document 32 auditor handbook - iso certification 9001...

Document 32 Auditor Handbook

Upload: vokhue

Post on 31-Jan-2018


Page 1: Document 32 Auditor Handbook - ISO Certification 9001 ...imsworld.org/.../uploads/2015/10/Doc-32-Issue-7-Auditor-Handbook.pdf · 15 Audit Reporting for ISO and BS Standards ... IMS

Document 32 Auditor Handbook


Auditor Handbook

Doc 32 / Issue 7 Page 1 of 47

Table of Contents

1 Introduction to IMS International
2 Scope of Activities
3 Definitions
4 Quality Policy
5 Environmental Policy
6 Health and Safety Policy
7 Equal Opportunities Policy
8 Organisational Structure
9 Accreditation Standards
10 Overview of Audit Process
10.1 ISO 9001:2015 Transition Process
10.1.1 Transition Stages
10.1.2 Staged Approach
11 Auditor Requirements
11.1 General
11.2 Competence
11.3 Confidentiality and Impartiality
11.4 Anti-Bribery
11.4.1 Introduction
11.4.2 Policy
11.4.3 Gifts and hospitality
11.5 Communicating with the Client Remotely
11.6 Policies and Procedures
11.7 Observers
11.8 Guides
12 Auditing Techniques
12.1 Auditing Principles
12.2 Questioning Sequence
12.3 Auditing Practice
12.4 Questioning Techniques
12.5 Process Approach
12.6 Three Year Audit Programme
12.7 Audit Planning and Preparing Audit Plans
12.8 Opening Meetings
12.9 Closing Meetings
12.10 Communication during the Audit
12.11 Collecting and Verifying Audit Evidence
12.12 Identifying and Recording Audit Findings
12.13 Effectiveness of Corrective Actions
12.14 Preparing Audit Conclusions
12.15 Use of IMS and UKAS Logo
12.16 Annex SL
13 Audit Stages
13.1 Scope of Certification
13.2 Documented Management System
13.3 Initial Certification Audit
13.3.1 Stage 1 audit
13.3.2 Stage 2 audit
13.4 Determining period between stages and Back to Back Audits
13.5 Outcome of Audit
13.6 Auditing Multi-Site Organisations
13.7 Reassessment
13.8 9001:2015 Changes in Terminology
13.8.1 Documented Information
13.8.2 Risks & Opportunities
13.8.3 Externally Provided Products and Services
13.8.4 Leadership and Commitment
14 Evaluation of Compliance
15 Audit Reporting for ISO and BS Standards
16 Audit Reporting for Aerospace Scheme
17 Certification Review
18 Corrective Action Plans and Objective Evidence
19 Auditor Feedback
20 Certification Cycle
21 Mobile Phones
22 Document Revision History


1 Introduction to IMS International

IMS Reliance Ltd (Trading as IMS International) offers a worldwide, non-bureaucratic, and continually developing range of assessment and certification services. The company has been built on an ethos of customer focus, and takes pride in its friendly, flexible and professional approach. IMS Reliance Limited is a company limited by shares and registered in England (number 08065841). All issued shares are owned by private individuals, as logged at Companies House.

2 Scope of Activities

IMS International is accredited by UKAS (Registration Number 078) for certification of various schemes over a wide range of scope areas, as detailed in its Schedule of Accreditation. In 2002 IMS also became the first company worldwide to be accredited for the MAC Scheme by the Marine Aquarium Council (Registration Number 001). In addition to assessment and certification activities against accredited schemes, IMS can also provide other 3rd party assessment, and where appropriate registration, to other normative standards and/or customer requirements. Design and Development of new and existing schemes is covered by this management system. IMS does not undertake any other activities or offer any other services outside this scope.

IMS are currently accredited by UKAS to provide certification to ISO 9001:2008, ISO 14001:2004, OHSAS 18001:2007, AS9100 Rev C, AS9120 Rev A, ISO 27006

3 Definitions

Certified Client - Organisation whose management system has been certified

Impartiality - Actual and perceived presence of objectivity

Management system consultancy - Participation in designing, implementing or maintaining a management system

Third party certification audit - Audit carried out by an auditing organisation independent of the client and the user, for the purpose of certifying the client’s management system

Client/Auditee - Organisation whose management system is being audited for certification purposes

Auditor - Person who conducts an audit

Competence - Ability to apply knowledge and skills to achieve intended results

Guide - Person appointed by the client to assist the audit team

Observer - Person who accompanies the audit team but does not audit

Technical area - Area characterised by commonalities of processes relevant to a specific type of management system

Audit Objective - The Audit objectives describe what is to be accomplished by the audit and includes determination of conformity of a client’s management system, or parts of it, with audit criteria, evaluating the ability of the management system to ensure the client organisation meets applicable statutory, regulatory and contractual requirements and the evaluation of the effectiveness of the management system to ensure the client is continually meeting its specified objectives and identification of areas for potential improvements of the management system.

Audit Criteria - The Audit criteria is used as reference against which conformity is determined and includes the requirement of a defined normative document on management systems and the defined processes and documentation of the management system developed by the client.

Audit Scope - The Audit scope describes the extent and boundaries of the audit, such as physical locations, organisational units, activities and processes to be audited.

Audit Programme - An Audit programme is a programme established for the full certification cycle and will be used to clearly identify the audit activities required to demonstrate that the client’s management system fulfils the requirements for certification to the selected standard(s) or other normative document(s)

Audit Plan - An Audit plan is established for each audit identified in the audit programme to provide the basis for agreement regarding the conduct and scheduling of the audit activities


4 Quality Policy

It is the aim of IMS International to provide a friendly, flexible, high quality service that meets or exceeds the requirements of our customers in every respect. We will strive to achieve this by:

Getting to know our customers, and understanding what is important to them;

Developing our systems and practices to better meet our customers’ needs;

Dealing with customer queries promptly and efficiently;

Developing an ethos that is both friendly and professional;

Reducing bureaucracy for our customers, whilst maintaining high levels of accountability and traceability;

Being flexible and remembering that each customer has their own individual requirements;

Ensuring our fees are as competitive as possible;

Delivering a value-added service in audits and all other dealings with customers;

Continually developing our staff and auditors in order to maintain a highly competent and motivated team;

Continually reviewing our system, processes and procedures to identify opportunities for improvement and to continually improve the effectiveness of our Management Systems

Ensure our systems meet the requirements of ISO 17021, AS9104 and all other legislation applicable to the effective operations of the company

This policy defines our commitment to quality, is known and understood by all within our company, and provides the philosophy upon which all our services are planned, developed and monitored.


5 Environmental Policy

It is the aim of IMS International to continually strive for reduced emissions and impacts on the environment. We will strive to achieve this by:

Planning audits together in order to reduce travel requirements;

Seeking technological advances within the business in order to reduce the volume of paper generated and energy consumed;

Recycle inks, paper, cardboard and plastics within the office;

Manage our energy usage;

Ensure legislative requirements are maintained ensuring we remain legally compliant;

Using localised auditors where possible;

Ensuring staff are fully trained and aware of our commitments to the environment and how their role has an effect on our objectives;

This policy defines our commitment to the environment, is known and understood by all within our company and provides the philosophy upon which all our services are planned, developed and monitored.


6 Health and Safety Policy

It is the policy of IMS International to recognise and accept its management responsibilities as an employer to prevent injury and ensure a healthy, safe working environment for all its employees. The company also accepts its statutory duties to conduct its undertaking in such a way so as to ensure that persons not in its employment, who may be affected by its working activities, are not exposed to risks to their health and safety.

Our statement of general policy is:

To provide adequate control of the health and safety risks arising from our work activities.

The partners accept their legal responsibility for the health and safety of visitors to their premises and for other people who may be affected by the company’s activities.

To consult with our employees on matters affecting their health and safety.

To provide and maintain a safe working environment.

To provide information, instruction and supervision for employees.

All employees must similarly play their part in protecting their own and their colleagues’ safety.

To ensure all employees are competent to do their tasks, and to give adequate training.

When working at a client’s premises you must comply with the client’s detailed rules regarding health and safety at work.

To prevent accidents and cases of work-related ill health.

To review and revise this policy as necessary at regular intervals.


7 Equal Opportunities Policy

Statement of policy

1. We recognise that discrimination is unacceptable and although equality of opportunity has been a long standing feature of our employment practices and procedure, we have made the decision to adopt a formal equal opportunities policy. Breaches of the policy will lead to disciplinary proceedings and, if appropriate, disciplinary action.

2. The aim of the policy is to ensure no job applicant, employee or worker is discriminated against either directly or indirectly on the grounds of race, colour, ethnic or national origin, religious belief, political opinion or affiliation, gender, marital status, sexual orientation, gender reassignment, age or disability.

3. We will ensure that the policy is circulated to any agencies responsible for our recruitment and a copy of the policy will be made available for all employees and made known to all applicants for employment.

4. The policy will be communicated to all private contractors reminding them of their responsibilities towards the equality of opportunity.

5. The policy will be implemented in accordance with the appropriate statutory requirements and full account will be taken of all available guidance and in particular any relevant codes of practice.

6. We will maintain a neutral working environment in which no employee or worker feels under threat or intimidated.


8 Organisational Structure

[Organisation chart: IMS Reliance International Ltd. Box text as extracted; reporting lines between boxes are not preserved.]

