internal auditor training

Ramasubramanian.s Management consultant/Trainer/Auditor +919952229598

Upload: ramasubramanian-s

Post on 24-Jan-2017


Category:

Leadership & Management



TRANSCRIPT

Page 1: Internal auditor training


Page 2: Internal auditor training

Table of Contents

1 Introduction to Auditing

2 The Process Approach and Process Auditing

3 Managing an Audit Program

4 Audit Activities

5 Auditor Competence and Responsibilities

6 Conclusion


Page 3: Internal auditor training

Introduction to Auditing


Page 4: Internal auditor training

Auditing

What is an audit?

Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (ISO 19011:2002 clause 3.1)

Why audit?

Requirement of ISO 9001:2008

Monitor and measure the management system

Promote continuous improvement of the management system


Page 5: Internal auditor training

Principles of Auditing

Principles relating to auditors:

Ethical conduct

Fair presentation

Due professional care

Principles relating to audit:

Independence

Evidence-based approach

4.0

Note: reference to ISO 19011:2002 Clause number


Page 6: Internal auditor training

Benefits of Auditing

Verifies conformity to requirements

Increases awareness and understanding

Provides a measurement of effectiveness of the management system to top management

Reduces risk of management system failure

Identifies improvement opportunities

Continuous improvement if performed regularly


Page 7: Internal auditor training

Types of Audit

Registration / Certification

Product

Customer contract

Gap assessment / Pre-assessment

Surveillance

Combined audit / joint audit


Page 8: Internal auditor training

The Process Approach and Process Auditing


Page 9: Internal auditor training

Process Approach

The process approach emphasizes the importance of:

Understanding and meeting requirements

Looking at processes in terms of added value

Obtaining results of process performance

Continual improvement of process


Page 10: Internal auditor training

PDCA (Plan-Do-Check-Act)

[Diagram: Process cycle of Plan, Do, Check, Act; Continual Improvement]

The Plan-Do-Check-Act (PDCA) methodology applies to all processes

• Deploy and conform with plan
• Activities
• Controls
• Documentation
• Resources
• Objectives

• Analyze/review
• Decide/change
• Improve effectiveness

• Measure and monitor for conformity and effectiveness

Page 11: Internal auditor training

Management System Standards and the Process Approach

ISO 22716:

Is based upon the PDCA cycle which can be applied to processes

Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a Cosmetic GMP

ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits


Page 12: Internal auditor training

Applying the Process Approach to Auditing

Auditors can apply the process approach to auditing by ensuring the auditee:

Can define the objectives, inputs, outputs, activities, and resources for its processes

Analyzes, monitors, measures, and improves its processes

Understands the sequence and interaction of its processes


Page 13: Internal auditor training

Process Auditing Approaches

Individual Process:

Input / Output / Value-added Activity

Plan-Do-Check-Act

Resources

Relationship with other processes:

Flow / Sequence / Linkage / Combination

Interaction / Communication

Evidence

Customer and supplier contract(s)


Page 14: Internal auditor training

Process Auditing “Turtle Diagram”

• With what? Resources
• With who? Personnel
• What results? Performance indicators
• Outputs: To whom / where
• Inputs: From whom / where
• How done? Methods / Documentation
• Process (specific value-added activities)


Page 15: Internal auditor training

Process Auditing Example

Process: Contract Review

With what?
• Order processing system

With who?
• Customers
• Competent sales and processing staff

What results?
• Order processing time
• Number of orders
• Value of orders
• Contract accuracy

Outputs
• Production/Service Delivery

Inputs
• Customer requirements
• Sales staff

How done?
• IT system
• Processing system
• Terms and conditions
• Contract review procedure


Page 16: Internal auditor training

Managing an Audit Program


Page 17: Internal auditor training

Managing an Audit Program Process Flow

5.1

AUTHORIZE

PLAN: ESTABLISH
• OBJECTIVES
• EXTENT
• ROLES
• RESOURCES
• PROCEDURES

DO: IMPLEMENT
• SCHEDULE AUDITS
• EVALUATE AUDITORS
• SELECT TEAMS
• DIRECT ACTIVITIES
• MAINTAIN RECORDS

CHECK: MONITOR & REVIEW
• MONITOR
• REVIEW
• IDENTIFY NEED FOR CA/PA
• IDENTIFY OPPORTUNITIES TO IMPROVE

ACT: IMPROVE

AUDITOR COMPETENCE & EVALUATION

SPECIFIC AUDIT ACTIVITIES


Page 18: Internal auditor training

Audit Activities


Page 19: Internal auditor training

Typical Audit Activities

Initiating the Audit

Conducting Document Review

Preparing, Approving, Distributing Audit Report

Completing the Audit

Conducting Audit Follow-up

Preparing for On-site Activities

Conducting On-site Activities

PLAN

DO

CHECK

ACT

6.1


Page 20: Internal auditor training

Audit Program

Top management should authorize responsibility for program management to:

