internal auditor training
Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598
Table of Contents
1 Introduction to Auditing
2 The Process Approach and Process Auditing
3 Managing an Audit Program
4 Audit Activities
5 Auditor Competence and Responsibilities
6 Conclusion
Introduction to Auditing
Auditing
What is an audit?
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled
(ISO19011: 2002 clause 3.1)
Why audit?
Requirement of ISO 9001:2008
Monitor and measure the management system
Promote continuous improvement of the management system
Principles of Auditing
Principles relating to auditors:
Ethical conduct
Fair presentation
Due professional care
Principles relating to audit:
Independence
Evidence-based approach
4.0
Note: reference to ISO 19011:2002 Clause number
Benefits of Auditing
Verifies conformity to requirements
Increases awareness and understanding
Provides a measurement of effectiveness of the management system to top management
Reduces risk of management system failure
Identifies improvement opportunities
Continuous improvement if performed regularly
Types of Audit
Registration / Certification
Product
Customer contract
Gap assessment / Pre-assessment
Surveillance
Combined audit / joint audit
The Process Approach and Process Auditing
Process Approach
The process approach emphasizes the importance of:
Understanding and meeting requirements
Looking at processes in terms of added value
Obtaining results of process performance
Continual improvement of process
PDCA (Plan-Do-Check-Act)
The Plan-Do-Check-Act (PDCA) methodology applies to all processes
[Diagram: Plan, Do, Check, Act cycle around the Process, leading to Continual Improvement]
Plan: • Activities • Controls • Documentation • Resources • Objectives
Do: • Deploy and conform with plan
Check: • Measure and monitor for conformity and effectiveness
Act: • Analyze/review • Decide/change • Improve effectiveness
Management System Standards and the Process Approach
ISO 22716:
Is based upon the PDCA cycle which can be applied to processes
Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a Cosmetic GMP
ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits
Applying the Process Approach to Auditing
Auditors can apply the process approach to auditing by ensuring the auditee:
Can define the objectives, inputs, outputs, activities, and resources for its processes
Analyzes, monitors, measures, and improves its processes
Understands the sequence and interaction of its processes
Process Auditing Approaches
Individual Process:
Input / Output / Value-added Activity
Plan-Do-Check-Act
Resources
Relationship with other processes:
Flow / Sequence / Linkage / Combination
Interaction / Communication
Evidence
Customer and supplier contract(s)
Process Auditing “Turtle Diagram”
With what? Resources
With who? Personnel
What results? Performance indicators
Outputs: To Whom/Where
Inputs: From Whom/Where
How done? Methods/Documentation
Process (specific value-added activities)
Process Auditing Example
Process: Contract Review
With what? • Order processing system
With who? • Customers • Competent sales and processing staff
What results? • Order processing time • Number of orders • Value of orders • Contract accuracy
Outputs: Production/Service Delivery
Inputs: • Customer requirements • Sales staff
How done? • IT system • Processing system • Terms and conditions • Contract review procedure
Managing an Audit Program
Managing an Audit Program Process Flow
5.1
AUTHORIZE
PLAN / ESTABLISH: • OBJECTIVES • EXTENT • ROLES • RESOURCES • PROCEDURES
DO / IMPLEMENT: • SCHEDULE AUDITS • EVALUATE AUDITORS • SELECT TEAMS • DIRECT ACTIVITIES • MAINTAIN RECORDS
CHECK / MONITOR & REVIEW: • MONITOR • REVIEW • IDENTIFY NEED FOR CA/PA • IDENTIFY OPPORTUNITIES TO IMPROVE
ACT / IMPROVE
AUDITOR COMPETENCE & EVALUATION
SPECIFIC AUDIT ACTIVITIES
Audit Activities
Typical Audit Activities
Initiating the Audit
Conducting Document Review
Preparing for On-site Activities
