Iso Internal Auditor

2. ISO Internal Auditor Compliance ManagementPrepared &Presented by Yamin K Hajeej

3. 15Introduction to AuditingAuditor Competence and Responsibilities2364Table of ContentThe Process Approach and Process AuditingManaging an Audit ProgramAudit ActivitiesConclusion

4. Introduction toAuditing

5. AuditingWhat is an audit?Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (ISO19011: 2002 clause 3.1)Why audit?Requirement of ISO 9001:2008

6. Monitor and measure the management system

7. Promote continuous improvement of the management systemPrinciples of Auditing4.0Principles relating to auditors:Ethical conduct

8. Fair presentation

9. Due professional carePrinciples relating to audit:Independence

10. Evidence-based approachNote: reference toISO 19011:2002Clause number

11. Benefits of AuditingVerifies conformity to requirementsIncreases awareness and understandingProvides a measurement of effectiveness of the management system to top managementReduces risk of management system failureIdentifies improvement opportunitiesContinuous improvement if performed regularly

12. Types of AuditRegistration / CertificationProductCustomer contractGap assessment / Pre-assessmentSurveillanceCombined audit / joint audit

13. The Process Approach and Process Auditing

14. Process ApproachThe process approach emphasize the importance of:Understanding and meeting requirementsLooking at processes in terms of added valueObtaining results of process performanceContinual improvement of process

15. PlanYourProcessActDoCheckPDCA (Plan-Do-Check-Act)The Plan-do-Check-Act (PDCA) methodology applies to all processesDeploy and conform with plan

16. Activities

17. Controls

18. Documentation

19. Resources

20. ObjectivesContinualImprovementAnalyze/review

21. Decide/change

22. Improve effectiveness

23. Measure and monitor for conformity and effectivenessManagement System Standards and the Process ApproachISO 9001:2008:Is based upon the PDCA cycle which can be applied to processes

24. Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a QMSISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits

25. Applying the Process Approach to AuditingAuditors can apply the process approach to auditing by ensuring the auditee:Can define the objectives, inputs, outputs, activities, and resources for its processesAnalyzes, monitors, measures, and improves its processesUnderstands the sequence and interaction of its processes

26. Process Auditing ApproachesIndividual Process:Input / Output / Value-added ActivityPlan-Do-Check-ActResourcesRelationship with other processes:Flow / Sequence / Linkage / CombinationInteraction / CommunicationEvidenceCustomer and supplier contract(s)

27. Process Auditing “Turtle Diagram”With what?ResourcesWith who?PersonnelInputsFrom Whom/WhereOutputsToWhom/WhereProcess(specific value-added activities)What results?PerformanceindicatorsHow done?Methods/Documentation

28. Process Auditing ExampleWith what?Order processing systemWith who?Customers

29. Competent sales and processing staffInputsCustomer requirementsSales staffOutputsProduction/Service DeliveryContractReviewWhat results?Order processing timeNumber or orders

30. Value of orders

31. Contract accuracyHow done?IT system

32. Processing system

33. Terms and conditions

34. Contract review procedureManaging an Audit Program

35. Managing an Audit Program Process Flow5.1PLANDOCHECKACTAUTHORIZEMONITOR &REVIEWESTABLISHIMPLEMENTIMPROVE SCHEDULE AUDITS

36. EVALUATE

37. AUDITORS

38. SELECT TEAMS

39. DIRECT ACTIVITIES

40. MAINTAIN RECORDS

41. OBJECTIVES

42. EXTENT

43. ROLES

44. RESOURCES

45. PROCEDURES

46. MONITOR

47. REVIEW

48. IDENTIFY NEED FOR CA/PA IDENTIFY OPPORTUNITIES TO IMPROVEAUDITORCOMPETENCE& EVALUZATIONSPECIFIC AUDITACTIVITIES

49. Audit Activities

50. Typical Audit Activities6.1Initialing the AuditPLANConducting Document ReviewPreparing for On-site ActivitiesConducting for On-site ActivitiesDOPreparing, Approving, Distributing Audit ReportCompleting the AuditCHECKConducting Audit Follow-upACT

