The Elsmar Cove Business Standards Discussion Forums More Free Files Forum Discussion Thread Post Attachments Listing Elsmar Cove Discussion Forums Main Page

Quality Management System (QMS) Audits - Including Internal Auditing

Rendered on 1/28/05

Click here to start

Table of Contents

The Quality Audit

Did I Catch You Unaware?


An Open Source Document

Partial List Of Files In This Guide

Guide Objectives

Related 'Stuff' We'll Be Covering


Caution II

Auditing - The Program

The Goal Of An Audit

Basic Types of Audits

Audit Sub-Types

Audit Types

A Typical Audit System

Definitions: "Who"

Definitions: "What"

Phases of Auditing

The 'Standard' Four Phases

The Part People See

Quality Audit

Objective Evidence

Objective Evidence II

Reasons For Audits

More Reasons For Audits

The Audit Must Be


Auditors Are Not....

Why A Formal Audit Program?

Internal Audits

The Internal Audit

IIA's Definition Of Internal Audit

Internal Audit System Base Requirements

Internal Audit System Base Requirements

Role of the Internal Auditor

Internal Quality Auditing

PPT Slide

Compliance Audits

Compliance Audits

Compliance Audit

Compliance Audit

Systems Audits

Systems Audit

Systems Audit

Example Training System - A Support System

Process Audits

Process Audit

A Typical Series Of Manufacturing Processes

Process White Space Issues

Manufacturing Processes

Product Audits

Product Audit

Product Audit - A Brief Review

What Will YOU Will Be Auditing?

Basic Audit Focus?

Internal Audits - Focus

Reasons To NOT Address Compliance In Internal Audits

Reasons To NOT Address Compliance In Internal Audits

Reasons To NOT Address Compliance In Internal Audits

Reasons To NOT Address Compliance In Internal Audits

The Famed Document Pyramid

4.2.3 Control of Documents (4.5)

Another Document Control System

Audit Types - A Brief Review

A Quality Management System?

A Quality Management System?

ISO/QS-9000 (now IATF 16949) Quality Management System

Procedures & Systems

Many Requirements

The ISO Standards

The QS 9000 Document Origins

Documentation Hierarchy

PPT Slide

Typical Operations Flowchart

The Bottom Line

The Details

Complex Trade Relationships

An Organization As A Collection of Systems

What is a System?

System vs. Process

Systems Responsibilities

Systems Responsibilities II

The Organization as a System, Subsystems, and Processes

Systems and Subsystems

Extending Outside the Organization

An Extended System

Measures In The Extended System


What is a Process?

Examples of Processes

Quality Through Process Improvement

Significant and Critical Processes


Client's Responsibility

Auditor's Responsibility

Auditee's Responsibility

Auditor Qualifications

Education, Training & Experience

Auditor Personal Qualities

Personal Attributes

Applying Auditor Attributes

Audit Preparation

Planning The Audit

Audit Scope

The Audit Plan

Audit Failure Modes

A Second Auditor

Audit Team Assignments

Audit Frequency

QS-9000 (now IATF 16949) Requirements

ISO 9001:2000 Requirements

ISO 9001:2000 Requirements Summary

Internal Audit Schedule Example

Example Responsibilities Matrix

A Sample Compliance Audit Schedule

Check Lists

Check Lists

Check List Benefits

Check List Preparation

Check List Example

Check List Thoughts

Sample Size

Sample Size

Sample Size II

Audit Strategy

Audit Strategies

Internal Audit Strategies

Available Information

Review of Working Documents

Representative Samples

Pre-Audit Confirmation

Executing the Audit

Changes Happen

Opening Meeting

A Registrar's Opening Meeting 'Outline' I

A Registrar's Opening Meeting 'Outline' II

A Registrar's Opening Meeting 'Outline' III

A Registrar's Opening Meeting 'Outline' IV

A Typical Registrar's Finding Record

A Registrar's Opening Meeting 'Outline' V

A Registrar's Opening Meeting 'Outline' VI

Other Interpretations

Other Interpretations

Other Interpretations

Other Interpretations

Conducting The Audit

Registrar Audits

Registrar Audits II

Registrar Audits III

Audit Hints

Questions To Ask?

Taking Notes As Reference

Take Copious Notes!!!!

Taking Notes As Evidence

Avoiding Trouble

Good Auditing Practices

Keep People Informed

Bad Auditing Behavior

Expect These Reactions / Emotions

Interview the Right People

You're In The Audit Now!

Recording Nonconformances

Nonconformance Exists Because

'Standard' Nonconformance Categories

Establish The Facts

Facts About Facts

Things to Consider -- Is It Serious?

Assessing Nonconformances

Simple Nonconformance Report Form

Sample Audit Summary Sheet

The Closing Meeting

Nonconformance Reports

Writing Nonconformance Reports

Summary Content

Audit Reports

The Audit Report

Audit Report Example

Corrective Action

Corrective & Preventive Actions

Audit Follow-Up

Re-Audit Focus

Audit Records

Being Audited - Life on The Other Side Of The Fence

Being Audited

What is Controlled Documentation?

What is an Auditor?

What Will The Auditors Do?

Who Will Be Audited?

The Audit Team

Types of Audits

The Reason For Audits

What Will Happen If...

Things Everyone Must Know

Things to Do

Things NOT to Do

General Things To Know and Do

Some Typical Questions to Expect

Managers Should Think About...

Some Last Things to Think About

Good Luck!

Author: Marc Smith

Home Page:

Editable Powerpoint file available. Free!.

