presentation for internal auditor training rev.1.pptx
TRANSCRIPT
CONSULTANT AND TRAINING CENTRE SDN BHD (1089456-K)
INTERNAL AUDITOR TRAINING
Table of Content
1. Introduction to Auditing2. Process Approach & Process Auditing3. Managing Audit Programme4. Auditing Activities5. Competency & Responsibilities of Auditor6. Conclusion
1. Introduction to Auditing
What is an audit ?
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled(ISO19011: 2002 clause 3.1)
an evidence gathering process
Why audit ?
Requirement of ISO 9001:2015 Monitor and measure the management
system Promote continuous improvement of
the management system Promote continuous improvement of the management system
Principle of AuditingPrinciples relating to auditors: Ethical conduct Fair presentation Due professional care
Principles relating to audit: Independence Evidence-based approachNote: reference to ISO 19011:2002 Clause number 4.0
Benefits of Auditing
Verifies conformity to requirements Increases awareness and understanding Provides a measurement of effectiveness of the
management system to top management Reduces risk of management system failure Identifies improvement opportunities Continuous improvement if performed regularly
Type of Audit
First-party (internal audit)
Second-party (external audit)
Third-party (external audit)
Workshop 01
Answers for Workshop 01-Type of Audit
First-party audit
Organizations use first party audits to audit themselves. First party audits are used to confirm or improve the effectiveness
of management systems. They're also used to declare that an organization complies with an ISO standard (this is called a self-declaration). Of course, such a declaration is credible only if first party auditors are genuinely independent and free of bias. If you decide to use first party auditors to make a self-declaration
of compliance, make sure that they aren't auditing their own work.
Second-party auditThey’re usually done by customers or by others on their behalf. However, they can also be done by regulators or any other external party that has a formal interest in an organization.
Answers for Workshop 01-Type of Audit
Third-party auditThey’re performed by independent organizations such as registrars (certification bodies) or regulators.
Answers for Workshop 01-Type of Audit
2. Process Approach & Process Auditing
Process Approach
The process approach emphasize the importance of :
Understanding and meeting requirements Looking at processes in terms of added value Obtaining results of process performance Continual improvement of process
Process Approach
The process approach emphasize the importance of :
Understanding and meeting requirements Looking at processes in terms of added value Obtaining results of process performance Continual improvement of process
PDCA (Plan-Do-Check-Act)
PLAN• What to do?• How to do?
DO• Do what was
planned
CHECK• Did things
happen according to plan?
ACT• How to
improve next time?
Workshop 02
PDCA (Plan-Do-Check-Act)
CUSTO
MER
REQUIREMENTS
SATISFACTION
CUSTO
MER
Management Responsibility
PLAN
ResourceManagement
DO
Product Realization
CHECK
Measurement, Analysis,
Improvement
ACT
Productinput output
Continual Improvement of QMS
Value-adding activities Information flow
PDCA (Plan-Do-Check-Act)
PDCA (plan–do–check–act or plan–do–check–adjust) is an iterative four-step management method used in business for the control and continuous improvement of processes and products.
It is also known as the Deming circle/cycle/wheel, Shewhart cycle, control circle/cycle, or plan–do–study–act (PDSA).
By Wikipedia
ISO 9001:2015 : Is based upon the PDCA cycle which can be applied to
processes Applies the PDCA cycle to implementing, operating,
monitoring, exercising, maintaining and improving the effectiveness of a QMS
ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits
Management System Standards vsthe Process Approach
Applying the Process Approach
Auditors can apply the process approach to auditing by ensuring the auditee:
Can define the objectives, inputs, outputs, activities, and resources for its processes
Analyzes, monitors, measures, and improves its processes
Understands the sequence and interaction of its processes
Process Auditing Approaches
Individual Process: Input / Output / Value-added Activity Plan-Do-Check-Act Resources
Relationship with other processes: Flow / Sequence / Linkage / Combination Interaction / Communication Evidence Customer and supplier contract(s)
Process Auditing “Turtle Diagram”
Workshop 03
Workshop 03
Answers for Workshop 03-Turtle Diagram
3. Managing Audit Program
Managing an Audit Program Process FlowPLAN DO CHECK ACT
AUTHORIZE
ESTABLISH IMPLEMENT MONITOR & REVIEW IMPROVE
AUDITOR COMPETENCE & EVALUATION
SPECIFIC AUDIT ACTIVITIES
OBJECTIVES EXTENT ROLES RESOURCES PROCEDURES
SCHEDULE AUDITS EVALUATE AUDITORS ELECT TEAMS DIRECT ACTIVITIES MAINTAIN RECORDS
MONITOR REVIEW IDENTIFY NEED FOR CA/PA IDENTIFY OPPORTUNITIES
TO IMPROVE
Audit ActivitiesPLAN Initiating the Audit
Conducting Document Review
Preparing for On-site Activities
DO Conducting for On-site Activities
Preparing, Approving, Distributing Audit Report
Completing the AuditCHECK
Completing Audit Follow UpACT
Workshop 04
Audit Program Top management should authorize responsibility for
program management to: Establish, implement, review, and improve the audit
program Identify the necessary resources and ensure they are
provided Organization should develop audit program processes Program should be managed by a member of the
organization Keep appropriate audit records to monitor and review the
audit program
Initiating the AuditInitiating the audit includes: Appointing the audit team leader Defining audit objectives, scope, criteria Determining feasibility of the audit Selecting the audit team Establishing initial contact with the auditee
Defining Audit Objectives, Scope, Criteria
Audit Objectives may include:Determining of the extent of conformity of auditee’s QMS with
audit criteriaEvaluation of capability of QMS to ensure compliance with
statutory, regulatory, and contractual requirementsEvaluation of effectiveness of the QMS to meet its objectivesIdentification of areas of improvement
What is the difference between audit scope and audit criteria?Audit Scope – extent and boundaries of an audit.