51. Audit ProgramTop management should authorize responsibility for program management to:Establish, implement, review, and improve the audit program

52. Identify the necessary resources and ensure they are provided

53. Organization should develop audit program processes

54. Program should be managed by a member of the organization

55. Keep appropriate audit records to monitor and review the audit programAudit Program ResponsibilitiesTop management should authorize responsibility for program managementThose assigned responsibility should:Establish, implement, review, and improve the audit program

56. Identify the necessary resources and ensure they are providedInitiating the Audit6.2Initiating the audit includes:Appointing the audit team leaderDefining audit objectives, scope, criteriaDetermining feasibility of the auditSelecting the audit teamEstablishing initial contact with the auditee

57. Defining Audit Objectives, Scope, Criteria6.2.2Audit Objectives may include:Determining of the extent of conformity of auditee`s QMS with audit criteriaEvaluation of capability of QMS to ensure compliance with statutory, regulatory, and contractual requirementsEvaluation of effectiveness of the QMS to meet its objectivesIdentification of areas of improvement

58. Selecting the Audit Team6.2.4For Team size and competence, consider:Audit objectives, scope, criteria, and durationWhether audit is combined or jointCompetence of team to meet objectivesStatutory, regulatory, contractual and accreditation/certification requirementsIndependence of the team

59. Auditor Competence and Responsibilities

60. Auditor Competence7.1Auditor competence is based on:Personal attributes

61. Application of knowledge and skillsCompetence is to be developed, maintained, and improved

62. PersonalAttributesOpen-mindedDecisivePerceptiveEthicalObservantDiplomaticVersatileTenaciousSelf-reliantAuditor CompetencePersonal Attributes7.2

63. Auditor CompetenceGeneric Knowledge and skills7.3.1Auditor skills and competence could include:Audit principles, procedures, and techniquesManagement system and reference documentsOrganizational situationsLaws, regulations, and other requirements

64. Auditor CompetenceSpecific Knowledge and skills7.3.3Specific knowledge and skills for quality auditors could include:Quality methods and techniquesQuality terminologyQuality management tools and their applicationProcesses and products/services specific to the sector being audited

65. Auditor ResponsibilitiesArrive on timeMaintain confidentialityBe objective and ethicalSupport the audit team and team leaderPlan and prepare work documentsInform auditees of the audit processDocument and support all findingsKeep auditee informedSafeguard all documentsPrepare the audit report

66. Audit Activities(Continued)

67. Audit PlanningDetermine the objective of the auditIdentify specified requirementsDetermine audit duration and resources neededSelect the teamContact the auditee – agree the date(s)Draw up audit planBrief the teamPrepare work documents

68. Conducting Document Review6.3A review of documentation:Should be conducted prior to on-site audit activities unless deferring review is not detrimental to the effectiveness of the auditMay include relevant QMS documents, records, and previous audit reportsMay include a preliminary site visit

69. Prepare Work DocumentsPrepare work documentsUse as a reference and for recording audit proceedingsInclude checklists, sampling plans and forms, ISO 9001:2008 standard, etc.Keep checklists flexible to allow changes resulting from information collected during the auditSafeguard any confidential and proprietary informationRetain work documents and records

70. Checklists PreparationOne Approach is to:Identify audit scope and process(es) within scopeIdentify applicable factors (inputs, outputs, measures, resources, etc.)Use these points and other requirements (ISO 9001-2008, system documentation, etc.) to:Plan what to look at

71. Plan what to look for (audit evidence) Prepare checklist

72. Checklists StructureAudit checklist structure:

73. Conduct on-Site Audit Activities6.5Conduct opening meetingCommunicate during the auditExplain roles and responsibilities of participantsCollect and verify informationGenerate audit findingsPrepare audit conclusionsConduct closing meeting

74. Opening Meeting6.5.1Hold opening meeting with auditee top management and those responsible for processes auditedMeeting may be informalChaired by team leaderAudit team presentPurpose is to confirm all prior arrangements

75. Sources of informationAudit ConclusionsCollect by appropriate sampling & verificationEvaluate against audit criteriaReviewCollecting and Verifying Information

76. Auditing ProcessCollect & Verify information6.5.4Collect information relevant to:Audit objectives, scope, and criteria