Acceptable Quality Level (AQL) The maximum percentage of non-conforming units in a lot or batch that, for the purpose of acceptance sampling, can be considered satisfactory as a process average.
Acceptance Number The maximum number of defective units or defects in a sample that will permit acceptance of the inspected lot.
Apprasial A form of the quality system audit, normally conducted to examine the total quality program effectiveness and implementation. An apprasial is usually conducted by a third party and reported to the highest level of management.
Assessment An estimate or determination of the significance, importance or value of something.
Attribute A characteristic or property that is appraised in terms of whether it does or does not exist with respect to a given requirement.
Attribute Inspection Inspection whereby either the product or product characteristics are classified as defective or non-defective, or the number of defects in a unit of product counted.
Audit A planned, independent and documented assessment to determine whether agreed-upon requirements are met.
Audit Program The organizational structure, commitment and documented methods used to plan and perform audits.
Audit Standard The organizational structure, commitment and documented methods used to plan and perform audits.
Audit Team The group of individuals conducting an audit under the direction of a team leader.
Auditee An organization or person to be audited.
Auditing Organization A unit or function that carries out audits through its employees. This organization may be a department of the auditee (when the auditee is a company), a client or an independent third party.
Auditor The individual who carries out the audit.
Average Outgoing Quality (AOQ) The expected quality of outgoing product following the use of an acceptance sampling plan for a given value of incoming product.
Average Outgoing Quality Limit (AOQL) For a given acceptance sampling plan, the maximum AOQ for all possible levels of incoming quality.
Batch A definite quantity of product or material produced under conditions that are considered uniform.
Calibration A comparison of an instrument or measuring device to a 'standard' of known accuracy traceable to a national or international standard in order to detect, report or eliminate by adjustment any discrepancy in accuracy of the measuring device.
Certification The procedure and action, by a duly authorized body, of determining, verifying and attesting in writing to the qualifications of personnel, processes, procedures or items in accordance with applicable requirements.
Characteristic A property that helps to identify or to differentiate between entities and that can be described or measured to determine conformance to requirements.
Client The person or organization requesting the audit. Depending upon the circumstances, the client may be the auditing organization, the aduitee or a third party.
Compliance An affirmative indication of judgement that the supplier of a product or service has met the requirements of the relevant specification(s), contract and/or regulation. Also, the state of meeting that (those) requirement(s).
Confirmation The agreement of data or information obtained from two or more different sources.
Conformance An affirmative indication or judgement that a product or service meets the requirements of relevant specifications, contract or regulation. Also the state of meeting requirements.
Contractor Any organization or person under contract to furnish items and/or services: a vendor, supplier, sub-contractor, fabricator, and sub-tier levels of these where appropriate.
Convention A customary practice, rule or method.
Corrective Action Action taken to eliminate the Root Cause(s) and symptom(s) of an existing undesirable deviation or non-conformity to prevent recurrence.
Corrective Action Request A formal document noting audit or other nonconformance finding(s) and requesting a resolution.
Defect A departure of a quality characteristic from its intended level that occurs with a severity sufficient to cause a product or service not to satisfy intended normal requirements.
Defective A unit of product or service containing at least one defect, or having several defects, that alone, or in combination, cause the unit not to satisfy intended requirements.
Deviation A non-conformance or departure of one or more characteristic(s) from specified product, process or systems requirements.
Evaluation The act of examining a process or item to some standard and forming certain conclusions as a result.
Examination A measurement of goods or services to determine conformance to some specified requirement.
Exit Meeting The meeting at the end of an audit between the auditors and the representative auditees at which time a rough draft of audit findings and observations are discussed and presented.
Finding A conclusion of importance based upon observation(s).
Follow-up Audit An audit which verifies that some corrective action has been accomplished as scheduled and determines that the action(s) are effective in preventing or minimizing recurrence.
Guidelines Documented instructions that are considered good practice but that are not mandatory.
Independence Freedom from bias and external influence.
Inspection Activities (e.g.: measuring, examining, testing) that gague one or more characteristics of a product or service and the comparison of these with specified requirements to determine conformity.
Inspection Level A feature of a sampling scheme relating to the size of the sample to that of the lot. Selection of an inspection level may be bsed upon simplicity, unit inspection cost, inspection destructiveness or lot consistency.
Inspection Lot A specific qualtity of similar units offered for inspection and subject to an acceptance decision.
Inspection Record Recorded data concerning inspection results.
Inspection, Normal See Inspection, Normal
Inspection, Reduced A feature of a sampling scheme permitting smaller sample sizes than are used in 'normal' inspection. Reduced inspection is used when experience (history) with the level of submitted quality is 'sufficiently good'.
Inspection, Tightened A feature of a sampling scheme using stricter acceptance criteria than those used in 'normal' inspection. Tightened inspection is used as a protective measure to increase the probability of rejecting lots when experience (history) shows the level of submitted quality has deterioriated.
Lead Auditor The individual who supervises auditors during an audit and serves as team leader.
Lot A defined quantity of a product or material accumulated under conditions that are considered uniform for sampling purposes.
Lot Size (N) The number of units in a lot.
Measuring and Test Equipment Any device used to measure, gage, test, inspect, diagnose or ottherwise examine materials, supplies and equipment to determine compliance with technical requirements.
Nonconforming Unit A unit of product or service containing at least one defect (at least 1 nonconformity). Also see Defective. Also see Unit.
Nonconformity A departure of a quality characteristic from its intended level or state that has a severity sufficient to cause an associated product or service not to meet a specification requirement.
Normal Inspection Inspection under a sampling plan which is used when there is no evidence that the quality of the product being submitted is better or poorer than the specified quality level.
Objective Evidence Verifiable (reproducable) qualitative or quantitative observations, information, records or statements of fact pertaining to the quality of an item or service or to the existence and implementation of a quality system element.
Observation An item of objective evidence found during an audit. Observations are not non-conformances.
Pre-Audit Meeting The introductory meeting between auditors and the representative auditees at which time the overview of the planned audit is presented.
Pre-Award Survey An activity conducted prior to a contract award and used to evaluate the overall capability of a prospective supplier or contractor. May include one or more of many elements, including quality aspects, facilities, equipment, etc.
Precision The closeness of agreement between randomly selected individual measurements or test results.
Procedure A document that specifies the method to perform an activity.
Process The particular method of producing a product or service, generally involving a number of steps or operations.
Process Average The average percent of defective or average number of defects per hundred units of product submitted by the supplier for original inspection.
Process Quality Audit An analysis of elements of a process and apprasial of completeness, correctness of conditions, and probable effeciveness.
Product A unit manufactured for a customer or a service delivered to a customer.
Product Quality Audit A quantitative assessment of conformance to required product characteristics.
Qual;ity System The organizational structure, responsibilities, procedures, processes and resources for implementing quality management.
Qualification The status given to an entity or person when the fulfillment of specified requirements has been demonstrated. The process of obtaining that status.
Quality Assurance All those planned and systematic actions necessary to provide adequate confidence that a product or service will satisfy given quality requirements.
Quality Audit A systematic and independent examination and evaluation to determine whether quality activities and results comply with planned arrangements, and whether these arrangements are implemented effectively and are suitable to achieve objectives.
Quality Control The operational techniques and activities that are used to fulfill requirements for 'quality'.
Quality Management The totality of functions involved in the determination and achievement of quality.
Quality Manual A document (typically) stating the quality policy (and other policies), quality system and quality practices of an organization. Sometimes called a Systems Manual or Quality Systems Manual.
Quality Plan One or more documents setting out the specific quality practices, resources and activities relevant to a particular product, process, service, contract or project.
Quality Policy The overall intentions and direction of an organization regarding quality as formally expressed by top management.
Quality Surveillance The continuing monitoring and verification of the status of procedures, methods, conditions, products, processes and services and the analysis of records in relation to stated references to ensure that requirements for quality are being met.
Quality System Audit A documented activity performed to verify, by examination and evaluation of objective evidence, that applicable elements of the quality system are suitable and have been developed, documented and effectively implemented in accordance with specified requirements.
Quality System Review A formal evaluation bt management of the status and adequacy of the quality system in relation to quality policy and/or new objectives resulting from changing circumstances.
Random Sampling The selection of units for a sample size (n) in such a manner that all combinations of (n) units under consideration have an equil chance of being selected.
Rejection Number The minimum number of variants or varient units in the sample that will cause the lot or batch to be designated as not acceptable.
Reliability The probability that an item will perform its intended function(s) for a specified interval under stated conditions.
Root Cause A fundamental deficiency that results in a non-conformance and must be corrected to prevent recurrence of the same or similar non-conformances.
Sample A small group of units or observations taken from a lot or batch of units or observations that serves to provide an information basis (typically statistically) for making a decision (by a statistically based prediction) concerning the lot or batch.
Sample Size (n) The number of units or observations in a sample.
Sampling Plan A statement of the sample size or sizes to be used and the associated aceptance and rejection criteria.
Specification The document that prescribes the requirements with which the product or service must conform.
Specification Limits Limits that define the conformance boundaries for an individual manufacturing unit, design or other requirement criteria or service operation.
Standard The documented result of a particular standardization effort by a recognized authority.
Standardization The act of documenting, formalizing and implementing efforts which result in an improvement (by way of conformity [standardization]) to similar or applicable methodologies, properties, processes or systems.
Survey An examination for some specific purpose. To inspect or consider carefully. To review in detail. Some authorities use the words audit and survey interchangably. Audit implies the existence of agreed upon criteria against which plans and execution can be checked. Survey implies the inclusion of matters not covered by agreed upon criteria.
Testing A means of determining an item's capability to meet specified requirements by subjecting the item to a set of physical, chemical, environmental or operating actions and conditions.
Testing A means of determining the capability of an item to meet specified requirements by subjecting the item to a set of physical, chemical, environmental or operating actions and conditions.
Traceability The ability to trace the history, application or location of an item or activity and like items or activities by means of reorded identification.
Unit Item. May be a physical item or a service.
Unit A quantity of product, material or service forming a cohesive entity on which a measurement or observation may be made.
Universe A group of populations, often reflecting different characteristics of the items or material under consideration.
Variable Inspection Inspection wherein certain quality characteristics of samples are evaluated with respect to a measurement.
Variant An item or event that is classified differently from others of its type.
Verification The act of reviewing, inspecting, testing, checking, auditing or otherwise establishing and documenting whether items, processes, services and/or documents conform to specified requirements.