Conducting On-site Activities
Preparing, Approving, Distributing Audit Report
Completing the Audit
Conducting Audit Follow-up
PLAN DO CHECK ACT
6.1
Audit Program
Top management should authorize responsibility for program management to:
Establish, implement, review, and improve the audit program
Identify the necessary resources and ensure they are provided
• Organization should develop audit program processes
• Program should be managed by a member of the organization
• Keep appropriate audit records to monitor and review the audit program
Audit Program Responsibilities
Top management should authorize responsibility for program management
Those assigned responsibility should:
Establish, implement, review, and improve the audit program
Identify the necessary resources and ensure they are provided
Initiating the Audit
Initiating the audit includes:
Appointing the audit team leader
Defining audit objectives, scope, criteria
Determining feasibility of the audit
Selecting the audit team
Establishing initial contact with the auditee
6.2
Defining Audit Objectives, Scope, Criteria
Audit Objectives may include:
Determining the extent of conformity of auditee's QMS with audit criteria
Evaluation of capability of QMS to ensure compliance with statutory, regulatory, and contractual requirements
Evaluation of effectiveness of the QMS to meet its objectives
Identification of areas of improvement
6.2.2
Selecting the Audit Team
For Team size and competence, consider:
Audit objectives, scope, criteria, and duration
Whether audit is combined or joint
Competence of team to meet objectives
Statutory, regulatory, contractual and accreditation/certification requirements
Independence of the team
6.2.4
Auditor Competence and Responsibilities
Auditor Competence
Auditor competence is based on:
Personal attributes
Application of knowledge and skills
Competence is to be developed, maintained, and improved
7.1
Auditor Competence
Personal Attributes
Ethical
Diplomatic
Open-minded
Observant
Perceptive
Versatile
Tenacious
Decisive
Self-reliant
7.2
Auditor Competence
Generic Knowledge and skills
Auditor skills and competence could include:
Audit principles, procedures, and techniques
Management system and reference documents
Organizational situations
Laws, regulations, and other requirements
7.3.1
Auditor Competence
Specific Knowledge and skills
Specific knowledge and skills for quality auditors could include:
Quality methods and techniques
Quality terminology
Quality management tools and their application
Processes and products/services specific to the sector being audited
7.3.3
Auditor Responsibilities
Arrive on time
Maintain confidentiality
Be objective and ethical
Support the audit team and team leader
Plan and prepare work documents
Inform auditees of the audit process
Document and support all findings
Keep auditee informed
Safeguard all documents
Prepare the audit report
Audit Planning
Determine the objective of the audit
Identify specified requirements
Determine audit duration and resources needed
Select the team
Contact the auditee – agree the date(s)
Draw up audit plan
Brief the team
Prepare work documents
Conducting Document Review
A review of documentation:
Should be conducted prior to on-site audit activities unless deferring review is not detrimental to the effectiveness of the audit
May include relevant FSMS documents, records, and previous audit reports
May include a preliminary site visit
6.3
Prepare Work Documents
Prepare work documents
Use as a reference and for recording audit proceedings
Include checklists, sampling plans and forms, ISO 22000:2005 standard, etc.
Keep checklists flexible to allow changes resulting from information collected during the audit
Safeguard any confidential and proprietary information
Retain work documents and records
Checklists Preparation
One Approach is to:
Identify audit scope and process(es) within scope
Identify applicable factors (inputs, outputs, measures, resources, etc.)