77. interfaces between functions, activities and processesCollect audit evidence by appropriate sampling and verify and record itBe aware on sampling limitations, if acting on the audit conclusionUse only information that is verifiable as audit evidence

78. Auditing ProcessTechniques to Obtain Audit Evidence6.5.4Interview:Personnel that manage, perform, and verify activities

79. Also ensure they are responsible for the activity being audited

80. Listen carefully to responsesObserve:Identity, status, condition, processes, equipment, activities, environment, and peopleAuditing ProcessAudit EvidenceReview documents that describe:Activities

81. Plans

82. Controls

83. Strategies

84. Exercises

85. testsReview records for evidence of conformity to documentsReview records, statements of fact, or other information which are relevant to the audit criteria and verifiableAudit evidence may be qualitative or quantitative

86. Communication and interpersonal skillsPut auditee at easeAsk short questions and listenReflect right attitude, tone of voice, body language, and facial expressionsSmile and show eye contactAvoid interruptionsAvoid off-cuff and condescending remarksGive praise when appropriate

87. Communication and interpersonal skillsShow interestBe tactful and politeShow patience and understandingRemember to say please and thank youAsk the right personDon`t say you understand when you do not

88. Questioning TechniquesOpen questionUsing why, who, what, where, when, or how gets more than a yes or no answerExpansive questionFurther elaborates the current pointOpinion questionAsks opinion about current pointNon-verbalUses body language, for example: raise eye-brow to elicit further informationQuestioning TechniquesRepetitive questionRepeats back response in form of a questionHypothetical questionUses what if, suppose that, etc.Closed questionGets yes or no answer

89. Avoid using too often

90. Used for confirmationSilenceDraws more informationNote TakingNotes could be used as reference for:Immediate investigation

91. Investigation later

92. Use by a colleague

93. Subsequent auditsNotes taken during an audit are a record of:The audit sample taken

94. What was reported

95. What was observedNotes may be referenced by subsequent auditor

96. SamplingSamples should test the effectiveness of the system and should be:Representative

97. Structured

98. Independently selectedSample size should be based on:Risk

99. Importance

100. Status

101. Findings from the previous/current auditControl of the AuditChecklist is an aid, not a requirementIf potential audit trails appear, decide to:Disregard

102. Note for later

103. Follow up immediatelyFollowing audit trails may effect:Sample size

104. Audit planConstant interruptionsCannot find documentDiversionary tacticsCalled awayEXAMPLESLong telephone callsNoisy environmentInterdepartmental or personality conflictsVolunteered informationLong-windedauditeesBoastfulUncooperativeUnpreparedProvocationLanguageHandling Difficult Situations

105. Establish the FactsJudgment in the Audit ProcessAudit focus must be on conformity and effectiveness, NOT on finding nonconformitiesThe auditee must be given the benefit of any doubt where there is insufficient audit evidence

106. Establish the FactsDiscuss concernsVerify the findingsRecord all the evidence:Exact observation

107. Where, what, etc.Establish why a nonconformity or otherwiseState who (if relevant) – preferably by job titleObtain agreement with the facts

108. Generate Audit Findings6.5.5Evaluate audit evidence against audit criteria to generate audit findingsIndicate if findings are conformities, nonconformities or opportunities for improvementMeet (audit team) to review findingsSpecify (with supporting evidence) or summarize conformity by location, function, or processes, as required by audit plan

109. Nonconformity6.5.5Non-fulfillment of a specified requirement:Not doing it

110. Partially doing it

111. Doing it the wrong waySpecified requirement:Conditions of the customer contract

112. Quality standard (ISO 9001:2008)

113. Quality management system

114. Statutory or regulatory requirementsGenerate Audit Findings6.5.5Record nonconformity findings and supporting evidenceObtain auditee acknowledgement of nonconformities for accuracy and understandabilityTry and resolve differences of opinionKeep a record of unresolved issues

115. Nonconformity - MinorFailure to comply with a requirement which (based on judgment and experience) is not likely to result in QMS failureSingle observed lapse or isolated incidentMinimal risk of nonconforming product or serviceExamples:A two month lapse in the internal audit program