The audit scope generally includes a description of the physical locations, organizational units, activities and processes, as well as the time period covered.
Its tells : when audit shall be conducted (start and end date) what/who are we going to audit where the audit shall be done
Audit scope shall be derived from the QMS Scope.
What is the difference between audit scope and audit criteria?Audit Criteria – set of policies, procedures or requirements.Audit criteria are used as a reference against which audit evidence is compared.
It tells what we are going to check (or audit) the conformance. what are the requirements of the audit.
Audit criteria could be a combination of the following ISO requirement (example ISO 9001, ISO 27001, ISO 14001, etc,) Statuary or Regulatory Requirement Organization Process/Policies/Procedures, etc. Customer Requirement
What is the difference between audit scope and audit criteria?Example: A company located at Selangor and Muar, is certified to ISO 9001 & ISO14001
Audit Scope ? Audit Criteria ?
What is the difference between audit scope and audit criteria?Audit Scope : Location: Selangor and Muar When: 24-March-2014 – 26-March-2014 Who: All the departments/functions within the organizations.
Audit Criteria : ISO 9001 & ISO 14001 Statuary or Regulatory Requirement related to the business in
which the company is. Organization Process/Policies/Procedures, etc. Customer Requirement
Selecting the Audit Team
For Team size and competence, consider: Audit objectives, scope, criteria, and duration Whether audit is combined or joint Competence of team to meet objectives Statutory, regulatory, contractual and
accreditation/certification requirements Independence of the team
5. Auditor Competence & Responsibilities
Auditor CompetenceAuditor competence is based on: Personal attributes Application of knowledge and skillsCompetence is to be developed, maintained, and improved
Workshop 05
Auditor Competence
PERSONAL ATTRIBUTESETHICAL
OPEN-MINDED
DIPLOMATIC
OBSERVANT
PERCEPTIVE
TENACIOUS
VERSATILE
DECISIVE
SELF-RELIANT
Auditor CompetenceAuditor skills and competence could include: Audit principles, procedures, and techniques Management system and reference documents Organizational situations Laws, regulations, and other requirements
Auditor CompetenceSpecific knowledge and skills for quality auditors could include: Quality methods and techniques Quality terminology Quality management tools and their application Processes and products/services specific to the
sector being audited
Auditor Responsibilities Arrive on time Maintain confidentiality Be objective and ethical Support the audit team and team leader Plan and prepare work documents Inform auditees of the audit process Document and support all findings Keep auditee informed Safeguard all documents Prepare the audit report
Audit Activities (Cont’d)
Audit Planning Determine the objective of the audit Identify specified requirements Determine audit duration and resources needed Select the team Contact the auditee – agree the date(s) Draw up audit plan Brief the team Prepare work documents
Conducting Document ReviewA review of documentation:
Should be conducted prior to on-site audit activities unless deferring review is not detrimental to the effectiveness of the audit
May include relevant QMS documents, records, and previous audit reports
May include a preliminary site visit
Prepare Work DocumentsA review of documentation:
Should be conducted prior to on-site audit activities unless deferring review is not detrimental to the effectiveness of the audit
May include relevant QMS documents, records, and previous audit reports
May include a preliminary site visit
Conducting Document Review Prepare work documents Use as a reference and for recording audit proceedings Include checklists, sampling plans and forms, ISO 9001:2008
standard, etc. Keep checklists flexible to allow changes resulting from
information collected during the audit Safeguard any confidential and proprietary information Retain work documents and records
Conducting Document ReviewA review of documentation: Should be conducted prior to on-site audit activities
unless deferring review is not detrimental to the effectiveness of the audit
May include relevant QMS documents, records, and previous audit reports
May include a preliminary site visit
Checklists PreparationOne Approach is to: Identify audit scope and process(es) within scope Identify applicable factors (inputs, outputs, measures,
resources, etc.) Use these points and other requirements (ISO 9001:2015, system documentation, etc.) to:
Plan what to look at Plan what to look for (audit evidence)
Prepare checklist
Workshop 06
Checklists StructureAudit checklist structure
PROCESS / ACTIVITY AUDITED: REQUIREMENT SOURCE EVIDENCE NOTES
ISO 9001:2008Clause No.