The ‘Quality’ Audit
Did I Catch You Unaware?
An Open Source Document
This document is an Open Source document!
° This means it is the result of the input of may people and resources.
° This means YOU can and may participate. If you want something included or have a suggestion, please let me know. You can send some slides in e-mail. Or write me and tell me about what has not been addressed but that you believe should be addressed. If your suggestion is incorporated into the document you will be given credit in the document. You will get updates for free as long as the file is undergoing updates (rumour is I may die someday or decide to do something else with my life so I can’t really use the word forever).
° I will accept and incorporate good ‘patches’ and constructive criticism.
° Telling me of spelling errors doesn’t count, but will be very much appreciated.
° This is how we do things in hackerland; it's a combination of individual visions and collaborative synergy that makes things work. Just as it is in the Cove forums.
Partial List Of Files In This Guide
Guide Objectives
° To Develop an Understanding of What is Required of a ‘Quality’ System Auditor
° To Review the Guidelines for Auditing ‘Quality’ Systems
° To Develop Auditing Techniques
° To Utilize these Concepts through Actual Audits
° Understanding How to Respond to an Auditor
Related ‘Stuff’ We’ll Be Covering
° Understanding the General Structure of Quality Systems
° ISO 10011-1, 2, and 3 “Guidelines for Auditing Quality Systems”
• If you don’t have these, you should purchase them.
° Review Documentation Hierarchy
° Understanding Auditing Techniques
Planning Schedules
Creating Check Lists
Audit Plan
Audit Findings/Observations
Preparing Audit Reports
° Team Audits
° Whilst some of you may be using this guide for internal auditing, in general it addresses auditing as a third party just as the ASQC’s CQE (Certified Quality Auditor) course and exam does. This is to say much of the material is aimed at folks who will be dealing with companies they do not work in. This said, you will see I take a very formal approach at times. Most classes on auditing do. For example, we will talk about introductory meetings. Obviously these can be very formal and long (up to an hour or more), whilst for some companies doing internal audits the formality is very limited.
° So - as you go through the guide, recognize that the amount of formality will be dependent upon your specific situation.
Caution II
° This guide is not intended to address specific interpretation(s) of ISO 9001, QS-9000 (now IATF 16949) or any other specific standard or customer requirement. It is *assumed* that anyone auditing will have the appropriate background / experience / education in that which s/he is auditing.
° It is *assumed* that we all know you cannot audit anything you do or are responsible for. Conflict of Interest is the phrase.
Auditing - The Program
The Goal Of An Audit
To Collect
Objective Evidence
To Permit An
Informed Judgment
About The
Status Of The Systems or Product Being Audited
Basic Types of Audits
° Internal (First Party, Self)
• This type includes audits by your company employees, consultants and contractors.
° External
• Supplier Audit
F Second Party
• This is where: 1. Customer employee(s) audit your company or where 2. Your employee(s) audit a company which supplies your company with a product or service.
• Independent Organization
F Third Party - Registrar
• A customer wants an audit of your company but wants your company to pay for it.
• This type of audit is described as independent. In QS-9000 (now IATF 16949) this is not really the case.
Audit Sub-Types
° Compliance (do we comply with the standard)
• Example: Desk audit of high level systems
° System (the theory)
• Example: Audit of Document Control
° Process (the practice)
• Example: Audit of an assembly or fabrication ‘station’ (note to service industries: you DO have comparable processes)
° Product (the result)
• Example: Dock Audit
F A breakdown of the final product. Verify paperwork trail,inspection and test results, for each item of the product. Verify key characteristics meet dimensional requirements.
Audit Types
A Typical Audit System
Definitions: “Who”
° Auditor: A person who has the appropriate qualifications and performs audits.
° Client: A person or organization requesting the audit. For internal audits, this is the Management Representative.
° Auditee: An organization,facility or person being audited.
Definitions: “What”
° Quality System: The organizational structure, responsibilities, procedures, processes and resources for implementing quality management.
° Observation: A statement of fact made during an audit and substantiated by objective evidence.
° Objective Evidence: Qualitative or quantitative information, records or statements of fact pertaining to the quality of an item or service or to the existence and implementation of a quality system element, which is based on observation, measurement or test and which can be verified.
° Nonconformity: The nonfulfillment of specified requirements.
Phases of Auditing
° Planning and Preparing for the audit
° Execution of the audit plan
° Reporting the audit results
° Close out of corrective actions
The ‘Standard’ Four Phases
The Part People See
° Opening Meeting
° Collection of Information
° Record and Grade Nonconformances
° Evaluation of Number and Significance of Nonconformances
° Assessment of Compliance to Requirements
° Preparation of Findings
° Closing Meeting Review
Quality Audit
A systematic and independent examination to determine whether quality activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve the stated objectives.
One Definition
Objective Evidence
° It exists and is ‘retrievable’
° Not influenced by emotion or prejudice
° Based on observation
° Verbal or documented
° Verifiable
° May be quantitative
° Within the systems being audited
° Take Detailed Notes!!!
Objective Evidence II
Reasons For Audits
One Purpose of Audits