116. A training record not available

117. No actions taken to improve system based on previous result findingsNonconformity - MajorAbsence or total breakdown of a system to meet a requirementA number of minors related to the same clause or requirementA nonconformity that experience and judgment indicate will likely result in QMS failure or significantly reduce its ability to assure controlled processes and products

118. Nonconformity - MajorExamples:No documented procedure for a required documented ISO 9001:2008 process/activityDocument changes routinely made without authorizationNo awareness program for the quality management systemNo future planned internal auditsInsufficient scopeNumerous minor nonconformities found in the production process

119. NonconformityClassifying the NonconformityConsider the seriousness:What could go wrong if the nonconformity remains uncorrected?Is it likely the system would detect it before the customer is affected?If you are not certain it is a nonconformity, it is not. You must have:A requirement that has been broken

120. Proof that it has been brokenNonconformityGood Report Examples

121. NonconformityPoor Report ExamplesThe nonconformity statements below are inadequate due to the lack of specified requirements and detailed evidence:Steering Group meeting minutes are not adequateThe authority level for the Emergency Controller must be documented for clarify purposes

122. Preparing Audit Conclusions6.5.6Audit team confer prior to the closing meeting:Scheduling of the audit planTo plan for closing meetingPurpose is to:Review audit findings and other information

123. Agree on audit conclusionsTo prepare the audit report and recommendationsIf included in audit plan, to discuss audit follow-up

124. Audit ReportPrepare, Approve & Distribute6.6.1Audit referenceClient and Auditee detailsAudit team detailsList of auditee representativesObjectives, scope, and criteriaAudit plan – dates, places, areas audited and timingSummary of audit processAudit SummaryUncertainty due to sampling6.6.2

125. Audit ReportPrepare, Approve & Distribute6.6.1Nonconformity reportsRecommendationObstacles encounteredAny areas in audit scope not coveredAny unresolved issues between the auditee and teamConfirmation that audit objectives accomplishedConfidentiality statementDistribution list6.6.2

126. Audit ReportDistribution6.6.1Issue within agreed time period

127. If delayed, provide reasons and agree on new issue date

128. Report must be dated, reviewed, and approved as per procedures

129. Distribute to recipients designated by audit client

130. Report is property of audit client

131. Recipients and audit team must respect the confidentiality of the reportCompleting the Audit6.7Audit is complete when all activities in audit plan have been carried out and audit report is distributed

132. Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures

133. Maintain confidentiality of audit documents, information, and report

134. Notify audit client and auditee ASAP if disclosure of audit information is required.Closing Meeting6.5.7Hold closing meeting to present audit findings and conclusions

135. Cover situations encountered during audit that may decrease reliance on audit conclusions

136. Discuss and resolve diverging audit findings and conclusions

137. Keep a record if not resolved

138. Provide recommendations for improvement where specified by audit objectives

139. Keep minutes and attendance records

140. Will normally be informal for internal auditsCompleting the AuditConducting the Follow-up6.8Audit conclusions may require corrective, preventive, or improvement actions

141. Auditee decides and carries out these actions within agreed timeframe

142. These actions are not part of the audit

143. Audit team number should verify completion and effectiveness of actions taken

144. This verification may be part of a subsequent audit

145. Maintain independence in subsequent audit activitiesCompleting the AuditCorrective the Follow-up6.8Auditee receives the nonconformity report

146. Auditee prepares and approves a corrective action plan

147. Auditee submits the plan to auditors

148. Auditors evaluate and approve the plan

149. Auditee implements the approved corrective action plan

150. Auditor verifies the implementation and effectiveness

151. Records of all actions taken by auditor and auditeeConclusion

152. Typical Audit ActivitiesInitialing the AuditConducting Document ReviewPreparing for On-site ActivitiesConducting for On-site ActivitiesPreparing, Approving, Distributing Audit ReportCompleting the AuditConducting Audit Follow-up

153. Final Questions?

154. Thank You!For you attendance and participation!Prepared &Presented by Yamin K Hajeej

Iso Internal Auditor

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Iso Internal Auditor (20)

Recently uploaded (20)

Iso Internal Auditor