Effective Internal Auditing To ISO 9001:2008 Presented By Munir Ahmad FCMA - MBA
Course Outline • Principles of Management System Auditing • Managing the Internal Audit Program • Planning the Internal Audit • Conducting the Internal Audit • Reporting the Audit Findings • Post-Audit Activities
Principles of Management System Auditing Why is Audit essential? • A management tool for monitoring and verifying the effective implementation of an organization’s Quality Management System • To identify areas of conformity and nonconformity against customer requirements, applicable statutory and regulatory requirements, and established planned arrangements in the QMS • To provide a systematic discipline for corrective or preventive actions if actual or potential nonconformities are found
Principles of Management System Auditing Why is Audit essential? • To provide information on which an organization can act to improve its performance (identify opportunities for continual improvements) • It is an essential part of conformity assessment activities such as 3rd party certification
Principles of Management System Auditing Internal Quality Audits are essential… … to determine, by an unbiased means and through factual information on quality performance, whether the quality system is effective in maintaining control by checking that prescribed quality objectives are being achieved and the resultant products and services meet specified customer and regulatory requirements.
Principles of Management System Auditing Likely effects on QMS of a weak IQA System • Inadequate review of the Quality Management System vs. the requirements • Conclusions are not a reliable basis for Top Management to evaluate the effectiveness of QMS implementation • Diminished support from people for the Quality Management System.
Principles of Management System Auditing Important terms and definitions: Audit A systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
Principles of Management System Auditing Audit Criteria – Set of policies, procedures or requirements used as a reference against which audit evidence is compared. Audit Evidence – Records, statements of fact or other information, which are relevant to the audit criteria and verifiable.
Principles of Management System Auditing Audit findings – results of the evaluation of the collected audit evidence against audit criteria Audit Conclusion – outcome of an audit provided by an audit team after consideration of the audit objectives and all audit findings Auditor – person with competence to conduct an audit
Principles of Management System Auditing Audit Scope – extent and boundaries of an audit; generally includes a description of the physical locations, organizational units, activities and processes, as well as the time period covered. Audit Program – set of one or more audits, planned for a specific timeframe and directed towards a specific purpose.
Principles of Management System Auditing Audit Plan – description of the activities and arrangements for an audit Auditee – organization being audited Audit client – organization or person requesting an audit Competence – demonstrated personal attributes and demonstrated ability to apply knowledge and skills
Principles of Management System Auditing Types of Audit Internal Audit • Conducted by, or on behalf of the organization itself for internal purposes and can form the basis for an organization’s self-declaration of conformity. • Also called first party audit
Principles of Management System Auditing External Audit • Conducted by any interested party (e.g. by customers or other persons on their behalf), by a regulatory body or by a 3rd party certification body • Can be conducted as combined audit, joint audit, or integrated audit
Principles of Management System Auditing • 5 Principles of Auditing 1. Ethical Conduct : the foundation of professionalism - Trust - Integrity - Confidentiality - Discretion These are essential to auditing.
Principles of Management System Auditing 2. Fair presentation : the obligation to report truthfully and accurately - Audit reports, audit conclusions must reflect accurately the audit activities. - Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee should be reported.
Principles of Management System Auditing 3. Due professional care : the application of diligence and judgment in auditing - Auditors exercise care in accordance with the importance of the task they perform and the confidence placed in them by the audit client and other interested parties. - Having the necessary competence is an important factor.
Principles of Management System Auditing 4. Independence : the basis for impartiality of the audit and objectivity of the audit conclusions - Auditors are independent of the activity being audited and are free from bias and conflict of interest. - Auditors maintain an objective state of mind throughout the audit process to ensure that the audit findings and conclusions will be based only on objective evidence.
Principles of Management System Auditing 5. Evidence-based approach : the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process. - The audit evidence is verifiable. - The audit evidence is based on available information during the audit. - Appropriate use of sampling is closely related to the confidence that can be placed in the audit conclusions.
Managing the Internal Audit Program 1. Authority for the Audit Program - granted by Top Management • Management Representative - Establish, implement, monitor, review and improve the audit program - Identify the necessary resources and ensure they are provided. - Appointed by Top Management and is a member of the organization’s management.