Use these points and other requirements (ISO 22716 system documentation, etc.) to:
Plan what to look at
Plan what to look for (audit evidence)
Prepare checklist
Checklists Structure
Audit checklist structure:
Process/Activity Audited:
Requirement: ISO 22716 Clause # or other requirement
Source: What to “look at”
Evidence: What to “look for”
Notes: Notes
Conduct on-Site Audit Activities
Conduct opening meeting
Communicate during the audit
Explain roles and responsibilities of participants
Collect and verify information
Generate audit findings
Prepare audit conclusions
Conduct closing meeting
6.5
Opening Meeting
Hold opening meeting with auditee top management and those responsible for processes audited
Meeting may be informal
Chaired by team leader
Audit team present
Purpose is to confirm all prior arrangements
6.5.1
Collecting and Verifying Information
Sources of information → Collect by appropriate sampling & verification → Evaluate against audit criteria → Review → Audit Conclusions
Auditing Process
Collect & Verify information
Collect information relevant to:
Audit objectives, scope, and criteria
interfaces between functions, activities and processes
Collect audit evidence by appropriate sampling and verify and record it
Be aware of sampling limitations if acting on the audit conclusion
Use only information that is verifiable as audit evidence
6.5.4
Auditing Process
Techniques to Obtain Audit Evidence
Interview:
Personnel that manage, perform, and verify activities
Also ensure they are responsible for the activity being audited
Listen carefully to responses
Observe:
Identity, status, condition, processes, equipment, activities, environment, and people
6.5.4
Auditing Process
Audit Evidence
Review documents that describe:
Activities
Plans
Controls
Strategies
Exercises
tests
Review records for evidence of conformity to documents
Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable
Audit evidence may be qualitative or quantitative
Communication and interpersonal skills
Put auditee at ease
Ask short questions and listen
Reflect right attitude, tone of voice, body language, and facial expressions
Smile and show eye contact
Avoid interruptions
Avoid off-the-cuff and condescending remarks
Give praise when appropriate
Communication and interpersonal skills
Show interest
Be tactful and polite
Show patience and understanding
Remember to say please and thank you
Ask the right person
Don't say you understand when you do not
Questioning Techniques
Open question
Using why, who, what, where, when, or how gets more than a yes or no answer
Expansive question
Further elaborates the current point
Opinion question
Asks opinion about current point
Non-verbal
Uses body language, for example: raise an eyebrow to elicit further information
Questioning Techniques
Repetitive question
Repeats back response in form of a question
Hypothetical question
Uses what if, suppose that, etc.
Closed question
Gets yes or no answer
Avoid using too often
Used for confirmation
Silence
Draws more information
Note Taking
Notes could be used as reference for:
Immediate investigation
Investigation later
Use by a colleague
Subsequent audits
Notes taken during an audit are a record of:
The audit sample taken
What was reported
What was observed
Notes may be referenced by subsequent auditor
Sampling
Samples should test the effectiveness of the system and should be:
Representative
Structured
Independently selected
Sample size should be based on:
Risk
Importance
Status
Findings from the previous/current audit
Control of the Audit
Checklist is an aid, not a requirement
If potential audit trails appear, decide to:
Disregard
Note for later
Follow up immediately
Following audit trails may affect:
Sample size
Audit plan
Handling Difficult Situations
EXAMPLES
Uncooperative
Long telephone calls
Cannot find document
Unprepared
Constant interruptions
Provocation
Long-winded auditees
Interdepartmental or personality conflicts
Diversionary tactics
Language
Noisy environment
Boastful
Called away
Volunteered information
Establish the Facts
Judgment in the Audit Process
Audit focus must be on conformity and effectiveness, NOT on finding nonconformities
The auditee must be given the benefit of any doubt where there is insufficient audit evidence
Establish the Facts
Discuss concerns
Verify the findings
Record all the evidence:
Exact observation
Where, what, etc.
Establish why a nonconformity or otherwise
State who (if relevant) – preferably by job title
Obtain agreement with the facts
Generate Audit Findings
Evaluate audit evidence against audit criteria to generate audit findings
Indicate if findings are conformities, nonconformities or opportunities for improvement
Meet (audit team) to review findings
Specify (with supporting evidence) or summarize conformity by location, function, or processes, as required by audit plan
6.5.5
Nonconformity
Non-fulfillment of a specified requirement:
Not doing it
Partially doing it
Doing it the wrong way
Specified requirement:
Conditions of the customer contract
Quality standard (ISO 22716)
Quality management system
Statutory or regulatory requirements
6.5.5
Generate Audit Findings
Record nonconformity findings and supporting evidence
Obtain auditee acknowledgement of nonconformities for accuracy and understandability
Try and resolve differences of opinion
Keep a record of unresolved issues
6.5.5
Nonconformity - Minor
Failure to comply with a requirement which (based on judgment and experience) is not likely to result in QMS failure
Single observed lapse or isolated incident
Minimal risk of nonconforming product or service
Examples:
A two month lapse in the internal audit program
A training record not available
No actions taken to improve system based on previous result findings
Nonconformity - Major
Absence or total breakdown of a system to meet a requirement
A number of minors related to the same clause or requirement
A nonconformity that experience and judgment indicate will likely result in QMS failure or significantly reduce its ability to assure controlled processes and products
Nonconformity - Major
Examples:
No documented procedure for a required documented ISO 22716 process/activity
Document changes routinely made without authorization
No awareness program for the Food safety management system
No future planned internal audits
Insufficient scope
Numerous minor nonconformities found in the production process
Nonconformity
Classifying the Nonconformity
Consider the seriousness:
What could go wrong if the nonconformity remains uncorrected?