Establish, implement, review, and improve the audit program

Identify the necessary resources and ensure they are provided

• Organization should develop audit program processes

• Program should be managed by a member of the organization

• Keep appropriate audit records to monitor and review the audit program


Page 21: Internal auditor training

Audit Program Responsibilities

Top management should authorize responsibility for program management

Those assigned responsibility should:

Establish, implement, review, and improve the audit program

Identify the necessary resources and ensure they are provided


Page 22: Internal auditor training

Initiating the Audit

Initiating the audit includes:

Appointing the audit team leader

Defining audit objectives, scope, criteria

Determining feasibility of the audit

Selecting the audit team

Establishing initial contact with the auditee

6.2


Page 23: Internal auditor training

Defining Audit Objectives, Scope, Criteria

Audit objectives may include:

Determining the extent of conformity of the auditee's QMS with audit criteria

Evaluation of capability of QMS to ensure compliance with statutory, regulatory, and contractual requirements

Evaluation of effectiveness of the QMS to meet its objectives

Identification of areas of improvement

6.2.2


Page 24: Internal auditor training

Selecting the Audit Team

For team size and competence, consider:

Audit objectives, scope, criteria, and duration

Whether audit is combined or joint

Competence of team to meet objectives

Statutory, regulatory, contractual and accreditation/certification requirements

Independence of the team

6.2.4


Page 25: Internal auditor training

Auditor Competence and Responsibilities


Page 26: Internal auditor training

Auditor Competence

Auditor competence is based on:

Personal attributes

Application of knowledge and skills

Competence is to be developed, maintained, and improved

7.1


Page 27: Internal auditor training

Auditor Competence: Personal Attributes

Ethical

Diplomatic

Open-minded

Observant

Perceptive

Versatile

Tenacious

Decisive

Self-reliant

7.2


Page 28: Internal auditor training

Auditor Competence Generic Knowledge and skills

Auditor skills and competence could include:

Audit principles, procedures, and techniques

Management system and reference documents

Organizational situations

Laws, regulations, and other requirements

7.3.1


Page 29: Internal auditor training

Auditor Competence Specific Knowledge and skills

Specific knowledge and skills for quality auditors could include:

Quality methods and techniques

Quality terminology

Quality management tools and their application

Processes and products/services specific to the sector being audited

7.3.3


Page 30: Internal auditor training

Auditor Responsibilities

Arrive on time

Maintain confidentiality

Be objective and ethical

Support the audit team and team leader

Plan and prepare work documents

Inform auditees of the audit process

Document and support all findings

Keep auditee informed

Safeguard all documents

Prepare the audit report


Page 31: Internal auditor training

Audit Planning

Determine the objective of the audit

Identify specified requirements

Determine audit duration and resources needed

Select the team

Contact the auditee – agree the date(s)

Draw up audit plan

Brief the team

Prepare work documents


Page 32: Internal auditor training

Conducting Document Review

A review of documentation:

Should be conducted prior to on-site audit activities unless deferring review is not detrimental to the effectiveness of the audit

May include relevant FSMS documents, records, and previous audit reports

May include a preliminary site visit

6.3


Page 33: Internal auditor training

Prepare Work Documents

Prepare work documents

Use as a reference and for recording audit proceedings

Include checklists, sampling plans and forms, ISO 22000:2005 standard, etc.

Keep checklists flexible to allow changes resulting from information collected during the audit

Safeguard any confidential and proprietary information

Retain work documents and records


Page 34: Internal auditor training

Checklists Preparation

One approach is to:

Identify audit scope and process(es) within scope

Identify applicable factors (inputs, outputs, measures, resources, etc.)

Use these points and other requirements (ISO 22716 system documentation, etc.) to:

Plan what to look at

Plan what to look for (audit evidence)

Prepare checklist


Page 35: Internal auditor training

Checklists Structure

Audit checklist structure:

Process/Activity Audited:

Requirement: ISO 22716 Clause # or other requirement

Source: What to “look at”

Evidence: What to “look for”

Notes: Notes


Page 36: Internal auditor training

Conduct On-Site Audit Activities

Conduct opening meeting

Communicate during the audit

Explain roles and responsibilities of participants

Collect and verify information

Generate audit findings

Prepare audit conclusions

Conduct closing meeting

6.5


Page 37: Internal auditor training

Opening Meeting

Hold opening meeting with auditee top management and those responsible for processes audited

Meeting may be informal

Chaired by team leader

Audit team present

Purpose is to confirm all prior arrangements

6.5.1


Page 38: Internal auditor training

Collecting and Verifying Information

Sources of information

Collect by appropriate sampling & verification

Evaluate against audit criteria

Review

Audit Conclusions

Page 39: Internal auditor training

Auditing Process Collect & Verify information

Collect information relevant to:

