Auditing - Best Practices


Fully vaccinated are you?
Staff member
This is for everyone. I would like a perspective from both sides - auditors and auditees.

What would you say are Best Practices in Auditing?

Please specify whether you are stating your ideas of Best Practices with respect to Internal vs. Second party (customer) vs. Third party (registrar) auditing.


Super Moderator
Great topic seeing as I am right now in the middle of doing some registration audits in Texas and Louisiana.

First and foremost, 1st, 2nd or 3rd party..Know the standard you are auditing to. OBJECTIVE. Get rid of your personal wishes, likes, feelings and thoughts. Have an open mind.

Third...Maintain a good sense of humor

Fourth.....Always...always...always be as polite and courteous to the least important as you would the most important person of the organization being audited.

Fifth....Look and act the part you are playing

Toodles for now from Cajun Country

Randy Stewart

Internal & 2nd Party

Both: I remind myself that the person I'm talking to is the expert in that field at that time, whether or not I have ever done that job or something similar before.

Both: Digest the conversation, review and study the pieces to see how they fit together. And always remember - 2 eyes, 2 ears, 1 mouth. Use them in the proportion that we were born with.

Both: You are dealing with a person's livelihood - their job, this is how they put food on the table for their families. Treat it with respect.

In the case of a 2nd party audit: I am the representative of my company. Even though I must have my company's best interest in mind, I may be the only or the lasting impression of what my company is. Will it be a master & servant relationship or are we really here to help.


barb butrym

Quite Involved in Discussions
awesome job guys

Great response.......I agree with everything you said

I'll try the auditee answer.


Be prepared. Know what is expected and be ready to present evidence. Don't volunteer extraneous information....but know where the auditor is heading, don't make him grovel for information hoping he will forget something.
Be proud of your system, it helps.

Ask for clarification when you are not sure what is expected/asked of you. Promote a "relationship" not a confrontation mode. Listen Listen Listen........good communication is a key factor.

Be humble but not condescending. Be prepared to show how the system works for you if unconventional methods are used...educate the auditor. Be as professional as you would expect the auditor to be.

Honesty.......the auditor probably has seen it before, don't try to hide things when caught red handed...belly up to the bar.


Best Practice vs. Standard Compliance

Throughout the process of moving from 1994 to 2000 I am always trying to get more out of the limited resources at hand by developing "best practices". Being a multi-site registration it gets expensive to send qualified personnel out to the off-site locations to conduct audits. In addition, I always want to send the best qualified person(s). Now IMHO the requirement for qualified person(s) doesn’t end with just auditing skills … it includes an understanding of the products and services being produced, the processes being used and the “know the customer” factor. With all this in mind … what is a "best practice" when assigning auditors to audit a given area/process/etc? Does clause 8.2.2 restrict me from selecting the absolute best auditor because: “Selection of auditors and conduct of audits SHALL ensure objectivity and impartiality of the audit process. Auditors SHALL not audit their own work.”

Here is my thought: I would like to train some of the managers who frequently visit these off-site locations as a course of their normal business routine to become auditors. They are by my estimation the best qualified technically because they manage the job from A to Z (they don’t do the work). They understand the processes the best and have the best “view” of what works and what doesn’t. For example, if I trained the Division Manager of division XYZ (who doesn’t work at the off-site location and therefore is not auditing his/her own work) to audit one of his/her sub-departments (for this example divisions are made up of several small departments) is this by definition a problem with “objectivity and impartiality” since the manager is responsible for the very work in the department he audited? Is it absolutely impossible for the Division Manager to be open-minded enough to conduct the audit and most likely have to report some form of nonconformance against himself? An ideal QMS should work for the benefit of the company by detecting process problems and fixing them, and if top management truly supports this concept then no manager should be “afraid to report nonconformances”. If this is true, does objectivity and impartiality become less of a concern than finding the problem and fixing it?

This seems to make good business sense which is the purpose of a well run QMS, but I also have to balance “good business sense” by smartly following the intent of the standard. Would a simple resolution be to have these managers sign a type of pledge to conduct these audits without any impartiality and to remain objective regardless of the findings? At least the signed pledge would be objective evidence that the manager completely understands the concept and has agreed to “leave any impartiality at the door” during an audit. Not living in a perfect world I know this can’t be done 100%, but is it a reasonable method to satisfy all requirements? I would like to hear from third party auditors Marc has invited to this site … as well as the regulars of course. DISCLAIMER: This is not an attempt to “lip service, cheat, or short-cut” the standard, but as always to be effective and efficient with the resources at hand and to follow the intent and spirit of the standard.

Best? practices

For auditors, it would be to develop a checklist based on the procedure, or process. Do not just rely on “canned” checklist. They are great at auditing to the standard, but do not reflect individual processes and procedures. Secondly, you should already know the answer to most questions you ask. Otherwise, you could not be sure they gave a correct answer.

For auditees…spill your guts (especially in internal audits)! This is contrary to everything we are taught, but if the intent is to improve, we really must be forthright and not hold anything back. When we “hide” things from auditors, including information, we inhibit our ability for improvement and growth.



I understand where you're coming from. Who better to audit than someone who understands? But to play devil's advocate, I'll throw out some thoughts...

1) Perhaps the one to audit should not know everything (or think he does). That leaves an open and truly objective mind. Someone who hasn't worked in the box will have a different perspective. They are able to stand away from the process and truly ask and wonder "why"? and "how"? I know I was floored when I was informally auditing one of the dept. here. Some of the things they did made no sense and the worker had no idea why it was done that way except that she was just doing it the way it was set up before she started. And no one else involved in the process ever really gave it much thought either. All they knew was that they were having problems and didn't know why. As an outsider who started with zero knowledge, I was able to see what they couldn't.

2) Doesn't "objective" mean that another reasonable person would draw the same conclusion? Any person. So a true piece of objective evidence is perhaps best identified by someone without a pre-conceived notion.

3) A manager who will have responsibility for addressing the CAR is not impartial and his/her objectivity is doubted. I would also be wary of the responses that an underling would give to his/her boss, even if removed by a couple of management levels.

I would hope that a manager would spend some time with his folks to learn what they are doing and how they are doing it, but I would not make it a part of the internal audit process. JMHO.


The Other Side

Lucinda, Thanks for the "devil thoughts". That's what I like about this forum ... you get all kinds of good input and a lot of the input makes you step back and think ... again.

David Mullins

first bite

initial response - scope needs definition.

I'd suggest breaking this down into facets of auditing and then determining best practice in each area.

Some example areas include:
arranging audits
preparing checklists
opening meetings
asking audit questions
following leads
closing meetings
report writing
reporting forms