Is To Remove Bear Traps
More Reasons For Audits
° ISO 9001 Requires Them (QS-9000 (now IATF 16949) 4.17 and ISO 9001:2000 8.2.2)
° A Control Mechanism Used By Management
° Tool For Continuous Improvement
° Correct Nonconformities In Systems
° Helps Assure Ongoing Systems Operate As Intended And Required
The Audit Must Be
Open, Honest, and Constructive
The Person or Activity Being Audited Always Gets the Benefit of the Doubt.
° Random Basis
° Auditor Chosen
° Permission
° Factual Agreement
° Objectivity
° Be Polite
° Be Professional
Auditors Are Not….
° Inquisitors
° Fault Finders
° Rock Throwers
° Avenging Angels (Biased For or Against)
° Dishonest
° Overactive
Why A Formal Audit Program?
° To ensure the documented systems meet specified requirements.
° To ensure the documented systems are practical, understood, and followed throughout the business.
° To maintain records of audit activity including areas audited, nonconformances, and corrective and preventive actions.
Internal Audits
The Internal Audit
The Systematic Investigation
of the Intent, Implementation, and Effectiveness
of Selected Aspects of the Systems
of an Organization
or One or More of It’s Departments
IIA’s Definition Of Internal Audit
Definition according to the Institute of Internal Auditors (IIA)
J "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
J It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
Internal Audit System Base Requirements
° Documented system
• Remember 8.2.2 in ISO 9001:2000 and 4.17 in QS-9000 (now IATF 16949)
° You must have a Schedule
• Preferably 1.5 year minimum
° Effective Corrective Element
• Including An Escalation ‘Trigger’
° Verification of Corrective Action
• You CAN NOT close an audit out until the effectiveness of the corrective action is verified and validated!
° Input of results into Management Review
• This must include any specific problem areas as this is the highest level in the escalation feature of your system.
° ‘Inclusion of working environment’ (QS-9000 (now IATF 16949) )
Internal Audit System Base Requirements
There are several very important features to bear in mind:
• It is important to consider whether the identified nonconformance is a ‘repeater’ (recurrent).
• Particularly in internal auditing, disagreements arise which must be resolved by the audit program manager (or the equivalent).
• Not every nonconformance identified requires a formal corrective action.
• Some require a ‘minimum’ corrective action.
• Some require a serious, in-depth investigation following the 8-D format.
Role of the Internal Auditor
° A Catalyst
° An Interface Between Different Groups
° An Advisor
° A Reporter of Fact(s)
Internal Quality Auditing
° Is NOT a Police Force
° Is NOT an Inspection of Products
° Is NOT an Interrogation Task Force
Compliance Audits
Compliance Audits
It should be noted that, in fact, broadly speaking, every audit is, in one way or another, a compliance audit. Even a product audit is assessing conformance (compliance) against something - a drawing, an inspection sheet - something. When you see the words Compliance Auditing, you should bear in mind the context.
Compliance Audit
° A Compliance audit is typically an audit which compares a company’s defined systems against those required by the standard being audited against.
• May be extensive such as with a QS-9000 (now IATF 16949) audit, or may be a customer audit which is very limited in scope.
° Typically you look at the requirements of the standard or requirement and contrast them against the company’s systems.
° Typically a Compliance (Conformance) Audit is done as a ‘Desk’ audit. This is verification of compliance.
° When a registrar does a Quality Manual Review prior to the pre-assessment audit (usually at US$750 to US$1500), for all intents and purposes they are doing a Compliance Audit (does the manual address every line item of the standard being audited against).
Compliance Audit
Systems Audits
Systems Audit
° A Systems Audit is an audit where high level company systems are reviewed. Typically we are talking about Level II procedures which form the backbone based upon the Quality Systems Manual.
° Systems audits typically probe the interactivity (communication) of the inter-related company systems and as such often cross ‘functional’ area ‘boundaries’.
° Typical Systems Audits:
• Document Control
• Nonconformance
• Control of Measuring and Test Equipment
° Systems Audits are typically carried out in multiple departments. For example, if one decides to audit Document Control, one must audit a number of departments.
Systems Audit
Example Training System - A Support System
Process Audits
Process Audit
° A Process Audit is where the company’s procedures are validated.
° Processes are sub-parts of a system. As such, they are typically a part of a system audit.
• Process audits are almost always a part of a larger system(s) audit. This is not to say that process audits are only performed as a part of a larger systems or registration audit. An internal audit may indicate the need to perform a specific process audit, for example.
° Almost always, one or more other process(es) will interact with any given process. One very important issue to consider is the effectiveness of communications between systems and/or processes.
A Typical Series Of Manufacturing Processes
You may choose to examine 1 or more of the processes. This should be defined within the stated scope of the audit.
Remember interacting processes. The Inspection Instruction here is a possible example. It is not typically part of the manufacturing process instructions. However, some MRP and other systems do include inspection instructions.
Process White Space Issues
Manufacturing Processes
Product Audits
Product Audit
° A product audit is an assessment of the final product or service and it’s ‘fitness for use’ evaluated against the intent of the purpose of the product or service. I.e.: Does it meet requirements?
° May be performed by:
• One of your customers.
F Also see 7.4.3 in ISO 9001:2000, and 4.6.4 in QS-9000 (now IATF 16949) .
• Internally as a ‘Dock Audit’ (QS-9000 (now IATF 16949) requirement).
• Internally as ‘Final Inspection’.
° External product audits are typically oriented to a specific customer.
° In military manufacturing this used to be called ‘Source Inspection’.
Product Audit - A Brief Review
+ Product audits are most commonly done by a company on its supplier. In some product audits dimensional, electrical or other measurements may be taken. Test results may be reviewed.
+ Internal audits do not typically include product audits in and of themselves. More typically you will be reviewing the a product audit performed by someone as a function of auditing the Dock Audit Procedure.
+ QS-9000 (now IATF 16949) does have a Dock Audit requirement. See the Notes below.
What Will YOU Will Be Auditing?
Basic Audit Focus?
° Desk Audit: Are your systems compliant with the standard(s) (such as ISO/QS-9000 (now IATF 16949) ) you are auditing against?
° Desk Audit: Do your systems address customer requirements? Federal, state and local requirements?
° Floor (Process) Audit: Do employees know what procedures ‘affect’ them? Are employees following procedures?
Internal Audits - Focus
° If your situation is that of internal auditor, your company should choose a method which suits your company.
° Most internal auditing courses approximate a Lead Auditor course which focuses on compliance audits. As we know, compliance audits typically involve interpretation of compliance to ISO 9001:2000 [or other standard(s)] by the auditor. Make sure you want that level of expertise and depth.
Reasons To NOT Address Compliance In Internal Audits
° Typically, over time, compliance is determined by high level procedures. As in the ‘standard’ document pyramid, it is evident that lower level procedures - all the way to the level of work instructions and defined On-The-Job training will be compliant if they follow the higher level procedures which are supposed to be defining the parameters of the lower level documents and systems.
Reasons To NOT Address Compliance In Internal Audits
If your high level procedures are compliant, your lower level procedures ‘must’ be as well. Every time your registrar ‘visits’, it chooses a sample of your systems and verifies, among other things, compliance to the standard. Theoretically, every year they should cover every compliance element at least once. And every 3 years they are supposed to (although it appears this practice is dying) they are (were?) supposed to go through - well, essentially a ‘thorough’ (complete?) audit like the registration audit. It seems more and more registrars are admitting that the ‘3 year blowout audit’ isn’t really much more than a money maker. It doesn’t accomplish much when you’re there every 6 months to a year anyway.
Reasons To NOT Address Compliance In Internal Audits
So - your registrar and your Quality Manager should be watching your systems compliance pretty closely. Your registrar will tell you any ‘significant’ change to your quality manual has to be submitted to them for approval and may require a re-audit of the change. Your Quality Manager is internally typically the one who is supposed to be ‘watching the systems’.
Your secondary line if defense is in your document control system. Changes are supposed to be reviewed and approved by ‘appropriate’ people. In your company, who is ‘appropriate’? In many companies it’s one person. In larger companies there are typically many people who can review and approve documents.
Reasons To NOT Address Compliance In Internal Audits
The question becomes: Who can review and who can approve (yes, it can be one person who does both) new and changed procedures (systems included). And the answer is not always simple in larger companies. But again to cite the famed document pyramid, in larger companies there are layers and functional areas which address issues they are responsible for. There are supposed to be ‘suitable’ reviews and approvals.
The bottom line is no procedure, new or changed, should change compliance to standards, customer requirements or other such requirements such as legal, federal, state and local regulations. If this is not the case, your document control system, and probably other systems (e.g. Design) is (are) not compliant.
The Famed Document Pyramid
4.2.3 Control of Documents (4.5)
Another Document Control System
Audit Types - A Brief Review
A Quality Management System?
° The following slides are meant to give you an idea of different ways to look at a company. You may be looking at it from a ‘macro’ view or you may be looking at it in a ‘micro’ view.
° Remember that a company is a complex collection of interacting systems.
° Always bear in mind the Scope of the audit.
A Quality Management System?
From ISO 9000:2000
° 3.1.1: Quality: Degree to which a set of inherent characteristics (3.5.1) fulfils requirements (3.1.2)
° 3.1.2: Requirements: Need or expectation that is stated, generally implied or obligatory.
° 3.2.2: Management System: System (3.2.1) to establish policy and objectives and to achieve those objectives.
° 3.2.3: Quality Management System: Management system (3.2.2) to direct and control and organization (3.3.1) with regard to quality (3.1.1)
° 3.3.1: Organization: Group of people and facilities with an arrangement of responsibilities, authorities and relationships.
° 3.5.1: Characteristics: Distinguishing features
ISO/QS-9000 (now IATF 16949) Quality Management System
° Document What You Do
° Perform to Your Documentation
° Record the Performance as Evidence
° “Say what you do and do what you say”
Procedures & Systems
Many Requirements
QS/ISO 9001
Contract Requirements
Company System Requirements
(Policy, Procedures, Instructions)
Federal and State Regulatory
The ISO Standards
The QS 9000 Document Origins
Documentation Hierarchy
Typical Operations Flowchart
The Bottom Line
The Documented System
• vs. The Requirement(s)
F What the standard and/or other requirement states.
• vs. Objective Evidence
F What is actually happening.
The Details
Let’s Start From The Top
Complex Trade Relationships
An Organization As A Collection of Systems
What is a System?
° Collection of interacting parts functioning as a whole.
° Collection of subsystems that support the larger system.
° Collection of processes oriented toward a common goal.
° The organization as a system.
