able read, write and communicate
 • Most important component of a good auditor.
• Auditors are often asked to evaluate not only
Experience the implementation but also the effectiveness
( especially for internal audits)
General concept and phases of Audit

6Ps Proper
Planning&
Preparation
Prevents
Poor
Performance
General concept and phases of Audit

4.Reporting and
Follow up

3.Performance

2.Preparation

1.Planning
Phase 1 - Planning
•Identifying the scope of audit
•Identifying the frequency of audit
•Identifying the criteria for auditor selection
•Identifying the audit team
Phase 1 – Planning –
Audit Scope
The scope of audit must cover the following :-
• All the requirements of the ISO 9001:2015
• All area of the organization and their key
processes.
• Internal audit – 1st party audit
Phase 1 – Planning –
Audit Frequency
The frequency of audit is decided by :-
• The internal audit documented procedure on:
• How the organization determines the
frequency of internal audit
• How the organization develops an audit
program/schedule.
Phase 1 – Planning –
Audit Frequency(continued)
Basic requirement now for internal audit planning
is :-
• To ensure that all elements are audited at least
once/year and
• To demonstrate that all involved areas of the
organization is also audited.
• Processes need to be map to determine their
status and importance
 Besides the earlier consideration, 2 main
criteria should be taken into
consideration :-
Phase 1 – •Independence
Planning – • Independent of the activity under
audit
Auditor •Authority
Selection • Who audits the top management?
• Need to consider auditor’s relative
seniority when assigned to this task.
 Most internal auditors are “part – timers”.
Phase 1 – Therefore, this one time training should
not automatically equate to competence.
Planning – Internal auditor training should be viewed
Auditor as skill training and auditors are reviewed
for competence and therefore further skill
Training training may be necessary.
 Who should audit?
The internal audit team should collectively
Phase 1 – have the necessary competence relative to
the audit area or requirements.
Planning – • Experience of the area under audit
Audit Team • Knowledge of statutory or regulatory
requirements
• Skills appropriate to audit type
 Workshop –
Before, During and
After an Audit
 A.k.a Desktop review
Ensure adequacy of the documents against
Phase 2 - the standard requirement
Preparing Audit Checklist and/or Trails
Preparation Preparing the audit plan
 Intention of this phase is for the audit
team to understand :-
•The scope of the audit
Phase 2 - •Nature of the organization including
the permissible exclusions
Preparation •Individual roles and responsibilities
•The basic process approaches of the
QMS
 Ensure adequacy of the documents against
Phase 2 – the standard requirement
WHY?
Preparation • Audit team to understand the scope and
- Adequacy nature of activities in the audit area
• If inadequate, audit cannot proceed
Phase 2 – Purpose of Audit Checklist :

Preparation • To ensure that auditors do not “miss”

anything
– • Use as a reference/guide to major
requirements
Audit • To identify the objective evidence
Checklist demonstrating conformance
Phase 2 – Guide to preparation of checklist :-
• Valid
Preparation – Checklist should reflect the actual
– words and requirements of the
procedures.
Audit - Auditor’s personal preference or
methods should not be used to
Checklist define the best method/system
 Guide to preparation of checklist :-
Phase 2 – • Traceable :-
Preparation • Contain x references to procedures
or documents and sections of the
– procedures
• Important and time saving when
Audit validity of the issue is question or
issue is too ambiguous.
Checklist
Phase 2 – Guide to preparation of checklist :-
• Complete :-
Preparation • Checklist helps auditors to
“trigger” questions…….
– • Should also include “answers” to
Audit the questions to demonstrate
conformance
Checklist
 Phase 2 – Preparation –
Audit Checklist
Example of a Bad Checklist :-

Ref. Audit Item Evidence

5.2 Top management shall
establish, implement and
maintain a quality policy

This is a standard requirement, not the organization’s approach to the

standard requirement.
 Why do we need them?