or other requirement
What to “Look At”
What to “Look For”
Conduct on-Site Audit Activities Conduct opening meeting Communicate during the audit Explain roles and responsibilities of participants Collect and verify information Generate audit findings Prepare audit conclusions Conduct closing meeting
Opening Meeting Hold opening meeting with auditee top management and
those responsible for processes audited Meeting may be informal Chaired by team leader Audit team present Purpose is to confirm all prior arrangements
Workshop 07
Collecting and Verifying Information
Collect by appropriate
SAMPLING & VERIFICATION
CONCLUDE
EVALUATEagainst audit
criteria
REVIEW
SOURCE of Info
Collect & Verify information Collect information relevant to:
Audit objectives, scope, and criteria interfaces between functions, activities and processes
Collect audit evidence by appropriate sampling and verify and record it
Be aware on sampling limitations, if acting on the audit conclusion
Use only information that is verifiable as audit evidence
Techniques to Obtain Audit EvidenceInterview: Personnel that manage, perform, and verify activities Also ensure they are responsible for the activity being
audited Listen carefully to responsesObserve: Identity, status, condition, processes, equipment,
activities, environment, and people
Audit Evidence Review documents that describe:
Activities Plans Controls Strategies Exercises Tests
Review records for evidence of conformity to documents Review records, statements of fact, or other information
which are relevant to the audit criteria and verifiable Audit evidence may be qualitative or quantitative
Communication & Interpersonal Skills Put auditee at ease Ask short questions and listen Reflect right attitude, tone of voice, body language, and
facial expressions Smile and show eye contact Avoid interruptions Avoid off-cuff and condescending remarks Give praise when appropriate
Communication & Interpersonal Skills Show interest Be tactful and polite Show patience and understanding Remember to say please and thank you Ask the right person Don`t say you understand when you do not
Conducting Document ReviewA review of documentation:
Should be conducted prior to on-site audit activities unless deferring review is not detrimental to the effectiveness of the audit
May include relevant QMS documents, records, and previous audit reports
May include a preliminary site visit
Questioning Technique Open question
Using why, who, what, where, when, or how gets more than a yes or no answer
Expansive question Further elaborates the current point
Opinion question Asks opinion about current point
Non-verbal Uses body language, for example: raise eye-brow to
elicit further information
Questioning Technique Repetitive question
Repeats back response in form of a question Hypothetical question
Uses what if, suppose that, etc. Closed question
Gets yes or no answer Avoid using too often Used for confirmation
Silence Draws more information
Note Taking Notes could be used as reference for:
Immediate investigation Investigation later Use by a colleague Subsequent audits
Notes taken during an audit are a record of: The audit sample taken What was reported What was observed
Notes may be referenced by subsequent auditor
Control of the Audit Checklist is an aid, not a requirement If potential audit trails appear, decide to:
Disregard Note for later Follow up immediately
Following audit trails may effect: Sample size Audit plan
Handling Difficult Situation
Workshop 07
Uncooperative
Cannot find document
Volunteered Information
Unprepared
Long telephone calls
Constant interruptions
Provocation
Long auditees
Boastful
Called away
Language
Noisy environment
Diversionary tactics
Interdepartmental / Personality
conflicts
Establish the FactsJudgment in the Audit Process Audit focus must be on conformity and effectiveness,
NOT on finding nonconformities The auditee must be given the benefit of any doubt where
there is insufficient audit evidence
Establish the Facts Discuss concerns Verify the findings Record all the evidence:
Exact observation Where, what, etc.