System vs. Process
° System
Pronunciation sI stEm
Definition A group of related things or parts that function together as a whole.
Example The school system in your city.
° Process
Pronunciation pra sehs
Definition A systematic sequence of actions used to produce something or achieve an end.
Example An assembly-line process.
Systems Responsibilities
This is an example of a Responsibility Matrix. (See Responsibilities_by_Dept.xls - included with this guide).
As you can see, to audit 4.2.4 you can choose from any department because all departments have records of one kind or another which require ‘control’.
Systems Responsibilities II
This is another example of Responsibilities defined for specific high level internal procedures (systems). Note that at this point there comes the question: What is a system and what is a procedure? Don’t read too much into the definitions. Procedures describe system details.
The Organization as a System, Subsystems, and Processes
Systems and Subsystems
Extending Outside the Organization
An Extended System
Measures In The Extended System
° As you go through an audit and you see links to other systems, you must be careful. Make sure you stay within the scope of the audit. I have seen auditors start to run to other departments to follow up on paperwork and such.
° If the scope of your audit is limited, don’t go running around to other departments with a “Surprise! We’re here to check out some of your paperwork to see if it agrees with ….” If you do this you WILL make enemies! If that is your intent, which it sometimes will be, then give that department or person advance notice and formally include them in the scope of the audit.
What is a Process?
° A series of operations or steps that results in a product or service.
° A set of causes and conditions that work together to transform inputs into an output.
Examples of Processes
Quality Through Process Improvement
Significant and Critical Processes
° Significant Processes
• Are processes by which the mission-essential work of the organization is accomplished.
• Contribute directly to meeting the needs and requirements of customers.
• Can be traced from output (to external customer) back to input (to the organization).
° Critical Processes
• A stage within a significant process.
• One that is deemed as most important for control and improvement.
Client’s Responsibility
° Determine the need for and the purpose of the audit and initiates the process
° Determine the auditing organization/department
° Determine the general scope of the audit, such as what quality system standard or document to audit against
° Receives the audit report
° Determine what follow-up action, if any, is to be taken, and informs the auditee of it
Auditor’s Responsibility
° Comply with applicable audit requirements
° Communicate and clarify audit requirements
° Plan the audit and carry out assigned responsibilities effectively and efficiently
° Document the observations
° Report the audit results
° Verify the effectiveness of corrective actions taken as a result of the audit
° Retain and safeguard documents pertaining to the audit:
Submitting documents as required
Ensuring documents remain confidential
Treating privileged information with discretion
Auditee’s Responsibility
° Inform relevant employees about the objectives and scope of the audit
° Appoint responsible members of staff to meet with members of the audit team
° Provide all resources needed for the audit team in order to ensure an effective and efficient audit process
° Provide access to the facilities and evidential material as requested by the auditors
° Co-operate with the auditors to permit the audit objectives to be achieved
° Determine and initiate corrective actions based on the audit report
Auditor Qualifications
° Education
° Experience
° Training
° Proficiency
° Competence
° Communication
Education, Training & Experience
° Education:
• Candidates should demonstrate competence in clear and fluent oral and in written concepts and ideas
° Training:
• Knowledge and understanding of the standards, systems and/or procedures audited
• Assessment techniques of questioning, evaluating and reporting
• Audit management audit skills such as planning, organizing, communicating and directing
° Experience:
• Candidates should have four years full-time workplace experience
Auditor Personal Qualities
° Communication Skills
° Tactfulness
° Flexibility
° Persistence
° Objectivity
° Integrity
Personal Attributes
Auditors should:
° Be open-minded and mature
° Possess sound judgement
° Have analytical skills and tenacity
° Have the ability to perceive situations in a realistic way
° Understand complex operations from a broad perspective
° Understand the role of individual units within the overall organization
Applying Auditor Attributes
Auditors should apply these attributes in order to:
° Obtain and assess objective evidence fairly.
° Remain true to the purpose of the audit without fear or favour.
° Evaluate constantly the effects of audit observations and personal interactions during an audit.
° Treat concerned personnel in a way that will best achieve the audit purpose.
° Perform the audit process without deviating due to distraction
° Commit full attention and support to the audit process.
° React effectively in stressful situations.
° Arrive at generally acceptable conclusions based on audit observations.
° Remain true to a conclusion despite pressure to change that is not based on evidence.
Audit Preparation
Preparing for the Audit
Planning The Audit
° Objective
° Scope
° Team and Leader
° Audit Duration
° Contact Company / Department(s)
° Establish Date & Time
° Check List
° Team Briefing
Audit Scope
° Compliance to requirements or company procedures?
° Entire organization? Specific area? Depth? Duration?
° The client makes the final decisions on which quality system elements, physical locations and organizational activities are to be audited within a specified time frame. If appropriate, the auditee should be contacted when determining the scope of the audit.
° The scope and depth of the audit should be designed to meet the client’s specific information needs.
° Standards or documents within the auditee’s system should be specified by the client.
° Sufficient objective evidence should be available to demonstrate the operation and effectiveness of the auditee’s quality system.
° The resources committed to the audit must be sufficient to meet its intended scope and depth.
° Stay within your scope - Do NOT wander about! (e.g. Calibration)
The Audit Plan
The audit plan is approved by the client and communicated to the auditors and auditee. Create a flexible audit plan which allows the audit team to track-down audit trails yet ridged enough to ensure on-time completion. The plan should include:
° The audit objectives and scope
° Identification of the individuals having significant direct responsibilities regarding the objectives and scope
° Identification of reference documents (ISO / QS standards, QM, SOPs, and WIs)
° Identification of audit members
° Date, expected completion time and place for the audit
° Meeting schedule for department members
° Confidentiality requirements
° Schedule of planned future audits
Audit Failure Modes
° Scope too wide for time allotted.
° Plan is too specific for time allotted.
° Sample sizes inappropriately large.
° Inadequate or no check list.
° Failure to follow check list.
° Failure to adhere to schedule.
A Second Auditor
° Impartial
° Watcher
° Listener
° Timekeeper
° Note Taker
° Corroborator
° Special Expertise
° Training
Audit Team Assignments
When assigning an auditor to a team or task, the Auditors:
• Need to be independent from the department or element. One cannot audit their own work.
The Auditor should have:
• A general knowledge of the department.
• A good knowledge of the standard requirement.
• A clear knowledge of the element or section in the quality standard.
Audit Frequency
The need to perform an audit, as well as frequency, is determined by the client.
Determining frequency should take into account:
• Results of previous audits.
• Status & Importance of the Activity.
• Specified or regulatory requirements.
• Significant changes in management, organization, policy, techniques or technologies.
• Changes to the system itself.
Internal audits may be organized on a regular basis for management or business purposes.
QS-9000 (now IATF 16949) Requirements
° Element 4.17 – Internal Quality Audits
° The supplier shall establish and maintain documented procedures for planning and implementing internal quality audits to verify whether quality activities and related results comply with planned arrangement and to determine the effectiveness of the quality system.
° Internal quality audits shall be scheduled on the basis of the status and importance of the activity to be audited and shall be carried out by personnel independent of those having direct responsibility in the activity being audited.
° NOTE: “Activity” can refer to departments, areas, processes, functions, etc. in a company.
° NOTE: There is no specified check list that MUST be used for internal auditing purposes.
° The results of the audits shall be recorded (see 4.16) and brought to the attention of the personnel having responsibility in the area audited. The management personnel responsible for the area shall take timely corrective action on the deficiencies found during the audit.
° Follow-up activities shall verify and record the implementation and effectiveness of the corrective action taken (see 4.16).
° 20 The results of internal audits form an integral part of the input to management review activities (see 4.l1.3.)
° 21 Guidance on quality system audits is given in ISO 10011.
° 4.17.1 – Internal Audit Schedules
° Internal auditing should cover all shifts and be conducted according to an audit schedule updated annually. When internal/external nonconformances or customer complaints occur, the planned audit frequency should be increased.
ISO 9001:2000 Requirements
8.2.2 Internal Audit
NOTE: There are no new requirements in Internal Audit from the 1994 version.
The company shall conduct internal audits at planned intervals to determine whether the quality management system
• a) Conforms to the planned arrangements (see 7.1), to the requirements of ISO 9001:2000 and to the quality management system requirements established by the company, and
• b) Is effectively implemented and maintained.
An audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process.
Auditors shall not audit their own work.
The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.2.4) shall be defined in a documented procedure.
The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8.5.2).
NOTE See ISO 10011-1, ISO 10011-2 and ISO 10011-3 for guidance.
ISO 9001:2000 Requirements Summary
° Internal Quality Audits are required to ensure that the quality system is working effectively and is in conformance with the ISO 9001:2000 standard. Internal Audits are a key component of your QMS, they provide a means for measuring, analyzing and improving your management system. Audits are also a very important input to the Management Review process. The accuracy, scope and reporting of the results of your internal audits are critical in enabling your management to identify the need for corrective actions and preventive action.
° The ISO 9001:2000 standard has helped to clarify the auditing requirement. ISO 9001:94 was a little vague when it called for audits to "determine the effectiveness of Quality System". The new standard now is more prescriptive, pointing to the purpose of the audit as to "determine whether the quality management system a) conforms to the requirements of this (ISO 9001:2000) International Standard, and b) has been effectively implemented and maintained." The use of check lists is still a valuable tool for auditing.
Internal Audit Schedule Example
Example Responsibilities Matrix
In the previous slide, you saw that the schedule was by department. In planning, a responsibilities matrix like this one was used to determine what, exactly, was to be audited. Take Design Engineering, for example. If you look at the column heading and follow the column down, you will see that there are quite a few maps which they are responsible for understanding and complying with.
A Sample Compliance Audit Schedule
Check Lists
° Define the Sample