Managing the Internal Audit Program 2. Establishing the Audit Program • Define audit program objectives – to direct planning and conduct of audits • Define the extent of audit program – influenced by the size, nature and complexity of the organization • Define audit program responsibilities – assigned to one or more auditors who have a general understanding of audit principles and have management skills as well as technical and business understanding relevant to activities to be audited. • Determine and provide audit program resources. • Establish audit procedure(s)
Managing the Internal Audit Program 3. Implementing the Audit Program • Schedule the audits • Evaluating auditors • Selecting audit teams • Directing audit activities • Maintaining records
Managing the Internal Audit Program 4. Monitoring and reviewing the Audit Program • Monitoring and reviewing the program • Identifying needs for corrective / preventive action • Identifying opportunities for improvement
Managing the Internal Audit Program 5. Improving the Audit Program
Planning the Internal Audit • Requirements: 8.2.2 Internal Audit (ISO 9001:2008) The organization shall conduct internal audits at planned intervals to determine whether the QMS: a. Conforms to planned arrangements, to the requirements of the standard, and to the QMS requirements established by the organization, and b. Is effectively implemented and maintained.
Planning the Internal Audit 8.2.2 Internal Audit (ISO 9001:2008) An audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of the previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process.
Planning the Internal Audit 8.2.2 Internal Audit (ISO 9001:2008) Auditors shall not audit their own work. A documented procedure shall be established to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results. Records of the audits and their results shall be maintained (see 4.2.4)
Planning the Internal Audit 8.2.2 Internal Audit (ISO 9001:2008) The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include verification of the actions taken and the reporting of verification results.
Planning the Internal Audit Audit procedure should address the following: • audit program preparation • assuring auditors’ competence • assigning roles and responsibilities for auditors and audit teams • planning and conducting audits • conducting audit follow-up and corrective action verification • monitoring effectiveness of the audit program • reporting to Top Management on the overall results and achievements of the audit program
Planning the Internal Audit • Assigning the Auditors • Check availability of auditor (must be independent of area to be audited) • Brief the auditor on the objectives of the audit • Define the limits of the area to be audited • Apprise auditor of any special requirements, e.g. follow-up of corrective action, priority areas for verification, etc.
Planning the Internal Audit • Tasks of the Internal Auditor • Obtain and assess evidence in a fair manner • Preserve his independence and integrity • Be flexible to changing situations during the audit • Interact with auditees in a positive way • Add value to auditee’s process or activities • Perform the audit process fully and adhere to the audit plan • Arrive at acceptable conclusions based on audit findings and objective evidence • Stand his ground despite possible pressure of contrary views
Planning the Internal Audit • Auditor planning for each Audit • Auditor reads and understands the QMS documentation and business process • Communication with the auditee to confirm audit schedule • Preparation of the audit agenda and checklists (should reflect Plan-Do-Check-Act approach) • Auditor checks that his audit kit is complete (with audit plan, previous audit reports, forms and note pads, references, pens)
Planning the Internal Audit • Preparing the Checklist of Questions • Check which elements of the Standard apply to the area to be audited • Check key requirements in the document • Check for any problems which normally are known to occur in the process to be audited • If necessary, ask other people for advice • Refer to other previous audit checklists/reports • Sequence questions in a logical way and also to permit Plan-Do-Check-Act approach to auditing
Planning the Internal Audit • Audit Using PDCA Approach • The IQA auditor may cover the following key points: • 1. What are the key objectives for the function / process? • Are objectives, quantitative targets and programs defined? • Do they define desired outcomes of function? • Do they address customer requirements? • Do they relate to the organization’s Quality Policy? • Do they relate to the Eight QMPs? • Do they relate to legal requirements, if any?
Planning the Internal Audit • Audit Using PDCA Approach • 2. Are resources available and managed, as planned, to achieve objectives? • Is there a process for defining and allocating resources? • Are resource needs identified, adequate, accounted for? • Does this include financial, specialized skills, equipment, technology and the like?
Planning the Internal Audit • Audit Using PDCA Approach • 3. Are key activities and methods for achieving objectives identified, documented and controlled? • Are plans, procedures, formula, etc. documented? • Are process and operating criteria defined? • Are responsibilities and authorities defined?