Phase 2 – • For time management and common

Preparation understanding with the auditee
• Relevant personnel required for the
– audit interview can be made available.
Audit Plan/ • For cross checking for completeness of
the audit and agreement with the
Schedule auditee.
 Contents of the audit plan
Phase 2 – •Dates of the audit
Preparation •Identification of audit team members

– •Scope and standard applicable

•Allocation of auditor to audit area
Audit Plan/
Schedule
  Conducting the Opening meeting
 Auditing the implementation of
standard requirements through :-
 Sampling of objective evidence via
Phase 3 - interviews, observation & analysis

Performance  Conducting audit team reviews

 Conducting final audit team
conclusion
 Determining & Reporting
Nonconformance (NCR)
Phase 3 –
Performance Purpose :
•To open communication channel between
-Opening the audit team with the auditee
organization
Meeting
 Step to conduct an Opening Meeting :
 Introduction of the audit team members

Phase 3 –  Explaining the purpose of the audit

 Confirming the scope of the audit
Performance  Explaining the methodology of the audit

-Opening  Explaining the Nonconformity

 Confirm the audit plan
Meeting  Confirm provision of guides and facilities
 Complete the meeting attendance record
 To be an effective auditor , the following
issues must be effectively applied by the
auditor :
Phase 3 – • Audit Psychology

Performance • Questioning techniques

• Sampling techniques
–Audit • Auditing Objective Evidence

performance • Auditing Effectiveness of Process

Approach by Cross Checking
• Audit team meetings
 During audit , auditee would be “under
pressure” to do well in the audit and is
Phase 3 – often quite stressed/tensed.

Performance Auditors should be able to recognize this

situation and deal with it through the
– auditor’s personal attributes such as :-
•Interpersonal skill
Audit •Analytical skill
Psychology •Communication skill
•Crisis Management skill
 Auditors’ greatest tools :-
Phase 3 – •Questioning, Listening & Observation

Performance While questioning the auditee, avoid :-

•Confusion
– •Communication breakdown
Questioning •Wasting time
Phase 3 – Performance –
Audit Questioning
Type of questions :-
• Open – Questions designed to extract
information from auditee. a.k.a probing
questions.
• Close – Questions designed to direct or focus on
a certain topic. Usually yields a “yes”
or “no” answer a.k.a directional
questions.
Phase 3 – Performance –
Audit Sampling
• An audit cannot be a 100%!!!!!
Difficult issue then is
• HOW MUCH IS ENOUGH????
General guidance :
The depth & amount of sampling is proportional to
• Criticality of the activity
• Level of knowledge
 Phase 3 – Performance –
Objective Evidence
Paper ( PAST)
Shows implementation that matches
with PRESENT

PRESENT ( Process)
Current compliance with
procedure

FUTURE ( People )
People involvement and
understanding of the procedures
 Phase 3 –
Performance
–
Audit The golden rule is :-
Effectiveness “Always cross check and verify …..never assume”.
of Process Effective means the implementation results of the
achievement of own quality goals.
Phase 3 – Performance –
Audit Effectiveness of Process