Is it likely the system would detect it before the customer is affected?
If you are not certain it is a nonconformity, it is not.
You must have:
A requirement that has been broken
Proof that it has been broken
Nonconformity
Good Report Examples
QMS Nonconformity Report
Incident Number: 1
Company under audit: XYZ, Inc.
Area under Review: Purchasing
ISO 22716 Clause number: 7.4
Category: Major / Minor
Requirement: Clause 7.4.1 of ISO 9001:2008 requires that the organization establish criteria for evaluation and re-evaluation of suppliers.
Nonconformity Findings: Upon speaking with the Purchasing Manager, it was found that no evaluation of ABC supplier had taken place since the contract was signed and business began with ABC supplier.
Nonconformity
Poor Report Examples
The nonconformity statements below are inadequate due to the lack of specified requirements and detailed evidence:
Steering Group meeting minutes are not adequate
The authority level for the Emergency Controller must be documented for clarity purposes
Preparing Audit Conclusions
Audit team confer prior to the closing meeting:
Scheduling of the audit plan
To plan for closing meeting
Purpose is to:
Review audit findings and other information
Agree on audit conclusions
To prepare the audit report and recommendations
If included in audit plan, to discuss audit follow-up
6.5.6
Audit Report
Prepare, Approve & Distribute
1. Audit reference
2. Client and Auditee details
3. Audit team details
4. List of auditee representatives
5. Objectives, scope, and criteria
6. Audit plan – dates, places, areas audited and timing
7. Summary of audit process
8. Audit Summary
9. Uncertainty due to sampling
6.6.1
6.6.2
Audit Report
Prepare, Approve & Distribute
10. Nonconformity reports
11. Recommendation
12. Obstacles encountered
13. Any areas in audit scope not covered
14. Any unresolved issues between the auditee and team
15. Confirmation that audit objectives accomplished
16. Confidentiality statement
17. Distribution list
6.6.1
6.6.2
Audit Report Distribution
• Issue within agreed time period
• If delayed, provide reasons and agree on new issue date
• Report must be dated, reviewed, and approved as per procedures
• Distribute to recipients designated by audit client
• Report is property of audit client
• Recipients and audit team must respect the confidentiality of the report
6.6.1
Completing the Audit
• Audit is complete when all activities in audit plan have been carried out and audit report is distributed
• Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures
• Maintain confidentiality of audit documents, information, and report
• Notify audit client and auditee ASAP if disclosure of audit information is required.
6.7
Closing Meeting
• Hold closing meeting to present audit findings and conclusions
• Cover situations encountered during audit that may decrease reliance on audit conclusions
• Discuss and resolve diverging audit findings and conclusions
• Keep a record if not resolved
• Provide recommendations for improvement where specified by audit objectives
• Keep minutes and attendance records
• Will normally be informal for internal audits
6.5.7
Completing the Audit
Conducting the Follow-up
• Audit conclusions may require corrective, preventive, or improvement actions
• Auditee decides and carries out these actions within agreed timeframe
• These actions are not part of the audit
• Audit team member should verify completion and effectiveness of actions taken
• This verification may be part of a subsequent audit
• Maintain independence in subsequent audit activities
6.8
Completing the Audit
Corrective Action Follow-up
• Auditee receives the nonconformity report
• Auditee prepares and approves a corrective action plan
• Auditee submits the plan to auditors
• Auditors evaluate and approve the plan
• Auditee implements the approved corrective action plan
• Auditor verifies the implementation and effectiveness
• Records of all actions taken by auditor and auditee
6.8
CASE STUDIES
Find Major/Minor NC
Find standard clause reference
State Standard requirement
Write NC statement
Conclusion
Final Questions?
For your attendance and participation!