Board of Directors

Global CEO: Michael Venner

Global Operations Manager: Martin Graham

Global Business Developments: Graham O’Geran

Global Certification Manager: Michael Venner

Certification Secretary: James O’Geran

Auditors

Regional Management Representatives: SIMS

Operations Co-ordinator: Charlotte Mellor

Impartiality Committee

Business Developments Administrator: Leanne Ferris

Certification Officers

Finance Manager: Les Gray

Finance Administrator: Tracey Claydon

9 Accreditation Standards

ISO 17021-Requirements for Bodies Providing Audit and Certification of Management Systems

AS9104-Requirements for Aerospace Quality Management System Certification Programmes

AS9101- Audit Requirements for Aviation, Space, and Defence Organizations

IAF MD1-Certification of Multiple Sites Based on Sampling

IAF MD2-Transfer of Accreditation Certification of Management Systems

IAF MD3-Advanced Surveillance and Recertification Procedures

IAF MD4-Computer Assisted Auditing Techniques

IAF MD5-Duration of QMS and EMS Audits

IAF MD11-Audits of Integrated Management Systems

ISO 19011-Guidelines for Quality and Environmental Management Systems Auditing

EA-7/04-Legal Compliance as part of Accredited ISO 14001 Certification

EA-7/05-Application of ISO 17021 for Combined Audits

IAF ID9 – Transition Planning Guidance for ISO 9001:2015


10 Overview of Audit Process

The flow chart below shows the overall process for auditors carrying out audits for IMS International. Stages within this process are detailed further in this document. Scheme Documents for specific schemes, e.g. AS 9100, ISO 9001, ISO 14001 & BS 18001 may detail additional or alternative requirements.

[Flow chart: audit process for Stage 1, Stage 2, Surveillance or Reassessment audits, with columns for Responsibilities and Supporting Inputs. Box text as extracted; the sequence and connections between boxes are not preserved.]

Responsibilities shown: Administration; Operations Manager; Auditor; Auditee

Supporting inputs shown: See sections in this Guidance Document; See Guidance Document

Auditor Appointment Acknowledgement/PO (Form 3)

Receive AAA, sign and return to IMS within 48 hours

Receive and review previous audit report and CAP’s if applicable

Receive client’s Documented Management System from IMS

Document Review required? (Yes / No)

Send completed document review report to IMS

Prepare and send to IMS appropriate completed audit plan (Form 4)

Refer Auditee to IMS Website for guidance on completing

Undertake Audit

Complete appropriate audit report form

Where required, auditee sends corrective action plan and evidence to IMS Admin

IMS manages certification process

Auditee informed of outcome

Audits to be planned and undertaken in accordance with IMS requirements and provisions of ISO 19011 and AS9104 (Aero)


10.1 ISO 9001:2015 Transition Process

The final draft of the standard (FDIS 9001:2015) was released in July 2015 and the Final Version (ISO 9001:2015) is planned for release on the 15th September 2015. After the release date, organisations currently certified to ISO 9001:2008 will have three years in order to transition to the new version. IMS will cease offering ISO 9001:2008 to new clients 18 months after the release of the standard.

Clients will be required to inform IMS of when they plan on transitioning to the new revision of the standard. Letters requesting transition requirements will be sent out and followed up at six monthly intervals until they have all been received. When received, the client requested transition will be added to the client database against that client’s name; this will aid in the planning process.

Prior to scheduling of each transition audit after the release of the standard, the client will be issued a Transition Preparation form (Form 80) which will obtain information as to the level of documentation the client has prepared for the transition. Not all clients will have their system documented in as much detail as previous versions of the standard; we expect that most clients transitioning will keep a level of documented procedures. Form 80 will help to gain an understanding of the client’s documented system.

When the Transition Preparation form is returned, a contract review is performed following Procedure 3, taking into consideration the type of next planned audit (surveillance or reassessment) and adding some additional time as per the table below:

Transition Time Allocation

| Employee Numbers | Documented | Not Documented |
|---|---|---|
| 0-10 employees | ¼ Off or onsite | ¼ onsite |
| 11+ | ½ Off or onsite | ½ onsite |

Should an organisation have part of their system documented such as procedures, this shall not be considered as documented. For the system to be considered documented, an organisation would need to have 75% of the items identified on Form 80 documented. When the contract review has been completed, a quotation shall be issued to each client detailing the requirements for transition.


10.1.1 Transition Stages:

Off-Site Document Review: As the new standard requires less documentation than previous versions, it is not expected that a document review is necessary, however, when an organisation has provided documented evidence prior to the assessment a review shall be completed accordingly. Sufficient notes shall be taken as per normal procedures with specific reference to the areas below:

Context of the Organisation

Risks and Opportunities

Effectiveness Measures

Scope and Applicability

Procedures updated

Competencies and Knowledge

Interested Parties

Legal and Regulatory Requirements

Key Processes within organisation

The notes shall be maintained and followed up with the client during the onsite assessment.

On-Site Assessment: Additional time has been allowed for the transition to the new standard as per above. Some of this may be performed offsite as per above, but will always be followed up with the client during the onsite assessment. This will be to verify the content provided and challenge certain areas such as the risks and mitigations. After suitable evidence has been collated during the assessment, any findings shall be raised as per normal procedures and comments made against all of the specific requirements within the new standard as per the audit report template. A recommendation for or against transition shall be made, which may include submittal of additional evidence to support the requirements. Until the deadline of the transition, clients would be able to retain ISO 9001:2008 until clearance of any outstanding non-conformances against ISO 9001:2015.

Certification Decision: When the audit report has been completed and any non-conformances closed out by the auditor, the report pack will go for certification review/decision as per normal procedures. Specific attention shall be paid by the certification officer to the comments made within the audit report regarding transition to ISO 9001:2015. The certification officer shall indicate whether or not transition has been granted.


Certificate Issue: Certificates shall be issued as per normal procedures but the original certification cycle maintained. The same certificate number shall be utilized as per the current certificate and the logos remain valid.

10.1.2 Staged Approach

It is common for organisations to gradually implement changes to the new standard during their cycle and to not formally apply for transition to the new version. Additional time has not been provided for this process to look at specific parts of the new standard but during the natural process of auditing some areas would be audited. For example, objectives would be reviewed as part of ISO 9001:2008 and therefore a review of the organisation’s preparation to meet ISO 9001:2015 objective requirements can be made. The same would apply for management review, internal audits and other areas of ISO 9001:2015 which are already included within ISO 9001:2008 but with amendments.

Any findings raised against the new version of the standard can be raised as observations within the audit report. Non-conformances can only be raised should the client be transitioning to the new version. Areas which cannot be formally reviewed would be risk management, context of the organisation and scope and applicability.

11 Auditor Requirements

11.1 General

Before undertaking any audit for IMS, an auditor must provide the following:

Supply a copy of their C.V. and all relevant / supporting certificates to IMS to enable identification of competent scope areas;

Complete Form 30, Auditor Competence Record;

Complete Scope Review forms and Related Bodies Risk Declaration;

Read the IMS Quality Manual, Quality Policy and relevant IMS Scheme Documents;

Read IMS Auditee Guidelines;

Read Auditor Handbook;

Read IMS procedures for certification, confidentiality and auditor training (Proc 6, Proc 7 and Proc 11);

Sign the (Sub) Contractor Agreement / Auditor Agreement (as applicable).


11.2 Competence

All auditors and technical experts used by IMS are regularly monitored, including via observed assessments and post audit reviews, to ensure continued competence and to identify training needs. The procedure for this is set out in Proc 11. Auditors are also required to keep IMS informed of any training they undertake independently, and to provide copies of certificates as appropriate.

All auditors will be required to have read ISO 19011 (the guidelines for QMS and/or EMS auditing), and to have passed an IRCA-registered lead auditor course, or other relevant training programme. IRCA registration is desirable, though not essential.

Competence requirements for auditors and technical experts have been defined for all technical areas in which IMS provides certification services. All auditors and technical experts used by IMS have been assessed in terms of their competence for each technical area, and auditors and technical experts are assigned with reference to this. Any concerns of auditors regarding their competence assessment, or their competence for any specific assignment should be referred to IMS Head Office.

Auditors for schemes other than ISO 9001 will also need to satisfy any scheme-specific requirements as detailed in the relevant IMS Scheme Document.

11.3 Confidentiality and Impartiality

Auditors are required to ensure that any information gained as a result of work undertaken for IMS International is not disclosed to any third party unless such information is public knowledge, or disclosure is required by law. This includes all and any information relating to IMS International, the auditee or the auditee’s customers, their associates or any other associated or interested party. IMS International’s procedures, documentation and software are protected by copyright and should not be shared with unauthorised parties.

When signing the Auditor Appointment Acknowledgement (AAA) for an audit, auditors must make known any matter that could compromise their impartiality or objectivity. In particular, auditors should not have carried out any consultancy work for the client in the previous three years.

Further information regarding your obligations regarding confidentiality and impartiality may be found in the (Sub) Contractor (Doc 12) / Auditor Agreement (Doc 21) (as applicable).


11.4 Anti-Bribery

11.4.1 Introduction

Bribery is a criminal offence. The Company prohibits any form of bribery. We require compliance, from everyone connected with our business, with the highest ethical standards and anti-bribery laws applicable. Integrity and transparency are of utmost importance to us and we have a zero tolerance attitude towards corrupt activities of any kind, whether committed by IMS International employees or by third parties acting for or on behalf of IMS International.

11.4.2 Policy It is prohibited, directly or indirectly, for any employee or person working on our behalf to offer, give, request or accept any bribe i.e. gift, loan, payment, reward or advantage, either in cash or any other form of inducement, to or from any person or company in order to gain commercial, contractual or regulatory advantage for the Company, or in order to gain any personal advantage for an individual or anyone connected with the individual in a way that is unethical. If we suspect that you have committed an act of bribery or attempted bribery, an investigation will be carried out and, in line with our disciplinary procedure where appropriate, action may be taken against you which may result in your dismissal, or the cessation of our business arrangement with you. If you, as an employee or person working on our behalf, suspect that an act of bribery or attempted bribery has taken place, even if you are not personally involved, you are expected to report this to IMS International. You may be asked to give a written account of events.

