Audit Criteria And Method Of Audit



Some of you can help me?
Recently, we have gone through first transition audit to ISO 9001-2000 standard. One major non-conformity raised was, in our audit procedure, we have not defined the audit criteria and method of doing internal audit. We have demonstrated that audit program takes into consideration of customer complaints/repetitive non-conformances etc. Also all our internal auditors are trained by external agency, and they know how to do the audit. Why should I tell them the method of audits? In the procedure, we have mentioned about the preparation of check list on need basis. But it is not mandatory that every auditor use the check list.

However, I could not convince the external auditor. I seek your inputs in this regard.

Thanks in advance,


M Greenaway

Hmmm tricky one.

The standard says that audit criteria and methods shall be 'defined'.

It then goes on to say 'responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records shall be defined in a documented procedure.'

Why are these two seperate sentences ? Can audit criteria and methods be 'defined' but not in a documented procedure ?

My guess is that your auditor is looking for the audit criteria and method in your documented procedure.

Strictly following the letter of the law he is incorrect.

If however he is just saying that it is 'not defined' he has a case. However if everyone appears to follow the same criteria and method you could argue that it is defined by 'custom and practice'.

This, in my opinion, is where ISO9001:2000 is weak compared to the 1994 standard in that it doesnt mandate procedural requirements. As such this kind of debate will undoubtedly be experienced by us all.


Thanks Greenway, for your comment!

Now I have to re-write the Internal Audit Procedure. Can you give me some hints, how I define audit criteria and method of audit? We talked about the use of checklist on need basis. The qualification of auditor is mentioned in our procedure. The status and the important of audit area have also been taken care of. What more to write?


Aaron Lupo

If I am understanding you, your procedure tells who has responsibility for your audit system, how the schedule is determined, how they are conducted (as far as contacting the manager of the area to be audited to set it up), how the results are reported to the responsible party and upper management, what standards you are using to do the audit, time frame for responding to issues from the audit by the responsible person, what happens if scheduled audits can’t be completed, and how they are trained. I would say that’s all you need.


Yes, in our audit procedure, we talked about audit plan, status and importance of area to be audited, selection of audit team, audit notification(name of auditor/auditee/department/time of audit/ISO clause), reporting audit finding in audit reporting form, collection of audit report, closing of audit findings, and auditor's qualification.

However, the ISO standard, specifically calls for criteria and method of audit to be defined. I feel the external auditor wants, some kind of heading, Audit criteria, and I should write something under this heading. My problem is that what I write under heading, audit criteria. Method , I understand, I shall write about the use of need base Check list etc. Though I feel making mandatory use of check list is redundant. We have been ISO certified from 1998 onwards. Our internal auditors were trained in ISO 9001-1994 standard and have carried out numerous audits. They have been trained specifically for ISO 9001-2000 standards. Why I should tell them how to do the audit?

I can close the non-conformity and send it to external auditor. However, it should not come back to me saying that closing of non-conformity is not satisfactory. That is the reason, I want inputs from this forum to re-write my procedure.




The audit criteria is basically what you are auditing against. There are various types of audit, such as system, process, product, contract, etc.

For Internal Quality Systems audits the criteria will be the same for all of them, and can be a bland statement in your auditing procedure, or a declaration on your audit reporting system.

Basically the criteria would be auditing of complaince to the requirements of ISO9001:2000 and other requirements detemined by the organisation, and to detemine the effectiveness fo the quality system.

I think your assessor is being a bit of a split ass on this one. The criteria for internal audits to ISO9001:2000 is obvious, but like you say the standard does require you to state this !!

M Greenaway (posting from home on a Saturday night - I must get a life).


Quite Involved in Discussions
Audit Criteria (9000-2000)-set of policies,procedures or requirements used as a reference. This of course is associated with planning. You must define the policies,procedures,standards to which the audit is conducted. What standard are you auditing to? What system procedures are you auditing against,of course you must audit to those mentioned in 4.2 and any others. If you had no porblem with 94,should not have none with 00


Thanks Greenaway, for your inputs!

I will make up something and send to auditor. Hope it will work.


barb butrym

Quite Involved in Discussions
don't make something up to please the auditor!!!!!! What ever you do needs to add value to your system NOT HIS AUDIT!!!!!!

Your report lists the standard and procedures/rev audited against doesn't it? then thats defining the audit criteria....thats where you define it...just say so. As for the method, your audit trail notes are the record of the method (where, who, what reviewed/ interviewed etc....). The auditor training gives you the expertise to plan and determine the method on an audit by audit basis.

its your system not the auditors!!!!!

my pet peeve, can you tell???????????

barb butrym

Quite Involved in Discussions
I just reread your initial post....A MAJOR?

Damn......A major is a total breakdown or absence of a system

You need to stand up for yourself.......
Top Bottom