° Must Be Representative
Check Lists
° Keep It Simple
° Keep to the Requirements/Facts
° Look at Something
° Look for Something
Check List Benefits
° Keeps Objective On Track
° Shows Evidence of Planning
° Maintains Pace and Continuity
° Reduces Potential Bias
° Decreases Workload and Time Requirement
° Records Audit Sample
° Exhibits Professionalism
Check List Preparation
° Organization
° Responsibility/Authority
° Qualification/Training
° Control of Documentation
° Nonconformance Control
° Calibration (if appropriate)
° Records or Other Evidence
Check List Example
Check List Thoughts
° Management
• Philosophy
• Organizational Charts
• Authority of the Quality Department
• Management commitment
• Defined quality responsibilities
Sample Size
Sample Size
Sample Size II
If you ask your registrar what sampling plan they use to determine sample size, you will find them hemmmming and hawwwwing at best. In their opening comments to your group during the meeting before the audit starts, as well as during the exit meeting, every registrar I have ever witnessed has spoken about how they ‘take a sample’ of your system and (to limit their liability) they will say that just because they did not find something that does not mean there were no nonconformities. None has ever cited a valid sampling plan, much less sample size (valid = based on something other than speculation). I guarantee they will NOT cite ANSI/ASQC Z1.4-1993 or the old standby MIL-STD-105.
Audit Strategy
Audit Strategies
° There are may ‘audit strategies’. Which you use will depend upon your personal methodology as well as the scope and intent of the audit. Take for example Up Stream and Down Stream audits: Both of these audits are simply where one starts at one end and finishes at another.
• Up Stream
F Take a packaged product ready to ship and start working backwards. You can eventually reach the purchase order for that product.
• Down Stream
F Take a request for quote or other ‘early’ document (such as a PO) and follow the process. For example, one might want to start by asking to see evidence of review of the RFQ or the purchase order. Next, let’s see the job registered in the planning system. Etc.
Internal Audit Strategies
° With internal audits there is the main issue of how your company addresses auditing. Many companies are ‘listening’ to courses and folks such as ‘The Audit Guy’ who believes internal audits should be a major experience and should address compliance to standards. This is one way to do it. I have, and continue to, argue against this method unless you are a very big company where auditors hold that as a primary job position.
° Earlier in this presentation, in the section which starts with “What Will You Will Be Auditing?”, I try to state my case for keeping standards interpretations out of internal audits.
Available Information
° Quality Manual, Procedures, & Instructions
° Management Priorities
° Quality Reports (Internal and External)
° Previous Audits
° Product/Process Information
° Auditor Experience and Knowledge
° Constraints
Review of Working Documents
° Documents to facilitate the auditor’s investigation may include:
• QS / ISO-9000 and other referenced standards relating to element
• Quality Manual, Standard Procedures, Work Instructions relating to element
• Check-lists used for evaluating ISO or QS elements (QSA);
• Forms for reporting audit observations
• Forms for documenting supporting evidence
• Corrective Action Reports generated from previous audits
° Review documentation against standards
• Document nonconformances against documentation which does not conform to standards
• Develop additional questions from documentation
• Develop list of forms used in area
Representative Samples
° What is the Department’s Function?
° What are It’s Major and Minor Functions?
° What Does the Department Do Within It’s Function(s)?
° What Does the Department Do When Things Go Wrong?
Pre-Audit Confirmation
° Make sure you give the ‘main’ auditee a ‘heads up’. Call a day or two ahead of time to confirm the audit schedule. In some cases a week might be more appropriate.
° Ensure everything is ‘on track’
• Are the auditee(s) aware of the need for them to be available?
• Is the scope of the audit understood?
• Is the expected length of the audit understood?
Executing the Audit
Changes Happen
I have never seen an audit follow a schedule rigorously. It’s in the nature of doing an audit. This is an example of a re-negotiated schedule.
Remember - Take Notes!!!
Opening Meeting
The opening meeting:
° Introduces the audit team to the department members
° Reviews the audit plan, scope and objectives for the audit
° Establishes the official communication link between department representative and audit team
° Review findings from document review
A Registrar’s Opening Meeting ‘Outline’ I
° Introduce Individuals
° “Registrar X is committed to providing qualified, competent, efficient, afforddable, and openly available third party registration and assessment services to various national and international standards in a timely manner with the highest of integrity. Registrar X’s emphasis shall be to provide its customers with the best registration and assessment services possible while helping its customers stay focused on achieving value from their quality systems.
° Accredited to ISO/IEC Guide 62
° Only approved auditors -> ISO 10011
° No Consulting
° Please sign attendance sheet
° Verify Scope and Standard(s)
A Registrar’s Opening Meeting ‘Outline’ II
° Confidentiality and Conflict of Interest
° All information and reports treated as proprietary
° Accreditation body may see reports during their audit
° No quality system consulting 24 months before and 12 months after
° Auditor agreement for each customer
° Any proprietary areas?
A Registrar’s Opening Meeting ‘Outline’ III
Audit Process
° Sampling and Objective Evidence
° Requirements are found in three and only three places;
• ISO or other standard
• Customer requirement(s)
• Internal Documentation
° Use of check list
• Look for compliance
° Management style not dictated
° Disputes, complaint, and appeal processes
° Customer expected to interpret requirements
° Services and auditors continually monitored
A Registrar’s Opening Meeting ‘Outline’ IV
Audit Process Continued
° Typical Audit Steps / Schedule
° Opening Meeting
• Introductions
• Discuss scope
• Review process
° Review prior findings
° Review of documentation
° Sample quality system
° Daily auditor meetings
° Daily debrief
° Closing meeting
• Review findings
• Present recommendation
• Audit summary sheet
A Typical Registrar’s Finding Record
A Registrar’s Opening Meeting ‘Outline’ V
Audit Process Continued
° Major Nonconformance
• The absence of, or the failure to implement and maintain, one or more required management system elements, or a situation which would, on the basis of available objective evidence, raise significant doubt as to the quality of what the registration customer is supplying. An assessment team may judge many minor nonconformities against a single quality system element to be a significant breakdown of a quality management system element.
° Minor Nonconformance
• Any other non-conformance and is normally easily corrected and verified.
° Opportunity
• Neither a major or minor non-conformance. It is used to document items that may help a customer improve.
A Registrar’s Opening Meeting ‘Outline’ VI
° Registration recommendation
° Audit team to registration manager
• To Register
F No major nonconformities
• Not to register
F Many major nonconformities
• HOLD registrtation pending corre3ctive action
F Many minors major non-conformities
F May require visit
° Completed internal audit covering all elements of quality management system
° At least one management review
° QS-9000 (now IATF 16949) and TE Supplement
° All majors and minors must be closed before recommended to register.
Other Interpretations
° A Major Nonconformity is either:
• The absence or total breakdown of a system to meet the ISO 9000 requirement.
• A number of minor nonconformities against one requirement can represent a total breakdown of the system and thus be considered a major nonconformity.
• Any noncompliance that would result in the probable shipment of nonconforming product.
• A condition that may result in the failure or materially reduce the usability of the products or services for their intended purpose.
• A noncompliance that judgment and experience indicate is likely either to result in the failure of the quality system or to materially reduce its ability to assure controlled processes or products.
Other Interpretations
From KPMG:
° A nonconformance which is of a serious nature.:
° May be a long-standing minor nonconformance from previous assessments, or a collection of similar minor nonconformances indicating a widespread problem;
° Established as detrimental to quality delivered to customers; or
° A failure or significant deficiency in a significant part of the quality system governed by applicable standards.
From LRQA:
° LRQA calls a 'major' finding a HOLD POINT. They discourage talk about 'major' and 'minor' nonconformances.
Other Interpretations
° An ISO 9001 nonconformance to that judgment and experience indicate is not likely to result in the failure of the quality system or reduce its ability to assure controlled processes or products.
° A failure in some part of the supplier's documented quality system relative to ISO 9000, or
° A single observed lapse in following one item of the company's quality system.
° From KPMG:
• A nonconformance that is not of the severity indicated by the definition of major nonconformances, above, but which must be actioned.
° From LRQA:
• LRQA calls this a Continuous Improvement point. They discourage talk about 'major' and 'minor' nonconformances.
Other Interpretations
° An observation is essentially an OPINION. Read this thread ( for some thoughts on what an observation is -- If you've never heard of a LOOK ( I hadn't), it's also discussed in the thread. This thread also has some oblique references. When I see an auditor write up an 'Observation' I ask myself this: "Is this person qualified through experience, etc. to be offering what is no more than their advice to me on my business and/or process(es)?" Double check with your registrar -- Ask what their expectations are when (if) they write up an Observation. Some say you can ignore it while others expect the Observation to be addressed in some manner. I have heard a registrar tell the client that they expected the observation to be addressed and action implemented by the next visit!
Conducting The Audit
° Arrive and Meet the Department Manager
° Explain What You Want to See/Do
° Investigate to Necessary Depth
° Satisfy the Sample Requirement
Don’t Over-sample
Don’t Assume Wrong Exists
Don’t Worry About “No Problems” Found
° Move On
Registrar Audits
° In ‘the old days’, an audit for compliance to ISO 9001 was relatively straight forward. There were stated requirements. While there were interpretative issues, the 2000 revision has blurred things quite a bit. The change is from “…show me where you address this and explain the system…” the task is now directed at “…auditing for performance…” I believe we all know how subjective this can be.