Audit objectives, scope, and criteria

Interfaces between functions, activities and processes

Collect audit evidence by appropriate sampling and verify and record it

Be aware of sampling limitations if acting on the audit conclusion

Use only information that is verifiable as audit evidence

6.5.4


Page 40: Internal auditor training

Auditing Process Techniques to Obtain Audit Evidence

Interview:

Personnel that manage, perform, and verify activities

Also ensure they are responsible for the activity being audited

Listen carefully to responses

Observe:

Identity, status, condition, processes, equipment, activities, environment, and people

6.5.4


Page 41: Internal auditor training

Auditing Process Audit Evidence

Review documents that describe:

Activities

Plans

Controls

Strategies

Exercises

Tests

Review records for evidence of conformity to documents

Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable

Audit evidence may be qualitative or quantitative


Page 42: Internal auditor training

Communication and interpersonal skills

Put auditee at ease

Ask short questions and listen

Reflect right attitude, tone of voice, body language, and facial expressions

Smile and show eye contact

Avoid interruptions

Avoid off-the-cuff and condescending remarks

Give praise when appropriate


Page 43: Internal auditor training

Communication and interpersonal skills

Show interest

Be tactful and polite

Show patience and understanding

Remember to say please and thank you

Ask the right person

Don't say you understand when you do not


Page 44: Internal auditor training

Questioning Techniques

Open question

Using why, who, what, where, when, or how gets more than a yes or no answer

Expansive question

Further elaborates the current point

Opinion question

Asks opinion about current point

Non-verbal

Uses body language, for example: raise an eyebrow to elicit further information


Page 45: Internal auditor training

Questioning Techniques

Repetitive question

Repeats back response in form of a question

Hypothetical question

Uses what if, suppose that, etc.

Closed question

Gets yes or no answer

Avoid using too often

Used for confirmation

Silence

Draws more information


Page 46: Internal auditor training

Note Taking

Notes could be used as reference for:

Immediate investigation

Investigation later

Use by a colleague

Subsequent audits

Notes taken during an audit are a record of:

The audit sample taken

What was reported

What was observed

Notes may be referenced by subsequent auditor


Page 47: Internal auditor training

Sampling

Samples should test the effectiveness of the system and should be:

Representative

Structured

Independently selected

Sample size should be based on:

Risk

Importance

Status

Findings from the previous/current audit


Page 48: Internal auditor training

Control of the Audit

Checklist is an aid, not a requirement

If potential audit trails appear, decide to:

Disregard

Note for later

Follow up immediately

Following audit trails may affect:

Sample size

Audit plan


Page 49: Internal auditor training

Handling Difficult Situations

EXAMPLES

Uncooperative

Long telephone calls

Cannot find document

Unprepared

Constant interruptions

Provocation

Long-winded auditees

Interdepartmental or personality conflicts

Diversionary tactics

Language

Noisy environment

Boastful

Called away

Volunteered information

Page 50: Internal auditor training

Establish the Facts Judgment in the Audit Process

Audit focus must be on conformity and effectiveness, NOT on finding nonconformities

The auditee must be given the benefit of any doubt where there is insufficient audit evidence


Page 51: Internal auditor training

Establish the Facts

Discuss concerns

Verify the findings

Record all the evidence:

Exact observation

Where, what, etc.

Establish why a nonconformity or otherwise

State who (if relevant) – preferably by job title

Obtain agreement with the facts


Page 52: Internal auditor training

Generate Audit Findings

Evaluate audit evidence against audit criteria to generate audit findings

Indicate if findings are conformities, nonconformities or opportunities for improvement

Meet (audit team) to review findings

Specify (with supporting evidence) or summarize conformity by location, function, or processes, as required by audit plan

6.5.5


Page 53: Internal auditor training

Nonconformity

Non-fulfillment of a specified requirement:

Not doing it

Partially doing it

Doing it the wrong way

Specified requirement:

Conditions of the customer contract

Quality standard (ISO 22716)

Quality management system

Statutory or regulatory requirements

6.5.5


Page 54: Internal auditor training

Generate Audit Findings

Record nonconformity findings and supporting evidence

Obtain auditee acknowledgement of nonconformities for accuracy and understandability

Try and resolve differences of opinion

Keep a record of unresolved issues

6.5.5


Page 55: Internal auditor training

Nonconformity - Minor

Failure to comply with a requirement which (based on judgment and experience) is not likely to result in QMS failure

Single observed lapse or isolated incident

Minimal risk of nonconforming product or service

Examples:

A two-month lapse in the internal audit program

A training record not available

No actions taken to improve system based on previous result findings


Page 56: Internal auditor training

Nonconformity - Major

Absence or total breakdown of a system to meet a requirement

A number of minors related to the same clause or requirement

A nonconformity that experience and judgment indicate will likely result in QMS failure or significantly reduce its ability to assure controlled processes and products


Page 57: Internal auditor training

Nonconformity - Major

Examples:

No documented procedure for a required documented ISO 22716 process/activity

Document changes routinely made without authorization

No awareness program for the Food safety management system

No future planned internal audits

Insufficient scope

Numerous minor nonconformities found in the production process


Page 58: Internal auditor training

Nonconformity: Classifying the Nonconformity

Consider the seriousness:

What could go wrong if the nonconformity remains uncorrected?