Planning the Internal Audit • Audit Using PDCA Approach • 4. What measures are available to demonstrate achievement of objectives, and what evidence is available to demonstrate continual improvement for the function / process? • Review and assess, among others: • Process capability, equipment reliability • Waste rates, variance vs. budget and other metrics • Legal compliance (findings should be backed up by data and company records) • Performance monitoring and monitoring results; analyses • Actions taken for un-met objectives, product nonconformities, significant process deviations.
Planning the Internal Audit • Auditor’s Final Check • Notebook, writing instruments • Copy of relevant QMS documents • Copy of audit plan confirmed by the auditee • Copy of the standard (ISO 9001:2008) • Copy of Internal Audit procedure, work instructions • Copy of audit checklist, if any • Forms for audit findings/report preparation • Previous nonconformity reports for verification of effectiveness of corrective actions
Conducting the Internal Audit • The Audit Agenda • Opening Meeting • Audit Proper • Closing Meeting
Conducting the Internal Audit • The Opening Meeting • What to say during the opening meeting? • Review / discuss the following Opening Meeting agenda for the audit program, to include: • Objective and scope of audit and audit criteria • The schedule of events; other arrangements • Definition of nonconformities, major and minor • How you will report the audit results • Confidentiality of audit data • Resolve any questions and items for clarification from the auditees
Conducting the Internal Audit • The Opening Meeting • Who should attend the opening meeting? • Audit Team and Management Team to be audited • Who should preside over the opening meeting? • Chaired and managed by the Lead Auditor or Team Leader
Conducting the Internal Audit • Audit Proper • Interview the staff responsible for each task • Obtain audit evidence by: • Asking questions: inquire about task details • Observing actual task: watch the task being done • Checking records: confirm if task done is consistent with the documented procedure; cross check with what records reveal • Follow the audit trail: sequence of process steps
Conducting the Internal Audit • Audit Proper • Compare and evaluate practice against the documented QMS (conforming? At variance?) • Use checklists to guide you in completing audit • Define nonconformity where lapses of the practice against QMS documentation might be found • Record objective evidence of the NC • Confirm with the auditee the presence of NC • Point out observations; area for improvement
Conducting the Internal Audit • What key things to look for and where? • Task - work methods defined, efficiency • People - training, skills, competence and motivation • Equipment; Work Environment • identification, capability, condition, safety, sanitation • Documents / Records • identification, issue, content, correctness and distribution • retention, preservation, legibility, accessibility
Reporting the Audit Findings • The Audit Reporting Cycle • Discuss and agree on findings • Record Findings • Hold Closing Meeting • Issue Audit Report • Update Records • Agree to undertake follow-up audit, if needed • Carry out and record results of Follow-up Audit
Reporting the Audit Findings • Types of Audit Findings • Positive findings – good practice; conformities • Negative findings – nonconformities • Observations – opportunities for improvements
Reporting the Audit Findings • 2 Types of Nonconformities • Minor • A failure to meet one requirement of a clause of ISO 9001 or other reference document, or a single lapse in following the organization’s QMS. • Major • The absence or the total breakdown of a System to meet the requirements of a clause of ISO 9001 or other related documents. A number of minor NCs against one clause can represent a total breakdown and thus be considered as a major NC
Reporting the Audit Findings • The Closing Meeting • Who should attend the closing meeting? • Audit Team and Management Team to be audited • Who should preside over the closing meeting? • Chaired and managed by the Lead Auditor or Team Leader
Reporting the Audit Findings • The Closing Meeting Agenda • Thank the auditees for their time and cooperation • Commend auditees for accomplishments • Present a balanced summary; point out good points and areas for improvement • Report any nonconformity – invite the individual auditors to report their respective findings • Report the overall conclusions and recommendations • Invite comments from auditees • Resolve any inquiries, concerns • Obtain consensus from auditees on nonconformity reports (accepted) • Establish date of submission to auditor of corrective action • Reiterate confidentiality
Post-Audit Activities • What happens next? • For the concluded audit: • Agree on the corrective actions • Agree on-site follow-up audit, if necessary • Compile the audit report and submit to Top Management • Review the Audit Program • Improve the Audit Program • Prepare for the next audit
Post-Audit Activities • Follow-up Actions • Auditor verifies and evaluates corrective actions upon submission; approves, if OK • Auditor records results of verification and evaluation • Auditor escalates problems to the management, if corrective action is not completed.