° Acquisition and use of data has gained significantly in importance. Serious emphasis is now being placed on how you evaluate and determine what and how to continuously improve. Evaluation of system effectiveness and possible ways to reduce costs are focused on.
Registrar Audits II
° I have now been through 2 registration audits to ISO 9001:2000. Each was a bit different. One was relatively focused on the stated requirements of the standard. The other was more focused upon ‘performance’.
• “How many times is a quote revised?”
• “Sometimes as many as 2 or 3 times.”
• Is that a lot? Is there any way - shouldn’t you get better or more complete information on customer needs and requirements up front so you don’t have to requote so many times? Requotes cost you money, you know. I mean, if you’re asking the right questions...”
° This went back and forth for quite a while. The auditor eventually accepted that, with consideration to the company and its products, that everything was being considered.
° This is just one example of the difference with one auditor. I have mixed feelings about the difference. With a good auditor, this should not be a serious problem. However -- it leaves open much to interpretation and is - well, it’s very close to consulting.
Registrar Audits III
° This is not meant to scare anyone. It is meant to ensure that you understand to each registrar and each auditor is setting their own ‘interpretation’ of the ‘new’ ISO 9001 is about.
° Some, like the last one I experienced, would better be called a business consulting visit than an audit. It was an analysis of what the company was doing and questioning whether their systems ‘make sense’. As with the quote process example, it was not so much does your system meet the requirements, it was more along the lines of whether the auditor agreed it was the best way to be doing something. The lead auditor was an ex-DCAS and his approach to the audit was evident.
° The second auditor was more traditional, if you will. Followed a check list and the main interest was whether they were meeting the requirements. Secondary focus was continuous improvement.
Audit Hints
° Use Your Check List As Your Guide
° Audit Trails (Potential) Will Begin To Appear
° You Will Make Many Observations. Make Decisions On Each:
• Disregard
• Note For Later Follow-Up
• Follow-Up Now
• Call In Team Leader or “Expert” Assistance
Questions To Ask?
Taking Notes As Reference
Please, Please! Take Notes!!!
• For Investigation Now
• For Investigation Later
• For Use By Other Auditors
• For Use On Future Audits
° Legibility
° Retrievable
Take Copious Notes!!!!
Taking Notes As Evidence
° Statements (Admissible)
° Document Numbers
° Item Identifiers
° Revision Information
° Names
° Locations / Places
° Dates
° Positions
Avoiding Trouble
° Give Advance Notification
• Please - No Surprises!
° Ensure Importance is Known
• This is not a drill!
° Keep Information Known
• Don’t hide anything. If you observe a potential non-conformance, discuss it first.
° Remember, Audits Cause STRESS!
Good Auditing Practices
° Ask the right person!
° Speak clearly and simply. Use ‘local’ language.
° Look at the person - in the eyes!
° Rephrase your question if the auditee doesn’t seem to know what you’re asking.
° Don’t talk down to anyone.
° Smile and be relaxed. We’re all friends!
° Be unemotional and impartial.
• Don’t get excited or fix ‘blame’.
° Avoid interrupting an auditee.
° Don’t look for trouble - Find the facts
Say Thank You!
Keep People Informed
° Review Findings Regularly
• “Everything looks good here” is a good phrase to use.
° Beat the Grapevine
° Keep It Constructive
• Criticism we don’t need!
° Show Professionalism
• Be precise, attentive, responsive.
° Create Rapport
• Make a friend!
° Include Appropriate Personnel
• Talk to all the right people.
Bad Auditing Behavior
° Asking too many questions
° Asking leading questions
° Saying you understand when you don’t
° Answering your own questions
° Giving insufficient time to answer
° Provoking an argument
° Subjective opinions
° Taking sides
° Criticizing Individuals
Expect These Reactions / Emotions
° Antagonism
° Challenging
° Diversionary
° Authority
° Enlisting Help
° Volunteering Information
° Internal Conflict
° Open and Honest
Interview the Right People
Those Responsible
• Talk to the right people. Don’t ask the inspection folks how receiving does their job.
Those Doing
• These are the people who should know.
Those Being Supplied By the Process
• You can ask those ‘down stream’ about their ‘supplier’.
You’re In The Audit Now!
° Collecting evidence
• Interviews with personnel in area
• Examination of documents related to area
• Observations of activities and conditions in area
° Document audit observations
• Document conformance
• Document nonconformance, show objective evidence and reference the standard
Recording Nonconformances
° Exact observation of facts
° Where it was found
° Why a nonconformance - cite the specific requirement
° Who was there
° Use local terminology
° Make it retrievable
° Make it helpful
Nonconformance Exists Because
° The System Does Not Comply With the Standard, Procedure or Other Requirement(s)
° Performance Does Not Comply With the System
° Performance Is Not Effective
‘ Standard’ Nonconformance Categories
° Major
• Portion of the standard not addressed
• May lead to shipment of nonconforming product
• Not isolated, consistently found such as a procedure consistently not being followed
° Minor
• ‘Significant’ number of minor nonconformances indicating system weakness
• 3 to 5 Minors in one element or procedure *MAY* make a Major - but - this is a rule of thumb for companies under 150 folks. Larger companies will typically have more minors than smaller companies. So - this is somewhat subjective.
° Finding
• Very minor problem; isolated incident
• Needs to be addressed
° Observation
• Opportunity for improvement
Establish The Facts
° Get Help From the Auditee or Others
° Discuss the Concern or Problem
° Collect All of the Evidence Available
What Did You Observe?
Why Does It Not Conform?
Who or What Is It?
Where Is It?
Facts About Facts
° Use Easily Understood Wording
° Be Able To Retrieve the Fact(s)
° Make It Constructive and Helpful
° Make It Concise and To the Point
° Be Sure It Is True and Relevant
° No Surprises or Blind-Side Attacks
° Make Sure Everyone Understands
Things to Consider -- Is It Serious?
° What Could Go Wrong In the System if the Nonconformance Is Not Corrected?
° What Is the Possibility or Likelihood of Such A Thing Going Wrong?
° Is there a possibly non-conforming product could be shipped to a customer?
Assessing Nonconformances
° Does what I have found represent a nonconformance?
° Confidence in auditor’s judgement?
° Sufficient facts?
° Critical situation?
° Isolated minor discrepancy?
° Happening too frequently?
° Too many nonconformances?
° Formal corrective action versus immediate?
Simple Nonconformance Report Form
Sample Audit Summary Sheet
The Closing Meeting
° Opening Remarks & Thanks
° Attendee List - Pass around for signatures
° Review Audit Objective & Scope
° Restrictions/Limitations
° Tell of GOOD Things You Saw
° Review of of Findings
• Listing of and Description of
PROBLEMS Identified
° Clarifications
° Agreement and Q & A
° Summary (including agreements)
° Closing & Thank You!
° Save Audit findings as Quality Records.
Nonconformance Reports
Writing Nonconformance Reports
° Be Specific
• Where
• What
F Name
F Number
• Why
F Per System
F Per Requirement
° Be Correct - Check Your Facts!
Summary Content
° Number of Nonconformances
° Nonconformance Location(s)
° Activities Where None Detected
° Most Frequent Type of Violations
° Recommendations
Audit Reports
° Audit Identification & Date
° Auditee Information
° Objective and Scope
° Audited Standard(s)
° Auditor’s Names
° Audit Schedule(s)
° Audit Check List
° Procedure References
° Personnel Interviewed
° Audit Findings / Observations
° Agreed Nonconformance(s)
° Nonconformance Reports
° Corrective Actions (If Completed)
° Summary
° Suggestions
° Approval Sign-Off
° Make Copies
° File Record
The Audit Report
• Insignificant details
• Any points not discussed
• Ambiguous statements
• Confidential information
• Auditor’s (your) opinions
Audit Report Example
Corrective Action
The Auditee responds to nonconformaties using the Corrective Action Report
The Auditee is responsible for planning, implementing, and monitoring the corrective action plan
Corrective & Preventive Actions
° Identification/Agreement of Non-conformance Detected
° Root Cause Analysis
° Schedule for Actions
Solve Problem
Implement Solution
Evaluate Effectiveness
° Re-Audit to Verify
Audit Follow-Up
° Review Corrective Action Request
° Response - When, Who, Where, & How
° Response Evaluation
° Completion of Action(s)
° Evaluation - Limited Re-Audit
° Records
° Review of Documentation
° Ensure corrective action taken
° Provide satisfactory conclusion
° Verify at next audit
Re-Audit Focus
° Spot check related previous conforming areas
° Selected areas in greater depth
° Vary re-audit to meet the needs
° Target nonconformance
Audit Records
° Reference and Date(s)
° Department/Operation/Activity
° Scope/Objective
° Auditor Name(s)
° Schedule & Check List
° Issued Nonconformance(s)
° Summary
° C.A.R. Activity
° Auditor Notes
Being Audited - Life on The Other Side Of The Fence
Being Audited
° A positive and constructive attitude toward auditing can make the exercise enjoyable for both the auditor and the auditee. Most people enjoy telling you what they know and how good they are at their job. In addition, without an air of suspicion and distrust, auditees are likely to confide concerns or suggestions that are in the company's best interest to address and not simply lay blame.
° In the course of seeking conformance, concerns or nonconformances may become evident, but it is important that everyone involved understand that the intent is to verify / validate conformance. Conclusions must be based on objective evidence, observation, interview and documents.
° If auditing is understood as a staff persecution or a 'witch-hunt,' then do not be surprised when (not if, but when) the members of your company respond with suspicion, distrust and even hostility. It is extremely important that management appreciate the purpose and principles of quality system auditing and that the auditors conduct themselves accordingly.
° The results of an audit should indicate whether the quality system is properly implemented and maintained. These results are considered by management for action as necessary.
What is Controlled Documentation?
° A controlled document is a document which, if changed, effects some part of the process or product. These can be ‘procedures’, process documents, product or part drawings (prints) or other ‘similar’ documents. Forms are typically controlled documents.
• Typically there will be one or more list(s) of master documents.
• If a controlled document is changed, a record of the change has to be made. This means there must be a History of All Changes.
• If a document is changed, people who use it must know about the change. This means there has to be a distribution list or other effective way to let everyone who uses it know the document has changed (read Communicate the changes).