11.4.3 Gifts and hospitality We realise that the giving and receiving of gifts and hospitality as a reflection of friendship or appreciation where nothing is expected in return may occur, or even be commonplace, in our industry. This does not constitute bribery where it is proportionate and recorded properly. No gift should be given, nor hospitality offered, by an employee or anyone working on our behalf to any party in connection with our business without receiving prior written approval from IMS International. Similarly, no gift or offer of hospitality should be accepted by an employee or anyone working on our behalf without receiving prior written approval from IMS International. With the exception of reasonable business entertainment such as occasional meals and drinks, a record will be made of every instance in which gifts or hospitality are given or received.

11.5 Communicating with the Client Remotely We expect auditors to communicate with the client throughout the audit process which includes remote communications by telephone and email. Auditors shall be courteous at all times and follow all IMS procedures and policies. When communicating via email, many of you will use personal email addresses which is permitted. We prefer you to use the IMS issued email address and use the remote email access system (Outlook Web Access) but this is not mandatory. Should you use your own personal email addresses, you shall not use any signatures or information within the email that could promote your own consultancy business (if applicable), or any other associated businesses. This is a breach of accreditation requirements and is considered as a breach of impartiality which is taken very seriously. You do not need to use an IMS specific signature, but if you wish to use this then please contact the office who will issue the signature template.

11.6 Policies and Procedures

IMS issue a number of additional policies and procedures outside of this document. You will be required to abide by all issued documentation at all times.

11.7 Observers The presence and justification of observers during an audit activity shall be agreed to by IMS International and the client prior to the conduct of the audit. The audit team shall ensure that observers do not influence or interfere in the audit process or outcome of the audit. Observers can be members of the client’s organisation, consultants, witnessing accreditation body personnel, regulators or other justified persons. Observers are not to influence the outcome of an audit. Audit team members are to prevent observers that are consultants from answering questions or otherwise interfering in an audit. When performing the audit and an observer is answering questions or becoming too involved within the audit, the auditor shall instruct the observer to cease answering questions and to remind them they are an observer and should not take part in the audit in this way. If the observer persists, then contact the IMS Head Office for further instructions where someone from the management team shall contact the client directly. It is often the case that organisations will sub-contract out their internal auditing process to external sources such as Consultants. This is not necessarily an issue, but auditors must ensure that the internal audit process is being performed independently and impartially. The Quality Representative within an organisation where consultants are employed to perform the audits should either review and approve the audits of the internal audit process or perform that audit themselves. This should help to maintain impartiality and independence within the client’s organisation. As with observers, you should ensure that any external resource used by the organisation does not interfere with the audit process and that the audit is focused on the organisation and its system and not the external resource.

11.8 Guides

Each auditor shall be accompanied by a guide, unless otherwise agreed to by the audit team leader and the client. Guide(s) are assigned to the audit team to facilitate the audit. The audit team shall ensure that guides do not influence or interfere in the audit process or the outcome of the audit.

12 Auditing Techniques

12.1 Auditing Principles

Ethical conduct – auditors should always act in a professional manner and with the highest integrity, being able to provide trust, confidentiality and discretion.

Fair presentation – an obligation to report truthfully and accurately the audit findings, including the positive aspects and any inadequacies and non-conformities due.

Professional care – reasonable care in all audit activities and completeness in reporting the findings and presentation of the audit report. Auditors should always remember the importance of their task and the reliance that the client and other interested parties place on the audit being carried out correctly.

Independence – audits should be independent of any influences which may affect the objectivity. Auditors should be independent of the activity being audited, free from bias and conflict of interest.

Evidence based approach – all conclusions reached should be supported by objective, verifiable evidence. Such conclusions are based solely on the sample of evidence taken; differences of opinion should be resolved.

The application of these principles gives an audit the following distinctive characteristics: audits are objective, systematic and independent and produce information on which management can act to improve its operations.

12.2 Questioning Sequence

In asking questions on a particular process or activity, try and follow the PDCA sequence to ensure they are not only DOING the process but also MEASURING the process performance for improvement. When related to auditing, PDCA may apply as follows:

PLAN – ask how the process or activity is planned including, where appropriate, the objectives and plans to meet the objectives.

DO – ask how it is performed – what – who – how etc. and what records are kept. You should always focus on the records as these provide the evidence of implementation. This part can be thought of as the “mechanics” of the audit.

CHECK – ask how the process or activity is evaluated – what checks are in place etc., e.g. look at inspection & test results or audit results, as these are principal sources of information on the performance of the product (service) and process.

ACT – ask about what action is taken if there is a problem and / or to achieve improvement – are there any recent improvements in the process or activity?

Auditors use three basic information gathering techniques when conducting an audit, i.e.:

Asking questions

Listening

Looking (including reviewing of documents, records and at the process / environment)

12.3 Auditing Practice

A checklist can be used as a guide only, and to keep the audit on track. You must reach positive conclusions (e.g. OK; NC; OBS) on all points. This will usually lead to audit trails. All conclusions must be supported by objective evidence. All evidence must be appropriately identified, e.g. numbers, locations etc. Verbal evidence on its own is not acceptable; it must be cross-checked with appropriate documentary evidence. However, verbal comments on their own can open up another audit trail.

Things to avoid:

Too many YES / NO answers. These will result from you asking “CLOSED” questions.

The guide, or others, answering the questions instead of the person you are auditing at the time – unless it is purely for clarification or unless it suits your purpose. If there is such interference you will need to politely and diplomatically move the line of questioning back to the auditee.

Conflict situations occasionally break out, especially when someone is trying to blame someone else for an NC that you have identified. One or other of the parties in the conflict may turn to you – the auditor – for support. DO NOT GET INVOLVED – try and calm the situation and refocus the audit. However, a note should be made of the situation in case there are elements of the conflict that may require further investigation.

Accepting answers at face value without probing and challenging the integrity of the system. Remember to ask the “what if” questions.

Things to do:

Record fully the conduct of the audit. Make notes as you go, recording all evidence sampled, e.g. purchase order number; fire extinguisher location; report dates etc. It is good practice to make a note of the identity of the evidence before examining it. Some examples are:

Write down the PO number before examining the purchase order;

Write down the location and type of the fire extinguisher before checking the maintenance tag;

Write down the date and title of the report before reading it.

Adopting this discipline will reduce the risk of not identifying the evidence, because if the evidence for an NC is not identified there is no point in reporting it. Be sure to agree all observations and non-conformances during the interview.

There should be no surprises at the closing meeting. This may take time; it is important that you examine the situation thoroughly and stick to the facts. It helps if you establish a good relationship with the auditee.

12.4 Questioning Techniques Different questioning techniques can be used to help the auditor gather information from the auditees. When to use each technique depends very much on the situation and how the auditee is responding. For example; is the auditee not free with the answers, not giving away much information, or, is the auditee open and forthcoming in discussion, adequately describing the activities under review. Below are some common questioning techniques along with some of the benefits of each.

| Technique | Benefits |
|---|---|
| Open: How…. Why…. When…. Where…. What…. Example: How do you receive and process a customer order? | Relaxes auditee. Encourages open discussion. Encourages auditee to describe activities in detail. |
| Closed: Do…. Can…. Examples: Do you always send a copy of the specification with the order? What day are the alarms tested? | Allows definitive answers to be obtained. Clarifies ambiguity. Sometimes a short answer is all that is needed. |
| Reflective: You said that…. Example: You said that customers do not always give full details with orders. What kind of problems can that cause? | Expands information given previously. Allows exploration of “what ifs?”. Shows the auditee that the auditor is listening. |
| Comparative: Comparing…. Example: How do telephone orders compare with written orders, is the process different in any way? | Allows auditor to focus on specific issues. Encourages the auditee to open up the discussion. Allows comparisons & similarities between orders. |
| Hypothetical: Imagine…. What if…. Example: What if the order arrived without full instructions, what steps do you take? | Allows auditor to ask specific questions about situations which may not have occurred. Encourages auditee to think in a wider context. |
| Leading: …You do this, don’t you…? Example: When you receive the order you review it, sign it and pass it to production, don’t you? | Confirms understanding. Useful when summarising information already given, but should not be used as the main source of gathering audit evidence. |

Be careful with the phrasing of questions. The auditor can answer a multitude of points by asking a single question e.g. "How do you check all incoming post?" This invites the auditee to describe the system. During the answer supplementary questions can be interspersed such as, "Why do you do that?", "When is this done?", "How do you report defects?" etc.

Such questions need to be kept within the bounds of reason and the sense of proportion.

Do not be afraid to say "I don't understand" and ask for further information.

Compare answers given, with answers to the same question from someone else.

Silence can encourage the auditee to give further information.

Know what the procedures or standards require so that you are clear in your own mind what constitutes acceptable answers and acceptable evidence.

It is important to be clear on the reasons why you are asking the question before you ask it. The auditee may well ask you “why are you asking me that question?”

12.5 Process Approach

Many of the ISO standards are designed around the process approach to auditing and to the design of the management system, which takes you away from clause based systems. Organisations who introduce ISO 9001, AS9100, AS9120, AS9110 etc. need to ensure their management systems are utilising the Plan Do Check Act definitions and steer away from clause based auditing and system design. This is also relevant to organisations implementing other standards such as ISO 14001.

Within ISO 9000, the definition of a process is: ‘a set of interrelated or interacting activities which transforms inputs into outputs’. Inputs to a process are generally outputs from other processes. A process has a start and an end defined by two limits, and these must be considered when defining processes.

