I was also confused about the original question: "What am I supposed to look for, apart from continual improvement."
My "duh buzzer" went off too, I just didn't say anything about that. I instead suggested a course in auditing, because a high-quality course will cover this question as did the course I took for lead ISO 14001 auditor.
I remain confused after reading that our poster has an auditing certificate. Does this mean:
A. The course was of such poor quality that no discussion was given regarding metrics that indicate process functions, operations proceeding according to the QMS and standard, and results?
B. The QMS has no metrics in place, not having clearly defined how the system will show effects like customer satisfaction? Mr. Sharma says "Yes we do have bug tracking system in place. These are reviewed periodically by the management. Corrective actions are taken, Preventive actions are initialized. We have management and people involvement and above all we do have satisfied customers.
As continual improvement, we do have regular and better interactions with customers for midproject queries etc." yet doesn't mention how they know things are going and seems unsure about what to look for in an audit.
C. The audit program is not defined well enough to give guidance on how audits are to be conducted?
D. There is no one there that understands quality management enough to provide guidance on precisely how to ensure the system is functioning through organized checks and observations?
General comments have been made questioning why registration went through while an auditor doesn't know what to look for. This suggests there is a gap in any of three areas: metrics structure, training, or audit program structure. The reason I remain confused is that I had thought there need to be a series of at least two audit rounds prior to registration: to show the system is both functioning in accordance with, and responding to, the program. Having these rounds of audits means there should be no more need for questions like "What do I look for?"
But maybe we just have a communication problem. We needn't make a person feel bad when what he seems to want is technical insight. So let me take a step backward and respond again to the original question. As per my experience in internal auditing, I recommend you look for evidence that the system is functioning in accordance with the QMS.
1. You go through the standard's elements pragmatically and objectively, and ask yourself: "How do I know we are in compliance with the standard--what should I look for?" There should be some description, somewhere, of how the system will record its successes and failures. You plan to look at these indicators. If none exist, you ask yourself "How can I verify that the process is functioning as it should?" and take/chart some counts yourself.
2. Per a schedule of selected elements (you can't do them all at once) you examine the procedures and work instructions to familiarize yourself with the manner in which they comply with the standard.
3. You look for controlled documents being current, appropriately distributed and used.
4. You observe processes to see that they are functioning as the system describes they will within the standard's requirements. This means following work as it is being done, interviewing people and taking notes per the checklist that you have developed. You do not look for "Gotchas!" or people making mistakes. They should be observable as the lack of successes if you look for successes.
5. You check that nonconformances are being addressed in a manner that seeks to prevent the problems from reoccurring, and followed up that the "fixes" remain as durable activities or send them back into the NC loop for more attention.
6. You examine data collection to ensure the system is functioning as it claims to: how you know customers are happy; that their concerns are being addressed in a manner that resolves their concerns; that data is collected that shows trends, indicating improvements or opportunities for improvement.
7. You verify that management is reviewing the data you provide them, as well as process-indicative data and responding to it in a pattern of improvement versus firefighting.
Does this help?