Establish why a nonconformity or otherwise State who (if relevant) – preferably by job title Obtain agreement with the facts
Generate Audit Findings Evaluate audit evidence against audit criteria to generate
audit findings Indicate if findings are conformities, nonconformities or
opportunities for improvement Meet (audit team) to review findings Specify (with supporting evidence) or summarize
conformity by location, function, or processes, as required by audit plan
Nonconformity Non-fulfilment of a specified requirement:
Not doing it Partially doing it Doing it the wrong way
Specified requirement: Conditions of the customer contract Quality standard (ISO 9001:2015) Quality management system Statutory or regulatory requirements
Generate Audit Findings Record nonconformity findings and supporting evidence Obtain auditee acknowledgement of nonconformities for
accuracy and understandability Try and resolve differences of opinion Keep a record of unresolved issues
Nonconformity - MINOR Failure to comply with a requirement which (based on
judgment and experience) is not likely to result in QMS failure
Single observed lapse or isolated incident Minimal risk of nonconforming product or service Examples:
A two month lapse in the internal audit program A training record not available No actions taken to improve system based on previous
result findings
Nonconformity - MAJOR Absence or total breakdown of a system to meet a
requirement A number of minors related to the same clause or
requirement A nonconformity that experience and judgment indicate
will likely result in QMS failure or significantly reduce its ability to assure controlled processes and products
Nonconformity - MAJORExamples: No documented procedure for a required documented ISO
9001:2008 process/activity Document changes routinely made without authorization No awareness program for the quality management
system No future planned internal audits Insufficient scope Numerous minor nonconformities found in the production
process
Classifying the NonconformityConsider the seriousness: What could go wrong if the nonconformity remains
uncorrected? Is it likely the system would detect it before the customer
is affected? If you are not certain it is a nonconformity, it is not.
You must have: A requirement that has been broken Proof that it has been broken
Good Report ExamplesNONCONFORMITY REPORT Incident No. / CAR No.: 01
Company under audit: ABC Sdn. Bhd.
Area under Review: Purchasing ISO 9001 Clause number 7.4
Category: Major Minor
Requirement:
Clause 7.4.1 of ISO 9001:2008 requires that the organization establish criteria for evaluation and re-evaluation of suppliers.
Nonconformity Findings:
Upon speaking with the purchasing Manager, it was found that no evaluation of XYZ supplier had taken place since the contract was signed and business begin with XYZ supplier.
Poor Report ExamplesThe nonconformity statements below are inadequate due to the lack of specified requirements and detailed evidence: Steering Group meeting minutes are not adequate The authority level for the Emergency Controller must be
documented for clarify purposes
Preparing Audit ConclusionsAudit team confer prior to the closing meeting: Scheduling of the audit plan To plan for closing meeting Purpose is to:
Review audit findings and other information Agree on audit conclusions
To prepare the audit report and recommendations If included in audit plan, to discuss audit follow-up
Audit ReportPrepare, Approve & Distribute1. Audit reference2. Client and Auditee details3. Audit team details4. List of auditee representatives5. Objectives, scope, and criteria6. Audit plan – dates, places, areas audited and timing7. Summary of audit process8. Audit Summary9. Uncertainty due to sampling
Audit ReportPrepare, Approve & Distribute10.Nonconformity reports11.Recommendation12.Obstacles encountered13.Any areas in audit scope not covered14.Any unresolved issues between the auditee and team15.Confirmation that audit objectives accomplished16.Confidentiality statement17.Distribution list
Audit Report Distribution
Issue within agreed time period If delayed, provide reasons and agree on new issue date Report must be dated, reviewed, and approved as per
procedures Distribute to recipients designated by audit client Report is property of audit client Recipients and audit team must respect the
confidentiality of the report
Completing the Audit Audit is complete when all activities in audit plan have
been carried out and audit report is distributed Maintain or dispose of audit documents based on
contractual, regulatory, and audit program procedures Maintain confidentiality of audit documents, information,
and report Notify audit client and auditee ASAP if disclosure of audit
information is required.
Closing Meeting Hold closing meeting to present audit findings and
conclusions Cover situations encountered during audit that may
decrease reliance on audit conclusions Discuss and resolve diverging audit findings and
conclusions Keep a record if not resolved Provide recommendations for improvement where
specified by audit objectives Keep minutes and attendance records Will normally be informal for internal audits
Completing the AuditConducting the Follow-up Audit conclusions may require corrective, preventive, or
improvement actions Auditee decides and carries out these actions within
agreed timeframe These actions are not part of the audit Audit team number should verify completion and
effectiveness of actions taken This verification may be part of a subsequent audit Maintain independence in subsequent audit activities
Completing the AuditCorrect the Follow-up Auditee receives the nonconformity report Auditee prepares and approves a corrective action plan Auditee submits the plan to auditors Auditors evaluate and approve the plan Auditee implements the approved corrective action plan Auditor verifies the implementation and effectiveness Records of all actions taken by auditor and auditee
Conclusion
Workshop 08
Q & A
THANK YOU