Within ISO 9001 and AS9100, clause 4.1 requires organisations to (e) monitor, measure where applicable, and analyse these processes, and (f) implement actions necessary to achieve planned results and continual improvement of these processes. The above clause is very important and is commonly overlooked by organisations and auditors.

Many organisations applying AS9100, AS9120 or AS9110 will be aware of the new Process Effectiveness Assessment Report (PEAR) form which auditors shall use during assessments. These reports are very important and will identify if your processes have been clearly defined and are suitably monitored and measured. Tools can be used to help organisations document their processes; some example tools are process flowcharts, SIPOCs and Turtle Diagrams.

Taking the above information, organisations need to ensure that their processes have been clearly defined with inputs and outputs and showing the interaction of these processes. Measuring the effectiveness of the process is also vitally important and a non-conformance shall be raised if these processes are found to be ineffective.

You can be in compliance with a clause of ISO 9001 or the Aerospace Standards, but still be non-conforming, if you are not monitoring and measuring a defined process and taking corrective actions against any areas which are outside of the defined requirements or targets. A prime example of this could be late deliveries, if you have a process for delivering products within a defined time frame and you are late or outside of that requirement then a non-conformance should be raised internally and corrective actions taken. Please note that this is a requirement of ISO 9001 and not just the aerospace standards. Review clause 4.1 carefully and consider how processes are being defined and how the monitoring and measuring of those processes is being carried out. The process approach is now more explicit and defined within 9001:2015. The principles remain the same, but now need to consider the wider context of the organisation. The emphasis is to establish expected inputs and outputs, to assign responsibilities for the process and to address risks and opportunities associated with the processes, as well as the associated monitoring, measurement and actions.

12.6 Three Year Audit Programme

An audit programme, for the full certification cycle, shall be developed to clearly identify the audit activities required to demonstrate that the client’s management system fulfils the requirements for certification to the selected standard(s) or other normative document(s). Form 60A has been produced which is used for preparing the three year audit programme. This shall be generated during the stage 1 and/or reassessment audit for each client.

The key processes within the management system shall be highlighted on the form and a plan put in place as to what processes shall be covered during each audit throughout the cycle. The form is not to be used to cover the mandatory requirements of the standard as these are highlighted on the audit report. The clause references shall also not be used for this process. The processes of the organisation shall be documented, which may be manufacturing, assembly, welding, despatch etc. Processes such as internal audits and management review are not to be recorded; these are highlighted within each audit report as mandatory and therefore there is no need to highlight these.

If the organisation has a number of temporary sites and you are required to perform site visits, these are to be included onto the three year programme; this would typically be construction organisations but could be a number of other industries.

ISO 9001:2015 may further expand the information required and included in the three year programme – for example there may be specific reference to an Organisation’s Context, Risks & Opportunities, and Interested Parties etc.

Example of Three Year Programme:

Client Name: The Bestest Client in the World

Site: Never Never Land

Date Cycle Started: November 2011

Standard (s): ISO 9001:2008

Client process Identification | Stage 1 | Stage 2 / RE | SV 1 | SV 1.1 | SV 1.2 | SV 2 | SV 1.1 | SV 1.2 | Specific Comments for Reassessment

1 Contract Review - - - -

2 Purchasing and supplier evaluation - - - - -

3 Despatch - - - -

4 Manufacturing - - - - -

5 Assembly - - - - -

6 Inspections - - - -

7 Welding - - - - -

8 Painting - - - - -

9 Maintenance - - - - -

10 Training and Competencies - - - - -

11 Site Visit - - - - -

12.7 Audit Planning and Preparing Audit Plans Auditors are responsible for planning audits and ensuring that the client receives an audit plan at least 28 days before the first day of the audit. In preparing the audit plan, the auditor should consider the following:

Initial audits should cover all relevant aspects of the standard against which the client is being assessed;

The visit planner table within the audit report (Form 9) identifies areas of the relevant standard that must be covered at every surveillance visit;

All other areas of the relevant standard must be covered at least once during the three-year surveillance cycle as shown on the programme;

For initial audits, the auditor should use the client’s management system documentation to identify areas for specific focus, in order to determine appropriate timescales and identify relevant people to interview during the audit;

For surveillance visits, auditors should consider previous audit reports, including non-conformances and observations raised, and in particular areas identified for checking on the visit planner table in order to determine areas to focus on during the audit;

Auditors should also plan the audit to ensure that all relevant parts of the auditee’s business covered by the scope and proposed certificate are covered. This should also take account of multiple locations and temporary sites where appropriate;

The plan should be clear which members of the organisation will be required and when – in particular for the leadership elements.

The Auditor should send the appropriate completed audit plan template (Form 4) to IMS Admin and the rest of the audit team (as appropriate) at least 28 days before the audit. IMS Admin shall forward a copy to the client. The plan should, as a minimum, give the proposed timescales for the audit, identify which areas each auditor will be covering, and give the auditee a clear idea of which staff will be required and when. The audit plan should be considered as a useful tool for both the audit team and the auditee, but should not be seen as set in stone. In practice the audit findings and the auditee’s working practices are likely to lead to differences in what is seen when.

The audit plan shall be appropriate to the objectives and the scope of the audit. The audit plan shall at least include or refer to the following:

The audit objectives;

The audit criteria;

The audit scope, including identification of the organizational and functional units or processes to be audited;

The dates and sites where the on-site audit activities are to be conducted, including visits to temporary sites, as appropriate;

The expected time and duration of on-site audit activities;

The roles and responsibilities of the audit team members and accompanying persons.

Planning and report writing time should be no greater than 10% (45 minutes for an 8 hour day) of total audit time (an audit day is 8 hours).

The functions/ processes should be the client’s specific processes for managing their business and delivering the expected outcomes of the management system standard, and not limited to a listing of the management system(s) standard clauses as “processes” e.g. QMS- ‘product realisation process’, is not acceptable as this will normally contain a number of key interrelated processes unique to the clients business operation. The audit plans should highlight the processes of the organisation and not just the clause titles of the standard(s). Using a manufacturing organisation as an example, the processes could be manufacturing, welding, despatch, inspection etc. and not production and service provision, monitoring and measurement. Do not over plan the audit resulting in the planned areas not being covered. Auditors should be realistic in what they can cover in the allotted time. If you feel the contract review process performed by IMS Head Office has not allowed sufficient time to perform the audit then this should be communicated back. IMS shall review the allocated time and make adjustments where necessary. If there is a team of auditors performing the audit, then the lead auditor shall prepare the audit plan, highlighting each of the processes being performed by each of the auditors based on their skills and knowledge. Should the areas the auditor is performing change during the assessment, the auditor notes shall highlight the change against the audit plan. Many organisations now have multiple standard audits (combined audits) and the planning for those audits should be carefully considered. The time allocation for each of the audit standards may be different and you should therefore plan accordingly. For example, there may be a requirement for 1 day ISO 9001, 2 days ISO 14001 and 3 days OHSAS 18001. The audit plan should not show the same amount of site effort being placed on each of the assessments. 
The appropriate time required for each standard shall be communicated to the auditor via email or through the auditor appointment acknowledgment (AAA). If you are unsure of the allocation please contact the IMS Head Office. Many clients will require a site visit to be performed on one or more of their temporary sites during the assessment, typically construction organisations. When this is the case, the audit plan shall highlight at what stage the site visit shall be performed; this shall not be at the last point within the audit. Information gathered from the site visit shall be used as a basis for performing the audit of the office activities. Therefore, performing the site visit at the end of the audit does not allow for this to effectively take place. The site being visited shall be confirmed during the opening meeting.

12.8 Opening Meetings A formal opening meeting, where attendance shall be recorded, shall be held with the client's management and, where appropriate, those responsible for the functions or processes to be audited. The purpose of the opening meeting, which shall usually be conducted by the audit team leader, is to provide a short explanation of how the audit activities will be undertaken. The degree of detail shall be consistent with the familiarity of the client with the audit process. The IMS audit report forms (Form 9) have a facility to record the opening meeting attendees and any specific questions or comments raised during the meeting. The requirements for the opening meeting are also identified within the audit report but are shown below:

Introduction of the participants, including an outline of their roles;

Confirmation of the scope of certification;

Confirmation of the audit plan (including type and scope of audit, objectives and criteria), any changes, and other relevant arrangements with the client, such as the date and time for the closing meeting, interim meetings between the audit team and the client's management;

Confirmation of formal communication channels between the audit team and the client;

Confirmation that the resources and facilities needed by the audit team are available;

Confirmation of matters relating to confidentiality;

Confirmation of relevant work safety, emergency and security procedures for the audit team;

Confirmation of the availability, roles and identities of any guides and observers;

The method of reporting, including any grading of audit findings;

Information about the conditions under which the audit may be prematurely terminated;

Confirmation that the audit team leader and audit team representing the certification body is responsible for the audit and shall be in control of executing the audit plan including audit activities and audit trails;

Confirmation of the status of findings of the previous review or audit, if applicable;

Methods and procedures to be used to conduct the audit based on sampling;

Confirmation of the language to be used during the audit;

Confirmation that, during the audit, the client will be kept informed of audit progress and any concerns;

Opportunity for the client to ask questions.

12.9 Closing Meetings

A formal closing meeting, where attendance shall be recorded, shall be held with the client's management and, where appropriate, those responsible for the functions or processes audited. The purpose of the closing meeting, which shall normally be conducted by the audit team leader, is to present the audit conclusions, including the recommendation regarding certification. Any non-conformances shall be presented in such a manner that they are understood and the timeframe for responding shall be agreed.

NOTE: “Understood” does not necessarily mean that the non-conformances have been accepted by the client.