• Every employee must know how to check to see if documentation they are using is the most current version.
What is an Auditor?
° An auditor is a person. Really! Their job is to validate documentation. This means they look at documentation (instructions) and make sure people are following the documentation.° Auditors go from company to company validating documentation and asking people about their documentation.
° Auditors are just people who ask questions about how you do your job.
° Auditors ask people questions about how they do their job.
What Will The Auditors Do?
° The auditors will look at written procedures and policies (verification).
° The auditors will then look at how people in the company do things. They will look to make sure each person is following written procedures and policies (validation).
° They will look at records to ensure everyone is properly completing paperwork (Examples would be SPC charts and check lists which need to be initialed and dated).
° They will look to make sure everyone is properly trained to do their job.
Who Will Be Audited?
° Absolutely Everyone whose job affects quality is subject to the audit. Which is to say Everyone!
° And the farther up the corporate tree you go, the more difficult the audit is. This is because as you go up the tree (eventually to the plant manager), job duties and responsibilities increase.
• Corporate Personnel
• Plant Manager
• Departmental managers
• Supervisors
• Engineers
• Technical personnel
• Hourly employees
The Audit Team
° When you are visited by an auditor, he/she will NOT be alone. At the very minimum, there will be:
• The Auditor
• A Company Escort - This will be someone from within Motorola GDL who knows the area and the specification well. The escort will try to provide structure to the audit and will try to help out when he/she can.
• The Area Supervisor - The area supervisor or other person directly responsible for the area will be present.
° Remember - YOU ARE NOT ALONE!
Types of Audits
° Internal Audit
An audit of internal systems and/or procedures. An internal audit is most often performed by people how directly work for the company. Many companies hire outside firms (see third party below) to perform the audits.
° External Audit
Customer Audits
Customer audits are those where a customer (or a customer representative) performs the audit. A customer audit is not ‘objective’ because the customer is intimately involved with your company (the supplier to the customer). This involvement can BIAS the audit.
° ‘Third Party’ Audits
Third party audits are like those you think of when you think of bank audits. Banks (and other financial institutions) must hire a company or person to audit their books and procedures. The company or person hired to do the audit cannot have an ‘interest’ in the business it is auditing. This is known as an ‘Independent Audit’. This is the type of audit the registration audit is!
The Reason For Audits
° Everyone is familiar with the idea of audits. One place we are all aware of audits is in the banking industry. For years, the government has required banks to submit to periodic audits by government agencies and/or external companies who specialise in auditing. Few people want to put their money in a bank where there are no controls such as periodic audits. If there are no audits, you have no way of knowing if your bank is using your money well. If the bank is not ‘using your money well’ the bank could easily fail - then you could lose all of your money.
° Audits in manufacturing industries are not new. Customer audits have been going on for years. But only recently has the idea of third party audits become reality. This is in large part due to the adoption in Europe of ISO 9000 and other international standards.
° The intent of third party audits is to provide assurance that a company complies with a standard or specification.
° Many people say that third party audits will eliminate customer audits. This has not been the case up to now in part because customers still see the need to ensure compliance to their specific requirements. Even QS 9000, specific to Ford, GM and Chrysler suppliers, does not eliminate customer audits.
What Will Happen If...
° If an auditor finds a problem, s/he will let the person being audited know immediately that a possible problem may exist. In NO case will the auditor ‘find a problem’ and not discuss it with the auditee ‘on the spot’. They always tell the auditee the suspected problem and they will ask the auditee (or other company official present) to sign a statement of fact of what was found (statement of objective evidence). The auditee should know that signing the statement is NOT an admission of a problem. It is an agreement of facts found. Whether or not it is a problem is discussed during end-of-day and final review meetings.
° If an auditor leaves your area and says nothing about a possible problem, you can be sure no problem(s) were found. Auditors do NOT report findings to management without discussing it with the personnel involved FIRST. There are no tricks. Nothing is ‘hidden’ until later.
Things Everyone Must Know
° Know what documentation affects YOU!
• You must know what documentation applies to your job and know how to check to make sure you are using the ‘latest’ version. This should have been explained to you when you were trained to do the job. If you are not sure what documentation applies to you, ASK YOUR SUPERVISOR or TRAINER before the audit.
° Know what Training you have had. If you do not know, ASK YOUR SUPERVISOR NOW! Don’t wait until the audit!
° You must follow all documentation that applies to you. If it says you do something a certain way, you must do it that way.
° You must complete all forms. If you are supposed to initial and date when you do something, the auditors will check to ensure you complete the form the way you are supposed to.
° How do you know if your equipment is in calibration? Know how to read a calibration label.
Things to Do
° Be patient. Wait for the auditor to ask a question.
° Listen closely before answering any question(s). If you are not sure you understand the question, ask the auditor to repeat it. If you still do not understand the question, tell the auditor you do not understand it. The auditor will try to better explain him/herself. Never answer a question you do not understand!
° Never say “Sometimes I....”. When you do something differently because of different circumstances, explain exactly! “When ------ happens, I...., and when +++++ happens, I ....”. Be specific.
° Always tell the Truth. Don’t ever try to hide something. You may think you are helping someone - you are not. One lie can destroy confidence. Just like in a marriage, if one spouse lies to the other and the other finds out, the relationship may be in real danger. One lie could ruin the entire audit.
Things NOT to Do
° If you do not know the answer to a question, tell the auditor that you do not know the answer. Don’t attempt to ‘fake it’. If the auditor tries to explain again and you still do not understand the question, tell him/her again that you do not understand the question. The Escort will attempt to help if this happens.
° Do NOT try to hide from the auditor. All the auditor wants is to ask you about your job and how to do it. You know your job. You can tell the auditor about as easily as you can tell anyone else.
° Do NOT try to answer a question for another person. If the question is not about the job you are doing and you know who does that job, tell the auditor who they should ask if you know.
° Do NOT try to answer a question about another job. The only question an auditor is supposed to ask is about YOUR job. If the auditor asks you a question about someone else’s job, you should answer “That is not my job.” The GDL escort or the other GDL person with the auditor must take the lead from this point.
General Things To Know and Do
° Auditors are NOT trying to test your memory. If you have to look something up in your documentation, tell the auditor. The auditor will then tell you whether to look up the information or not.
° Only answer the auditor’s question. Do NOT volunteer information. Do NOT try to ‘help’ the auditor with additional information.
° Answer with the shortest, simplest answer you can think of. If you can answer with a Yes or No, that’s all you should do.
° Don’t try to explain things unless the auditor asks you to. The auditor will ask questions to help him/her understand. Your job is to only answer questions asked.
° Do not tell stories or speculate what ‘may’ happen.
° If there is any documentation which you are using that you think or know is not correct, contact your supervisor immediately! Before the audit!
Some Typical Questions to Expect
° What is ISO 9001 (or QS 9000)?
° Who is the QS Management Representative?
° What is the quality policy? What does the quality policy mean to you?
° Does your company do a good job meeting the quality policy objectives?
° How do you know whether you are doing your job well or not?
° How do you know what to do? Tell me about your job and your duties. What are your quality responsibilities? Tell me how your job affects the quality of your product.
° What are controlled documents? What documentation do you follow (are you responsible for)? Where is it? How do you know you are using the most recent version? If your documentation says you should do something a specific way and someone else tells you to do it differently, what do you do?
° How do you know if your equipment is in calibration? What do you do if it is not? Can you explain what this calibration label tells you?
° Do you ever have problems come up? How do you handle them?
° When you find nonconforming product, what do you do?
Managers Should Think About...
° Work Instructions
• Does Every Job Have Relevant Work Instructions?
• Are Work Instructions Controlled?
• Is Each Signed & Dated?
• Who is the Keeper of a Master List & Where is it Kept?
° Hand Revisions
• Have Any Work Instructions, Visual Aids, or Other Process Documentation Been Updated By Hand?
• If So, Are They Signed and Dated?
° Equipment PMs
• Are All Equipment PMs Up To Date and to a Schedule?
° Measurement & Test Equipment
• Is All Measurement and Test Equipment Calibrated and properly Labeled?
° Defective Material
• Is Defective Material Identified and Segregated?
• Is A Defective Material HOLD Area Identified?
• Is DMR Material Dispositioned in a Timely Manner?
Some Last Things to Think About
° Employee Training
• Do You Know the Training Requirements Of Each Job Position?
• Is Each Employee Trained?
• Where Are Training Records Kept?
• Are Training Records Up To Date?
• Are People Keeping SPC Charts Trained in SPC?
• Are SPC Charts Current and Being Utilized?
• Are Trends Identified and is Corrective Action Taken?
° Work Areas
• Are Work Areas Clean, Organized and Orderly?
° Baskets, Boxes, Racks, Shelves & Other Containers
• Is Each Properly Labeled (Identified)?
• Are They Where They Are Supposed To Be?
Good Luck!

ISO 19011 - Quality and Environmental Management Systems Auditing Forum Discussions



View the Elsmar Cove Privacy Policy and Terms and Conditions