The Effectiveness of the systematic PROCESS model

can be established by identifying :-
• How was the need first established?
• How was the expectations passed to the receiving
user?
• How was the output reviewed confirmed or
amended?
Phase 3 – Performance –
Audit team meetings
Important for audit team to use this
meeting platform to discuss about
cross checking and verifications
Lead auditor can use this meeting to :-
• Monitor overall progress vs plan
• Identify complicated areas or delays
• Monitor performance of auditors and
re direct auditors for further support.
 Auditors must be able to understand the
different implication of the terminology to
avoid confusion and misrepresentation of
the audit statements
Phase 3 –
Determining • What is non compliance ?
& Reporting • It is a non fulfillment of a legal requirement.
NCR
What is then a
nonconformance?
 What is a non conformance ?
Phase 3 – It is a non fulfillment of a specified
Determining requirement.
- Product nonconformance
& Reporting
- Process nonconformance
NCR
- Management system nonconformance
 Example :
In a production area an auditor notices that an
Phase 3 – automatic machine, the operation of which is
covered by a documented work instruction, is
Determining being operated at pressure settings outside of the
indicated limits. These pressure settings are critical
& Reporting to the quality of the product. The work instruction
specifies that the setting shall be checked and
NCR reset at start of each day and these have been
done.
How would the auditor report this?
 Answer # 1:
“Automatic machine are being operated
outside of prescribed settings”
Phase 3 –
Determining
No , because it is a process NC
& Reporting statement
NCR
 Answer # 2:
“Product quality critical parameters of the
Phase 3 – product are being adversely affected by the
operation of equipment set outside of the
Determining prescribed pressure settings”
& Reporting
NCR No , because it is a Product and
Process NC statement
 Answer # 3:
“The implementation of daily checks of
Phase 3 – operating equipment pressure settings, as
Determining described within the documented work
instruction for the activity , is not effective”
& Reporting
NCR YES , because it is a SYSTEM NC
statement
Phase 3 – Determining &
Reporting NCR
A NCR must include the basic information :-
• Identification or reference to the basic
requirement/clause to which the NCR is raised.
• The objective evidence of the nonconformance
• The area or location of where the NCR was
identified.
• The classification of NCR – Major/Minor
Phase 3 – Determining &
Reporting NCR
Conducting a Closing Meeting :-
• Restating the audit objectives and
thanking the auditee organization
• Restating the scope of the audit
• Presenting/reporting the conformance
and nonconformance identified
• Explain the close out routines
• Completing the attendance records.
Workshop :Audit Performance
In your group, prepare a checklist to audit the
ISO 9001:2015 requirements on Clause 5.2
Policy
Phase 4 – Reporting &
Follow up
• Reporting to top management is to
provide a complete record of the overall
audit activity
• Report both the conformance and if any ,
the non conformance
• Auditee to follow-up on the NCR
• Auditor to close out the NCR.
Phase 4 – Reporting &
Follow up
For an internal audit , the time scales for
follow up and close outs are usually defined
in the Internal Audit documented
procedure.
Typical timeframes ranges from 30 days – 60
days .
If an organization fails to respond to NCR ,
the audit team leader will have to report
the matter to the appropriate authority.
Phase 4 – Reporting &
Follow up
Audit Reporting:-
•Written report provides the organization with a
comprehensive record of the audit activity.
•Provides the top management with a record which
can be used for future references such as
corrective actions and management reviews.
Phase 4 – Reporting &
Follow up
Content of an audit report:-
•Names of contact personnel audited
•Date of the audit
•Audit team members
•Standard applied
•Summary of audit methods
•Extent of Conformance with ISO Standard
•Summary of any NCR findings
•Initial conclusions and recommendations
 Phase 4 – Reporting & Follow
up

Auditor identifies Audit Team Management

Audit Team issue
NC confirm Accept

Management Management Management Management

notify Revise Correct Investigates

Auditor Auditor N
Accept
Receives Reviews

Y Auditor
Close Out
GOOD LUCK!!!!
 Workshop-

Task : In your group , review the audit process and

identify the audit activities required for
below stages:-
a) Before Audit
b) During Audit
c) After Audit

Time Limit : 30 mins

 Workshop-
BEFORE DURING AFTER
Review previous audit Conduct Opening meeting Conduct Closing
result for audit plan Meeting
consideration
Communicate approved Conduct audit as per audit plan Followup and review
audit plan to management NCR reply from auditee
and all concerned parties
Brief audit team members Gather audit evidence and Verify for NCR closure
on their audit assignments evaluate objectively for audit
criteria fulfilment

Review internal document Prepare and issue out NCR Issue audit report for
to prepare checklist and Audit team meeting Management Review
Time Limit : 30 mins