The client shall be given opportunity for questions. Any diverging opinions regarding the audit findings or conclusions between the audit team and the client shall be discussed and resolved where possible. Any diverging opinions that are not resolved shall be recorded and referred to within the closing meeting notes for the IMS Head Office to review.

Similarly to the opening meeting, the IMS audit report (Form 9) has a facility to record the attendees and any questions or queries which cannot be resolved during the audit or meeting. The requirements for the closing meeting are within the audit report but also listed here:

Thank the company for their hospitality and for their assistance and co-operation;

Overall summary of assessment, non-conformances and observations found during the audit;

Deliver any non-conformances and observations and explain the timeframe and process for response. Ensure findings have been understood;

Present recommendation for or against proceeding to stage 2 audit or continuing certification;

Explain the continued surveillance audit cycle;

Explain the appeals process;

Invite questions from the company’s representatives, including comments on the report.

For the Aerospace Scheme Audits there is a separate Form (Form 68) which is used for the opening and closing meetings due to the additional requirements of that scheme. If you do not have sufficient time to prepare the written report, you shall at minimum deliver the findings verbally and ensure the clause areas, grade/severity and audit evidence is communicated and understood. Details on the corrective actions / objective evidence required shall also be communicated.

12.10 Communication during the Audit During the audit, the audit team shall periodically assess audit progress and exchange information. The audit team leader shall reassign work as needed between the audit team members and periodically communicate the progress of the audit and any concerns to the client. Where the available audit evidence indicates that the audit objectives are unattainable or suggests the presence of an immediate and significant risk (e.g. safety), the audit team leader shall report this to the client and, if possible, IMS head office to determine appropriate action. Such action may include reconfirmation or modification of the audit plan, changes to the audit objectives or audit scope, or termination of the audit. The audit team leader shall report the outcome of the action taken to IMS.

12.11 Collecting and Verifying Audit Evidence

During the audit, information relevant to the audit objectives, scope and criteria (including information relating to interfaces between functions, activities and processes) shall be collected by appropriate sampling and verified to become audit evidence. This evidence shall be recorded within the auditor notes. Outside of the Aerospace Scheme, the auditor notes shall be recorded on the standard IMS audit notepads or soft copy template (Form 74) with all required boxes completed at the top of each page and down each of the columns. Should the auditor use an electronic method of recording audit evidence (i.e. a tablet or laptop), the standard soft copy template as above shall be used. All required sections shall be completed from the template questions, ensuring that the columns are completed accordingly. The standard and clause numbers must be recorded and the reference number of any findings shown. If you fail to complete all required information, the report shall be rejected back to the auditor for completion.

Methods to collect information shall include, but are not limited to:

Interviews;

Observation of processes and activities;

Review of documentation and records;

Review of marketing literature including websites.

Organisations can often inadvertently claim to provide a service that they do not provide; a common issue is a claim of design when the organisation does not manage or control a design process. Auditors are required to review client websites and marketing literature to confirm that the claims made are unambiguous and shall raise non-conformances should this not be the case. Should the audit be for more than a single day, you shall show in the notes the relevant sections covered each day.


12.12 Identifying and Recording Audit Findings

Audit findings summarising conformity and detailing nonconformity and its supporting audit evidence shall be recorded within the auditor notes. The notes shall be sufficient to enable an informed certification decision to be made or the certification to be maintained. The relevant audit reports shall also be completed for each audit as detailed within this guidance document. Opportunities for improvement/observations may be identified and recorded within Form 10 for general scheme audits and within the audit report for the Aerospace Scheme audits. Non-conformances shall not be recorded as observations/opportunities for improvement and no soft grading is permitted under any scheme.

A finding of nonconformity shall be recorded against a specific requirement of the audit criteria, contain a clear statement of the nonconformity and identify in detail the objective evidence on which the nonconformity is based. Non-conformances shall be discussed with the client to ensure that the evidence is accurate and that the non-conformances are understood. The auditor shall not suggest the cause of non-conformances or their solution.

A nonconformity shall be raised when a situation represents:

A failure to fulfil one or more requirements of the management system standard, or

A situation that raises significant doubt about the ability of the client’s management system to achieve its intended outputs.

A major non-conformance is broadly defined as: the total breakdown of the system, control or procedure; an absence of a standard requirement; a number of minor issues related to the same clause; non-conformity that experience and judgement indicate will likely result in system failure or materially reduce its ability to assure controlled processes and products.

A minor non-conformance is broadly defined as failure to comply with a requirement which (based on judgement and experience) is not likely to result in system failure; a single observed lapse or isolated incident; minimal risk of non-conforming product or service.

For the aerospace scheme there are specific definitions which determine the difference between Major and Minor non-conformances:

Major: a nonconformity where the effect is judged to be detrimental to the integrity of the product or service;

the absence of or total breakdown of a system to meet a 9100-series standard requirement, an organisation procedure, or customer quality management system requirement;

any nonconformity that would result in the probable shipment of nonconforming product; and/or

a condition that could result in the failure or reduce the usability of the product or service and its intended purpose.


Minor: a single system failure or lapse in conformance with a 9100-series standard or customer quality management system requirement; or

a single system failure or lapse in conformance with a procedure associated to the organization's quality management system.

NOTE: A number of minor non-conformances against one requirement (e.g., similar non-conformances associated to different sites or different departments/functions/processes within a single site) can represent a total breakdown of the system and thus be considered a major nonconformity.

Further information regarding the actions to be taken in the event of a non-conformance within the aerospace scheme can be found within Document 16. In the case of a major non-conformance being raised against the aerospace scheme, a follow-up visit is mandatory to review the effectiveness of the corrective actions.

Non-conformances and observations under general schemes shall be recorded onto Form 10: non-conformance and observation corrective action plan. For Aerospace scheme audits, the non-conformances shall be recorded onto Form 42.

The audit team leader shall attempt to resolve any diverging opinions between the audit team and the client concerning audit evidence or findings. Any unresolved points shall be recorded within the notes section of the relevant audit report and subjected to a review by the Certification Officer.

12.13 Effectiveness of Corrective Actions

The Auditor and subsequently the Certification Officer shall review the corrections, identified causes and corrective actions submitted by the client to determine if these are acceptable. The effectiveness of any correction and corrective actions taken shall be verified and recorded on the non-conformity form (Form 10) and Form 42 for the Aerospace Scheme. Subsequent visits shall also review the effectiveness of corrective actions, and the non-conformity forms shall be updated with evidence of the closure and effectiveness of actions taken, with the ‘status’ column updated accordingly.

Should the review determine that the corrective actions have not been effective, the non-conformance shall be re-raised as a major non-conformance and evidence of the closure required to be submitted by the client. If necessary, a follow-up visit shall be required to verify the closure and effectiveness of that non-conformance. If a Major non-conformance is raised during Aerospace scheme audits, a follow-up visit is mandatory. The results of the review shall be communicated to the client through the relevant non-conformity form being sent to the client.


12.14 Preparing Audit Conclusions

Prior to the closing meeting, the audit team shall:

Review the audit findings, and any other appropriate information collected during the audit, against the audit objectives;

Agree upon the audit conclusions, taking into account the uncertainty inherent in the audit process;

Identify any necessary follow-up actions;

Confirm the appropriateness of the audit programme or identify any modification required (e.g. scope, audit time or dates, surveillance frequency, competence). Any changes shall be made on the three year programme.

12.15 Use of IMS and UKAS Logo

The use of the IMS and UKAS logo shall be verified during all assessments in line with the requirements set out in Document 34 (Rules governing the use of IMS and UKAS Logo). If any instances of misuse of logos are identified then a non-conformance shall be raised against the organisation and corrective actions requested along with supporting evidence.

12.16 Annex SL

ISO 9001:2015 adopts Annex SL’s high level structure, core text and common terms and definitions. This means that when requirements are essentially unchanged between the 2008 & 2015 version of 9001, they are frequently found under a new clause / sub clause heading. Annex SL and its associated appendices collectively define a generic management system framework. In the future, all ISO management system standards will adopt this approach and all current management systems will migrate to this structure during forthcoming revisions. The intention of this adoption is that ISO management system standards should become more consistent and compatible.

Annex SL consists of a number of clauses and appendices. They cover three essential points – high level structure; identical core text; common terms and core definitions. High level structure clauses are:

1. Scope
2. Normative references
3. Terms & definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Planning
10. Improvement


The major clause numbers, titles and common terms / core definitions cannot be changed; however, specific text, sub clauses, terms and definitions may be added or modified to suit specific disciplines of the relevant standard.

13 Audit Stages

13.1 Scope of Certification

The audit scope describes the extent and boundaries of the audit, such as physical locations, organisational units, activities and processes to be audited, as well as the time period covered by the audit. Under 9001:2015 this clause has been further defined - the scope of the management system shall take into consideration and reflect:

1) The context of the organisation – to include external and internal issues relevant to its purpose and strategic direction;

2) The requirements of relevant interested parties;

3) The products and services of the organisation.

There shall be a statement and justification within the scope of any requirement that is deemed not applicable. There is no longer a requirement in 9001:2015 for a statement of exclusion(s) within the system, however there must be a statement within the scope of those requirements that are not applicable.

For example – a scope of ‘Waste Management’ is not necessarily acceptable. In line with the above, the scope could be considered as ‘The provision of a licenced waste collection, transport, segregation, management & recycling service covering the UK, serving the public, private and commercial sectors for mixed dry, non-hazardous and municipal waste. Design & development is not applicable as all services are carried out to customer specified requirements’. This will obviously vary according to activity, but it gives an idea of the level of detail expected.