Is it likely the system would detect it before the customer is affected?

If you are not certain it is a nonconformity, it is not.

You must have:

A requirement that has been broken

Proof that it has been broken


Page 59: Internal auditor training

Nonconformity Good Report Examples

QMS Nonconformity Report

Incident Number: 1

Company under audit: XYZ, Inc.

Area under Review: Purchasing ISO 22716 Clause number 7.4

Category: Major Minor

Requirement: Clause 7.4.1 of ISO 9001:2008 requires that the organization establish criteria for evaluation and re-evaluation of suppliers.

Nonconformity Findings: Upon speaking with the Purchasing Manager, it was found that no evaluation of ABC supplier had taken place since the contract was signed and business began with ABC supplier.


Page 60: Internal auditor training

Nonconformity Poor Report Examples

The nonconformity statements below are inadequate due to the lack of specified requirements and detailed evidence:

Steering Group meeting minutes are not adequate

The authority level for the Emergency Controller must be documented for clarity purposes


Page 61: Internal auditor training

Preparing Audit Conclusions

Audit team confers prior to the closing meeting:

Scheduling of the audit plan

To plan for closing meeting

Purpose is to:

Review audit findings and other information

Agree on audit conclusions

To prepare the audit report and recommendations

If included in audit plan, to discuss audit follow-up

6.5.6


Page 62: Internal auditor training

Audit Report Prepare, Approve & Distribute

1. Audit reference

2. Client and Auditee details

3. Audit team details

4. List of auditee representatives

5. Objectives, scope, and criteria

6. Audit plan – dates, places, areas audited and timing

7. Summary of audit process

8. Audit Summary

9. Uncertainty due to sampling

6.6.1

6.6.2


Page 63: Internal auditor training

Audit Report Prepare, Approve & Distribute

10. Nonconformity reports

11. Recommendation

12. Obstacles encountered

13. Any areas in audit scope not covered

14. Any unresolved issues between the auditee and team

15. Confirmation that audit objectives accomplished

16. Confidentiality statement

17. Distribution list

6.6.1

6.6.2


Page 64: Internal auditor training

Audit Report Distribution

• Issue within agreed time period

• If delayed, provide reasons and agree on new issue date

• Report must be dated, reviewed, and approved as per procedures

• Distribute to recipients designated by audit client

• Report is property of audit client

• Recipients and audit team must respect the confidentiality of the report

6.6.1


Page 65: Internal auditor training

Completing the Audit

• Audit is complete when all activities in audit plan have been carried out and audit report is distributed

• Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures

• Maintain confidentiality of audit documents, information, and report

• Notify audit client and auditee ASAP if disclosure of audit information is required.

6.7


Page 66: Internal auditor training

Closing Meeting

• Hold closing meeting to present audit findings and conclusions

• Cover situations encountered during audit that may decrease reliance on audit conclusions

• Discuss and resolve diverging audit findings and conclusions

• Keep a record if not resolved

• Provide recommendations for improvement where specified by audit objectives

• Keep minutes and attendance records

• Will normally be informal for internal audits

6.5.7


Page 67: Internal auditor training

Completing the Audit: Conducting the Follow-up

• Audit conclusions may require corrective, preventive, or improvement actions

• Auditee decides and carries out these actions within agreed timeframe

• These actions are not part of the audit

• Audit team member should verify completion and effectiveness of actions taken

• This verification may be part of a subsequent audit

• Maintain independence in subsequent audit activities

6.8


Page 68: Internal auditor training

Completing the Audit Corrective the Follow-up

• Auditee receives the nonconformity report

• Auditee prepares and approves a corrective action plan

• Auditee submits the plan to auditors

• Auditors evaluate and approve the plan

• Auditee implements the approved corrective action plan

• Auditor verifies the implementation and effectiveness

• Records of all actions taken by auditor and auditee

6.8


Page 69: Internal auditor training

CASE STUDIES

Find Major/Minor NC

Find standard clause reference

State Standard requirement

Write NC statement


Page 70: Internal auditor training

Conclusion


Page 71: Internal auditor training

Final Questions?


Page 72: Internal auditor training

Thank you for your attendance and participation!