The process of confirming scopes is essentially unchanged with 9001:2015; however as you can see the scope now needs to be very specific and clear. The clients’ scope of certification needs to clearly reflect the activities and processes so as to not lead to ambiguity. Clients will generally not define their scope of certification clearly within their applications, and during the assessment the auditor needs to ensure the suitability of their scope.
Put yourself in their customers’ position and ask yourself “what does this organisation do and will I know exactly what activities their certificate covers?” The scope of certification needs to state clearly and unambiguously the activities of the company and those covered by the certification. As part of any audit, in particular a stage 1, you need to confirm all activities of the company – including a review of the company’s website and temporary / other site locations. All areas of the claimed scope need to be audited during an initial assessment and a reassessment.


Any significant changes to scope MUST be approved by IMS Head Office prior to the audit. Minor changes such as grammar, word order etc. may be proposed by you, but the addition of any new functions or activities must be processed and approved by IMS Head Office prior to the audit and you will be advised if the change may be considered. If an organisation states something on their website but it is not in the scope then this is acceptable, as long as the organisation does not put the ISO logo on the website as this then becomes ambiguous. It is suggested that before you visit any client, you review their website.

As an example, an organisation may apply for “the procurement and distribution of motor parts”. This scope can make you believe that they purchase and supply new parts to the motor industry. When you are performing your audit you may notice that they supply new and refurbished parts. When a customer looks at the certificate they may think they would be getting new parts; however, when parts arrive they could possibly be refurbished. This isn't necessarily a problem as the audit probably covers the process of refurbished parts, but when someone is looking at their certificate they may assume that it does not cover refurbished parts. The scope would need to be changed to something like: “The procurement and distribution of new and refurbished parts for the motor industry”. This scope now clearly reflects the clients’ activities and can reduce the chances of ambiguity.

The scope not only needs to be confirmed during the stage 1 assessment, it needs to be confirmed at every visit. If something has changed throughout the year you need to verify the scope to ensure that it is still appropriate to the organisation. Although clients are required to inform the IMS Head Office of any changes, they inevitably will not in all cases as they don't think it would affect the auditing process (see above re changes of scope).
The scopes shall be verified by the Certification Officer during the review process and they will be expecting to see a clear scope of certification.

13.2 Documented Management System

During any assessment stage, the auditor shall use the client’s documented procedures and processes for reference. Electronic copies should be avoided as this makes it difficult to have the procedure visible when auditing the shop floor. Clients are requested to have a hard copy of their Documented Management System available to the auditor within the audit plan. If a client prints out documented procedures during the assessment when required, the auditor shall ensure that these are printed from the client’s own server system and not from an external source such as a consultant’s laptop. The client needs to demonstrate control over their management system and not to be relying on an external resource.

During each assessment the auditor shall review any changes made since the last assessment. They do not necessarily need to review the entire documented system, but confirmation of any changes is required to be recorded. This includes policies and procedures.


13.3 Initial Certification Audit

The initial certification audit of a management system shall be conducted in two stages: stage 1 and stage 2.

13.3.1 Stage 1 audit

The stage 1 audit shall be performed:

To audit the client’s management system documentation (this can be done off-site, contract review will specify);

To evaluate the client’s location and site-specific conditions and to undertake discussions with the client’s personnel to determine the preparedness for stage 2 audit;

To review the client’s status and understanding regarding requirements to the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;

To collect necessary information regarding the scope of the management systems (see above guidance), processes and location(s) of the client, and related statutory and regulatory aspects and compliance (e.g. quality, environmental, legal aspects of the client’s operation, associated risks, etc.);

To review the allocation of resources for stage 2 and agree with the client on the details of the stage 2 audit;

To provide a focus for planning the stage 2 audit by gaining a sufficient understanding of the client’s management system and site operations in the context of possible significant aspects;

To evaluate if the internal audits and management review are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for the stage 2 audit.

To establish and confirm the context of the organisation – this is a process of determining the factors that can affect an organisation’s purpose, objectives and sustainability. It consists of both internal (e.g. culture, knowledge, performance) and external factors (e.g. legal, technological, social, economic).

To establish and confirm interested parties. An interested party is an individual or organisation that can affect, be affected by or perceive itself to be affected by a decision or activity; they can be both internal and external to the organisation. Identifying interested parties forms part of the process of understanding the context of the organisation and is a key part of the risk management of the organisation. Examples of interested parties are – customers, employees, contractors, partners and society. Establishing interested parties and their associated effect forms part of the process of managing risks to the organisation. The organisation only needs to consider parties deemed relevant to its management system. Determining relevance is dependent on whether or not the party has an impact on the organisation’s ability to provide compliant products and services (meeting customer, statutory and regulatory requirements) or ultimately the aim of enhancing customer satisfaction and overall performance.

The context and interested parties will of course need to be considered during every audit for changes, however it is particularly important during the stage 1. The establishing of context and interested parties is particularly important as it has a direct influence on all key areas of the management system - scope, risk, planning, operation, evaluation and improvement.

During the stage 1 audit, you need to confirm the legal entity status, structure and any trading names of the company. We are permitted to certify ‘ABC trading as XYZ’, but this needs to be clear and unambiguous. During stage 1 audits, we will provide you with a copy of the application questionnaire – this will provide you with information to verify against. If there are any discrepancies or inconsistencies, these need to be clearly reported to IMS Head Office prior to the stage 2. During any audit, if you have concerns regarding the above, then please make sure you contact IMS Head Office. We will make you aware of any name or entity change requests that we receive. In these instances you will be asked to verify these and that suitable changes and arrangements have been made.

The stage 1 audit should raise (as needed) potential non-conformances against the management system(s) that will require closure by the client prior to the stage 2. The outcome of the stage 1 should be your judgment and recommendation as to whether or not the client’s management system is prepared for stage 2. In either case, a suitable and clear recommendation should be made.

9001:2015 Off Site Document Review: As the new standard requires less documentation than previous versions, it is not expected that a document review is necessary; however, when an organisation has provided documented evidence prior to the assessment a review shall be completed accordingly.
Sufficient notes shall be taken as per normal procedures with specific reference to the areas below:

Context of the Organisation

Risks and Opportunities

Effectiveness Measures

Scope and Applicability

Procedures updated

Competencies and Knowledge

Interested Parties

Legal and Regulatory Requirements

Key Processes within organisation

The notes shall be maintained and followed up with the client during the onsite assessment.


13.3.2 Stage 2 audit

The purpose of the stage 2 audit is to evaluate the implementation, including effectiveness, of the client’s management system. The stage 2 audit shall take place at the site(s) of the client. It shall include at least the following:

Information and evidence about conformity to all requirements of the applicable management system standard or normative document;

Performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document);

The client’s management system and performance as regards legal compliance;

Operational control of the client’s processes;

Internal auditing and management review;

Management responsibility for the client’s policies;

Links between the normative requirements, policy, performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document), any applicable legal requirements, responsibilities, competence of personnel, operations, procedures, performance data and internal audit findings and conclusions.

13.4 Determining period between stages and Back to Back Audits

The contract review will determine the approximate interval between stage 1 and stage 2, taking into consideration the risk, number of employees, commonality of operations, applicable legislation and regulations, and key processes. For Aerospace Scheme audits, back to back assessments are not permitted and a maximum period of six months is permitted between stage 1 and stage 2.

During the scheduling process for the stage 1 assessment, the client and auditor may tentatively arrange a date for the stage 2 assessment in line with the contract review guidance. This date will be confirmed during the stage 1 assessment, taking into consideration any findings and the client’s resource availability to meet the deadline.

During the contract review it may be determined that a back to back audit is possible for stage 1 and stage 2 assessments. The client and auditor will be made aware of the risk of carrying out back to back audits: if the client fails the stage 1 assessment then the stage 2 assessment will not go ahead and will need to be rescheduled. The quotation will reflect this requirement and the client will be informed of the risk. Clients and Auditors are made aware that findings will not be downgraded to allow for the stage 2 audit to be carried out back to back with stage 1.


Formal opening and closing meetings must be held for both stages and a report written and presented for both.

13.5 Outcome of Audit

The audit team must make a judgement, based on the evidence gathered during the audit, as to whether the audited system meets the requirements of the relevant standard. Based on this judgement, a recommendation should be made to the Certification Officer. This recommendation may be:

i. The system is deemed to be compliant – certification recommended;

ii. The system is deemed to be compliant except for a limited number of minor non-conformances – certification recommended subject to the auditee identifying, carrying out and submitting appropriate corrective action(s) and supporting evidence as required;

iii. The system contains one or more major non-compliances, or an excessive number of minor non-compliances with the cumulative result that the system is deemed to fall short of the requirements – certification cannot be recommended without suitable follow up or additional audit time as required.

In the case of (ii) above, the client should be informed at the closing meeting of how corrective actions are to be verified. This will depend on the judgement of the auditor, taking the below requirements into consideration:

In the case of (iii) above, the auditor should inform the client that additional audit effort (which may be on or off site) may be required and that this may incur additional costs.

In all cases, a Corrective Action Plan (Form 10) should be completed and sent to IMS by the Auditee within 28 days of the final day of the audit, or an alternative appropriate period as determined by the auditor (of no more than 3 months) – this shall be detailed clearly within the audit report recommendation;

For initial assessments and instances of ‘major’ non-conformance, objective evidence must also be sent to IMS demonstrating closure of all corrective actions before a certificate is issued;

For surveillance and reassessment visits, the auditor should determine whether corrective action(s) can be verified at the next visit, or whether objective evidence should be sent to IMS within a specified time period. If non-conformances remain open from the previous audit then objective evidence shall be requested from the client to support their corrective action plan. If necessary, a follow-up visit will also be recommended to verify closure of the non-conformances;

In certain circumstances, the auditor may recommend that a further visit is required to confirm the completion of corrective actions (see above). This may be where the review of objective evidence off site cannot be considered a suitable or effective measure of corrective action implementation;

Auditees will be expected to consider any observations raised by the auditor as part of their management review process or other appropriate mechanism, but will not be required to take any action, nor to list any actions decided upon on the corrective action plan. The auditor should review the client’s consideration as part of the following visit and make note within the audit record to this effect.

Auditees should be made aware that all actions and evidence must be submitted to [email protected], and not via the auditor.


13.6 Auditing Multi-Site Organisations

If non-conformances are identified during the initial assessment a certificate shall not be issued until these have been addressed and closed out accordingly. A certificate will not be issued to one site if there are outstanding non-conformances pertaining to another site within the organisation.

When non-conformances are found at any individual site, either through the client’s internal auditing or from external audit non-conformances, an investigation needs to take place by the client to determine whether the other sites may be affected. If they are found to be affected, corrective action should be performed and verified both at the central office and at the individual affected sites.

It shall not be admissible that, in order to overcome the obstacle raised by the existence of a non-conformity at a single site, the organisation seeks to exclude from the scope the “problematic” site during the certification process. Such exclusion can only be agreed in advance.

13.7 Reassessment

During reassessments auditors will need to have carried out a full document review of the client’s Documented Management System. This can be carried out on-site or off-site but will be determined by IMS Head Office personnel during the triennial review process and will be confirmed to the Auditor on the AAA. As well as the key areas identified in 13.3.2 of this document, the auditor must ensure that a review of the last three years’ records takes place during the assessment and that an audit record of it is made. This will include but is not limited to:

Last three years’ internal audits to verify frequency, findings, trends, performance etc.;

Last three years’ management reviews to verify frequency, findings, discussions, content etc.;

Last three years of non-conformances and complaints to verify number, findings, effective closure, trends etc.;

Changes within the organisation, increase or decrease in personnel, processes added or deducted, management changes etc.;

Objective and target performance, has the client progressed their system and aimed to improve the effectiveness etc.;

General performance over the last three years of audits etc.


13.8 9001:2015 Changes in Terminology

Products = Products & Services

Exclusions = Not Used (See scope section 13.1)

Documentation / Records = Documented Information

Work Environment = Environment for the Operation of Processes

Purchased Product = Externally Provided Products and Services

Supplier = External Provider

13.8.1 Documented Information.

One of the main terminology changes in 9001:2015 is from ‘documents & records’ to ‘documented information’. This is information that is required to be controlled and maintained by the organisation along with the medium on which it is contained. Documented information is required by a number of clauses in ISO 9001:2015: 4.3, 4.4.2, 5.2.2, 6.2.1, 7.1.5.1, 7.2, 8.1, 8.2.3.1, 8.3.3, 8.3.4, 8.3.6, 8.4, 8.5.1, 8.5.3, 8.5.6, 8.6, 8.7.2, 9.1.1, 9.2.2, 9.3.3, 10.2.2 and this information shall be reviewed, verified and recorded, as applicable, during the audit. Documented information can be considered in any format and media and be from any source. It can refer to the management system and related processes, information created in order for the organisation to operate and records of results achieved. As you can see, this ‘documented information’ may not be in the familiar format and so it is important the auditor understands and determines how compliance is being demonstrated. It may well be the case that a once single record is now in a number of forms – for example, objectives may be documented within a set of minutes or a business plan.

13.8.2 Risks & Opportunities

Risk is defined as ‘the effect of uncertainty’. In terms of ISO 9001:2015, this is to be considered as the uncertainty of the management system achieving intended results. Fundamentally, this is to provide confidence in the organisation’s ability to consistently provide customers with conforming goods and services, enhance satisfaction and meet the objectives of the organisation’s management system, as well as encouraging a proactive culture of prevention and improvement. The organisation shall identify the risks and opportunities relative to its context, scope, products / services and interested parties, and plan actions to address them.

An example of risk could be an organisation’s supply chain. The organisation should ensure that actions are in place to mitigate the negative effects of a supply chain issue, such as expanding its supplier base to ‘spread the risk’ of relying on an individual supplier. It will be necessary to establish not only that the organisation has considered its risks but also that it has established actions to address them. These actions include avoidance, eliminating the risk source, substitution or sharing the risk.

Risk and opportunity are not fixed or absolute quantities. Changes to operations, resources, infrastructure or processes may affect risk and these changes need to be considered on a continual basis. In like manner, risk and opportunity may be perceived differently by individuals, therefore the process of considering risks and opportunities needs to involve as many persons within the organisation as is practical. The concept of preventive action is now addressed within the standard by the risk identification and control process and is a key principle within 9001:2015. This forms part of the management system being utilised as a preventive tool.

Risks should not always be thought of as negative. Risk based thinking may also be used to identify opportunities. As with risks, 9001:2015 also asks that opportunities are identified, with actions taken to pursue and address them. It should also be remembered that there is no requirement for formal risk management or a documented risk management process. However, there should be documented information available to demonstrate that the process is being implemented, that risks and opportunities are being identified and that associated actions are being integrated, implemented and evaluated.

13.8.3 Externally Provided Products and Services

This now replaces purchasing / outsourcing. 9001:2015 places a greater emphasis on the type and extent of control applied to these providers and requires that these products / services do not adversely affect the organisation’s ability to consistently deliver conforming products and services. In this sense, the organisation shall ensure that these processes remain within the control of the management system and define the controls on the provider and also the output. The process of determining controls needs to consider the potential impact of the provider on the product / service. Some key processes will require much greater / more detailed controls than others. A key part of these controls is monitoring performance against requirements. These indicators or ‘KPIs’ may take various forms such as on time delivery, within tolerance / specification, response time etc. The nature and extent of control will be entirely relative to the degree of ‘risk’ associated with the provider and the impact on product / service.

13.8.4 Leadership and Commitment

Whilst there is no longer a requirement in 9001:2015 for a nominated management representative, the concept of clear LEADERSHIP is now in place. This is critical to the effective operation of the management system and whilst there is usually no doubt that top management understand the organisation’s direction, it is critical that this is fed into the management system planning, operation and monitoring. The means of establishing compliance will typically be via a ‘leadership interview’. This will require the input of top / senior management and will be used to establish the understanding and commitment of the management towards the key areas of scope, context, products and services, interested parties, risks, opportunities, resources, competence, roles & responsibilities, infrastructure, customers, objectives, planning, policy, direction, change and communication.

As mentioned above, whilst there is no requirement for a management representative, part of the top management leadership role is to assign and communicate responsibility and authority as required to ensure the effective operation of the management system. This may well be one person, but could now fall to a number of individual groups or departments.

14 Evaluation of Compliance

Organisations certified to ISO 14001 or OHSAS 18001 have a requirement to ensure they are legally compliant. They need to maintain their system for periodically evaluating their compliance against legislation applicable to their organisation. Organisations should not be certified to either of these standards should they be in breach of any legislation applicable to the business. Any organisation not showing legal compliance shall not become certified or maintain their certification; any deliberate or continued breaches against legislation shall result in the client being suspended. Auditors are not responsible for approving the identified legal requirements as being final or definitive. This sole responsibility lies with the organisation. There are some key requirements that need to be considered by auditors during ISO 14001 or OHSAS 18001 audits:

During the on-site audit, the auditor shall verify that the organisation complies with applicable legal requirements, by considering examples of significant environmental aspects as well as regional, national and local legal requirements.

The audit should be undertaken by examining activities controlled by environmental permits and other applicable legislation through a risk-based assessment using sampling to confirm that environmental compliance is realised.

The audit shall establish that the EMS is capable of achieving legal compliance.

Not all pieces of legislation are likely to be covered during each assessment; the auditor has to take a risk based approach in determining which legislation should be reviewed for compliance. If an organisation is in breach of legislation in any way, a non-conformance shall be raised as per normal procedures. If there is a serious breach of legislation, the regulators may need to be informed and appropriate actions taken. IAF Document EA7/04 is to be used by the auditor for additional information on this requirement.

15 Audit Reporting for ISO and BS Standards

IMS will ensure that all auditors are supplied with up-to-date versions of the Audit Report Form (Form 9). Please ensure that you delete any old versions when issued with new. Do not use an old copy of the client’s audit report and update the information.

The audit report is a critical document. It needs to provide a clear, succinct but value added summary of the audit. We all have our own reporting styles, but as this is the only real legacy of the audit for the client, it is important that it is accurate and complete – not only for the client, but also for IMS Head Office processing. Details such as company name, employee numbers, scope, areas and number of findings and recommendations need to be accurate. If there are any significant changes to these areas, then they need to be clearly highlighted – please do not leave details hidden in notes or elsewhere. The fields requiring completion are there for a reason and reports will be rejected if not completed suitably.

The report summary needs to give an overall feeling of the audit. It should seek to add value and comment on observed examples as opposed to generic statements. When there are areas of concern – e.g. non-conformance – then this needs to be commented on. The reports need to correlate accurately with the corrective action plan (Form 10). Also, your notes should clearly reference the findings as reported – for example your initials and the number – and this should match Form 10 to enable quick cross reference.

In the case of follow up or special visits (excluding AS scheme audits) there should be appropriate notes made and the original report and Form 10 updated accordingly to make a clear and unambiguous reference to the follow up activity and recommendations (e.g. with the use of a different font or text colour).

The various sections of the Audit Report should be completed as outlined, and in the order set out below.

Audit Details

Completion of this page should be self-explanatory.

Summary of Audit Findings & Visit Planner

The number of non-compliances and observations found under each clause of the relevant standard(s) should be listed on this page(s). The auditor should also check that customer complaints are being handled appropriately, and that the IMS and UKAS logos are being used correctly. Non-conformances or observations against either of these aspects should be recorded in the relevant boxes.

Visit Planner: This table is used to identify which clauses were checked during the audit, and which clauses should be checked at the next visit (see section 12.6). Any specific areas that should be checked (e.g. sites, work activities or departments that were considered weak or were not able to be assessed fully) should also be identified on this table.

Audit Summary

The comments and concerns boxes on this page should always be completed. It is important that auditors include positive and negative feedback in this section, and highlight aspects of the audited system that are areas of good practice. The auditor should also use this page to make a recommendation for or against certification, and to make clear what follow-up action is required with regard to corrective action, as described in section 13. Any useful comparisons with the results of previous assessments of the system should also be included.

Opening Meeting Mandatory Agenda; Closing Meeting Mandatory Agenda

Completion of these pages should be self-explanatory (see sections 12.8 & 12.9)

Photo Evidence

This section is optional and is more likely to be used when carrying out environmental and health and safety audits. Sometimes it is far easier to take a picture than to write down detailed information with regard to audit evidence, especially if it is visual evidence. Before taking any pictures, always ensure that you ask the client and/or audit guide if it is acceptable to take photographic evidence and place it within the audit report. We do not require any specific quality of the photographs as they will not be used for specific audit evidence, and any non-conformances or observations must always be included in the non-conformance / observation section.

Note that Audit Reports and Audit Notes should be written or translated into English. Audit reports should always be left with the client in PDF format. Both Word and PDF versions should be submitted to IMS Admin.

Audit Reports to use and when:

Form 9A: Document Reviews and Stage 1 Assessments

Form 9B: Stage 2 Assessments, Surveillances, Follow Ups & Reassessments

16 Audit Reporting for Aerospace Scheme

The Aerospace scheme has specific reports which are standards in their own documents to aid in the completion and uploading; these are from AS9101 and are detailed fully within Doc 33. All auditors involved with Aerospace Scheme audits are to be competent based on the IMS Procedure 11. An additional guidance document (Doc 33) has been produced to aid the auditors in completing the AS9101 documents and has been provided to all relevant auditors.

17 Certification Review

Following the audit, the auditor will send the audit reports to IMS, along with the audit notes and any other relevant information or evidence collected during the audit. The auditor should also inform the client to send details of corrective actions to IMS as described within the corrective action section. All information sent to IMS should be written in, or translated into, English. The client’s corrective action plan and objective evidence should also be in English where possible. If this is not possible, the corrective action plan and / or objective evidence should be sent to the Lead Auditor who must provide a translation and/or summary of the information, and also indicate whether he or she thinks that the information submitted is acceptable.

The Certification Officer will undertake the Certification Review as detailed in Proc 6. If required, the auditor may be contacted to provide clarification, additional information, or to comment on corrective action(s) submitted by the client. The review is recorded on Form 11 (11A for the Aerospace Scheme).

The Scope of Certification will need to be reviewed and verified as clearly defining what the client’s activities consist of and that the report and scope are a true reflection of this. If the scope is unclear then the auditor and client need to be consulted before a certificate is issued. The auditor will be informed of the outcome of the certification review and any additional information required as part of the review shall be requested and documented on the certification review form.

The Certification Officer is responsible for reviewing the expiration date of the client’s certificate(s) and shall highlight the date of the next assessment on the certification review form. This date is to be 3 months prior to the expiration of their certificate.

18 Corrective Action Plans and Objective Evidence

Wherever possible to ensure impartiality, the corrective action plan and any supporting objective evidence will be reviewed and approved/rejected by the assessor(s) who carried out the audit. If it is not possible for the original assessor to carry out the review then someone independent of the certification review decision shall be appointed.

The reviewer of the corrective action plan needs to ensure that all sections of the corrective action plan (form 10) or AS9101 Form 42 for the aerospace scheme have been fully completed and in enough detail as to satisfy themselves that the client has addressed the non-conformance suitably to ensure no re-occurrences. The “immediate/remedial corrective action” section needs to detail actions taken by the client to deal with the issue in question and correct that incident. The “root cause” section requires the client to detail how the non-conformance occurred. There are techniques such as “5 whys” that help the client discover the root cause of the problem. Doc 6F “Guidance notes on root cause analysis” has been produced for use by auditors and is available on the IMS website – www.imsworld.org - for clients to use.

The “long term corrective actions” section needs to detail what the client has done and what systems have been changed or implemented to ensure that the problem identified in the root cause section, which generated the non-conformance, has been dealt with and will not re-occur. For the Aerospace Scheme, comments and verification processes shall be recorded directly onto the NCR form (Form 42) and sent to the client within 14 days of receipt.

If you are not satisfied with the corrective action plan that has been submitted then make a comment on the form detailing what further information/clarification is required from the client. This can be forwarded onto the IMS Admin department to subsequently inform the client. The IMS Admin department will chase the client for the follow-up information as required. The review section can also be used for reminders or actions for the next visit; an example of this would be to review the skills matrix during the next audit for all new employees.

When you are happy with the Corrective Action Plan you shall complete the relevant sections and submit to IMS. All non-conformances shall be verified and closed (if possible) at the subsequent visit, which may be a special visit as required. See section 13.

19 Auditor Feedback

As part of the certification review, the Certification Officer will ensure that the documentation provided by the auditor is complete, correct, and of a sufficiently high standard, and will also review the completed Auditee Feedback Questionnaire where completed and applicable. Any examples of audits not being conducted or reported in line with the requirements of IMS International or relevant schemes will be detailed on a non-conformance report and forwarded to the auditor, along with required corrective action. A copy of the report will also be kept in the staff file and reviewed as part of the annual competence review of each auditor (see Proc 11). Any specific feedback relevant to the subsequent audit will be communicated to the auditor via the AAA.

20 Certification Cycle

Any new client will receive an initial assessment, with the number of required audit days based upon specified guidance, but varied according to factors such as simplicity / complexity of operations, number of sites, exclusions etc.

Certification will in most cases last three years. An initial surveillance visit will generally be carried out after nine months, and thereafter annually or six-monthly. The number of days per surveillance visit will be approximately one third of the days required for initial assessment, though could vary depending on the reliance that can be placed on the system as identified during the audits.

Surveillance visits shall include on-site audits assessing the certified client’s management system’s fulfilment of specified requirements with respect to the standard to which certification is granted. They will also cover as a minimum:

The effectiveness of the system to meet objectives and policies;

Internal audits and management review;

Progress of planned activities aimed at continual improvement;

Continuing operational control;

Review of any changes;

Use of marks and/or any other reference to certification;

Interviews with management responsible for the system;

Effectiveness of communication;

Verification of closure of non-compliances identified during previous audits;

Action taken in response to complaints.

Before the expiry of the certificate, a re-assessment will be undertaken. The number of days will generally be two-thirds of the days required for initial assessment, but will depend on the number of audit days undertaken during the certification cycle as compared to guidance, and also on the level of compliance demonstrated during the cycle.

Re-assessment will ensure:

Overall continuing conformity of the organisation’s management system to the requirements of the relevant standard, and that the system has been properly implemented and maintained;

The effective interaction between all elements of the system;

The overall effectiveness of the system in its entirety in the light of changes to operations;

Demonstrated commitment to maintain the effectiveness and improvement of the management system in order to enhance overall performance;

Whether the operation of the certified management system contributes to the achievement of the organisation’s policy and objectives;

Documentation continues to comply with the requirements of the standard and is appropriate to the organisation’s activities.

This process will be managed by IMS Head Office, but auditors should be aware of the process in order to inform clients as and when required.

Requirements relating specifically to AS scheme audits and transfers will be determined by the IMS Head Office and communicated accordingly.

21 Mobile Phones

Mobile phones should remain on silent throughout the audit.

Mobile phones should only be checked periodically during the audit (this is for missed calls, emails, texts etc.).

Phone calls should only be made and received during planned breaks, such as lunch.

Only urgent phone calls should be made or taken during an audit, and these should be kept brief.

If you are concerned about family members trying to get hold of you in case of an emergency, please tell them they can contact the office. We have all the contact details for clients and can relay a message.

22 Document Revision History

Date | Amendment | Revision

28th July 2012 | Scope of Certification section added under “Carrying out Audits”. Added paragraph to “Certification” section to emphasise the review of the scope. | 2

20th April 2013 | Reviewed and revised the requirements for the audit plans to better explain the process identifications. Also highlighted the requirement to show the auditors’ names against the processes and when a site visit shall be performed. Added in reference to EA07/04 for the environmental legislation review/evaluation of compliance. | 3

22nd May 2013 | Updated the Certification Review section to detail the requirement of reviewing the certificate expiration date and setting the next visit for 3 months prior. | 4

21st July 2013 | Removed reference to TickIT. Added in reference to IAF MD11. Amended company name. Added a number of items: Audit Planning: added section to audit planning to help prevent over planning for items and running out of time. Closing Meeting: added some information regarding communicating the findings if not leaving a copy of the report. Observers: increased the guidance on this and introduced requirement to inform IMS office should any observer become too involved. Collecting and Verifying Information: added requirement to check the organisation’s marketing literature including website. Use of IMS and UKAS logo: added entire section. Documented Management System: added entire section. | 5

14th February 2014 | Updated to new IMS standard template. Added in section references. Included the requirement to include site visits onto the three year programme (12.5). Included requirement to use standard notepad templates (12.10). Re-located a few sections to place in more appropriate locations. Included the communicating with clients remotely requirement (11.5). Included policy and procedure section (11.6). Included the requirement to make comments on changes to the Management system within each audit (11.2). Added some additional guidance for audit planning against multiple standards (12.7). | 6

August 2015 | Updated in line with 9001:2015. Various typographical changes in line with organisational and operational changes. | 7